[Emerging-updates] Daily Ruleset Update Summary 02/08/2013

Will Metcalf wmetcalf at emergingthreatspro.com
Fri Feb 8 14:52:29 HAST 2013


[***]          Summary:          [***]

30 new Open rules. 38 new Pro rules. A big update today. Flash 0-day
(Exploit Specific), Multi(Bot|locker), Various EKs, StillSecure, etc.

[+++]          Added rules:          [+++]

  2016366 - ET TROJAN Umbra/Multibot Loader User-Agent (umbra) (trojan.rules)
  2016367 - ET TROJAN Umbra/MultiBot Plugin access (trojan.rules)
  2016368 - ET TROJAN Win32/Toby.N Multilocker Checkin (trojan.rules)
  2016369 - ET TROJAN Win32/Toby.N Multilocker Request (trojan.rules)
  2016370 - ET TROJAN Win32/Toby.N Multilocker Image Request (trojan.rules)
  2016371 - ET CURRENT_EVENTS Exploit Kit Java jpg download (current_events.rules)
  2016373 - ET CURRENT_EVENTS Unknown_MM EK - Landing Page (current_events.rules)
  2016374 - ET CURRENT_EVENTS Unknown_MM - Java Exploit - jaxws.jar (current_events.rules)
  2016375 - ET CURRENT_EVENTS Unknown_MM - Java Exploit - jre.jar (current_events.rules)
  2016377 - ET CURRENT_EVENTS Unknown_MM - Payload Download (current_events.rules)
  2016378 - ET CURRENT_EVENTS Unknown_MM EK - Java Exploit - fbyte.jar (current_events.rules)
  2016379 - ET CURRENT_EVENTS DRIVEBY Generic - JAR Containing Windows Executable (current_events.rules)
  2016380 - ET CURRENT_EVENTS Sakura Exploit Kit Encrypted Binary (1) (current_events.rules)
  2016381 - ET WEB_SPECIFIC_APPS WordPress WP ecommerce Shop Styling Plugin dompdf RFI Attempt (web_specific_apps.rules)
  2016382 - ET ACTIVEX Possible Ecava IntegraXor save method Remote ActiveX Buffer Overflow (activex.rules)
  2016383 - ET WEB_SPECIFIC_APPS Wordpress Audio Player Plugin playerID parameter XSS attempt in swf (web_specific_apps.rules)
  2016384 - ET WEB_SPECIFIC_APPS WordPress CommentLuv Plugin _ajax_nonce Parameter XSS Attempt (web_specific_apps.rules)
  2016385 - ET MOBILE_MALWARE Android/DNightmare - Task Killer Checkin 1 (mobile_malware.rules)
  2016386 - ET MOBILE_MALWARE Android/DNightmare - Task Killer Checkin 2 (mobile_malware.rules)
  2016387 - ET MOBILE_MALWARE Android/DNightmare -Task Killer Checkin 3 (mobile_malware.rules)
  2016388 - ET WEB_SPECIFIC_APPS SiteGo file parameter Local File Inclusion Attempt (web_specific_apps.rules)
  2016389 - ET WEB_SPECIFIC_APPS SiteGo OpenFolder parameter Local File Inclusion Attempt (web_specific_apps.rules)
  2016390 - ET WEB_SPECIFIC_APPS Glossword gw_admin.php Cross Site Scripting Attempt (web_specific_apps.rules)
  2016391 - ET CURRENT_EVENTS Adobe Flash Zero Day LadyBoyle Infection Campaign (current_events.rules)
  2016393 - ET CURRENT_EVENTS Impact Exploit Kit Landing Page (current_events.rules)
  2016394 - ET WEB_CLIENT Adobe Flash Uncompressed (web_client.rules)
  2016395 - ET WEB_CLIENT Microsoft OLE Compound File With Flash (web_client.rules)
  2016396 - ET CURRENT_EVENTS Exploit Specific Uncompressed Flash CVE-2013-0634 (current_events.rules)
  2016397 - ET CURRENT_EVENTS Exploit Specific Uncompressed Flash Inside of OLE CVE-2013-0634 (current_events.rules)
  2016399 - ET TROJAN W32/FloatingCloud.Banker CnC Beacon (trojan.rules)

  Pro:
  2805988 - ETPRO TROJAN Trojan-Spy.Win32.KeyLogger.acqh Checkin (trojan.rules)
  2805989 - ETPRO MOBILE_MALWARE Android Unknown Malware Checkin (mobile_malware.rules)
  2805990 - ETPRO MALWARE Adware.Keenval Checkin (malware.rules)
  2805991 - ETPRO TROJAN Win32.Dapato.bsyi Checkin (trojan.rules)
  2805992 - ETPRO TROJAN Win32/Farfli.AC Checkin (trojan.rules)
  2805993 - ETPRO TROJAN Win32/Gippers.A Client Checkin (trojan.rules)
  2805994 - ETPRO TROJAN Win32/Gippers.A Server Response (trojan.rules)
  2805996 - ETPRO TROJAN Trojan-PWS.Banker6 sending info via SMTP (trojan.rules)
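The two WEB_CLIENT rules in today's Open set, 2016394 (Adobe Flash Uncompressed) and 2016395 (Microsoft OLE Compound File With Flash), are named for file-format checks; the rule bodies themselves are not part of this summary. As an added illustration, and not Emerging Threats' signature content, the Python below makes the same two distinctions on a byte buffer: a SWF whose signature is FWS (uncompressed, as opposed to CWS/zlib or ZWS/LZMA), and an OLE2 compound file (magic D0 CF 11 E0 A1 B1 1A E1) that carries a SWF header somewhere inside. The sample buffers are constructed, and the SWF version sanity bound is my own heuristic rather than anything from the ruleset.

```python
"""Added example: classify a byte buffer the way rules 2016394/2016395 are named.
Not Emerging Threats' rule content; the checks here are a deliberate simplification."""
import struct

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian file length.
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 / Compound File Binary header
MAX_PLAUSIBLE_SWF_VERSION = 30  # assumption: sanity bound to cut "FWS"-in-text false positives


def swf_kind(buf):
    """Return 'uncompressed', 'zlib' or 'lzma' if buf starts with a plausible
    SWF header, else None."""
    if len(buf) < 8 or buf[:3] not in SWF_SIGNATURES:
        return None
    version = buf[3]
    file_length = struct.unpack("<I", buf[4:8])[0]
    # A stray "FWS" in prose usually fails one of these two checks.
    if not 1 <= version <= MAX_PLAUSIBLE_SWF_VERSION or file_length < 8:
        return None
    return SWF_SIGNATURES[buf[:3]]


def is_ole(buf):
    """True when buf starts with the OLE2 compound file magic."""
    return buf.startswith(OLE_MAGIC)


def find_embedded_swf(buf):
    """Byte-scan an OLE compound file for SWF headers; returns [(offset, kind), ...]."""
    hits = []
    if not is_ole(buf):
        return hits
    for signature in SWF_SIGNATURES:
        pos = buf.find(signature)
        while pos >= 0:
            kind = swf_kind(buf[pos:pos + 8])
            if kind:
                hits.append((pos, kind))
            pos = buf.find(signature, pos + 1)
    return sorted(hits)


def classify(buf):
    """Labels mirroring the two rule names; empty set when neither applies."""
    labels = set()
    if swf_kind(buf) == "uncompressed":
        labels.add("Adobe Flash Uncompressed")
    if find_embedded_swf(buf):
        labels.add("OLE Compound File With Flash")
    return labels


# Constructed samples (not real malware): a minimal uncompressed SWF, that SWF
# dropped into the first sector of a fake OLE container, an OLE file with no SWF,
# and HTML that happens to contain the letters FWS.
SAMPLE_SWF = b"FWS" + bytes([10]) + struct.pack("<I", 64) + b"\x00" * 56
SAMPLE_OLE_WITH_SWF = OLE_MAGIC + b"\x00" * 504 + SAMPLE_SWF + b"\x00" * 16
SAMPLE_OLE_PLAIN = OLE_MAGIC + b"\x00" * 1016
SAMPLE_TEXT = b"<html>FWS is not a Flash file here</html>"

if __name__ == "__main__":
    for name, sample in [("swf", SAMPLE_SWF), ("ole+swf", SAMPLE_OLE_WITH_SWF),
                         ("ole", SAMPLE_OLE_PLAIN), ("text", SAMPLE_TEXT)]:
        print(name, swf_kind(sample), find_embedded_swf(sample), sorted(classify(sample)))
```

A flat byte scan is what a network signature can do on a reassembled HTTP body, but it is only a heuristic: OLE streams are stored in 512-byte sectors chained through the file's FAT, so a SWF header that straddles two non-contiguous sectors is missed here and only found after rebuilding the stream (for example with the olefile library). A CWS (zlib) SWF inside a document also needs inflating before any content check on the SWF body, which is outside what the "Uncompressed" rules above are named for.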



 [///]     Modified active rules:     [///]

  2014726 - ET POLICY Outdated Windows Flash Version IE (policy.rules)
  2014727 - ET POLICY Outdated Mac Flash Version (policy.rules)
  2016214 - ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/nt/th (trojan.rules)
  2016217 - ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/ms/check (trojan.rules)
  2016218 - ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/ms/flush (trojan.rules)
  2016219 - ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/win/wcx (trojan.rules)
  2016220 - ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/win/cab (trojan.rules)
  2016320 - ET CURRENT_EVENTS Exploit Kit Java gif download (current_events.rules)
  2016321 - ET CURRENT_EVENTS Possible g01pack Jar download (current_events.rules)
  2016329 - ET TROJAN W32/SecVerif.Downloader Initial Checkin (trojan.rules)
  2016333 - ET CURRENT_EVENTS Possible g01pack Landing Page (current_events.rules)
  2016358 - ET TROJAN W32/ZeroAccess Counter.img Checkin (trojan.rules)


 [---]         Removed rules:         [---]

  2402000 - ET DROP Dshield Block Listed Source (dshield.rules)

  [-+-]          Moved rules:         [-+-]

  Old:
  2803343 - ETPRO TROJAN Common Trojan User-Agent Pattern Mozilla5.0 wget3.0 (trojan.rules)
  2805113 - ETPRO TROJAN Variant.Graftor.5628 CnC Traffic (trojan.rules)

  New: (Previously Missing rules)
  2001764 - ET TROJAN Bugbear@MM virus via SMTP (trojan.rules)
  2002389 - ET EXPLOIT Vulnerable Mercury 4.01a IMAP Banner (exploit.rules)
  2002784 - ET EXPLOIT Java private function call sun.misc.unsafe (exploit.rules)
  2002938 - ET TROJAN elitekeylogger v1.0 reporting - Inbound (trojan.rules)
  2002941 - ET TROJAN elitekeylogger v1.0 reporting - Outbound (trojan.rules)
  2003138 - ET TROJAN SpamThru trojan peer exchange (trojan.rules)
  2003141 - ET TROJAN SpamThru trojan AV DLL request (trojan.rules)
  2003434 - ET EXPLOIT Trend Micro Web Interface Auth Bypass Vulnerable Cookie Attempt (exploit.rules)
  2007608 - ET TROJAN Win32.Agent.bea C&C connection (trojan.rules)
  2007673 - ET TROJAN E-Jihad 3.0 DNS Activity TCP (1) (trojan.rules)
  2007674 - ET TROJAN E-Jihad 3.0 DNS Activity TCP (2) (trojan.rules)
  2007677 - ET TROJAN E-Jihad 3.0 DNS Activity TCP (5) (trojan.rules)
  2007678 - ET TROJAN E-Jihad 3.0 DNS Activity UDP (1) (trojan.rules)
  2007680 - ET TROJAN E-Jihad 3.0 DNS Activity UDP (3) (trojan.rules)
  2007917 - ET TROJAN Dropper-497 (Yumato) Initial Checkin (trojan.rules)
  2007918 - ET TROJAN Dropper-497 (Yumato) System Stats Report (trojan.rules)
  2007919 - ET TROJAN Dropper-497 Yumato Reply from server (trojan.rules)
  2007920 - ET TROJAN Dropper-497 (Yumato) Status Reply from server (trojan.rules)
  2008017 - ET TROJAN Philis.J ICMP Sweep (Payload Hello,World) (trojan.rules)
  2008221 - ET TROJAN Asprox-style Message ID (trojan.rules)
  2008222 - ET TROJAN Asprox phishing email detected (trojan.rules)
  2008269 - ET TROJAN Emogen Infection Checkin Initial Packet (trojan.rules)
  2008270 - ET TROJAN Emogen Infection Checkin CnC Keepalive (trojan.rules)
  2008327 - ET TROJAN Perfect Keylogger FTP Initial Install Log Upload (Null obfuscated) (trojan.rules)
  2008341 - ET TROJAN Themida Packed Binary - Likely Hostile (trojan.rules)
  2008730 - ET TROJAN Ipbill.com Related Dialer Trojan Checkin (trojan.rules)
  2008905 - ET TROJAN Trojan.Delf-5496 Checkin Error (trojan.rules)
  2008906 - ET TROJAN Trojan.Delf-5496 Egg Request (trojan.rules)
  2008907 - ET TROJAN Trojan.Delf-5496 File Manager Access Report (trojan.rules)
  2010056 - ET CURRENT_EVENTS TROJAN Likely TDSS Download (197.exe) (current_events.rules)
  2010796 - ET CURRENT_EVENTS MALWARE Unknown Malware Download Attempt (current_events.rules)
  2010798 - ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt (web_client.rules)
  2011486 - ET CURRENT_EVENTS Phoenix landing page - valium (current_events.rules)
  2016398 - ET TROJAN Variant.Graftor.5628 CnC Traffic (trojan.rules)
  100000167 - GPL SMTP SMTP Hydra Activity Detected (smtp.rules)