[Emerging-updates] Daily Ruleset Update Summary 12/27/2012

Will Metcalf wmetcalf at emergingthreatspro.com
Thu Dec 27 16:03:45 HAST 2012


[***]          Summary:          [***]

20 new Open rules, 21 new Pro rules (20/1). A few older FP-prone sigs
removed.

Open:
2016090 - 2016093 pamdql/Sweet Orange updates.
2016094 Android/Updtkiller
http://www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2012-082308-1823-99&tabid=2
2016095 W32/Dexter
2016096 W32/Stabuniq
www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers
2016098 - 2016099 Drupal Mass Injection campaign.
http://blog.sucuri.net/2012/12/website-malware-drupal-iframe-injections-stealing-user-cookies.html
2016100 Wordpress access to W3TC dbcache directory
http://blog.sucuri.net/2012/12/w3-total-cache-implementation-vulnerability.html
2016101 - 2016105 DNS reply with the address of various sinkholes (usually
indicates an infected host).
2016106 - 2016108 Unknown EK as seen here
http://urlquery.net/report.php?id=529657
2016109 WP-Property insecure uploadify.php script
http://www.securityfocus.com/bid/53787/info
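The sinkhole rules above (2016101 - 2016105) fire when a DNS answer carries an address inside one of the listed sinkhole ranges; the same check can be run over resolver logs to find hosts that resolved a C2 name to a sinkhole. The following is an added example, not part of this update or the ET ruleset: the ranges and labels come from the rule names above, while the log line format and the sample lines are constructed for illustration and assume a simple "client= qname= rtype= rdata=" layout.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Sinkhole ranges taken from the rule names in this update
# (SIDs 2016101 - 2016105); the labels are the operators the rules name.
SINKHOLES: Dict[str, ipaddress.IPv4Network] = {
    "Microsoft 131.253.18.0/24 (sid 2016101)": ipaddress.ip_network("131.253.18.0/24"),
    "Microsoft 199.2.137.0/24 (sid 2016102)": ipaddress.ip_network("199.2.137.0/24"),
    "Microsoft 207.46.90.0/24 (sid 2016103)": ipaddress.ip_network("207.46.90.0/24"),
    "Google 1.1.1.0/24 (sid 2016104)": ipaddress.ip_network("1.1.1.0/24"),
    "zeus.redheberg.com 95.130.14.32 (sid 2016105)": ipaddress.ip_network("95.130.14.32/32"),
}

# Assumed (hypothetical) resolver log format, one answer record per line:
# "<timestamp> client=<ip> qname=<name> rtype=<type> rdata=<answer>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qname=(?P<qname>\S+)"
    r"\s+rtype=(?P<rtype>\S+)\s+rdata=(?P<rdata>\S+)$"
)


def sinkhole_match(addr: str) -> Optional[str]:
    """Return the label of the sinkhole range containing addr, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # not an IP literal (e.g. a CNAME target); nothing to check
    for label, net in SINKHOLES.items():
        if ip in net:
            return label
    return None


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client, qname, rdata, label) for every A answer inside a sinkhole range.

    Only rtype=A answers are checked, because the rules match on the
    returned address; malformed lines are skipped rather than raising.
    """
    hits: List[Tuple[str, str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("rtype") != "A":
            continue
        label = sinkhole_match(m.group("rdata"))
        if label:
            hits.append((m.group("client"), m.group("qname"), m.group("rdata"), label))
    return hits


# Constructed sample log lines; the query names and client addresses are made up.
SAMPLE_LOG = [
    "2012-12-27T16:03:45 client=10.0.0.5 qname=example.invalid rtype=A rdata=93.184.216.34",
    "2012-12-27T16:03:46 client=10.0.0.5 qname=malicious-c2.invalid rtype=A rdata=131.253.18.10",
    "2012-12-27T16:03:47 client=10.0.0.9 qname=zeusdrop.invalid rtype=A rdata=95.130.14.32",
    "2012-12-27T16:03:48 client=10.0.0.9 qname=alias.invalid rtype=CNAME rdata=other.invalid",
    "2012-12-27T16:03:49 client=10.0.0.12 qname=resolver-test.invalid rtype=A rdata=1.1.1.1",
]

if __name__ == "__main__":
    for client, qname, rdata, label in scan_dns_log(SAMPLE_LOG):
        print(f"{client} resolved {qname} -> {rdata}: {label}")
```

Each hit names the internal client that made the lookup, which is the host to triage; the query name tells you which family the sinkhole operator took over. Sinkhole assignments are a snapshot of the date of this update (1.1.1.0/24, for instance, has since been put into service as a public resolver), so refresh the ranges from current rules before using this against live logs.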

Pro:
2805857 - Virus.Win32.Virut.a Proxy Registration

[+++]          Added rules:          [+++]

  2016090 - ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet
Orange /in.php?q= (current_events.rules)
  2016091 - ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet
Orange base64 (current_events.rules)
  2016092 - ET CURRENT_EVENTS pamdql/Sweet Orange delivering hostile XOR
trojan payload from robots.php (current_events.rules)
  2016093 - ET CURRENT_EVENTS pamdql/Sweet Orange delivering exploit kit
payload (current_events.rules)
  2016094 - ET MOBILE_MALWARE Android/Updtkiller Sending Device Information
(mobile_malware.rules)
  2016095 - ET TROJAN W32/Dexter Infostealer CnC POST (trojan.rules)
  2016096 - ET TROJAN W32/Stabuniq CnC POST (trojan.rules)
  2016097 - ET TROJAN Unknown - Loader - Check .exe Updated (trojan.rules)
  2016098 - ET CURRENT_EVENTS Drupal Mass Injection Campaign Inbound
(current_events.rules)
  2016099 - ET CURRENT_EVENTS Drupal Mass Injection Campaign Outbound
(current_events.rules)
  2016100 - ET WEB_SPECIFIC_APPS Request to Wordpress W3TC Plug-in dbcache
Directory (web_specific_apps.rules)
  2016101 - ET TROJAN DNS Reply Sinkhole - Microsoft -
131.253.18.0/24 (trojan.rules)
  2016102 - ET TROJAN DNS Reply Sinkhole - Microsoft -
199.2.137.0/24 (trojan.rules)
  2016103 - ET TROJAN DNS Reply Sinkhole - Microsoft -
207.46.90.0/24 (trojan.rules)
  2016104 - ET TROJAN DNS Reply Sinkhole - Google - 1.1.1.0/24 (trojan.rules)
  2016105 - ET TROJAN DNS Reply Sinkhole - zeus.redheberg.com -
95.130.14.32 (trojan.rules)
  2016106 - ET CURRENT_EVENTS Unknown EK Landing Page (current_events.rules)
  2016107 - ET CURRENT_EVENTS Unknown EK Requesting Jar
(current_events.rules)
  2016108 - ET CURRENT_EVENTS Unknown EK Requesting PDF
(current_events.rules)
  2016109 - ET WEB_SPECIFIC_APPS WordPress WP-Property Plugin uploadify.php
Arbitrary File Upload Vulnerability (web_specific_apps.rules)
  2805857 - ETPRO TROJAN Virus.Win32.Virut.a Proxy Registration 2
(trojan.rules)


[---]         Removed rules:         [---]

  2001508 - ET MALWARE Medialoads.com Spyware Reporting (download.cgi)
(malware.rules)
  2804588 - ETPRO POLICY HTTP Get on port 53 DNS (policy.rules)
  2805850 - ETPRO MALWARE Mail.ru Downloader Checkin 1 (malware.rules)
  2805851 - ETPRO MALWARE Mail.ru Downloader Checkin 2 (malware.rules)