[Emerging-updates] Weekly Ruleset Update Summary 2/2/2013

Matt Jonkman jonkman at emergingthreats.net
Sat Feb 2 05:52:18 HAST 2013


49 new Open rules, 27 new Pro Subscriber rules, for 66 total new this week
alongside a good number of updates and tweaks.




[+++]          Added rules:          [+++]

 2016282 - ET WEB_SPECIFIC_APPS Openconstructor CMS result Parameter Cross
Site Scripting Attempt (web_specific_apps.rules)
 2016283 - ET WEB_SPECIFIC_APPS Openconstructor CMS keyword Parameter Cross
Site Scripting Attempt (web_specific_apps.rules)
 2016284 - ET WEB_SPECIFIC_APPS CubeCart loc parameter Local File Inclusion
Attempt (web_specific_apps.rules)
 2016285 - ET WEB_SPECIFIC_APPS GetSimple CMS path parameter Local File
Inclusion Attempt (web_specific_apps.rules)
 2016286 - ET ACTIVEX Possible Aloaha PDF Crypter activex SaveToFile method
arbitrary file overwrite (activex.rules)
 2016287 - ET WEB_SPECIFIC_APPS Banana Dance name Parameter Local File
Inclusion Attempt (web_specific_apps.rules)
 2016288 - ET WEB_SPECIFIC_APPS Joomla com_collector Component Arbitrary
File Upload Vulnerability (web_specific_apps.rules)
 2016289 - ET WEB_SPECIFIC_APPS web wiz forums ForumID Parameter Cross Site
Scripting Attempt (web_specific_apps.rules)
 2016290 - ET WEB_SPECIFIC_APPS web wiz forums ThreadPage Parameter Cross
Site Scripting Attempt (web_specific_apps.rules)
 2016291 - ET WEB_SPECIFIC_APPS phpMiniAdmin db Parameter Cross Site
Scripting Attempt (web_specific_apps.rules)
 2016292 - ET TROJAN RevProxy ClickFraud - hello (trojan.rules)
 2016293 - ET TROJAN RevProxy - ClickFraud - MIDUIDEND (trojan.rules)
 2016294 - ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Can be Used
to Spawn Shell) (web_specific_apps.rules)
 2016295 - ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit
Windows CMD Shell) (web_specific_apps.rules)
 2016296 - ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit
Unix Shell) (web_specific_apps.rules)
 2016297 - ET CURRENT_EVENTS Malicious iframe (current_events.rules)
 2016298 - ET CURRENT_EVENTS Malicious iframe (current_events.rules)
 2016299 - ET CURRENT_EVENTS Redkit Class Request (3) (current_events.rules)
 2016300 - ET TROJAN Simda.C Checkin (trojan.rules)
 2016302 - ET INFO UPnP Discovery Search Response vulnerable UPnP device 1
(info.rules)
 2016303 - ET INFO UPnP Discovery Search Response vulnerable UPnP device 2
(info.rules)
 2016304 - ET INFO UPnP Discovery Search Response vulnerable UPnP device 3
(info.rules)
 2016305 - ET CURRENT_EVENTS Ruby on Rails CVE-2013-0333 Attempt
(current_events.rules)
 2016306 - ET CURRENT_EVENTS JDB Exploit Kit Landing URL structure
(current_events.rules)
 2016307 - ET CURRENT_EVENTS JDB Exploit Kit Landing Page
(current_events.rules)
 2016308 - ET CURRENT_EVENTS Possible JDB Exploit Kit Class Request
(current_events.rules)
 2016309 - ET CURRENT_EVENTS JDB Exploit Kit JAR Download
(current_events.rules)
 2016310 - ET CURRENT_EVENTS JDB Exploit Kit Fake Adobe Download
(current_events.rules)
 2016311 - ET CURRENT_EVENTS Non-Standard HTML page in Joomla /com_content/
dir (Observed in Recent Pharma Spam) (current_events.rules)
 2016312 - ET TROJAN W32/DownloaderAgent.fajk Successful Infection CnC
Beacon (trojan.rules)
 2016313 - ET TROJAN W32/DownloaderAgent.fajk Second Stage Download List
Requested (trojan.rules)
 2016314 - ET TROJAN Linux/SSHDoor.A Reporting Backdoor CnC Beacon
(trojan.rules)
 2016316 - ET TROJAN W32/StartPage.eba Dropper CnC Beacon (trojan.rules)
 2016317 - ET TROJAN Suspicious user-agent (f**king) (trojan.rules)
 2016318 - ET MOBILE_MALWARE Android/Ksapp.A Checkin (mobile_malware.rules)
 2016319 - ET CURRENT_EVENTS Impact Exploit Kit Landing Page
(current_events.rules)
 2016320 - ET CURRENT_EVENTS Exploit Kit Java gif download
(current_events.rules)
 2016321 - ET CURRENT_EVENTS Possible g01pack Jar download
(current_events.rules)
 2016322 - ET DOS LibuPnP CVE-2012-5958 ST DeviceType Buffer Overflow
(dos.rules)
 2016323 - ET DOS LibuPnP CVE-2012-5963 ST UDN Buffer Overflow (dos.rules)
 2016324 - ET DOS LibuPnP CVE-2012-5964 ST URN ServiceType Buffer Overflow
(dos.rules)
 2016325 - ET DOS LibuPnP CVE-2012-5965 ST URN DeviceType Buffer Overflow
(dos.rules)
 2016326 - ET DOS LibuPnP CVE-2012-5961 ST UDN Buffer Overflow (dos.rules)
 2016327 - ET CURRENT_EVENTS PHISH Generic - POST to myform.php
(current_events.rules)
 2016328 - ET TROJAN ZeuS Post to C&C footer.php (trojan.rules)
 2016329 - ET TROJAN W32/SecVerif.Downloader Initial CnC Beacon
(trojan.rules)
 2016330 - ET TROJAN W32/SecVerif.Downloader Second Stage Download Request
(trojan.rules)
 2016331 - ET TROJAN W32/Jabberbot.A Trednet XMPP CnC Beacon (trojan.rules)
 2016333 - ET CURRENT_EVENTS Possible g01pack Landing Page
(current_events.rules)



 2805948 - ETPRO WEB_SPECIFIC_APPS Nagios3 history.cgi Host Command
Execution (web_specific_apps.rules)
 2805949 - ETPRO WEB_SPECIFIC_APPS PHP-Charts v1.0 PHP Code Execution
(web_specific_apps.rules)
 2805950 - ETPRO TROJAN Trojan-Spy.Win32.Zbot.hmcm Checkin (trojan.rules)
 2805951 - ETPRO TROJAN Win32/Ranbyus.G Checkin (trojan.rules)
 2805952 - ETPRO TROJAN Win32/AgentBypass.B CnC - SET (trojan.rules)
 2805953 - ETPRO TROJAN Win32/AgentBypass.B CnC - Download exe command
(trojan.rules)
 2805956 - ETPRO TROJAN W32/Zbot.ANQ!tr Checkin (trojan.rules)
 2805957 - ETPRO TROJAN Win32/Necurs Checkin (trojan.rules)
 2805958 - ETPRO TROJAN Backdoor.Win32.Y3KRat.16 reporting via ICQ WWW
script (trojan.rules)
 2805959 - ETPRO TROJAN Trojan.SubSeven.215-srv reporting via ICQ WWW
script (trojan.rules)
 2805960 - ETPRO TROJAN Trojan-Dropper.Win32.Neblso reporting via ICQ WWW
script (trojan.rules)
 2805961 - ETPRO TROJAN Backdoor.Win32.Asylum.013 reporting via ICQ WWW
script (trojan.rules)
 2805962 - ETPRO TROJAN TrojanDownloader Win32/MultiDL.30.A reporting via
ICQ WWW script (trojan.rules)
 2805963 - ETPRO TROJAN Trojan-Dropper.Win32.Mudrop.mu reporting via ICQ WWW
script (trojan.rules)
 2805964 - ETPRO TROJAN TrojanDropper.Win32/Juntador.F reporting via ICQ
WWW script (trojan.rules)
 2805965 - ETPRO TROJAN TrojanDropper.Win32/Joiner.G reporting via ICQ WWW
script (trojan.rules)
 2805966 - ETPRO TROJAN Win32/IllNotifier reporting via ICQ WWW script
(trojan.rules)
 2805967 - ETPRO TROJAN Trojan.Larhife.A reporting via ICQ WWW script
(trojan.rules)
 2805968 - ETPRO TROJAN Backdoor.Win32/LittleWitch.T reporting via ICQ WWW
script (trojan.rules)
 2805969 - ETPRO TROJAN Backdoor.Win32.Oblivion reporting via ICQ WWW
script (trojan.rules)
 2805970 - ETPRO TROJAN Backdoor.Win32.MoSucker.23 reporting via ICQ WWW
script (trojan.rules)
 2805971 - ETPRO TROJAN RemoteAccess.Win32/OptixClient reporting via ICQ
WWW script (trojan.rules)
 2805972 - ETPRO TROJAN Backdoor.Assasin reporting via ICQ WWW script
(trojan.rules)
 2805973 - ETPRO TROJAN Backdoor.Win32/Psychwar.B reporting via ICQ WWW
script (trojan.rules)
 2805974 - ETPRO TROJAN RemoteAccess.Win32/Prorat reporting via ICQ WWW
script (trojan.rules)
 2805975 - ETPRO TROJAN Backdoor.Win32/Asylum_Web.A reporting via ICQ WWW
script (trojan.rules)
 2805976 - ETPRO TROJAN Fareit/Pony Downloader CnC response (trojan.rules)


