[Emerging-updates] Daily Update Summary 18/1/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Jan 18 15:35:58 EST 2011


A lot of changes today. We have a major RBN list update based on new intel. We've done a number of maintenance updates, reclasstyping a number of things, and some good new malware sigs.

[+++]          Added rules:          [+++]

 2012199 - ET CURRENT_EVENTS Possible Worm W32.Svich or Other Infection Request for setting.xls (current_events.rules)
 2012200 - ET CURRENT_EVENTS Possible Worm W32.Svich or Other Infection Request for setting.doc (current_events.rules)
 2012202 - ET CURRENT_EVENTS DNS Lookup of Known BlackEnergy DDOS Botnet CnC Server greenter.ru (current_events.rules)
 2012203 - ET CURRENT_EVENTS DNS Lookup of Known BlackEnergy DDOS Botnet CnC Server globdomain.ru (current_events.rules)

Good open rules. The last 2 may not be here long, but valuable while they are. This is a tough TLD to get domains taken down in.


 2801264 - ETPRO USER_AGENTS Unknown Malware UA RSDN (user_agents.rules)
 2801265 - ETPRO USER_AGENTS Fortunelounge.com or related Game/Spyware Installer (user_agents.rules)
 2801266 - ETPRO TROJAN Backdoor.Win32.Coofus.RFM Checkin 1 (trojan.rules)
 2801267 - ETPRO TROJAN Backdoor.Win32.Coofus.RFM Activity 2 (trojan.rules)

All 4 reliable, blockable.


 2801268 - ETPRO EXPLOIT Microsoft Office XP URL Handling Buffer Overflow (exploit.rules)
 2801269 - ETPRO WEB_CLIENT Microsoft Windows Kodak Image Viewer Flowbit Set Big Endian (web_client.rules)
 2801270 - ETPRO WEB_CLIENT Microsoft Windows Kodak Image Viewer Flowbit Set Little Endian (web_client.rules)
 2801271 - ETPRO WEB_CLIENT Microsoft Windows Kodak Image Viewer Code Execution (web_client.rules)
 2801272 - ETPRO EXPLOIT CA BrightStor ARCserve Backup Media Server SUN RPC Service Buffer Overflow (exploit.rules)

And some of the latest and greatest vulns from the pro research team!


[///]     Modified active rules:     [///]

Below we have a few performance modifications, but mostly this is the classtyping I mentioned. Nothing big here.

