[Emerging-updates] Daily Update Summary 15/1/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Sat Jan 15 11:30:40 EST 2011

[+++]          Added rules:          [+++]

 2012177 - ET CURRENT_EVENTS p2pshares.org Related Malware (emerging-current_events.rules)

Added to the sister sig for p2pshare.org. It's a bad one if you get hits on this. Seeing several different strains of malware pushed via here.

 2012178 - ET TROJAN Carberp CnC request POST /set/task.html (emerging-trojan.rules)

An old sig refined, should be quite reliable now.

 2012180 - ET USER_AGENTS Suspicious User Agent no space (emerging-user_agents.rules)

Experimental, but should be very interesting! Please report your experience with this.

 2012179 - ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt (emerging-web_client.rules)
 2012181 - ET WEB_SPECIFIC_APPS Nucleus action.php Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
 2012182 - ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
 2012184 - ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
 2012185 - ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt (emerging-web_specific_apps.rules)
 2012186 - ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt (emerging-web_specific_apps.rules)
 2012187 - ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site Scripting Attempt (emerging-web_specific_apps.rules)
 2012188 - ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt (emerging-web_specific_apps.rules)
 2012189 - ET WEB_SPECIFIC_APPS phpscripte24 Vor und Ruckwarts Auktions System Blind SQL Injection Attempt (emerging-web_specific_apps.rules)
 2012190 - ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter Cross Site Scripting Attempt (emerging-web_specific_apps.rules)
 2012191 - ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site Scripting Attempt (emerging-web_specific_apps.rules)
 2012192 - ET ACTIVEX NewV SmartClient NewvCommon.ocx DelFile Method Arbitrary File Deletion Attempt (emerging-activex.rules)
 2012193 - ET EXPLOIT Lexmark Printer RDYMSG Cross Site Scripting Attempt (emerging-exploit.rules)
 2012194 - ET ACTIVEX Real Networks RealPlayer SP RecordClip Method Remote Code Execution Attempt (emerging-activex.rules)

A slew of the usual. I don't think any of these will be a FP issue.

Now a set of ET Pro rules. 

 2801252 - ETPRO CURRENT_EVENTS Win32.Renos Trojan Checkin (current_events.rules)
 2801253 - ETPRO EXPLOIT Microsoft Office XP URL Handling Buffer Overflow (exploit.rules)
 2801254 - ETPRO TROJAN Backdoor.Win32.Zewit.A Activity (trojan.rules)
 2801255 - ETPRO ACTIVEX Microsoft Windows Data Access Components ADO Record Code Execution (activex.rules)
 2801256 - ETPRO ACTIVEX Microsoft Windows Data Access Components ADO Record Code Execution (activex.rules)
 2801257 - ETPRO EXPLOIT Microsoft Sharepoint Document Conversions Launcher Code Execution (exploit.rules)
 2801258 - ETPRO WORM Worm.Win32.Busifom.A Runtime Detection (worm.rules)
 2801260 - ETPRO TROJAN Backdoor.Win32.Meciv.A Checkin 1 exploits CVE-2010-3333 (trojan.rules)
 2801261 - ETPRO TROJAN Malware Backdoor.Win32.Meciv.A Checkin 2 exploits CVE-2010-3333 (trojan.rules)

All should be reliable, and the Office ones especially are of high importance. We recommend pushing these asap!

[///]     Modified active rules:     [///]

 2009678 - ET WEB_SERVER Possible DD-WRT Metacharacter Injection Command Execution Attempt (web_server.rules)
 2012132 - ET CURRENT_EVENTS p2pshare.org Malware Related Activity (current_events.rules)
 2012139 - ET TROJAN Storm/Waledac 3.0 Checkin 2 (trojan.rules)
 2012149 - ET WEB_CLIENT MS10-090 IE CSS Exploit Metasploit POC Specific Unicoded (web_client.rules)
 2012172 - ET USER_AGENTS Suspicious User-Agent mrgud (user_agents.rules)
 2012174 - ET EXPLOIT Microsoft Windows Common Control Library Heap Buffer Overflow (exploit.rules)
 2801240 - ETPRO WEB_CLIENT Internet Explorer Memory Corruption in Microsoft Data Access Object (web_client.rules)
 2801244 - ETPRO EXPLOIT CA ARCserve D2D Axis2 Default Credentials Remote Code Execution (exploit.rules)
 2801251 - ETPRO TROJAN Win32.Refroso CnC Response from Server (trojan.rules)

Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
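The "Suspicious User Agent no space" rule (2012180) above is described only by its title, so the following is an added example, not the ET rule's own content or the project's code: it assumes the heuristic the title implies, namely that a User-Agent header value containing no whitespace is unusual for a real browser (browser UAs are several space-separated product tokens), and runs that check over a few constructed raw HTTP requests. Request paths and the "mrgud" agent string are taken from rule titles on this page; the hosts and the allowlist of tool prefixes are assumptions for the example.

```python
"""Flag HTTP requests whose User-Agent header contains no whitespace.

Assumption (example only, not the ET rule): the rule title
'Suspicious User Agent no space' suggests matching User-Agent values
with no space in them; common browser agents always contain spaces.
"""

# Constructed sample requests (not captured traffic). Paths and the
# 'mrgud' agent come from rule titles in the update; hosts are made up.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6\r\n\r\n",
    "POST /set/task.html HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "User-Agent: Mozilla/4.0\r\nContent-Length: 0\r\n\r\n",
    "GET /update HTTP/1.1\r\nHost: 192.0.2.11\r\nUser-Agent: mrgud\r\n\r\n",
    "GET /pkg.tar.gz HTTP/1.1\r\nHost: mirror.example.test\r\nUser-Agent: Wget/1.12\r\n\r\n",
    "GET /img.png HTTP/1.1\r\nHost: example.test\r\nUser-Agent:   \r\n\r\n",
    "GET /noua HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

# Assumed tuning knob: spaceless agents of common command-line tools are
# expected in many environments and would otherwise fire on every hit.
DEFAULT_ALLOWLIST = ("curl/", "Wget/")


def extract_user_agent(raw_request):
    """Return the User-Agent value from a raw HTTP request, or None if absent.

    Only the header block (before the first blank line) is inspected, and
    the request line itself is skipped so a path cannot masquerade as a header.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return None


def is_spaceless_user_agent(ua, allowlist=DEFAULT_ALLOWLIST):
    """True when the UA is non-empty, has no whitespace, and is not allowlisted.

    An empty or missing header is a different signal and is not flagged here.
    """
    if not ua:
        return False
    if any(ch.isspace() for ch in ua):
        return False
    return not ua.startswith(allowlist)


def find_suspicious(requests, allowlist=DEFAULT_ALLOWLIST):
    """Return (request_line, user_agent) for each request whose UA has no space."""
    hits = []
    for raw in requests:
        request_line = raw.split("\r\n", 1)[0]
        ua = extract_user_agent(raw)
        if is_spaceless_user_agent(ua, allowlist):
            hits.append((request_line, ua))
    return hits


if __name__ == "__main__":
    for request_line, ua in find_suspicious(SAMPLE_REQUESTS):
        print(f"{request_line!r}: suspicious User-Agent {ua!r}")
```

Running it flags the "Mozilla/4.0" and "mrgud" requests and leaves the browser, Wget, empty-header and no-header requests alone. The allowlist is where the false-positive cost of a heuristic like this is paid: monitoring agents, updaters and scripted clients in your own environment often send spaceless agent strings, so tuning it per site is what makes the rule's hit list worth reading.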
