[Emerging-Sigs] Daily Ruleset Update Summary 11/21/2012

Will Metcalf wmetcalf at emergingthreatspro.com
Wed Nov 21 16:40:27 HAST 2012


[***]          Summary:          [***]

18 new Open rules. 5 new Pro rules. A couple of detection updates.

2015905 - 2015906 WSO webshell
2015917 - 2015920 C99 based webshells
2015907 - 2015914 Phishing seen along with webshell activity.
2015915 - 2015916 Cool EK Landing url
2015921 JPG CnC sig from Kevin Ross.

2805727 - 2805731 Daily Pro Trojan/Malware coverage.

[+++]          Added rules:          [+++]
  Open:
  2015905 - ET CURRENT_EVENTS WSO - WebShell Activity - WSO Title
(current_events.rules)
  2015906 - ET CURRENT_EVENTS WSO - WebShell Activity - POST structure
(current_events.rules)
  2015907 - ET CURRENT_EVENTS BoA -Account Phished (current_events.rules)
  2015908 - ET CURRENT_EVENTS BoA - PII Phished (current_events.rules)
  2015909 - ET CURRENT_EVENTS - BoA - Creds Phished (current_events.rules)
  2015910 - ET CURRENT_EVENTS Remax - AOL Creds (current_events.rules)
  2015911 - ET CURRENT_EVENTS Remax - Yahoo Creds (current_events.rules)
  2015912 - ET CURRENT_EVENTS Remax - Gmail Creds (current_events.rules)
  2015913 - ET CURRENT_EVENTS Remax - Hotmail Creds (current_events.rules)
  2015914 - ET CURRENT_EVENTS Remax - Other Creds (current_events.rules)
  2015915 - ET CURRENT_EVENTS CoolEK Landing Pattern (1)
(current_events.rules)
  2015916 - ET CURRENT_EVENTS CoolEK Landing Pattern (2)
(current_events.rules)
  2015917 - ET WEB_SERVER WebShell - D.K - Title (web_server.rules)
  2015918 - ET WEB_SERVER WebShell - Generic - c99shell based header
(web_server.rules)
  2015919 - ET WEB_SERVER WebShell - Generic - c99shell based header
w/colons (web_server.rules)
  2015920 - ET WEB_SERVER WebShell - Generic - c99shell based POST
structure w/multipart (web_server.rules)
  2015921 - ET CURRENT_EVENTS Spam Campaign JPG CnC Link
(current_events.rules)

  Pro:
  2805727 - ETPRO TROJAN Win32/Zlob.W Checkin (trojan.rules)
  2805728 - ETPRO TROJAN Unknown Trojan Checkin (trojan.rules)
  2805729 - ETPRO TROJAN liquid backdoor Checkin (trojan.rules)
  2805730 - ETPRO TROJAN Trojan-Downloader.Win32.Zlob.bv Checkin
(trojan.rules)
  2805731 - ETPRO TROJAN Trojan-PSW.Win32.QQDragon.y Checkin (trojan.rules)


[///]     Modified active rules:     [///]

  2014938 - ET WEB_CLIENT Potential MSXML2.DOMDocument Uninitialized Memory
Corruption CVE-2012-1889 (web_client.rules)
  2015555 - ET WEB_CLIENT Potential MSXML2.DOMDocument.4-6.0 Uninitialized
Memory Corruption CVE-2012-1889 (web_client.rules)
  2015556 - ET WEB_CLIENT Potential MSXML2.DOMDocument ActiveXObject
Uninitialized Memory Corruption Attempt (web_client.rules)
  2015557 - ET WEB_CLIENT Potential MSXML2.FreeThreadedDOMDocument
Uninitialized Memory Corruption Attempt (web_client.rules)

[/+/]     Restored rules:     [/+/]
  2007728 - ET TROJAN TROJ_PROX.AFV POST (trojan.rules)
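A quick way to act on a summary like the one above is to check that every announced SID actually landed in the local rule files and is enabled. The script below is an added example, not part of the mailing-list post and not an Emerging Threats tool. `SUMMARY_EXCERPT` is copied from the Open-rule lines of the Summary section; `LOCAL_RULES` is a constructed stand-in for a local current_events.rules / web_server.rules in which only the msg, sid and rev options come from the post and the detection options are placeholders, not the real rule bodies. The range syntax "A - B" in the summary is expanded to every SID from A through B inclusive.

```python
"""Check a local Suricata/Snort rule set against the SIDs named in an ET
daily ruleset update summary (added example, not part of the post)."""
import re
from typing import Dict, Iterable, Set

# Lines copied from the "Summary" section of the post. "A - B" announces
# every SID from A through B inclusive; a lone SID is a single rule.
SUMMARY_EXCERPT = """\
2015905 - 2015906 WSO webshell
2015917 - 2015920 C99 based webshells
2015921 JPG CnC sig from Kevin Ross.
"""

# Constructed stand-in for the local rule files. msg/sid/rev are taken from
# the post; the content options are placeholders, not the real ET rule bodies.
LOCAL_RULES = """\
# current_events.rules (constructed sample)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WSO - WebShell Activity - WSO Title"; flow:established,to_client; content:"PLACEHOLDER"; classtype:trojan-activity; sid:2015905; rev:1;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WSO - WebShell Activity - POST structure"; flow:established,to_server; content:"PLACEHOLDER"; classtype:trojan-activity; sid:2015906; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - D.K - Title"; flow:established,to_client; content:"PLACEHOLDER"; classtype:web-application-attack; sid:2015917; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header w/colons"; flow:established,to_client; content:"PLACEHOLDER"; classtype:web-application-attack; sid:2015919; rev:2;)
"""

SUMMARY_RE = re.compile(r"^\s*(\d{7})(?:\s*-\s*(\d{7}))?")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev:\s*(\d+)\s*;")


def expand_summary_sids(text: str) -> Set[int]:
    """Return every SID the summary lines announce, with ranges expanded."""
    sids: Set[int] = set()
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if not m:
            continue
        first = int(m.group(1))
        last = int(m.group(2)) if m.group(2) else first
        sids.update(range(first, last + 1))
    return sids


def parse_rules(text: str) -> Dict[int, dict]:
    """Map sid -> {"enabled": bool, "rev": int} for each rule line.

    A rule line that starts with '#' is present but disabled, which is how
    rule-management tools normally switch a rule off."""
    rules: Dict[int, dict] = {}
    for line in text.splitlines():
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue  # blank line, or a comment that is not a rule
        rev_m = REV_RE.search(line)
        rules[int(sid_m.group(1))] = {
            "enabled": not line.lstrip().startswith("#"),
            "rev": int(rev_m.group(1)) if rev_m else 0,
        }
    return rules


def audit(announced: Iterable[int], rules: Dict[int, dict]) -> dict:
    """Sort announced SIDs into enabled / disabled (sid -> rev) and missing."""
    result = {"enabled": {}, "disabled": {}, "missing": set()}
    for sid in sorted(announced):
        entry = rules.get(sid)
        if entry is None:
            result["missing"].add(sid)
        elif entry["enabled"]:
            result["enabled"][sid] = entry["rev"]
        else:
            result["disabled"][sid] = entry["rev"]
    return result


if __name__ == "__main__":
    report = audit(expand_summary_sids(SUMMARY_EXCERPT), parse_rules(LOCAL_RULES))
    for state, entries in report.items():
        print(f"{state:9s}", sorted(entries))
```

With the constructed sample, 2015906 shows up as disabled and 2015918, 2015920 and 2015921 as missing, which is the kind of gap to chase after a rule pull. The rev reported for each present rule is the value to compare against upstream for the entries under "Modified active rules"; a rule whose rev did not move after the update was not actually refreshed.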