[Emerging-updates] Daily Ruleset Update Summary 5/3/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Tue May 3 18:08:00 EDT 2011

We have some great new mobile rules, an update to the CI-Army ruleset, and we've put the IAT rules through their paces and have those posted; thanks to Kevin Ross for those.

[+++]          Added rules:          [+++]

 2012762 - ET USER_AGENTS Suspicious user agent (asd) (user_agents.rules)

These are all new but disabled by default. Please use where appropriate. They shouldn't be significant load.

 2012763 - ET TROJAN Suspicious IAT Checking for Debugger (trojan.rules)
 2012764 - ET TROJAN Suspicious IAT NtQueryInformationProcess Possibly Checking for Debugger (trojan.rules)
 2012765 - ET TROJAN Suspicious IAT GetStartupInfo (trojan.rules)
 2012766 - ET TROJAN Suspicious IAT GetComputerName (trojan.rules)
 2012767 - ET TROJAN Suspicious IAT HttpAddRequestHeader - Can Be Used For HTTP CnC (trojan.rules)
 2012768 - ET TROJAN Suspicious IAT ZwProtectVirtualMemory - Undocumented API Which Can be Used for Rootkit Functionality (trojan.rules)
 2012769 - ET TROJAN Suspicious IAT ZwSetSystemInformation - Undocumented API Which Can be Used for Rootkit Functionality (trojan.rules)
 2012770 - ET TROJAN Suspicious IAT ZwWriteVirtualMemory - Undocumented API Which Can be Used for CnC Functionality (trojan.rules)
 2012771 - ET TROJAN Suspicious IAT SetSfcFileException - Undocumented API Which Can be Used for Disabling Windows File Protections (trojan.rules)
 2012772 - ET TROJAN Suspicious IAT NtQueueApcThread - Undocumented API Which Can be Used for Thread Injection/Downloading (trojan.rules)
 2012773 - ET TROJAN Suspicious IAT NtResumeThread - Undocumented API Which Can be Used to Resume Thread Injection (trojan.rules)
 2012774 - ET TROJAN Suspicious IAT NoExecuteAddFileOptOutList - Undocumented API to Add Executable to DEP Exception List (trojan.rules)
 2012775 - ET TROJAN Suspicious IAT ModifyExecuteProtectionSupport - Undocumented API to Modify DEP (trojan.rules)
 2012776 - ET TROJAN Suspicious IAT LdrLoadDll - Undocumented Low Level API to Load DLL (trojan.rules)
 2012777 - ET TROJAN Suspicious IAT EnableExecuteProtectionSupport - Undocumented API to Modify DEP (trojan.rules)
 2012778 - ET TROJAN Suspicious IAT NamedPipe - May Indicate Reverse Shell/Backdoor Functionality (trojan.rules)
 2012779 - ET TROJAN Suspicious IAT FTP File Interaction (trojan.rules)
 2012780 - ET TROJAN Suspicious IAT SetKeyboardState - Can Be Used for Keylogging (trojan.rules)

And some malware:

 2012781 - ET CURRENT_EVENTS Possible Hiloti DNS Checkin Message explorer_exe (current_events.rules)

And some mobile malware, SymbOS related:

 2012782 - ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request (mobile_malware.rules)
 2012783 - ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request (mobile_malware.rules)
 2012784 - ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request (mobile_malware.rules)

 2012785 - ET USER_AGENTS Egypack/1.0 User-Agent Likely Malware (user_agents.rules)

[///]     Modified active rules:     [///]

Adding DYNDNS for easier identification and enabling/disabling:

 2012171 - ET POLICY DYNDNS Lookup of Chinese Dynamic DNS Provider 3322.org Likely Malware Related (policy.rules)
 2012738 - ET POLICY DYNDNS Lookup of Chinese Dynamic DNS Provider 8866.org Likely Malware Related (policy.rules)
 2012758 - ET POLICY DYNDNS .dyndns.org DNS Lookup - Possible Malware (policy.rules)

Matthew Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
