[Emerging-updates] Daily Ruleset Update Summary 08/27/2014

Francis Trudeau ftrudeau at emergingthreats.net
Wed Aug 27 18:02:40 EDT 2014


 [***] Summary: [***]

 54 new Open signatures, 77 new Pro (54+23).  Lots of Upatre SSL,
NullHole EK, Various Android.

 Thanks:  Nathan Fowler and @kafeine

 [+++]          Added rules:          [+++]

  2019025 - ET CURRENT_EVENTS Possible Upatre SSL Cert freeb4u.com (current_events.rules)
  2019026 - ET CURRENT_EVENTS Possible Upatre SSL Cert developmentinn.com (current_events.rules)
  2019027 - ET CURRENT_EVENTS Possible Upatre SSL Cert directory92.com (current_events.rules)
  2019028 - ET CURRENT_EVENTS Possible Upatre SSL Cert epr-co.ch (current_events.rules)
  2019029 - ET CURRENT_EVENTS Possible Upatre SSL Cert pouyasazan.org (current_events.rules)
  2019030 - ET CURRENT_EVENTS Possible Upatre SSL Cert ara-photos.net (current_events.rules)
  2019031 - ET CURRENT_EVENTS Possible Upatre SSL Cert tecktalk.com (current_events.rules)
  2019032 - ET CURRENT_EVENTS Possible Upatre SSL Cert cyclivate.com (current_events.rules)
  2019033 - ET CURRENT_EVENTS Possible Upatre SSL Cert mentoringgroup.com (current_events.rules)
  2019034 - ET CURRENT_EVENTS Possible Upatre SSL Cert dineshuthayakumar.in (current_events.rules)
  2019035 - ET CURRENT_EVENTS Possible Upatre SSL Cert ssshosting.net (current_events.rules)
  2019036 - ET CURRENT_EVENTS Possible Upatre SSL Cert erotikturk.com (current_events.rules)
  2019037 - ET CURRENT_EVENTS Possible Upatre SSL Cert mtnoutfitters.com (current_events.rules)
  2019038 - ET CURRENT_EVENTS Possible Upatre SSL Cert jojik-international.com (current_events.rules)
  2019039 - ET CURRENT_EVENTS Possible Upatre SSL Cert abarsolutions.com (current_events.rules)
  2019040 - ET CURRENT_EVENTS Possible Upatre SSL Cert eastwoodvalley.com (current_events.rules)
  2019041 - ET CURRENT_EVENTS Possible Upatre SSL Cert ara-photos.net (current_events.rules)
  2019042 - ET CURRENT_EVENTS Possible Upatre SSL Cert pejlain.se (current_events.rules)
  2019043 - ET CURRENT_EVENTS Possible Upatre SSL Cert dominionthe.com (current_events.rules)
  2019044 - ET CURRENT_EVENTS Possible Upatre SSL Cert delanecanada.ca (current_events.rules)
  2019045 - ET CURRENT_EVENTS Possible Upatre SSL Cert hebergement-solutions.com (current_events.rules)
  2019046 - ET CURRENT_EVENTS Possible Upatre SSL Cert sportofteniq.com (current_events.rules)
  2019047 - ET CURRENT_EVENTS Possible Upatre SSL Cert adoraacc.com (current_events.rules)
  2019048 - ET CURRENT_EVENTS Possible Upatre SSL Cert tristacey.com (current_events.rules)
  2019049 - ET CURRENT_EVENTS Possible Upatre SSL Cert nbc-mail.com (current_events.rules)
  2019050 - ET CURRENT_EVENTS Possible Upatre SSL Cert tridayacipta.com (current_events.rules)
  2019051 - ET CURRENT_EVENTS Possible Upatre SSL Cert trainthetrainerinternational.com (current_events.rules)
  2019052 - ET CURRENT_EVENTS Possible Upatre SSL Cert lingayasuniversity.edu.in (current_events.rules)
  2019053 - ET CURRENT_EVENTS Possible Upatre SSL Cert uleideargan.com (current_events.rules)
  2019054 - ET CURRENT_EVENTS Possible Upatre SSL Cert picklingtank.com (current_events.rules)
  2019055 - ET CURRENT_EVENTS Possible Upatre SSL Cert vcomdesign.com (current_events.rules)
  2019056 - ET CURRENT_EVENTS Possible Upatre SSL Cert technosysuk.com (current_events.rules)
  2019057 - ET CURRENT_EVENTS Possible Upatre SSL Cert slmp-550-105.slc.westdc.net (current_events.rules)
  2019058 - ET CURRENT_EVENTS Possible Upatre SSL Cert itiltrainingcertworkshop.com (current_events.rules)
  2019059 - ET CURRENT_EVENTS Possible Upatre SSL Cert udderperfection.com (current_events.rules)
  2019060 - ET CURRENT_EVENTS Possible Upatre SSL Cert efind.co.il (current_events.rules)
  2019061 - ET CURRENT_EVENTS Possible Upatre SSL Cert bloodsoft.com (current_events.rules)
  2019062 - ET CURRENT_EVENTS Possible Upatre SSL Cert walletmix.com (current_events.rules)
  2019063 - ET CURRENT_EVENTS Possible Upatre SSL Cert turnaliinsaat.com (current_events.rules)
  2019064 - ET CURRENT_EVENTS Possible Upatre SSL Cert mdus-pp-wb12.webhostbox.net (current_events.rules)
  2019065 - ET CURRENT_EVENTS Possible Upatre SSL Cert plastics-technology.com (current_events.rules)
  2019066 - ET CURRENT_EVENTS Possible Upatre SSL Cert slmp-550-105.slc.westdc.net (current_events.rules)
  2019067 - ET CURRENT_EVENTS Possible Upatre SSL Cert deserve.org.uk (current_events.rules)
  2019068 - ET CURRENT_EVENTS Possible Upatre SSL Cert worldbuy.biz (current_events.rules)
  2019069 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
  2019070 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
  2019071 - ET CURRENT_EVENTS NullHole EK Landing Aug 27 2014 (current_events.rules)
  2019072 - ET CURRENT_EVENTS RIG EK Landing URI Struct (current_events.rules)
  2019073 - ET CURRENT_EVENTS NullHole EK Landing Redirect Aug 27 2014 (current_events.rules)
  2019074 - ET TROJAN Vawtrak/NeverQuest Posting Data (trojan.rules)
  2019075 - ET CURRENT_EVENTS Possible Upatre SSL Cert paydaypedro.co.uk (current_events.rules)
  2019076 - ET CURRENT_EVENTS Possible Upatre SSL Cert chatso.com (current_events.rules)
  2019077 - ET CURRENT_EVENTS Possible Upatre SSL Cert ventureonsite.com (current_events.rules)
  2019078 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Aug 27 2014 (current_events.rules)

 Pro:

  2808649 - ETPRO TROJAN Backdoor.Win32.Stantinko.A Checkin 3 (trojan.rules)
  2808661 - ETPRO MALWARE Adware.Win32.Midia.A Checkin (malware.rules)
  2808662 - ETPRO TROJAN Win32.Boaxxe Variant Callback (trojan.rules)
  2808663 - ETPRO MOBILE_MALWARE Android/Adware.MobWin.A Checkin (mobile_malware.rules)
  2808664 - ETPRO MALWARE Win32/ExpressDownloader Callback (malware.rules)
  2808665 - ETPRO MALWARE KopHack Checkin (malware.rules)
  2808666 - ETPRO MALWARE Adware.Winner Uploading Host Info (malware.rules)
  2808667 - ETPRO TROJAN Win32/ProxyChanger.RD Checkin (trojan.rules)
  2808668 - ETPRO TROJAN TROJAN.WIN32.DIZTAKUN.ATK Checkin FTP (trojan.rules)
  2808669 - ETPRO TROJAN TROJANSPY.MSIL/GOLROTED.A Checkin FTP (trojan.rules)
  2808670 - ETPRO TROJAN POSCARDSTEALER.Q Checkin (trojan.rules)
  2808671 - ETPRO TROJAN MONITOR.MSIL.KEYLOGGER Checkin (trojan.rules)
  2808672 - ETPRO TROJAN Win32/Spy.Agent.OKH Checkin (trojan.rules)
  2808673 - ETPRO MOBILE_MALWARE Android/Spyoo.I Checkin (mobile_malware.rules)
  2808674 - ETPRO MOBILE_MALWARE Android/Spyoo.I Checkin 2 (mobile_malware.rules)
  2808675 - ETPRO MOBILE_MALWARE Android/Spyoo.I Checkin 3 (mobile_malware.rules)
  2808676 - ETPRO MALWARE Win32/GameHack.CSO Checkin (malware.rules)
  2808677 - ETPRO MOBILE_MALWARE Android/SMForw.AT Checkin (mobile_malware.rules)
  2808678 - ETPRO MOBILE_MALWARE Android/SMForw.AT Checkin 2 (mobile_malware.rules)
  2808679 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.BK Checkin (mobile_malware.rules)
  2808680 - ETPRO MOBILE_MALWARE Adware.Youmi.A Checkin (mobile_malware.rules)
  2808681 - ETPRO MALWARE Win32/InstallRex.Adware Checkin (malware.rules)
  2808682 - ETPRO MOBILE_MALWARE AndroidOS/UUPay.B Checkin 2 (mobile_malware.rules)


