[Emerging-updates] Daily Ruleset Update Summary 4/9/2012

Matthew Jonkman mjonkman at emergingthreatspro.com
Mon Apr 9 20:49:29 EDT 2012


A light update today. Getting ready for the Patch Tuesday ruleset for tomorrow!

1 new Open rule, 1 rule moved from Pro to Open, and 4 new Pro Subscriber rules.

Enjoy!



[+++]          Added rules:          [+++]

 2014534 - ET TROJAN OSX/Flashback.K/I User-Agent (trojan.rules)
 2014535 - ET MALWARE BitCoinPlus Embedded site forcing visitors to mine BitCoins (malware.rules)

Pro rules:
 2804782 - ETPRO TROJAN Virus.Win32.Sality.aa Checkin (trojan.rules)
 2804783 - ETPRO TROJAN Win32.Sality.bh Checkin (trojan.rules)
 2804784 - ETPRO TROJAN W32/Spyrat.A Checkin (trojan.rules)
 2804785 - ETPRO TROJAN Likely Bot User Joining IRC (trojan.rules)


[///]     Modified active rules:     [///]

FN and performance fixes, most thanks to rmkml!
 2001949 - ET WEB_SPECIFIC_APPS Athena Web Registration Remote Command Execution Attempt (web_specific_apps.rules)
 2002671 - ET WEB_SPECIFIC_APPS Galerie ShowGallery.php SQL Injection attempt (web_specific_apps.rules)
 2009005 - ET MALWARE Simbar Spyware User-Agent Detected (malware.rules)
 2013500 - ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com (current_events.rules)

Rotated to the next few days of CnC Domains:
 2804769 - ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-11-2012 (trojan.rules)
 2804770 - ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-11-2012 (trojan.rules)
 2804771 - ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-12-2012 (trojan.rules)
 2804772 - ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-12-2012 (trojan.rules)
 2804773 - ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-13-2012 (trojan.rules)
 2804774 - ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-13-2012 (trojan.rules)


[---]         Removed rules:         [---]

Dupes and obsoletes:
 2002863 - ET WEB_SERVER osCommerce vulnerable web application extras update.php exists (web_server.rules)
 2013501 - ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com 2 (current_events.rules)
 2013667 - ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?v Download Secondary Request (current_events.rules)

Moved to the Open ruleset:
 2804762 - ETPRO TROJAN OSX/Flashback.K/I User-Agent (trojan.rules)



        2002863 || ET DELETED osCommerce vulnerable web application extras update.php exists || url,doc.emergingthreats.net/2002863 || url,retrogod.altervista.org/oscommerce_22_adv.html
        2013500 || ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com || url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx
        2013501 || ET DELETED Known Fraudulent DigiNotar SSL Certificate for google.com 2 || url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx
        2013667 || ET DELETED Likely Blackhole Exploit Kit Driveby ?v Download Secondary Request
        2014534 || ET TROJAN OSX/Flashback.K/I User-Agent || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml
        2014535 || ET MALWARE BitCoinPlus Embedded site forcing visitors to mine BitCoins || url,www.bitcoinplus.com/miner/whatsthis || url,www.bitcoinplus.com/miner/embeddable
        2501728 || ET COMPROMISED Known Compromised or Hostile Host Traffic (865) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2501730 || ET COMPROMISED Known Compromised or Hostile Host Traffic (866) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2501732 || ET COMPROMISED Known Compromised or Hostile Host Traffic (867) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2520162 || ET TOR Known Tor Exit Node Traffic (82) || url,doc.emergingthreats.net/bin/view/Main/TorRules
        2804769 || ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-11-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
        2804770 || ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-11-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
        2804771 || ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-12-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
        2804772 || ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-12-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
        2804773 || ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-13-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
        2804774 || ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-13-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed
        2804782 || ETPRO TROJAN Virus.Win32.Sality.aa Checkin || md5,1e0e6717f72b66f6fc83f2ef6c00dcb7
        2804783 || ETPRO TROJAN Win32.Sality.bh Checkin || md5,c15f4fe2e180150dc511aa64427404c5
        2804784 || ETPRO TROJAN W32/Spyrat.A Checkin || md5,aadfb22d04e958092a3940fd5f274b9e
        2804785 || ETPRO TROJAN Likely Bot User Joining IRC || md5,ab6513796297104d0cbba5268e2228a2



----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
