[Emerging-updates] Daily Ruleset Update Summary 2017/11/28

Travis Green tgreen at emergingthreats.net
Tue Nov 28 13:49:33 EST 2017


[***]            Summary:            [***]

18 new Open, 20 new Pro (2 + 18). Win32/Ropest.H, Win32/DarkNeuron, Various
Mobile.

Thanks: @AttackDetection

[+++]          Added rules:          [+++]

Open:

 2025064 - ET CURRENT_EVENTS Possible Neutrino EK Landing Landing URI
Struct (fb set) (current_events.rules)
 2025065 - ET TROJAN Backdoor.Perl.Shellbot.cd IRC Bot that have DoS/DDoS
functions (trojan.rules)
 2025066 - ET CHAT IRC USER Likely bot with 0 0 colon checkin (chat.rules)
 2025067 - ET CHAT IRC USER Off-port Likely bot with 0 0 colon checkin
(chat.rules)
 2025068 - ET TROJAN Win32/Ropest.H CnC - INBOUND set (trojan.rules)
 2025069 - ET TROJAN Win32/Ropest.H CnC - INBOUND (trojan.rules)
 2025070 - ET TROJAN Possible Win32/Atraps Receiving Config via Image File
(steganography) (trojan.rules)
 2025071 - ET CURRENT_EVENTS Bingo Exploit Kit Landing May 08 2017
(current_events.rules)
 2025072 - ET TROJAN Patchwork DNS Tunneling (nsn1.winodwsupdates .me)
(trojan.rules)
 2025073 - ET TROJAN Patchwork Domain (randreports .org in DNS Lookup)
(trojan.rules)
 2025074 - ET TROJAN [PTsecurity] Bladabindi/njRAT (HAMAD versions)
(trojan.rules)
 2025075 - ET TROJAN Brazilian Banker SSL Cert (trojan.rules)
 2025076 - ET TROJAN Brazilian Banker SSL Cert (trojan.rules)
 2025077 - ET TROJAN [PTsecurity] Bladabindi/njRAT (Dd19271927)
(trojan.rules)
 2025078 - ET TROJAN Mirai Variant Domain (bigboatreps .pw in DNS Lookup)
(trojan.rules)
 2025079 - ET TROJAN Mirai Variant Domain (blacklister .nl in DNS Lookup)
(trojan.rules)
 2025080 - ET EXPLOIT Actiontec C1000A backdoor account M1 (exploit.rules)
 2025081 - ET TROJAN Patchwork Domain (rannd .org in DNS Lookup)
(trojan.rules)

Pro:

 2828711 - ETPRO TROJAN Win32/DarkNeuron POST Request to CnC (trojan.rules)
 2828712 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Agent.ck Checkin
(mobile_malware.rules)


[///]     Modified active rules:     [///]

 2017946 - ET TROJAN Agent.BAAB Checkin (trojan.rules)
 2020747 - ET TROJAN Win32.Chroject.B Requesting ClickFraud Commands from
CnC (trojan.rules)
 2020837 - ET CURRENT_EVENTS Malicious Doc Download EXE Primer (flowbits
set) (current_events.rules)
 2020838 - ET CURRENT_EVENTS Malicious Doc Downloading EXE
(current_events.rules)
 2024980 - ET EXPLOIT Actiontec C1000A backdoor account M2 (exploit.rules)
 2025063 - ET EXPLOIT Exim4 UAF Attempt (BDAT with non-printable chars)
(exploit.rules)
 2801301 - ETPRO USER_AGENTS Select Rebates Spyware UA Detected
(user_agents.rules)
 2805218 - ETPRO TROJAN Rogue.Win32/Winwebsec Install 3 (trojan.rules)
 2809579 - ETPRO TROJAN Win32/Sality.AT Checkin (trojan.rules)
 2810678 - ETPRO MALWARE Win32/4Shared Variant CnC Beacon (malware.rules)
 2820270 - ETPRO TROJAN Win32.Floxif.A Checkin (trojan.rules)
 2821948 - ETPRO TROJAN Trojan.MSIL.Ranos.A Bot USER Command (trojan.rules)


[///]    Modified inactive rules:    [///]

 2820646 - ETPRO NETBIOS Tree Connect AndX Request IPC$ Unicode
(netbios.rules)


[---]         Disabled rules:        [---]

 2017296 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack Jar Download
(current_events.rules)
 2017297 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download
(current_events.rules)
 2017300 - ET CURRENT_EVENTS Rawin -TDS - POST w/Java Version
(current_events.rules)
 2017301 - ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing
application page landing (current_events.rules)
 2017302 - ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing
application - findloader (current_events.rules)
 2017306 - ET CURRENT_EVENTS 0f2490 Hacked Site Response (Inbound)
(current_events.rules)
 2017307 - ET CURRENT_EVENTS 0f2490 Hacked Site Response (Outbound)
(current_events.rules)
 2017328 - ET CURRENT_EVENTS Unknown EK setSecurityManager hex August 14
2013 (current_events.rules)
 2017333 - ET CURRENT_EVENTS Styx EK - /jvvn.html (current_events.rules)
 2017370 - ET CURRENT_EVENTS AutoIT C&C Check-In 2013-08-23 URL
(current_events.rules)
 2017387 - ET CURRENT_EVENTS Unknown EK Landing Aug 27 2013
(current_events.rules)
 2017388 - ET CURRENT_EVENTS Possible Sweet Orange Payload Download Aug 28
2013 (current_events.rules)
 2017435 - ET CURRENT_EVENTS Unknown Bleeding EK Variant Landing JAR Sep 06
2013 (current_events.rules)
 2017450 - ET CURRENT_EVENTS Sakura Sep 10 2013 (current_events.rules)
 2017467 - ET CURRENT_EVENTS CottonCastle EK Java Jar
(current_events.rules)
 2017469 - ET CURRENT_EVENTS Possible SNET EK VBS Download
(current_events.rules)
 2017473 - ET CURRENT_EVENTS Possible CoolEK Variant Payload Download Sep
16 2013 (current_events.rules)
 2017483 - ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass
(current_events.rules)
 2017484 - ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass
(current_events.rules)
 2017485 - ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass
(current_events.rules)
 2017486 - ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass
(current_events.rules)
 2017488 - ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass
(current_events.rules)
 2017497 - ET CURRENT_EVENTS Rawin EK - Java Exploit - bona.jar
(current_events.rules)
 2017503 - ET CURRENT_EVENTS Unknown EK Used in various watering hole
attacks (current_events.rules)
 2017506 - ET CURRENT_EVENTS Sakura - Java Exploit Recieved - Atomic
(current_events.rules)
 2017507 - ET CURRENT_EVENTS Cushion Redirection (current_events.rules)
 2017509 - ET CURRENT_EVENTS Possible J7u21 click2play bypass
(current_events.rules)
 2017529 - ET CURRENT_EVENTS LightsOut EK Payload Download
(current_events.rules)
 2017530 - ET CURRENT_EVENTS Possible LightsOut EK info3i.html
(current_events.rules)
 2017531 - ET CURRENT_EVENTS Possible LightsOut EK info3i.php
(current_events.rules)
 2017532 - ET CURRENT_EVENTS Possible LightsOut EK inden2i.html
(current_events.rules)
 2017534 - ET CURRENT_EVENTS Possible LightsOut EK leks.html
(current_events.rules)
 2017535 - ET CURRENT_EVENTS Possible LightsOut EK negc.html
(current_events.rules)
 2017536 - ET CURRENT_EVENTS Possible LightsOut EK negq.html
(current_events.rules)
 2017537 - ET CURRENT_EVENTS Possible LightsOut EK leks.jar
(current_events.rules)
 2017538 - ET CURRENT_EVENTS Possible LightsOut EK start.jar
(current_events.rules)
 2017539 - ET CURRENT_EVENTS Possible LightsOut EK stoq.jar
(current_events.rules)
 2017540 - ET CURRENT_EVENTS Possible LightsOut EK erno_rfq.html
(current_events.rules)
 2017541 - ET CURRENT_EVENTS Possible LightsOut EK inden2i.php
(current_events.rules)
 2017542 - ET CURRENT_EVENTS Possible LightsOut EK gami.html
(current_events.rules)
 2017543 - ET CURRENT_EVENTS Possible LightsOut EK gami.jar
(current_events.rules)
 2017546 - ET CURRENT_EVENTS Possible FortDisco POP3 Site list download
(current_events.rules)
 2017547 - ET CURRENT_EVENTS CoolEK Jar Download Sep 30 2013
(current_events.rules)
 2017553 - ET CURRENT_EVENTS HiMan EK Reporting Host/Exploit Info
(current_events.rules)
 2017564 - ET CURRENT_EVENTS Unknown EK Landing (current_events.rules)
 2017576 - ET CURRENT_EVENTS Styx EK jply.html (current_events.rules)
 2017577 - ET CURRENT_EVENTS Fiesta EK Landing Oct 09 2013
(current_events.rules)
 2017578 - ET CURRENT_EVENTS Fake MS Security Update EK (Payload Download)
(current_events.rules)
 2017580 - ET CURRENT_EVENTS DotkaChef Payload October 09
(current_events.rules)
 2017589 - ET CURRENT_EVENTS Unknown EK Initial Payload Internet
Connectivity Check (current_events.rules)
 2017590 - ET CURRENT_EVENTS D-LINK Router Backdoor via Specific UA
(current_events.rules)
 2017591 - ET CURRENT_EVENTS Unknown Malvertising Related EK Landing Oct 14
2013 (current_events.rules)
 2017592 - ET CURRENT_EVENTS Unknown Malvertising Related EK Redirect Oct
14 2013 (current_events.rules)
 2017593 - ET CURRENT_EVENTS Neutrino EK Landing URI Format Oct 15 2013
(current_events.rules)
 2017602 - ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and
32/32 archive Oct 16 2013 (current_events.rules)
 2017621 - ET CURRENT_EVENTS Possible Cutwail Redirect to Magnitude EK
(current_events.rules)
 2017623 - ET CURRENT_EVENTS Tenda Router Backdoor 1 (current_events.rules)
 2017624 - ET CURRENT_EVENTS Tenda Router Backdoor 2 (current_events.rules)
 2017625 - ET CURRENT_EVENTS 81a338 Hacked Site Response (Outbound)
(current_events.rules)
 2017626 - ET CURRENT_EVENTS 81a338 Hacked Site Response (Inbound)
(current_events.rules)
 2017628 - ET CURRENT_EVENTS Possible Sakura Jar Download Oct 22 2013
(current_events.rules)
 2017629 - ET CURRENT_EVENTS FlashPack Oct 23 2013 (current_events.rules)
 2017631 - ET CURRENT_EVENTS Netgear WNDR4700 Auth Bypass
(current_events.rules)
 2017632 - ET CURRENT_EVENTS Netgear WNDR3700 Auth Bypass
(current_events.rules)
 2017638 - ET CURRENT_EVENTS Alpha Networks ADSL2/2+ router remote
administration password disclosure (current_events.rules)
 2017644 - ET CURRENT_EVENTS Host Domain .bit (current_events.rules)
 2017652 - ET CURRENT_EVENTS Possible Neutrino EK Landing URI Format Nov 1
2013 (current_events.rules)
 2017660 - ET CURRENT_EVENTS Malicious Cookie Set By Flash Malvertising
(current_events.rules)
 2017663 - ET CURRENT_EVENTS Fredcot campaign php5-cgi initial exploit
(current_events.rules)
 2017664 - ET CURRENT_EVENTS Fredcot campaign payload download
(current_events.rules)
 2017665 - ET CURRENT_EVENTS Fredcot campaign IRC CnC (current_events.rules)
 2017696 - ET CURRENT_EVENTS FaceBook IM & Web Driven Facebook Trojan
Download (current_events.rules)
 2017698 - ET CURRENT_EVENTS Magnitude Landing Nov 11 2013
(current_events.rules)
 2017711 - ET CURRENT_EVENTS Possible Fake Codec Download
(current_events.rules)
 2017735 - ET CURRENT_EVENTS WhiteLotus EK PluginDetect Nov 20 2013
(current_events.rules)
 2017739 - ET CURRENT_EVENTS Possible WhiteLotus Java Payload
(current_events.rules)
 2017744 - ET CURRENT_EVENTS StyX EK Payload Cookie (current_events.rules)
 2017745 - ET CURRENT_EVENTS Fake Media Player malware binary requested
(current_events.rules)
 2017786 - ET CURRENT_EVENTS SNET EK Activity Nov 27 2013
(current_events.rules)
 2017789 - ET CURRENT_EVENTS JJEncode Encoded Script Inside of PDF Likely
Evil (current_events.rules)
 2017791 - ET CURRENT_EVENTS Polling/Check-in/Compromise from fake DHL
mailing campaign (current_events.rules)
 2017792 - ET CURRENT_EVENTS Hostile fake DHL mailing campaign
(current_events.rules)
 2017794 - ET CURRENT_EVENTS HiMan EK - Flash Exploit (current_events.rules)
 2017796 - ET CURRENT_EVENTS HiMan EK - Landing Page (current_events.rules)
 2017797 - ET CURRENT_EVENTS HiMan EK - TDS - POST hyt=
(current_events.rules)
 2017813 - ET CURRENT_EVENTS Safe/CritX/FlashPack Payload
(current_events.rules)
 2017815 - ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Edwards Packed
PluginDetect (current_events.rules)
 2017819 - ET CURRENT_EVENTS Styx EK iexp.html (current_events.rules)
 2017826 - ET CURRENT_EVENTS SPL2 EK Landing Dec 09 2013
(current_events.rules)
 2017827 - ET CURRENT_EVENTS SPL2 EK Dec 09 2013 Java Request
(current_events.rules)
 2017840 - ET CURRENT_EVENTS Styx Exploit Kit - JAR Exploit
(current_events.rules)
 2017844 - ET CURRENT_EVENTS Styx Exploit Kit - EOT Exploit
(current_events.rules)
 2017847 - ET CURRENT_EVENTS Browlock Landing Page URI Struct
(current_events.rules)
 2017848 - ET CURRENT_EVENTS SPL2 EK SilverLight (current_events.rules)
 2017851 - ET CURRENT_EVENTS HiMan EK Exploit URI Struct
(current_events.rules)
 2017852 - ET CURRENT_EVENTS HiMan EK Secondary Landing
(current_events.rules)
 2017874 - ET CURRENT_EVENTS W32/BitCoinMiner Fake Flash Player
Distribution Campaign - December 2013 (current_events.rules)
 2017905 - ET CURRENT_EVENTS SofosFO/GrandSoft PDF (current_events.rules)
 2017906 - ET CURRENT_EVENTS TDS Unknown_.aso - URI - IP.aso
(current_events.rules)
 2017907 - ET CURRENT_EVENTS GoonEK Landing with CVE-2013-2551 Dec 29 2013
(current_events.rules)
 2017957 - ET CURRENT_EVENTS GoonEK Landing Jan 10 2014
(current_events.rules)
 2017958 - ET CURRENT_EVENTS Possible Neutrino EK SilverLight Exploit Jan
11 2014 (current_events.rules)
 2017987 - ET CURRENT_EVENTS Upatre SSL Compromised site appsredeeem
(current_events.rules)
 2017995 - ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 1
(current_events.rules)
 2017996 - ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 2
(current_events.rules)
 2017997 - ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 3
(current_events.rules)
 2018011 - ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013
(current_events.rules)
 2018029 - ET CURRENT_EVENTS ehow/livestrong Malicious Flash 10/11
(current_events.rules)
 2018035 - ET CURRENT_EVENTS StyX Landing Jan 29 2014 (current_events.rules)
 2018041 - ET CURRENT_EVENTS Current Asprox Spam Campaign
(current_events.rules)
 2018127 - ET CURRENT_EVENTS Goon EK Java JNLP URI Struct Feb 12 2014
(current_events.rules)
 2018135 - ET CURRENT_EVENTS Current Asprox Spam Campaign 2
(current_events.rules)
 2018161 - ET CURRENT_EVENTS Possible GoonEK Landing Feb 19 2014 1
(current_events.rules)
 2018162 - ET CURRENT_EVENTS Malicious Redirect Evernote Spam Campaign Feb
19 2014 (current_events.rules)
 2018163 - ET CURRENT_EVENTS GoonEK Landing Feb 19 2014 2
(current_events.rules)
 2018177 - ET CURRENT_EVENTS OnClick Anti-BOT TDS POST Feb 25 2014
(current_events.rules)
 2018178 - ET CURRENT_EVENTS OnClick Anti-BOT TDS Hidden Form Feb 25 2014
(current_events.rules)
 2018190 - ET CURRENT_EVENTS Possible FakeAV .exe.vbe HTTP
Content-Disposition (current_events.rules)
 2018196 - ET CURRENT_EVENTS Malicious Spam Redirection Feb 28 2014
(current_events.rules)
 2018206 - ET CURRENT_EVENTS Hello/LightsOut EK Secondary Landing
(current_events.rules)
 2018207 - ET CURRENT_EVENTS LightsOut EK Exploit/Payload Request
(current_events.rules)
 2018209 - ET CURRENT_EVENTS Rawin EK Java fakav.jar (current_events.rules)
 2018227 - ET CURRENT_EVENTS Rawin Flash Landing URI Struct March 05 2014
(current_events.rules)
 2018235 - ET CURRENT_EVENTS CritX/SafePack/FlashPack CVE-2013-2551
(current_events.rules)
 2018236 - ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight Secondary
Landing (current_events.rules)
 2018237 - ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight file as
eot (current_events.rules)
 2018238 - ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename
javadb.php (current_events.rules)
 2018239 - ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename
javaim.php (current_events.rules)
 2018240 - ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename
javarh.php (current_events.rules)
 2018298 - ET CURRENT_EVENTS GoonEK Landing Mar 20 2014
(current_events.rules)
 2018348 - ET CURRENT_EVENTS Possible Deep Panda WateringHole Related URI
Struct (current_events.rules)
 2018352 - ET CURRENT_EVENTS Possible FakeAV binary download (setup)
(current_events.rules)
 2018357 - ET CURRENT_EVENTS EvilTDS Redirection (current_events.rules)
 2018408 - ET CURRENT_EVENTS Fiesta PDF Exploit Download
(current_events.rules)
 2018410 - ET CURRENT_EVENTS Fiesta Flash Exploit Download
(current_events.rules)
 2018439 - ET CURRENT_EVENTS Common Bad Actor Indicators Used in Various
Targeted 0-day Attacks (current_events.rules)
 2802583 - ETPRO TROJAN Backdoor.Win32.Qakbot.E (Backdoor Communication)
(trojan.rules)
 2804838 - ETPRO TROJAN Savit.A Checkin (trojan.rules)
 2809257 - ETPRO EXPLOIT SChannel Possible Heap Overflow CVE-2014-6321
TLSv1.1 (exploit.rules)
 2809922 - ETPRO EXPLOIT Samba >= 3.5 CVE 2015-0240 Request (exploit.rules)
 2814971 - ETPRO TROJAN Liudoor Handshake Init (trojan.rules)


[---]         Removed rules:         [---]

 2017701 - ET CURRENT_EVENTS webr00t WebShell Access (current_events.rules)
 2017854 - ET CURRENT_EVENTS PHP script in OptimizePress Upload Directory
Possible WebShell Access (current_events.rules)
 2017969 - ET CURRENT_EVENTS Netgear passwordrecovered.cgi attempt
(current_events.rules)
 2018136 - ET CURRENT_EVENTS Linksys Router Returning Device Settings To
External Source (current_events.rules)
 2018232 - ET CURRENT_EVENTS Possible ZyXELs ZynOS Configuration Download
Attempt (Contains Passwords) (current_events.rules)
 2018279 - ET CURRENT_EVENTS MtGox Leak wallet stealer UA
(current_events.rules)
 2804958 - ETPRO TROJAN Backdoor.Perl.Shellbot.cd IRC Bot that have
DoS/DDoS functions (trojan.rules)
 2806660 - ETPRO CHAT IRC USER Likely bot with 0 0 colon checkin
(chat.rules)
 2806661 - ETPRO CHAT IRC USER Off-port Likely bot with 0 0 colon checkin
(chat.rules)
 2809094 - ETPRO TROJAN Win32/Ropest.H CnC - INBOUND set (trojan.rules)
 2809095 - ETPRO TROJAN Win32/Ropest.H CnC - INBOUND (trojan.rules)
 2816919 - ETPRO TROJAN Possible Win32/Atraps Receiving Config via Image
File (steganography) (trojan.rules)
 2820851 - ETPRO CURRENT_EVENTS Possible Neutrino EK Landing Landing URI
Struct (fb set) (current_events.rules)
 2826350 - ETPRO CURRENT_EVENTS Bingo Exploit Kit Landing May 08 2017
(current_events.rules)


-- 
PGP: 0xBED7B297
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
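Added example, not part of Travis Green's post and not Emerging Threats' own tooling: a small Python parser for this summary format, run over a constructed excerpt of the entries above. It pulls SID, ruleset (ET vs ETPRO), category, message and rules file out of the mailer-wrapped lines, then pairs each removed ETPRO SID with the new ET Open SID that carries the same category and message text. Eight of the Removed entries in this update are exactly that kind of Pro-to-Open move (2804958 -> 2025065, 2820851 -> 2025064, and so on), which matters if a local disable or suppress list still names the old SID. The pairing rule (same category and message in the same update) is my assumption, not something the post states; the remap helper and the sample text are likewise mine.

```python
"""Parse an Emerging Threats daily update summary into structured records
and detect Pro->Open SID moves. Added example; not ET's own code."""
import re
from collections import defaultdict

# Constructed excerpt of the 2017/11/28 summary, keeping the mailer's hard wraps.
SAMPLE = """\
[+++]          Added rules:          [+++]

Open:

 2025064 - ET CURRENT_EVENTS Possible Neutrino EK Landing Landing URI
Struct (fb set) (current_events.rules)
 2025065 - ET TROJAN Backdoor.Perl.Shellbot.cd IRC Bot that have DoS/DDoS
functions (trojan.rules)
 2025080 - ET EXPLOIT Actiontec C1000A backdoor account M1 (exploit.rules)

Pro:

 2828711 - ETPRO TROJAN Win32/DarkNeuron POST Request to CnC (trojan.rules)

[///]     Modified active rules:     [///]

 2024980 - ET EXPLOIT Actiontec C1000A backdoor account M2 (exploit.rules)

[---]         Removed rules:         [---]

 2804958 - ETPRO TROJAN Backdoor.Perl.Shellbot.cd IRC Bot that have
DoS/DDoS functions (trojan.rules)
 2820851 - ETPRO CURRENT_EVENTS Possible Neutrino EK Landing Landing URI
Struct (fb set) (current_events.rules)
"""

SECTION_RE = re.compile(r"^\[[+/\-]{3}\]\s+(.+?):\s+\[[+/\-]{3}\]\s*$")
SUBHEAD_RE = re.compile(r"^(Open|Pro):$")
ENTRY_START = re.compile(r"^\s*\d{7} - ")
# "<sid> - <ET|ETPRO> <CATEGORY> <message> (<file>.rules)"; greedy message so
# parenthesised text inside the message (e.g. "(fb set)") stays in it.
ENTRY_RE = re.compile(r"^\s*(\d{7}) - (ET|ETPRO) ([A-Z_]+) (.*) \((\S+\.rules)\)$")


def parse_summary(text):
    """Return {section name: [rule dict, ...]} from a summary mail body."""
    sections = defaultdict(list)
    section, pending = None, []

    def flush():
        if not pending:
            return
        joined = " ".join(pending)
        m = ENTRY_RE.match(joined)
        if not m:  # fail loudly rather than silently dropping an entry
            raise ValueError("unparsed entry: %r" % joined)
        sid, ruleset, category, msg, fname = m.groups()
        sections[section].append({"sid": int(sid), "ruleset": ruleset,
                                  "category": category, "msg": msg, "file": fname})
        pending.clear()

    for line in text.splitlines():
        line = line.rstrip()
        hdr = SECTION_RE.match(line)
        if hdr:
            flush()
            section = hdr.group(1)
        elif not line or SUBHEAD_RE.match(line):
            flush()
        elif ENTRY_START.match(line):
            flush()
            pending.append(line.strip())
        elif section is not None:
            pending.append(line.strip())  # mailer-wrapped continuation line
    flush()
    return dict(sections)


def migrations(parsed):
    """Map removed ETPRO SIDs to the ET Open SID added with the same
    category and message in the same update (assumed to be the same
    signature moved to the Open set)."""
    added = {(r["category"], r["msg"]): r["sid"]
             for r in parsed.get("Added rules", []) if r["ruleset"] == "ET"}
    return {r["sid"]: added[(r["category"], r["msg"])]
            for r in parsed.get("Removed rules", [])
            if r["ruleset"] == "ETPRO" and (r["category"], r["msg"]) in added}


def remap_sids(sids, moves):
    """Rewrite a local SID list (e.g. a suricata-update disable.conf) so it
    follows the moved signatures; SIDs without a move are kept as-is."""
    return [moves.get(s, s) for s in sids]


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    for name, rules in parsed.items():
        print("%s: %d" % (name, len(rules)))
    for old, new in sorted(migrations(parsed).items()):
        print("ETPRO %d -> ET %d" % (old, new))
```

Run it against the full mail body instead of SAMPLE to get all eight moves; anything that fails ENTRY_RE (a changed mail template, a message containing an unbalanced parenthesis) raises rather than being skipped, so a parse failure is visible instead of turning into a missing SID in your tuning.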