 2011738 - ET GAMES TeamSpeak2 Standard/Login Part 2 (games.rules)
 2012078 - ET POLICY Stunnel Encrypted Tunnel Connection Outbound (policy.rules)
 2012178 - ET TROJAN Carberp CnC request POST /set/task.html (trojan.rules)
 2800030 - ETPRO TELNET Multiple Vendor Telnet Client LINEMODE Buffer Overflow (telnet.rules)
 2800031 - ETPRO TELNET Multiple Vendor Telnet Client env_opt_add Buffer Overflow (telnet.rules)
 2800032 - ETPRO EXPLOIT BakBone NetVault Buffer Overflow (exploit.rules)
 2800033 - ETPRO WEB_CLIENT Microsoft Windows Shell MSHTA Script Execution flowbit set (web_client.rules)
 2800034 - ETPRO WEB_CLIENT Microsoft Windows Shell MSHTA Script Execution (web_client.rules)
 2800035 - ETPRO EXPLOIT CA BrightStor ARCserve Backup Universal Agent Buffer Overflow (exploit.rules)
 2800036 - ETPRO DOS Multiple Vendor ICMP Source Quench Denial of Service (dos.rules)
 2800037 - ETPRO EXPLOIT CVS Annotate Command Long Revision String Buffer Overflow (exploit.rules)
 2800038 - ETPRO SQL ORACLE HTTP Server mod_access Restriction Bypass (sql.rules)
 2800040 - ETPRO WEB_SPECIFIC_APPS MailEnable HTTP Authorization Header Buffer Overflow (web_specific_apps.rules)
 2800041 - ETPRO NETBIOS Microsoft Windows Message Queuing Buffer Overflow 1 (netbios.rules)
 2800042 - ETPRO NETBIOS Microsoft Windows Message Queuing Buffer Overflow 2 (netbios.rules)
 2800043 - ETPRO NETBIOS Microsoft Windows Message Queuing Buffer Overflow 3 (netbios.rules)
 2800044 - ETPRO NETBIOS Microsoft Windows Message Queuing Buffer Overflow 4 (netbios.rules)
 2800045 - ETPRO NETBIOS Microsoft Windows Message Queuing Buffer Overflow 5 (netbios.rules)
 2800046 - ETPRO NETBIOS Microsoft Windows Message Queuing Buffer Overflow 6 (netbios.rules)
 2800047 - ETPRO NETBIOS Microsoft Windows Message Queuing Buffer Overflow 7 (netbios.rules)
 2800048 - ETPRO NETBIOS Microsoft Windows Message Queuing Buffer Overflow 8 (netbios.rules)
 2800049 - ETPRO NETBIOS Microsoft Windows Message Queuing Buffer Overflow 9 (netbios.rules)
 2800050 - ETPRO NETBIOS Microsoft Windows Message Queuing Buffer Overflow 10 (netbios.rules)
 2800137 - ETPRO EXPLOIT Trend Micro ServerProtect SPNT Engine RPC Buffer Overflows 3 (exploit.rules)
 2800138 - ETPRO EXPLOIT Trend Micro ServerProtect SPNT Engine RPC Buffer Overflows 4 (exploit.rules)
 2800139 - ETPRO EXPLOIT Trend Micro ServerProtect EarthAgent RPC RPCFN_CopyAUSrc Buffer Overflow 1 (exploit.rules)
 2800373 - ETPRO NETBIOS Microsoft Windows Internet Printing Service Bind (netbios.rules)
 2800374 - ETPRO NETBIOS Microsoft Windows Internet Printing Service Request (netbios.rules)
 2800375 - ETPRO NETBIOS Microsoft Windows Internet Printing Service Integer Overflow (netbios.rules)
 2800376 - ETPRO NETBIOS Microsoft Windows SMB Search Request Buffer Overflow 1 (netbios.rules)
 2800377 - ETPRO NETBIOS Microsoft Windows SMB Search Request Buffer Overflow 2 (netbios.rules)
 2800378 - ETPRO WEB_CLIENT VideoLAN VLC Media Player XSPF Memory Corruption (web_client.rules)
 2800379 - ETPRO EXPLOIT Sun Solstice AdminSuite sadmind service adm_build_path Buffer Overflow high ports (exploit.rules)
 2800382 - ETPRO EXPLOIT Trend Micro OfficeScan Multiple CGI Modules HTTP Form Processing Buffer Overflow (exploit.rules)
 2800384 - ETPRO WEB_CLIENT Adobe PDF in HTTP Flowbit Set (web_client.rules)
