April 2012 Microsoft/Adobe Patch Tuesday Coverage

| Bulletin | CVE | Title | Notes | ET Pro Coverage |
| --- | --- | --- | --- | --- |
| MS12-023 | 2012-0169 | JScript9 Remote Code Execution | Difficult to Exploit Reliably | Not Reliably Sigable. Will add exploit specific coverage as possible. |
| MS12-023 | 2012-0170 | OnReadyStateChange Remote Code Execution | Easy to Exploit | Not Reliably Sigable. Will add exploit specific coverage as possible. |
| MS12-023 | 2012-0171 | selectAll Remote Code Execution | Easy to Exploit | Continuing research. Likely not Reliably Sigable. |
| MS12-023 | 2012-0172 | VML Style Remote Code Execution | Easy to Exploit | 2804975 |
| MS12-028 | 2012-0177 | WPS Converter Vulnerability | Easy to Exploit | Continuing research. |
| MS12-024 | 2011-0151 | WinVerifyTrust Signature Validation | Exploit Code Likely | 2804792 – 2804794 |
| MS12-025 | 2012-0163 | .NET Framework Parameter Validation | Exploit Code Likely | Continuing research. |
| MS12-026 | 2012-0147 | Unfiltered Access to UAG Default Web Site | Info Disclosure | Not Reliably Sigable |
| MS12-027 | 2012-0158 | MSCOMCTL.OCX RCE | Exploits in the Wild | 2804796 – 2804800 |
| MS12-028 | 2012-0177 | Office WPS Converter Heap Overflow | Difficult to Exploit | Continuing research. |
| APSB12-08 | 2012-0774 | Adobe TTF Integer Overflow | | Not Reliably Sigable. Will add exploit specific coverage as possible. |
| APSB12-08 | 2012-0775 | Adobe PDF Javascript Add Button Dereference | Easily Exploitable | 2804791 |
| APSB12-08 | 2012-0776 | Adobe PDF Reader Security Bypass | Local Only | N/A |

Daily Ruleset Update Summary 4/9/2012

A light update today. Getting ready for the Patch Tuesday ruleset for tomorrow!

1 new Open rule, 1 rule moved from Pro to Open, and 4 new Pro Subscriber rules.

Enjoy!

[+++]          Added rules:          [+++]

2014534 – ET TROJAN OSX/Flashback.K/I User-Agent (trojan.rules)

2014535 – ET MALWARE BitCoinPlus Embedded site forcing visitors to mine BitCoins (malware.rules)

Pro rules:

2804782 – ETPRO TROJAN Virus.Win32.Sality.aa Checkin (trojan.rules)

2804783 – ETPRO TROJAN Win32.Sality.bh Checkin (trojan.rules)

2804784 – ETPRO TROJAN W32/Spyrat.A Checkin (trojan.rules)

2804785 – ETPRO TROJAN Likely Bot User Joining IRC (trojan.rules)

[///]     Modified active rules:     [///]

FN and performance fixes, most thanks to rmkml!

2001949 – ET WEB_SPECIFIC_APPS Athena Web Registration Remote Command Execution Attempt (web_specific_apps.rules)

2002671 – ET WEB_SPECIFIC_APPS Galerie ShowGallery.php SQL Injection attempt (web_specific_apps.rules)

2009005 – ET MALWARE Simbar Spyware User-Agent Detected (malware.rules)

2013500 – ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com (current_events.rules)

Rotated to the next few days of CnC Domains:

2804769 – ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-11-2012 (trojan.rules)

2804770 – ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-11-2012 (trojan.rules)

2804771 – ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-12-2012 (trojan.rules)

2804772 – ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-12-2012 (trojan.rules)

2804773 – ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-13-2012 (trojan.rules)

2804774 – ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-13-2012 (trojan.rules)

[---]         Removed rules:         [---]

Dupes and obsoletes:

2002863 – ET WEB_SERVER osCommerce vulnerable web application extras update.php exists (web_server.rules)

2013501 – ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com 2 (current_events.rules)

2013667 – ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?v Download Secondary Request (current_events.rules)

Moved to the Open ruleset:

2804762 – ETPRO TROJAN OSX/Flashback.K/I User-Agent (trojan.rules)

2002863 || ET DELETED osCommerce vulnerable web application extras update.php exists || url,doc.emergingthreats.net/2002863 || url,retrogod.altervista.org/oscommerce_22_adv.html

2013500 || ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com || url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx

2013501 || ET DELETED Known Fraudulent DigiNotar SSL Certificate for google.com 2 || url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx

2013667 || ET DELETED Likely Blackhole Exploit Kit Driveby ?v Download Secondary Request

2014534 || ET TROJAN OSX/Flashback.K/I User-Agent || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

2014535 || ET MALWARE BitCoinPlus Embedded site forcing visitors to mine BitCoins || url,www.bitcoinplus.com/miner/whatsthis || url,www.bitcoinplus.com/miner/embeddable

2501728 || ET COMPROMISED Known Compromised or Hostile Host Traffic (865) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

2501730 || ET COMPROMISED Known Compromised or Hostile Host Traffic (866) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

2501732 || ET COMPROMISED Known Compromised or Hostile Host Traffic (867) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

2520162 || ET TOR Known Tor Exit Node Traffic (82) || url,doc.emergingthreats.net/bin/view/Main/TorRules

2804769 || ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-11-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

2804770 || ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-11-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

2804771 || ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-12-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

2804772 || ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-12-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

2804773 || ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-13-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

2804774 || ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-13-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

2804782 || ETPRO TROJAN Virus.Win32.Sality.aa Checkin || md5,1e0e6717f72b66f6fc83f2ef6c00dcb7

2804783 || ETPRO TROJAN Win32.Sality.bh Checkin || md5,c15f4fe2e180150dc511aa64427404c5

2804784 || ETPRO TROJAN W32/Spyrat.A Checkin || md5,aadfb22d04e958092a3940fd5f274b9e

2804785 || ETPRO TROJAN Likely Bot User Joining IRC || md5,ab6513796297104d0cbba5268e2228a2

Daily Ruleset Update Summary 4/6/2012

12 new open rules, 14 new Pro Subscriber rules.

Lots on the Flashback trojan. Have a great weekend!

[+++]          Added rules:          [+++]

Moved over from the pro ruleset:

2014522 – ET TROJAN OSX/Flashback.K/I reporting successful infection (trojan.rules)

2014523 – ET TROJAN OSX/Flashback.K/I reporting successful infection 2 (trojan.rules)

2014524 – ET TROJAN OSX/Flashback.K/I reporting failed infection (trojan.rules)

2014525 – ET TROJAN OSX/Flashback.K first execution checkin (trojan.rules)

2014526 – ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client (current_events.rules)

2014527 – ET CURRENT_EVENTS Exploit Kit Delivering Compressed Flash Content to Client (current_events.rules)

2014528 – ET TROJAN W32/Taidoor.Backdoor Command Request CnC Checkin (trojan.rules)

2014529 – ET TROJAN W32/Taidoor.Backdoor CnC Checkin With Default Substitute MAC Address Field (trojan.rules)

2014530 – ET ATTACK_RESPONSE Metasploit Meterpreter stdapi_* Command Request (attack_response.rules)

2014531 – ET ATTACK_RESPONSE Metasploit Meterpreter core_channel_* Command Request (attack_response.rules)

2014532 – ET ATTACK_RESPONSE Metasploit Meterpreter stdapi_* Command Response (attack_response.rules)

2014533 – ET ATTACK_RESPONSE Metasploit Meterpreter core_channel_* Command Response (attack_response.rules)

Pro Subscriber rules:

2804768 – ETPRO TROJAN Win32.AutoTsifiri.n Related 0-0-0.info Checkin 2 (trojan.rules)

2804769 – ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-6-2012 (trojan.rules)

2804770 – ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-6-2012 (trojan.rules)

2804771 – ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-7-2012 (trojan.rules)

2804772 – ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-7-2012 (trojan.rules)

2804773 – ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-8-2012 (trojan.rules)

2804774 – ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-8-2012 (trojan.rules)

2804775 – ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-9-2012 (trojan.rules)

2804776 – ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-9-2012 (trojan.rules)

