[Emerging-updates] Daily Ruleset Update Summary 2017/02/14

Francis Trudeau ftrudeau at emergingthreats.net
Tue Feb 14 18:21:13 EST 2017


 [***] Summary: [***]

 9 new Open signatures, 44 new Pro (9 + 35).  Adobe MAPP, Bunitu,
Dragon BR Banker.

 Thanks:  Shane Boissevain, @rmkml and @CERT_Polska_en.

 Adobe CVE to ET Sid mapping:

 CVE-2017-2984 -> 2824933
 CVE-2017-2984 -> 2824934
 CVE-2017-2984 -> 2824935
 CVE-2017-2986 -> 2824936
 CVE-2017-2990 -> 2824937
 CVE-2017-2990 -> 2824938
 CVE-2017-2992 -> 2824939
 CVE-2017-2991 -> 2824940

 [+++]          Added rules:          [+++]

 Open:

  2023900 - ET INFO MP4 in HTTP Flowbit Set M3 (info.rules)
  2023901 - ET TELNET busybox MEMES Hackers - Possible Brute Force Attack (telnet.rules)
  2023902 - ET TROJAN Unknown Malicious SSL Cert 1 (trojan.rules)
  2023903 - ET TROJAN Unknown Malicious SSL Cert 2 (trojan.rules)
  2023904 - ET TROJAN Unknown Malicious SSL Cert 3 (trojan.rules)
  2023905 - ET TROJAN Unknown Malicious SSL Cert 4 (trojan.rules)
  2023906 - ET TROJAN Unknown Malicious SSL Cert 5 (trojan.rules)
  2023907 - ET TROJAN Unknown Malicious SSL Cert 6 (trojan.rules)
  2023908 - ET TROJAN Unknown Malicious SSL Cert 7 (trojan.rules)

 Pro:

  2824932 - ETPRO TROJAN Banker.Win32.Alreay SSL SNI (trojan.rules)
  2824933 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M1 (CVE-2017-2984) (web_client.rules)
  2824934 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M2 (CVE-2017-2984) (web_client.rules)
  2824935 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M3 (CVE-2017-2984) (web_client.rules)
  2824936 - ETPRO WEB_CLIENT Possible Adobe Flash FLV parsing OOB Memory Access (CVE-2017-2986) (web_client.rules)
  2824937 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M1 (CVE-2017-2990) (web_client.rules)
  2824938 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M2 (CVE-2017-2990) (web_client.rules)
  2824939 - ETPRO EXPLOIT Flash Player Heap Overflow (CVE-2017-2992) (exploit.rules)
  2824940 - ETPRO EXPLOIT Flash Player Memory Corruption (CVE-2017-2991) (exploit.rules)
  2824941 - ETPRO TROJAN Observed Malicious JS Checkin (trojan.rules)
  2824942 - ETPRO TROJAN Possible Observed Malicious JS Connectivity Check (trojan.rules)
  2824943 - ETPRO TROJAN Win32.Bunitu DNS Lookup (trojan.rules)
  2824944 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.san SMS/Contacts Exfil via SMTP (mobile_malware.rules)
  2824945 - ETPRO MOBILE_MALWARE Android/Styricka.A Checkin 2 (mobile_malware.rules)
  2824946 - ETPRO CURRENT_EVENTS Microsoft Live External Link Phishing Landing Feb 14 2017 (current_events.rules)
  2824947 - ETPRO CURRENT_EVENTS Successful Microsoft Live External Link Phish Feb 14 2017 (current_events.rules)
  2824948 - ETPRO TROJAN W32/Dragon BR Banker v1.x Checkin M1 (trojan.rules)
  2824949 - ETPRO TROJAN W32/Dragon BR Banker v1.x Checkin M2 (trojan.rules)
  2824950 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ay SMS Exfil via SMTP (mobile_malware.rules)
  2824951 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.eg SMS Exfil via SMTP 2 (mobile_malware.rules)
  2824952 - ETPRO TROJAN DNS Query to Cerber Domain (1nmrtq . top) (trojan.rules)
  2824953 - ETPRO TROJAN DNS Query to Cerber Domain (1gnlsi . top) (trojan.rules)
  2824954 - ETPRO TROJAN DNS Query to Cerber Domain (1cglxz . top) (trojan.rules)
  2824955 - ETPRO TROJAN DNS Query to Cerber Domain (1ktjse . top) (trojan.rules)
  2824956 - ETPRO TROJAN DNS Query to Cerber Domain (12umzf . top) (trojan.rules)
  2824957 - ETPRO TROJAN DNS Query to Cerber Domain (1psts4 . top) (trojan.rules)
  2824958 - ETPRO TROJAN VanToM RAT Checkin Response 2 (trojan.rules)
  2824959 - ETPRO POLICY SmartEmailExtractor Checkin (policy.rules)
  2824960 - ETPRO TROJAN MSIL/Unknown PWS CnC Checkin (trojan.rules)
  2824961 - ETPRO TROJAN MSIL/Unknown PWS Data Exfil (trojan.rules)
  2824962 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish to myjino.ru hosted domain Feb 14 2017 (current_events.rules)
  2824963 - ETPRO CURRENT_EVENTS Unknown Phishing DNS Lookup (current_events.rules)
  2824968 - ETPRO CURRENT_EVENTS Successful Excel Online Phish Feb 14 2017 (current_events.rules)
  2824969 - ETPRO CURRENT_EVENTS Microsoft Live External Link Phishing Landing M2 Feb 14 2017 (current_events.rules)
  2824970 - ETPRO CURRENT_EVENTS Successful Microsoft Live External Link Phish M2 Feb 14 2017 (current_events.rules)


 [///]     Modified active rules:     [///]

  2008052 - ET MALWARE User-Agent (Internet Explorer) (malware.rules)
  2014726 - ET POLICY Outdated Windows Flash Version IE (policy.rules)
  2021030 - ET TROJAN BePush/Kilim CnC Beacon (trojan.rules)
  2815653 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Ewind.ao Checkin (mobile_malware.rules)
  2823937 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) Dec 16 2016 (current_events.rules)
  2824590 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.dj SMS Exfil via SMTP (mobile_malware.rules)
  2824669 - ETPRO TROJAN APT.ChChes CnC Beacon 1 (trojan.rules)
  2824670 - ETPRO TROJAN APT.ChChes CnC Beacon 2 (trojan.rules)


 [---]         Removed rules:         [---]

  2023529 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Malware CnC) (trojan.rules)
  2023881 - ET CURRENT_EVENTS Possible Craigslist Phishing Domain Feb 07 2017 (current_events.rules)