[Emerging-Sigs] Daily Ruleset Update Summary 2018/01/09

Travis Green tgreen at emergingthreats.net
Tue Jan 9 13:01:25 HST 2018


[***]            Summary:            [***]

7 Open, 18 new Pro (7 + 11). Spectre Exploit Javascript,
Win32/CoinMiner.AQL, MAPP, Various Phishing.

January MAPP Coverage:
CVE-2018-0762 -> 2829230

[+++]          Added rules:          [+++]

Open:

 2025188 - ET WEB_CLIENT Spectre Exploit Javascript (web_client.rules)
 2025189 - ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.ml) (info.rules)
 2025190 - ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.gdn) (info.rules)
 2025191 - ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.gq) (info.rules)
 2025192 - ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.ga) (info.rules)
 2025193 - ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.cf) (info.rules)
 2025194 - ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) (info.rules)

Pro:

 2829220 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-01-09 (current_events.rules)
 2829221 - ETPRO CURRENT_EVENTS MalDoc Retrieving EXE Payload 2018-01-09 (current_events.rules)
 2829222 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL) (trojan.rules)
 2829223 - ETPRO TROJAN Win32/CoinMiner.AQL Checkin Observed (trojan.rules)
 2829224 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-09 1) (trojan.rules)
 2829225 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-09 2) (trojan.rules)
 2829226 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-09 3) (trojan.rules)
 2829227 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-09 4) (trojan.rules)
 2829228 - ETPRO TROJAN Observed Malicious SSL Cert (Dridex CnC) (trojan.rules)
 2829229 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-09 5) (trojan.rules)
 2829230 - ETPRO WEB_CLIENT MS IE 11 Type Confusion RCE (CVE-2018-0762) (web_client.rules)


[///]     Modified active rules:     [///]

 2010001 - ET EXPLOIT xp_enumerrorlogs access (exploit.rules)
 2010002 - ET EXPLOIT xp_readerrorlogs access (exploit.rules)
 2010003 - ET EXPLOIT xp_enumdsn access (exploit.rules)
 2014726 - ET POLICY Outdated Flash Version M1 (policy.rules)
 2021659 - ET TROJAN APT Cheshire Cat DNS Lookup (groupdive. com) (trojan.rules)
 2024379 - ET POLICY Outdated Flash Version M2 (policy.rules)


[///]    Modified inactive rules:    [///]

 2000419 - ET POLICY PE EXE or DLL Windows file download Non-HTTP (policy.rules)


[---]         Disabled rules:        [---]

 2011511 - ET DOS ntop Basic-Auth DOS inbound (dos.rules)
 2011512 - ET DOS ntop Basic-Auth DOS outbound (dos.rules)
 2012938 - ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt (dos.rules)
 2013462 - ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt (dos.rules)
 2013463 - ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt Format String Function Call (dos.rules)
 2014384 - ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt (dos.rules)
 2014430 - ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT (dos.rules)
 2014431 - ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt (dos.rules)
 2014662 - ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt (dos.rules)
 2014663 - ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt (dos.rules)
 2015793 - ET CURRENT_EVENTS Scalaxy Java Exploit 10/11/12 (current_events.rules)
 2015812 - ET CURRENT_EVENTS SofosFO Jar file 10/17/12 (current_events.rules)
 2015840 - ET CURRENT_EVENTS Unknown Exploit Kit Landing Page (current_events.rules)
 2015841 - ET CURRENT_EVENTS Unknown Exploit Kit Landing Page (current_events.rules)
 2015866 - ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow (current_events.rules)
 2015867 - ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow (current_events.rules)
 2015876 - ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12 (current_events.rules)
 2015883 - ET CURRENT_EVENTS Java Exploit Campaign SetAttribute Java Applet (current_events.rules)
 2015921 - ET CURRENT_EVENTS Spam Campaign JPG CnC Link (current_events.rules)
 2015955 - ET CURRENT_EVENTS PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK) (current_events.rules)
 2015997 - ET CURRENT_EVENTS Fake Google Chrome Update/Install (current_events.rules)
 2016001 - ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs) (current_events.rules)
 2016022 - ET CURRENT_EVENTS MALVERTISING FlashPost - Redirection IFRAME (current_events.rules)
 2016098 - ET CURRENT_EVENTS Drupal Mass Injection Campaign Inbound (current_events.rules)
 2016099 - ET CURRENT_EVENTS Drupal Mass Injection Campaign Outbound (current_events.rules)
 2100261 - GPL DNS named overflow attempt (dns.rules)
 2100315 - GPL EXPLOIT x86 Linux mountd overflow (exploit.rules)
 2100319 - GPL EXPLOIT bootp x86 linux overflow (exploit.rules)
 2100571 - GPL EXPLOIT ttdbserv Solaris overflow (exploit.rules)
 2101261 - GPL EXPLOIT AIX pdnsd overflow (exploit.rules)
 2101327 - GPL EXPLOIT ssh CRC32 overflow (exploit.rules)
 2101751 - GPL EXPLOIT cachefsd buffer overflow attempt (exploit.rules)
 2101900 - GPL EXPLOIT successful kadmind buffer overflow attempt (exploit.rules)
 2101901 - GPL EXPLOIT successful kadmind buffer overflow attempt (exploit.rules)
 2102318 - GPL EXPLOIT CVS non-relative path access attempt (exploit.rules)
 2800002 - ETPRO EXPLOIT CVS Entry Line Flag Remote Heap Overflow (exploit.rules)
 2800003 - ETPRO EXPLOIT CVS Entry Line Flag Remote Heap Overflow (exploit.rules)
 2800611 - ETPRO EXPLOIT Windows Oracle Application Server Forms Arbitrary System Command Execution (exploit.rules)
 2800614 - ETPRO EXPLOIT Ipswitch WS_FTP Server FTP Commands Buffer Overflow (XSHA1) (exploit.rules)
 2800629 - ETPRO EXPLOIT 3Com TFTP Server Transporting Mode Remote Buffer Overflow Generic Exploit Detected (exploit.rules)
 2800630 - ETPRO EXPLOIT WEB_SERVER McAfee Multiple Products HTTP Server Header Processing Buffer Overflow (exploit.rules)
 2800639 - ETPRO EXPLOIT Cisco IOS HTTP Service HTML Injection Vulnerability (Published Exploit) (exploit.rules)
 2800646 - ETPRO EXPLOIT Microsoft Word TextBox Sub-document Memory Corruption CVE-2007-1910 (exploit.rules)
 2801212 - ETPRO DOS iCal Null pointer de-reference Count Variable (dos.rules)
 2801213 - ETPRO DOS iCal Null pointer de-reference Trigger Variable (dos.rules)
 2801214 - ETPRO DOS iCal improper resource liberation (dos.rules)
 2801241 - ETPRO DOS HP Data Protector Manager RDS Denial of Service (dos.rules)
 2802958 - ETPRO DOS Microsoft Host Integration Server snabase.exe Infinite Loop Denial of Service (Exploit Specific) (dos.rules)
 2805325 - ETPRO DOS Microsoft Remote Desktop Protocol (RDP) DoS 1 (dos.rules)
 2805326 - ETPRO DOS Microsoft Remote Desktop Protocol (RDP) DoS 2 (dos.rules)
 2805327 - ETPRO DOS Microsoft Remote Desktop Protocol (RDP) DoS 3 (dos.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>