[Emerging-updates] Daily Ruleset Update Summary 2017/03/08

Travis Green tgreen at emergingthreats.net
Wed Mar 8 19:29:36 EST 2017


 [***]            Summary:            [***]

 6 new Open signatures, 28 new Pro (6 + 22). TrumpLocker/VenusLocker,
StoneDrill Wiper, (?:Drupal|Struts) Vulns, TorrentLocker, Various mobile,
Phishing.

Thanks: Kevin Ross, @DidierStevens

 [+++]          Added rules:          [+++]

 Open:

  2024034 - ET WEB_CLIENT Possible MacOSX HelpViewer 10.12.1 XSS Arbitrary
File Execution and Arbitrary File Read (CVE-2017-2361) (web_client.rules)
  2024035 - ET TROJAN WS/JS Downloader Mar 07 2017 M1 (trojan.rules)
  2024036 - ET TROJAN WS/JS Downloader Mar 07 2017 M2 (trojan.rules)
  2024037 - ET CURRENT_EVENTS Evil Redirect Leading to EK March 07 2017
(current_events.rules)
  2024038 - ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression
Injection (CVE-2017-5638) (web_specific_apps.rules)
  2024039 - ET WEB_SPECIFIC_APPS Possible Drupal Object Unserialize Exploit
Attempt (web_specific_apps.rules)
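
The Struts entry above (2024038) targets CVE-2017-5638, the OGNL expression
injection carried in the Content-Type header that the Struts 2 Jakarta
Multipart parser evaluates while building its error message. As an added
illustration, not the content of the ET rule and not code from Emerging
Threats, here is a Python detector that applies the same idea to raw HTTP
requests. The request samples are constructed for the example and the
payload is truncated so that it is not a working exploit:

```python
"""Illustrative detector for CVE-2017-5638-style OGNL injection in Content-Type.

Added example; it is not Emerging Threats rule 2024038 and does not reproduce
that rule's content. CVE-2017-5638 is triggered through the Content-Type
header handled by the Struts 2 Jakarta Multipart parser: the header value
carries an OGNL expression (%{...}) that Struts evaluates while building an
error message. The code below applies that idea to raw HTTP request bytes.
The sample requests are constructed for this example, not captured traffic.
"""

# OGNL markers seen in public CVE-2017-5638 payloads: the expression openers
# and names the payloads touch to disable the sandbox and execute commands.
OGNL_OPENERS = (b"%{", b"${")
OGNL_MARKERS = OGNL_OPENERS + (b"#_memberaccess", b"#context", b"ognl", b"processbuilder")


def parse_headers(raw_request: bytes) -> dict:
    """Map lower-cased header name -> list of values (duplicates are kept)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # [1:] skips the request line
        if b":" not in line:
            continue
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def ognl_markers_in_content_type(raw_request: bytes) -> list:
    """Return the sorted OGNL markers found in any Content-Type header value.

    Every Content-Type value is checked, not just the first: a benign header
    followed by a duplicate that carries the payload is a cheap evasion
    against detectors that stop at the first occurrence.
    """
    hits = set()
    for value in parse_headers(raw_request).get(b"content-type", []):
        lowered = value.lower()
        hits.update(m for m in OGNL_MARKERS if m in lowered)
    return sorted(hits)


def is_struts_ognl_attempt(raw_request: bytes) -> bool:
    """Alert only when an expression opener is present; 'ognl' alone is too weak."""
    return any(o in ognl_markers_in_content_type(raw_request) for o in OGNL_OPENERS)


# Constructed samples. The attack payload is truncated and non-functional;
# it only keeps the structure a detector has to recognise.
BENIGN_UPLOAD = (
    b"POST /upload.action HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryX\r\n"
    b"Content-Length: 0\r\n\r\n"
)

ATTACK = (
    b"POST /struts2-showcase/ HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Content-Type: %{(#_='multipart/form-data')."
    b"(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    b"(#cmd='id').(#p=new java.lang.ProcessBuilder(#cmd))}\r\n"
    b"Content-Length: 0\r\n\r\n"
)

DUPLICATE_HEADER = (
    b"POST /struts2-showcase/ HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"content-type: application/x-www-form-urlencoded\r\n"
    b"CONTENT-TYPE: %{#context['xwork.MethodAccessor.denyMethodExecution']=false}\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_UPLOAD), ("attack", ATTACK), ("dup-header", DUPLICATE_HEADER)):
        print(f"{label:11s} alert={is_struts_ognl_attempt(req)} markers={ognl_markers_in_content_type(req)}")
```

The point worth carrying over to a real signature is the duplicate-header case:
a detector that inspects only the first Content-Type value misses the third
sample, while one that requires the expression opener avoids alerting on
every request whose content type merely mentions "ognl".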

 Pro:

  2823837 - ETPRO WEB_CLIENT Microsoft Edge Memory Corruption Vulnerability
(CVE-2016-7286) (web_client.rules)
  2825293 - ETPRO TROJAN StoneDrill CnC Server Selection Request
(trojan.rules)
  2825294 - ETPRO TROJAN StoneDrill POST Login Request (trojan.rules)
  2825295 - ETPRO TROJAN MSIL/Neptune Reporting System Information
(trojan.rules)
  2825296 - ETPRO TROJAN Win32/Agent.YDZ CnC Initial Request DNS Beacon
(trojan.rules)
  2825297 - ETPRO CURRENT_EVENTS Successful HSBC Phish M1 Mar 07 2017
(current_events.rules)
  2825298 - ETPRO CURRENT_EVENTS Successful HSBC Phish M2 Mar 07 2017
(current_events.rules)
  2825299 - ETPRO CURRENT_EVENTS Successful HSBC Phish M3 Mar 07 2017
(current_events.rules)
  2825300 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.IC File Download
(mobile_malware.rules)
  2825301 - ETPRO TROJAN August Stealer CnC Checkin M2 (trojan.rules)
  2825302 - ETPRO TROJAN TorrentLocker C2 Domain (trojan.rules)
  2825303 - ETPRO TROJAN TorrentLocker C2 Domain (trojan.rules)
  2825304 - ETPRO TROJAN TorrentLocker C2 Domain (trojan.rules)
  2825305 - ETPRO MOBILE_MALWARE PUA Android/Agent.K Checkin
(mobile_malware.rules)
  2825306 - ETPRO TROJAN TorrentLocker C2 Domain (trojan.rules)
  2825307 - ETPRO CURRENT_EVENTS Docusign Phishing Landing Mar 08 2017
(current_events.rules)
  2825308 - ETPRO MOBILE_MALWARE AndroidOS/Secapk.A Checkin
(mobile_malware.rules)
  2825309 - ETPRO TROJAN Win32.Emdivi CnC Beacon (trojan.rules)
  2825310 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Dowgin.d CnC Beacon 3
(mobile_malware.rules)
  2825311 - ETPRO TROJAN Unknown Coinminer .onion Proxy Domain
(trojan.rules)
  2825312 - ETPRO MALWARE Win32/Amonetize CnC Beacon (malware.rules)
  2825313 - ETPRO TROJAN TrumpLocker/VenusLocker .onion Proxy Domain
(trojan.rules)


 [///]     Modified active rules:     [///]

  2010969 - ET POLICY Possible ProxyShell Anonymous Access Connection
(policy.rules)
  2010972 - ET POLICY Possible ProxyShell Hide IP Installation file
download (policy.rules)
  2011769 - ET TROJAN Shiz/Rohimafo Binary Download Request (trojan.rules)
  2011871 - ET POLICY SubmitToTDWTF.asmx DailyWTF Potential Source Code
Leakage (policy.rules)
  2012201 - ET WORM Possible Worm Sohanad.Z or Other Infection Request for
setting.nql (worm.rules)
  2012955 - ET POLICY HTTP Request to a *.co.tv domain (policy.rules)
  2014116 - ET TROJAN Suspicious User-Agent build - possibly
Delf/Troxen/Zema (trojan.rules)
  2014566 - ET TROJAN W32/UltimateDefender.FakeAV Checkin (trojan.rules)
  2014802 - ET CURRENT_EVENTS Fragus Exploit jar Download
(current_events.rules)
  2014843 - ET TROJAN Blackhole Exploit Kit Request tkr (trojan.rules)
  2014864 - ET TROJAN W32.Gimemo/Aldibot CnC POST (trojan.rules)
  2014884 - ET CURRENT_EVENTS Request to malicious SutraTDS - lonly= in
cookie (current_events.rules)
  2015015 - ET POLICY Download Request to Hotfile.com (policy.rules)
  2015019 - ET TROJAN W32/Icoo CnC Checkin (trojan.rules)
  2015547 - ET TROJAN Pakes2 - EXE Download Request (trojan.rules)
  2015581 - ET TROJAN Atadommoc.C - HTTP CnC (trojan.rules)
  2015907 - ET CURRENT_EVENTS BoA -Account Phished (current_events.rules)
  2016170 - ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (2)
(current_events.rules)
  2016328 - ET TROJAN ZeuS Post to C&C footer.php (trojan.rules)
  2016693 - ET INFO SUSPICIOUS UA starting with Mozilla/8 (info.rules)
  2016773 - ET TROJAN Mutter Backdoor Checkin (trojan.rules)
  2016912 - ET TROJAN W32/KeyLogger.ACQH!tr Checkin (trojan.rules)
  2017927 - ET POLICY check.torproject.org IP lookup/Tor Usage check over
HTTP (policy.rules)
  2018026 - ET MALWARE W32/BettrExperience.Adware Update Checkin
(malware.rules)
  2018667 - ET TROJAN Possible Zeus P2P Variant Check-in (trojan.rules)
  2020847 - ET CURRENT_EVENTS Chrome Form Data Theft April 06 2015
(current_events.rules)
  2021226 - ET TROJAN Poweliks Clickfraud CnC M1 (trojan.rules)
  2021270 - ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 15 M2
(current_events.rules)
  2021271 - ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 15 M3
(current_events.rules)
  2022123 - ET POLICY IP Lookup Geoip.co.uk (policy.rules)
  2022245 - ET TROJAN NetBackdoor User-Agent (.net backdor) (trojan.rules)
  2022246 - ET TROJAN Backdoor User-Agent (InstallCapital) (trojan.rules)
  2022351 - ET POLICY External IP Lookup - ipecho.net (policy.rules)
  2022377 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsalias.ru Domain
(info.rules)
  2022378 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsip.ru Domain
(info.rules)
  2022379 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyn-dns.ru Domain
(info.rules)
  2022380 - ET INFO DYNAMIC_DNS HTTP Request to a *.dns-free.ru Domain
(info.rules)
  2022519 - ET TROJAN Bedep Connectivity Check M3 (trojan.rules)
  2023240 - ET MOBILE_MALWARE iOS DualToy Checkin (mobile_malware.rules)
  2023520 - ET POLICY External IP Lookup (tinytools.nu) (policy.rules)
  2023653 - ET TROJAN TeleBots BCS-server User-Agent (trojan.rules)
  2023654 - ET TROJAN TeleBots VBS Backdoor CnC Beacon 1 (trojan.rules)
  2023874 - ET POLICY Hamas Terrorist Propaganda TV Channel (aqsatv.ps)
(policy.rules)
  2024028 - ET TROJAN Infostealer.Bancos ProxyChanger Checkin (trojan.rules)
  2800868 - ETPRO EXPLOIT Powerpoint Download (exploit.rules)
  2800888 - ETPRO WEB_SPECIFIC_APPS Microsoft Forefront Unified Access
Gateway Signurl.asp Cross-Site Scripting (web_specific_apps.rules)
  2800957 - ETPRO USER_AGENTS RogueSoftware.Win32.RClean User-Agent
(user_agents.rules)
  2800966 - ETPRO WEB_CLIENT Microsoft Office Insecure Library Loading
WebDAV PROPFIND pptimpconv.dll (web_client.rules)
  2801000 - ETPRO WEB_CLIENT Microsoft Windows Movie Maker Insecure Library
Loading WebDAV PROPFIND hhctrl.ocx (web_client.rules)
  2801001 - ETPRO WEB_CLIENT Microsoft Windows Movie Maker Insecure Library
Loading WebDAV GET hhctrl.ocx (web_client.rules)
  2801248 - ETPRO USER_AGENTS Malware Related User-Agent RepairR
(user_agents.rules)
  2803027 - ETPRO WEB_CLIENT Microsoft Excel Malformed Selection (type
0x1D) BIFF record (web_client.rules)
  2804168 - ETPRO INFO DYNAMIC_DNS HTTP Request to a *.ddns.mobi Domain
(info.rules)
  2804956 - ETPRO TROJAN herpnet C&C (trojan.rules)
  2805036 - ETPRO TROJAN TrojanDownloader.Banload.brce Checkin
(trojan.rules)
  2805273 - ETPRO MALWARE ApplicUnwnt.Win32.AdWare.InstallCore.2
(malware.rules)
  2805434 - ETPRO TROJAN Trojan-Downloader.Win32.SpyAgent.r Checkin
(trojan.rules)
  2805685 - ETPRO WEB_CLIENT Microsoft .NET Framework Insecure Library
Loading (web_client.rules)
  2805772 - ETPRO TROJAN Trojan-Ransomware Checkin (trojan.rules)
  2805824 - ETPRO TROJAN Mal/FakeSg-B Checkin (trojan.rules)
  2805865 - ETPRO TROJAN TROJ_MOTMOT.CI Checkin (trojan.rules)
  2806172 - ETPRO TROJAN Trojan-Clicker.Win32.Galepo.bu Checkin
(trojan.rules)
  2806422 - ETPRO TROJAN Trojan-Dropper.Win32.Dapato.bfjn Download
(trojan.rules)
  2806779 - ETPRO TROJAN Trojan-PSW.Win32.Delf.qc Checkin (trojan.rules)
  2806807 - ETPRO MOBILE_MALWARE AndroidOS/GingerMaster.A
(mobile_malware.rules)
  2806866 - ETPRO TROJAN Win32/TrojanDropper.Agent.POP Checkin
(trojan.rules)
  2807035 - ETPRO TROJAN Trojan.Win32.Delf Variant Checkin (trojan.rules)
  2807215 - ETPRO TROJAN Orbit downloader checkin 2 (trojan.rules)
  2807287 - ETPRO TROJAN Trojan-Dropper.Win32.Agent.iish Checkin
(trojan.rules)
  2807411 - ETPRO POLICY geo IP lookup service ip-who-is.com (policy.rules)
  2808248 - ETPRO TROJAN Win32/Poweliks.A Checkin (trojan.rules)
  2808357 - ETPRO MOBILE_MALWARE Android/TelMan.A Checkin
(mobile_malware.rules)
  2810116 - ETPRO MOBILE_MALWARE AndroidOS/DroidDream.A Checkin
(mobile_malware.rules)
  2810737 - ETPRO TROJAN Simda CnC Beacon (trojan.rules)
  2810766 - ETPRO MOBILE_MALWARE Unknown Checkin (mobile_malware.rules)
  2811058 - ETPRO POLICY External IP Lookup - ip.42.pl (policy.rules)
  2811246 - ETPRO TROJAN Win32/Nivdort Empty Checkin (trojan.rules)
  2811451 - ETPRO TROJAN Asterope CnC Beacon (trojan.rules)
  2811662 - ETPRO MALWARE PUP.PricePeep.A Checkin (malware.rules)
  2812176 - ETPRO CURRENT_EVENTS Possible Successful Google Drive Phish
July 27 M2 (current_events.rules)
  2812251 - ETPRO MALWARE Win32/Stocksoft.Downloader PUP Activity
(malware.rules)
  2812790 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.fj Checkin
(mobile_malware.rules)
  2812962 - ETPRO TROJAN Backdoor.Bot Activity (trojan.rules)
  2813047 - ETPRO MOBILE_MALWARE Android/Andup.Y Checkin
(mobile_malware.rules)
  2815026 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.MobiDash.c Checkin
(mobile_malware.rules)
  2815148 - ETPRO CURRENT_EVENTS Successful MCB Bank Phish Nov 30
(current_events.rules)
  2815177 - ETPRO CURRENT_EVENTS PowerShell Empire Session via Excel Macro
(current_events.rules)
  2815281 - ETPRO MALWARE Unknown PUP/KR Checkin (malware.rules)
  2815658 - ETPRO TROJAN W32.Unknown Checkin (trojan.rules)
  2815726 - ETPRO MOBILE_MALWARE AndroidOS/SMSreg.CC Checkin
(mobile_malware.rules)
  2815854 - ETPRO CURRENT_EVENTS Shared Document Base64 Phishing Landing
Jan 19 (current_events.rules)
  2816907 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.Agent.i Checkin
(mobile_malware.rules)
  2819953 - ETPRO TROJAN Ransomware TrueCrypter CnC Beacon (trojan.rules)
  2820935 - ETPRO MOBILE_MALWARE Android/Agent.UH Checkin
(mobile_malware.rules)
  2821362 - ETPRO TROJAN R980 Ransomware Requesting Image 1 (trojan.rules)
  2821363 - ETPRO TROJAN R980 Ransomware Requesting Image 2 (trojan.rules)
  2821594 - ETPRO CURRENT_EVENTS Successful TD Commercial Banking Phish Aug
10 2016 (current_events.rules)
  2821603 - ETPRO TROJAN Win32.Getapula Stealer Checkin (trojan.rules)
  2821735 - ETPRO TROJAN Cromwi Fake User-Agent (trojan.rules)
  2821761 - ETPRO CURRENT_EVENTS Successful Adobe Shared Document Phish Aug
19 2016 (current_events.rules)
  2821978 - ETPRO CURRENT_EVENTS Successful Google Drive Phish Sept M2 1
2016 (current_events.rules)
  2821979 - ETPRO CURRENT_EVENTS Successful Google Drive Phish Sept M1 1
2016 (current_events.rules)
  2821988 - ETPRO TROJAN MSIL/Unknown HTTP Bot Screenshot Upload
(trojan.rules)
  2822639 - ETPRO CURRENT_EVENTS Successful Google Drive Phish Oct 14 2016
(current_events.rules)
  2822685 - ETPRO TROJAN TheTrick Banking Trojan Affiliate Download
(trojan.rules)
  2822756 - ETPRO CURRENT_EVENTS Successful Credit Agricole Bank (FR) Phish
M1 Oct 19 2016 (current_events.rules)
  2824672 - ETPRO TROJAN Rerdom Variant CnC M2 (trojan.rules)
  2824971 - ETPRO TROJAN Fareit/Pony Variant CnC Beacon (trojan.rules)
  2825084 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Shedun.Z Config
Download (mobile_malware.rules)
  2825142 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Dowgin.d CnC Beacon
(mobile_malware.rules)
  2825191 - ETPRO TROJAN MSIL/Unk HTTP CnC Activity (trojan.rules)
  2825273 - ETPRO TROJAN MSIL/Enjey Crypter Ransomware CnC Checkin
(trojan.rules)


 [---]  Disabled and modified rules:  [---]

  2806627 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free 3
CVE-2013-3115 (web_client.rules)
  2806628 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free 4
CVE-2013-3115 (web_client.rules)
  2807936 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free
(CVE-2014-1755) (web_client.rules)
  2808998 - ETPRO WEB_CLIENT Possible Internet Explorer Memory Corruption
Vulnerability CVE-2014-4137 (web_client.rules)
  2810028 - ETPRO WEB_CLIENT MS15-018 Internet Explorer Elevation of
Privilege Vulnerability CVE-2015-1623 (web_client.rules)
  2823145 - ETPRO WEB_CLIENT Possible Microsoft Edge Buffer Overflow M1
(CVE-2016-7202) (web_client.rules)
  2823160 - ETPRO WEB_CLIENT Possible Microsoft Edge JSON.parse RCE
(CVE-2016-7241) (web_client.rules)


 [---]         Removed rules:         [---]

  2823837 - ETPRO EXPLOIT Microsoft Edge Memory Corruption Vulnerability
(CVE-2016-7286) (exploit.rules)
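
To apply a summary like this one to a pinned ruleset it helps to have it in
machine-readable form. The Python below is an added example, not an Emerging
Threats tool: it parses the section banners and the wrapped entries used
above into SID records, and flags the one SID on this page that appears under
both Added and Removed (2823837, which moved from exploit.rules to
web_client.rules rather than being a new signature). SAMPLE is a constructed
excerpt of this update:

```python
"""Parse an Emerging Threats daily ruleset update summary into SID records.

Added example, not an Emerging Threats tool. Teams that pin a Suricata or
Snort ruleset want, per daily update, the SIDs added, modified, disabled or
removed, and which additions reference a CVE. The format is the one on this
page: "[+++] Added rules: [+++]"-style banners, then entries of the form
"  <sid> - <message> (<file>.rules)" whose message may wrap to a second
line. SAMPLE is a constructed excerpt of this page's update.
"""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^\s*\[[+/*-]{3}\]\s+(.*?):?\s+\[[+/*-]{3}\]\s*$")
ENTRY_RE = re.compile(r"^\s*(\d{7})\s+-\s+(.*)$")
FILE_RE = re.compile(r"\s*\(([\w.]+\.rules)\)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Entry:
    sid: int
    section: str        # banner text, e.g. "Added rules", "Removed rules"
    feed: str           # "Open" (msg starts with "ET ") or "Pro" ("ETPRO ")
    message: str        # rule msg without the trailing "(file.rules)"
    rule_file: str

    @property
    def cves(self) -> list:
        return CVE_RE.findall(self.message)


def parse_summary(text: str) -> list:
    entries, section, pending = [], None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section, pending = m.group(1), None
            continue
        m = ENTRY_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
        elif pending and line.strip():
            pending = (pending[0], pending[1] + " " + line.strip())   # wrapped msg
        else:
            continue
        fm = FILE_RE.search(pending[1])
        if fm:                          # entry is complete once the file suffix appears
            message = pending[1][:fm.start()].strip()
            feed = "Pro" if message.startswith("ETPRO") else "Open"
            entries.append(Entry(pending[0], section, feed, message, fm.group(1)))
            pending = None
    return entries


def sids_by_section(entries: list) -> dict:
    out = {}
    for e in entries:
        out.setdefault(e.section, []).append(e.sid)
    return out


def cve_tagged(entries: list, section: str = "Added rules") -> dict:
    """SID -> CVE list for entries in one section whose msg names a CVE."""
    return {e.sid: e.cves for e in entries if e.section == section and e.cves}


def relocated(entries: list) -> dict:
    """SIDs listed under both Added and Removed moved between .rules files
    rather than being new (on this page 2823837 went exploit -> web_client)."""
    added = {e.sid: e.rule_file for e in entries if e.section == "Added rules"}
    removed = {e.sid: e.rule_file for e in entries if e.section == "Removed rules"}
    return {s: (removed[s], added[s]) for s in added.keys() & removed.keys()}


SAMPLE = """\
 [+++]          Added rules:          [+++]

 Open:

  2024038 - ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression
Injection (CVE-2017-5638) (web_specific_apps.rules)
  2024039 - ET WEB_SPECIFIC_APPS Possible Drupal Object Unserialize Exploit
Attempt (web_specific_apps.rules)

 Pro:

  2823837 - ETPRO WEB_CLIENT Microsoft Edge Memory Corruption Vulnerability
(CVE-2016-7286) (web_client.rules)

 [///]     Modified active rules:     [///]

  2805273 - ETPRO MALWARE ApplicUnwnt.Win32.AdWare.InstallCore.2
 (malware.rules)

 [---]  Disabled and modified rules:  [---]

  2823160 - ETPRO WEB_CLIENT Possible Microsoft Edge JSON.parse RCE
(CVE-2016-7241) (web_client.rules)

 [---]         Removed rules:         [---]

  2823837 - ETPRO EXPLOIT Microsoft Edge Memory Corruption Vulnerability
(CVE-2016-7286) (exploit.rules)
"""
```

Entries are only emitted once the "(file.rules)" suffix has been seen, which
is what makes the wrapped two-line messages (and the stray leading space
before "(malware.rules)" in the 2805273 entry) parse the same as single-line
ones. Feed is derived from the "ET"/"ETPRO" prefix rather than the "Open:" /
"Pro:" sub-headings because the Modified, Disabled and Removed sections do
not carry those sub-headings.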


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>