[Emerging-updates] Daily Ruleset Update Summary 2017/04/20

Travis Green tgreen at emergingthreats.net
Thu Apr 20 18:27:15 EDT 2017


[***]            Summary:            [***]

4 new Open, 34 new Pro (4 + 30). Let's Encrypt w/ Punycode, Various Phishing,
Various Mobile

Thanks: Kevin Ross

[+++]          Added rules:          [+++]

Open:

 2024227 - ET INFO Lets Encrypt Free SSL Cert Observed with IDN/Punycode
Domain - Possible Phishing (info.rules)
 2024228 - ET INFO Suspicious HTML Decimal Obfuscated Title - Possible
Phishing Landing Apr 19 2017 (info.rules)
 2024229 - ET CURRENT_EVENTS Known Malicious Expires Header Seen In
Malicious JavaScript Downloader Campaign (current_events.rules)
 2024230 - ET CURRENT_EVENTS iCloud Phishing Landing Sept 2 2016
(current_events.rules)

Pro:

 2826036 - ETPRO CURRENT_EVENTS Successful Generic SSN Financial Phish Apr
19 2017 (current_events.rules)
 2826037 - ETPRO CURRENT_EVENTS Successful Dropbox Phish Apr 19
(current_events.rules)
 2826038 - ETPRO CURRENT_EVENTS Successful Adobe Phish Apr 19 2017
(current_events.rules)
 2826039 - ETPRO CURRENT_EVENTS Successful Google Drive Phish Apr 19 2017
(current_events.rules)
 2826040 - ETPRO CURRENT_EVENTS Successful Western Union Phish M1 Apr 20
2017 (current_events.rules)
 2826041 - ETPRO CURRENT_EVENTS Successful Western Union Phish M2 Apr 20
2017 (current_events.rules)
 2826042 - ETPRO CURRENT_EVENTS Successful Western Union Phish M3 Apr 20
2017 (current_events.rules)
 2826043 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Apr 20
2017 (current_events.rules)
 2826044 - ETPRO TROJAN Oilrig VBS DNS Lookup (trojan.rules)
 2826045 - ETPRO MALWARE PUP Win32/ELEX Checkin 3 (malware.rules)
 2826046 - ETPRO MOBILE_MALWARE Android.Trojan.SLocker.TX CnC Beacon
(mobile_malware.rules)
 2826047 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Rootnik.bw CnC Beacon
(mobile_malware.rules)
 2826048 - ETPRO CURRENT_EVENTS Microsoft Word Nemucod Phishing Landing Apr
20 2017 (current_events.rules)
 2826049 - ETPRO CURRENT_EVENTS Successful Nemucod Zipped JS Download -
Possible Miuref/Kovter/Panda Banker Apr 20 2017 (current_events.rules)
 2826050 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate
Detected (trojan.rules)
 2826051 - ETPRO MOBILE_MALWARE Android.Trojan.Agent.EZ CnC Beacon
(mobile_malware.rules)
 2826052 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate
Detected (trojan.rules)
 2826053 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.zs Checkin
(mobile_malware.rules)
 2826054 - ETPRO EXPLOIT Huawei HG532n - Enable Portmapping (exploit.rules)
 2826055 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Boogr.gsh DNS Lookup
(mobile_malware.rules)
 2826056 - ETPRO TROJAN DNS Query to Cerber Domain (1j2ien . top)
(trojan.rules)
 2826057 - ETPRO TROJAN DNS Query to Cerber Domain (12smak . top)
(trojan.rules)
 2826058 - ETPRO TROJAN ZLoader Malicious SSL Cert Observed (trojan.rules)
 2826059 - ETPRO TROJAN DNS Query to Cerber Domain (15bjqq . top)
(trojan.rules)
 2826060 - ETPRO TROJAN DNS Query to Cerber Domain (1ms2rx . top)
(trojan.rules)
 2826061 - ETPRO MOBILE_MALWARE Android.Trojan.Guerrilla.n Checkin
(mobile_malware.rules)
 2826062 - ETPRO TROJAN DNS Query to Cerber Domain (12zucf . top)
(trojan.rules)
 2826063 - ETPRO TROJAN DNS Query to Cerber Domain (1ntyds . top)
(trojan.rules)
 2826064 - ETPRO TROJAN DNS Query to Cerber Domain (1c7osg . top)
(trojan.rules)
 2826065 - ETPRO TROJAN DNS Query to Cerber Domain (1cnkik . top)
(trojan.rules)


