[Emerging-updates] Daily Ruleset Update Summary 4/28/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Thu Apr 28 19:53:59 EDT 2011

We have a significant RBN ruleset update today, and some great new sigs both for the open ruleset and for Pro. 

[+++]          Added rules:          [+++]

These should be very useful for browser exploits. 

 2012731 - ET CURRENT_EVENTS Likely Redirector to Exploit Page /in/rdrct/rckt/? (current_events.rules)
 2012732 - ET CURRENT_EVENTS Unknown .ru Exploit Redirect Page (current_events.rules)

Some new user-agents and trojans from the sandnet:

 2012734 - ET USER_AGENTS Suspicious User-Agent String (AskPartnerCobranding) (user_agents.rules)
 2012735 - ET USER_AGENTS Suspicious User-Agent String (Babylon) (user_agents.rules)
 2012736 - ET TROJAN Trojan-GameThief.Win32.OnLineGames.bnye Checkin (trojan.rules)

More experimental, please give feedback:

 2012737 - ET CURRENT_EVENTS Suspicious HTTP Request to a *.cw.cm Domain (current_events.rules)
 2012738 - ET MALWARE Lookup of Chinese Dynamic DNS Provider 8866.org Likely Malware Related (malware.rules)

And the Pro rules for today, some great malware first with a rather unique CnC:

 2802087 - ETPRO TROJAN Backdoor.Win32.Quejob.evl Checkin 1 (trojan.rules)
 2802088 - ETPRO TROJAN Backdoor.Win32.Quejob.evl Checkin 2 (trojan.rules)
 2802092 - ETPRO TROJAN Trojan.Win32.VBKrypt.cugq Checkin (trojan.rules)
 2802093 - ETPRO USER_AGENTS Trojan.Win32.VBKrypt.cugq User-Agent (user_agents.rules)
 2802094 - ETPRO TROJAN Trojan.Win32.TMaquina.A Checkin (trojan.rules)
 2802095 - ETPRO TROJAN Trojan.Win32.Pirminay.A Checkin (trojan.rules)

And some new exploits (in the same old apps....)

 2802089 - ETPRO EXPLOIT IBM Tivoli Directory Server ibmslapd.exe Integer Overflow (exploit.rules)
 2802090 - ETPRO EXPLOIT CA Total Defense Suite UNCWS UnassignFunctionalRoles Stored Procedure SQL Injection 1 (exploit.rules)
 2802091 - ETPRO EXPLOIT CA Total Defense Suite UNCWS UnassignFunctionalRoles Stored Procedure SQL Injection 2 (exploit.rules)

[///]     Modified active rules:     [///]

All performance tweaks, primarily for Suricata.

 2003494 - ET USER_AGENTS AskSearch Toolbar Spyware User-Agent (AskTBar) (user_agents.rules)
 2006381 - ET USER_AGENTS Ask.com Toolbar/Spyware User Agent (user_agents.rules)
 2011125 - ET POLICY Maxthon Browser Background Agent UA (MxAgent) (policy.rules)
 2011800 - ET USER_AGENTS Potential Avzhan DDOS Bot or abnormal User-Agent (user_agents.rules)
 2012299 - ET TROJAN W32 Bamital or Backdoor.Win32.Shiz CnC Communication (trojan.rules)
 2802083 - ETPRO ATTACK_RESPONSE MediaCast Password Dump Attack Response (attack_response.rules)

[---]         Removed rules:         [---]

Moved to Policy.

 2011125 - ET USER_AGENTS Suspicious User-Agent (MxAgent) (user_agents.rules)

Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc