[Emerging-updates] Daily Ruleset Update Summary 08/28/2014

Francis Trudeau ftrudeau at emergingthreats.net
Thu Aug 28 18:35:40 EDT 2014


 [***] Summary: [***]

 5 new Open signatures, 18 new Pro (5+13).  ABUSE.CH SSL Blacklist,
PCRat/Gh0st, Various Android.

 Thanks:  @rmkml and @abuse_ch

 [+++]          Added rules:          [+++]

 Open:

  2019079 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
  2019080 - ET TROJAN Windows arp -a Microsoft Windows DOS prompt command exit OUTBOUND (trojan.rules)
  2019081 - ET TROJAN Windows set Microsoft Windows DOS prompt command exit OUTBOUND (trojan.rules)
  2019082 - ET TROJAN Windows route Microsoft Windows DOS prompt command exit OUTBOUND (trojan.rules)
  2019083 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 41 (trojan.rules)

 Pro:

  2808683 - ETPRO TROJAN Win32/VB.VX Checkin (trojan.rules)
  2808684 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Talp.a Checkin (mobile_malware.rules)
  2808685 - ETPRO TROJAN Carbon FormGrabber/Retgate.A Checkin (trojan.rules)
  2808686 - ETPRO TROJAN WIN32.AGENT.ADRNK Checkin FTP (trojan.rules)
  2808687 - ETPRO TROJAN Trojan.Win32.Jorik.IRCbot USER command (trojan.rules)
  2808688 - ETPRO TROJAN Win32/Dynamer Checkin (trojan.rules)
  2808689 - ETPRO TROJAN Win32/Kaaneut.A Callback (trojan.rules)
  2808690 - ETPRO MOBILE_MALWARE DroidKungFu Checkin 4 (mobile_malware.rules)
  2808691 - ETPRO POLICY Showmypc.com remote access (SSH Futty) (policy.rules)
  2808692 - ETPRO TROJAN Win32.Hyteod Checkin (trojan.rules)
  2808693 - ETPRO TROJAN Win32.Rogue Checkin (trojan.rules)
  2808694 - ETPRO TROJAN Win32.Hyteod Checkin Response (trojan.rules)
  2808695 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.SpamSold.a Checkin (mobile_malware.rules)


 [+++]         Enabled rules:         [+++]

  2010909 - ET TROJAN Arucer Command Execution (trojan.rules)
  2010910 - ET TROJAN Arucer DIR Listing (trojan.rules)
  2010911 - ET TROJAN Arucer WRITE FILE command (trojan.rules)
  2010912 - ET TROJAN Arucer READ FILE Command (trojan.rules)
  2010914 - ET TROJAN Arucer FIND FILE Command (trojan.rules)
  2010915 - ET TROJAN Arucer YES Command (trojan.rules)
  2010916 - ET TROJAN Arucer ADD RUN ONCE Command (trojan.rules)
  2010917 - ET TROJAN Arucer DEL FILE Command (trojan.rules)


 [+++]  Enabled and modified rules:   [+++]

  2012045 - ET EXPLOIT VMware Tools Update OS Command Injection Attempt (exploit.rules)
  2014153 - ET CURRENT_EVENTS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA (current_events.rules)


 [///]     Modified active rules:     [///]

