[Emerging-updates] Daily Ruleset Update Summary 4/4/2012

Matt Jonkman jonkman at emergingthreatspro.com
Wed Apr 4 17:17:25 EDT 2012

Lots of great stuff today, and a new category added. 

15 new Open rules, 12 new Pro Subscriber rules for 27 total!

The new category is info.rules, or emerging-info.rules. This will essentially be correlation engine fodder rules. Not stuff you'll likely want humans going through, but good for post-incident analysis. 

Don't forget to check out the Suricata 1.3beta1 release at http://openinfosecfoundation.org. SSL analysis, md5sum a file in stream, all sorts of new goodness!

[+++]          Added rules:          [+++]

 2014460 - ET TROJAN Zeus CnC Checkin POST to Config.php (trojan.rules)
 2014461 - ET WEB_CLIENT Java Atomic Reference Exploit Attempt Metasploit Specific (web_client.rules)
 2014462 - ET TROJAN LuckyCat/TROJ_WIMMIE Checkin (trojan.rules)
 2014463 - ET WEB_CLIENT Internet Explorer CTableRowCellsCollectionCacheItem.GetNext Memory Use-After-Free Attempt (web_client.rules)
 2014464 - ET TROJAN DwnLdr-JMZ Downloading Binary (trojan.rules)
 2014465 - ET TROJAN DwnLdr-JMZ Downloading Binary 2 (trojan.rules)
 2014466 - ET TROJAN Downloader.Win32.Datamaikon Unique User-Agent (trojan.rules)
 2014467 - ET TROJAN Downloader.Win32.Datamaikon User-Agent NewAgent (trojan.rules)
 2014468 - ET TROJAN Downloader.Win32.Datamaikon User-Agent myAgent (trojan.rules)
 2014470 - ET CURRENT_EVENTS Likely Blackhole PDF served from iframe (current_events.rules)
 2014471 - ET POLICY DRIVEBY Generic - EXE Download by Java (policy.rules)
 2014476 - ET TROJAN HTTP Request to Zaletelly CnC Domain zaletellyxx.be (trojan.rules)
 2014477 - ET TROJAN HTTP Request to Zaletelly CnC Domain atserverxx.info (trojan.rules)
 2104469 - ET CURRENT_EVENTS Likely Blackhole eval haha (current_events.rules)

Pro rules:
 2804746 - ETPRO MALWARE Rogue.Win32/Onescan Checkin (malware.rules)
 2804747 - ETPRO MALWARE Rogue.Win32/Onescan User-Agent (fileboan_install) (malware.rules)
 2804748 - ETPRO TROJAN W32/Banker.JGT Checkin 2 (trojan.rules)
 2804749 - ETPRO TROJAN Win32/Shodi.G Checkin (trojan.rules)
 2804750 - ETPRO TROJAN Backdoor.Win32.VB.hes Checkin (trojan.rules)
 2804751 - ETPRO TROJAN Win32/Bancos.AGN Checkin (trojan.rules)
 2804752 - ETPRO TROJAN Trojan-Banker.Win32.Banker2.bwv Checkin (trojan.rules)
 2804753 - ETPRO TROJAN Win32/Wadolin.A Checkin (trojan.rules)
 2804754 - ETPRO TROJAN Trojan-Banker.Win32.Agent.hpx Checkin (trojan.rules)
 2804755 - ETPRO TROJAN Sus/BancDl-A Checkin (trojan.rules)
 2804756 - ETPRO TROJAN pandora-ddos-bot User-Agent (Mozilla/100) (trojan.rules)
 2804757 - ETPRO MALWARE Adware/Kikin.A Checkin (malware.rules)

[///]     Modified active rules:     [///]

Added a negation for Bluecoat referrer as well:
 2014002 - ET TROJAN Fake Variation of Mozilla 4.0 - Likely Trojan (trojan.rules)

Perf tweak:
 2804479 - ETPRO TROJAN Trojan.Win32.Generic Checkin (trojan.rules)

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
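Added example (not from the post, and not code from Emerging Threats or Suricata): what "correlation engine fodder" means in practice. It routes low-signal categories away from the analyst queue and instead attaches them as context to a real alert from the same host. Assumptions are mine: alerts are dicts shaped like Suricata EVE "alert" records, the ET category is the word after "ET"/"ETPRO" in the signature name, POLICY is treated as correlation-only alongside INFO, and the window is 10 minutes. The sample alerts are constructed; the two "ET INFO" records carry a placeholder SID of 0 because the post lists no info.rules SIDs.

```python
"""Triage + correlation sketch for low-signal IDS categories (added example)."""
from datetime import datetime, timedelta

# Assumption: INFO and POLICY hits are kept for correlation, not paged to a human.
CORRELATION_ONLY = {"INFO", "POLICY"}


def category_of(signature):
    """'ET TROJAN Zeus CnC Checkin ...' -> 'TROJAN'; 'ETPRO MALWARE ...' -> 'MALWARE'."""
    parts = signature.split()
    if len(parts) >= 2 and parts[0] in ("ET", "ETPRO"):
        return parts[1]
    return "UNKNOWN"


def triage(alerts):
    """Split alerts into (analyst-facing, correlation-only) lists."""
    analyst, corr = [], []
    for a in alerts:
        bucket = corr if category_of(a["signature"]) in CORRELATION_ONLY else analyst
        bucket.append(a)
    return analyst, corr


def correlate(analyst_alerts, corr_alerts, window=timedelta(minutes=10)):
    """For each analyst alert, attach correlation-only events from the same
    source IP that fired within `window` before it (post-incident context)."""
    out = []
    for a in analyst_alerts:
        t = datetime.fromisoformat(a["timestamp"])
        ctx = [
            c for c in corr_alerts
            if c["src_ip"] == a["src_ip"]
            and t - window <= datetime.fromisoformat(c["timestamp"]) <= t
        ]
        ctx.sort(key=lambda c: c["timestamp"])
        out.append({"alert": a, "context": ctx})
    return out


def sample_alerts():
    """Constructed sample data. SIDs 2014471 and 2014460 are from the post;
    sid 0 marks the hypothetical info.rules hits."""
    return [
        {"timestamp": "2012-04-04T09:30:00", "src_ip": "10.0.0.9", "sid": 0,
         "signature": "ET INFO (constructed) Executable served from dynamic DNS host"},
        {"timestamp": "2012-04-04T10:00:00", "src_ip": "10.0.0.5", "sid": 0,
         "signature": "ET INFO (constructed) Executable served from dynamic DNS host"},
        {"timestamp": "2012-04-04T10:03:00", "src_ip": "10.0.0.5", "sid": 2014471,
         "signature": "ET POLICY DRIVEBY Generic - EXE Download by Java"},
        {"timestamp": "2012-04-04T10:05:00", "src_ip": "10.0.0.5", "sid": 2014460,
         "signature": "ET TROJAN Zeus CnC Checkin POST to Config.php"},
    ]


if __name__ == "__main__":
    analyst, corr = triage(sample_alerts())
    for item in correlate(analyst, corr):
        print(item["alert"]["signature"])
        for c in item["context"]:
            print("   context:", c["timestamp"], c["signature"])
```

Only the Zeus checkin reaches an analyst; the Java EXE download and the info hit from the same host ride along as context, while the 09:30 event from a different host is ignored.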