[Emerging-Sigs] Emerging-sigs RogueKiller Anti-Malware, sig 2002405 FP

Travis Green tgreen at emergingthreats.net
Wed Jan 3 07:01:25 HST 2018


Maxim, it appears this signature was built to detect an older adware
<https://en.wikipedia.org/wiki/Internet_Optimizer> and not RogueKiller.
I'll modify the sig to eliminate the FP. Thanks for reporting this issue.

-Travis

On Wed, Jan 3, 2018 at 9:32 AM, Maxim <Maxim.Parpaley at netwatcher.com> wrote:

> Hello,
>
> RogueKiller Anti-Malware performs HTTP requests to the host ip-api.com; I
> don't know why, but we see them.
>
> The problem is that the signature with ID 2002405 (ET MALWARE Internet
> Optimizer User-Agent (ROGUE)) triggers on those requests.
>
> Pcap:
>
> GET /json/10.0.0.34 HTTP/1.1
> Connection: Keep-Alive
> User-Agent: RogueKiller
> Host: ip-api.com
>
> HTTP/1.1 200 OK
> Access-Control-Allow-Origin: *
> Content-Type: application/json; charset=utf-8
> Date: Wed, 03 Jan 2018 15:27:58 GMT
> Content-Length: 63
>
> {"message":"private range","query":"10.0.0.34","status":"fail"}
>
>
> -----Original Message-----
> From: Emerging-sigs [mailto:emerging-sigs-bounces@lists.emergingthreats.net]
> On Behalf Of emerging-sigs-request at lists.emergingthreats.net
> Sent: Wednesday, January 3, 2018 12:14 AM
> To: emerging-sigs at lists.emergingthreats.net
> Subject: Emerging-sigs Digest, Vol 122, Issue 1
>
>
> Today's Topics:
>
>    1. Re: [Etpro-sigs] Daily Ruleset Update Summary 2017/12/29
>       (Duane Howard)
>    2. Re: [Etpro-sigs] Daily Ruleset Update Summary 2017/12/29
>       (Jack Mott)
>    3. Daily Ruleset Update Summary 2018/01/02 (Travis Green)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 2 Jan 2018 11:38:02 -0800
> From: Duane Howard <duane.security at gmail.com>
> To: Travis Green <tgreen at emergingthreats.net>
> Cc: "emerging-sigs at emergingthreats.net"
>         <emerging-sigs at emergingthreats.net>,  Emerging-updates redirect
>         <emerging-updates at emergingthreats.net>,  ETPro-sigs List
>         <etpro-sigs at emergingthreatspro.com>
> Subject: Re: [Emerging-Sigs] [Etpro-sigs] Daily Ruleset Update Summary
>         2017/12/29
> Message-ID:
>         <CAH9u3cudEUg5k77Fa4RYjqFj-E3kgWvF9vPfo0jHT-0Ht8pspQ@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Both of the rules below contain
> a reference:md5,7c60ce8d44e21fcddd5214e93db7602e;
> but the descriptions use different names for the malware. Is the reference
> incorrect on one of them, or are the names out of alignment?
> 2829108 - ETPRO TROJAN MSIL/Tiny.R CnC Checkin (Infoback) (trojan.rules)
> 2829110 - ETPRO TROJAN Win32/Crimson Variant CnC Checkin (trojan.rules)
>
> -Duane
>
> On Fri, Dec 29, 2017 at 1:00 PM, Travis Green <tgreen at emergingthreats.net>
> wrote:
>
> > [***]            Summary:            [***]
> >
> > 1 new Open, 13 new Pro (1 + 12). FireBlaze, MSIL/Tiny.R, Win32/Crimson
> > Variant, Various Phishing.
> >
> >
> > [+++]          Added rules:          [+++]
> >
> > Open:
> >
> >  2025177 - ET TROJAN Zeus Panda CnC Domain (in DNS Lookup)
> > (trojan.rules)
> >
> > Pro:
> >
> >  2829106 - ETPRO CURRENT_EVENTS Observed FireBlaze Keylogger
> > Downloader Domain (fireblazes .000webhostapp .com in TLS SNI)
> > (current_events.rules)
> >  2829107 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2017-12-29
> > (current_events.rules)
> >  2829108 - ETPRO TROJAN MSIL/Tiny.R CnC Checkin (Infoback)
> > (trojan.rules)
> >  2829109 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc
> > DL)
> > (current_events.rules)
> >  2829110 - ETPRO TROJAN Win32/Crimson Variant CnC Checkin
> > (trojan.rules)
> >  2829111 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish
> > 2017-12-29 (current_events.rules)
> >  2829112 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> > (2017-12-29 1) (trojan.rules)
> >  2829113 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> > (2017-12-29 2) (trojan.rules)
> >  2829114 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> > (2017-12-29 3) (trojan.rules)
> >  2829115 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> > (2017-12-29 4) (trojan.rules)
> >  2829116 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> > (2017-12-29 5) (trojan.rules)
> >  2829117 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> > (2017-12-29 6) (trojan.rules)
> >
> >
> > [///]     Modified active rules:     [///]
> >
> >  2814624 - ETPRO TROJAN XtremeRAT CnC Beacon 1 (trojan.rules)
> >
> >
> > --
> > PGP: 0xBED7B297
> > <https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
> >
> > _______________________________________________
> > Etpro-sigs mailing list
> > Etpro-sigs at lists.emergingthreats.net
> > https://lists.emergingthreats.net/mailman/listinfo/etpro-sigs
> >
> >
>
> ------------------------------
>
> Message: 2
> Date: Tue, 2 Jan 2018 15:12:07 -0500
> From: Jack Mott <jmott at emergingthreats.net>
> To: Duane Howard <duane.security at gmail.com>
> Cc: Travis Green <tgreen at emergingthreats.net>,
>         "emerging-sigs at emergingthreats.net"
>         <emerging-sigs at emergingthreats.net>,  ETPro-sigs List
>         <etpro-sigs at emergingthreatspro.com>,  Emerging-updates redirect
>         <emerging-updates at emergingthreats.net>
> Subject: Re: [Emerging-Sigs] [Etpro-sigs] Daily Ruleset Update Summary
>         2017/12/29
> Message-ID:
>         <CAHHK96HN-gaAxVPvgHi1+joN=9a7oV7netJiv4bMnebrt2BuOg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hey Duane,
>
> Thanks for pointing that out -- it is certainly an error. The md5 ref for
> 2829108 is correct. The proper md5 for 2829110 should be
> 786075ed272ea549bbe3b29da354de43 and will be updated with today's push.
>
> Thanks again!
>
> Jack
>
> On Tue, Jan 2, 2018 at 2:38 PM, Duane Howard <duane.security at gmail.com>
> wrote:
>
> > both of the below rules contain a  reference:md5,
> > 7c60ce8d44e21fcddd5214e93db7602e; but the descriptions use different
> > names for the malware? is the reference incorrect on one of them, or
> > are the names out of alignment?
> > 2829108 - ETPRO TROJAN MSIL/Tiny.R CnC Checkin (Infoback)
> > (trojan.rules)
> > 2829110 - ETPRO TROJAN Win32/Crimson Variant CnC Checkin
> > (trojan.rules)
> >
> > -Duane
> >
> > On Fri, Dec 29, 2017 at 1:00 PM, Travis Green
> > <tgreen at emergingthreats.net>
> > wrote:
> >
> >> [***]            Summary:            [***]
> >>
> >> 1 new Open, 13 new Pro (1 + 12). FireBlaze, MSIL/Tiny.R,
> >> Win32/Crimson Variant, Various Phishing.
> >>
> >>
> >> [+++]          Added rules:          [+++]
> >>
> >> Open:
> >>
> >>  2025177 - ET TROJAN Zeus Panda CnC Domain (in DNS Lookup)
> >> (trojan.rules)
> >>
> >> Pro:
> >>
> >>  2829106 - ETPRO CURRENT_EVENTS Observed FireBlaze Keylogger
> >> Downloader Domain (fireblazes .000webhostapp .com in TLS SNI)
> >> (current_events.rules)
> >>  2829107 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2017-12-29
> >> (current_events.rules)
> >>  2829108 - ETPRO TROJAN MSIL/Tiny.R CnC Checkin (Infoback)
> >> (trojan.rules)
> >>  2829109 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc
> >> DL)
> >> (current_events.rules)
> >>  2829110 - ETPRO TROJAN Win32/Crimson Variant CnC Checkin
> >> (trojan.rules)
> >>  2829111 - ETPRO CURRENT_EVENTS Successful Generic Webmail Phish
> >> 2017-12-29 (current_events.rules)
> >>  2829112 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> >> (2017-12-29 1) (trojan.rules)
> >>  2829113 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> >> (2017-12-29 2) (trojan.rules)
> >>  2829114 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> >> (2017-12-29 3) (trojan.rules)
> >>  2829115 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> >> (2017-12-29 4) (trojan.rules)
> >>  2829116 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> >> (2017-12-29 5) (trojan.rules)
> >>  2829117 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> >> (2017-12-29 6) (trojan.rules)
> >>
> >>
> >> [///]     Modified active rules:     [///]
> >>
> >>  2814624 - ETPRO TROJAN XtremeRAT CnC Beacon 1 (trojan.rules)
> >>
> >>
> >> --
> >> PGP: 0xBED7B297
> >> <https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
> >>
> >> _______________________________________________
> >> Etpro-sigs mailing list
> >> Etpro-sigs at lists.emergingthreats.net
> >> https://lists.emergingthreats.net/mailman/listinfo/etpro-sigs
> >>
> >>
> >
> > _______________________________________________
> > Etpro-sigs mailing list
> > Etpro-sigs at lists.emergingthreats.net
> > https://lists.emergingthreats.net/mailman/listinfo/etpro-sigs
> >
> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/
> attachments/20180102/8ca12802/attachment-0001.html>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 2 Jan 2018 15:13:51 -0700
> From: Travis Green <tgreen at emergingthreats.net>
> To: "emerging-sigs at emergingthreats.net"
>         <emerging-sigs at emergingthreats.net>,  Emerging-updates redirect
>         <emerging-updates at emergingthreats.net>,  ETPro-sigs List
>         <etpro-sigs at emergingthreatspro.com>
> Subject: [Emerging-Sigs] Daily Ruleset Update Summary 2018/01/02
> Message-ID:
>         <CAKgkF6md9igUz=9XRA9aujTunDL8S=h_vRyhBZ1Ek4niFDPO6w at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> [***]            Summary:            [***]
>
> 3 new Open, 25 new Pro (3 + 22). Win32/CoinMining Loader, Xtrat/XtremeRAT,
> Various Phishing.
>
>
> [+++]          Added rules:          [+++]
>
> Open:
>
>  2025178 - ET TROJAN Sharik/Smoke CnC Beacon 9 (trojan.rules)
>  2025179 - ET TROJAN Qasar Variant Domain (datapeople-cn .com in DNS
> Lookup) (trojan.rules)
>  2025180 - ET CURRENT_EVENTS Possible Successful Generic Phish (set)
> 2018-01-02 (current_events.rules)
>
> Pro:
>
>  2829118 - ETPRO TROJAN Win32/CoinMining Loader CnC Checkin (trojan.rules)
>  2829119 - ETPRO CURRENT_EVENTS Successful Citizens Bank Phish 2018-01-02
> M1 (current_events.rules)
>  2829120 - ETPRO CURRENT_EVENTS Successful Citizens Bank Phish 2018-01-02
> M2 (current_events.rules)
>  2829121 - ETPRO CURRENT_EVENTS Successful Citizens Bank Phish 2018-01-02
> M3 (current_events.rules)
>  2829122 - ETPRO CURRENT_EVENTS Successful DHL Phish 2018-01-02
> (current_events.rules)
>  2829123 - ETPRO CURRENT_EVENTS Successful Amazon Cancel Order Phish
> 2018-01-02 (current_events.rules)
>  2829124 - ETPRO CURRENT_EVENTS Successful Orange.fr Phish 2018-01-02
> (current_events.rules)
>  2829125 - ETPRO CURRENT_EVENTS Suspicious AutoIt EXE Download (Observed
> in Maldoc Campaign Dropping Xtrat) (current_events.rules)
>  2829126 - ETPRO CURRENT_EVENTS Successful Netflix (BR) Phish 2018-01-02
> (current_events.rules)
>  2829127 - ETPRO CURRENT_EVENTS Successful Dropbox (CN) Phish 2018-01-02 M1
> (current_events.rules)
>  2829128 - ETPRO CURRENT_EVENTS Successful Dropbox (CN) Phish 2018-01-02 M2
> (current_events.rules)
>  2829129 - ETPRO TROJAN Xtrat/XtremeRAT Google PING Connectivity Check
> (trojan.rules)
>  2829130 - ETPRO CURRENT_EVENTS MalDoc Retrieving EXE Payload 2018-01-02
> (current_events.rules)
>  2829131 - ETPRO CURRENT_EVENTS Successful SFR Account Phish 2018-01-02
> (current_events.rules)
>  2829132 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2018-01-02 1) (trojan.rules)
>  2829133 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2018-01-02 2) (trojan.rules)
>  2829134 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2018-01-02 3) (trojan.rules)
>  2829135 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2018-01-02 4) (trojan.rules)
>  2829136 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2018-01-02 5) (trojan.rules)
>  2829137 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2018-01-02 6) (trojan.rules)
>  2829138 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2018-01-02 8) (trojan.rules)
>  2829139 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
> (2018-01-02 9) (trojan.rules)
>
>
> [///]     Modified active rules:     [///]
>
>  2018401 - ET TROJAN Win32.Kazy Checkin (trojan.rules)
>  2022730 - ET INFO PhishMe.com Phishing Landing Exercise (info.rules)
>  2023712 - ET CURRENT_EVENTS Paypal Phishing Landing Jan 09 2017
> (current_events.rules)
>  2024583 - ET CURRENT_EVENTS Possible YapiKredi Bank (TR) Phishing Landing
> - Title over non SSL (current_events.rules)
>  2024705 - ET CURRENT_EVENTS Apple Phishing Landing M3 Sep 14 2017
> (current_events.rules)
>  2814624 - ETPRO TROJAN XtremeRAT CnC Beacon 1 (trojan.rules)
>  2815129 - ETPRO CURRENT_EVENTS Possible Base64 Obfuscated Phishing Landing
> 2015-11-30 (current_events.rules)
>  2816734 - ETPRO CURRENT_EVENTS Obfuscated Chase Phishing Landing
> 2016-03-23 (current_events.rules)
>  2816790 - ETPRO CURRENT_EVENTS L33bo Phishing Landing 2016-03-29
> (current_events.rules)
>  2821737 - ETPRO TROJAN Babylon RAT C2 Client Request (trojan.rules)
>  2822442 - ETPRO CURRENT_EVENTS Multibank Phishing Landing/Redirect (NL) M1
> 2016-10-06 (current_events.rules)
>  2822443 - ETPRO CURRENT_EVENTS SNS Bank Phishing Landing/Redirect (NL) M1
> 2016-10-06 (current_events.rules)
>  2822444 - ETPRO CURRENT_EVENTS SNS Bank Phishing Landing/Redirect/ (NL) M2
> 2016-10-06 (current_events.rules)
>  2822445 - ETPRO CURRENT_EVENTS ASN/Regio Bank Phishing Landing/Redirect
> (NL) M1 2016-10-06 (current_events.rules)
>  2822446 - ETPRO CURRENT_EVENTS ASN/Regio Bank Phishing Landing/Redirect
> (NL) M2 2016-10-06 (current_events.rules)
>  2822447 - ETPRO CURRENT_EVENTS Multibank Phishing Landing/Redirect (NL) M2
> 2016-10-06 (current_events.rules)
>  2823939 - ETPRO CURRENT_EVENTS Obfuscated Phishing Landing Dec 18 2016
> (current_events.rules)
>  2823940 - ETPRO TROJAN Google Docs Phishing Landing Dec 18 2016
> (trojan.rules)
>  2823945 - ETPRO CURRENT_EVENTS Microsoft Office Phishing Landing Dec 18
> 2016 (current_events.rules)
>  2824565 - ETPRO CURRENT_EVENTS DHL Phishing Landing Jan 20 2017
> (current_events.rules)
>  2824614 - ETPRO CURRENT_EVENTS Paypal Phishing Landing Jan 24 2017
> (current_events.rules)
>  2824792 - ETPRO CURRENT_EVENTS Banco Itau Phishing Landing Javascript Feb
> 06 2017 (current_events.rules)
>  2825147 - ETPRO CURRENT_EVENTS Possible Sparkasse Bank Phishing Landing
> Feb 27 2017 (current_events.rules)
>  2828073 - ETPRO CURRENT_EVENTS Successful Raiffeisen Bank Phishing
> Landing / Fake Android App Sep 27 2017 (current_events.rules)
>  2829110 - ETPRO TROJAN Win32/Crimson Variant CnC Checkin (trojan.rules)
>
>
> [---]         Removed rules:         [---]
>
>  2014571 - ET TROJAN HTTP Request to a a known malware domain (sektori.org)
> (trojan.rules)
>  2828164 - ETPRO MOBILE_MALWARE ANDROIDOS_HIDDENAPP.HRXZ Checkin
> (mobile_malware.rules)
>
>
> --
> PGP: 0xBED7B297
> <https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
>
> ------------------------------
>
>
>
> ------------------------------
>
> End of Emerging-sigs Digest, Vol 122, Issue 1
> *********************************************
>


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
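The false positive in this thread comes down to how the signature tests the User-Agent header: a match written for an adware User-Agent containing ROGUE also hits the legitimate value "RogueKiller". The script below is an added example, not the ET rule and not code from anyone on the list. The actual content match of sid 2002405 is not quoted on this page, so loose_match() and strict_match() are assumed matchers chosen to show the mechanism; the RogueKiller request is rebuilt from the pcap text above, and the adware request is constructed because the Internet Optimizer User-Agent string is not on the page.

```python
"""Added example: how a loose User-Agent match produces the FP above.

The real content match of sid 2002405 is not on the page; loose_match()
and strict_match() are assumed matchers that show the mechanism.
"""
from typing import Optional

# Request quoted in the report above (rebuilt from the pcap text).
ROGUEKILLER_REQUEST = (
    b"GET /json/10.0.0.34 HTTP/1.1\r\n"
    b"Connection: Keep-Alive\r\n"
    b"User-Agent: RogueKiller\r\n"
    b"Host: ip-api.com\r\n"
    b"\r\n"
)

# Constructed stand-in for the adware the rule targets; the actual Internet
# Optimizer User-Agent string is not on the page.
ADWARE_REQUEST = (
    b"GET /update HTTP/1.1\r\n"
    b"User-Agent: ROGUE\r\n"
    b"Host: example.invalid\r\n"
    b"\r\n"
)


def user_agent(request: bytes) -> Optional[str]:
    """Return the User-Agent value from a complete HTTP/1.x request head,
    or None if the head is not terminated or carries no User-Agent."""
    head, sep, _body = request.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block not terminated: do not guess
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return None


def loose_match(request: bytes) -> bool:
    """Case-insensitive substring test, the effect of a content:"ROGUE"; nocase;
    style match on the header. Fires on "RogueKiller" as well as "ROGUE"."""
    ua = user_agent(request)
    return ua is not None and "rogue" in ua.lower()


def strict_match(request: bytes) -> bool:
    """Whole-value, case-sensitive test: the header must be exactly "ROGUE"."""
    return user_agent(request) == "ROGUE"


def classify(request: bytes) -> dict:
    """Summarise how each matcher treats one request."""
    return {
        "user_agent": user_agent(request),
        "loose": loose_match(request),
        "strict": strict_match(request),
    }


if __name__ == "__main__":
    for label, req in (("RogueKiller", ROGUEKILLER_REQUEST), ("adware", ADWARE_REQUEST)):
        print(label, classify(req))
```

The loose matcher flags both requests; the strict one flags only the constructed adware request. In Snort/Suricata rule syntax the usual way to get the strict behaviour is to anchor the content to the end of the header line, for example content:"User-Agent|3a 20|ROGUE|0d 0a|"; http_header; (general rule-writing practice, not necessarily the exact change Travis made to 2002405).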


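Duane's observation in the quoted digest (two sids sharing one reference:md5 while naming different malware families) is the kind of inconsistency a small lint over the rule file catches before a push. The script below is an added example, not an Emerging Threats tool. The two rule lines in SAMPLE_RULES are constructed placeholders: the sids, msg text and hashes are taken from the thread, while the rule headers and the content option are invented stand-ins. The family heuristic (third token of an ET msg) is an assumption about ET naming, and replace_md5() applies the correction Jack describes for 2829110.

```python
"""Added example: lint a rule file for sids that share a reference:md5 hash
but name different malware families in msg (the mismatch Duane spotted).

SAMPLE_RULES is constructed: sids, msg text and hashes come from the thread;
the rule headers and the content option are invented placeholders.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN MSIL/Tiny.R CnC Checkin (Infoback)"; flow:established,to_server; content:"placeholder"; reference:md5,7c60ce8d44e21fcddd5214e93db7602e; classtype:trojan-activity; sid:2829108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Win32/Crimson Variant CnC Checkin"; flow:established,to_server; content:"placeholder"; reference:md5,7c60ce8d44e21fcddd5214e93db7602e; classtype:trojan-activity; sid:2829110; rev:1;)
"""

MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r'\bsid:(\d+)\s*;')
MD5_RE = re.compile(r'\breference:md5,([0-9a-fA-F]{32})\s*;')
# Heuristic (assumption): ET msgs read "ET[PRO] <CATEGORY> <Family> ...",
# so the family is the third whitespace-separated token.
FAMILY_RE = re.compile(r'^ET(?:PRO)?\s+\S+\s+(\S+)')


def parse_rules(text: str) -> List[dict]:
    """Extract sid, msg, family and md5 references from each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        msg, sid = MSG_RE.search(line), SID_RE.search(line)
        if not (msg and sid):
            continue  # not a rule we can attribute; skip rather than guess
        fam = FAMILY_RE.match(msg.group(1))
        rules.append({
            "sid": int(sid.group(1)),
            "msg": msg.group(1),
            "family": fam.group(1) if fam else None,
            "md5s": {h.lower() for h in MD5_RE.findall(line)},
        })
    return rules


def md5_conflicts(rules: List[dict]) -> List[Tuple[str, List[Tuple[int, Optional[str]]]]]:
    """Return (hash, [(sid, family), ...]) for every hash that is referenced
    by rules which disagree on the family name."""
    by_hash: Dict[str, List[Tuple[int, Optional[str]]]] = defaultdict(list)
    for r in rules:
        for h in r["md5s"]:
            by_hash[h].append((r["sid"], r["family"]))
    return [
        (h, sorted(owners))
        for h, owners in sorted(by_hash.items())
        if len({fam for _, fam in owners}) > 1
    ]


def replace_md5(text: str, sid: int, new_md5: str) -> str:
    """Rewrite the md5 reference on the rule carrying `sid` and return the
    corrected rule text (the fix Jack describes for 2829110)."""
    out = []
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m and int(m.group(1)) == sid:
            line = MD5_RE.sub(f"reference:md5,{new_md5};", line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for h, owners in md5_conflicts(parse_rules(SAMPLE_RULES)):
        print(f"md5 {h} shared by: {owners}")
    fixed = replace_md5(SAMPLE_RULES, 2829110, "786075ed272ea549bbe3b29da354de43")
    print("conflicts after fix:", md5_conflicts(parse_rules(fixed)))
```

Run against the constructed pair it reports the shared hash with both sids and families; after replace_md5() moves 2829110 to the hash Jack gives, the conflict list is empty. A hash legitimately shared by two rules for the same family (two checkin variants of one sample) is not flagged, which is the intended behaviour of the family comparison.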