[Emerging-updates] Weekly Ruleset Update Summary 6/14/2013

Matt Jonkman jonkman at emergingthreats.net
Fri Jun 14 07:25:42 HADT 2013


33 open, 39 new Pro, 72 total new this week! As well as quite a few tweaks.

Have a great weekend!

[+++]          Added rules:          [+++]


 2016986 - ET TROJAN KeyBoy Backdoor Login (trojan.rules)
 2016987 - ET TROJAN KeyBoy Backdoor SysInfo Response header (trojan.rules)
 2016988 - ET TROJAN KeyBoy Backdoor File Manager Response Header (trojan.rules)
 2016989 - ET TROJAN KeyBoy Backdoor File Download Response Header (trojan.rules)
 2016990 - ET TROJAN KeyBoy Backdoor File Upload Response Header (trojan.rules)
 2016991 - ET TROJAN Alina Server Response Code (trojan.rules)
 2016992 - ET WEB_SERVER WebShell Generic - *.tar.gz in POST body (web_server.rules)
 2016993 - ET TROJAN Connection to Annibus Sinkhole IP (Possible Infected Host) (trojan.rules)
 2016994 - ET TROJAN Connection to Georgia Tech Sinkhole IP (Possible Infected Host) (trojan.rules)
 2016995 - ET TROJAN Connection to 1&1 Sinkhole IP (Possible Infected Host) (trojan.rules)
 2016996 - ET TROJAN Connection to Zinkhole Sinkhole IP (Possible Infected Host) (trojan.rules)
 2016997 - ET TROJAN Connection to Dr Web Sinkhole IP (Possible Infected Host) (trojan.rules)
 2016998 - ET TROJAN Connection to Fitsec Sinkhole IP (Possible Infected Host) (trojan.rules)
 2016999 - ET TROJAN Connection to Microsoft Sinkhole IP (Possible Infected Host) (trojan.rules)
 2017000 - ET TROJAN Connection to unallocated address space 1.1.1.0/24 (trojan.rules)
 2017001 - ET TROJAN Connection to a cert.pl Sinkhole IP (Possible Infected Host) (trojan.rules)
 2017002 - ET CURRENT_EVENTS Kuluoz.B Shipping Label Spam Campaign (current_events.rules)
 2017003 - ET CURRENT_EVENTS Kuluoz.B Spam Campaign Shipment_Label.exe in Zip (current_events.rules)
 2017004 - ET TROJAN Win32/Tobfy.S (trojan.rules)
 2017005 - ET CURRENT_EVENTS Possible Microsoft Office PNG overflow attempt invalid tEXt chunk length (current_events.rules)
 2017006 - ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access (exploit.rules)
 2017007 - ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access (exploit.rules)
 2017008 - ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit Specific (exploit.rules)
 2017009 - ET TROJAN KimJongRAT cnc exe pull (trojan.rules)
 2017010 - ET WEB_SERVER Possible SQLi xp_cmdshell POST body (web_server.rules)
 2017011 - ET CURRENT_EVENTS Glazunov EK Downloading Jar (current_events.rules)
 2017012 - ET CURRENT_EVENTS Possible 2012-1533 altjvm (jvm.dll) Requested Over WebDAV (current_events.rules)
 2017013 - ET CURRENT_EVENTS Possible 2012-1533 altjvm RCE via JNLP command injection (current_events.rules)
 2017014 - ET CURRENT_EVENTS Unknown EK Landing (Payload Downloaded Via Dropbox) (current_events.rules)
 2017015 - ET POLICY DropBox User Content Access over SSL (policy.rules)
 2017016 - ET CURRENT_EVENTS Unknown EK Jar 1 June 12 2013 (current_events.rules)
 2017017 - ET CURRENT_EVENTS Unknown EK Jar 2 June 12 2013 (current_events.rules)
 2017018 - ET CURRENT_EVENTS Unknown EK Jar 3 June 12 2013 (current_events.rules)


