[Emerging-updates] Daily Ruleset Update Summary 06/07/2013

Will Metcalf wmetcalf at emergingthreatspro.com
Fri Jun 7 17:13:23 HADT 2013


[***]         Summary:          [***]

7 new open rules. 12 new Pro rules (7/5). Sweet Orange, Alina, Webshell,
KeyBoy, etc.

Thanks to Claudio Guarnieri from Rapid7 for his great KeyBoy write-up and
for allowing ET to use his rule. Read the full write-up here.

https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india

Suri LuaJIT sigs updated. Thanks to Chris Wakelin for his help!

https://github.com/EmergingThreats/et-luajit-scripts


[+++]          Added rules:          [+++]

  Open:
  2016986 - ET TROJAN KeyBoy Backdoor Login (trojan.rules)
  2016987 - ET TROJAN KeyBoy Backdoor SysInfo Response header (trojan.rules)
  2016988 - ET TROJAN KeyBoy Backdoor File Manager Response Header (trojan.rules)
  2016989 - ET TROJAN KeyBoy Backdoor File Download Response Header (trojan.rules)
  2016990 - ET TROJAN KeyBoy Backdoor File Upload Response Header (trojan.rules)
  2016991 - ET TROJAN Alina Server Response Code (trojan.rules)
  2016992 - ET WEB_SERVER WebShell Generic - *.tar.gz in POST body (web_server.rules)

  Pro:
  2806468 - ETPRO TROJAN Win32.Sality-GR Checkin 2 (trojan.rules)
  2806469 - ETPRO MALWARE Alina Checkin 2 (malware.rules)
  2806470 - ETPRO TROJAN Trojan.Win32.VBKrypt.pqwb Checkin (trojan.rules)
  2806471 - ETPRO TROJAN Win32/Wagiclas.B / Backdoor.Win32.DarkMoon.B Checkin (trojan.rules)
  2806472 - ETPRO TROJAN Hupigon Variant Checkin (trojan.rules)


 [///]     Modified active rules:     [///]

  Open:
  2016860 - ET CURRENT_EVENTS Sweet Orange Landing Page May 16 2013 (current_events.rules)

  Pro:
  2806459 - ETPRO TROJAN Win32.Sality-GR Checkin (trojan.rules)


 [---]  Disabled and modified rules:  [---]

  2015724 - ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending Jar (current_events.rules)
  2015738 - ET CURRENT_EVENTS pamdql obfuscated javascript --- padding (current_events.rules)


 [---]         Removed rules:         [---]

  Open:
  2015725 - ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending PDF (current_events.rules)
  2015739 - ET CURRENT_EVENTS pamdql applet with obfuscated URL (current_events.rules)
  2015785 - ET CURRENT_EVENTS pamdql obfuscated javascript _222_ padding (current_events.rules)
  2015801 - ET CURRENT_EVENTS pamdql obfuscated javascript -_-- padding (current_events.rules)
  2015845 - ET CURRENT_EVENTS pamdql obfuscated javascript __-_ padding (current_events.rules)

  Pro:
  2805494 - ETPRO TROJAN Virus.Win32.Sality.baka Checkin (trojan.rules)
  2805497 - ETPRO TROJAN Virus.Win32.Sality.baka Checkin 2 (trojan.rules)
  2805518 - ETPRO TROJAN Virus.Win32.Sality.baka Checkin 3 (trojan.rules)
  2805519 - ETPRO TROJAN Virus.Win32.Sality.baka Checkin 4 (trojan.rules)
  2805539 - ETPRO TROJAN Virus.Win32.Sality.baka Checkin 5 (trojan.rules)