2804777 – ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-10-2012 (trojan.rules)

2804778 – ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-10-2012 (trojan.rules)

2804779 – ETPRO TROJAN Win32/Comisproc Checkin (trojan.rules)

2804780 – ETPRO TROJAN Win32/Comisproc Checkin 2 (trojan.rules)

2804781 – ETPRO POLICY DynDNS IP Check getip (policy.rules)

[///]     Modified active rules:     [///]

2009931 – ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt (web_specific_apps.rules)

2014309 – ET TROJAN W32/LockScreen Scareware Geolocation Request (trojan.rules)

Performance:

2802860 – ETPRO DNS Query to a Suspicious *-0-0.info domain (dns.rules)

2803740 – ETPRO TROJAN Worm.Win32.Balucaf.A Checkin (trojan.rules)

2804243 – ETPRO TROJAN Win32.AutoTsifiri.n Related 0-0-0.info Checkin 1 (trojan.rules)

[---]         Removed rules:         [---]

2804758 – ETPRO CURRENT_EVENTS OSX/Flashback.K/I reporting successful infection (current_events.rules)

2804759 – ETPRO TROJAN OSX/Flashback.K/I reporting successful infection 2 (trojan.rules)

2804760 – ETPRO TROJAN OSX/Flashback.K/I reporting failed infection (trojan.rules)

2804761 – ETPRO TROJAN OSX/Flashback.K first execution checkin (trojan.rules)

2014309 || ET TROJAN W32/LockScreen Scareware Geolocation Request || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf || url,www.abuse.ch/?p=3610

2014522 || ET TROJAN OSX/Flashback.K/I reporting successful infection || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

2014523 || ET TROJAN OSX/Flashback.K/I reporting successful infection 2 || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

2014524 || ET TROJAN OSX/Flashback.K/I reporting failed infection || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

2014525 || ET TROJAN OSX/Flashback.K first execution checkin || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

2014526 || ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client

2014527 || ET CURRENT_EVENTS Exploit Kit Delivering Compressed Flash Content to Client

2014528 || ET TROJAN W32/Taidoor.Backdoor Command Request CnC Checkin || url,www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks

2014529 || ET TROJAN W32/Taidoor.Backdoor CnC Checkin With Default Substitute MAC Address Field || url,www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks

2014530 || ET ATTACK_RESPONSE Metasploit Meterpreter stdapi_* Command Request

2014531 || ET ATTACK_RESPONSE Metasploit Meterpreter core_channel_* Command Request

2014532 || ET ATTACK_RESPONSE Metasploit Meterpreter stdapi_* Command Response

2014533 || ET ATTACK_RESPONSE Metasploit Meterpreter core_channel_* Command Response

2404202 || ET DROP Known Bot C&C Server Traffic (group 102) || url,abuse.ch || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/ShadowServerCC

2501726 || ET COMPROMISED Known Compromised or Hostile Host Traffic (864) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

2802860 || ETPRO DNS Query to a Suspicious *-0-0.info domain

2804243 || ETPRO TROJAN Win32.AutoTsifiri.n Related 0-0-0.info Checkin 1 || md5,330d2ba6af1f18031157bbcfae5c3256

2804768 || ETPRO TROJAN Win32.AutoTsifiri.n Related 0-0-0.info Checkin 2 || md5,94d7a8ade3ecc4957920c944cd23540b

2804769 || ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-6-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

2804770 || ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-6-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

2804771 || ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-7-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

2804772 || ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-7-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

2804773 || ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-8-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

2804774 || ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-8-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

2804775 || ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-9-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

2804776 || ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-9-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

2804777 || ETPRO TROJAN OSX/Flashback CnC Domain Lookup 4-10-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

2804778 || ETPRO TROJAN OSX/Flashback HTTP Request to CnC Domain 4-10-2012 || url,www.securelist.com/en/blog/208193441/Flashfake_Mac_OS_X_botnet_confirmed

2804779 || ETPRO TROJAN Win32/Comisproc Checkin

2804780 || ETPRO TROJAN Win32/Comisproc Checkin 2

2804781 || ETPRO POLICY DynDNS IP Check getip

Daily Ruleset Update Summary 4/5/2012

Big update today! 44 new Open rules and 10 new Pro rules.