[///]     Modified active rules:     [///]

 2024104 - ET TROJAN ABUSE.CH Ransomware/Cerber Onion Domain Lookup
(trojan.rules)
 2810640 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.BW Checkin
(mobile_malware.rules)
 2815174 - ETPRO CURRENT_EVENTS Successful iCloud Phish Dec 2
(current_events.rules)


[---]         Disabled rules:        [---]

 2003000 - ET MALWARE PopupSh.ocx Access Attempt (malware.rules)
 2003039 - ET EXPLOIT UPnP DLink M-Search Overflow Attempt (exploit.rules)
 2003048 - ET POLICY Proxy Judge Discovery/Evasion (proxyjudge.cgi)
(policy.rules)
 2003055 - ET MALWARE Suspicious FTP 220 Banner on Local Port (-)
(malware.rules)
 2003057 - ET MALWARE 180solutions Spyware Actionlibs Download
(malware.rules)
 2003058 - ET MALWARE 180solutions (Zango) Spyware Installer Download
(malware.rules)
 2003059 - ET MALWARE 180solutions (Zango) Spyware TB Installer Download
(malware.rules)
 2003061 - ET MALWARE 180solutions (Zango) Spyware Event Activity Post
(malware.rules)
 2003072 - ET EXPLOIT Linksys WRT54g Authentication Bypass Attempt
(exploit.rules)
 2003074 - ET MALWARE Content-loader.com Spyware Install (malware.rules)
 2003075 - ET MALWARE Content-loader.com Spyware Install 2 (malware.rules)
 2003076 - ET MALWARE Content-loader.com (ownusa.info) Spyware Install
(malware.rules)
 2003081 - ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request
(possible MS06-040) (netbios.rules)
 2003082 - ET NETBIOS NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request
(possible MS06-040) (netbios.rules)
 2003083 - ET TROJAN Dialer (trojan.rules)
 2003084 - ET MALWARE TROJAN_VB Microjoin (malware.rules)
 2003086 - ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote
Command Execution (web_server.rules)
 2003087 - ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote
Directory Traversal Attempt (web_server.rules)
 2003302 - ET TROJAN psyBNC IRC Server Connection (trojan.rules)
 2003304 - ET MALWARE Effectivebrands.com Spyware Checkin (malware.rules)
 2003307 - ET MALWARE Comet Systems Spyware Cursor DL (malware.rules)
 2003308 - ET P2P Edonkey IP Request (p2p.rules)
 2003309 - ET P2P Edonkey IP Reply (p2p.rules)
 2003314 - ET P2P Edonkey Search Request (by file hash) (p2p.rules)
 2003316 - ET P2P Edonkey IP Query End (p2p.rules)
 2003318 - ET P2P Edonkey Get Sources Request (by hash) (p2p.rules)
 2003323 - ET P2P Edonkey Client to Server Hello (p2p.rules)
 2003324 - ET P2P Edonkey Server Status (p2p.rules)
 2003329 - ET VOIP Centrality IP Phone (PA-168 Chipset) Session Hijacking
(voip.rules)
 2003348 - ET MALWARE Gamehouse.com Activity (malware.rules)
 2003353 - ET MALWARE Winferno Registry Fix Spyware Download (malware.rules)
 2003354 - ET MALWARE Yourscreen.com Spyware Download (malware.rules)
 2003358 - ET MALWARE Catchonlife.com Spyware (malware.rules)
 2003360 - ET MALWARE Effectivebrands.com Spyware Checkin 2 (malware.rules)
 2003362 - ET MALWARE Freeze.com Spyware/Adware (Pulling Ads)
(malware.rules)
 2003364 - ET MALWARE Hotbar Agent Adopt/Zango (malware.rules)
 2003370 - ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC
Server (Catirpc.dll) DoS (exploit.rules)
 2003375 - ET MALWARE Spy-Not.com Spyware Pulling Fake Sigs (malware.rules)
 2003376 - ET MALWARE Instafinder.com spyware (malware.rules)
 2003377 - ET MALWARE Spy-Not.com Spyware Updating (malware.rules)
 2003378 - ET EXPLOIT Computer Associates Mobile Backup Service
LGSERVER.EXE Stack Overflow (exploit.rules)
 2003388 - ET MALWARE Hotbar Keywords Download (malware.rules)
 2003391 - ET MALWARE SurfAccuracy.com Spyware Pulling Ads (malware.rules)
 2003400 - ET EXPLOIT US-ASCII Obfuscated script (exploit.rules)
 2003401 - ET EXPLOIT US-ASCII Obfuscated VBScript download file
(exploit.rules)
 2003403 - ET EXPLOIT US-ASCII Obfuscated VBScript (exploit.rules)
 2003410 - ET POLICY FTP Login Successful (policy.rules)
 2003411 - ET EXPLOIT Solaris telnet USER environment vuln Attack inbound
(exploit.rules)
 2003412 - ET EXPLOIT Solaris telnet USER environment vuln Attack outbound
(exploit.rules)
 2003414 - ET MALWARE Epilot.com Spyware Reporting (malware.rules)
 2003416 - ET MALWARE Epilot.com Spyware Reporting Clicks (malware.rules)
 2003417 - ET MALWARE CNSMIN (3721.com) Spyware Activity (malware.rules)
 2003418 - ET MALWARE CNSMIN (3721.com) Spyware Activity 2 (malware.rules)
 2003419 - ET MALWARE CNSMIN (3721.com) Spyware Activity 3 (malware.rules)
 2003434 - ET EXPLOIT Trend Micro Web Interface Auth Bypass Vulnerable
Cookie Attempt (exploit.rules)
 2003435 - ET TROJAN Stormy Variant HTTP Request (trojan.rules)
 2003437 - ET P2P Ares over UDP (p2p.rules)
 2003438 - ET MALWARE Abcsearch.com Spyware Reporting (malware.rules)
 2003444 - ET MALWARE Deskwizz.com Spyware Install Code Download
(malware.rules)
 2003450 - ET MALWARE Specificclick.net Spyware Activity (malware.rules)
 2003451 - ET MALWARE K8l.info Spyware Activity (malware.rules)
 2003462 - ET MALWARE CoolDeskAlert Spyware Activity (malware.rules)
 2003466 - ET WEB_SERVER PHP Attack Tool Morfeus F Scanner
(web_server.rules)
 2003472 - ET MALWARE DelFin Project Spyware (setup-alt) (malware.rules)
 2003473 - ET MALWARE DelFin Project Spyware (payload-alt) (malware.rules)
 2003474 - ET VOIP Asterisk Register with no URI or Version DOS Attempt
(voip.rules)
 2003479 - ET POLICY Radmin Remote Control Session Setup Initiate
(policy.rules)
 2003480 - ET POLICY Radmin Remote Control Session Setup Response
(policy.rules)
 2003481 - ET POLICY Radmin Remote Control Session Authentication Initiate
(policy.rules)
 2003482 - ET POLICY Radmin Remote Control Session Authentication Response
(policy.rules)
 2003504 - ET MALWARE E2give Spyware Reporting (check url) (malware.rules)
 2003518 - ET EXPLOIT Computer Associates Brightstor ARCServe Backup
Mediasvr.exe Remote Exploit (exploit.rules)
 2003525 - ET MALWARE Supergames.aavalue.com Spyware (malware.rules)
 2003533 - ET MALWARE Sytes.net Related Spyware Reporting (malware.rules)
 2003537 - ET TROJAN Trojan.Duntek establishing remote connection
(trojan.rules)
 2003538 - ET TROJAN Klom.A Connecting to Controller (trojan.rules)
 2003543 - ET MALWARE Winfixmaster.com Fake Anti-Spyware Install
(malware.rules)
 2003547 - ET MALWARE Privacyprotector.com Fake Anti-Spyware Install
(malware.rules)
 2003556 - ET TROJAN Bandook v1.35 Keepalive Send (trojan.rules)
 2003557 - ET TROJAN Bandook v1.35 Keepalive Reply (trojan.rules)
