[Emerging-Sigs] Emerging-sigs RogueKiller Anti-Malware, sig 2002405 FP

Maxim Maxim.Parpaley at netwatcher.com
Wed Jan 3 06:32:15 HST 2018


Hello,

RogueKiller Anti-Malware performs HTTP requests to the host ip-api.com; I don't know why, but we see them.

The problem is that the signature with ID 2002405 (ET MALWARE Internet Optimizer User-Agent (ROGUE)) triggers on those requests.

Pcap:

GET /json/10.0.0.34 HTTP/1.1
Connection: Keep-Alive
User-Agent: RogueKiller
Host: ip-api.com

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Wed, 03 Jan 2018 15:27:58 GMT
Content-Length: 63

{"message":"private range","query":"10.0.0.34","status":"fail"}  
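Added example, not part of this report or of the ET ruleset: it replays the request above against a loose and a tightened User-Agent check. It assumes (an assumption, since the report does not show the rule body) that sig 2002405 fires on a case-insensitive "ROGUE" substring in the User-Agent header; the adware request below is constructed for contrast.

```python
import re
from typing import Optional

# Constructed copy of the RogueKiller request shown in the report (same headers).
ROGUEKILLER_REQUEST = (
    "GET /json/10.0.0.34 HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "User-Agent: RogueKiller\r\n"
    "Host: ip-api.com\r\n\r\n"
)

# Constructed stand-in for the traffic the signature targets. The bare "ROGUE"
# user-agent is an assumption, not taken from the rule or from a real sample.
ADWARE_REQUEST = (
    "GET /check HTTP/1.1\r\n"
    "User-Agent: ROGUE\r\n"
    "Host: example.invalid\r\n\r\n"
)


def user_agent(request: str) -> Optional[str]:
    """Return the User-Agent value of a raw HTTP/1.1 request, or None if absent."""
    head = request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return None


def loose_match(request: str) -> bool:
    """Assumed behaviour of sig 2002405: 'ROGUE' anywhere in the UA, any case.
    This is why 'RogueKiller' fires: 'Rogue' is a prefix of the value."""
    ua = user_agent(request)
    return ua is not None and "rogue" in ua.lower()


def tightened_match(request: str) -> bool:
    """Same indicator, anchored to the whole header value (the equivalent of
    terminating the content match at the end of the header), so a UA that merely
    starts with 'Rogue' no longer matches."""
    ua = user_agent(request)
    return ua is not None and re.fullmatch(r"rogue", ua, re.IGNORECASE) is not None


def excluded_benign(request: str) -> bool:
    """Alternative tuning: keep the loose match but negate the known benign UA."""
    ua = user_agent(request)
    return loose_match(request) and ua != "RogueKiller"
```

Both tuned checks still flag the constructed adware request while ignoring the RogueKiller one; which to use depends on whether the real rule body anchors on the header end.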


-----Original Message-----
From: Emerging-sigs [mailto:emerging-sigs-bounces at lists.emergingthreats.net] On Behalf Of emerging-sigs-request at lists.emergingthreats.net
Sent: Wednesday, January 3, 2018 12:14 AM
To: emerging-sigs at lists.emergingthreats.net
Subject: Emerging-sigs Digest, Vol 122, Issue 1



Today's Topics:

   1. Re: [Etpro-sigs] Daily Ruleset Update Summary	2017/12/29
      (Duane Howard)
   2. Re: [Etpro-sigs] Daily Ruleset Update Summary	2017/12/29
      (Jack Mott)
   3. Daily Ruleset Update Summary 2018/01/02 (Travis Green)


----------------------------------------------------------------------

Message: 1
Date: Tue, 2 Jan 2018 11:38:02 -0800
From: Duane Howard <duane.security at gmail.com>
To: Travis Green <tgreen at emergingthreats.net>
Cc: "emerging-sigs at emergingthreats.net"
	<emerging-sigs at emergingthreats.net>,  Emerging-updates redirect
	<emerging-updates at emergingthreats.net>,  ETPro-sigs List
	<etpro-sigs at emergingthreatspro.com>
Subject: Re: [Emerging-Sigs] [Etpro-sigs] Daily Ruleset Update Summary
	2017/12/29
Message-ID:
	<CAH9u3cudEUg5k77Fa4RYjqFj-E3kgWvF9vPfo0jHT-0Ht8pspQ at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Both of the below rules contain a reference:md5,7c60ce8d44e21fcddd5214e93db7602e; but the descriptions use different names for the malware. Is the reference incorrect on one of them, or are the names out of alignment?
2829108 - ETPRO TROJAN MSIL/Tiny.R CnC Checkin (Infoback) (trojan.rules)
2829110 - ETPRO TROJAN Win32/Crimson Variant CnC Checkin (trojan.rules)

-Duane

On Fri, Dec 29, 2017 at 1:00 PM, Travis Green <tgreen at emergingthreats.net>
wrote:

> [***]            Summary:            [***]
>
> 1 new Open, 13 new Pro (1 + 12). FireBlaze, MSIL/Tiny.R, Win32/Crimson 
> Variant, Various Phishing.
>
>
> [+++]          Added rules:          [+++]
>
> Open:
>
>  2025177 - ET TROJAN Zeus Panda CnC Domain (in DNS Lookup) 
> (trojan.rules)
>
> Pro:
>
>  2829106 - ETPRO CURRENT_EVENTS Observed FireBlaze Keylogger 
> Downloader Domain (fireblazes .000webhostapp .com in TLS SNI) 
> (current_events.rules)
>  2829107 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2017-12-29
> (current_events.rules)
>  2829108 - ETPRO TROJAN MSIL/Tiny.R CnC Checkin (Infoback) 
> (trojan.rules)
>  2829109 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc 
> DL)
> (current_events.rules)
>  2829110 - ETPRO TROJAN Win32/Crimson Variant CnC Checkin 
> (trojan.rules)
>  2829111 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish
> 2017-12-29 (current_events.rules)
>  2829112 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2017-12-29 1) (trojan.rules)
>  2829113 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2017-12-29 2) (trojan.rules)
>  2829114 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2017-12-29 3) (trojan.rules)
>  2829115 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2017-12-29 4) (trojan.rules)
>  2829116 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2017-12-29 5) (trojan.rules)
>  2829117 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2017-12-29 6) (trojan.rules)
>
>
> [///]     Modified active rules:     [///]
>
>  2814624 - ETPRO TROJAN XtremeRAT CnC Beacon 1 (trojan.rules)
>
>
> --
> PGP: 0xBED7B297
> <https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
>
> _______________________________________________
> Etpro-sigs mailing list
> Etpro-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/etpro-sigs
>
>

------------------------------

Message: 2
Date: Tue, 2 Jan 2018 15:12:07 -0500
From: Jack Mott <jmott at emergingthreats.net>
To: Duane Howard <duane.security at gmail.com>
Cc: Travis Green <tgreen at emergingthreats.net>,
	"emerging-sigs at emergingthreats.net"
	<emerging-sigs at emergingthreats.net>,  ETPro-sigs List
	<etpro-sigs at emergingthreatspro.com>,  Emerging-updates redirect
	<emerging-updates at emergingthreats.net>
Subject: Re: [Emerging-Sigs] [Etpro-sigs] Daily Ruleset Update Summary
	2017/12/29
Message-ID:
	<CAHHK96HN-gaAxVPvgHi1+joN=9a7oV7netJiv4bMnebrt2BuOg at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hey Duane,

Thanks for pointing that out-- it is certainly an error. The md5 ref for
2929108 is correct. The proper md5 for 2829110 should be 786075ed272ea549bbe3b29da354de43 and will be updated with today's push.

Thanks again!

Jack


------------------------------

Message: 3
Date: Tue, 2 Jan 2018 15:13:51 -0700
From: Travis Green <tgreen at emergingthreats.net>
To: "emerging-sigs at emergingthreats.net"
	<emerging-sigs at emergingthreats.net>,  Emerging-updates redirect
	<emerging-updates at emergingthreats.net>,  ETPro-sigs List
	<etpro-sigs at emergingthreatspro.com>
Subject: [Emerging-Sigs] Daily Ruleset Update Summary 2018/01/02
Message-ID:
	<CAKgkF6md9igUz=9XRA9aujTunDL8S=h_vRyhBZ1Ek4niFDPO6w at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

[***]            Summary:            [***]

3 new Open, 25 new Pro (3 + 22). Win32/CoinMining Loader, Xtrat/XtremeRAT, Various Phishing.


[+++]          Added rules:          [+++]

Open:

 2025178 - ET TROJAN Sharik/Smoke CnC Beacon 9 (trojan.rules)
 2025179 - ET TROJAN Qasar Variant Domain (datapeople-cn .com in DNS
Lookup) (trojan.rules)
 2025180 - ET CURRENT_EVENTS Possible Successful Generic Phish (set)
2018-01-02 (current_events.rules)

Pro:

 2829118 - ETPRO TROJAN Win32/CoinMining Loader CnC Checkin (trojan.rules)
 2829119 - ETPRO CURRENT_EVENTS Successful Citizens Bank Phish 2018-01-02
M1 (current_events.rules)
 2829120 - ETPRO CURRENT_EVENTS Successful Citizens Bank Phish 2018-01-02
M2 (current_events.rules)
 2829121 - ETPRO CURRENT_EVENTS Successful Citizens Bank Phish 2018-01-02
M3 (current_events.rules)
 2829122 - ETPRO CURRENT_EVENTS Successful DHL Phish 2018-01-02
(current_events.rules)
 2829123 - ETPRO CURRENT_EVENTS Successful Amazon Cancel Order Phish
2018-01-02 (current_events.rules)
 2829124 - ETPRO CURRENT_EVENTS Successful Orange.fr Phish 2018-01-02
(current_events.rules)
 2829125 - ETPRO CURRENT_EVENTS Suspicious AutoIt EXE Download (Observed in Maldoc Campaign Dropping Xtrat) (current_events.rules)
 2829126 - ETPRO CURRENT_EVENTS Successful Netflix (BR) Phish 2018-01-02
(current_events.rules)
 2829127 - ETPRO CURRENT_EVENTS Successful Dropbox (CN) Phish 2018-01-02 M1
(current_events.rules)
 2829128 - ETPRO CURRENT_EVENTS Successful Dropbox (CN) Phish 2018-01-02 M2
(current_events.rules)
 2829129 - ETPRO TROJAN Xtrat/XtremeRAT Google PING Connectivity Check
(trojan.rules)
 2829130 - ETPRO CURRENT_EVENTS MalDoc Retrieving EXE Payload 2018-01-02
(current_events.rules)
 2829131 - ETPRO CURRENT_EVENTS Successful SFR Account Phish 2018-01-02
(current_events.rules)
 2829132 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-01-02 1) (trojan.rules)
 2829133 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-01-02 2) (trojan.rules)
 2829134 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-01-02 3) (trojan.rules)
 2829135 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-01-02 4) (trojan.rules)
 2829136 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-01-02 5) (trojan.rules)
 2829137 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-01-02 6) (trojan.rules)
 2829138 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-01-02 8) (trojan.rules)
 2829139 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2018-01-02 9) (trojan.rules)


[///]     Modified active rules:     [///]

 2018401 - ET TROJAN Win32.Kazy Checkin (trojan.rules)
 2022730 - ET INFO PhishMe.com Phishing Landing Exercise (info.rules)
 2023712 - ET CURRENT_EVENTS Paypal Phishing Landing Jan 09 2017
(current_events.rules)
 2024583 - ET CURRENT_EVENTS Possible YapiKredi Bank (TR) Phishing Landing
- Title over non SSL (current_events.rules)
 2024705 - ET CURRENT_EVENTS Apple Phishing Landing M3 Sep 14 2017
(current_events.rules)
 2814624 - ETPRO TROJAN XtremeRAT CnC Beacon 1 (trojan.rules)
 2815129 - ETPRO CURRENT_EVENTS Possible Base64 Obfuscated Phishing Landing
2015-11-30 (current_events.rules)
 2816734 - ETPRO CURRENT_EVENTS Obfuscated Chase Phishing Landing
2016-03-23 (current_events.rules)
 2816790 - ETPRO CURRENT_EVENTS L33bo Phishing Landing 2016-03-29
(current_events.rules)
 2821737 - ETPRO TROJAN Babylon RAT C2 Client Request (trojan.rules)
 2822442 - ETPRO CURRENT_EVENTS Multibank Phishing Landing/Redirect (NL) M1
2016-10-06 (current_events.rules)
 2822443 - ETPRO CURRENT_EVENTS SNS Bank Phishing Landing/Redirect (NL) M1
2016-10-06 (current_events.rules)
 2822444 - ETPRO CURRENT_EVENTS SNS Bank Phishing Landing/Redirect/ (NL) M2
2016-10-06 (current_events.rules)
 2822445 - ETPRO CURRENT_EVENTS ASN/Regio Bank Phishing Landing/Redirect
(NL) M1 2016-10-06 (current_events.rules)
 2822446 - ETPRO CURRENT_EVENTS ASN/Regio Bank Phishing Landing/Redirect
(NL) M2 2016-10-06 (current_events.rules)
 2822447 - ETPRO CURRENT_EVENTS Multibank Phishing Landing/Redirect (NL) M2
2016-10-06 (current_events.rules)
 2823939 - ETPRO CURRENT_EVENTS Obfuscated Phishing Landing Dec 18 2016
(current_events.rules)
 2823940 - ETPRO TROJAN Google Docs Phishing Landing Dec 18 2016
(trojan.rules)
 2823945 - ETPRO CURRENT_EVENTS Microsoft Office Phishing Landing Dec 18
2016 (current_events.rules)
 2824565 - ETPRO CURRENT_EVENTS DHL Phishing Landing Jan 20 2017
(current_events.rules)
 2824614 - ETPRO CURRENT_EVENTS Paypal Phishing Landing Jan 24 2017
(current_events.rules)
 2824792 - ETPRO CURRENT_EVENTS Banco Itau Phishing Landing Javascript Feb
06 2017 (current_events.rules)
 2825147 - ETPRO CURRENT_EVENTS Possible Sparkasse Bank Phishing Landing Feb 27 2017 (current_events.rules)
 2828073 - ETPRO CURRENT_EVENTS Successful Raiffeisen Bank Phishing Landing / Fake Android App Sep 27 2017 (current_events.rules)
 2829110 - ETPRO TROJAN Win32/Crimson Variant CnC Checkin (trojan.rules)


[---]         Removed rules:         [---]

 2014571 - ET TROJAN HTTP Request to a a known malware domain (sektori.org)
(trojan.rules)
 2828164 - ETPRO MOBILE_MALWARE ANDROIDOS_HIDDENAPP.HRXZ Checkin
(mobile_malware.rules)


--
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
