[Emerging-updates] Daily Ruleset Update Summary 03/18/2014

Francis Trudeau ftrudeau at emergingthreats.net
Tue Mar 18 13:14:20 HADT 2014


 [***] Summary: [***]

 20 new Open rules, 25 new Pro (20/5).  Winspy, Zeus, Torlocker, Operation Windigo.

 Thanks:  @MalwareMustDie and Kevin Ross

 Emerging Threats would also like to thank ESET for their excellent
write-up on Operation Windigo and allowing us to publish associated rules
in our ruleset.


http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

 [+++]          Added rules:          [+++]

 Open:

  2018264 - ET TROJAN Linux/Kimodin SSH backdoor activity (trojan.rules)
  2018265 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
  2018266 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
  2018267 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
  2018268 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
  2018269 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
  2018270 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
  2018271 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
  2018272 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
  2018273 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
  2018274 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
  2018275 - ET TROJAN Linux/Onimiki DNS trojan activity long format (Outbound) (trojan.rules)
  2018276 - ET TROJAN Linux/Onimiki DNS trojan activity long format (Inbound) (trojan.rules)
  2018290 - ET WEB_SERVER WEBSHELL CFM Shell Access (web_server.rules)
  2018291 - ET TROJAN MultiThreat/Winspy.RAT Keep-Alive (flowbit set) (trojan.rules)
  2018292 - ET TROJAN MultiThreat/Winspy.RAT Keep-Alive Server Response (trojan.rules)
  2018293 - ET TROJAN MultiThreat/Winspy.RAT SMTP Data Exfiltration (trojan.rules)
  2018294 - ET TROJAN MultiThreat/Winspy.RAT FTP File Download Command (trojan.rules)
  2018295 - ET TROJAN Mal/Ransom-CE Connectivity Check (trojan.rules)
  2018296 - ET TROJAN Zeus GameOver Checkin (trojan.rules)

 Pro:

  2807850 - ETPRO TROJAN Trojan/MSIL.bfsx Checkin (trojan.rules)
  2807851 - ETPRO MOBILE_MALWARE Android/Nopoc.A Checkin (mobile_malware.rules)
  2807852 - ETPRO MALWARE AdWare.Win32.ScreenSaver.ablp Checkin (malware.rules)
  2807853 - ETPRO TROJAN TorLocker Downloading Tor (trojan.rules)
  2807854 - ETPRO CURRENT_EVENTS SUSPICIOUS Non-SSL Tor Executable Download as (Observed in TorLocker) (current_events.rules)


 [///]     Modified active rules:     [///]

  2001306 - ET MALWARE Gator/Clarian Agent (malware.rules)
  2013361 - ET CURRENT_EVENTS HTran/SensLiceld.A response to infected host (current_events.rules)
  2016794 - ET CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command (current_events.rules)
  2017417 - ET TROJAN Bladabindi/njrat CnC Keep-Alive (INBOUND) (trojan.rules)
  2018019 - ET TROJAN Win32.WinSpy.pob Sending Data over SMTP (trojan.rules)
  2018020 - ET TROJAN Win32.WinSpy.pob Sending Data over SMTP 2 (trojan.rules)
  2807179 - ETPRO TROJAN Trojan.DownLoader10.36780 User-Agent (odin) (trojan.rules)


 [///]    Modified inactive rules:    [///]

  2009582 - ET SCAN NMAP -sS window 1024 (scan.rules)
  2009583 - ET SCAN NMAP -sS window 3072 (scan.rules)
  2009584 - ET SCAN NMAP -sS window 4096 (scan.rules)


 [---]  Disabled and modified rules:  [---]

  2807462 - ETPRO TROJAN Net-Worm.Win32.Koobface.ght Ping (trojan.rules)