[Emerging-updates] Daily Ruleset Update Summary 4/20/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Apr 20 16:17:34 EDT 2011


Lots of good malware today, and an update to the CI-Army ruleset. 


[+++]          Added rules:          [+++]

 2012694 - ET POLICY request to .xxx TLD (policy.rules)
 2012695 - ET USER_AGENTS suspicious User Agent (Lotto) (user_agents.rules)


And the ET Pro rules:

 2802046 - ETPRO TROJAN Backdoor.Win32.XDAPR.A Checkin (trojan.rules)
 2802047 - ETPRO TROJAN Backdoor.Win32.Vertexbot.B Checkin (trojan.rules)
 2802048 - ETPRO TROJAN Trojan.Win32.Managee.A Checkin (trojan.rules)
 2802049 - ETPRO TROJAN Backdoor.Win32.Sbtob.A Checkin (trojan.rules)
 2802052 - ETPRO TROJAN Backdoor.Win32.WhiteGBlgr.A Checkin (trojan.rules)
 2802053 - ETPRO TROJAN Trojan.Win32.SharkQWT.A Checkin 1 (trojan.rules)
 2802054 - ETPRO TROJAN Trojan.Win32.SharkQWT.A Checkin 2 (trojan.rules)
 2802055 - ETPRO TROJAN Trojan.Win32.SharkQWT.A Checkin 3 (trojan.rules)
 2802056 - ETPRO TROJAN Backdoor.Win32.Knockwxp.A Checkin (trojan.rules)
 2802057 - ETPRO TROJAN Backdoor.Win32.Knockwxp.A Checkin (trojan.rules)
 2802058 - ETPRO TROJAN Win32.AutoRun.cftw Checkin (trojan.rules)
 2802059 - ETPRO TROJAN Win32.Bankwabfoto.A Checkin (trojan.rules)
 2802061 - ETPRO TROJAN Win32.Banker.bjxx Checkin flowbit set (trojan.rules)
 2802062 - ETPRO TROJAN Win32.Banker.bjxx Checkin (trojan.rules)
 2802063 - ETPRO TROJAN Win32.UFRStealer.A issuing MKD command FTP (trojan.rules)
 2802064 - ETPRO TROJAN Win32.UFRStealer.A Sending stolen info via FTP (trojan.rules)
 2802065 - ETPRO TROJAN Win32.UFRStealer.A issuing CD command via FTP (trojan.rules)
 2802066 - ETPRO USER_AGENTS Trojan-Downloader.Win32.Diple.A User-Agent (user_agents.rules)
 2802067 - ETPRO WEB_CLIENT Microsoft Excel Office Drawing Layer Remote Code Execution (web_client.rules)
 2802068 - ETPRO WEB_CLIENT Microsoft Internet Explorer Object Management Memory Corruption 2 (web_client.rules)
 2802069 - ETPRO WEB_CLIENT Microsoft Internet Explorer Object Management Memory Corruption (web_client.rules)


[+++]         Enabled rules:         [+++]

Enabled as per discussion on the lists; high value rule.

 2012628 - ET CURRENT_EVENTS Java Exploit Attempt Request for .id from octal host (current_events.rules)


[///]     Modified active rules:     [///]

Just some fast pattern adjustments here for some versions:

 2012261 - ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-8 Encoding (web_client.rules)
 2012262 - ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-16 Encoding (web_client.rules)
 2012263 - ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding (web_client.rules)
 2012264 - ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-8 Encoding (web_client.rules)
 2012265 - ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-16 Encoding (web_client.rules)
 2012266 - ET WEB_CLIENT Hex Obfuscation of unescape % Encoding (web_client.rules)
 2012267 - ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-8 Encoding (web_client.rules)
 2012268 - ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-16 Encoding (web_client.rules)
 2012269 - ET WEB_CLIENT Hex Obfuscation of substr % Encoding (web_client.rules)
 2012270 - ET WEB_CLIENT Hex Obfuscation of substr %u UTF-8 Encoding (web_client.rules)
 2012271 - ET WEB_CLIENT Hex Obfuscation of substr %u UTF-16 Encoding (web_client.rules)
 2012272 - ET WEB_CLIENT Hex Obfuscation of eval % Encoding (web_client.rules)
 2012273 - ET WEB_CLIENT Hex Obfuscation of eval %u UTF-8 Encoding (web_client.rules)
 2012274 - ET WEB_CLIENT Hex Obfuscation of eval %u UTF-16 Encoding (web_client.rules)


[---]         Removed rules:         [---]

Moved to deleted.

 2009076 - ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF) (current_events.rules)

----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc