[Emerging-updates] Daily Ruleset Update Summary 2017/11/27

Travis Green tgreen at emergingthreats.net
Mon Nov 27 12:05:37 EST 2017


[***]            Summary:            [***]

4 new Open, 17 new Pro (4 + 13). Exim4 UAF, Scarab IP Check, Chrome Cred
Stealing via Reflected SCF.

Note: about 250 rules have been updated to Suricata 4.0 rule syntax in the
4.0 rule fork as of today.


[+++]          Added rules:          [+++]


 2025060 - ET WEB_CLIENT Google Chrome Credential Stealing via SCF file
Reflected Request (web_client.rules)
 2025061 - ET WEB_CLIENT PowerShell call in script 1 (web_client.rules)
 2025062 - ET WEB_CLIENT PowerShell call in script 2 (web_client.rules)
 2025063 - ET EXPLOIT Exim4 UAF Attempt (BDAT with non-printable chars)
(exploit.rules)

Pro:

 2828652 - ETPRO MALWARE LabTechAgent PUA CnC Checkin (malware.rules)
 2828667 - ETPRO MALWARE Win32/Adware.Adposhel.A Checkin 5 (malware.rules)
 2828700 - ETPRO TROJAN W32/LTTMoney Checkin (trojan.rules)
 2828701 - ETPRO TROJAN Observed Malicious IP Check (W32/LTTMoney)
(trojan.rules)
 2828702 - ETPRO TROJAN Scarab Ransomware IP Check (trojan.rules)
 2828703 - ETPRO POLICY IP Check Domain (iplogger .co in DNS Lookup)
(policy.rules)
 2828704 - ETPRO POLICY IP Check Domain (iplogger .co in TLS SNI)
(policy.rules)
 2828705 - ETPRO POLICY IP Check Domain (iplogger .org in DNS Lookup)
(policy.rules)
 2828706 - ETPRO POLICY IP Check Domain (iplogger .org in TLS SNI)
(policy.rules)
 2828707 - ETPRO POLICY IP Check Domain (iplogger .info in DNS Lookup)
(policy.rules)
 2828708 - ETPRO POLICY IP Check Domain (iplogger .info in TLS SNI)
(policy.rules)
 2828709 - ETPRO INFO Commonly Abused File Sharing Site Domain Observed (a
.pomfe .co in DNS Lookup) (info.rules)
 2828710 - ETPRO INFO Commonly Abused File Sharing Site Domain Observed (a
.pomfe .co in TLS SNI) (info.rules)


[///]     Modified active rules:     [///]

 2003626 - ET MALWARE Double User-Agent (User-Agent User-Agent)
(malware.rules)
 2007727 - ET P2P possible torrent download (p2p.rules)
 2011540 - ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
(policy.rules)
 2011699 - ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)
(p2p.rules)
 2013907 - ET TROJAN ZAccess/Sirefef/MAX++/Jorik/Smadow Checkin
(trojan.rules)
 2016550 - ET TROJAN Win32/Fareit Checkin 2 (trojan.rules)
 2018380 - ET TROJAN Ixeshe/Mecklow Checkin 2 (trojan.rules)
 2018518 - ET TROJAN Trojan.Win32.VBKrypt.cugq/Umbra Checkin (trojan.rules)
 2019755 - ET TROJAN Bamital Headers - Likely CnC Beacon (trojan.rules)
 2021384 - ET USER_AGENTS WildTangent User-Agent (WT Games App)
(user_agents.rules)
 2022464 - ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 27 2016
(Evil Keitaro FB Set) (current_events.rules)
 2022465 - ET CURRENT_EVENTS Evil Redirector Leading to EK (Known Evil
Keitaro TDS) (current_events.rules)
 2023022 - ET TROJAN ProjectSauron Remsec DNS Lookup (myhomemusic. com)
(trojan.rules)
 2024218 - ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response
(exploit.rules)
 2024220 - ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)
(exploit.rules)
 2025020 - ET TROJAN Win32/Nivdort Checkin (trojan.rules)
 2025021 - ET CURRENT_EVENTS Successful Tesco Bank Phish (set) Jul 17 2017
(current_events.rules)
 2025022 - ET CURRENT_EVENTS Successful Tesco Phish (set) M1 Jul 18 2017
(current_events.rules)
 2025023 - ET CURRENT_EVENTS Successful Tesco Phish (set) M2 Jul 18 2017
(current_events.rules)
 2025024 - ET CURRENT_EVENTS Successful Tesco Phish (set) M3 Jul 18 2017
(current_events.rules)
 2025025 - ET CURRENT_EVENTS Successful Tesco Phish (set) M4 Jul 18 2017
(current_events.rules)
 2025026 - ET CURRENT_EVENTS Successful Generic Phish (set) Aug 21 2017
(current_events.rules)
 2025027 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) Aug 22
2017 (current_events.rules)
 2025028 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) Sep 19
2017 (current_events.rules)
 2025029 - ET CURRENT_EVENTS Successful Generic Phish (set) Sep 28 2017
(current_events.rules)
 2025030 - ET CURRENT_EVENTS Successful Generic Credit Card Information
Phish Oct 10 2017 (current_events.rules)
 2025031 - ET CURRENT_EVENTS Successful Office 365 Phish Oct 10 2017 (set)
(current_events.rules)
 2025032 - ET CURRENT_EVENTS Possible Successful Generic Phish (set) Oct 26
2017 (current_events.rules)
 2025033 - ET CURRENT_EVENTS Successful Generic Phish (set) Oct 30 2017
(current_events.rules)
 2025034 - ET CURRENT_EVENTS Possible Successful Generic Phish Nov 09 2017
(set) (current_events.rules)
 2025035 - ET TROJAN Netwire RAT Check-in 2 (trojan.rules)
 2025036 - ET TROJAN Netwire RAT Check-in 2 (trojan.rules)
 2025037 - ET CURRENT_EVENTS Dadong Exploit Kit Downloaded
(current_events.rules)
 2025038 - ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 24 2016
(Evil Keitaro FB Set) (current_events.rules)
 2025039 - ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 29 2016
(Evil Keitaro FB Set) (current_events.rules)
 2025040 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Jan 07 2015
(current_events.rules)
 2025041 - ET CURRENT_EVENTS Possible Job314/Neutrino Reboot EK Flash
Exploit Jan 07 2015 M1 (current_events.rules)
 2025042 - ET CURRENT_EVENTS Possible Job314/Neutrino Reboot EK Flash
Exploit Jan 07 2015 M2 (current_events.rules)
 2025043 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing May 31 2016
(current_events.rules)
 2025044 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11 2016
(current_events.rules)
 2025045 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11 2016
M2 (current_events.rules)
 2025046 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11 2016
M2 (current_events.rules)
 2025047 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11 2016
M3 (current_events.rules)
 2025048 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11 2016
M4 (with URI Primer) (current_events.rules)
 2025049 - ET CURRENT_EVENTS Job314/Neutrino EK Landing Jul 04 2016 M1
(current_events.rules)
 2025050 - ET CURRENT_EVENTS Job314/Neutrino EK Landing Jul 04 2016 M2
(current_events.rules)
 2025051 - ET CURRENT_EVENTS Job314/Neutrino EK Landing Jul 04 2016 M3
(current_events.rules)
 2025052 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016
M1 (current_events.rules)
 2025053 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016
M2 (current_events.rules)
 2025054 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016
M3 (current_events.rules)
 2025055 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016
M4 (current_events.rules)
 2025056 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016
M5 (current_events.rules)
 2025057 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016
M6 (current_events.rules)
 2025058 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016
M7 (current_events.rules)
 2025059 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07 2016
M8 (current_events.rules)
 2801292 - ETPRO USER_AGENTS Yoyo-DDoS Bot UA Detected Outbound
(user_agents.rules)
 2803437 - ETPRO TROJAN Backdoor.Win32.Shiz.ivr Checkin (trojan.rules)
 2804855 - ETPRO TROJAN Win32.Simda.Y/Win32.Shiz.awez DNS Query to
jecijyjudew.eu Domain (trojan.rules)
 2805803 - ETPRO TROJAN Taidoor Checkin 2 (trojan.rules)
 2809131 - ETPRO MALWARE PUP Optimizer Pro Checkin (malware.rules)
 2809343 - ETPRO MALWARE Win32/Techsnab.B Checkin (malware.rules)
 2809671 - ETPRO TROJAN Backdoor.Win32.Vawtrak Connectivity Check
(trojan.rules)
 2819999 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Shedun.V Checkin
(mobile_malware.rules)
 2820706 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Shedun.V Checkin 2
(mobile_malware.rules)


[---]  Disabled and modified rules:  [---]

 2018394 - ET TROJAN Common Upatre Header Structure (trojan.rules)
 2018481 - ET TROJAN Trojan.Win32.Webprefix checkin (trojan.rules)
 2020022 - ET TROJAN Possible VirLock Connectivity Check (trojan.rules)


[---]         Removed rules:         [---]

 2804614 - ETPRO CURRENT_EVENTS Dadong Exploit Kit Downloaded
(current_events.rules)
 2809785 - ETPRO TROJAN Win32/Nivdort Checkin (trojan.rules)
 2815643 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Jan 07
2015 (current_events.rules)
 2815662 - ETPRO CURRENT_EVENTS Possible Job314/Neutrino Reboot EK Flash
Exploit Jan 07 2015 M1 (current_events.rules)
 2815663 - ETPRO CURRENT_EVENTS Possible Job314/Neutrino Reboot EK Flash
Exploit Jan 07 2015 M2 (current_events.rules)
 2816388 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Feb 24 2016
(Evil Keitaro FB Set) (current_events.rules)
 2816439 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Feb 29 2016
(Evil Keitaro FB Set) (current_events.rules)
 2820400 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing May 31
2016 (current_events.rules)
 2820569 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11
2016 (current_events.rules)
 2820570 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11
2016 M2 (current_events.rules)
 2820849 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11
2016 M2 (current_events.rules)
 2820850 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11
2016 M3 (current_events.rules)
 2820852 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing June 11
2016 M4 (with URI Primer) (current_events.rules)
 2820967 - ETPRO CURRENT_EVENTS Job314/Neutrino EK Landing Jul 04 2016 M1
(current_events.rules)
 2820968 - ETPRO CURRENT_EVENTS Job314/Neutrino EK Landing Jul 04 2016 M2
(current_events.rules)
 2820969 - ETPRO CURRENT_EVENTS Job314/Neutrino EK Landing Jul 04 2016 M3
(current_events.rules)
 2821002 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07
2016 M1 (current_events.rules)
 2822174 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07
2016 M2 (current_events.rules)
 2822175 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07
2016 M3 (current_events.rules)
 2822176 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07
2016 M4 (current_events.rules)
 2822177 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07
2016 M5 (current_events.rules)
 2822178 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07
2016 M6 (current_events.rules)
 2822179 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07
2016 M7 (current_events.rules)
 2822180 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing July 07
2016 M8 (current_events.rules)
 2823498 - ETPRO TROJAN Netwire RAT Check-in 2 (trojan.rules)
 2823499 - ETPRO TROJAN Netwire RAT Check-in 2 (trojan.rules)
 2827180 - ETPRO CURRENT_EVENTS Successful Tesco Bank Phish (set) Jul 17
2017 (current_events.rules)
 2827183 - ETPRO CURRENT_EVENTS Successful Tesco Phish (set) M1 Jul 18 2017
(current_events.rules)
 2827184 - ETPRO CURRENT_EVENTS Successful Tesco Phish (set) M2 Jul 18 2017
(current_events.rules)
 2827185 - ETPRO CURRENT_EVENTS Successful Tesco Phish (set) M3 Jul 18 2017
(current_events.rules)
 2827186 - ETPRO CURRENT_EVENTS Successful Tesco Phish (set) M4 Jul 18 2017
(current_events.rules)
 2827597 - ETPRO CURRENT_EVENTS Successful Generic Phish (set) Aug 21 2017
(current_events.rules)
 2827609 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish (set) Aug
22 2017 (current_events.rules)
 2827894 - ETPRO USER_AGENTS Win32.Vaubeg.A UA (user_agents.rules)
 2827997 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish (set) Sep
19 2017 (current_events.rules)
 2828084 - ETPRO CURRENT_EVENTS Successful Generic Phish (set) Sep 28 2017
(current_events.rules)
 2828210 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish Oct 10 2017 (current_events.rules)
 2828230 - ETPRO CURRENT_EVENTS Successful Office 365 Phish Oct 10 2017
(set) (current_events.rules)
 2828443 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish (set) Oct
26 2017 (current_events.rules)
 2828473 - ETPRO CURRENT_EVENTS Successful Generic Phish (set) Oct 30 2017
(current_events.rules)
 2828586 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Nov 09
2017 (set) (current_events.rules)
 2828652 - ETPRO POLICY LabTechAgent PUA CnC Checkin (policy.rules)
 2828667 - ETPRO TROJAN MSIL/Agent.ATK POST to CnC (trojan.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>