[Emerging-updates] Daily Ruleset Update Summary 2016/01/21 (Sorry for yelling yesterday)

Francis Trudeau ftrudeau at emergingthreats.net
Thu Jan 21 18:14:39 EST 2016


 [***] Summary: [***]

 15 new Open signatures, 32 new Pro (15 + 17).  Kivars, Keylogger.Bedrun, Gurim.

 Thanks:  @rmkml, @abuse_ch and @jaimeblascob.

 [+++]          Added rules:          [+++]

 Open:

  2022386 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Qadars CnC) (trojan.rules)
  2022387 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Qadars CnC) (trojan.rules)
  2022388 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Qadars CnC) (trojan.rules)
  2022389 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Qadars CnC) (trojan.rules)
  2022390 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Qadars CnC) (trojan.rules)
  2022391 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Gozi MITM) (trojan.rules)
  2022392 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Gozi MITM) (trojan.rules)
  2022393 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Gozi MITM) (trojan.rules)
  2022394 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Gozi MITM) (trojan.rules)
  2022395 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Gozi MITM) (trojan.rules)
  2022396 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Gozi MITM) (trojan.rules)
  2022397 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Dridex) (trojan.rules)
  2022398 - ET TROJAN Cryptolocker Payment Page (4nauizsaaopuj3qj)
(trojan.rules)
  2022399 - ET TROJAN Cryptolocker Payment Page (aynfksddnnfwkd) (trojan.rules)
  2022400 - ET TROJAN Cryptolocker Payment Page (krfdnhfnsai3d) (trojan.rules)

 Pro:

  2815867 - ETPRO TROJAN MSIL/Gurim.A Downloader Request (trojan.rules)
  2815868 - ETPRO TROJAN Kivars CnC Beacon (trojan.rules)
  2815869 - ETPRO TROJAN Kivars DNS Lookup (trojan.rules)
  2815870 - ETPRO TROJAN Keylogger.Bedrun DNS Lookup (trojan.rules)
  2815873 - ETPRO TROJAN Malicious SSL Certificate Detected (Gootkit
C2) (trojan.rules)
  2815874 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Tiny.ag Checkin
(mobile_malware.rules)
  2815875 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Tiny.ag Checkin
2 (mobile_malware.rules)
  2815876 - ETPRO POLICY DNS Query to .onion proxy Domain
(belladonnamonna.com) (policy.rules)
  2815877 - ETPRO POLICY DNS Query to .onion proxy Domain
(praypartnerstodo.com) (policy.rules)
  2815878 - ETPRO POLICY DNS Query to .onion proxy Domain
(hiltonpaytoo.com) (policy.rules)
  2815879 - ETPRO POLICY DNS Query to .onion proxy Domain
(barklpaypartners.com) (policy.rules)
  2815880 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2016-01-21 1) (trojan.rules)
  2815881 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2016-01-21 2) (trojan.rules)
  2815882 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2016-01-21 3) (trojan.rules)
  2815883 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(dG9waG9zdHMuNTp4) (trojan.rules)
  2815884 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(MTVnWHRZdkZaYWVaeHo4YXFmd0hQaHE2UkJ5Y29VeEJvRjp4) (trojan.rules)
  2815885 - ETPRO TROJAN Win32/LockScreen CnC Beacon 5 (trojan.rules)


 [///]     Modified active rules:     [///]

  2022377 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsalias.ru Domain
(info.rules)
  2022379 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyn-dns.ru Domain
(info.rules)
  2022380 - ET INFO DYNAMIC_DNS HTTP Request to a *.dns-free.ru Domain
(info.rules)
  2022381 - ET INFO DYNAMIC_DNS Query to a Suspicious *.dnsalias.ru
Domain (info.rules)
  2022383 - ET INFO DYNAMIC_DNS Query to a Suspicious *.dyn-dns.ru
Domain (info.rules)
  2022384 - ET INFO DYNAMIC_DNS Query to a Suspicious *.dns-free.ru
Domain (info.rules)
  2814577 - ETPRO DNS SkullSecurity Encrypted Shell Possible Tunnel 1
(dns.rules)
  2814578 - ETPRO DNS SkullSecurity Encrypted Shell Possible Tunnel 2
(dns.rules)
  2814905 - ETPRO DNS SkullSecurity Encrypted Shell Possible Tunnel 3
(dns.rules)
  2814906 - ETPRO DNS SkullSecurity Encrypted Shell Possible Tunnel 4
(dns.rules)
  2815781 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Jan
14 (current_events.rules)


 [---]         Removed rules:         [---]

  2011335 - ET TROJAN Sality Variant Checkin Activity (trojan.rules)
  2802155 - ETPRO TROJAN Sality CnC Checkin ping (trojan.rules)
  2803253 - ETPRO WEB_CLIENT Microsoft Windows LNK File Code Execution
(web_client.rules)
  2804264 - ETPRO TROJAN Win32/Sality.AM CnC Channel traffic (trojan.rules)
  2815811 - ETPRO TROJAN Qadars CnC SSL Cert (trojan.rules)
  2815812 - ETPRO TROJAN Qadars CnC SSL Cert (trojan.rules)
  2815813 - ETPRO TROJAN Qadars CnC SSL Cert (trojan.rules)
  2815843 - ETPRO TROJAN Qadars CnC SSL Cert (trojan.rules)
  2815844 - ETPRO TROJAN Qadars CnC SSL Cert (trojan.rules)
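
Worked example (added here; it is not the ET team's rule logic and not part of the original post): the two "Bitcoin miner known malicious basic auth" rules in this update carry the base64 form of an HTTP Basic credential in their titles, so decoding the token is what tells an analyst which pool login an alert was raised on. The script below decodes the two tokens listed above and runs the equivalent check over constructed sample requests. The function names, the hostnames, the sample requests and the choice to key the blocklist on the decoded username are all assumptions made for the example.

```python
import base64
import binascii
import re

# Tokens copied from the titles of rules 2815883 and 2815884 on this page.
# Everything else in this file is an assumption made for the example.
KNOWN_BAD_TOKENS = (
    "dG9waG9zdHMuNTp4",
    "MTVnWHRZdkZaYWVaeHo4YXFmd0hQaHE2UkJ5Y29VeEJvRjp4",
)

# Matches "Authorization" and "Proxy-Authorization" headers carrying a Basic token.
AUTH_HEADER = re.compile(
    r"^(?:Proxy-)?Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/]+={0,2})[ \t]*\r?$",
    re.IGNORECASE | re.MULTILINE,
)


def decode_basic(token):
    """Decode one Basic token into (user, password); None if it is not well-formed."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


# Blocklist keyed on the decoded username (wallet address or worker id), so a
# token with different padding or a different password still matches.
KNOWN_BAD_USERS = {
    cred[0] for cred in map(decode_basic, KNOWN_BAD_TOKENS) if cred is not None
}


def find_miner_logins(request_text):
    """Return the blocklisted usernames found in Basic headers of one HTTP request."""
    hits = []
    for match in AUTH_HEADER.finditer(request_text):
        cred = decode_basic(match.group(1))
        if cred is not None and cred[0] in KNOWN_BAD_USERS:
            hits.append(cred[0])
    return hits


# Constructed sample traffic (not real captures); hostnames are placeholders.
SAMPLE_MINER = (
    "POST / HTTP/1.1\r\n"
    "Host: pool.example.invalid\r\n"
    "Authorization: Basic MTVnWHRZdkZaYWVaeHo4YXFmd0hQaHE2UkJ5Y29VeEJvRjp4\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"method":"getwork","params":[],"id":1}'
)
SAMPLE_BENIGN = (
    "GET /status HTTP/1.1\r\n"
    "Host: intranet.example.invalid\r\n"
    "Authorization: Basic YWxpY2U6czNjcjN0\r\n\r\n"
)

if __name__ == "__main__":
    for token in KNOWN_BAD_TOKENS:
        print(token, "->", decode_basic(token))
    print("miner sample:", find_miner_logins(SAMPLE_MINER))
    print("benign sample:", find_miner_logins(SAMPLE_BENIGN))
```

The first token decodes to the login "tophosts.5" and the second to a 34-character string that has the shape of a Bitcoin address, each with the password "x" that pool logins commonly use as a placeholder. The ET rules match the encoded token as literal content; comparing on the decoded username instead also fires when the same wallet is sent with a different password or with padding added, which a literal match on the token would miss.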

