[Emerging-updates] Daily Ruleset Update Summary 2017/11/01

Travis Green tgreen at emergingthreats.net
Wed Nov 1 17:34:01 EDT 2017


[***]            Summary:            [***]

1 new Open, 9 new Pro (1 + 8). Oracle Identity Manager Attempt,
Win32/LockeR, Various Phishing, Various Mobile.


[+++]          Added rules:          [+++]

Open:

 2024941 - ET EXPLOIT Possible Oracle Identity Manager Attempt to Logon
with default account (exploit.rules)

Pro:

 2828482 - ETPRO TROJAN Win32/LockeR Ransomware CnC Activity (trojan.rules)
 2828483 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
241 (mobile_malware.rules)
 2828484 - ETPRO CURRENT_EVENTS Successful Spotify Phish M1 Nov 01 2017
(current_events.rules)
 2828485 - ETPRO CURRENT_EVENTS Successful Spotify Phish M2 Nov 01 2017
(current_events.rules)
 2828486 - ETPRO CURRENT_EVENTS Successful Generic Mailbox Phish Nov 01
2017 (current_events.rules)
 2828488 - ETPRO POLICY External IP Lookup Domain (iplogger .com in TLS
SNI) (policy.rules)
 2828489 - ETPRO TROJAN Win32.Trojan.hh CnC Activity (trojan.rules)
 2828490 - ETPRO TROJAN Meterpreter SSL Certificate (trojan.rules)


[///]     Modified active rules:     [///]

 2011456 - ET WEB_CLIENT PROPFIND Flowbit Set (web_client.rules)
 2011457 - ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share
Possible DLL Preloading Exploit Attempt (web_client.rules)
 2016530 - ET TROJAN W32/Asprox.FakeAV Affiliate Second Stage Download
Location Request (trojan.rules)
 2016531 - ET TROJAN W32/Asprox.FakeAV Affiliate Download Location Response
- Likely Pay-Per-Install For W32/Papras.Spy or W32/ZeroAccess (trojan.rules)
 2024937 - ET TROJAN Downeks/Quasar DNS Lookup (cloudns .club)
(trojan.rules)
 2024938 - ET TROJAN Downeks/Quasar DNS Lookup (topsite .life)
(trojan.rules)
 2024939 - ET TROJAN Downeks/Quasar DNS Lookup (updatesforme .club)
(trojan.rules)
 2816609 - ETPRO CURRENT_EVENTS Successful Free.fr Phish Mar 10 2016
(current_events.rules)
 2826070 - ETPRO TROJAN Silence Downloader Dropped by CVE-2017-0199
(trojan.rules)
 2826518 - ETPRO TROJAN DNS Query matching Cerber Domain Format (.top TLD)
(trojan.rules)
 2827133 - ETPRO POLICY Observed DNS Request to iplogger.com for External
IP Address Lookup (policy.rules)
 2827246 - ETPRO TROJAN DNS Query matching Cerber Domain Format (.bid TLD)
(trojan.rules)


[///]    Modified inactive rules:    [///]

 2800656 - ETPRO DOS Microsoft Windows Active Directory LDAP SearchRequest
Denial of Service Attempt 2 (dos.rules)


[---]  Disabled and modified rules:  [---]

 2003479 - ET POLICY Radmin Remote Control Session Setup Initiate
(policy.rules)
 2013936 - ET POLICY SSH banner detected on TCP 443 likely proxy evasion
(policy.rules)
 2021307 - ET CURRENT_EVENTS CottonCastle/Niteris EK Exploit URI Struct
June 19 2015 (current_events.rules)
 2021309 - ET CURRENT_EVENTS CottonCastle/Niteris EK Flash Exploit URI
Struct June 19 2015 (current_events.rules)
 2023017 - ET TELNET SUSPICIOUS busybox shell (telnet.rules)
 2023018 - ET TELNET SUSPICIOUS busybox enable (telnet.rules)
 2800654 - ETPRO DOS Microsoft Windows Active Directory LDAP SearchRequest
Denial of Service Attempt Flowbit Set (dos.rules)
 2800701 - ETPRO EXPLOIT Nullsoft Winamp Midi File Header Handling Buffer
Overflow (exploit.rules)
 2802960 - ETPRO TROJAN Win32.SpyEye.cuk Checkin flowbit SET (trojan.rules)
 2803427 - ETPRO TROJAN Common Trojan Header Pattern Accept with double
slash (trojan.rules)
 2804964 - ETPRO TROJAN Win32.Nitol.B/Ahea.gen Checkin (trojan.rules)
 2816338 - ETPRO CURRENT_EVENTS Possible Angler EK SilverLight Exploit Feb
22 M1 (current_events.rules)
 2821706 - ETPRO CURRENT_EVENTS Docusign Phishing Landing Aug 17 2016
(current_events.rules)
 2823170 - ETPRO CURRENT_EVENTS MalDoc Requesting Payload Nov 08
(current_events.rules)
 2823253 - ETPRO CURRENT_EVENTS MalDoc Requesting Payload Nov 14 2016
(current_events.rules)
 2823861 - ETPRO CURRENT_EVENTS Successful Captcha Entered Leading to
Ursnif Download Dec 13 2016 (current_events.rules)
 2823894 - ETPRO CURRENT_EVENTS Magnitude EK Landing Dec 14 2016
(current_events.rules)