  2008052 - ET MALWARE User-Agent (Internet Explorer) (malware.rules)
  2010621 - ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts) (web_server.rules)
  2010667 - ET WEB_SERVER /bin/bash In URI, Possible Shell Command Execution Attempt Within Web Exploit (web_server.rules)
  2010698 - ET WEB_SERVER Possible D-Link Router HNAP Protocol Security Bypass Attempt (web_server.rules)
  2010720 - ET WEB_SERVER PHP Scan Precursor (web_server.rules)
  2010872 - ET TROJAN Pragma hack Detected Outbound - Likely Infected Source (trojan.rules)
  2010954 - ET SCAN crimscanner User-Agent detected (scan.rules)
  2010956 - ET SCAN Skipfish Web Application Scan Detected (2) (scan.rules)
  2011028 - ET SCAN HZZP Scan in Progress calc in Headers (scan.rules)
  2011088 - ET SCAN Possible DavTest WebDav Vulnerability Scanner Initial Check Detected (scan.rules)
  2011124 - ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced) (malware.rules)
  2011174 - ET WEB_SERVER SQL Injection Attempt (Agent CZxt2s) (web_server.rules)
  2011175 - ET WEB_SERVER Casper Bot Search RFI Scan (web_server.rules)
  2011243 - ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like, planetwork) (web_server.rules)
  2011285 - ET WEB_SERVER Bot Search RFI Scan (Casper-Like, Jcomers Bot scan) (web_server.rules)
  2011389 - ET SCAN w3af Scan Remote File Include Retrieval (scan.rules)
  2011390 - ET SCAN Nikto Scan Remote File Include Retrieval (scan.rules)
  2011720 - ET SCAN Possible WafWoof Web Application Firewall Detection Scan (scan.rules)
  2011767 - ET TROJAN Avzhan DDOS Bot Inbound Hardcoded Malformed GET Request Denial Of Service Attack Detected (trojan.rules)
  2011821 - ET CURRENT_EVENTS User-Agent used in known DDoS Attacks Detected outbound (current_events.rules)
  2011822 - ET CURRENT_EVENTS User-Agent used in known DDoS Attacks Detected inbound (current_events.rules)
  2011823 - ET CURRENT_EVENTS User-Agent used in known DDoS Attacks Detected outbound 2 (current_events.rules)
  2011824 - ET CURRENT_EVENTS User-Agent used in known DDoS Attacks Detected inbound 2 (current_events.rules)
  2011887 - ET SCAN Medusa User-Agent (scan.rules)
  2011915 - ET SCAN DotDotPwn User-Agent (scan.rules)
  2011966 - ET CURRENT_EVENTS Trojan downloader (AS8514) (current_events.rules)
  2011968 - ET CURRENT_EVENTS Trojan Banker (AS33182) (current_events.rules)
  2011980 - ET CURRENT_EVENTS Suspicious executable download possible Ircbrute Trojan (current_events.rules)
  2011981 - ET CURRENT_EVENTS Suspicious executable download possible Eleonore Exploit Pack / Trojan Brebolab (current_events.rules)
  2011982 - ET CURRENT_EVENTS Suspicious executable download possible Trojan Ransom.AM (current_events.rules)