 2800569 - ETPRO WEB_SERVER Microsoft SharePoint Server Help.aspx Denial of Service 1 (web_server.rules)
 2800570 - ETPRO WEB_SERVER Microsoft SharePoint Server Help.aspx Denial of Service 2 (web_server.rules)
 2800571 - ETPRO DOS ISC DHCP Server Zero Length Client ID Denial of Service (dos.rules)
 2800572 - ETPRO EXPLOIT iSCSI target Multiple Implementations iSNS Stack Buffer Overflow (exploit.rules)
 2800573 - ETPRO WEB_SERVER Microsoft IIS Directory Authentication Security Bypass (web_server.rules)
 2800578 - ETPRO SMTP Ipswitch IMail Server List Mailer Reply-To Address Buffer Overflow (smtp.rules)
 2800579 - ETPRO SMTP Ipswitch IMail Server Mailing List Message Subject Buffer Overflow (smtp.rules)
 2800580 - ETPRO IMAP Novell GroupWise Internet Agent IMAP Service Stack Buffer Overflow (imap.rules)
 2800581 - ETPRO EXPLOIT HP OpenView Network Node Manager webappmon.exe execvp_nc Buffer Overflow (exploit.rules)
 2800582 - ETPRO WEB_SERVER Novell Teaming ajaxUploadImageFile Remote Code Execution (web_server.rules)
 2800585 - ETPRO EXPLOIT Symantec Alert Management System HNDLRSVC Arbitrary Command Execution (exploit.rules)
 2800587 - ETPRO SQL Oracle WebLogic Server Node Manager Command Execution (sql.rules)
 2800588 - ETPRO EXPLOIT IBM Lotus Domino LDAP Heap Buffer Overflow (exploit.rules)
 2800589 - ETPRO EXPLOIT IBM Informix Dynamic Server librpc.dll Multiple Buffer Overflow 1 (exploit.rules)
 2800594 - ETPRO FTP Novell Netware FTP Server Remote Stack Buffer Overflow 1 (ftp.rules)
 2800595 - ETPRO FTP Novell Netware FTP Server Remote Stack Buffer Overflow 2 (ftp.rules)
 2800597 - ETPRO WEB_CLIENT Apple QuickTime FlashPix Movie File Integer Overflow (web_client.rules)
 2800654 - ETPRO DOS Microsoft Windows Active Directory LDAP SearchRequest Denial of Service Attempt Flowbit Set (dos.rules)
 2800794 - ETPRO NETBIOS Microsoft Windows SMB Pool Overflow Code Execution 1 (netbios.rules)
 2800795 - ETPRO NETBIOS Microsoft Windows SMB Pool Overflow Code Execution 2 (netbios.rules)
 2800796 - ETPRO NETBIOS Microsoft Windows SMB Pool Overflow Code Execution 3 (netbios.rules)
 2800797 - ETPRO NETBIOS Microsoft Windows SMB Pool Overflow Code Execution 4 (netbios.rules)
 2800798 - ETPRO WEB_SERVER Microsoft IIS Repeated Parameter Request Denial Of Service (web_server.rules)
 2800799 - ETPRO DOS OpenLDAP Modrdn RDN NULL String Denial of Service Attempt (dos.rules)
 2800840 - ETPRO WEB_CLIENT Adobe Shockwave Director dcr access (web_client.rules)
 2800841 - ETPRO WEB_CLIENT Adobe Shockwave Director pamm Chunk Memory Corruption (web_client.rules)
 2800845 - ETPRO WEB_CLIENT RealNetworks RealPlayer CDDA URI Uninitialized Pointer Code Execution (web_client.rules)
 2800850 - ETPRO WEB_SERVER Microsoft ASP.NET PKCS Padding Information Disclosure via 500 normal oracle response (web_server.rules)
 2800851 - ETPRO WEB_SERVER Microsoft ASP.NET PKCS Padding Information Disclosure via 500 abnormal oracle response (web_server.rules)
 2800854 - ETPRO EXPLOIT Oracle Java Runtime CMM readMabCurveData Buffer Overflow ICC DL (exploit.rules)
 2800855 - ETPRO EXPLOIT Oracle Java Runtime CMM readMabCurveData Buffer Overflow ICM DL (exploit.rules)
 2800856 - ETPRO EXPLOIT Oracle Java Runtime CMM readMabCurveData Buffer Overflow (exploit.rules)
 2800861 - ETPRO WEB_SPECIFIC_APPS FreePBX Recording Interface Directory Traversal (2) (web_specific_apps.rules)
 2800862 - ETPRO EXPLOIT IBM Informix Dynamic Server DBINFO Stack Buffer Overflow (exploit.rules)
 2800871 - ETPRO WEB_CLIENT Microsoft Office RTF Stack Buffer Overflow (web_client.rules)
 2800872 - ETPRO WEB_CLIENT Microsoft Office RTF Stack Buffer Overflow Trigger (web_client.rules)
 2800877 - ETPRO WEB_SPECIFIC_APPS Symantec IM Manager LoggedInUsers.lgx Definition File SQL Injection (web_specific_apps.rules)
 2800887 - ETPRO WEB_SPECIFIC_APPS Symantec IM Manager Administrative Interface rdpageimlogic.aspx SQL Injection (web_specific_apps.rules)
 2800909 - ETPRO WEB_CLIENT Adobe Reader printSeps Memory Corruption (web_client.rules)
 2800913 - ETPRO WEB_CLIENT ADOBE ActionScript SetTarget Denial of Service (web_client.rules)
 2800930 - ETPRO EXPLOIT IBM Informix Dynamic Server DBINFO Stack Buffer Overflow (exploit.rules)
 2800931 - ETPRO EXPLOIT IBM Informix Dynamic Server DBINFO Stack Buffer Overflow (exploit.rules)
 2800934 - ETPRO EXPLOIT Novell GroupWise Agents HTTP 7100 Request Remote Code Execution (exploit.rules)
 2800935 - ETPRO EXPLOIT Novell GroupWise Agents HTTP 7101 Request Remote Code Execution (exploit.rules)
 2800938 - ETPRO EXPLOIT Novell GroupWise Agents HTTP 7100 Request Remote Code Execution (exploit.rules)
 2800939 - ETPRO EXPLOIT Novell GroupWise Agents HTTP 7101 Request Remote Code Execution (exploit.rules)
 2800947 - ETPRO EXPLOIT Novell ZENworks Handheld Management ZfHIPCND.exe Buffer Overflow (exploit.rules)
 2800956 - ETPRO EXPLOIT HP Data Protector Manager MMD Service Stack Buffer Overflow (exploit.rules)
 2801178 - ETPRO EXPLOIT Microsoft IIS FTP Server Telnet IAC Buffer Overflow (exploit.rules)
 2801212 - ET DOS iCal Null pointer de-reference Count Variable (dos.rules)
 2801213 - ET DOS iCal Null pointer de-reference Trigger Variable (dos.rules)
 2801214 - ET DOS iCal improper resource liberation (dos.rules)
 2801217 - ETPRO WEB_CLIENT Microsoft Windows Fax Services Cover Page Editor Heap Buffer Overflow (Published Exploit) (web_client.rules)
 2801241 - ETPRO DOS HP Data Protector Manager RDS Denial of Service (dos.rules)
 2801242 - ETPRO EXPLOIT CA ARCserve D2D Axis2 Default Credentials (exploit.rules)
 2801257 - ETPRO EXPLOIT Microsoft Sharepoint Document Conversions Launcher Code Execution (exploit.rules)
 2010312 - ET ACTIVEX COM Object MS06-042 CLSID 21 Access Attempt (activex.rules)
 2010896 - ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad flow 2) (web_specific_apps.rules)
 2010897 - ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad flow 2) (web_specific_apps.rules)
 2011542 - ET POLICY OpenSSL Demo CA - Cryptsoft Pty (O) (policy.rules)
 2011874 - ET POLICY NSPlayer User-Agent Windows Media Player streaming detected (policy.rules)
 2012047 - ET CURRENT_EVENTS Inbound Low Orbit Ion Cannon LOIC DDOS Tool (current_events.rules)
 2012048 - ET CURRENT_EVENTS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS (current_events.rules)
 2012049 - ET CURRENT_EVENTS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string (current_events.rules)
 2012050 - ET CURRENT_EVENTS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string (current_events.rules)
 2012137 - ET TROJAN Storm/Waledac 3.0 Checkin 1 (trojan.rules)
 2800380 - ETPRO EXPLOIT Sun Solstice AdminSuite sadmind service adm_build_path Set (exploit.rules)
