[Emerging-updates] Weekly Ruleset Update Summary 11/30/2012

Matt Jonkman jonkman at emergingthreats.net
Mon Dec 3 05:57:14 HAST 2012


73 new rules last week. Quite a few great ones both in open and Pro for
exploit kits and malware.


[+++]          Added rules:          [+++]

 2015922 - ET CURRENT_EVENTS Possible Glazunov Java exploit request
/10-/5-digit (current_events.rules)
 2015923 - ET CURRENT_EVENTS Possible Glazunov Java payload request
/5-digit (current_events.rules)
 2015924 - ET WEB_SERVER WebShell - PHP eMailer (web_server.rules)
 2015925 - ET WEB_SERVER WebShell - Unknown - self-kill (web_server.rules)
 2015926 - ET WEB_SERVER WebShell - Unknown - .php?x=img&img=
(web_server.rules)
 2015927 - ET CURRENT_EVENTS Possible RedKit /hmXX.htm(l) Landing Page -
Set (current_events.rules)
 2015928 - ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar
(1) (current_events.rules)
 2015929 - ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar
(2) (current_events.rules)
 2015930 - ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload
Request URI (1) (current_events.rules)
 2015931 - ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload
Request to URI (2) (current_events.rules)
 2015932 - ET CURRENT_EVENTS Blackhole 2 Landing Page (7)
(current_events.rules)
 2015933 - ET CURRENT_EVENTS Blackhole 2 Landing Page (8)
(current_events.rules)
 2015936 - ET CURRENT_EVENTS Nuclear Exploit Kit HTTP Off-port Landing Page
Request (current_events.rules)
 2015937 - ET WEB_SERVER WebShell - PostMan (web_server.rules)
 2015938 - ET CURRENT_EVENTS Unknown Banking PHISH - Login.php?LOB=RBG
(current_events.rules)
 2015939 - ET CURRENT_EVENTS g01pack Exploit Kit .blogsite. Landing Page
(current_events.rules)
 2015940 - ET SCAN SFTP/FTP Password Exposure via sftp-config.json
(scan.rules)
 2015941 - ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (1)
(current_events.rules)
 2015942 - ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (2)
(current_events.rules)
 2015943 - ET CURRENT_EVENTS Crimeboss - Java Exploit - Recent Jar (3)
(current_events.rules)
 2015944 - ET CURRENT_EVENTS CrimeBoss - Stats Access (current_events.rules)
 2015945 - ET CURRENT_EVENTS CrimeBoss - Stats Java On
(current_events.rules)
 2015946 - ET CURRENT_EVENTS CrimeBoss - Setup (current_events.rules)
 2015947 - ET WEB_SPECIFIC_APPS Piwik Backdoor Access
(web_specific_apps.rules)
 2015948 - ET WEB_SPECIFIC_APPS Piwik Backdoor Access 2
(web_specific_apps.rules)
 2015949 - ET CURRENT_EVENTS Propack Recent Jar (1) (current_events.rules)
 2015950 - ET CURRENT_EVENTS Propack Payload Request (current_events.rules)
 2015951 - ET CURRENT_EVENTS SibHost Jar Request (current_events.rules)
 2015952 - ET CURRENT_EVENTS PHISH Generic -SSN - ssn1 ssn2 ssn3
(current_events.rules)
 2015953 - ET WEB_SERVER PIWIK Backdored Version calls home
(web_server.rules)
 2015954 - ET INFO PDF /FlateDecode and PDF version 1.0 (info.rules)
 2015955 - ET CURRENT_EVENTS PDF /FlateDecode and PDF version 1.1 (seen in
pamdql EK) (current_events.rules)
 2015956 - ET CURRENT_EVENTS Serenity Exploit Kit Landing Page HTML Header
(current_events.rules)
 2015957 - ET TROJAN Lyposit Ransomware Checkin 1 (trojan.rules)
 2015958 - ET TROJAN Lyposit Ransomware Checkin 2 (trojan.rules)
 2015959 - ET SNMP Samsung Printer SNMP Hardcode RW Community String
(snmp.rules)
 2015960 - ET CURRENT_EVENTS CritXPack Jar Request (current_events.rules)
 2015961 - ET CURRENT_EVENTS CritXPack PDF Request (current_events.rules)
 2015962 - ET CURRENT_EVENTS CritXPack Payload Request
(current_events.rules)
 2015963 - ET INFO PHISH Generic - Bank and Routing (info.rules)
 2015964 - ET CURRENT_EVENTS Unknown EK Landing URL (current_events.rules)
 2015965 - ET INFO EXE SCardForgetReaderGroupA (Used in Malware
Anti-Debugging) (info.rules)
 2015966 - ET P2P QVOD P2P Sharing Traffic detected (udp) beacon (p2p.rules)
 2015967 - ET P2P QVOD P2P Sharing Traffic detected (udp) payload
(p2p.rules)
 2015968 - ET TROJAN WORM_VOBFUS Checkin 1 (trojan.rules)
 2015969 - ET TROJAN WORM_VOBFUS Requesting exe (trojan.rules)
 2015970 - ET CURRENT_EVENTS Zuponcic EK Payload Request
(current_events.rules)
 2015971 - ET CURRENT_EVENTS Zuponcic EK Java Exploit Jar
(current_events.rules)
 2015972 - ET CURRENT_EVENTS PHISH PayPal - Account Phished
(current_events.rules)
 2015973 - ET CURRENT_EVENTS PHISH Gateway POST to gateway-p
(current_events.rules)
 2015974 - ET CURRENT_EVENTS Sibhost Status Check (current_events.rules)



New Pro Subscriber rules:

 2805635 - ETPRO MALWARE Adware.DirectDownloader Checkin (malware.rules)
 2805732 - ETPRO TROJAN Backdoor Boomie.A Checkin Response/Egg Download
Command (trojan.rules)
 2805733 - ETPRO TROJAN Win32/Virut.BN Checkin 3 (trojan.rules)
 2805734 - ETPRO TROJAN Unknown Trojan Checkin (trojan.rules)
 2805735 - ETPRO TROJAN Backdoor Boomie.A Checkin Command 2 (trojan.rules)
 2805736 - ETPRO TROJAN Trojan.Fakesec-309 Checkin (trojan.rules)
 2805737 - ETPRO TROJAN Win32.Worm.Winko.I Checkin (trojan.rules)
 2805738 - ETPRO TROJAN Win32/Bublik.B Checkin 2 (trojan.rules)
 2805739 - ETPRO TROJAN Email-Worm.Win32.Warezov spreading via SMTP
(trojan.rules)
 2805740 - ETPRO TROJAN BanBra Checkin (trojan.rules)
 2805741 - ETPRO TROJAN TROJ_FAKEAV.SMNA Checkin (trojan.rules)
 2805742 - ETPRO TROJAN Win32.HLLW.MyBot sending info (trojan.rules)
 2805743 - ETPRO TROJAN Dropper.Win32.Binder.ihv Checkin (trojan.rules)
 2805744 - ETPRO MALWARE Adware.Kraddare!11iB0o+IEDU CnC 1 (malware.rules)
 2805745 - ETPRO MALWARE Adware.Kraddare!11iB0o+IEDU CnC 2 (malware.rules)
 2805746 - ETPRO TROJAN W32/Onlinegames.QNT!tr Checkin (trojan.rules)
 2805747 - ETPRO TROJAN Win32/Zegost.B CnC (trojan.rules)
 2805748 - ETPRO TROJAN TROJ_GEN.F47V1018 Checkin (trojan.rules)
 2805749 - ETPRO TROJAN W32/Chinflej.AC!tr Command Response (trojan.rules)
 2805750 - ETPRO MALWARE Adware.Agent.FJ Checkin (malware.rules)
 2805751 - ETPRO TROJAN Trojan-Proxy.Win32.Ranky Checkin (trojan.rules)
 2805752 - ETPRO TROJAN Win32/Ksare.A / Trojan-Dropper.Win32.Mudrop.kg Checkin
(trojan.rules)


[///]     Modified active rules:     [///]

 2009078 - ET TROJAN Backdoor Lanfiltrator Checkin (trojan.rules)
 2011409 - ET DNS DNS Query for Suspicious .co.cc Domain (dns.rules)
 2011410 - ET DNS DNS Query for Suspicious .cz.cc Domain (dns.rules)
 2014459 - ET P2P QVOD P2P Sharing Traffic detected (tcp) (p2p.rules)
 2015739 - ET CURRENT_EVENTS pamdql applet with obfuscated URL
(current_events.rules)
 2015783 - ET CURRENT_EVENTS BegOp Exploit Kit Payload
(current_events.rules)
 2015887 - ET CURRENT_EVENTS Possible exploitation of CVE-2012-5076 by an
exploit kit Nov 13 2012 (current_events.rules)

 2805028 - ETPRO TROJAN Flamer Blacklisted key 1 Seen over HTTP
(trojan.rules)
 2805219 - ETPRO MALWARE Win32/InstallMonetizer.AC Checkin (malware.rules)


[///]    Modified inactive rules:    [///]

 2011407 - ET DNS DNS Query for Suspicious .com.ru Domain (dns.rules)
 2011408 - ET DNS DNS Query for Suspicious .com.cn Domain (dns.rules)
 2011411 - ET DNS DNS Query for Suspicious .co.kr Domain (dns.rules)


[---]         Removed rules:         [---]

 2008064 - ET POLICY Nginx Server with no version string - Often Hostile
Traffic (policy.rules)
 2015525 - ET CURRENT_EVENTS Blackhole try eval prototype string splitting
evasion Jul 24 2012 (current_events.rules)
 2805635 - ETPRO TROJAN Trojan.Kazy-237 Checkin (trojan.rules)

-- 

----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------