[Emerging-updates] Daily Ruleset Update Summary 3/31/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Thu Mar 31 19:31:02 EST 2011


Quite a few new malware and drive-by sigs added today, many thanks to the spectacular Emerging Threats Community!

[+++]          Added rules:          [+++]

 2012611 - ET USER_AGENTS Suspicious User-Agent Sample (user_agents.rules)
 2012612 - ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers (trojan.rules)
 2012613 - ET TROJAN SpyeEye Trojan Request file=grabbers (trojan.rules)
 2012614 - ET CURRENT_EVENTS Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks (current_events.rules)
 2012615 - ET MALWARE Unknown Malware PUTLINK Command Message (malware.rules)
 2012616 - ET CURRENT_EVENTS Unknown Malware PatchTimeCheck.dat Request (current_events.rules)
 2012617 - ET CURRENT_EVENTS Unknown Malware PatchPathNewS3.dat Request (current_events.rules)
 2012618 - ET MALWARE .dll Request Without User-Agent Likely Malware (malware.rules)
 2012619 - ET USER_AGENTS Suspicious User-Agent Mozilla/3.0 (user_agents.rules)
 2012620 - ET TROJAN Unknown Fake antivirus check-in (trojan.rules)
 2012621 - ET CURRENT_EVENTS Adobe Flash SWF File Embedded in XLS FILE Caution - Could be Exploit (current_events.rules)
 2012622 - ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in XLS FILE Caution - Could be Exploit (current_events.rules)

And your Pro signatures:

 2801928 - ETPRO SCADA Bacnet OPC Client Malicious .csv File Detected (scada.rules)
 2801929 - ETPRO WEB_CLIENT Microsoft Office Excel Pivot Item Index Boundary Error Memory Corruption 1 (web_client.rules)
 2801930 - ETPRO WEB_CLIENT Microsoft Office Excel Pivot Item Index Boundary Error Memory Corruption 2 (web_client.rules)
 2801931 - ETPRO WEB_CLIENT Microsoft Office Excel Pivot Item Index Boundary Error Memory Corruption 3 (web_client.rules)
 2801932 - ETPRO WEB_CLIENT Microsoft Office Powerpoint OEPlaceholderAtom placementId Parameter Handling Remote Code Execution (web_client.rules)
 2801933 - ETPRO WEB_CLIENT Microsoft Office Word RTF Document Control Word Parsing Memory Corruption (web_client.rules)
 2801934 - ETPRO WEB_SPECIFIC_APPS WSN Links SQL Injection Attempt search.php namecondition SELECT (web_specific_apps.rules)
 2801935 - ETPRO WEB_SPECIFIC_APPS WSN Links SQL Injection Attempt -- search.php namecondition UNION SELECT (web_specific_apps.rules)
 2801936 - ETPRO WEB_SPECIFIC_APPS WSN Links SQL Injection Attempt -- search.php namecondition INSERT (web_specific_apps.rules)
 2801937 - ETPRO WEB_SPECIFIC_APPS WSN Links SQL Injection Attempt -- search.php namecondition DELETE (web_specific_apps.rules)
 2801938 - ETPRO WEB_SPECIFIC_APPS WSN Links SQL Injection Attempt -- search.php namecondition ASCII (web_specific_apps.rules)
 2801939 - ETPRO WEB_SPECIFIC_APPS WSN Links SQL Injection Attempt -- search.php namecondition UPDATE (web_specific_apps.rules)
 2801940 - ETPRO WEB_SPECIFIC_APPS WSN Links SQL Injection Attempt search.php namesearch SELECT (web_specific_apps.rules)
 2801941 - ETPRO WEB_SPECIFIC_APPS WSN Links SQL Injection Attempt -- search.php namesearch UNION SELECT (web_specific_apps.rules)
 2801942 - ETPRO WEB_SPECIFIC_APPS WSN Links SQL Injection Attempt -- search.php namesearch INSERT (web_specific_apps.rules)
 2801943 - ETPRO WEB_SPECIFIC_APPS WSN Links SQL Injection Attempt -- search.php namesearch DELETE (web_specific_apps.rules)
 2801944 - ETPRO WEB_SPECIFIC_APPS WSN Links SQL Injection Attempt -- search.php namesearch ASCII (web_specific_apps.rules)
 2801945 - ETPRO WEB_SPECIFIC_APPS WSN Links SQL Injection Attempt -- search.php namesearch UPDATE (web_specific_apps.rules)
 2801946 - ETPRO WEB_SPECIFIC_APPS Majordomo Directory Traversal Attempt (web_specific_apps.rules)
 2801947 - ETPRO WEB_SPECIFIC_APPS jQuery Mega Menu 1.0 Wordpress Plugin Local File Inclusion Attempt (web_specific_apps.rules)


[///]     Modified active rules:     [///]

 2008664 - ET TROJAN Generic Dropper HTTP Bot grabbing config (trojan.rules)
 2010497 - ET CURRENT_EVENTS Facebook Spam Inbound (1) (current_events.rules)
 2011348 - ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for PDF exploit (current_events.rules)
 2011349 - ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java exploit (current_events.rules)
 2011350 - ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java and PDF exploits (current_events.rules)
 2011813 - ET CURRENT_EVENTS SEO Exploit Kit - client exploited (current_events.rules)
 2011924 - ET SCAN Havij SQL Injection Tool User-Agent Outbound (scan.rules)
 2012533 - ET TROJAN Win32/Virut.BN Checkin (trojan.rules)


[---]         Removed rules:         [---]

These were combined into one rule.

 2011814 - ET CURRENT_EVENTS SEO Exploit Kit - client exploited by SMB (current_events.rules)
 2011815 - ET CURRENT_EVENTS SEO Exploit Kit - client exploited by Acrobat (current_events.rules)


This was duplicated by a rule submitted to the community, so we drop the pro sig if equivalent.

 2801876 - ETPRO USER_AGENTS Suspicious User Agent SAMPLE (user_agents.rules)



----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
