[Emerging-updates] Daily Ruleset Update Summary 5/9/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Mon May 9 15:54:38 EDT 2011


We've got some GREAT malware stuff for you today, both in the open and Pro rulesets. Also a significant update to the RBN list, and a load of sigs from Stillsecure for specific web apps.

We'll have your MS Patch Tuesday sigs out for pro subscribers tomorrow.



[+++]          Added rules:          [+++]

This was submitted by Stillsecure and very close to a Pro rule, so we've moved the Pro rule over to the open ruleset.

 2012787 - ET SCADA ICONICS WebHMI ActiveX Stack Overflow (scada.rules)


Thanks to Stillsecure for these:

 2012788 - ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
 2012789 - ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
 2012790 - ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
 2012791 - ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
 2012792 - ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
 2012793 - ET WEB_SPECIFIC_APPS E-Xoopport Samsara Sections module secid Parameter Blind SQL Injection Exploit (web_specific_apps.rules)
 2012794 - ET WEB_SPECIFIC_APPS ClanSphere CurrentFolder Parameter Local File Inclusion Attempt (web_specific_apps.rules)
 2012795 - ET WEB_SPECIFIC_APPS Golem Gaming Portal root_path Parameter Remote File inclusion Attempt (web_specific_apps.rules)
 2012797 - ET WEB_SPECIFIC_APPS WebAuction lang parameter Cross Site Scripting Attempt (web_specific_apps.rules)

New drive-by stuff from the community. Thanks all!

 2012796 - ET CURRENT_EVENTS Malicious SEO landing in.cgi with URI HTTP_REFERER (current_events.rules)


And the Pro rules, some great new stuff courtesy of the ET Sandnet:

 2802155 - ETPRO TROJAN Sality CnC Checkin ping (trojan.rules)
 2802156 - ETPRO TROJAN Siscos/Finloski CnC Keepalive Traffic (trojan.rules)
 2802157 - ETPRO TROJAN Vundo/Cryptic/Backdoor.24 Checkin (trojan.rules)
 2802158 - ETPRO USER_AGENTS Win32.VB.aqeg UA Checkin (user_agents.rules)
 2802159 - ETPRO TROJAN Delf/Hupigon/PWS.Banker.54377 Checkin Response from CnC (trojan.rules)
 2802160 - ETPRO TROJAN Delf/Hupigon/PWS.Banker.54377 Checkin Response from Client (trojan.rules)
 2802161 - ETPRO TROJAN VBCrypt/Spy.582013.2 Keepalive to CnC (trojan.rules)
 2802163 - ETPRO TROJAN VBCrypt/Spy.582013.2 Keepalive from CnC (trojan.rules)
 2802169 - ETPRO TROJAN Backdoor.Win32.Wergimog.A Checkin 1 (trojan.rules)
 2802170 - ETPRO TROJAN Backdoor.Win32.Wergimog.A Checkin 2 (trojan.rules)
 2802171 - ETPRO WORM Worm.Win32.Nokpuda.A Checkin (worm.rules)
 2802172 - ETPRO TROJAN Trojan.Win32.Tspsl.C Checkin (trojan.rules)
 2802173 - ETPRO TROJAN Trojan.Win32.Bamital.F Checkin (trojan.rules)
 2802174 - ETPRO TROJAN ProRat Keylogger Infection Report via Email (trojan.rules)

And some regular exploit stuff.

 2802164 - ETPRO EXPLOIT Embarcadero InterBase Connect Request Multiple Stack Buffer Overflows 1 (exploit.rules)
 2802165 - ETPRO EXPLOIT Embarcadero InterBase Connect Request Multiple Stack Buffer Overflows 2 (exploit.rules)
 2802166 - ETPRO EXPLOIT Embarcadero InterBase Connect Request Multiple Stack Buffer Overflows 3 (exploit.rules)
 2802167 - ETPRO EXPLOIT Embarcadero InterBase Connect Request Multiple Stack Buffer Overflows 4 (exploit.rules)
 2802168 - ETPRO EXPLOIT Embarcadero InterBase Connect Request Multiple Stack Buffer Overflows 5 (exploit.rules)


[///]     Modified active rules:     [///]

Performance tweak:

 2012725 - ET TROJAN Win32/FakeSysdef Rogue AV Checkin (trojan.rules)



[---]         Removed rules:         [---]

Moved to open.

 2802146 - ETPRO SCADA ICONICS WebHMI ActiveX Stack Overflow (scada.rules)

----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
