[Emerging-updates] [Emerging-Sigs] Daily Update Summary 2/22/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Feb 23 20:56:30 EST 2011


Hmmm, that's an issue. 

We have a malware dropper using the same UA.

I'll disable this for now, we'll have to find another factor to look for. Thanks Martin!

matt

On Feb 23, 2011, at 4:36 PM, Martin Holste wrote:

> Massive FPs on 2801364.  Why exactly is the Google Tool Bar suspicious?
> 
> On Tue, Feb 22, 2011 at 3:58 PM, Matthew Jonkman
> <jonkman at emergingthreatspro.com> wrote:
>> Slimmer ruleset update today. Significant RBN list update is in here, as well as some more hosts in the Bot-cc list. We've added the Palevo tracker to the mix. Be sure to thank the guys at abuse.ch for the incredible work they do if you get the chance!
>> 
>> [+++]          Added rules:          [+++]
>> 
>>  2010440 - ET CURRENT_EVENTS Potential Malware Download flash-HQ-plugin exe (current_events.rules)
>>  2012332 - ET CURRENT_EVENTS Possible Fast Flux Trojan Rogue Antivirus (current_events.rules)
>>  2012333 - ET CURRENT_EVENTS Possible Neosploit Toolkit download (current_events.rules)
>> 
>> Pro rules:
>>  2801364 - ETPRO USER_AGENTS Suspicious user agent GTB (user_agents.rules)
>>  2801365 - ETPRO MALWARE Packed.Win32.Krap Checkin (malware.rules)
>>  2801366 - ETPRO MALWARE Trojan.Win32.Biter.g Checkin (malware.rules)
>>  2801367 - ETPRO TROJAN Backdoor.Win32.Talsab.B Checkin Request (trojan.rules)
>>  2801368 - ETPRO TROJAN Backdoor.Win32.Talsab.B Reporting Information (trojan.rules)
>>  2801369 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow Inbound Netbios 138 1 (netbios.rules)
>>  2801370 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow Inbound Netbios 138 2 (netbios.rules)
>>  2801371 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow Inbound Netbios 139 (netbios.rules)
>>  2801372 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow SMB (netbios.rules)
>>  2801373 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow CIFS (netbios.rules)
>>  2801374 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow Internal Netbios 138 1 (netbios.rules)
>>  2801375 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow Internal Netbios 138 2 (netbios.rules)
>>  2801376 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow Internal Netbios 139 (netbios.rules)
>>  2801377 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow Internal SMB (netbios.rules)
>>  2801378 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow Internal CIFS (netbios.rules)
>> 
>> 
>> [///]     Modified active rules:     [///]
>> 
>>  2011904 - ET CURRENT_EVENTS fast flux rogue antivirus download.php?id=2004 (current_events.rules)
>>  2011983 - ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Trojan (current_events.rules)
>> 
>> 
>> ----------------------------------------------------
>> Matthew Jonkman
>> Emergingthreats.net
>> Emerging Threats Pro
>> Open Information Security Foundation (OISF)
>> Phone 765-807-8630
>> Fax 312-264-0205
>> http://www.emergingthreatspro.com
>> http://www.openinfosecfoundation.org
>> ----------------------------------------------------
>> 
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>> 
>> 
>> 
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> 
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
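The false-positive problem above (a user-agent token shared by Google Toolbar and a malware dropper) is easy to reproduce in miniature. The following is an added example, not the ETPRO rule or any code from the Emerging Threats project: it runs a UA-only check and a UA-plus-context check over a handful of constructed HTTP requests and counts true and false positives for each. The GTB token, the destination hosts and the request paths are all made up for illustration (the paths borrow the `download.php?id=2004` and `flash-HQ-plugin` strings from the rule names in this update), and the choice of "bare-IP host plus executable-looking URI" as the additional factor is an assumption about what such a factor might be, not something the thread specifies.

```python
"""Added example: why a UA-only signature fires on legitimate toolbar traffic,
and how requiring a second factor narrows the match. Not code from the thread
or from Emerging Threats; all sample data below is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpRequest:
    host: str
    path: str
    user_agent: str
    malicious: bool  # ground truth, known only because the sample is constructed


# Constructed sample traffic (not captured data). The GTB token stands in for
# the toolbar marker the thread discusses; the dropper requests reuse it.
TOOLBAR_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; GTB7.0)"
SAMPLE_REQUESTS = [
    HttpRequest("www.google.com", "/search?q=snort", TOOLBAR_UA, False),
    HttpRequest("toolbarqueries.google.com", "/tbr?client=navclient-auto", TOOLBAR_UA, False),
    HttpRequest("203.0.113.45", "/download.php?id=2004", TOOLBAR_UA, True),
    HttpRequest("203.0.113.45", "/flash-HQ-plugin.exe", TOOLBAR_UA, True),
    HttpRequest("example.org", "/index.html", "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", False),
]

UA_TOKEN = re.compile(r"\bGTB\d")
BARE_IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumed second factor: the dropper fetches an .exe or a download.php?id= URI.
SUSPICIOUS_PATH = re.compile(r"\.exe$|/download\.php\?id=\d+$")


def ua_only(req: HttpRequest) -> bool:
    """The signature as the thread describes it: match on the UA token alone."""
    return UA_TOKEN.search(req.user_agent) is not None


def ua_plus_context(req: HttpRequest) -> bool:
    """Same UA token, but only when the destination and URI also look like the dropper."""
    return (ua_only(req)
            and BARE_IP_HOST.match(req.host) is not None
            and SUSPICIOUS_PATH.search(req.path) is not None)


def score(rule, requests):
    """Count true positives, false positives and misses for a rule over labelled requests."""
    tp = sum(1 for r in requests if rule(r) and r.malicious)
    fp = sum(1 for r in requests if rule(r) and not r.malicious)
    fn = sum(1 for r in requests if not rule(r) and r.malicious)
    return {"tp": tp, "fp": fp, "fn": fn}


if __name__ == "__main__":
    for name, rule in (("ua_only", ua_only), ("ua_plus_context", ua_plus_context)):
        print(name, score(rule, SAMPLE_REQUESTS))
```

On the constructed set the UA-only rule catches both dropper requests but also fires on both toolbar requests, which is the pattern Martin reported; the contextual rule keeps the same true positives with no false positives. Whatever the additional factor turns out to be in practice, scoring a candidate rule against labelled benign and malicious traffic like this is how to confirm it before re-enabling the signature.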