[Emerging-updates] Daily Ruleset Update Summary 4/12/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Apr 12 14:06:23 EDT 2011


Significant updates today. An update to the RBN ruleset, we removed nocase from the PDF sigs as discussed on the list, and a slew of Patch Tuesday signatures. More comments inline, but for the most up-to-date information on the new vulnerabilities for this month from Microsoft check in at the blog: http://blog.emergingthreats.net


[+++]          Added rules:          [+++]

 2012685 - ET CURRENT_EVENTS Win32/CazinoSilver Download VegasVIP_setup.exe (current_events.rules)


The Pro rules added:

 2802023 - ETPRO ACTIVEX Vulnerable IE8 Developer Toolkit COM Object Use (activex.rules)
 2802024 - ETPRO ACTIVEX Vulnerable WBEM.SingleView.1 Object clsid Access (activex.rules)
 2802025 - ETPRO ACTIVEX Vulnerable WBEM.SingleView.1 Object Access (activex.rules)


This is a particularly bad one. Local exploitation, single packet. If weaponized exploits become stable a single local infection could multiply quickly. Think worm.

 2802026 - ETPRO EXPLOIT LLMNR Name Resolution Exploit UDP (exploit.rules)
 2802027 - ETPRO EXPLOIT LLMNR Name Resolution Exploit TCP (exploit.rules)


More bad clsids...

 2802030 - ETPRO ACTIVEX Vulnerable Windows Messenger Service clsid Access (activex.rules)
 2802031 - ETPRO ACTIVEX Vulnerable Windows Messenger Service Object Access (activex.rules)


None of us like the IDS sigs for Office documents, but these ought to be reliable and not significant load.

 2802032 - ETPRO WEB_CLIENT Microsoft Excel Crafted URL Unicode Buffer Overflow (web_client.rules)
 2802033 - ETPRO WEB_CLIENT Microsoft Excel Malformed CatSerRange Record Vulnerability (web_client.rules)
 2802034 - ETPRO WEB_CLIENT Microsoft Excel Malformed SupBook Record Vulnerability (web_client.rules)
 2802035 - ETPRO WEB_CLIENT Microsoft Excel OBJ Records Vulnerability (web_client.rules)
 2802020 - ETPRO WEB_CLIENT Excel File Containing Integer Overrun Vulnerability BIFF v6 Record ToolBarDef (web_client.rules)
 2802021 - ETPRO WEB_CLIENT Excel File Containing Integer Overrun Vulnerability BIFF v5 Record ToolBarDef (web_client.rules)
 2802022 - ETPRO WEB_CLIENT Excel File Malformed Label recType BIFF5 record (web_client.rules)


This signature is horrid, no other way to put it. But it'll do the job.

 2802036 - ETPRO WEB_CLIENT Microsoft CSS swapnode Memory Corruption Vulnerability (web_client.rules)


And we hope this is the last of the MS apps that load DLLs insecurely. If you get hits on these it should be investigated quickly.

 2802037 - ETPRO NETBIOS MFC Insecure DLL Load SMD-DS Unicode (netbios.rules)
 2802038 - ETPRO NETBIOS MFC Insecure DLL Load SMB ASCII (netbios.rules)
 2802039 - ETPRO NETBIOS MFC Insecure DLL Load SMB Unicode (netbios.rules)
 2802040 - ETPRO NETBIOS MFC Insecure DLL Load SMB ASCII (netbios.rules)




[///]     Modified active rules:     [///]


Most of these are the PDF modifications to eliminate false positives. 

 2009076 - ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF) (current_events.rules)
 2010495 - ET WEB_CLIENT Possible Adobe Multimedia Doc.media.newPlayer Memory Corruption Attempt (web_client.rules)
 2010876 - ET WEB_CLIENT Foxit PDF Reader Buffer Overflow Attempt (web_client.rules)
 2010878 - ET EXPLOIT Possible Foxit PDF Reader Authentication Bypass Attempt (exploit.rules)
 2010881 - ET WEB_CLIENT PDF With Unescape Method Defined Possible Hostile Obfuscation Attempt (web_client.rules)
 2010882 - ET POLICY .pdf File Containing Javascript (policy.rules)
 2010883 - ET POLICY PDF File Containing arguments.callee in Cleartext - Likely Hostile (policy.rules)
 2010968 - ET WEB_CLIENT Possible Foxit/Adobe PDF Reader Launch Action Remote Code Execution Attempt (web_client.rules)
 2011329 - ET WEB_CLIENT Possible PDF Launch Function Remote Code Execution Attempt with Name Representation Obfuscation (web_client.rules)
 2011499 - ET WEB_CLIENT PDF With Embedded Adobe Shockwave Flash, Possibly Related to Remote Code Execution Attempt (web_client.rules)
 2011501 - ET CURRENT_EVENTS Possible Adobe CoolType Smart INdependent Glyplets - SING - Table uniqueName Stack Buffer Overflow Attempt (current_events.rules)
 2011504 - ET WEB_CLIENT String Replace in PDF File, Likely Hostile (web_client.rules)
 2011505 - ET WEB_CLIENT PDF With Embedded Flash, Possible Remote Code Execution Attempt (web_client.rules)
 2011506 - ET WEB_CLIENT PDF With eval Function - Possibly Hostile (web_client.rules)
 2011507 - ET WEB_CLIENT PDF With Embedded File (web_client.rules)
 2011865 - ET WEB_CLIENT Embedded Executable File in PDF - This Program Cannot Be Run in DOS Mode (web_client.rules)
 2011866 - ET WEB_CLIENT Suspicious Embedded Shockwave Flash In PDF (web_client.rules)
 2011868 - ET WEB_CLIENT Possible Javascript obfuscation using app.setTimeOut in PDF in Order to Run Code (web_client.rules)
 2011910 - ET WEB_CLIENT Possible Adobe Reader 9.4 this.printSeps Memory Corruption Attempt (web_client.rules)
 2012064 - ET WEB_CLIENT Foxit PDF Reader Title Stack Overflow (web_client.rules)


The below were modified to fit in some of the new MS vulnerabilities.

 2801468 - ETPRO WEB_CLIENT Insecure Library Loading Flowbit Set (web_client.rules)
 2801469 - ETPRO WEB_CLIENT Insecure Library Loading Code Execution .dll (web_client.rules)
 2801470 - ETPRO NETBIOS Insecure Library Loading .dll SMB-DS ASCII (netbios.rules)
 2801471 - ETPRO NETBIOS Insecure Library Loading .dll SMB-DS Unicode (netbios.rules)
 2801472 - ETPRO NETBIOS Insecure Library Loading .dll SMB ASCII (netbios.rules)
 2801473 - ETPRO NETBIOS Insecure Library Loading .dll SMB Unicode (netbios.rules)
 2801475 - ETPRO NETBIOS Microsoft Address Book msoeres32.dll Insecure Library Loading - SMB-DS Unicode (netbios.rules)
 2801476 - ETPRO NETBIOS Microsoft Address Book msoeres32.dll Insecure Library Loading - SMB ASCII (netbios.rules)





----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
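The nocase change mentioned at the top of the message is worth seeing in miniature. The block below is an added illustration, not Emerging Threats rule code or any real signature: it emulates a single Snort/Suricata `content:` test with and without the `nocase` modifier and runs it over two constructed PDF fragments (a benign link annotation whose URI happens to contain `/js/`, and a document carrying a `/JS` action). PDF name objects such as `/JS` and `/JavaScript` are case-sensitive, so the case-insensitive variant gains nothing on the real token and fires on the benign URI path. The rule, both sample documents and all function names are assumptions made for this example.

```python
# Added illustration (not Emerging Threats code): why dropping `nocase`
# from PDF content matches cuts false positives. A Snort/Suricata
# `content:` match is case-sensitive unless the `nocase` modifier is
# present; PDF name objects such as /JS are themselves case-sensitive,
# so a case-insensitive match only adds hits on unrelated lowercase text.

# Constructed sample documents (assumptions for this example, not real files).
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link\n"
    b"   /A << /S /URI /URI (http://www.example.com/js/app.js) >> >> endobj\n"
)

SUSPECT_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
)


def content_match(data: bytes, pattern: bytes, nocase: bool) -> bool:
    """Emulate one Snort-style 'content:' test on a raw byte buffer."""
    if nocase:
        return pattern.lower() in data.lower()
    return pattern in data


def evaluate_rule(data: bytes, nocase: bool) -> bool:
    """Toy rule (an assumption, not a real ET signature): alert when the
    buffer carries a PDF header and a /JS name token. The header check is
    always case-sensitive; only the /JS test toggles nocase."""
    return content_match(data, b"%PDF-", False) and content_match(data, b"/JS", nocase)


def compare(samples: dict) -> dict:
    """Run the rule both ways over each sample.
    Returns {name: (alert_with_nocase, alert_case_sensitive)}."""
    return {name: (evaluate_rule(d, True), evaluate_rule(d, False))
            for name, d in samples.items()}


if __name__ == "__main__":
    results = compare({"benign": BENIGN_PDF, "suspect": SUSPECT_PDF})
    for name, (with_nc, without_nc) in results.items():
        print(f"{name:8s} nocase={with_nc}  case-sensitive={without_nc}")
```

In rule syntax the two variants are `content:"/JS"; nocase;` and `content:"/JS";`. The benign document alerts only under the first form, because its lowercase `/js/` URI path satisfies the case-folded comparison; the document with a genuine `/JS` action alerts under both, so the case-sensitive form loses nothing on the literal token while removing that class of false positive.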