[Emerging-updates] Daily Ruleset Update Summary 5/4/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Wed May 4 15:32:58 EDT 2011


We have a significant update today! RBN updates, Spamhaus updates, and a veritable cornucopia of new Pro rules. Enjoy!



[+++]          Added rules:          [+++]


This is for a DNS name with "antiv" in it. You may expect, as I did, that this would come up very commonly. We ran this through every FP testing pcap and test sensor we have and got only two false positives. And those were grey-area, legitimate or not. We've put it in disabled by default, but I'd recommend giving it a go.

 2012786 Disabled - ET TROJAN DNS Query for Possible FakeAV Domain (trojan.rules)


And the Pro rules for today:


First some iPhone work. User-Agents, locationd reporting to Apple, etc. Useful if you want to know what your phone is doing, or if you're not supposed to have those devices on your network.

 2802102 - ETPRO POLICY iPhone locationd update to Apple (policy.rules)
 2802103 - ETPRO USER_AGENTS iPhone locationd User-Agent Detected (user_agents.rules)
 2802104 - ETPRO USER_AGENTS iPhone securityd User-Agent Detected (user_agents.rules)
 2802105 - ETPRO USER_AGENTS iPhone Data Access User-Agent Detected (user_agents.rules)
 2802106 - ETPRO USER_AGENTS iPhone iTunes User-Agent Detected (user_agents.rules)


Some fun new trojans, we love these!

 2802108 - ETPRO TROJAN Backdoor.Win32.Shaddsm.A Checkin (trojan.rules)
 2802110 - ETPRO TROJAN Trojan.Win32.Banker.bgcp Checkin (trojan.rules)
 2802111 - ETPRO TROJAN Trojan.Win32.TAvesto.A Checkin (trojan.rules)
 2802112 - ETPRO TROJAN Worm.Win32.Autorun.BPT Checkin (trojan.rules)
 2802121 - ETPRO WORM Worm.Win32.Cospet.A Checkin (worm.rules)


More security holes in security products....  (not us... knock on wood...)

 2802109 - ETPRO EXPLOIT CA Total Defense Suite UNCWS getDBConfigSettings Credential Information Disclosure (exploit.rules)
 2802113 - ETPRO EXPLOIT CA Total Defense Suite UNCWS Multiple Report Stored Procedure SQL Injections 1 (exploit.rules)
 2802114 - ETPRO EXPLOIT CA Total Defense Suite UNCWS Multiple Report Stored Procedure SQL Injections 2 (exploit.rules)
 2802115 - ETPRO EXPLOIT CA Total Defense Suite UNCWS Multiple Report Stored Procedure SQL Injections 3 (exploit.rules)
 2802116 - ETPRO EXPLOIT CA Total Defense Suite UNCWS Multiple Report Stored Procedure SQL Injections 4 (exploit.rules)
 2802117 - ETPRO EXPLOIT CA Total Defense Suite UNCWS Multiple Report Stored Procedure SQL Injections 5 (exploit.rules)
 2802118 - ETPRO EXPLOIT CA Total Defense Suite UNCWS Multiple Report Stored Procedure SQL Injections 6 (exploit.rules)
 2802119 - ETPRO EXPLOIT CA Total Defense Suite UNCWS Multiple Report Stored Procedure SQL Injections 7 (exploit.rules)
 2802120 - ETPRO EXPLOIT CA Total Defense Suite UNCWS Multiple Report Stored Procedure SQL Injections 8 (exploit.rules)


New specific exploits for the last round of MS crud:

