[Emerging-updates] Daily Ruleset Update Summary 2016/02/16

Francis Trudeau ftrudeau at emergingthreats.net
Tue Feb 16 17:58:18 EST 2016


 [***] Summary: [***]

 7 new Open signatures, 54 new Pro (7 + 47). CVE-2016-0061, CVE-2016-0063, PlugX, Superman APT, Locky.

 Thanks:  Kevin Ross, Matt Clairmont & @berendjanwever.

 [+++]          Added rules:          [+++]

 Open:

  2022523 - ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2016-0063) (web_client.rules)
  2022524 - ET EXPLOIT MS16-009 IE MSHTML Form Element Type Confusion (CVE-2016-0061) (exploit.rules)
  2022525 - ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M1 (current_events.rules)
  2022526 - ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M2 (current_events.rules)
  2022527 - ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M3 (current_events.rules)
  2022528 - ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M4 (current_events.rules)
  2022529 - ET TROJAN W32/GCman.Backdoor CnC Beacon (trojan.rules)

 Pro:

  2816235 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2016-02-16 1) (trojan.rules)
  2816236 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816237 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816238 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816239 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816240 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816241 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816242 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816243 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816244 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816245 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816246 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816247 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816248 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816249 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816250 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816251 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816252 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816253 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816254 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816255 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816256 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816257 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816258 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816259 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816260 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816261 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816262 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816263 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
  2816264 - ETPRO TROJAN Possible Superman APT DNS Lookup (trojan.rules)
  2816265 - ETPRO TROJAN Possible APT.HTTPBrowser DNS Lookup (trojan.rules)
  2816266 - ETPRO TROJAN Possible APT.HTTPBrowser DNS Lookup (trojan.rules)
  2816267 - ETPRO TROJAN Possible Fowap DNS Lookup (trojan.rules)
  2816268 - ETPRO TROJAN PoisonIvy Keepalive to CnC 295 (trojan.rules)
  2816269 - ETPRO TROJAN PoisonIvy Keepalive to CnC 296 (trojan.rules)
  2816270 - ETPRO TROJAN Win32/Banker.BestaFera.ihk C2 Outbound (trojan.rules)
  2816271 - ETPRO TROJAN Win32/Banker.BestaFera.ihk C2 Inbound (trojan.rules)
  2816272 - ETPRO TROJAN Ransomware Locky CnC Beacon (trojan.rules)
  2816273 - ETPRO TROJAN Ransomware Locky .onion Payment Domain (trojan.rules)
  2816274 - ETPRO TROJAN Ransomware Locky Possible Payment Page (trojan.rules)
  2816275 - ETPRO TROJAN Win32/Skeeyah.A!bit Variant Checkin (trojan.rules)
  2816276 - ETPRO TROJAN Win32/Suloc.A CnC Client Command (update client) (trojan.rules)
  2816277 - ETPRO TROJAN Win32/Suloc.A Receiving Command (dirs list) (trojan.rules)
  2816278 - ETPRO TROJAN Win32/Suloc.A Receiving Command (folders list) (trojan.rules)
  2816279 - ETPRO TROJAN Win32/Suloc.A Receiving Command (files list) (trojan.rules)
  2816280 - ETPRO TROJAN Win32/Suloc.A Receiving Command (ping) (trojan.rules)
  2816281 - ETPRO TROJAN Win32/PornoAsset.Ransom HTTP Activity (trojan.rules)


 [///]     Modified active rules:     [///]

  2007994 - ET MALWARE Suspicious User-Agent (1 space) (malware.rules)
  2017174 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect (web_server.rules)
  2017175 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction (web_server.rules)
  2017176 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action (web_server.rules)
  2022500 - ET CURRENT_EVENTS Xbagger Macro Encrypted DL (current_events.rules)
  2816057 - ETPRO TROJAN Win32/iSpySoft PWS Asset Download (trojan.rules)


 [---]         Removed rules:         [---]

  2816141 - ETPRO WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2016-0063) (web_client.rules)

