[Emerging-updates] Daily Ruleset Update Summary 10/31/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 31 16:01:14 EST 2011


Happy Halloween to those that are celebrating!

12 new pro rules, one of which came over from the Pro side.
20 new Pro subscriber sigs.

[+++]          Added rules:          [+++]

 2013807 - ET TROJAN Jorik FakeAV GET (trojan.rules)
 2013808 - ET TROJAN Dooptroop Dropper Checkin (trojan.rules)
 2013809 - ET ACTIVEX Oracle AutoVue Activex Insecure method (SaveViewStateToFile) (activex.rules)
 2013810 - ET ACTIVEX Oracle AutoVue Activex Insecure method (SaveViewStateToFile) Format String Function Call (activex.rules)
 2013811 - ET ACTIVEX Oracle AutoVue Activex Insecure method (Export3DBom) (activex.rules)
 2013812 - ET ACTIVEX Oracle AutoVue Activex Insecure method (Export3DBom) Format String Function Call (activex.rules)
 2013813 - ET ACTIVEX Oracle AutoVue Activex Insecure method (ExportEdaBom) (activex.rules)
 2013814 - ET ACTIVEX Oracle AutoVue Activex Insecure method (ExportEdaBom) Format String Function Call (activex.rules)
 2013815 - ET WEB_SPECIFIC_APPS PHool mainnav Parameter Remote File inclusion Attempt (web_specific_apps.rules)
 2013816 - ET WEB_SPECIFIC_APPS Joomla YJ Contact Local File Inclusion Vulnerability (web_specific_apps.rules)
 2013817 - ET WEB_SPECIFIC_APPS Wordpress Easy Stats plugin homep Parameter Remote File inclusion Attempt (web_specific_apps.rules)
 2013818 - ET WEB_SPECIFIC_APPS WHMCompleteSolution templatefile Parameter Local File Inclusion Attempt (web_specific_apps.rules)

Pro Subscriber rules:
 2803931 - ETPRO TROJAN W32/Gabpath.A.gen!Eldorado User-Agent (OCRecover) (trojan.rules)
 2803932 - ETPRO TROJAN Scar.evje/Fraudtool.AvSoft DDoS Traffic (Munged UA) Outbound (trojan.rules)
 2803933 - ETPRO TROJAN Scar.evje/Fraudtool.AvSoft DDoS Traffic (Munged UA) Inbound (trojan.rules)
 2803934 - ETPRO TROJAN Backdoor.Win32.Sheldor.dt User-Agent (x3) (trojan.rules)
 2803935 - ETPRO TROJAN Trojan.Generic.KDV.135143 Checkin (trojan.rules)
 2803936 - ETPRO TROJAN Backdoor.Win32.Sheldor.dt Checkin (trojan.rules)
 2803937 - ETPRO TROJAN Scar.evje/Fraudtool.AvSoft DDoS Bot Checkin 1 (trojan.rules)
 2803938 - ETPRO TROJAN Scar.evje/Fraudtool.AvSoft DDoS Bot Checkin 2 (trojan.rules)
 2803939 - ETPRO TROJAN Scar.evje/Fraudtool.AvSoft DDoS Traffic (Munged UA) Inbound 2 (trojan.rules)
 2803940 - ETPRO TROJAN Scar.evje/Fraudtool.AvSoft DDoS Traffic (Munged UA) Outbound 2 (trojan.rules)
 2803941 - ETPRO TROJAN Win32/Bofang.B Checkin (trojan.rules)
 2803943 - ETPRO TROJAN Win32/BHO.KG Checkin (trojan.rules)
 2803944 - ETPRO TROJAN Trojan-Spy.Win32.Zbot.ckdx Checkin (trojan.rules)
 2803945 - ETPRO TROJAN Win32/VBInject.T User-Agent ([Mozilla Firefox Cool]) (trojan.rules)
 2803946 - ETPRO TROJAN Win32/VBInject.T Checkin (trojan.rules)
 2803947 - ETPRO MALWARE Win32/Gabpath User-Agent (WhereSphere) (malware.rules)
 2803948 - ETPRO TROJAN Win32/Trafog!rts Checkin (trojan.rules)
 2803949 - ETPRO MALWARE Win32/Jinzie User-Agent (PopRocks) (malware.rules)
 2803950 - ETPRO TROJAN Trojan.Win32.Jorik.IRCbot.ddj Joining IRC channel - SET (trojan.rules)
 2803951 - ETPRO TROJAN Trojan.Win32.Jorik.IRCbot.ddj Joining IRC channel (trojan.rules)


[///]     Modified active rules:     [///]

 2003180 - ET TROJAN Possible Warezov/Stration Data Post to Controller (trojan.rules)
 2006366 - ET TROJAN Bot Backdoor Checkin/registration Request (trojan.rules)
 2006385 - ET TROJAN PWS-LDPinch posting data (trojan.rules)
 2006613 - ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D ASCII (web_specific_apps.rules)
 2007668 - ET TROJAN Blackenergy Bot Checkin to C&C (trojan.rules)
 2007756 - ET TROJAN PWS-LDPinch posting data (2) (trojan.rules)
 2008213 - ET TROJAN LDPinch Checkin (9) (trojan.rules)
 2009179 - ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion (web_specific_apps.rules)
 2009181 - ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion (web_specific_apps.rules)
 2009513 - ET WEB_SPECIFIC_APPS Possible Rentventory SQL Injection Attempt (web_specific_apps.rules)


[---]         Removed rules:         [---]

Deduplications primarily:
 2008784 - ET TROJAN Lighty Variant or UltimateDefender POST (trojan.rules)
 2009542 - ET TROJAN Silentbanker/Yaludle Checkin to C&C (trojan.rules)

Moved to the Open ruleset:
 2801994 - ETPRO TROJAN Dooptroop Dropper Checkin (trojan.rules)

Dedupe of the above sig:
 2802181 - ETPRO TROJAN Backdoor.Win32.Buterat.azi Checkin 2 (trojan.rules)

----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
