[Emerging-updates] Daily Ruleset Update Summary 3/10/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Thu Mar 10 16:06:57 EST 2011


New ruleset added today: mobile_malware.rules. There are some great rules in there; see the ET Blog (http://blog.emergingthreats.net) for more information. 

The CiArmy rules have also been updated. They're proving reliable at all sites testing them!


[+++]          Added rules:          [+++]

 2012446 - ET TROJAN Possible Eleonore Exploit pack download (trojan.rules)
 2012447 - ET TROJAN Possible Fast Flux Rogue Antivirus (trojan.rules)
 2012448 - ET TROJAN Downloader Win32.Agent.FakeAV.AVG 1 (trojan.rules)
 2012449 - ET TROJAN Downloader Win32.Agent.FakeAV.AVG 2 (trojan.rules)
 2012450 - ET MOBILE_MALWARE Android Trojan HongTouTou Command and Control Communication (mobile_malware.rules)
 2012451 - ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1 (mobile_malware.rules)
 2012452 - ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 2 (mobile_malware.rules)
 2012453 - ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication (mobile_malware.rules)
 2012454 - ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1 (mobile_malware.rules)
 2012455 - ET MOBILE_MALWARE Android Trojan Fake10086 checkin 2 (mobile_malware.rules)
 2012456 - ET CURRENT_EVENTS Possible JKDDOS download 500.exe (current_events.rules)
 2012457 - ET CURRENT_EVENTS Possible JKDDOS download ddos.exe (current_events.rules)
 2012458 - ET CURRENT_EVENTS Possible JKDDOS download desyms.exe (current_events.rules)
 2012459 - ET CURRENT_EVENTS Possible JKDDOS download 1691.exe (current_events.rules)
 2012460 - ET CURRENT_EVENTS Possible JKDDOS download wm.exe (current_events.rules)
 2012461 - ET CURRENT_EVENTS Possible JKDDOS download cl.exe (current_events.rules)
 2012466 - ET CURRENT_EVENTS Possible JKDDOS download b.exe (current_events.rules)
 2012467 - ET P2P Ocelot BitTorrent Server in Use (p2p.rules)


Also added: more ET Pro DLL loading vulnerability rules. We've got a lot more of these in the pipeline to release tomorrow as well!

 2801470 - ETPRO WEB_CLIENT Microsoft Remote Desktop Connection Insecure Library Loading - SMB-DS ASCII (web_client.rules)
 2801471 - ETPRO WEB_CLIENT Microsoft Remote Desktop Connection Insecure Library Loading - SMB-DS Unicode (web_client.rules)
 2801472 - ETPRO WEB_CLIENT Microsoft Remote Desktop Connection Insecure Library Loading - SMB ASCII (web_client.rules)
 2801473 - ETPRO WEB_CLIENT Microsoft Remote Desktop Connection Insecure Library Loading - SMB Unicode (web_client.rules)


[///]     Modified active rules:     [///]

 2012046 - ET MOBILE_MALWARE Android Use-After-Free Remote Code Execution on Webkit
 2012140 - ET MOBILE_MALWARE Android Trojan Command and Control Communication
 2012251 - ET MOBILE_MALWARE Google Android Device HTTP Request
 2012410 - ET MOBILE_MALWARE DroidDream Android Trojan info upload
 2007757 - ET SCAN w3af User Agent (scan.rules)
 2009752 - ET TROJAN Monkif/DlKroha Trojan Activity HTTP Outbound (trojan.rules)
 2011124 - ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced) (malware.rules)
 2012445 - ET CURRENT_EVENTS Post Express Inbound bad attachment (current_events.rules)


[---]         Disabled rules:        [---]


Disabling for obsolescence

 2007930 - ET TROJAN Delf/Hupigon C&C Channel Version Report (trojan.rules)
 2008041 - ET TROJAN Hupigon CnC init (variant abb) (trojan.rules)
 2008042 - ET TROJAN Hupigon CnC Data Post (variant abb) (trojan.rules)
 2008258 - ET TROJAN Hupigon CnC Communication (variant bysj) (trojan.rules)
 2008540 - ET TROJAN Hupigon.dkxh Checkin to CnC (trojan.rules)
 2009052 - ET TROJAN Hupigon System Stats Report (I-variant) (trojan.rules)
 2009290 - ET TROJAN Possible Hupigon Connect (trojan.rules)
 2009291 - ET TROJAN Hupigon CnC Client Status (trojan.rules)
 2009292 - ET TROJAN Hupigon CnC Server Response (trojan.rules)
 2009350 - ET TROJAN Win32.Hupigon Control Server Response (trojan.rules)



----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
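
These daily summaries follow a fixed layout (a bracketed section header, then one SID per line with an optional rules file in parentheses), so a site tracking the feed can parse them to check which SIDs were added, changed or retired in its own deployment. The Python below is an added example, not part of the original message or of any Emerging Threats tooling. The excerpt it parses is constructed from the entries above, and the gid:sid output for the disabled list is an assumption about the line format a SID-management tool such as PulledPork accepts in its disable list.

```python
import re

# Constructed excerpt of a Daily Ruleset Update Summary, built from entries in
# the message above (sample input, not the full post).
SAMPLE = """\
[+++]          Added rules:          [+++]

 2012446 - ET TROJAN Possible Eleonore Exploit pack download (trojan.rules)
 2012450 - ET MOBILE_MALWARE Android Trojan HongTouTou Command and Control Communication
 2801470 - ETPRO WEB_CLIENT Microsoft Remote Desktop Connection Insecure Library Loading  - SMB-DS ASCII (web_client.rules)

[///]     Modified active rules:     [///]

 2007757 - ET SCAN w3af User Agent (scan.rules)

[---]         Disabled rules:        [---]

Disabling for obsolescence

 2007930 - ET TROJAN Delf/Hupigon C&C Channel Version Report (trojan.rules)
 2009350 - ET TROJAN Win32.Hupigon Control Server Response (trojan.rules)
"""

# Section header: "[+++]   Added rules:   [+++]" (same marker on both sides).
SECTION_RE = re.compile(r"^\[(\+\+\+|///|---)\]\s+(.+?)\s+\[\1\]\s*$")
# Rule line: 7-digit SID, " - ", message, optional "(file.rules)" at the end.
RULE_RE = re.compile(r"^\s*(\d{7})\s+-\s+(.*?)(?:\s+\(([\w.]+\.rules)\))?\s*$")

SECTION_NAMES = {"+++": "added", "///": "modified", "---": "disabled"}


def parse_summary(text):
    """Parse a summary into {'added': [...], 'modified': [...], 'disabled': [...]}.

    Each entry is a dict: sid (int), msg (str), file (str or None when the
    line gives no rules file), pro (True for ETPRO-prefixed messages).
    """
    result = {name: [] for name in SECTION_NAMES.values()}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = SECTION_NAMES[m.group(1)]
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            sid, msg, rulefile = int(m.group(1)), m.group(2).strip(), m.group(3)
            msg = re.sub(r"\s{2,}", " ", msg)  # collapse doubled spaces in messages
            result[current].append(
                {"sid": sid, "msg": msg, "file": rulefile, "pro": msg.startswith("ETPRO ")}
            )
    return result


def disable_lines(summary, gid=1):
    """gid:sid lines for the retired SIDs (assumed PulledPork-style disable list)."""
    return [f"{gid}:{e['sid']}" for e in summary["disabled"]]


def added_by_file(summary, unknown="(file not given)"):
    """Group newly added SIDs by the rules file the summary names for them."""
    grouped = {}
    for e in summary["added"]:
        grouped.setdefault(e["file"] or unknown, []).append(e["sid"])
    return grouped


def touched_sids(summary):
    """Every SID the update mentions, for diffing against a deployed rule set."""
    return sorted(e["sid"] for entries in summary.values() for e in entries)


if __name__ == "__main__":
    s = parse_summary(SAMPLE)
    for section, entries in s.items():
        print(f"{section}: {[e['sid'] for e in entries]}")
    print("disable list:", disable_lines(s))
    print("added by file:", added_by_file(s))
```

The parser is deliberately tolerant of the free-text lines that appear between headers and entries (such as "Disabling for obsolescence"): anything that is not a section header or a SID line is ignored, and a SID line only counts once a section header has been seen.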