 2806469 - ETPRO MALWARE Alina Checkin 2 (malware.rules)
 2806470 - ETPRO TROJAN Trojan.Win32.VBKrypt.pqwb Checkin (trojan.rules)
 2806471 - ETPRO TROJAN Win32/Wagiclas.B / Backdoor.Win32.DarkMoon.B Checkin (trojan.rules)
 2806472 - ETPRO TROJAN Hupigon Variant Checkin (trojan.rules)
 2806473 - ETPRO TROJAN Trojan-Downloader.Win32.Agent.cvby Checkin (trojan.rules)
 2806474 - ETPRO TROJAN TR/Dldr.Delphi.Gen Checkin (trojan.rules)
 2806475 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Obad.a Checkin (mobile_malware.rules)
 2806476 - ETPRO TROJAN Trojan-Spy/W32.Banker.990208.K Checkin (trojan.rules)
 2806481 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (web_client.rules)
 2806482 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (web_client.rules)
 2806483 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (web_client.rules)
 2806484 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (web_client.rules)
 2806485 - ETPRO WEB_CLIENT Internet Explorer Double Free CVE-2013-3118 (web_client.rules)
 2806486 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (web_client.rules)
 2806487 - ETPRO WEB_CLIENT Internet Explorer Use-After-Free CVE-2013-3120 (web_client.rules)
 2806488 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (web_client.rules)
 2806489 - ETPRO WEB_CLIENT Internet Explorer onscroll CVE-2013-3123 (web_client.rules)
 2806490 - ETPRO WEB_CLIENT Internet Explorer onscroll CVE-2013-3123 (web_client.rules)
 2806491 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (web_client.rules)
 2806492 - ETPRO TROJAN Win32/TrojanDownloader.Banload.RVP Checkin 1 (trojan.rules)
 2806493 - ETPRO TROJAN Win32/TrojanDownloader.Banload.RVP Checkin 2 (trojan.rules)
 2806494 - ETPRO TROJAN Heur.Bodegun.1 Checkin (trojan.rules)
 2806495 - ETPRO TROJAN Trojan-Downloader.Win32.VB.gzui Checkin (trojan.rules)
 2806496 - ETPRO TROJAN Unknown checkin (trojan.rules)
 2806497 - ETPRO MALWARE Adware.Ebiz.K checkin (malware.rules)
 2806498 - ETPRO TROJAN Win32/SniperSpy Checkin 2 (trojan.rules)
 2806499 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (web_client.rules)
 2806500 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (web_client.rules)
 2806501 - ETPRO TROJAN Win32.Jorik.Agent.ppv POST (trojan.rules)
 2806502 - ETPRO TROJAN Win32.Jorik.Agent.ppv GET (trojan.rules)
 2806503 - ETPRO TROJAN Win32/Injector.Autoit.P Checkin (trojan.rules)
 2806504 - ETPRO TROJAN Trojan-Dropper.Win32.FriJoiner.awr Checkin (trojan.rules)
 2806505 - ETPRO MALWARE AdWare.Win32.Barogo.br Checkin (malware.rules)
 2806506 - ETPRO TROJAN Trojan.Win32.Autoit variant download request (trojan.rules)
 2806507 - ETPRO TROJAN Win32/Injector.Autoit.P variant response (trojan.rules)
 2806508 - ETPRO TROJAN Worm.Mydoom spreading via SMTP 10 (trojan.rules)
 2806509 - ETPRO TROJAN Backdoor.Win32.SdBot.baa CnC at IRC Channel (trojan.rules)
 2806510 - ETPRO TROJAN Trojan.Heur.VP2.cm0 at aeaegnG Checkin (trojan.rules)
 2806511 - ETPRO TROJAN Win32/Delf.MT Checkin (trojan.rules)


[///]     Modified active rules:     [///]

 2008754 - ET TROJAN Possible Rar'd Malware sent when remote host claims to send an Image (trojan.rules)
 2009909 - ET TROJAN Possible Windows executable sent when remote host claims to send HTML/CSS Content (trojan.rules)
 2012707 - ET TROJAN Suspicious double Server Header (trojan.rules)
 2013441 - ET TROJAN EXE Download When Server Claims To Send Audio File - Must Be Win32 (trojan.rules)
 2002175 - ET TROJAN Srv.SSA-KeyLogger Checkin Traffic (trojan.rules)
 2003408 - ET TROJAN Zhelatin Variant Checkin (trojan.rules)
 2008523 - ET TROJAN Proxy.Win32.Fackemo.g/Katusha/FakeAlert Checkin (trojan.rules)
 2012279 - ET CURRENT_EVENTS SpyEye HTTP Library Checkin (current_events.rules)
 2014726 - ET POLICY Outdated Windows Flash Version IE (policy.rules)
 2014727 - ET POLICY Outdated Mac Flash Version (policy.rules)
 2015808 - ET TROJAN Taidoor Checkin (trojan.rules)
 2015877 - ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Landing Page URI (current_events.rules)
 2015978 - ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Dec 03 2012 (current_events.rules)
 2016104 - ET TROJAN DNS Reply for unallocated address space - Potentially Malicious 1.1.1.0/24 (trojan.rules)
 2016229 - ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Jar Download (current_events.rules)
 2016368 - ET TROJAN Win32/Toby.N Multilocker Checkin (trojan.rules)
 2016578 - ET TROJAN Dorkbot Loader Payload Request (trojan.rules)
 2016588 - ET CURRENT_EVENTS Redkit Jar Naming Pattern March 03 2013 (current_events.rules)
 2016705 - ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL April 01 2013 (current_events.rules)
 2016751 - ET CURRENT_EVENTS RedKit/Sakura applet + obfuscated URL Apr 10 2013 (current_events.rules)
 2016840 - ET CURRENT_EVENTS FlimKit Landing (current_events.rules)
 2016860 - ET CURRENT_EVENTS Sweet Orange Landing Page May 16 2013 (current_events.rules)
 2016943 - ET CURRENT_EVENTS Sakura - Payload Requested (current_events.rules)


