[Emerging-updates] Daily Ruleset Update Summary 02/21/2013

Will Metcalf wmetcalf at emergingthreatspro.com
Thu Feb 21 20:39:36 HAST 2013


 [***]          Summary:          [***]

41 new Open rules. 50 new Pro rules (41/9). More APT1/CommentCrew sigs,
CoolEK updates, CBeplay etc. I highly recommend reading the Mandiant
report, which can be found here: http://intelreport.mandiant.com/

2016452-2016472 Signatures based off of the APT1 Mandiant Report
2016474-2016488 More APT1/CommentCrew sigs courtesy of Jamie Blasco @
AlienVault. Thanks!
2016489 CBeplay Ransomware. Thanks @kafeine!
2016490-2016493 Seems to be an artifact of the latest Java7 exploit shared by
popular EKs.

2806036 - 2806044 Daily Pro TROJAN Coverage

 [+++]          Added rules:          [+++]

  Open:
  2016452 - ET TROJAN WEBC2-CLOVER Checkin APT1 Related (trojan.rules)
  2016453 - ET TROJAN WEBC2-CLOVER Download UA (trojan.rules)
  2016454 - ET TROJAN WEBC2-DIV UA (trojan.rules)
  2016455 - ET TROJAN Possible WEBC2-GREENCAT Response - Embedded CnC APT1 Related (trojan.rules)
  2016456 - ET TROJAN WEBC2-KT3 Intial Connection Beacon APT1 Related (trojan.rules)
  2016457 - ET TROJAN WEBC2-KT3 Intial Connection Beacon Server Response APT1 Related (trojan.rules)
  2016458 - ET TROJAN WEBC2-RAVE UA (trojan.rules)
  2016459 - ET TROJAN Win32/Small.XR Checkin 2 WEBC2-CSON APT1 Related (trojan.rules)
  2016460 - ET TROJAN WEBC2-CSON Checkin - APT1 Related (trojan.rules)
  2016461 - ET TROJAN Win32.Sluegot.A Checkin WEBC2-YAHOO APT1 Related (trojan.rules)
  2016462 - ET TROJAN Fake Virtually SSL Cert APT1 (trojan.rules)
  2016463 - ET TROJAN Fake IBM SSL Cert APT1 (trojan.rules)
  2016464 - ET TROJAN EMAIL SSL Cert APT1 (trojan.rules)
  2016465 - ET TROJAN LAME SSL Cert APT1 (trojan.rules)
  2016466 - ET TROJAN NS SSL Cert APT1 (trojan.rules)
  2016467 - ET TROJAN SERVER SSL Cert APT1 (trojan.rules)
  2016468 - ET TROJAN SUR SSL Cert APT1 (trojan.rules)
  2016469 - ET TROJAN FAKE AOL SSL Cert APT1 (trojan.rules)
  2016470 - ET TROJAN FAKE YAHOO SSL Cert APT1 (trojan.rules)
  2016471 - ET TROJAN WEBC2-UGX User-Agent (Windows+NT+5.x) APT1 (trojan.rules)
  2016472 - ET TROJAN WEBC2-UGX Embedded CnC Response APT1 (trojan.rules)
  2016473 - ET CURRENT_EVENTS Possible DNS Data Exfiltration to SSHD Rootkit Last Resort CnC (current_events.rules)
  2016474 - ET CURRENT_EVENTS - CommentCrew UGX Backdoor initial connection (current_events.rules)
  2016475 - ET CURRENT_EVENTS - CommentCrew downloader without user-agent string exe download without User Agent (current_events.rules)
  2016476 - ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications get system (current_events.rules)
  2016477 - ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications html return 1 (current_events.rules)
  2016478 - ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications sleep (current_events.rules)
  2016479 - ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications sleep2 (current_events.rules)
  2016480 - ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications sleep3 (current_events.rules)
  2016482 - ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications sleep5 (current_events.rules)
  2016483 - ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications download client.png (current_events.rules)
  2016484 - ET CURRENT_EVENTS - CommentCrew Possible APT crabdance backdoor base64 head 2 (current_events.rules)
  2016485 - ET CURRENT_EVENTS - CommentCrew Possible APT crabdance backdoor base64 head (current_events.rules)
  2016486 - ET CURRENT_EVENTS - CommentCrew Possible APT backdoor stage 2 download base64 update.gif (current_events.rules)
  2016487 - ET CURRENT_EVENTS - CommentCrew Possible APT backdoor download logo.png (current_events.rules)
  2016488 - ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications get command client key (current_events.rules)
  2016489 - ET TROJAN CBeplay Downloading Design (trojan.rules)
  2016490 - ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (1) (current_events.rules)
  2016491 - ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (2) (current_events.rules)
  2016492 - ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3) (current_events.rules)
  2016493 - ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3) (current_events.rules)

  Pro:
  2806036 - ETPRO TROJAN Trojan.Win32.Pasta.thg Checkin (trojan.rules)
  2806037 - ETPRO TROJAN Trojan-Banker.Win32.Bancos.ulx Checkin (trojan.rules)
  2806038 - ETPRO TROJAN Backdoor.Win32.Rbot.ajwo Checkin (trojan.rules)
  2806039 - ETPRO TROJAN Downloader.Win32.FraudLoad.jh Checkin (trojan.rules)
  2806040 - ETPRO TROJAN TROJ_ARCHSMS.B Checkin (trojan.rules)
  2806041 - ETPRO TROJAN Trojan.Generic.KDZ.7051 Checkin (trojan.rules)
  2806042 - ETPRO TROJAN Trojan.Generic.8632390 Checkin (trojan.rules)
  2806043 - ETPRO TROJAN HackTool.Sniffer.WpePro Checkin (trojan.rules)
  2806044 - ETPRO TROJAN W32/QQhelper.C.gen General Downloader User-Agent (Mozil1a/4.0+(compatible) (trojan.rules)


 [///]     Modified active rules:     [///]

  2009486 - ET TROJAN APT1 WEBC2-UGX Related Pingbed/Downbot User-Agent (Windows+NT+5.x) (trojan.rules)
  2016060 - ET CURRENT_EVENTS CoolEK - Jar - Dec 18 2012 (current_events.rules)


 [---]         Removed rules:         [---]

  2803065 - ETPRO TROJAN Win32.Sluegot.A Checkin (trojan.rules)
  2803833 - ETPRO TROJAN WEBC2-CSON Checkin - APT1 Related (trojan.rules)