[Emerging-updates] Daily Update Summary 3/14/2011 Supplemental

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Mar 14 20:21:36 EST 2011


A second ruleset release today; we have some important things to get out there that shouldn't wait until tomorrow. 

Most importantly, the Adobe Flash 0-day that is being used in targeted attacks. We've got an exploit-specific set of signatures for this that we recommend running immediately. We'll have something for the vulnerability itself soon if it's feasible; not sure about it yet. More here:

http://isc.sans.org/diary.html?n&storyid=10549

Also a lot of other ET Pro sigs in this release. We're getting some more wide-ranging coverage for the Insecure DLL loading issues that plague many MS apps. 


[+++]          Added rules:          [+++]

 2012494 - ET CURRENT_EVENTS FakeAV InstallInternetDefender Download (current_events.rules)
 2012495 - ET CURRENT_EVENTS FakeAV campaign related JavaScript eval document obfuscation (current_events.rules)
 2012496 - ET WEB_SPECIFIC_APPS Sahana Agasti AccessController.php approot Parameter Remote File Inclusion Attempt (web_specific_apps.rules)
 2012497 - ET WEB_SPECIFIC_APPS Sahana Agasti dao.php approot Parameter Remote File Inclusion Attempt (web_specific_apps.rules)
 2012498 - ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id SELECT (web_specific_apps.rules)
 2012499 - ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id UNION SELECT (web_specific_apps.rules)
 2012500 - ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id INSERT (web_specific_apps.rules)
 2012501 - ET WEB_SPECIFIC_APPS Constructr CMS Injection Attempt -- constructrXmlOutput.content.xml.php page_id DELETE (web_specific_apps.rules)
 2012502 - ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id ASCII (web_specific_apps.rules)


And your ET Pro Subscriber rules:

 2801474 - ETPRO NETBIOS Microsoft Address Book msoeres32.dll Insecure Library Loading  - SMB-DS ASCII (netbios.rules)
 2801475 - ETPRO NETBIOS Microsoft Address Book msoeres32.dll Insecure Library Loading - SMB-DS Unicode (netbios.rules)
 2801476 - ETPRO NETBIOS Microsoft Address Book msoeres32.dll Insecure Library Loading - SMB ASCII (netbios.rules)
 2801477 - ETPRO NETBIOS Microsoft Address Book msoeres32.dll Insecure Library Loading - SMB Unicode (netbios.rules)
 2801478 - ETPRO WEB_CLIENT Microsoft Address Book Insecure msoeres32.dll Library Loading - Set (web_client.rules)
 2801479 - ETPRO WEB_CLIENT Microsoft Address Book msoeres32.dll Insecure Library Loading (web_client.rules)
 2801480 - ETPRO NETBIOS Microsoft Address Book wab32res.dll Insecure Library Loading - SMB-DS ASCII (netbios.rules)
 2801481 - ETPRO NETBIOS Microsoft Address Book wab32res.dll Insecure Library Loading - SMB-DS Unicode (netbios.rules)
 2801482 - ETPRO NETBIOS Microsoft Address Book wab32res.dll Insecure Library Loading - SMB ASCII (netbios.rules)
 2801483 - ETPRO NETBIOS Microsoft Address Book wab32res.dll Insecure Library Loading - SMB Unicode (netbios.rules)
 2801484 - ETPRO WEB_CLIENT Microsoft Address Book wab32res.dll Insecure Library Loading msoeres32.dll - Set (web_client.rules)
 2801485 - ETPRO WEB_CLIENT Microsoft Address Book wab32res.dll Insecure Library Loading (web_client.rules)
 2801486 - ETPRO NETBIOS Microsoft Windows Backup Manager fveapi.dll Insecure Library Loading  - SMB-DS ASCII (netbios.rules)
 2801487 - ETPRO NETBIOS Microsoft Windows Backup Manager fveapi.dll Insecure Library Loading - SMB-DS Unicode (netbios.rules)
 2801488 - ETPRO NETBIOS Microsoft Windows Backup Manager fveapi.dll Insecure Library Loading - SMB ASCII (netbios.rules)
 2801489 - ETPRO NETBIOS Microsoft Windows Backup Manager fveapi.dll Insecure Library Loading - SMB Unicode (netbios.rules)
 2801490 - ETPRO WEB_CLIENT Microsoft Windows Backup Manager fveapi.dll Insecure Library Loading fveapi.dll - Set (web_client.rules)
 2801491 - ETPRO WEB_CLIENT Microsoft Windows Backup Manager fveapi.dll Insecure Library Loading (web_client.rules)
 2801492 - ETPRO NETBIOS Microsoft Internet Connection Signup Wizard smmscrpt.dll Insecure Library Loading  - SMB-DS ASCII (netbios.rules)
 2801493 - ETPRO NETBIOS Microsoft Internet Connection Signup Wizard smmscrpt.dll Insecure Library Loading - SMB-DS Unicode (netbios.rules)
 2801494 - ETPRO NETBIOS Microsoft Internet Connection Signup Wizard smmscrpt.dll Insecure Library Loading - SMB ASCII (netbios.rules)
 2801495 - ETPRO NETBIOS Microsoft Internet Connection Signup Wizard smmscrpt.dll Insecure Library Loading - SMB Unicode (netbios.rules)
 2801496 - ETPRO WEB_CLIENT Microsoft Internet Connection Signup Wizard smmscrpt.dll Insecure Library Loading - Set (web_client.rules)
 2801497 - ETPRO WEB_CLIENT Microsoft Internet Connection Signup Wizard smmscrpt.dll Insecure Library Loading (web_client.rules)
 2801606 - ETPRO TROJAN Generic Trojan Checkin 4 (trojan.rules)
 2801607 - ETPRO TROJAN Generic Trojan Checkin 5 (trojan.rules)
 2801608 - ETPRO WEB_SPECIFIC_APPS Z-Vote Plugin for WordPress SQL Injection Attempt zvote.php topic SELECT (web_specific_apps.rules)
 2801609 - ETPRO WEB_SPECIFIC_APPS Z-Vote Plugin for WordPress SQL Injection Attempt zvote.php topic UNION SELECT (web_specific_apps.rules)
 2801610 - ETPRO WEB_SPECIFIC_APPS Z-Vote Plugin for WordPress SQL Injection Attempt zvote.php topic INSERT (web_specific_apps.rules)
 2801611 - ETPRO WEB_SPECIFIC_APPS Z-Vote Plugin for WordPress SQL Injection Attempt zvote.php topic DELETE (web_specific_apps.rules)
 2801612 - ETPRO WEB_SPECIFIC_APPS Z-Vote Plugin for WordPress SQL Injection Attempt zvote.php topic ASCII (web_specific_apps.rules)
 2801613 - ETPRO WEB_SPECIFIC_APPS Z-Vote Plugin for WordPress SQL Injection Attempt zvote.php topic UPDATE (web_specific_apps.rules)
 2801615 - ETPRO TROJAN Backdoor.Win32.Trup.CX Checkin 1 (trojan.rules)
 2801616 - ETPRO TROJAN Backdoor.Win32.Trup.CX Checkin 2 (trojan.rules)
 2801617 - ETPRO WEB_SPECIFIC_APPS Wikipad pages.php id Parameter Traversal Arbitrary.txt File Access Attempt (web_specific_apps.rules)
 2801618 - ETPRO WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin Cross-Site Scripting (web_specific_apps.rules)
 2801619 - ETPRO WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin Remote File Inclusion (web_specific_apps.rules)
 2801620 - ETPRO TROJAN Backdoor.Win32.CBgate.A Checkin (trojan.rules)
 2801621 - ETPRO TROJAN Trojan.Win32.StartPage.DFI Checkin (trojan.rules)
 2801622 - ETPRO EXPLOIT Citrix Provisioning Services streamprocess.exe Stack Buffer Overflow (exploit.rules)
 2801623 - ETPRO TROJAN Backdoor.Win32.Dorkbot.A Join IRC channel (trojan.rules)
 2801624 - ETPRO TROJAN Backdoor.Win32.Dorkbot.A IRC Login (trojan.rules)
 2801625 - ETPRO WEB_CLIENT Realplayer AVI Header Flowbit Set (web_client.rules)
 2801626 - ETPRO WEB_CLIENT Realplayer AVI Header Parsing Code Execution (web_client.rules)
 2801627 - ETPRO TROJAN Backdoor.Win32.TBubz.DL Checkin 1 (trojan.rules)
 2801628 - ETPRO TROJAN Backdoor.Win32.TBubz.DL Checkin 2 (trojan.rules)


And the Adobe 0-day
 2801629 - ETPRO EXPLOIT Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit (exploit.rules)
 2801630 - ETPRO EXPLOIT Adobe 0day Exploit Specific Shellcode Noop (exploit.rules)
 2801631 - ETPRO EXPLOIT Adobe 0day Exploit Specific Downloaded Keyword Specific (exploit.rules)


[///]     Modified active rules:     [///]

Minor update to catch more variations.

 2801439 - ETPRO TROJAN Generic Spanish or Portugese Trojan Infection Report (trojan.rules)



----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