 2800381 - ETPRO EXPLOIT Sun Solstice AdminSuite sadmind service adm_build_path Buffer Overflow (exploit.rules)
 2800800 - ETPRO WEB_CLIENT RealNetworks RealPlayer FLV Parsing Two Integer Overflow Vulnerability 1 (web_client.rules)
 2800803 - ETPRO WEB_CLIENT RealNetworks RealPlayer FLV Parsing Two Integer Overflow Vulnerability 2 (web_client.rules)
 2800889 - ETPRO SMTP Novell GroupWise Internet Agent Content-Type Buffer Overflow (smtp.rules)
 2800891 - ETPRO NETBIOS Microsoft Windows WRITE_ANDX SMB Processing Denial Of Service (Published Exploit Only) (netbios.rules)
 2800892 - ETPRO NETBIOS Novell Client nwspool.dll EnumPrinters Function Stack Buffer Overflow UUID set (netbios.rules)
 2800893 - ETPRO NETBIOS Novell Client nwspool.dll EnumPrinters Function Stack Buffer Overflow (netbios.rules)
 2800894 - ETPRO NETBIOS Novell Client nwspool.dll EnumPrinters Function Stack Buffer Overflow (netbios.rules)
 2800895 - ETPRO NETBIOS Novell Client nwspool.dll EnumPrinters Function Stack Buffer Overflow (netbios.rules)
 2800896 - ETPRO NETBIOS Novell Client nwspool.dll EnumPrinters Function Stack Buffer Overflow (netbios.rules)
 2800897 - ETPRO NETBIOS Novell Client nwspool.dll EnumPrinters Function Stack Buffer Overflow (netbios.rules)
 2800898 - ETPRO EXPLOIT CA Multiple Products Alert Notification Server Buffer Overflow (exploit.rules)
 2800899 - ETPRO EXPLOIT CA Multiple Products Alert Notification Server Buffer Overflow (exploit.rules)
 2800900 - ETPRO EXPLOIT CA Multiple Products Alert Notification Server Buffer Overflow (exploit.rules)
 2800901 - ETPRO EXPLOIT CA Multiple Products Alert Notification Server Buffer Overflow (exploit.rules)
 2800902 - ETPRO EXPLOIT CA Multiple Products Alert Notification Server Buffer Overflow (exploit.rules)
 2800903 - ETPRO EXPLOIT CA Multiple Products Alert Notification Server Buffer Overflow set (exploit.rules)
 2800904 - ETPRO EXPLOIT CA Multiple Products Alert Notification Server Buffer Overflow 1 (exploit.rules)
 2800905 - ETPRO EXPLOIT CA Multiple Products Alert Notification Server Buffer Overflow 2 (exploit.rules)
 2800906 - ETPRO EXPLOIT CA Multiple Products Alert Notification Server Buffer Overflow 3 (exploit.rules)
 2800907 - ETPRO EXPLOIT CA Multiple Products Alert Notification Server Buffer Overflow 4 (exploit.rules)
 2801255 - ETPRO ACTIVEX Microsoft Windows Data Access Components ADO Record Code Execution (activex.rules)


[---]         Removed rules:         [---]

Below are moved to DELETED. Old, not useful, off to the graveyard.

 2002171 - ET ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 1) (activex.rules)
 2002172 - ET ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 2) (activex.rules)
 2002173 - ET ACTIVEX COM Object Instantiation Memory Corruption Vulnerability (group 3) (activex.rules)
 2002308 - ET ACTIVEX Internet Explorer Vulnerable CLSID (Msdds.dll) (activex.rules)
 2002491 - ET ACTIVEX COM Object MS05-052 (group 1) (activex.rules)
 2002492 - ET ACTIVEX COM Object MS05-052 (group 2) (activex.rules)
 2002493 - ET ACTIVEX COM Object MS05-052 (group 3) (activex.rules)
 2003104 - ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID (activex.rules)
 2011252 - ET ACTIVEX FathFTP ActiveX Control RasIsConnected Method Buffer Overflow Attempt (activex.rules)



Matt


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
