[Emerging-updates] Daily Ruleset Update Summary 4/6/2012

Matt Jonkman jonkman at emergingthreatspro.com
Fri Apr 6 17:27:47 EDT 2012


12 new open rules, 14 new Pro Subscriber rules. 

Lots on the Flashback trojan. Have a great weekend!


[+++]          Added rules:          [+++]

Moved over from the pro ruleset:
 2014522 - ET TROJAN OSX/Flashback.K/I reporting successful infection (trojan.rules)
 2014523 - ET TROJAN OSX/Flashback.K/I reporting successful infection 2 (trojan.rules)
 2014524 - ET TROJAN OSX/Flashback.K/I reporting failed infection (trojan.rules)
 2014525 - ET TROJAN OSX/Flashback.K first execution checkin (trojan.rules)

 2014526 - ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client (current_events.rules)
 2014527 - ET CURRENT_EVENTS Exploit Kit Delivering Compressed Flash Content to Client (current_events.rules)
 2014528 - ET TROJAN W32/Taidoor.Backdoor Command Request CnC Checkin (trojan.rules)
 2014529 - ET TROJAN W32/Taidoor.Backdoor CnC Checkin With Default Substitute MAC Address Field (trojan.rules)
 2014530 - ET ATTACK_RESPONSE Metasploit Meterpreter stdapi_* Command Request (attack_response.rules)
 2014531 - ET ATTACK_RESPONSE Metasploit Meterpreter core_channel_* Command Request (attack_response.rules)
 2014532 - ET ATTACK_RESPONSE Metasploit Meterpreter stdapi_* Command Response (attack_response.rules)
 2014533 - ET ATTACK_RESPONSE Metasploit Meterpreter core_channel_* Command Response (attack_response.rules)

Pro Subscriber rules:
 2804768 - ETPRO TROJAN Win32.AutoTsifiri.n Related 0-0-0.info Checkin 2 (trojan.rules)
 2804769 - ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-6-2012 (trojan.rules)
 2804770 - ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-6-2012 (trojan.rules)
 2804771 - ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-7-2012 (trojan.rules)
 2804772 - ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-7-2012 (trojan.rules)
 2804773 - ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-8-2012 (trojan.rules)
 2804774 - ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-8-2012 (trojan.rules)
 2804775 - ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-9-2012 (trojan.rules)
 2804776 - ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-9-2012 (trojan.rules)
 2804777 - ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-10-2012 (trojan.rules)
 2804778 - ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-10-2012 (trojan.rules)
 2804779 - ETPRO TROJAN Win32/Comisproc Checkin (trojan.rules)
 2804780 - ETPRO TROJAN Win32/Comisproc Checkin 2 (trojan.rules)
 2804781 - ETPRO POLICY DynDNS IP Check getip (policy.rules)


[///]     Modified active rules:     [///]

 2009931 - ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt (web_specific_apps.rules)
 2014309 - ET TROJAN W32/LockScreen Scareware Geolocation Request (trojan.rules)

Performance:
 2802860 - ETPRO DNS Query to a Suspicious *-0-0.info domain (dns.rules)
 2803740 - ETPRO TROJAN Worm.Win32.Balucaf.A Checkin (trojan.rules)
 2804243 - ETPRO TROJAN Win32.AutoTsifiri.n Related 0-0-0.info Checkin 1 (trojan.rules)


[---]         Removed rules:         [---]

 2804758 - ETPRO CURRENT_EVENTS OSX/Flashback.K/I reporting successful infection (current_events.rules)
 2804759 - ETPRO TROJAN OSX/Flashback.K/I reporting successful infection 2 (trojan.rules)
 2804760 - ETPRO TROJAN OSX/Flashback.K/I reporting failed infection (trojan.rules)
 2804761 - ETPRO TROJAN OSX/Flashback.K first execution checkin (trojan.rules)



        2014309 || ET TROJAN W32/LockScreen Scareware Geolocation Request || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf || url,www.abuse.ch/?p=3610
        2014522 || ET TROJAN OSX/Flashback.K/I reporting successful infection || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml
        2014523 || ET TROJAN OSX/Flashback.K/I reporting successful infection 2 || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml
        2014524 || ET TROJAN OSX/Flashback.K/I reporting failed infection || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml
        2014525 || ET TROJAN OSX/Flashback.K first execution checkin || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml
        2014526 || ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client
        2014527 || ET CURRENT_EVENTS Exploit Kit Delivering Compressed Flash Content to Client
        2014528 || ET TROJAN W32/Taidoor.Backdoor Command Request CnC Checkin || url,www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks
        2014529 || ET TROJAN W32/Taidoor.Backdoor CnC Checkin With Default Substitute MAC Address Field || url,www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks
        2014530 || ET ATTACK_RESPONSE Metasploit Meterpreter stdapi_* Command Request
        2014531 || ET ATTACK_RESPONSE Metasploit Meterpreter core_channel_* Command Request
        2014532 || ET ATTACK_RESPONSE Metasploit Meterpreter stdapi_* Command Response
        2014533 || ET ATTACK_RESPONSE Metasploit Meterpreter core_channel_* Command Response
        2404202 || ET DROP Known Bot C&C Server Traffic (group 102)  || url,abuse.ch || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/ShadowServerCC
        2501726 || ET COMPROMISED Known Compromised or Hostile Host Traffic (864) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2802860 || ETPRO DNS Query to a Suspicious *-0-0.info domain
        2804243 || ETPRO TROJAN Win32.AutoTsifiri.n Related 0-0-0.info Checkin 1 || md5,330d2ba6af1f18031157bbcfae5c3256
        2804768 || ETPRO TROJAN Win32.AutoTsifiri.n Related 0-0-0.info Checkin 2 || md5,94d7a8ade3ecc4957920c944cd23540b
        2804769 || ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-6-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
        2804770 || ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-6-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
        2804771 || ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-7-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
        2804772 || ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-7-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
        2804773 || ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-8-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
        2804774 || ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-8-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
        2804775 || ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-9-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
        2804776 || ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-9-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
        2804777 || ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-10-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
        2804778 || ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-10-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
        2804779 || ETPRO TROJAN Win32/Comisproc Checkin
        2804780 || ETPRO TROJAN Win32/Comisproc Checkin 2
        2804781 || ETPRO POLICY DynDNS IP Check getip




----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
