Daily Ruleset Update Summary 2/21/2012

We’ve got a great set of new rules and updates today.

39 new Open rules, 28 new Pro Subscriber rules, and a lot of tweaks to some very critical CnC rules.

[+++]          Added rules:          [+++]

2014234 – ET TROJAN Fareit!IK/Kazy/PWS.Siggen.33210 Checkin (trojan.rules)

More variation:

2014235 – ET CURRENT_EVENTS DRIVEBY Blackhole – Payload Download – info.exe (current_events.rules)

2014236 – ET CURRENT_EVENTS DRIVEBY Blackhole – Payload Download – contacts.exe (current_events.rules)

2014237 – ET CURRENT_EVENTS DRIVEBY Blackhole – Payload Download – calc.exe (current_events.rules)

2014238 – ET CURRENT_EVENTS DRIVEBY Blackhole – Payload Download – about.exe (current_events.rules)

2014243 – ET CURRENT_EVENTS DRIVEBY Java Rhino Scripting Engine Exploit Downloaded (current_events.rules)

2014244 – ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL 2 (current_events.rules)

2014245 – ET CURRENT_EVENTS Blackhole Java Exploit request to /content/jav.jar (current_events.rules)

2014241 – ET CURRENT_EVENTS DRIVEBY Generic – Java Exploit Obfuscated With Allatori (current_events.rules)

2014242 – ET CURRENT_EVENTS TDS Trojan Stream request /stream? (current_events.rules)

This username is used so widely in FTP logins that it is worth a sig:

2014239 – ET TROJAN W32.Duptwux/Ganelp FTP Username – onthelinux (trojan.rules)

2014240 – ET CURRENT_EVENTS Win32/Cridex.B Self Signed SSL Certificate (root@ks310208.kimsufi.com) (current_events.rules)

2014246 – ET TROJAN Sefnit Checkin 3 (trojan.rules)

2014247 – ET TROJAN Sefnit Checkin 4 (trojan.rules)

2014248 – ET TROJAN Sefnit Checkin 5 (trojan.rules)

2014249 – ET MALWARE W32/GameplayLabs.Adware Installer Checkin (malware.rules)

2014250 – ET WEB_SPECIFIC_APPS Joomla com_jreactions mosConfig_absolute_path Parameter Remote File inclusion Attempt (web_specific_apps.rules)

2014251 – ET WEB_SPECIFIC_APPS Grady Levkov id Parameter Cross Site Scripting Attempt (web_specific_apps.rules)

2014252 – ET WEB_SPECIFIC_APPS PHP Membership Site Manager Script key Parameter Cross Site Scripting Attempt (web_specific_apps.rules)

2014253 – ET WEB_SPECIFIC_APPS pfile file.php id Parameter SELECT FROM SQL Injection Attempt (web_specific_apps.rules)

2014254 – ET WEB_SPECIFIC_APPS pfile file.php id Parameter DELETE FROM SQL Injection Attempt (web_specific_apps.rules)

2014255 – ET WEB_SPECIFIC_APPS pfile file.php id Parameter UNION SELECT SQL Injection Attempt (web_specific_apps.rules)

2014256 – ET WEB_SPECIFIC_APPS pfile file.php id Parameter INSERT INTO SQL Injection Attempt (web_specific_apps.rules)

2014257 – ET WEB_SPECIFIC_APPS pfile file.php id Parameter UPDATE SET SQL Injection Attempt (web_specific_apps.rules)

2014258 – ET WEB_SPECIFIC_APPS Joomla com_visa controller Local File Inclusion Attempt (web_specific_apps.rules)

2014259 – ET WEB_SPECIFIC_APPS Joomla com_eventcal mosConfig_absolute_path Parameter Remote File inclusion Attempt (web_specific_apps.rules)

2014260 – ET WEB_SPECIFIC_APPS Horde 3.3.12 Backdoor Attempt (web_specific_apps.rules)

Moved from the Pro set:

2014261 – ET MALWARE W32/PlaySushi User-Agent (trojan.rules)

2014262 – ET MALWARE AdWare.Win32.Sushi.au Checkin (malware.rules)

2014263 – ET TROJAN W32/Pasta.IK Checkin (trojan.rules)

Also moved from the Pro set:

2014264 – ET POLICY IP Geo Location Request (policy.rules)

2014265 – ET POLICY IP geo location service response (policy.rules)

2014266 – ET TROJAN Trojan.Win32.NfLog Checkin (TTip) (trojan.rules)

Still working on sigs for the CnC here. If you see DNS requests for test or 1.test… you have something to chase down.