 2003558 - ET TROJAN Bandook v1.35 Create Registry Key Command Send
(trojan.rules)
 2003559 - ET TROJAN Bandook v1.35 Create Directory Command Send
(trojan.rules)
 2003560 - ET TROJAN Bandook v1.35 Window List Command Send (trojan.rules)
 2003561 - ET TROJAN Bandook v1.35 Window List Reply (trojan.rules)
 2003562 - ET TROJAN Bandook v1.35 Get Processes Command Send (trojan.rules)
 2003563 - ET TROJAN Bandook v1.35 Start Socks5 Proxy Command Send
(trojan.rules)
 2003564 - ET TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply
(trojan.rules)
 2003565 - ET TROJAN Bandook v1.35 Get Processes Command Reply
(trojan.rules)
 2003577 - ET MALWARE Mirarsearch.com Spyware Posting Data (malware.rules)
 2003579 - ET MALWARE Findwhat.com Spyware (clickthrough) (malware.rules)
 2003581 - ET MALWARE Findwhat.com Spyware (sendmedia) (malware.rules)
 2003605 - ET MALWARE Baidu.com Spyware Bar Activity (malware.rules)
 2003606 - ET MALWARE Alexa Spyware Reporting URL Visited (malware.rules)
 2003610 - ET MALWARE Zango Spyware (tbrequest data post) (malware.rules)
 2003611 - ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Updating
(malware.rules)
 2003612 - ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Download
(malware.rules)
 2003617 - ET MALWARE MyWebSearch Toolbar Posting Activity Report
(malware.rules)
 2003619 - ET MALWARE Alexa Spyware Redirecting User (malware.rules)
 2003630 - ET MALWARE Baidu.com Spyware Sobar Bar Activity (malware.rules)
 2003631 - ET POLICY Centralops.net Probe (policy.rules)
 2003750 - ET EXPLOIT CA Brightstor ARCServe caloggerd DoS (exploit.rules)
 2003751 - ET EXPLOIT CA Brightstor ARCServe Mediasvr DoS (exploit.rules)
 2003869 - ET SCAN ProxyReconBot CONNECT method to Mail (scan.rules)
 2003870 - ET SCAN ProxyReconBot POST method to Mail (scan.rules)
 2003903 - ET WEB_SERVER Microsoft SharePoint XSS Attempt default.aspx
(web_server.rules)
 2003904 - ET WEB_SERVER Microsoft SharePoint XSS Attempt index.php form
mail (web_server.rules)
 2003936 - ET TROJAN Bandok phoning home (xor by 0xe9 to decode)
(trojan.rules)
 2003937 - ET TROJAN Bandook iwebho/BBB-phish trojan leaking user data
(trojan.rules)
 2009799 - ET WEB_SERVER PHP Attack Tool Morfeus F Scanner - M
(web_server.rules)
 2011527 - ET NETBIOS windows recycler .exe request - suspicious
(netbios.rules)


[---]         Removed rules:         [---]

 2821995 - ETPRO CURRENT_EVENTS iCloud Phishing Landing Sept 2 2016
(current_events.rules)
 2824170 - ETPRO TROJAN DNS Query to Cerber Domain (1bpfr1 . top)
(trojan.rules)
 2824490 - ETPRO TROJAN DNS Query to Cerber Domain (19ob95 . top)
(trojan.rules)
 2824491 - ETPRO TROJAN DNS Query to Cerber Domain (16gjpm . top)
(trojan.rules)
 2824492 - ETPRO TROJAN DNS Query to Cerber Domain (12gzrv . top)
(trojan.rules)
 2824494 - ETPRO TROJAN DNS Query to Cerber Domain (17ldrv . top)
(trojan.rules)
 2824495 - ETPRO TROJAN DNS Query to Cerber Domain (15rnwa . top)
(trojan.rules)
 2824498 - ETPRO TROJAN DNS Query to Cerber Domain (1pbu64 . top)
(trojan.rules)
 2824499 - ETPRO TROJAN DNS Query to Cerber Domain (191jcq . top)
(trojan.rules)
 2824500 - ETPRO TROJAN DNS Query to Cerber Domain (1kdfj8 . top)
(trojan.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>