[***] Results from Oinkmaster started Thu Apr  5 19:48:16 2012 [***]

[+++]          Added rules:          [+++]

Open:

2014478 – ET CURRENT_EVENTS DNS Query to a *.3d-game.com Dynamic DNS Domain (current_events.rules)
2014479 – ET CURRENT_EVENTS HTTP Request to a *.3d-game.com Dynamic DNS Domain (current_events.rules)
2014480 – ET CURRENT_EVENTS DNS Query to a *.4irc.com Dynamic DNS Domain (current_events.rules)
2014481 – ET CURRENT_EVENTS HTTP Request to a *.4irc.com Dynamic DNS Domain (current_events.rules)
2014482 – ET CURRENT_EVENTS DNS Query to a *.b0ne.com Dynamic DNS Domain (current_events.rules)
2014483 – ET CURRENT_EVENTS HTTP Request to a *.b0ne.com Dynamic DNS Domain (current_events.rules)
2014484 – ET CURRENT_EVENTS DNS Query to a *.bbsindex.com Dynamic DNS Domain (current_events.rules)
2014485 – ET CURRENT_EVENTS HTTP Request to a *.bbsindex.com Dynamic DNS Domain (current_events.rules)
2014486 – ET CURRENT_EVENTS DNS Query to a *.chatnook.com Dynamic DNS Domain (current_events.rules)
2014487 – ET CURRENT_EVENTS HTTP Request to a *.chatnook.com Dynamic DNS Domain (current_events.rules)
2014488 – ET CURRENT_EVENTS DNS Query to a *.darktech.org Dynamic DNS Domain (current_events.rules)
2014489 – ET CURRENT_EVENTS HTTP Request to a *.darktech.org Dynamic DNS Domain (current_events.rules)
2014490 – ET CURRENT_EVENTS DNS Query to a *.deaftone.com Dynamic DNS Domain (current_events.rules)
2014491 – ET CURRENT_EVENTS HTTP Request to a *.deaftone.com Dynamic DNS Domain (current_events.rules)
2014492 – ET CURRENT_EVENTS DNS Query to a *.dtdns.net Dynamic DNS Domain (current_events.rules)
2014493 – ET CURRENT_EVENTS HTTP Request to a *.dtdns.net Dynamic DNS Domain (current_events.rules)
2014494 – ET CURRENT_EVENTS DNS Query to a *.effers.com Dynamic DNS Domain (current_events.rules)
2014495 – ET CURRENT_EVENTS HTTP Request to a *.effers.com Dynamic DNS Domain (current_events.rules)
2014496 – ET CURRENT_EVENTS DNS Query to a *.etowns.net Dynamic DNS Domain (current_events.rules)
2014497 – ET CURRENT_EVENTS HTTP Request to a *.etowns.net Dynamic DNS Domain (current_events.rules)
2014498 – ET CURRENT_EVENTS DNS Query to a *.etowns.org Dynamic DNS Domain (current_events.rules)
2014499 – ET CURRENT_EVENTS HTTP Request to a *.etowns.org Dynamic DNS Domain (current_events.rules)
2014500 – ET CURRENT_EVENTS DNS Query to a *.flnet.org Dynamic DNS Domain (current_events.rules)
2014501 – ET CURRENT_EVENTS HTTP Request to a *.flnet.org Dynamic DNS Domain (current_events.rules)
2014502 – ET CURRENT_EVENTS DNS Query to a *.gotgeeks.com Dynamic DNS Domain (current_events.rules)
2014503 – ET CURRENT_EVENTS HTTP Request to a *.gotgeeks.com Dynamic DNS Domain (current_events.rules)
2014504 – ET CURRENT_EVENTS DNS Query to a *.scieron.com Dynamic DNS Domain (current_events.rules)
2014505 – ET CURRENT_EVENTS HTTP Request to a *.scieron.com Dynamic DNS Domain (current_events.rules)
2014506 – ET CURRENT_EVENTS DNS Query to a *.slyip.com Dynamic DNS Domain (current_events.rules)
2014507 – ET CURRENT_EVENTS HTTP Request to a *.slyip.com Dynamic DNS Domain (current_events.rules)
2014508 – ET CURRENT_EVENTS DNS Query to a *.slyip.net Dynamic DNS Domain (current_events.rules)
2014509 – ET CURRENT_EVENTS HTTP Request to a *.slyip.net Dynamic DNS Domain (current_events.rules)
2014510 – ET CURRENT_EVENTS DNS Query to a *.suroot.com Dynamic DNS Domain (current_events.rules)
2014511 – ET CURRENT_EVENTS HTTP Request to a *.suroot.com Dynamic DNS Domain (current_events.rules)
2014513 – ET TROJAN DNS Request for Zaletelly CnC Domain (trojan.rules)
2013023 – ET MOBILE_MALWARE DNS Query for gongfu-android.com DroidKungFu CnC Server (mobile_malware.rules)
2014514 – ET INFO EXE – OSX Executable Download – Multi Arch w/Intel(info.rules)
2014515 – ET INFO EXE – OSX Executable Download – Multi Arch w/PowerPC (info.rules)
2014516 – ET INFO EXE – OSX Executable Download – Intel Arch (info.rules)
2014517 – ET INFO EXE – OSX Executable Download – PowerPC Arch (info.rules)
2014518 – ET INFO EXE – OSX Disk Image Download (info.rules)
2014519 – ET INFO EXE – Served Inline HTTP (info.rules)
2014520 – ET INFO EXE – Served Attached HTTP (info.rules)
2014521 – ET CURRENT_EVENTS Possible Blackhole Landing to 8 chr folder plus index.html (current_events.rules)

Pro:
2804758 – ETPRO CURRENT_EVENTS OSX/Flashback.K/I reporting successful infection (current_events.rules)
2804759 – ETPRO TROJAN OSX/Flashback.K/I reporting successful infection 2 (trojan.rules)
2804760 – ETPRO TROJAN OSX/Flashback.K/I reporting failed infection (trojan.rules)
2804761 – ETPRO TROJAN OSX/Flashback.K first execution checkin (trojan.rules)
2804762 – ETPRO TROJAN OSX/Flashback.K/I User-Agent (trojan.rules)
2804763 – ETPRO TROJAN Win32/Psyokym.B Checkin (trojan.rules)
2804764 – ETPRO TROJAN W32/Fakevimes.gen!B Checkin (trojan.rules)
2804765 – ET TROJAN Dirt Jumper/Russkill v5 Checkin (trojan.rules)
2804766 – ETPRO TROJAN Trojan.Win32.TDSS.iqjw Checkin (trojan.rules)
2804767 – ETPRO TROJAN Trojan-Spy.Win32.Agent.bxuh Checkin (trojan.rules)

[///]     Modified active rules:     [///]
Open:
2014467 – ET TROJAN Win32.Datamaikon Checkin NewAgent (trojan.rules)
2014468 – ET TROJAN Win32.Datamaikon Checkin myAgent (trojan.rules)
2102580 – GPL WEB_CLIENT server negative Content-Length attempt (web_client.rules)

2014313 – ET POLICY Executable Download From DropBox (policy.rules)
2014333 – ET CURRENT_EVENTS OSX/Flashback Checkin via Twitter Hashtag Pepbyfadxeoa (current_events.rules)
2014353 – ET MALWARE W32/MediaGet.Adware Installer Download (malware.rules)
2014474 – ET INFO JAVA – Java Class Download (info.rules)

Pro:
2804666 – ETPRO TROJAN Khan DDoS Bot Checkin (trojan.rules)

[///]    Modified inactive rules:    [///]
2008673 – ET ACTIVEX Microsoft PicturePusher ActiveX Cross Site File Upload Attack (activex.rules)

[---]  Disabled and modified rules:  [---]

2014466 – ET TROJAN Win32.Datamaikon Checkin (trojan.rules)

[---]         Removed rules:         [---]
2001293 – ET MALWARE Featured-Results.com Agent Reporting Data (malware.rules)
2007755 – ET TROJAN Trojan-Downloader.Win32.Small.hkp Checkin via HTTP (trojan.rules)
2013023 – ET DNS DNS Query for gongfu-android.com DroidKungFu CnC Server (dns.rules)

No longer March… Will add one for May if the net’s still in use then:
2804639 – ETPRO TROJAN Flashback Mac Malware Twitter CnC Request for March 2012 (trojan.rules)

Daily Ruleset Update Summary 4/5/2012

Here’s a supplemental ruleset push for this morning. We’ll likely do another later today as well.

