[Emerging-updates] Daily Ruleset Update Summary 2016/02/10

Francis Trudeau ftrudeau at emergingthreats.net
Wed Feb 10 18:54:58 EST 2016


 [***] Summary: [***]

 5 new Open signatures, 23 new Pro (5 + 18).  TeslaCrypt/AlphaCrypt,
Dridex, Nymaim, Sharik/Smoke.

 Thanks:  Kevin Ross and @PietroDelsante.

 [+++]          Added rules:          [+++]

 Open:

  2022500 - ET CURRENT_EVENTS Xbagger Macro Encrypted DL (current_events.rules)
  2022501 - ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (fwgrhsao3aoml7ej) (trojan.rules)
  2022502 - ET TROJAN Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt (trojan.rules)
  2022503 - ET CURRENT_EVENTS Dridex AlphaNum DL Feb 10 2016 (current_events.rules)
  2022504 - ET TROJAN Alphacrypt/TeslaCrypt Ransomware CnC Beacon (trojan.rules)

 Pro:

  2816173 - ETPRO TROJAN Malicious SSL certificate detected (Backdoor.Mizzmo) (trojan.rules)
  2816174 - ETPRO MALWARE Win32/Zlob.APW Checkin (malware.rules)
  2816175 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.hd Checkin (mobile_malware.rules)
  2816176 - ETPRO TROJAN Malicious SSL certificate detected (Backdoor.Mizzmo) (trojan.rules)
  2816177 - ETPRO TROJAN W32/Nymaim Checkin 4 (trojan.rules)
  2816178 - ETPRO TROJAN Malicious SSL certificate detected (Backdoor.Mizzmo) (trojan.rules)
  2816179 - ETPRO TROJAN Malicious SSL certificate detected (Backdoor.Mizzmo) (trojan.rules)
  2816180 - ETPRO TROJAN Backdoor.Mizzmo CnC Beacon 3 (trojan.rules)
  2816181 - ETPRO TROJAN Backdoor.Mizzmo Service-Proxied CnC Beacon (trojan.rules)
  2816182 - ETPRO TROJAN PoisonIvy Keepalive to CnC 294 (trojan.rules)
  2816183 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.hf Checkin (mobile_malware.rules)
  2816184 - ETPRO MOBILE_MALWARE Android.Trojan.Deviceadmin.Auto Checkin (mobile_malware.rules)
  2816185 - ETPRO MOBILE_MALWARE Android.Trojan.Deviceadmin.Auto Checkin 2 (mobile_malware.rules)
  2816186 - ETPRO TROJAN Dipsind POST CnC Beacon (trojan.rules)
  2816187 - ETPRO TROJAN Dipsind GET CnC Beacon 1 (trojan.rules)
  2816188 - ETPRO TROJAN Dipsind GET CnC Beacon 2 (trojan.rules)
  2816189 - ETPRO TROJAN Dipsind GET CnC Beacon 3 (trojan.rules)
  2816190 - ETPRO TROJAN Sharik/Smoke CnC Beacon 6 (trojan.rules)


 [///]     Modified active rules:     [///]

  2013184 - ET TROJAN Artro Downloader User-Agent Detected (trojan.rules)
  2020470 - ET TROJAN Dridex POST Retrieving Second Stage (trojan.rules)
  2020825 - ET TROJAN Dridex POST Retrieving Second Stage M2 (trojan.rules)
  2021001 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M6 (current_events.rules)
  2804439 - ETPRO TROJAN Worm.Win32.Qvod Install (trojan.rules)
  2812394 - ETPRO TROJAN Dropper.Dapato Retrieving js (trojan.rules)
  2812818 - ETPRO TROJAN Backdoor.Telnneru CnC Beacon (INBOUND) 3 (trojan.rules)
  2815723 - ETPRO EXPLOIT MS16-007 Office DLL Loading RCE M2 (CVE-2016-0018) (exploit.rules)
  2815835 - ETPRO TROJAN Derusbi Variant CnC Beacon (trojan.rules)
  2816166 - ETPRO TROJAN Backdoor.Mizzmo CnC Beacon Response (trojan.rules)


 [---]  Disabled and modified rules:  [---]

  2001329 - ET POLICY RDP connection request (policy.rules)
  2001331 - ET POLICY RDP disconnect request (policy.rules)
  2003286 - ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source) (malware.rules)
  2003287 - ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source) (malware.rules)
  2020630 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  2020631 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  2020632 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  2020633 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  2020659 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  2020660 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  2020662 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  2020663 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  2020664 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  2020665 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  2020666 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  2020667 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  2020668 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  2020669 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  2020995 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M0 (current_events.rules)
  2020996 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M1 (current_events.rules)
  2020997 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M2 (current_events.rules)
  2021000 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M5 (current_events.rules)
  2021002 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M7 (current_events.rules)
  2021003 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M8 (current_events.rules)
  2021004 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M9 (current_events.rules)
  2021124 - ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server (exploit.rules)
  2021125 - ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server (exploit.rules)
  2800107 - ETPRO EXPLOIT HP OpenView Products OVTrace Service Stack Buffer Overflow (exploit.rules)
  2800500 - ETPRO EXPLOIT Dnsmasq TFTP Service Remote Heap Buffer Overflow (exploit.rules)
  2800549 - ETPRO EXPLOIT MIT Kerberos KDC Authentication Denial of Service (exploit.rules)
  2800567 - ETPRO SQL Oracle MySQL Database COM_FIELD_LIST Buffer Overflow (sql.rules)
  2800685 - ETPRO EXPLOIT Sun Directory Server LDAP Denial of Service (exploit.rules)
  2800720 - ETPRO EXPLOIT IBM Lotus Domino LDAP Server Memory Exception Vulnerability via ASN.1 (exploit.rules)
  2801379 - ETPRO EXPLOIT Novell ZENworks Configuration Management TFTPD Remote Code Execution 1 (exploit.rules)
  2801957 - ETPRO TROJAN Backdoor.Win32.Mooplids.A Checkin 2 (trojan.rules)
  2802206 - ETPRO EXPLOIT HP Intelligent Management Center TFTP Server MODE Remote Code Execution 2 (exploit.rules)
  2809906 - ETPRO TROJAN Dridex Post Checkin Activity 5 (trojan.rules)


 [---]         Removed rules:         [---]

  2020999 - ET CURRENT_EVENTS Fiesta Payload/Exploit URI Struct M4 (current_events.rules)
  2810561 - ETPRO TROJAN Win32/TrojanDownloader.Banload.VKN CnC Beacon (trojan.rules)
  2815533 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload Dec 30 2015 M1 (fb set) (current_events.rules)
  2815770 - ETPRO TROJAN Alphacrypt/TeslaCrypt Ransomware CnC Beacon (trojan.rules)