 2804607 - ETPRO TROJAN Net-Worm.Win32.Kolab.gen Checkin (trojan.rules)
 2804817 - ETPRO TROJAN Win32/Autoit.NJT Checkin (trojan.rules)
 2806365 - ETPRO TROJAN PWS-Zbot-FEN!C447D364A9DA checkin (trojan.rules)
 2806459 - ETPRO TROJAN Win32.Sality-GR Checkin (trojan.rules)


[///]    Modified inactive rules:    [///]

 2010377 - ET POLICY JBOSS/JMX port 80 access from outside (policy.rules)


[---]  Disabled and modified rules:  [---]

 2010762 - ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt (web_specific_apps.rules)
 2011881 - ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt (web_specific_apps.rules)
 2015724 - ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending Jar (current_events.rules)
 2015738 - ET CURRENT_EVENTS pamdql obfuscated javascript --- padding (current_events.rules)


[---]         Disabled rules:        [---]

 2016563 - ET CURRENT_EVENTS Blackhole 16-hex/q.php Landing Page/Java exploit URI (current_events.rules)
 2016564 - ET CURRENT_EVENTS Blackhole 16-hex/q.php Jar Download (current_events.rules)
 2016971 - ET CURRENT_EVENTS Blackhole 32-hex/a.php Landing Page/Java exploit URI (current_events.rules)
 2016972 - ET CURRENT_EVENTS Blackhole 32-hex/a.php Jar Download (current_events.rules)
 2016973 - ET CURRENT_EVENTS Blackhole 16-hex/a.php Landing Page/Java exploit URI (current_events.rules)
 2016974 - ET CURRENT_EVENTS Blackhole 16-hex/a.php Jar Download (current_events.rules)


[---]         Removed rules:         [---]

 2006425 - ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin (malware.rules)
 2006426 - ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (malware.rules)
 2008754 - ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image (malware.rules)
 2009909 - ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content (malware.rules)
 2011474 - ET TROJAN FakeAV Checkin (trojan.rules)
 2012707 - ET CURRENT_EVENTS Suspicious double HTTP Header possible botnet CnC (current_events.rules)
 2013441 - ET MALWARE EXE Download When Server Claims To Send Audio File - Must Be Win32 (malware.rules)
 2015725 - ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending PDF (current_events.rules)
 2015739 - ET CURRENT_EVENTS pamdql applet with obfuscated URL (current_events.rules)
 2015785 - ET CURRENT_EVENTS pamdql obfuscated javascript _222_ padding (current_events.rules)
 2015801 - ET CURRENT_EVENTS pamdql obfuscated javascript -_-- padding (current_events.rules)
 2015845 - ET CURRENT_EVENTS pamdql obfuscated javascript __-_ padding (current_events.rules)


 2804050 - ETPRO TROJAN Win32/Malushka.A Checkin (trojan.rules)
 2805494 - ETPRO TROJAN Virus.Win32.Sality.baka Checkin (trojan.rules)
 2805497 - ETPRO TROJAN Virus.Win32.Sality.baka Checkin 2 (trojan.rules)
 2805518 - ETPRO TROJAN Virus.Win32.Sality.baka Checkin 3 (trojan.rules)
 2805519 - ETPRO TROJAN Virus.Win32.Sality.baka Checkin 4 (trojan.rules)
 2805539 - ETPRO TROJAN Virus.Win32.Sality.baka Checkin 5 (trojan.rules)


-- 

----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------