 2802107 - ETPRO WEB_CLIENT Microsoft Windows Fax Services Cover Page Editor Double Free Memory Corruption (Published Exploit) Flowbit Set (web_client.rules)
 2802122 - ETPRO WEB_CLIENT Microsoft Internet Explorer Potential Use-After-Free Heap Overflow attempt (Exploit Specific) (web_client.rules)
 2802123 - ETPRO WEB_CLIENT Microsoft Excel Workspace docx download (web_client.rules)
 2802124 - ETPRO WEB_CLIENT Microsoft Excel Workspace rtf download (web_client.rules)
 2802125 - ETPRO WEB_CLIENT Microsoft Excel Workspace xlt download (web_client.rules)
 2802126 - ETPRO WEB_CLIENT Microsoft Excel Workspace xlsx download (web_client.rules)
 2802128 - ETPRO WEB_CLIENT Microsoft Internet Explorer Word Document Uninitialized Memory Corruption (web_client.rules)
 2802129 - ETPRO WEB_CLIENT Microsoft Internet Explorer Word Document Uninitialized Memory Corruption via docx (web_client.rules)
 2802130 - ETPRO WEB_CLIENT Microsoft Internet Explorer Word Document Uninitialized Memory Corruption via xls (web_client.rules)
 2802131 - ETPRO WEB_CLIENT Microsoft Internet Explorer Word Document Uninitialized Memory Corruption via xlsx (web_client.rules)
 2802132 - ETPRO WEB_CLIENT Microsoft Internet Explorer Word Document Uninitialized Memory Corruption via rtf (web_client.rules)
 2802133 - ETPRO WEB_CLIENT Microsoft Internet Explorer Word Document Uninitialized Memory Corruption via xlt (web_client.rules)
 2802134 - ETPRO WEB_CLIENT Microsoft Internet Explorer Word Document Uninitialized Memory Corruption via doc 2 (web_client.rules)
 2802135 - ETPRO WEB_CLIENT Microsoft Internet Explorer Word Document Uninitialized Memory Corruption via docx 2 (web_client.rules)
 2802136 - ETPRO WEB_CLIENT Microsoft Internet Explorer Word Document Uninitialized Memory Corruption via xls 2 (web_client.rules)
 2802137 - ETPRO WEB_CLIENT Microsoft Internet Explorer Word Document Uninitialized Memory Corruption via xlsx 2 (web_client.rules)
 2802138 - ETPRO WEB_CLIENT Microsoft Internet Explorer Word Document Uninitialized Memory Corruption via xlt 2 (web_client.rules)
 2802139 - ETPRO WEB_CLIENT Microsoft Internet Explorer Word Document Uninitialized Memory Corruption via rtf 2 (web_client.rules)
 2802140 - ETPRO WEB_CLIENT Microsoft Internet Explorer HtmlDlgHelper Memory Corruption via doc (web_client.rules)
 2802141 - ETPRO WEB_CLIENT Microsoft Internet Explorer HtmlDlgHelper Memory Corruption via docx (web_client.rules)
 2802142 - ETPRO WEB_CLIENT Microsoft Internet Explorer HtmlDlgHelper Memory Corruption via xls (web_client.rules)
 2802143 - ETPRO WEB_CLIENT Microsoft Internet Explorer HtmlDlgHelper Memory Corruption via xlsx (web_client.rules)
 2802144 - ETPRO WEB_CLIENT Microsoft Internet Explorer HtmlDlgHelper Memory Corruption via rtf (web_client.rules)
 2802145 - ETPRO WEB_CLIENT Microsoft Internet Explorer HtmlDlgHelper Memory Corruption via xlt (web_client.rules)


And some SCADA coverage.

 2802146 - ETPRO SCADA ICONICS WebHMI ActiveX Stack Overflow (scada.rules)


[///]     Modified active rules:     [///]


Just made the name what we'd all agreed to for easier management.

 2012171 - ET POLICY DYNAMIC_DNS Lookup of Chinese Dynamic DNS Provider 3322.org Likely Malware Related (policy.rules)
 2012738 - ET POLICY DYNAMIC_DNS Lookup of Chinese Dynamic DNS Provider 8866.org Likely Malware Related (policy.rules)
 2012758 - ET POLICY DYNAMIC_DNS .dyndns.org DNS Lookup - Possible Malware (policy.rules)

----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc