[Emerging-updates] Daily Ruleset Update Summary 2016/02/11

Francis Trudeau ftrudeau at emergingthreats.net
Thu Feb 11 17:42:59 EST 2016


 [***] Summary: [***]

 5 new Open signatures, 30 new Pro (5 + 25).  Dridex, CVE-2016-1287, PlugX.

 Thanks:  @abuse_ch & @MalwareMustDie.

 [+++]          Added rules:          [+++]

 Open:

  2022505 - ET TROJAN W32/Gaudox Checkin (trojan.rules)
  2022506 - ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound (exploit.rules)
  2022507 - ET TROJAN TeslaCrypt/AlphaCrypt Payment DNS Lookup (trojan.rules)
  2022508 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (trojan.rules)
  2022509 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (trojan.rules)

 Pro:

  2816191 - ETPRO CURRENT_EVENTS USPS Phishing Landing Feb 10 (current_events.rules)
  2816193 - ETPRO TROJAN PCRat/Gh0st CnC Beacon Request (symbol variant) (trojan.rules)
  2816194 - ETPRO POLICY DNS Query to .onion proxy Domain (fileinvestpaytor.com) (policy.rules)
  2816195 - ETPRO POLICY DNS Query to .onion proxy Domain (worldoptionstopaytor.com) (policy.rules)
  2816196 - ETPRO TROJAN PlugX UDP Beacon 1 (trojan.rules)
  2816197 - ETPRO TROJAN PlugX UDP Beacon 2 (trojan.rules)
  2816198 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816199 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816200 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816201 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816202 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816203 - ETPRO TROJAN Win32/TrojanProxy.Agent.NZU HTTP Request to Baidu (trojan.rules)
  2816204 - ETPRO MOBILE_MALWARE Android/Spy.SmsSpy.CM Checkin (mobile_malware.rules)
  2816205 - ETPRO POLICY DNS Query to .onion proxy Domain (toragent.ch) (policy.rules)
  2816206 - ETPRO POLICY DNS Query to .onion proxy Domain (torgateway.ch) (policy.rules)
  2816207 - ETPRO POLICY DNS Query to .onion proxy Domain (privacytoday.ch) (policy.rules)
  2816208 - ETPRO POLICY DNS Query to .onion proxy Domain (torconnection.ch) (policy.rules)
  2816209 - ETPRO POLICY DNS Query to .onion proxy Domain (torwebsites.ch) (policy.rules)
  2816210 - ETPRO POLICY DNS Query to .onion proxy Domain (tordevice.ch) (policy.rules)
  2816211 - ETPRO POLICY DNS Query to .onion proxy Domain (ip2tor.be) (policy.rules)
  2816212 - ETPRO POLICY DNS Query to .onion proxy Domain (torfilter.ch) (policy.rules)
  2816213 - ETPRO POLICY DNS Query to .onion proxy Domain (torway.ch) (policy.rules)
  2816214 - ETPRO POLICY DNS Query to .onion proxy Domain (torapplication.ch) (policy.rules)
  2816215 - ETPRO MOBILE_MALWARE Android.Monitor.SilentTracker.B Checkin (mobile_malware.rules)
  2816216 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.ib Checkin (mobile_malware.rules)


 [///]     Modified active rules:     [///]

  2012900 - ET DNS DNS Query for a Suspicious *.ae.am domain (dns.rules)
  2012903 - ET DNS DNS Query for a Suspicious *.qc.cx domain (dns.rules)
  2012956 - ET DNS DNS Query for a Suspicious *.co.tv domain (dns.rules)
  2019165 - ET TROJAN Possible Banload Downloading Executable (trojan.rules)
  2800862 - ETPRO EXPLOIT IBM Informix Dynamic Server DBINFO Stack Buffer Overflow (exploit.rules)
  2804579 - ETPRO EXPLOIT TrendMicro Control Manger <= v5.5 CmdProcessor.exe Stack Buffer Overflow (exploit.rules)
  2815638 - ETPRO CURRENT_EVENTS Successful WZ-REKLAMA Phish Jan 6 (current_events.rules)
  2815661 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin (mobile_malware.rules)


 [---]  Disabled and modified rules:  [---]