[///]     Modified active rules:     [///]

 2014411 - ET TROJAN Fareit/Pony Downloader Checkin 2 (trojan.rules)
 2014616 - ET TROJAN Win32/Usteal.B Checkin (trojan.rules)
 2014954 - ET INFO Vulnerable iTunes Version 10.6.x (info.rules)
 2016073 - ET CURRENT_EVENTS SofosFO - possible second stage landing page
(current_events.rules)

 2802015 - ETPRO TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive
(trojan.rules)
 2805697 - ETPRO TROJAN Backdoor.Win32.Shiz.dkg Checkin (trojan.rules)
 2805779 - ETPRO MOBILE_MALWARE Android/OpFake.A!tr.dial Checkin
(mobile_malware.rules)


[---]  Disabled and modified rules:  [---]

 2800328 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops
LGServer Handshake Buffer Overflow 1 (exploit.rules)
 2800329 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops
LGServer Handshake Buffer Overflow 2 (exploit.rules)
 2800330 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops
LGServer Handshake Buffer Overflow 3 (exploit.rules)
 2800331 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops
LGServer Handshake Buffer Overflow 4 (exploit.rules)
 2802188 - ETPRO TROJAN GET in ICMP Payload - Likely Covert Channel
(trojan.rules)
 2802189 - ETPRO TROJAN POST in ICMP Payload - Likely Covert Channel
(trojan.rules)
 2804603 - ETPRO TROJAN Lethic.B XOR key (trojan.rules)


[---]         Removed rules:         [---]

 2001034 - ET MALWARE Fun Web Products Adware Agent Traffic (malware.rules)
 2802895 - ETPRO POLICY Suspicious user agent(Industry Update Control)
(policy.rules)
 2803235 - ETPRO TROJAN AutoIt.Agent-H Checkin (trojan.rules)
 2805206 - ETPRO TROJAN Simda.C Checkin (trojan.rules)
 2805821 - ETPRO MOBILE_MALWARE Android/Ksapp.A Checkin
(mobile_malware.rules)
 2805943 - ETPRO WEB_SPECIFIC_APPS Jenkins Script Console Usage (Can be
Used to Spawn Shell) (web_specific_apps.rules)
 2805944 - ETPRO WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit
Windows CMD Shell) (web_specific_apps.rules)
 2805945 - ETPRO WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit
Unix Shell) (web_specific_apps.rules)


-- 

----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------