  2011983 - ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Trojan (current_events.rules)
  2011984 - ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Rogue Antivirus MalvRem (current_events.rules)
  2011985 - ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Rogue Antivirus avdistr (current_events.rules)
  2011986 - ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Rogue Antivirus RunAV (current_events.rules)
  2011990 - ET CURRENT_EVENTS Suspicious executable download possible Rogue AV (installer.xxxx.exe) (current_events.rules)
  2011995 - ET CURRENT_EVENTS invoice.scr download most likely a TROJAN (current_events.rules)
  2011999 - ET TROJAN Trojan.Spy.YEK MAC and IP POST (trojan.rules)
  2012101 - ET EXPLOIT Oracle Virtual Server Agent Command Injection Attempt (exploit.rules)
  2012116 - ET WEB_SERVER DD-WRT Information Disclosure Attempt (web_server.rules)
  2012117 - ET WEB_SERVER Successful DD-WRT Information Disclosure (web_server.rules)
  2012150 - ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS in URI (web_server.rules)
  2012286 - ET WEB_SERVER Automated Site Scanning for backupdata (web_server.rules)
  2012287 - ET WEB_SERVER Automated Site Scanning for backup_data (web_server.rules)
  2012586 - ET TROJAN Suspicious User-Agent Im Luo (trojan.rules)
  2013170 - ET CURRENT_EVENTS HTTP Request to a *.cu.cc domain (current_events.rules)
  2804240 - ETPRO TROJAN TrojanDownloader.Win32/Delf.NK (trojan.rules)
  2804288 - ETPRO TROJAN Win32/OnLineGames.NM Install (trojan.rules)
  2804301 - ETPRO TROJAN Win32/TrojanDownloader.Banload.QOM Checkin (trojan.rules)
  2804317 - ETPRO TROJAN TrojanDownloader.Win32/Banload.ACI Checkin (trojan.rules)
  2804400 - ETPRO TROJAN Win32/DelpBanc.A Checkin (trojan.rules)
  2804414 - ETPRO TROJAN TrojanDropper.Win32/Agent.KA Checkin (trojan.rules)
  2804423 - ETPRO TROJAN TrojanDownloader.Win32/Banload.ACK receiving config (trojan.rules)
  2804457 - ETPRO TROJAN TrojanSpy.Win32/Bancos.gen!A sending info via smtp (trojan.rules)
  2804460 - ETPRO TROJAN Infostealer.Onlinegame Checkin (trojan.rules)
  2804565 - ETPRO TROJAN TrojanDropper.Win32/Buzus.B Checkin (trojan.rules)
  2804642 - ETPRO TROJAN Trojan.Win32.Buzus.jytd Checkin (trojan.rules)
  2804678 - ETPRO MALWARE Spyware.Known_Bad_Sites Install (malware.rules)
  2804752 - ETPRO TROJAN Trojan-Banker.Win32.Banker2.bwv Checkin (trojan.rules)
  2804881 - ETPRO TROJAN Trojan.Agent-275138 Checkin (trojan.rules)
  2804885 - ETPRO TROJAN Win32/TrojanDownloader.Banload.QYJ Checkin (trojan.rules)
  2808624 - ETPRO TROJAN Password Stealer PWS.Y!B2F Checkin 1 (trojan.rules)


