[Emerging-updates] Daily Ruleset Update Summary 12/12/2012

Will Metcalf wmetcalf at emergingthreatspro.com
Wed Dec 12 12:02:02 HAST 2012


 [***]          Summary:          [***]

11 new Open rules. 45 Pro rules (34/11).  A couple of detection updates.
Outdated flash sigs updated.

2016018 Dexter EOT file seen in CoolEK
2016020 - 2016021 FakeAV Landing/Download
2016022 - 2016023 Flash redirect used in Malvertising
2016024 - 2016025 Blackhole TDS redirect
2016026 NuclearPack
2016027 g01pack
2016028 Generic Metasploit jar sig (seen used in various kits)
2016029 Kelihos DGA + EXE

2805801 - 2805834 Daily Pro Coverage

 [+++]          Added rules:          [+++]

  Open:
  2016018 - ET CURRENT_EVENTS Embedded Open Type Font file .eot seeing at
Cool Exploit Kit (current_events.rules)
  2016020 - ET CURRENT_EVENTS FakeScan - Landing Page - Title - Microsoft
Antivirus 2013 (current_events.rules)
  2016021 - ET CURRENT_EVENTS FakeScan - Payload Download Received
(current_events.rules)
  2016022 - ET CURRENT_EVENTS MALVERTISING FlashPost - Redirection IFRAME
(current_events.rules)
  2016023 - ET CURRENT_EVENTS MALVERTISING FlashPost - POST to *.stats
(current_events.rules)
  2016024 - ET CURRENT_EVENTS Blackhole - TDS Redirection To Exploit Kit -
Loading (current_events.rules)
  2016025 - ET CURRENT_EVENTS Blackhole - TDS Redirection To Exploit Kit -
/head/head1.html (current_events.rules)
  2016026 - ET CURRENT_EVENTS NuclearPack - Landing Page Received - <applet
and 32HexChar.jar (current_events.rules)
  2016027 - ET CURRENT_EVENTS g01pack - Landing Page Received - <applet and
32AlphaNum.jar (current_events.rules)
  2016028 - ET EXPLOIT Metasploit -Java Atomic Exploit Downloaded
(exploit.rules)
  2016029 - ET CURRENT_EVENTS Kelihos.K Executable Download DGA
(current_events.rules)

  Pro:
  2805801 - ETPRO TROJAN Win32.TrojDownloader.AutoIt.qu Checkin
(trojan.rules)
  2805802 - ETPRO POLICY GEOIP info online service (freegeoip.net)
(policy.rules)
  2805803 - ETPRO TROJAN Taidoor Checkin 2 (trojan.rules)
  2805804 - ET TROJAN DNS Query to Pseudo Random Domain for Web Malware (.
mynumber.org) (trojan.rules)
  2805805 - ETPRO TROJAN Win32.Downloader-RGC Downloading executable
(trojan.rules)
  2805807 - ETPRO TROJAN Win32/Comisproc Checkin (trojan.rules)
  2805808 - ETPRO TROJAN Trojan.Win32.Jorik.Agent.cqn Checkin (trojan.rules)
  2805809 - ETPRO TROJAN PWS-Zbot.gen.asb Checkin (trojan.rules)
  2805810 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.GingerMaster.a Checkin 1
(mobile_malware.rules)
  2805811 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.GingerMaster.a Checkin 2
(mobile_malware.rules)
  2805812 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.GingerMaster.a Checkin 3
(mobile_malware.rules)
  2805813 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.GingerMaster.a Checkin 4
(mobile_malware.rules)
  2805814 - ETPRO POLICY Internal Host Retrieving External IP via
whatismyip.everdot.org - Possible Infection (policy.rules)
  2805815 - ETPRO POLICY Internal Host Retrieving External IP via
whatismyipaddress.com - Possible Infection (policy.rules)
  2805816 - ETPRO POLICY Internal Host Retrieving External IP via
showmyipaddress.com - Possible Infection (policy.rules)
  2805817 - ETPRO MALWARE Adware.Solimba requesting install (malware.rules)
  2805818 - ETPRO MALWARE Adware/W32.KrAdword Checkin (malware.rules)
  2805819 - ETPRO TROJAN W32/Daws.AKWI!tr Checkin (trojan.rules)
  2805820 - ETPRO MOBILE_MALWARE Android/FkToken.A Checkin
(mobile_malware.rules)
  2805821 - ETPRO MOBILE_MALWARE Android/Ksapp.A Checkin
(mobile_malware.rules)
  2805822 - ETPRO TROJAN Android/Gmaster.A Checkin (trojan.rules)
  2805823 - ETPRO TROJAN Win32/Injector.Autoit.CI Checkin (trojan.rules)
  2805824 - ETPRO TROJAN Mal/FakeSg-B Checkin (trojan.rules)
  2805825 - ETPRO TROJAN Backdoor.Win32.Rbot.kkw Checkin (trojan.rules)
  2805826 - ETPRO MOBILE_MALWARE Android/Adware.AdsWo.A Checkin
(mobile_malware.rules)
  2805827 - ETPRO MOBILE_MALWARE Android.Mobigapp / Android/FakeUpdates.A
Checkin (mobile_malware.rules)
  2805828 - ETPRO MOBILE_MALWARE Andr/Frogonal-A /
Backdoor.AndroidOS.GinMaster.a Checkin (mobile_malware.rules)
  2805829 - ETPRO MOBILE_MALWARE AndroidOS/Anserver.A Checkin
(mobile_malware.rules)
  2805830 - ETPRO MOBILE_MALWARE AndroidOS/Spitmo.A Checkin
(mobile_malware.rules)
  2805831 - ETPRO MOBILE_MALWARE Android.Rabbhome /
Backdoor.AndroidOS.Fjcon.a Checkin (mobile_malware.rules)
  2805832 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.FA /
Trojan-SMS.AndroidOS.Opfake.a Checkin (mobile_malware.rules)
  2805833 - ETPRO TROJAN W32/KeyLogger.ACQH!tr Checkin (trojan.rules)
  2805834 - ETPRO TROJAN Win32/Votwup.W /
Backdoor.Win32.DarkHole.ly Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  Open:
  2014726 - ET POLICY Outdated Windows Flash Version IE (policy.rules)
  2014727 - ET POLICY Outdated Mac Flash Version (policy.rules)

  Pro:
  2015815 - ET CURRENT_EVENTS CoolEK Font File Download (32-bit Host) Dec
11 2012 (current_events.rules)
  2015816 - ET CURRENT_EVENTS CoolEK Font File Download (64-bit Host) Dec
11 2012 (current_events.rules)
  2015978 - ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Dec
03 2012 (current_events.rules)

 [---]        Moved from Pro to Open:         [---]

  Pro:
  2805532 - ETPRO TROJAN PWS-Zbot.gen.als Checkin (trojan.rules)

  Open:
  2016019 - ET TROJAN PWS-Zbot.gen.als Checkin (trojan.rules)
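As an added illustration (not part of the original update mail, and not the content of the ET rules themselves, which is not reproduced here): the titles of 2016026 and 2016027 describe the landing-page heuristic as "an <applet tag plus a .jar archive named with 32 hex characters" (NuclearPack) or "32 alphanumeric characters" (g01pack). The Python below approximates that heuristic so the ordering problem becomes visible: every 32-hex name is also a 32-alphanumeric name, so the narrower check has to run first. The HTML samples are constructed for this example and are not captured exploit-kit traffic; the function names are my own.

```python
import re
from typing import Dict, Optional

# Constructed sample responses (not real captures). Each mimics one shape a
# kit landing page could take, plus two negatives the heuristic must not fire on.
SAMPLES: Dict[str, str] = {
    "nuclear_like": (
        '<html><body><applet code="a.class" '
        'archive="0123456789abcdef0123456789abcdef.jar" '
        'width="1" height="1"></applet></body></html>'
    ),
    "g01_like": (
        '<html><APPLET archive="AbCdEfGhIjKlMnOpQrStUvWxYz012345.jar" '
        'code="x"></APPLET></html>'
    ),
    # An applet with an ordinary archive name: must not match.
    "benign_applet": '<html><applet archive="game.jar" code="Game.class"></applet></html>',
    # A 32-hex .jar referenced without any applet tag: must not match either.
    "no_applet": '<html><a href="0123456789abcdef0123456789abcdef.jar">dl</a></html>',
}

# The applet tag itself, case-insensitive (HTML tags are).
APPLET_RE = re.compile(r"<applet\b", re.IGNORECASE)
# \b on both sides forces an exact 32-character name: a longer run of
# word characters has no boundary inside it, so 33+ chars never match.
HEX_JAR_RE = re.compile(r"\b[0-9a-f]{32}\.jar\b", re.IGNORECASE)
ALNUM_JAR_RE = re.compile(r"\b[0-9a-z]{32}\.jar\b", re.IGNORECASE)


def classify_landing_page(html: str) -> Optional[str]:
    """Return which applet/jar naming pattern a page body matches, or None.

    Both patterns require an <applet tag; the hex check runs before the
    alphanumeric one because the hex character class is a strict subset.
    """
    if not APPLET_RE.search(html):
        return None
    if HEX_JAR_RE.search(html):
        return "applet+32hex.jar"
    if ALNUM_JAR_RE.search(html):
        return "applet+32alnum.jar"
    return None


def scan_samples() -> Dict[str, Optional[str]]:
    """Run the heuristic over every constructed sample."""
    return {name: classify_landing_page(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:14s} -> {verdict}")
```

Treat a hit as a trigger for pulling the referenced .jar and the surrounding session, not as a conviction on its own: the pattern is a naming convention, and a legitimate build pipeline that names archives by content hash would look identical to the hex case.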