[Emerging-updates] Daily Ruleset Update Summary 2015/01/26

Francis Trudeau ftrudeau at emergingthreats.net
Mon Jan 26 17:23:20 EST 2015


 [***] Summary: [***]

 5 new Open signatures, 22 new Pro (5 + 17).  Regin, Dyre, PlugX, Citroni/CTB locker.

 Thanks:  @rmkml, black_ip and @abuse_ch

 [+++]          Added rules:          [+++]

 Open:

  2020308 - ET TROJAN Dyre Downloading Mailer (trojan.rules)
  2020309 - ET TROJAN Regin Hopscotch Module Accessing SMB2 Named Pipe (Unicode) 1 (trojan.rules)
  2020310 - ET TROJAN Regin Hopscotch Module Accessing SMB Named Pipe (Unicode) 2 (trojan.rules)
  2020313 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (trojan.rules)
  2020314 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (trojan.rules)

 Pro:

  2809575 - ETPRO TROJAN Potential PlugX DNS Command and Control via TXT queries (trojan.rules)
  2809576 - ETPRO EXPLOIT Arris Cable Modem Backdoor Cookie 2 (exploit.rules)
  2809577 - ETPRO TROJAN Critroni Variant .onion Proxy Domain (trojan.rules)
  2809578 - ETPRO TROJAN Critroni Variant .onion Proxy Domain (trojan.rules)
  2809579 - ETPRO TROJAN Win32/Sality.AT Checkin (trojan.rules)
  2809580 - ETPRO TROJAN Python.a Checkin (trojan.rules)
  2809581 - ETPRO TROJAN WIN32/ZUPDAX.A!DHA Checkin (trojan.rules)
  2809582 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.ja Checkin (mobile_malware.rules)
  2809583 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.m Checkin 3 (mobile_malware.rules)
  2809584 - ETPRO MOBILE_MALWARE Android.Trojan.Banker.Z Checkin (mobile_malware.rules)
  2809585 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.EI Checkin (mobile_malware.rules)
  2809586 - ETPRO TROJAN Win32/Neshta.A Checkin 4 (trojan.rules)
  2809587 - ETPRO TROJAN Win32/Spy.Agent.OLV Checkin (trojan.rules)
  2809588 - ETPRO TROJAN W32/Sourtoff Receiving Config (trojan.rules)
  2809589 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.SO Checkin (mobile_malware.rules)
  2809590 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.Frime.a Checkin (mobile_malware.rules)
  2809591 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.DL Checkin (mobile_malware.rules)


 [///]     Modified active rules:     [///]

  2015891 - ET CURRENT_EVENTS CoolEK - Landing Page - Title (current_events.rules)
  2019764 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Payload Nov 20 2014 (current_events.rules)
  2020212 - ET CURRENT_EVENTS Upatre Redirector IE Requesting Payload Jan 19 2015 (current_events.rules)
  2805820 - ETPRO MOBILE_MALWARE Android/FkToken.A Checkin (mobile_malware.rules)


 [---]         Removed rules:         [---]

  2015501 - ET TROJAN ProxyBox - HTTP CnC - Checkin Response (trojan.rules)
  2015815 - ET CURRENT_EVENTS CoolEK Font File Download (32-bit Host) Dec 11 2012 (current_events.rules)
  2015816 - ET CURRENT_EVENTS CoolEK Font File Download (64-bit Host) Dec 11 2012 (current_events.rules)
  2015892 - ET CURRENT_EVENTS CoolEK - PDF Exploit - pdf_new.php (current_events.rules)
  2016059 - ET CURRENT_EVENTS CoolEK - Old PDF Exploit - Dec 18 2012 (current_events.rules)
  2016278 - ET CURRENT_EVENTS CoolEK - New PDF Exploit - Jan 24 2013 (current_events.rules)
  2016547 - ET CURRENT_EVENTS CoolEK Payload Download (6) (current_events.rules)
  2016559 - ET CURRENT_EVENTS CoolEK Payload Download (7) (current_events.rules)
  2016782 - ET CURRENT_EVENTS CoolEK Payload Download (8) (current_events.rules)
  2020283 - ET TROJAN DNS Query for Suspicious torwoman.com Domain - Possible CryptoWall Activity (trojan.rules)
  2808452 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Faketoken.a Checkin 2 (mobile_malware.rules)