This adds 35 new Open rules, and 5 Pro rules.

Mac Flashback coverage added and file_data removed from a few suricata rules.

[+++]          Added rules:          [+++]

Open rules:

2014478 – ET CURRENT_EVENTS DNS Query to a *.3d-game.com Dynamic DNS Domain (current_events.rules)

2014479 – ET CURRENT_EVENTS HTTP Request to a *.3d-game.com Dynamic DNS Domain (current_events.rules)

2014480 – ET CURRENT_EVENTS DNS Query to a *.4irc.com Dynamic DNS Domain (current_events.rules)

2014481 – ET CURRENT_EVENTS HTTP Request to a *.4irc.com Dynamic DNS Domain (current_events.rules)

2014482 – ET CURRENT_EVENTS DNS Query to a *.b0ne.com Dynamic DNS Domain (current_events.rules)

2014483 – ET CURRENT_EVENTS HTTP Request to a *.b0ne.com Dynamic DNS Domain (current_events.rules)

2014484 – ET CURRENT_EVENTS DNS Query to a *.bbsindex.com Dynamic DNS Domain (current_events.rules)

2014485 – ET CURRENT_EVENTS HTTP Request to a *.bbsindex.com Dynamic DNS Domain (current_events.rules)

2014486 – ET CURRENT_EVENTS DNS Query to a *.chatnook.com Dynamic DNS Domain (current_events.rules)

2014487 – ET CURRENT_EVENTS HTTP Request to a *.chatnook.com Dynamic DNS Domain (current_events.rules)

2014488 – ET CURRENT_EVENTS DNS Query to a *.darktech.org Dynamic DNS Domain (current_events.rules)

2014489 – ET CURRENT_EVENTS HTTP Request to a *.darktech.org Dynamic DNS Domain (current_events.rules)

2014490 – ET CURRENT_EVENTS DNS Query to a *.deaftone.com Dynamic DNS Domain (current_events.rules)

2014491 – ET CURRENT_EVENTS HTTP Request to a *.deaftone.com Dynamic DNS Domain (current_events.rules)

2014492 – ET CURRENT_EVENTS DNS Query to a *.dtdns.net Dynamic DNS Domain (current_events.rules)

2014493 – ET CURRENT_EVENTS HTTP Request to a *.dtdns.net Dynamic DNS Domain (current_events.rules)

2014494 – ET CURRENT_EVENTS DNS Query to a *.effers.com Dynamic DNS Domain (current_events.rules)

2014495 – ET CURRENT_EVENTS HTTP Request to a *.effers.com Dynamic DNS Domain (current_events.rules)

2014496 – ET CURRENT_EVENTS DNS Query to a *.etowns.net Dynamic DNS Domain (current_events.rules)

2014497 – ET CURRENT_EVENTS HTTP Request to a *.etowns.net Dynamic DNS Domain (current_events.rules)

2014498 – ET CURRENT_EVENTS DNS Query to a *.etowns.org Dynamic DNS Domain (current_events.rules)

2014499 – ET CURRENT_EVENTS HTTP Request to a *.etowns.org Dynamic DNS Domain (current_events.rules)

2014500 – ET CURRENT_EVENTS DNS Query to a *.flnet.org Dynamic DNS Domain (current_events.rules)

2014501 – ET CURRENT_EVENTS HTTP Request to a *.flnet.org Dynamic DNS Domain (current_events.rules)

2014502 – ET CURRENT_EVENTS DNS Query to a *.gotgeeks.com Dynamic DNS Domain (current_events.rules)

2014503 – ET CURRENT_EVENTS HTTP Request to a *.gotgeeks.com Dynamic DNS Domain (current_events.rules)