 [+++]  Enabled and modified rules:   [+++]

  2010463 - ET WEB_SERVER RFI Scanner Success (Fx29ID) (web_server.rules)


 [///]     Modified active rules:     [///]

  2001616 - ET ATTACK_RESPONSE Zone-H.org defacement notification (attack_response.rules)
  2009029 - ET WEB_SERVER SQL Injection Attempt (Agent NV32ts) (web_server.rules)
  2009038 - ET SCAN SQLNinja MSSQL Version Scan (scan.rules)
  2009039 - ET SCAN SQLNinja MSSQL XPCmdShell Scan (scan.rules)
  2009158 - ET SCAN WebShag Web Application Scan Detected (scan.rules)
  2009359 - ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE) (scan.rules)
  2009480 - ET SCAN Grendel Web Scan - Default User Agent Detected (scan.rules)
  2009799 - ET WEB_SERVER PHP Attack Tool Morfeus F Scanner - M (web_server.rules)
  2009827 - ET SCAN Pavuk User Agent Detected - Website Mirroring Tool for Off-line Analysis (scan.rules)
  2009833 - ET SCAN WITOOL SQL Injection Scan (scan.rules)
  2009882 - ET SCAN Default Mysqloit User Agent Detected - Mysql Injection Takover Tool (scan.rules)
  2009883 - ET SCAN Possible Mysqloit Operating System Fingerprint/SQL Injection Test Scan Detected (scan.rules)
  2010004 - ET WEB_SERVER SQL sp_start_job attempt (web_server.rules)
  2010037 - ET WEB_SERVER Possible SQL Injection INTO OUTFILE Arbitrary File Write Attempt (web_server.rules)
  2010215 - ET SCAN SQL Injection Attempt (Agent uil2pn) (scan.rules)
  2010267 - ET TROJAN Sinowal/Torpig Checkin (trojan.rules)
  2010268 - ET TROJAN W32.SillyFDC Checkin (trojan.rules)
  2806067 - ETPRO MALWARE Casino.E Install (malware.rules)


 [///]    Modified inactive rules:    [///]

  2010231 - ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 1 (current_events.rules)
  2010281 - ET WEB_SERVER Apache mod_perl Apache Status and Apache2 Status Cross Site Scripting Attempt (web_server.rules)
  2010343 - ET SCAN pangolin SQL injection tool (scan.rules)


 [---]         Removed rules:         [---]

  2009036 - ET TROJAN Armitage Loader Check-in (trojan.rules)
  2009797 - ET TROJAN Bifrose Response from victim (trojan.rules)
  2010289 - ET TROJAN Clod/Sereki Communication with C&C (trojan.rules)
  2010290 - ET TROJAN Clod/Sereki Checkin with C&C (noalert) (trojan.rules)
  2010291 - ET TROJAN Clod/Sereki Checkin Response (trojan.rules)
  2101377 - GPL FTP wu-ftp bad file completion attempt (ftp.rules)
  2101378 - GPL FTP wu-ftp bad file completion attempt with brace (ftp.rules)