 [///]    Modified inactive rules:    [///]

  2010721 - ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Outbound (user_agents.rules)
  2010722 - ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound (user_agents.rules)


 [---]  Disabled and modified rules:  [---]

  2011759 - ET WEB_SERVER TIEHTTP User-Agent (web_server.rules)


 [---]         Disabled rules:        [---]

  2010913 - ET TROJAN Arucer NOP Command (trojan.rules)


 [---]         Removed rules:         [---]

  2000900 - ET P2P JoltID Agent Probing or Announcing UDP (p2p.rules)
  2000901 - ET P2P JoltID Agent Communicating TCP (p2p.rules)
  2001015 - ET P2P JoltID Agent Keep-Alive (p2p.rules)
  2001654 - ET P2P JoltID Agent Requesting File (p2p.rules)
  2010706 - ET USER_AGENTS Internet Explorer 6 in use - Significant Security Risk (user_agents.rules)
  2010797 - ET POLICY Twitter Status Update (policy.rules)
  2010815 - ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud (policy.rules)
  2011233 - ET TROJAN Troxen GetSpeed Request (trojan.rules)
  2011416 - ET TROJAN General Trojan FakeAV Downloader (trojan.rules)
  2011897 - ET CURRENT_EVENTS vb exploits / trojan vietshow (current_events.rules)
  2011899 - ET CURRENT_EVENTS Trojan perflogger ~duydati/inst_PCvw.exe (current_events.rules)
  2011901 - ET CURRENT_EVENTS Hacked server to exploits ~rio1/admin/login.php (current_events.rules)
  2011902 - ET CURRENT_EVENTS Phishing ~mbscom/moneybookers/app/login/login.html (current_events.rules)
  2011903 - ET CURRENT_EVENTS iframe Phoenix Exploit & ZBot vt073pd/photo.exe (current_events.rules)
  2011904 - ET CURRENT_EVENTS fast flux rogue antivirus download.php?id=2004 (current_events.rules)
  2011905 - ET CURRENT_EVENTS exploit kit x/index.php?s=dexc (current_events.rules)
  2011907 - ET CURRENT_EVENTS exploit kit x/l.php?s=dexc (current_events.rules)
  2011908 - ET CURRENT_EVENTS exploit kit x/exe.php?x=mdac (current_events.rules)
  2011909 - ET CURRENT_EVENTS trojan renos Flash.HD.exe (current_events.rules)
  2011916 - ET CURRENT_EVENTS SEO/Malvertising Executable Landing exe2.php (current_events.rules)
  2011919 - ET CURRENT_EVENTS FAKEAV Gemini - packupdate*.exe download (current_events.rules)
  2011951 - ET CURRENT_EVENTS DRIVEBY SEO Client Exploited By SMB/JavaWebStart (current_events.rules)
  2011952 - ET CURRENT_EVENTS DRIVEBY SEO Client Exploited By PDF (current_events.rules)
  2011953 - ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious jjar.jar (current_events.rules)
  2011954 - ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious loadjjar.php (current_events.rules)
  2011955 - ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious lib.pdf (current_events.rules)
  2011956 - ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious loadpeers.php (current_events.rules)
  2011958 - ET CURRENT_EVENTS DRIVEBY SEO Obfuscated JavaScript desttable (current_events.rules)
  2011959 - ET CURRENT_EVENTS DRIVEBY SEO Obfuscated JavaScript srctable (current_events.rules)
  2011993 - ET CURRENT_EVENTS ProFTPD Backdoor outbound Request Sent (current_events.rules)
  2012156 - ET WEB_CLIENT Possible Adobe Reader 9.4 doc.printSeps Memory Corruption Attempt (web_client.rules)
  2012275 - ET CURRENT_EVENTS Post Express Inbound SPAM (possible Spyeye) (current_events.rules)
  2012301 - ET TROJAN Potential Trojan dropper Wlock.A (AS1680) (trojan.rules)
  2012332 - ET CURRENT_EVENTS Possible Fast Flux Trojan Rogue Antivirus (current_events.rules)
  2012410 - ET MOBILE_MALWARE DroidDream Android Trojan info upload (mobile_malware.rules)
  2012447 - ET TROJAN Possible Fast Flux Rogue Antivirus (trojan.rules)
  2012450 - ET MOBILE_MALWARE Android Trojan HongTouTou Command and Control Communication (mobile_malware.rules)
  2012538 - ET CURRENT_EVENTS Possible Zbot Trojan (current_events.rules)
  2012539 - ET CURRENT_EVENTS Possible Rogue Antivirus (current_events.rules)
  2012540 - ET CURRENT_EVENTS Possible Win32 Backdoor Poison (current_events.rules)
  2012685 - ET CURRENT_EVENTS Win32/CazinoSilver Download VegasVIP_setup.exe (current_events.rules)
  2012688 - ET CURRENT_EVENTS Potential Blackhole Exploit Pack landing (current_events.rules)
  2012802 - ET MALWARE Spoofed MSIE 8 User-Agent Likely Ponmocup (malware.rules)
  2013406 - ET POLICY SSL MiTM Vulnerable or EOL iOS 3.x device (policy.rules)
  2013407 - ET POLICY SSL MiTM Vulnerable or EOL iOS 4.x device (policy.rules)
  2013753 - ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-2 (trojan.rules)
  2013754 - ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-2 (trojan.rules)
  2014041 - ET WORM AirOS .css Worm Outbound Propagation Sweep (worm.rules)
  2014042 - ET WORM AirOS admin.cgi/css Exploit Attempt (worm.rules)
  2019041 - ET CURRENT_EVENTS Possible Upatre SSL Cert ara-photos.net (current_events.rules)
  2019066 - ET CURRENT_EVENTS Possible Upatre SSL Cert slmp-550-105.slc.westdc.net (current_events.rules)
  2800490 - ETPRO WEB_CLIENT Mozilla Network Security Services Regexp Heap Overflow (web_client.rules)
  2808625 - ETPRO TROJAN Password Stealer PWS.Y!B2F Checkin 2 (trojan.rules)

