[Emerging-updates] Daily Update Summary 5/1/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Jan 5 16:18:15 EST 2011


Lots of new and quite important rules in today's push. RBN changed, and some new Storm/Waledac sigs. 


[+++]          Added rules:          [+++]

 2012122 - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1 (web_specific_apps.rules)
 2012123 - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2 (web_specific_apps.rules)
 2012124 - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3 (web_specific_apps.rules)
 2012125 - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4 (web_specific_apps.rules)
 2012126 - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5 (web_specific_apps.rules)
 2012127 - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6 (web_specific_apps.rules)
 2012128 - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7 (web_specific_apps.rules)
 2012129 - ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8 (web_specific_apps.rules)
 2012130 - ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion Attempt (web_specific_apps.rules)
 2012131 - ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt (web_specific_apps.rules)

The usual LFI stuff, run if you have the apps.


 2012132 - ET CURRENT_EVENTS Misc Malware Related Activity (current_events.rules)

We are seeing a very large number of samples going to p2pshare.org:999. This will catch that. Attempts to down the domain haven't worked yet.


 2012133 - ET ACTIVEX FathFTP 1.8 EnumFiles Method ActiveX Buffer Overflow (activex.rules)
 2012134 - ET ACTIVEX SigPlus Pro 3.74 ActiveX LCDWriteString Method Remote Buffer Overflow (activex.rules)
 2012145 - ET ACTIVEX Netcraft Toolbar Remote Code Execution (activex.rules)
 2012146 - ET ACTIVEX ImageShack Toolbar Remote Code Execution (activex.rules)
 2012147 - ET ACTIVEX Advanced File Vault Activex Heap Spray Attempt (activex.rules)
 2012148 - ET ACTIVEX dBpowerAMP Audio Player 2 FileExists Method ActiveX Buffer Overflow (activex.rules)

Thanks to Sujit, some good activex sigs. 


 2012135 - ET SMTP IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Attempt (smtp.rules)

Definitely relevant if you run Lotus, but this shouldn't happen regardless. So even if you're not a Lotus shop I'd run this. It's suspicious regardless.


 2012136 - ET TROJAN Waledac 2.0/Storm Worm 3.0 GET request detected (trojan.rules)
 2012137 - ET TROJAN Storm/Waledac 3.0 Checkin 1 (trojan.rules)
 2012139 - ET TROJAN Storm/Waledac 3.0 Checkin 2 (trojan.rules)

Please report falses with these. Storm is back (yeah!). 


 2012140 - ET CURRENT_EVENTS Android Trojan Command & Control Communication (current_events.rules)

Hunt this down if you get hits. Someone is on wifi with an infection. Nasty one.


 2012141 - ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active (policy.rules)

If you don't run this on purpose its presence is very very suspicious!


 2012142 - ET WEB_CLIENT AVI RIFF Chunk Access Flowbit Set (web_client.rules)
 2012143 - ET WEB_CLIENT Microsoft Windows MPEG Layer-3 Audio Decoder Buffer Overflow (web_client.rules)

Exploitation in the wild!


 2012144 - ET CURRENT_EVENTS Possible Malware Related Numerical .co Domain (current_events.rules)

Related to a sans post, and .in domain names as well.


 2012149 - ET WEB_CLIENT MS10-090 IE CSS Exploit Metasploit POC Specific Unicoded (web_client.rules)

More ways. This vuln is being exploited in the wild, and it's so easy to evade any sigs. Do NOT count on catching all attempts with any of our sigs (we have 5 now in open and pro). They are ALL evadable.


 2801212 - ET DOS iCal Null pointer de-reference Count Variable (dos.rules)
 2801213 - ET DOS iCal Null pointer de-reference Trigger Variable (dos.rules)
 2801214 - ET DOS iCal improper resource liberation (dos.rules)

So far no word of being exploitable, but still a bad thing.


 2801215 - ETPRO TROJAN Backdoor.Win32.Badpuck.A Checkin (trojan.rules)

Interesting one, reliable sig. Port 443.


 2801216 - ETPRO WEB_CLIENT Microsoft Windows Fax Services Cover Page Editor Flowbit Set (web_client.rules)
 2801217 - ETPRO WEB_CLIENT Microsoft Windows Fax Services Cover Page Editor Heap Buffer Overflow (Published Exploit) (web_client.rules)

We haven't heard of mass exploitation, but it'll be here soon I'm sure.


 2801218 - ETPRO TROJAN Backdoor.Win32.Riken.A Login via FTP (trojan.rules)
 2801219 - ETPRO TROJAN Backdoor.Win32.Riken.A Reporting via FTP (trojan.rules)

Another interesting one, up and coming star!



[///]     Modified active rules:     [///]

 2010963 - ET WEB_SERVER SELECT USER SQL Injection Attempt in URI (web_server.rules)
 2011365 - ET TROJAN Sinowal/sinonet/mebroot infected host checkin (trojan.rules)
 2011482 - ET TROJAN IMDDOS Botnet User-Agent kav (trojan.rules)

Mostly performance updates.


[///]    Modified inactive rules:    [///]

 2001342 - ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization (web_server.rules)

Reference added.


[---]         Disabled rules:        [---]

 2012075 - ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt (web_client.rules)

Falsing like mad. Easily evadable.

Sorry there's not better news today!

Matt


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
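Added example, not code from the Emerging Threats post or from the ET rule set: the condition behind rule 2012141 (ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active) is simply an IPv4 packet whose protocol field is 41, meaning an IPv6 packet is carried directly inside IPv4. The script below builds a constructed 6in4 packet, then runs a small detector over raw IPv4 bytes that flags protocol 41 and, when the inner bytes parse as IPv6, pulls out the tunnelled addresses so an analyst can see what is being carried. Packet addresses and payloads are made-up test data, and the checksum is left at zero since no stack is going to receive these bytes.

```python
"""Detect IPv6-in-IPv4 (6in4, IP protocol 41) in raw IPv4 packets.

Added example; not the Emerging Threats rule or any ET code. The sample
packets are constructed here, not captured traffic.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IANA protocol number: IPv6 encapsulated in IPv4
IPV6_NO_NEXT_HEADER = 59


def build_ipv4_packet(src, dst, proto, payload=b""):
    """Minimal IPv4 header (IHL 5, no options) followed by payload.
    Header checksum is left at zero: constructed data for the detector only."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                      # version 4, IHL 5 (20-byte header)
        0,                         # DSCP/ECN
        20 + len(payload),         # total length
        0,                         # identification
        0,                         # flags / fragment offset
        64,                        # TTL
        proto,                     # protocol (41 for 6in4)
        0,                         # header checksum (not computed)
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def build_6in4_packet(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Constructed 6in4 packet: IPv4 (proto 41) wrapping an IPv6 header."""
    ipv6_header = struct.pack(
        "!IHBB16s16s",
        0x60000000,                # version 6, traffic class 0, flow label 0
        len(payload),              # IPv6 payload length
        IPV6_NO_NEXT_HEADER,       # next header: nothing follows
        64,                        # hop limit
        ipaddress.IPv6Address(inner_src).packed,
        ipaddress.IPv6Address(inner_dst).packed,
    )
    return build_ipv4_packet(outer_src, outer_dst, IPPROTO_IPV6, ipv6_header + payload)


def detect_6in4(packet):
    """Return a dict describing the tunnel if `packet` is IPv4 with protocol 41,
    otherwise None.

    The outer protocol field alone is enough to raise the alert (which is what
    a policy rule keys on); the inner IPv6 header is parsed opportunistically
    so the report shows the tunnelled endpoints. If the inner bytes are not a
    plausible IPv6 header the packet is still flagged, with inner_valid=False,
    because protocol 41 on a network that does not run 6in4 is the finding.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                                   # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_IPV6:
        return None                                   # some other protocol
    report = {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "inner_valid": False,
    }
    inner = packet[ihl:]
    if len(inner) >= 40 and inner[0] >> 4 == 6:
        report["inner_valid"] = True
        report["inner_src"] = str(ipaddress.IPv6Address(inner[8:24]))
        report["inner_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
        report["inner_next_header"] = inner[6]
    return report


def scan(packets):
    """Run the detector over an iterable of raw IPv4 packets; yield hits."""
    return [hit for hit in map(detect_6in4, packets) if hit is not None]


if __name__ == "__main__":
    # Constructed sample traffic: one plain TCP packet, one 6in4 tunnel packet.
    samples = [
        build_ipv4_packet("192.0.2.10", "198.51.100.5", 6, b"\x00" * 20),
        build_6in4_packet("192.0.2.10", "203.0.113.77",
                          "2001:db8::10", "2001:db8::77", b"ping"),
    ]
    for hit in scan(samples):
        print("6in4 tunnel:", hit)
```

Running it prints one hit for the tunnel packet with the inner 2001:db8:: addresses; the TCP packet is ignored. To use it on real traffic, feed it the IPv4 layer of each frame from a pcap reader and treat any hit on a network where 6in4 is not deliberately deployed as the policy violation the rule describes.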