[Emerging-updates] Daily Ruleset Update Summary 2016/08/09

Francis Trudeau ftrudeau at emergingthreats.net
Tue Aug 9 18:54:06 EDT 2016


 [***] Summary: [***]

 6 new Open signatures, 34 new Pro (6 + 28).  RAMNIT, CryptFile2, Locky,
Patch Tuesday.

 Thanks:  Waldo Kitty (Sorry I forgot you yesterday).

 MS Patch Tuesday CVE to SID map:

    CVE-2016-3288->2821571
    CVE-2016-3288->2821572
    CVE-2016-3289->2821573
    CVE-2016-3290->2821574
    CVE-2016-3293->2821575
    CVE-2016-3308->2821576
    CVE-2016-3309->2821577
    CVE-2016-3310->2821578
    CVE-2016-3311->2821579
    CVE-2016-3321->2821580
    CVE-2016-3322->2821581
    CVE-2016-3327->2821582
    CVE-2016-3327->2821583
    CVE-2016-3327->2821584
    CVE-2016-3327->2821585
    CVE-2016-3327->2821586


 [+++]          Added rules:          [+++]

 Open:

  2023028 - ET TROJAN RAMNIT.A M1 (trojan.rules)
  2023029 - ET TROJAN RAMNIT.A M2 (trojan.rules)
  2023030 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
Certificate Detected (Gootkit C2) (trojan.rules)
  2023031 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
Certificate Detected (Gootkit C2) (trojan.rules)
  2023033 - ET TROJAN Win32/Radonskra.B C2 Check-in (trojan.rules)

 Pro:

  2821561 - ETPRO TROJAN Win32/CryptFile2 Ransomware Fake Image Request
(trojan.rules)
  2821562 - ETPRO TROJAN Win32/CryptFile2 Ransomware Fake Image Response
(trojan.rules)
  2821563 - ETPRO TROJAN iSpy Keylogger Reporting Infection via SMTP M2
(trojan.rules)
  2821564 - ETPRO TROJAN MSIL/Unknown Facebook Stealer Activiy
(trojan.rules)
  2821565 - ETPRO POLICY External IP Address Lookup -
ip-address.domaintools.com (policy.rules)
  2821566 - ETPRO TROJAN Unknown CnC Beacon (trojan.rules)
  2821567 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
Injects) (trojan.rules)
  2821568 - ETPRO TROJAN Possible Ursnif Injects Domain in SNI
(trojan.rules)
  2821569 - ETPRO TROJAN Locky CnC checkin Aug 03 2016 M2 (trojan.rules)
  2821570 - ETPRO WEB_CLIENT Microsoft Internet Explorer Possible Memory
Corruption Vulnerability (CVE-2016-3288) SET (web_client.rules)
  2821571 - ETPRO WEB_CLIENT Microsoft Internet Explorer Possible Memory
Corruption Vulnerability (CVE-2016-3288) (web_client.rules)
  2821572 - ETPRO WEB_CLIENT Microsoft Internet Explorer Possible Memory
Corruption Vulnerability (CVE-2016-3289) (web_client.rules)
  2821573 - ETPRO WEB_CLIENT Microsoft Internet Explorer Possible Memory
Corruption Vulnerability (CVE-2016-3290) (web_client.rules)
  2821574 - ETPRO EXPLOIT Microsoft Edge Browser RCE (CVE-2016-3293)
(exploit.rules)
  2821575 - ETPRO EXPLOIT Microsoft Windows Possible win32kfull Out Of
Bound Memory Access Executable Inbound (CVE-2016-3308) (exploit.rules)
  2821576 - ETPRO EXPLOIT Microsoft Windows Possible gdi32 Out Of Bound
Memory Access Executable Inbound (CVE-2016-3309) (exploit.rules)
  2821577 - ETPRO EXPLOIT Microsoft Windows Possible Out Of Bound Memory
Access Executable Inbound (CVE-2016-3310) (exploit.rules)
  2821578 - ETPRO EXPLOIT Microsoft Windows Win32k Privilege Elevation
Vulnerability (CVE-2016-3311) (exploit.rules)
  2821579 - ETPRO WEB_CLIENT Microsoft Internet Explorer Possible
Information Disclosure Vulnerability (CVE-2016-3321) (web_client.rules)
  2821580 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After Free
(CVE-2016-3322) (web_client.rules)
  2821581 - ETPRO WEB_CLIENT Microsoft Internet Explorer Information
Disclosure Vulnerability M1 (CVE-2016-3327) (web_client.rules)
  2821582 - ETPRO WEB_CLIENT Microsoft Internet Explorer Information
Disclosure Vulnerability M2 (CVE-2016-3327) (web_client.rules)
  2821583 - ETPRO WEB_CLIENT Microsoft Internet Explorer Information
Disclosure Vulnerability M3 (CVE-2016-3327) (web_client.rules)
  2821584 - ETPRO WEB_CLIENT Microsoft Internet Explorer Information
Disclosure Vulnerability M4 (CVE-2016-3327) (web_client.rules)
  2821585 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Congur.al Checkin
(mobile_malware.rules)
  2821586 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Inoco.f Checkin
(mobile_malware.rules)
  2821587 - ETPRO TROJAN PoisonIvy Keepalive to CnC 470 (trojan.rules)
  2821588 - ETPRO TROJAN Unknown .onion Proxy Domain (trojan.rules)


 [///]     Modified active rules:     [///]

  2008438 - ET MALWARE Possible Windows executable sent when remote host
claims to send a Text File (malware.rules)
  2009897 - ET MALWARE Possible Windows executable sent when remote host
claims to send html content (malware.rules)
  2009909 - ET TROJAN Possible Windows executable sent when remote host
claims to send HTML/CSS Content (trojan.rules)
  2013800 - ET POLICY Outgoing Chromoting Session Response (policy.rules)
  2013801 - ET POLICY Incoming Chromoting Session Response (policy.rules)
  2023018 - ET TELNET SUSPICIOUS busybox enable (telnet.rules)
  2811686 - ETPRO CURRENT_EVENTS SUSPICIOUS Encoded Plugin Detect
(Previously observed in ScanBox) (current_events.rules)
  2821358 - ETPRO TROJAN AZORult Variant Checkin (trojan.rules)
  2821424 - ETPRO TROJAN Win32/Daserf CnC Beacon 1 (trojan.rules)


 [---]         Removed rules:         [---]

  2821560 - ETPRO TROJAN Unknown CnC Beacon (hardcoded HTTP headers)
(trojan.rules)