2014504 – ET CURRENT_EVENTS DNS Query to a *.scieron.com Dynamic DNS Domain (current_events.rules)

2014505 – ET CURRENT_EVENTS HTTP Request to a *.scieron.com Dynamic DNS Domain (current_events.rules)

2014506 – ET CURRENT_EVENTS DNS Query to a *.slyip.com Dynamic DNS Domain (current_events.rules)

2014507 – ET CURRENT_EVENTS HTTP Request to a *.slyip.com Dynamic DNS Domain (current_events.rules)

2014508 – ET CURRENT_EVENTS DNS Query to a *.slyip.net Dynamic DNS Domain (current_events.rules)

2014509 – ET CURRENT_EVENTS HTTP Request to a *.slyip.net Dynamic DNS Domain (current_events.rules)

2014510 – ET CURRENT_EVENTS DNS Query to a *.suroot.com Dynamic DNS Domain (current_events.rules)

2014511 – ET CURRENT_EVENTS HTTP Request to a *.suroot.com Dynamic DNS Domain (current_events.rules)

2014513 – ET TROJAN DNS Request for Zaletelly CnC Domain (trojan.rules)

Pro Subscriber rules:

2804758 – ETPRO CURRENT_EVENTS OSX/Flashback.K/I reporting successful infection (current_events.rules)

2804759 – ETPRO TROJAN OSX/Flashback.K/I reporting successful infection 2 (trojan.rules)

2804760 – ETPRO TROJAN OSX/Flashback.K/I reporting failed infection (trojan.rules)

2804761 – ETPRO TROJAN OSX/Flashback.K first execution checkin (trojan.rules)

2804762 – ETPRO TROJAN OSX/Flashback.K/I User-Agent (trojan.rules)

[///]     Modified active rules:     [///]

2014313 – ET POLICY Executable Download From DropBox (policy.rules)

2014333 – ET CURRENT_EVENTS OSX/Flashback Checkin via Twitter Hashtag Pepbyfadxeoa (current_events.rules)

2014353 – ET MALWARE W32/MediaGet.Adware Installer Download (malware.rules)

2014474 – ET INFO JAVA – Java Class Download (info.rules)

[---]         Removed rules:         [---]

No longer March… Will add one for May if the net’s still in use then:

2804639 – ETPRO TROJAN Flashback Mac Malware Twitter CnC Request for March 2012 (trojan.rules)

2014333 || ET CURRENT_EVENTS OSX/Flashback Checkin via Twitter Hashtag Pepbyfadxeoa || url,blog.intego.com/flashback-mac-malware-uses-twitter-as-command-and-control-center/