  2003379 - ET EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS (exploit.rules)
  2015987 - ET EXPLOIT MySQL Heap based buffer overrun Exploit Specific (exploit.rules)
  2016952 - ET CURRENT_EVENTS Probable Nuclear exploit kit landing page (current_events.rules)
  2800071 - ETPRO EXPLOIT Symantec Discovery XFERWAN Service Buffer Overflow (exploit.rules)
  2800153 - ETPRO EXPLOIT IBM Tivoli Storage Manager Express CAD Service Buffer Overflow (exploit.rules)
  2800230 - ETPRO EXPLOIT Apple QuickTime RTSP Response Crafted Content-Type Header Buffer Overflow 1 (exploit.rules)
  2800266 - ETPRO SQL MySQL yaSSL SSL Hello Message Buffer Overflow (sql.rules)
  2800280 - ETPRO EXPLOIT Cisco Unified Communications Manager CTL Provider Heap Overflow (exploit.rules)
  2800311 - ETPRO EXPLOIT Informix Server Argument Processing Overflow Attempt (exploit.rules)
  2800435 - ETPRO EXPLOIT IBM Tivoli Storage Manager Express Backup Heap Corruption 3 (exploit.rules)
  2800436 - ETPRO EXPLOIT IBM Tivoli Storage Manager Express Backup Heap Corruption 4 (exploit.rules)
  2800462 - ETPRO EXPLOIT Symantec Alert Management System Intel Alert Originator Service Buffer Overflow 1 (exploit.rules)
  2800463 - ETPRO EXPLOIT Symantec Alert Management System Intel Alert Originator Service Buffer Overflow 2 (exploit.rules)
  2800480 - ETPRO EXPLOIT CA ARCserve Backup Message Engine UUID (exploit.rules)
  2800481 - ETPRO EXPLOIT CA ARCserve Backup Message Engine Denial of Service 1 (exploit.rules)
  2800482 - ETPRO EXPLOIT CA ARCserve Backup Message Engine Denial of Service 2 (exploit.rules)
  2800483 - ETPRO EXPLOIT CA ARCserve Backup Message Engine Denial of Service 3 (exploit.rules)
  2800484 - ETPRO EXPLOIT CA ARCserve Backup Message Engine RPC Opcode 59 Denial of Service 1 (exploit.rules)
  2800485 - ETPRO EXPLOIT CA ARCserve Backup Message Engine RPC Opcode 59 Denial of Service 2 (exploit.rules)
  2800551 - ETPRO EXPLOIT Novell ZENworks Configuration Management Preboot Service Code Execution (exploit.rules)
  2800557 - ETPRO EXPLOIT Multiple Vendors AgentX receive_agentx Integer Overflow (exploit.rules)
  2800661 - ETPRO EXPLOIT Novell eDirectory LDAP NULL Search Parameter Buffer Overflow 2 (exploit.rules)
  2800662 - ETPRO EXPLOIT Novell eDirectory LDAP NULL Search Parameter Buffer Overflow 3 (exploit.rules)
  2800667 - ETPRO EXPLOIT Borland InterBase Database Message Handling Buffer Overflow (exploit.rules)
  2800715 - ETPRO EXPLOIT Tivoli Storage Manager Initial Sign-on Request Buffer Overflow (exploit.rules)
  2800839 - ETPRO EXPLOIT HP Data Protector Express DtbClsLogin Stack Buffer Overflow (exploit.rules)
  2800947 - ETPRO EXPLOIT Novell ZENworks Handheld Management ZfHIPCND.exe Buffer Overflow (exploit.rules)
  2801380 - ETPRO EXPLOIT Novell ZENworks Configuration Management TFTPD Remote Code Execution 2 (exploit.rules)
  2801381 - ETPRO EXPLOIT Novell ZENworks Configuration Management TFTPD Remote Code Execution 3 (exploit.rules)
  2801382 - ETPRO EXPLOIT Novell ZENworks Configuration Management TFTPD Remote Code Execution 4 (exploit.rules)
  2801407 - ETPRO EXPLOIT IBM Lotus Domino LDAP Bind Request Integer Overflow (exploit.rules)
  2802905 - ETPRO EXPLOIT HP Data Protector Client EXEC_CMD Command Execution (Unicode UTF-16 Little Endian) (exploit.rules)
  2802906 - ETPRO EXPLOIT HP Data Protector Client EXEC_CMD Command Execution (Unicode UTF-16 Big Endian) (exploit.rules)
  2803192 - ETPRO EXPLOIT HP OpenView Storage Data Protector Stack Overflow (Published Expoit) (exploit.rules)


 [---]         Disabled rules:        [---]

  2800660 - ETPRO EXPLOIT Novell eDirectory LDAP NULL Search Parameter Buffer Overflow 1 (exploit.rules)


 [---]         Removed rules:         [---]

  2815810 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload VarLen XOR (Nulls) (current_events.rules)