[Emerging-updates] Daily Ruleset Update Summary 2017/03/14

Travis Green tgreen at emergingthreats.net
Tue Mar 14 18:53:53 EDT 2017


 [***]            Summary:            [***]

 6 new Open signatures, 94 new Pro (6 + 88). MAPP, Terror EK, Various
Phishing.

 CVE to ET Sid mapping for MAPP:

 CVE-2017-0007->2825374
 CVE-2017-0008->2825375
 CVE-2017-0010->2825376
 CVE-2017-0011->2825377
 CVE-2017-0022->2825378
 CVE-2017-0023->2825379
 CVE-2017-0023->2825380
 CVE-2017-0024->2825381
 CVE-2017-0026->2825382
 CVE-2017-0030->2825383
 CVE-2017-0031->2825384
 CVE-2017-0037->2825385
 CVE-2017-0038->2825387
 CVE-2017-0039->2825388
 CVE-2017-0042->2825389
 CVE-2017-0046->2825390
 CVE-2017-0049->2825391
 CVE-2017-2984->2825392
 CVE-2017-2984->2825393
 CVE-2017-2984->2825394
 CVE-2017-2986->2825395
 CVE-2017-2990->2825396
 CVE-2017-2990->2825397
 CVE-2017-2992->2825398
 CVE-2017-2991->2825399
 CVE-2017-0009->2825400
 CVE-2017-0015->2825401
 CVE-2017-0017->2825402
 CVE-2017-0018->2825403
 CVE-2017-0034->2825404
 CVE-2017-0055->2825405
 CVE-2017-0059->2825406
 CVE-2017-0060->2825407
 CVE-2017-0062->2825408
 CVE-2017-0066->2825410
 CVE-2017-0067->2825409
 CVE-2017-0069->2825411
 CVE-2017-0070->2825412
 CVE-2017-0071->2825413
 CVE-2017-0072->2825414
 CVE-2017-0073->2825415
 CVE-2017-0078->2825416
 CVE-2017-0079->2825417
 CVE-2017-0080->2825418
 CVE-2017-0081->2825419
 CVE-2017-0082->2825420
 CVE-2017-0083->2825421
 CVE-2017-0086->2825422
 CVE-2017-0087->2825423
 CVE-2017-0088->2825424
 CVE-2017-0089->2825425
 CVE-2017-0090->2825426
 CVE-2017-0094->2825427
 CVE-2017-0100->2825428
 CVE-2017-0108->2825430
 CVE-2017-0121->2825431
 CVE-2017-0130->2825432
 CVE-2017-0131->2825433
 CVE-2017-0133->2825434
 CVE-2017-0140->2825435
 CVE-2017-0141->2825436
 CVE-2017-0154->2825437
 CVE-2017-2998->2825438
 CVE-2017-2997->2825439
 CVE-2017-2999->2825440
 CVE-2017-3002->2825441


 [+++]          Added rules:          [+++]

  2024050 - ET CURRENT_EVENTS Successful ANZ Internet Banking Phish Mar 14
2017 (current_events.rules)
  2024051 - ET CURRENT_EVENTS Successful Instagram Phish Mar 14 2017
(current_events.rules)
  2024052 - ET CURRENT_EVENTS Successful Paypal Phish Mar 14 2017
(current_events.rules)
  2024053 - ET CURRENT_EVENTS Terror EK Payload Download M1 Mar 14 2017
(current_events.rules)
  2024054 - ET CURRENT_EVENTS Terror EK Payload Download M2 Mar 14 2017
(current_events.rules)
  2024055 - ET CURRENT_EVENTS Terror EK Payload RC4 Key M1 Mar 14 2017
(current_events.rules)
  2825374 - ETPRO WEB_CLIENT Possible Microsoft Windows Script Signature
Checking Bypass (CVE-2017-0007) (web_client.rules)
  2825375 - ETPRO WEB_CLIENT Possible Internet Explorer Information
Disclosure Vulnerability (CVE-2017-0008) (web_client.rules)
  2825376 - ETPRO WEB_CLIENT Possible Scripting Engine Memory Corruption
Vulnerability (CVE-2017-0010) (web_client.rules)
  2825377 - ETPRO WEB_CLIENT Microsoft Edge OOB Read Information Disclosure
(CVE-2017-0011) (web_client.rules)
  2825378 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer
Information Disclosure (CVE-2017-0022) (web_client.rules)
  2825379 - ETPRO WEB_CLIENT Microsoft Edge PDF Parsing RCE M1
(CVE-2017-0023) (web_client.rules)
  2825380 - ETPRO WEB_CLIENT Microsoft Edge PDF Parsing RCE M2
(CVE-2017-0023) (web_client.rules)
  2825381 - ETPRO EXPLOIT Possible Windows DLL Loading RCE Vulnerability
(CVE-2017-0024) (exploit.rules)
  2825382 - ETPRO EXPLOIT Possible Win32k Elevation of Privilege
Vulnerability (CVE-2017-0026) (exploit.rules)
  2825383 - ETPRO EXPLOIT MS Word Buffer Overflow (CVE-2017-0030)
(exploit.rules)
  2825384 - ETPRO EXPLOIT MS Word UAF RCE (CVE-2017-0031) (exploit.rules)
  2825385 - ETPRO WEB_CLIENT Internet Explorer Type Confusion
(CVE-2017-0037) (web_client.rules)
  2825386 - ETPRO TROJAN Observed Malicious SSL Cert (Zeus Variant)
(trojan.rules)
  2825387 - ETPRO EXPLOIT Possible Windows Graphics Component Info
Disclosure (CVE-2017-0038) (exploit.rules)
  2825388 - ETPRO EXPLOIT Possible Windows DLL Loading RCE Vulnerability
(CVE-2017-0039) (exploit.rules)
  2825389 - ETPRO EXPLOIT Possible Windows Media Player Info Disclosure
Vulnerability (CVE-2017-0042) (exploit.rules)
  2825390 - ETPRO WEB_CLIENT Microsoft Edge Type Confusion Vulnerability
(CVE-2017-0046) (web_client.rules)
  2825391 - ETPRO EXPLOIT Possible Scripting Engine Information Disclosure
Vulnerability (CVE-2017-0049) (exploit.rules)
  2825392 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory
Access M1 (CVE-2017-2984) (web_client.rules)
  2825393 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory
Access M2 (CVE-2017-2984) (web_client.rules)
  2825394 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory
Access M3 (CVE-2017-2984) (web_client.rules)
  2825395 - ETPRO WEB_CLIENT Possible Adobe Flash FLV parsing OOB Memory
Access (CVE-2017-2986) (web_client.rules)
  2825396 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory
Access M1 (CVE-2017-2990) (web_client.rules)
  2825397 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory
Access M2 (CVE-2017-2990) (web_client.rules)
  2825398 - ETPRO EXPLOIT Flash Player Heap Overflow (CVE-2017-2992)
(exploit.rules)
  2825399 - ETPRO EXPLOIT Flash Player Memory Corruption (CVE-2017-2991)
(exploit.rules)
  2825400 - ETPRO WEB_CLIENT Microsoft Browser Information Disclosure
Vulnerability (CVE-2017-0009) (web_client.rules)
  2825401 - ETPRO WEB_CLIENT Microsoft Edge Scripting Engine Memory
Corruption Vulnerability (CVE-2017-0015) (web_client.rules)
  2825402 - ETPRO WEB_CLIENT Microsoft Edge Information Disclosure
Vulnerability (CVE-2017-0017) (web_client.rules)
  2825403 - ETPRO WEB_CLIENT Internet Explorer Scripting Engine Memory
Corruption Vulnerability (CVE-2017-0018) (web_client.rules)
  2825404 - ETPRO WEB_CLIENT Microsoft Edge Memory Corruption Vulnerability
(CVE-2017-0034) (web_client.rules)
  2825405 - ETPRO WEB_CLIENT Microsoft IIS Server XSS Elevation of
Privilege Vulnerability (CVE-2017-0055) (web_client.rules)
  2825406 - ETPRO WEB_CLIENT Internet Explorer Information Disclosure
Vulnerability (CVE-2017-0059) (web_client.rules)
  2825407 - ETPRO EXPLOIT Windows GDI Information Disclosure vulnerability
(CVE-2017-0060) (exploit.rules)
  2825408 - ETPRO EXPLOIT GDI+ Information Disclosure Vulnerability
(CVE-2017-0062) (exploit.rules)
  2825409 - ETPRO WEB_CLIENT Microsoft Edge Scripting Engine Memory
Corruption Vulnerability (CVE-2017-0067) (web_client.rules)
  2825410 - ETPRO EXPLOIT Possible Edge SOP Bypass (CVE-2017-0066)
(exploit.rules)
  2825411 - ETPRO WEB_CLIENT Microsoft Edge Spoofing Vulnerability
(CVE-2017-0069) (web_client.rules)
  2825412 - ETPRO WEB_CLIENT Possible Edge JS UAF (CVE-2017-0070)
(web_client.rules)
  2825413 - ETPRO WEB_CLIENT Scripting Engine Memory Corruption
Vulnerability (CVE-2017-0071) (web_client.rules)
  2825414 - ETPRO EXPLOIT Uniscribe Remote Code Execution Vulnerability
(CVE-2017-0072) (exploit.rules)
  2825415 - ETPRO WEB_CLIENT Windows GDI+ Information Disclosure
Vulnerability (CVE-2017-0073) (web_client.rules)
  2825416 - ETPRO EXPLOIT Possible EXE Exploiting Win32k DDI EoP Inbound
(CVE-2017-0078) (exploit.rules)
  2825417 - ETPRO EXPLOIT Possible EXE Exploiting Win32k DDI EoP Inbound
(CVE-2017-0079) (exploit.rules)
  2825418 - ETPRO EXPLOIT Possible EXE Exploiting Win32k DDI Vulnerablity
Inbound (CVE-2017-0080) (exploit.rules)
  2825419 - ETPRO EXPLOIT Possible EXE Exploiting Win32k DDI Vulnerablity
Inbound (CVE-2017-0081) (exploit.rules)
  2825420 - ETPRO EXPLOIT Possible EXE Exploiting Win32k Vulnerablity
Inbound (CVE-2017-0082) (exploit.rules)
  2825421 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution
Vulnerability (CVE-2017-0083) (exploit.rules)
  2825422 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution
Vulnerability (CVE-2017-0086) (exploit.rules)
  2825423 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution
Vulnerability (CVE-2017-0087) (exploit.rules)
  2825424 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution
Vulnerability (CVE-2017-0088) (exploit.rules)
  2825425 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution
Vulnerability (CVE-2017-0089) (exploit.rules)
  2825426 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution
Vulnerability (CVE-2017-0090) (exploit.rules)
  2825427 - ETPRO WEB_CLIENT Internet Explorer Information Disclosure
Vulnerability (CVE-2017-0094) (web_client.rules)
  2825428 - ETPRO EXPLOIT Windows COM Elevation of Privilege Vulnerability
(CVE-2017-0100) (exploit.rules)
  2825429 - ETPRO CURRENT_EVENTS Successful Scotiabank Phish Mar 14 2017
(current_events.rules)
  2825430 - ETPRO EXPLOIT Windows Graphics Component Remote Code Execution
Vulnerability (CVE-2017-0108) (exploit.rules)
  2825431 - ETPRO EXPLOIT Windows Uniscribe Information Disclosure
Vulnerability (CVE-2017-0121) (exploit.rules)
  2825432 - ETPRO EXPLOIT Possible Internet Explorer Type Confusion
(CVE-2017-0130) (exploit.rules)
  2825433 - ETPRO EXPLOIT Possible Edge OOB Read Vulnerability
(CVE-2017-0131) (exploit.rules)
  2825434 - ETPRO EXPLOIT Possible Edge Core Type Confusion (CVE-2017-0133)
(exploit.rules)
  2825435 - ETPRO EXPLOIT Possible Edge Fetch API Vulnerability
(CVE-2017-0140) (exploit.rules)
  2825436 - ETPRO EXPLOIT Possible Edge Heap Overflow Access Violation
(CVE-2017-0141) (exploit.rules)
  2825437 - ETPRO EXPLOIT Possible Internet Explorer 11 UXSS
(CVE-2017-0154) (exploit.rules)
  2825438 - ETPRO WEB_CLIENT Possible Flash Memory Corruption Vulnerability
(CVE-2017-2998) (web_client.rules)
  2825439 - ETPRO WEB_CLIENT Possible Flash Memory Corruption Vulnerability
(CVE-2017-2997) (web_client.rules)
  2825440 - ETPRO WEB_CLIENT Possible Flash Memory Corruption Vulnerability
(CVE-2017-2999) (web_client.rules)
  2825441 - ETPRO WEB_CLIENT Possible Flash Memory Corruption Vulnerability
(CVE-2017-3002) (web_client.rules)
  2825442 - ETPRO WEB_CLIENT Possible Flash Memory Corruption Vulnerability
(CVE-2017-3003) (web_client.rules)
  2825443 - ETPRO CURRENT_EVENTS Successful Paypal Phish Mar 14 2017
(current_events.rules)
  2825444 - ETPRO MOBILE_MALWARE Android/TrojanDownloader.Agent.BF APK
Download (mobile_malware.rules)
  2825445 - ETPRO CURRENT_EVENTS INTERAC Payment Multibank Phishing Landing
Mar 14 2017 (current_events.rules)
  2825446 - ETPRO CURRENT_EVENTS Successful IRS Phish Mar 14 2017
(current_events.rules)
  2825447 - ETPRO TROJAN DNS Query to Cerber Domain (14udep . top)
(trojan.rules)
  2825448 - ETPRO TROJAN DNS Query to Cerber Domain (1bzolk . top)
(trojan.rules)
  2825449 - ETPRO TROJAN DNS Query to Cerber Domain (1axzcw . top)
(trojan.rules)
  2825450 - ETPRO TROJAN DNS Query to Cerber Domain (1jhnvt . top)
(trojan.rules)
  2825451 - ETPRO TROJAN DNS Query to Cerber Domain (1dsdm4 . top)
(trojan.rules)
  2825452 - ETPRO TROJAN DNS Query to Cerber Domain (13xwn9 . top)
(trojan.rules)
  2825453 - ETPRO TROJAN NexusLogger SSL Certificate (trojan.rules)
  2825454 - ETPRO CURRENT_EVENTS Successful Yahoo Phish Mar 14 2017
(current_events.rules)
  2825455 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.EzSpy.a CnC Beacon
(mobile_malware.rules)
  2825456 - ETPRO CURRENT_EVENTS Successful Email Settings Error Phish Mar
14 2017 (current_events.rules)
  2825457 - ETPRO CURRENT_EVENTS Successful Chase Phish Mar 14 2017
(current_events.rules)
  2825458 - ETPRO TROJAN Banload Variant Checkin (trojan.rules)
  2825459 - ETPRO TROJAN ZLoader Malicious SSL Cert Observed (trojan.rules)
  2825460 - ETPRO MOBILE_MALWARE Android.Adware.Iadpush.C Checkin
(mobile_malware.rules)
  2825461 - ETPRO CURRENT_EVENTS Successful Excel Online Phish Mar 14 2017
(current_events.rules)


 [///]     Modified active rules:     [///]

  2014726 - ET POLICY Outdated Windows Flash Version IE (policy.rules)
  2821014 - ETPRO WEB_CLIENT suspicious .CAB containing single executable
file (observed in maldoc campaign) (web_client.rules)
  2825239 - ETPRO TROJAN Lets Encrypt Free SSL Cert Observed in Possible
Apple Phishing (trojan.rules)


 [---]         Removed rules:         [---]


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
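A practitioner ingesting these summaries usually wants two things checked by machine rather than by eye: that the "CVE to ET Sid mapping" block and the "Added rules" list agree (every CVE-tagged ETPRO rule has a mapping line, every mapping line points at an added rule whose msg names that CVE, and one CVE may fan out to several M1/M2 signatures), and that the header arithmetic ("6 new Open signatures, 94 new Pro (6 + 88)") matches what was actually listed. This post itself shows why that matters: 2825442 carries CVE-2017-3003, but the mapping block has no line for it. The script below is an added example, not code from the Emerging Threats post or project. It parses the summary's own layout (the "[+++] ... [+++]" banners, the mailer's wrapped rule lines, the "CVE->sid" pairs) and reports the inconsistencies. SAMPLE is a constructed excerpt trimmed to a few entries from the list above so the script runs offline; the function and variable names are this example's own.

```python
"""Cross-check an Emerging Threats daily update summary. Added example, not
code from the ET post or project; SAMPLE is a constructed excerpt of the
2017/03/14 post, kept in the mailing list's own line-wrapped layout."""
import re
from collections import defaultdict

SAMPLE = """\
 [***]            Summary:            [***]

 1 new Open signatures, 4 new Pro (1 + 3). MAPP, Terror EK, Various
Phishing.

 CVE to ET Sid mapping for MAPP:

 CVE-2017-0023->2825379
 CVE-2017-0023->2825380

 [+++]          Added rules:          [+++]

  2024053 - ET CURRENT_EVENTS Terror EK Payload Download M1 Mar 14 2017
(current_events.rules)
  2825379 - ETPRO WEB_CLIENT Microsoft Edge PDF Parsing RCE M1
(CVE-2017-0023) (web_client.rules)
  2825380 - ETPRO WEB_CLIENT Microsoft Edge PDF Parsing RCE M2
(CVE-2017-0023) (web_client.rules)
  2825442 - ETPRO WEB_CLIENT Possible Flash Memory Corruption Vulnerability
(CVE-2017-3003) (web_client.rules)

 [///]     Modified active rules:     [///]
"""

SECTION_RE = re.compile(r"^\s*\[(?:\*{3}|\+{3}|/{3}|-{3})\]\s+(.+?):\s+\[")
COUNT_RE = re.compile(r"(\d+) new Open signatures, (\d+) new Pro \((\d+) \+ (\d+)\)")
MAP_RE = re.compile(r"^\s*(CVE-\d{4}-\d{4,})->(\d{7})\s*$")
RULE_RE = re.compile(r"^(\d{7}) - (.+) \(([\w-]+\.rules)\)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def split_sections(text):
    """Group lines under the '[+++] Added rules: [+++]' style banners."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = m.group(1).strip()
        elif current is not None:
            sections[current].append(line)
    return sections

def parse_counts(summary_lines):
    """Header counts; the list wraps this sentence, so join the lines first."""
    m = COUNT_RE.search(" ".join(l.strip() for l in summary_lines))
    return dict(zip(("open", "pro_total", "pro_open", "pro_only"), map(int, m.groups())))

def parse_mapping(summary_lines):
    """'CVE-YYYY-NNNN->sid' pairs; one CVE may map to several M1/M2 sids."""
    return [(m.group(1), int(m.group(2)))
            for m in map(MAP_RE.match, summary_lines) if m]

def parse_rules(section_lines):
    """Re-join entries the mailer wrapped, then split into sid / msg / file."""
    entries = []
    for line in section_lines:
        if re.match(r"\s*\d{7} - ", line):
            entries.append(line.strip())
        elif line.strip() and entries:   # continuation of a wrapped entry
            entries[-1] += " " + line.strip()
    rules = []
    for entry in entries:
        if not (m := RULE_RE.match(entry)):
            raise ValueError(f"unparseable rule entry: {entry!r}")
        rules.append({"sid": int(m.group(1)), "msg": m.group(2),
                      "file": m.group(3), "cves": CVE_RE.findall(m.group(2))})
    return rules

def cross_check(text):
    """Return the inconsistencies between header, mapping and rule list."""
    s = split_sections(text)
    counts, mapping = parse_counts(s["Summary"]), parse_mapping(s["Summary"])
    added, findings = parse_rules(s["Added rules"]), []
    # "ET " msgs are Open rules, "ETPRO " msgs Pro-only; compare with the header.
    n_open = sum(r["msg"].startswith("ET ") for r in added)
    n_pro = sum(r["msg"].startswith("ETPRO ") for r in added)
    if (n_open, n_pro) != (counts["open"], counts["pro_only"]):
        findings.append(f"count mismatch: header {counts}, list {n_open}+{n_pro}")
    # Each mapping entry must name an added rule whose msg carries that CVE ...
    cves_by_sid = {r["sid"]: r["cves"] for r in added}
    for cve, sid in mapping:
        if cve not in cves_by_sid.get(sid, []):
            findings.append(f"mapping {cve}->{sid} has no matching added rule")
    # ... and each CVE-tagged added rule must appear in the mapping.
    for r in added:
        for cve in r["cves"]:
            if (cve, r["sid"]) not in mapping:
                findings.append(f"rule {r['sid']} ({cve}) has no mapping entry")
    return findings

if __name__ == "__main__":
    for finding in cross_check(SAMPLE):
        print("FINDING:", finding)
```

Run against the excerpt, the only finding is the one visible in the post above: rule 2825442 (CVE-2017-3003) has no mapping entry. To check a real update, read a saved copy of the post into a string and pass it to cross_check in place of SAMPLE; the Open/Pro split is taken from the "ET " versus "ETPRO " msg prefix, which is the reliable discriminator since SIDs such as 2825386 and 2825429 sit inside the CVE block's number range without carrying a CVE.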