[Emerging-updates] Daily Ruleset Update Summary 4/18/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Apr 18 22:19:40 EDT 2011


We have an update to the RBN ruleset today, and some significant malware rules. More detail inline:

[+++]          Added rules:          [+++]

Another showmyip site in use. A good sign of infection.

 2012691 - ET POLICY Internal Host visiting Showmyipaddress.com - Possible Trojan (policy.rules)


This is a very interesting one. Microsoft is apparently replying to many automated connectivity checks with a page saying your computer is infected if the UA is a known-bad one. This sig will let you know about those.

 2012692 - ET TROJAN Microsoft user-agent automated process response to infected request (trojan.rules)


And a couple of the usual new malware sigs:

 2012693 - ET MALWARE overtls.com adware request (malware.rules)
 2802045 - ETPRO TROJAN Fakeav.clgq Checkin (trojan.rules)


[---]         Removed rules:         [---]

These were duplicates once we altered the originals to be more general.

 2008888 - ET TROJAN Gh0st Remote Access Trojan Client Connect (trojan.rules)
 2008889 - ET TROJAN Gh0st Remote Access Trojan Server Response (trojan.rules)

----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
