[Emerging-updates] [Emerging-Sigs] Daily Ruleset Update Summary 2016/02/16

Will Metcalf wmetcalf at emergingthreatspro.com
Wed Feb 17 10:11:37 EST 2016


I'm guessing if you see this in the wild it will be what is outlined in the
PoC i.e. TCP fallback via truncated responses. I'm also guessing you will
see valid large tcp responses. Travis Green and I have been
playing around with the following, it is def exploit specific though, this
will ship today more than likely and we will continue to look at this.

alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 Malformed Server response"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:8; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^[^\x00]+\x00\x00\x01/R"; classtype:attempted-user; reference:cve,2015-7547; sid:50000051; rev:1;)

Regards,

Will

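The rule above tests a UDP response from port 53 for: a header with QDCOUNT=1 and all other counts 0 (the content match at offset 4), QR set, opcode 0 and TC set in flags byte 2, RCODE 0 in byte 3, a payload extending past 2048 bytes (isdataat:2049), and a question section of one name followed by QTYPE A (the relative pcre). The following is an added example, not code from the list or from the ET ruleset: a pure-Python re-implementation of those same checks, run over DNS response payloads constructed in the script (there is no captured traffic here). The builder, the function names and the 2048-byte threshold as coded are assumptions of this example; the field layout is RFC 1035.

```python
"""
Added example: re-implement the conditions of the ET rule for CVE-2015-7547
in Python and apply them to constructed DNS response payloads.
Not the ruleset's code; the samples below are built here, not captured.
"""
import re
import struct

# Bit positions the rule's byte_test options check (DNS header, RFC 1035 4.1.1)
QR_BIT = 0x80       # byte 2, bit 7: message is a response (byte_test:1,&,128,2)
OPCODE_MASK = 0x78  # byte 2, bits 6-3: opcode must be 0 (the four !&,64/32/16/8 tests)
TC_BIT = 0x02       # byte 2, bit 1: truncated, client will retry over TCP (byte_test:1,&,2,2)
RCODE_MASK = 0x0F   # byte 3, bits 3-0: RCODE must be 0 (the four !&,1/2/4/8 tests on byte 3)
COUNTS_ONE_QUESTION = b"\x00\x01\x00\x00\x00\x00\x00\x00"  # QDCOUNT=1, AN/NS/ARCOUNT=0
LARGE_PAYLOAD = 2048  # assumption: isdataat:2049 read as "payload larger than 2048 bytes"
QUESTION_TYPE_A = re.compile(rb"^[^\x00]+\x00\x00\x01")  # the rule's pcre, applied after the counts


def rule_findings(payload: bytes) -> list:
    """Apply the rule's conditions to one UDP DNS payload.
    Returns the conditions that did NOT hold; an empty list means the rule would fire."""
    failed = []
    if len(payload) < 12:
        return ["payload shorter than a DNS header"]
    flags_hi, flags_lo = payload[2], payload[3]
    if payload[4:12] != COUNTS_ONE_QUESTION:
        failed.append("counts: need QDCOUNT=1 and ANCOUNT=NSCOUNT=ARCOUNT=0")
    if not flags_hi & QR_BIT:
        failed.append("QR bit clear (not a response)")
    if flags_hi & OPCODE_MASK:
        failed.append("opcode is not 0")
    if not flags_hi & TC_BIT:
        failed.append("TC bit clear (response not truncated)")
    if flags_lo & RCODE_MASK:
        failed.append("RCODE is not NOERROR")
    if len(payload) <= LARGE_PAYLOAD:
        failed.append("payload not larger than %d bytes" % LARGE_PAYLOAD)
    # The pcre is relative (/R) to the end of the 8-byte counts match, i.e. offset 12
    if not QUESTION_TYPE_A.match(payload[12:]):
        failed.append("question section is not <name> followed by QTYPE A")
    return failed


def matches_rule(payload: bytes) -> bool:
    """True when every condition of the rule holds for this payload."""
    return not rule_findings(payload)


def build_response(name: str, qtype: int = 1, truncated: bool = True,
                   rcode: int = 0, filler: int = 2100) -> bytes:
    """Construct a DNS response payload (hypothetical helper for this example).
    'filler' bytes are appended after the question so the total size can be
    pushed above or below the rule's size threshold."""
    flags = 0x8000            # QR=1, opcode 0, AA/RD/RA clear
    if truncated:
        flags |= 0x0200       # TC bit
    flags |= rcode & 0x000F
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)   # QDCOUNT=1, others 0
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)             # QTYPE, QCLASS=IN
    return header + question + b"A" * filler


# Constructed samples: one that satisfies every condition, and near misses
# that each fail exactly one of them.
SAMPLES = {
    "large truncated A response": build_response("example.test"),
    "same but small":             build_response("example.test", filler=0),
    "same but not truncated":     build_response("example.test", truncated=False),
    "same but AAAA question":     build_response("example.test", qtype=28),
    "same but NXDOMAIN":          build_response("example.test", rcode=3),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print("%-28s %5d bytes  alert=%s  %s" % (
            label, len(pkt), matches_rule(pkt), "; ".join(rule_findings(pkt))))
```

As in the rule, the AA, RD and RA bits are left unconstrained, so a recursive resolver's reply and an authoritative reply are treated alike; the four single-bit opcode and RCODE tests are folded into one mask each, which is equivalent. The threshold is the one part worth a caveat: isdataat semantics are off by one between engines, so the 2048 constant here is the intent ("larger than the 2048-byte buffer"), not a byte-exact reproduction of either engine.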
On Wed, Feb 17, 2016 at 8:13 AM, Adam Bradbury <adam.bradbury at zepko.com>
wrote:

> Hi All,
>
> Any rules on the horizon for CVE-2015-7547? I have seen some PoCs
> surfacing. All the ones I can see are looking for odd sized DNS packets (
> http://seclists.org/snort/2016/q1/285). Are they worth deploying?
>
> Cheers
>
> Adam
>
> -----Original Message-----
> From: emerging-sigs-bounces at lists.emergingthreats.net [mailto:
> emerging-sigs-bounces at lists.emergingthreats.net] On Behalf Of Francis
> Trudeau
> Sent: Tuesday, February 16, 2016 10:58 PM
> To: Emerging Sigs <emerging-sigs at emergingthreats.net>; Emerging-updates
> redirect <emerging-updates at emergingthreats.net>; ETPro-sigs List <
> etpro-sigs at emergingthreatspro.com>
> Subject: [Emerging-Sigs] Daily Ruleset Update Summary 2016/02/16
>
>  [***] Summary: [***]
>
>  7 new Open signatures, 54 new Pro (7 + 47).  CVE-2016-0061,
> CVE-2016-0063, PlugX, Superman APT, Locky.
>
>  Thanks:  Kevin Ross, Matt Clairmont & @berendjanwever.
>
>  [+++]          Added rules:          [+++]
>
>  Open:
>
>   2022523 - ET WEB_CLIENT Internet Explorer Memory Corruption
> Vulnerability (CVE-2016-0063) (web_client.rules)
>   2022524 - ET EXPLOIT MS16-009 IE MSHTML Form Element Type Confusion
> (CVE-2016-0061) (exploit.rules)
>   2022525 - ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb
> 16 M1 (current_events.rules)
>   2022526 - ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb
> 16 M2 (current_events.rules)
>   2022527 - ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb
> 16 M3 (current_events.rules)
>   2022528 - ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb
> 16 M4 (current_events.rules)
>   2022529 - ET TROJAN W32/GCman.Backdoor CnC Beacon (trojan.rules)
>
> Pro:
>
>   2816235 - ETPRO TROJAN CoinMiner Known malicious stratum authline
> (2016-02-16 1) (trojan.rules)
>   2816236 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816237 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816238 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816239 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816240 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816241 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816242 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816243 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816244 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816245 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816246 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816247 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816248 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816249 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816250 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816251 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816252 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816253 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816254 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816255 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816256 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816257 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816258 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816259 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816260 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816261 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816262 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816263 - ETPRO TROJAN Possible PlugX DNS Lookup (trojan.rules)
>   2816264 - ETPRO TROJAN Possible Superman APT DNS Lookup (trojan.rules)
>   2816265 - ETPRO TROJAN Possible APT.HTTPBrowser DNS Lookup (trojan.rules)
>   2816266 - ETPRO TROJAN Possible APT.HTTPBrowser DNS Lookup (trojan.rules)
>   2816267 - ETPRO TROJAN Possible Fowap DNS Lookup (trojan.rules)
>   2816268 - ETPRO TROJAN PoisonIvy Keepalive to CnC 295 (trojan.rules)
>   2816269 - ETPRO TROJAN PoisonIvy Keepalive to CnC 296 (trojan.rules)
>   2816270 - ETPRO TROJAN Win32/Banker.BestaFera.ihk C2 Outbound
> (trojan.rules)
>   2816271 - ETPRO TROJAN Win32/Banker.BestaFera.ihk C2 Inbound
> (trojan.rules)
>   2816272 - ETPRO TROJAN Ransomware Locky CnC Beacon (trojan.rules)
>   2816273 - ETPRO TROJAN Ransomware Locky .onion Payment Domain
> (trojan.rules)
>   2816274 - ETPRO TROJAN Ransomware Locky Possible Payment Page
> (trojan.rules)
>   2816275 - ETPRO TROJAN Win32/Skeeyah.A!bit Variant Checkin (trojan.rules)
>   2816276 - ETPRO TROJAN Win32/Suloc.A CnC Client Command (update
> client) (trojan.rules)
>   2816277 - ETPRO TROJAN Win32/Suloc.A Receiving Command (dirs list)
> (trojan.rules)
>   2816278 - ETPRO TROJAN Win32/Suloc.A Receiving Command (folders
> list) (trojan.rules)
>   2816279 - ETPRO TROJAN Win32/Suloc.A Receiving Command (files list)
> (trojan.rules)
>   2816280 - ETPRO TROJAN Win32/Suloc.A Receiving Command (ping)
> (trojan.rules)
>   2816281 - ETPRO TROJAN Win32/PornoAsset.Ransom HTTP Activity
> (trojan.rules)
>
>
>  [///]     Modified active rules:     [///]
>
>   2007994 - ET MALWARE Suspicious User-Agent (1 space) (malware.rules)
>   2017174 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution
> CVE-2013-2251 redirect (web_server.rules)
>   2017175 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution
> CVE-2013-2251 redirectAction (web_server.rules)
>   2017176 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution
> CVE-2013-2251 action (web_server.rules)
>   2022500 - ET CURRENT_EVENTS Xbagger Macro Encrypted DL
> (current_events.rules)
>   2816057 - ETPRO TROJAN Win32/iSpySoft PWS Asset Download (trojan.rules)
>
>
>  [---]         Removed rules:         [---]
>
>   2816141 - ETPRO WEB_CLIENT Internet Explorer Memory Corruption
> Vulnerability (CVE-2016-0063) (web_client.rules)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>