2014267 – ET TROJAN Query for Known Hostile *test.3322.org.cn Domain (trojan.rules)

2014268 – ET TROJAN Backdoor.Win32.RShot Checkin (trojan.rules)

2014269 – ET TROJAN Backdoor.Win32.RShot HTTP Checkin (trojan.rules)

2014270 – ET TROJAN Backdoor.Win32.RShot Ping Outbound (trojan.rules)

2014271 – ET TROJAN Win32/Cutwail.BE Checkin 1 (trojan.rules)

2014272 – ET TROJAN Win32/Cutwail.BE Checkin 2 (trojan.rules)

And the Pro Subscriber rules:

Renamed:

2802096 – ETPRO MALWARE Zugo Adware Checkin (malware.rules)

2804530 – ETPRO TROJAN P2P-Worm.Win32.Palevo.cgrr P2P traffic (trojan.rules)

2804531 – ETPRO TROJAN TrojanClicker.Win32/Agent.ABHQ Checkin (trojan.rules)

2804532 – ETPRO TROJAN TrojanClicker.Win32/Agent.ABHQ Checkin 2 (trojan.rules)

2804533 – ETPRO TROJAN Trojan.Win32.Menti.ghpb Checkin (trojan.rules)

2804534 – ETPRO TROJAN worm.win32/duptwux.a Checkin – SET (trojan.rules)

2804535 – ETPRO TROJAN worm.win32/duptwux.a Checkin (trojan.rules)

2804536 – ETPRO MALWARE Adware.EoRezo.T User-Agent (EoEngine) (malware.rules)

2804537 – ETPRO TROJAN Win32/Cleaman.G Checkin (trojan.rules)

2804538 – ETPRO TROJAN Trojan-Proxy.Win32.Xorpix.bh Checkin (trojan.rules)

2804539 – ETPRO MALWARE W32/DownVision.A.gen!Eldorado Checkin (malware.rules)

2804540 – ETPRO TROJAN Win32/Flood.L IRC set user mode (trojan.rules)

2804541 – ETPRO MALWARE TSPY_ONLING.SMIF INSTALL (malware.rules)

2804542 – ETPRO MALWARE Generic.KDV.71846 INSTALL (malware.rules)

2804543 – ETPRO TROJAN Backdoor.Win32.Hupigon Checkin (trojan.rules)

2804544 – ETPRO TROJAN W32/Autorun.worm.aa Checkin – SET (trojan.rules)

2804545 – ETPRO TROJAN W32/Autorun.worm.aa Checkin (trojan.rules)

2804546 – ETPRO TROJAN User-Agent (Windows Internet) (trojan.rules)

2804547 – ETPRO TROJAN Win32/Zdesnado.AD Checkin (trojan.rules)

2804548 – ETPRO MALWARE Winload Adware Checkin (malware.rules)

2804549 – ETPRO TROJAN Win32/Sacanph.A Checkin (trojan.rules)

2804550 – ETPRO TROJAN Trojan.Win32.Scar.doyf Checkin (trojan.rules)

Bundled with enough malware that we need to see it at install time:

2804551 – ETPRO MALWARE SweetIM Install in Progress 2 (malware.rules)

2804552 – ETPRO MALWARE SweetIM Install in Progress 3 (malware.rules)

2804553 – ETPRO MALWARE SweetIM Install in Progress 4 (malware.rules)

2804554 – ETPRO MALWARE SweetIM Install in Progress 5 (malware.rules)

2804555 – ETPRO MALWARE SweetIM instant message redirect.php (malware.rules)

2804556 – ETPRO TROJAN Trojan.Win32.FlyStudio.u Checkin (trojan.rules)

[///]     Modified active rules:     [///]

2003410 – ET POLICY FTP Login Successful (policy.rules)

2003470 – ET MALWARE Suspicious User-Agent (Updater) (malware.rules)

2012208 – ET CURRENT_EVENTS FAKEAV CryptMEN pack.exe Payload Download (current_events.rules)

2012886 – ET POLICY Http Client Body contains passwd= in cleartext (policy.rules)

2012887 – ET POLICY Http Client Body contains pass= in cleartext (policy.rules)

2012888 – ET POLICY Http Client Body contains pwd= in cleartext (policy.rules)

2012889 – ET POLICY Http Client Body contains pw= in cleartext (policy.rules)

2012890 – ET POLICY Http Client Body contains passphrase= in cleartext (policy.rules)

2012891 – ET POLICY Http Client Body contains pword= in cleartext (policy.rules)

2014226 – ET TROJAN IP2B Trojan Communication Protocol detected (trojan.rules)

More modifications to this are coming; the C601 marker isn’t static. More research is needed to get a more general sig, and the traffic is also seen on a wide range of ports, so the rule is modified here to cover all ports.

2014228 – ET TROJAN X-Shell 601 Trojan Communication Protocol detected (trojan.rules)

2803017 – ETPRO TROJAN Backdoor.Win32.Babmote.A Checkin (trojan.rules)

[///]    Modified inactive rules:    [///]

PCRE efficiency mod:

2001116 – ET DNS Standard query response, Format error (dns.rules)

2001117 – ET DNS Standard query response, Name Error (dns.rules)

2001118 – ET DNS Standard query response, Not Implemented (dns.rules)

2001119 – ET DNS Standard query response, Refused (dns.rules)

[---]         Removed rules:         [---]

Moved to open or obsoleted:

2009092 – ET CURRENT_EVENTS New Malware Information Post (current_events.rules)

2011118 – ET USER_AGENTS Suspicious User Agent Maxthon (user_agents.rules)

2800255 – ETPRO EXPLOIT Novell GroupWise Client IMG Tag SRC Parameter Buffer Overflow (Published Exploit) (exploit.rules)

2802096 – ETPRO TROJAN Trojan.Win32.Sefnit Checkin (trojan.rules)

2804332 – ETPRO POLICY IP Geo Location Request (policy.rules)

2804333 – ETPRO POLICY IP geo location service response (policy.rules)

2804389 – ETPRO MALWARE AdWare.Win32.Sushi.au Checkin (malware.rules)