[---]         Disabled rules:        [---]

 2002850 - ET FTP USER login flowbit (ftp.rules)
 2010647 - ET TROJAN Lethic Spambot CnC Initial Connect Bot Response
(trojan.rules)
 2011241 - ET EXPLOIT M3U File Request Flowbit Set (exploit.rules)
 2018855 - ET TROJAN Possible ClickFraud Trojan Socks5 Connection
(trojan.rules)
 2021630 - ET TROJAN MS Terminal Server Single Character Login possible
Morto inbound (trojan.rules)
 2800615 - ETPRO EXPLOIT MailEnable IMAP Service Name Buffer Overflow
(exploit.rules)
 2800710 - ETPRO WEB_CLIENT Apple QuickTime RTSP URL Buffer Overflow
(web_client.rules)
 2802909 - ETPRO TROJAN Backdoor.Win32.Dorkbot.B IRC Login (trojan.rules)
 2802912 - ETPRO TROJAN Backdoor.Nervos.A Checkin to Server (trojan.rules)
 2803051 - ETPRO NETBIOS Microsoft Windows OLE Automation Remote Code
Execution SMB-DS Unicode (netbios.rules)
 2803052 - ETPRO NETBIOS Microsoft Windows OLE Automation Remote Code
Execution SMB-DS ASCII (netbios.rules)
 2803054 - ETPRO NETBIOS Microsoft Windows OLE Automation Remote Code
Execution SET (netbios.rules)
 2803209 - ETPRO TROJAN Trojan.Win32.Orsam Checkin Flowbit Set
(trojan.rules)
 2803384 - ETPRO EXPLOIT Sybase Open Server Null Byte Stack Memory
Corruption - SET (exploit.rules)
 2803403 - ETPRO WORM Worm.Win32.Autorun.hi Checkin - SET (worm.rules)
 2803453 - ETPRO TROJAN PSWTool.Win32.PassView.b FTP Push of User Data
Flowbit SET (trojan.rules)
 2803563 - ETPRO WORM Worm.Win32.Morto.A Propagating via Windows Remote
Desktop Protocol Flowbit Set (worm.rules)
 2803603 - ETPRO TROJAN Trojan.Win32.Agent.dcir Checkin (trojan.rules)
 2803617 - ETPRO TROJAN Trojan.Win32.Buzus.hond Checkin 2 - SET
(trojan.rules)
 2803781 - ETPRO TROJAN Trojan-Spy.W32/Banker.JGT Checkin - SET
(trojan.rules)
 2803950 - ETPRO TROJAN Trojan.Win32.Jorik.IRCbot.ddj Joining IRC channel -
SET (trojan.rules)
 2803964 - ETPRO SCADA IGSS 8 ODBC Server Multiple Remote Uninitialized
Pointer Free DoS - SET (scada.rules)
 2803992 - ETPRO TROJAN Backdoor.Win32/Rbot.gen Joining IRC channel - SET
(trojan.rules)
 2804019 - ETPRO TROJAN Trojan-Downloader.Win32.Generic Install - SET
(trojan.rules)
 2804041 - ETPRO TROJAN PSW.Banker6.KTO Checkin - SET (trojan.rules)
 2804534 - ETPRO TROJAN worm.win32/duptwux.a Checkin - SET (trojan.rules)
 2804583 - ETPRO MALWARE Generic AdClicker.p Install - SET (malware.rules)
 2804839 - ETPRO TROJAN Trojan-Dropper.Win32.Injector.dvnk Checkin - SET
(trojan.rules)
 2804912 - ETPRO WEB_CLIENT RTMPmsg Traffic (web_client.rules)
 2804913 - ETPRO WEB_CLIENT RTMPmsg Traffic 2 (web_client.rules)
 2805016 - ETPRO TROJAN Unknown Chinese Malware getting config INSTALL
(trojan.rules)
 2805142 - ETPRO CURRENT_EVENTS Possible WORM W32.Printlove spreading via
cve 2010-2729 (SPOOLSS StartDocPrinter request SET) (current_events.rules)
 2805363 - ETPRO TROJAN DATCK/BYCC DDOS bot Checkin - SET (trojan.rules)
 2807198 - ETPRO WEB_CLIENT SUSPICIOUS WordPerfect Document with .doc
extension 1 (web_client.rules)
 2807199 - ETPRO WEB_CLIENT SUSPICIOUS WordPerfect Document with .doc
extension 2 (web_client.rules)
 2807719 - ETPRO TROJAN PSW.Win32.Agent.afag Checkin (trojan.rules)
 2825622 - ETPRO WEB_SERVER JexBoss Common URI struct Observed 3 (INBOUND)
(web_server.rules)
 2825623 - ETPRO WEB_SERVER JexBoss Common URI struct Observed 4 (INBOUND)
(web_server.rules)
 2826174 - ETPRO TROJAN Possible Hajime Beacon (set) (trojan.rules)