2014478 || ET CURRENT_EVENTS DNS Query to a *.3d-game.com Dynamic DNS Domain

2014479 || ET CURRENT_EVENTS HTTP Request to a *.3d-game.com Dynamic DNS Domain

2014480 || ET CURRENT_EVENTS DNS Query to a *.4irc.com Dynamic DNS Domain

2014481 || ET CURRENT_EVENTS HTTP Request to a *.4irc.com Dynamic DNS Domain

2014482 || ET CURRENT_EVENTS DNS Query to a *.b0ne.com Dynamic DNS Domain

2014483 || ET CURRENT_EVENTS HTTP Request to a *.b0ne.com Dynamic DNS Domain

2014484 || ET CURRENT_EVENTS DNS Query to a *.bbsindex.com Dynamic DNS Domain

2014485 || ET CURRENT_EVENTS HTTP Request to a *.bbsindex.com Dynamic DNS Domain

2014486 || ET CURRENT_EVENTS DNS Query to a *.chatnook.com Dynamic DNS Domain

2014487 || ET CURRENT_EVENTS HTTP Request to a *.chatnook.com Dynamic DNS Domain

2014488 || ET CURRENT_EVENTS DNS Query to a *.darktech.org Dynamic DNS Domain

2014489 || ET CURRENT_EVENTS HTTP Request to a *.darktech.org Dynamic DNS Domain

2014490 || ET CURRENT_EVENTS DNS Query to a *.deaftone.com Dynamic DNS Domain

2014491 || ET CURRENT_EVENTS HTTP Request to a *.deaftone.com Dynamic DNS Domain

2014492 || ET CURRENT_EVENTS DNS Query to a *.dtdns.net Dynamic DNS Domain

2014493 || ET CURRENT_EVENTS HTTP Request to a *.dtdns.net Dynamic DNS Domain

2014494 || ET CURRENT_EVENTS DNS Query to a *.effers.com Dynamic DNS Domain

2014495 || ET CURRENT_EVENTS HTTP Request to a *.effers.com Dynamic DNS Domain

2014496 || ET CURRENT_EVENTS DNS Query to a *.etowns.net Dynamic DNS Domain

2014497 || ET CURRENT_EVENTS HTTP Request to a *.etowns.net Dynamic DNS Domain

2014498 || ET CURRENT_EVENTS DNS Query to a *.etowns.org Dynamic DNS Domain

2014499 || ET CURRENT_EVENTS HTTP Request to a *.etowns.org Dynamic DNS Domain

2014500 || ET CURRENT_EVENTS DNS Query to a *.flnet.org Dynamic DNS Domain

2014501 || ET CURRENT_EVENTS HTTP Request to a *.flnet.org Dynamic DNS Domain

2014502 || ET CURRENT_EVENTS DNS Query to a *.gotgeeks.com Dynamic DNS Domain

2014503 || ET CURRENT_EVENTS HTTP Request to a *.gotgeeks.com Dynamic DNS Domain

2014504 || ET CURRENT_EVENTS DNS Query to a *.scieron.com Dynamic DNS Domain

2014505 || ET CURRENT_EVENTS HTTP Request to a *.scieron.com Dynamic DNS Domain

2014506 || ET CURRENT_EVENTS DNS Query to a *.slyip.com Dynamic DNS Domain

2014507 || ET CURRENT_EVENTS HTTP Request to a *.slyip.com Dynamic DNS Domain

2014508 || ET CURRENT_EVENTS DNS Query to a *.slyip.net Dynamic DNS Domain

2014509 || ET CURRENT_EVENTS HTTP Request to a *.slyip.net Dynamic DNS Domain

2014510 || ET CURRENT_EVENTS DNS Query to a *.suroot.com Dynamic DNS Domain

2014511 || ET CURRENT_EVENTS HTTP Request to a *.suroot.com Dynamic DNS Domain

2014513 || ET TROJAN DNS Request for Zaletelly CnC Domain || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MDrop-EAB/detailed-analysis.aspx

2404198 || ET DROP Known Bot C&C Server Traffic (group 100) || url,abuse.ch || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/ShadowServerCC

2404200 || ET DROP Known Bot C&C Server Traffic (group 101) || url,abuse.ch || url,www.shadowserver.org || url,doc.emergingthreats.net/bin/view/Main/ShadowServerCC

2501724 || ET COMPROMISED Known Compromised or Hostile Host Traffic (863) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

2804639 || ETPRO DELETED Flashback Mac Malware Twitter CnC Request for March 2012 || url,blog.intego.com/flashback-mac-malware-uses-twitter-as-command-and-control-center/

2804758 || ETPRO CURRENT_EVENTS OSX/Flashback.K/I reporting successful infection || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

2804759 || ETPRO TROJAN OSX/Flashback.K/I reporting successful infection 2 || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

2804760 || ETPRO TROJAN OSX/Flashback.K/I reporting failed infection || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

2804761 || ETPRO TROJAN OSX/Flashback.K first execution checkin || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

2804762 || ETPRO TROJAN OSX/Flashback.K/I User-Agent || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

Removed:

2014333 || ET CURRENT_EVENTS MAC/Flashback Checkin via Twitter Hashtag Pepbyfadxeoa || url,blog.intego.com/flashback-mac-malware-uses-twitter-as-command-and-control-center/

2520166 || ET TOR Known Tor Exit Node Traffic (84) || url,doc.emergingthreats.net/bin/view/Main/TorRules

2804639 || ETPRO TROJAN Flashback Mac Malware Twitter CnC Request for March 2012 || url,blog.intego.com/flashback-mac-malware-uses-twitter-as-command-and-control-center/
