[+++] Added rules: [+++]
Open:
2014751 – ET CURRENT_EVENTS Unknown – Java Exploit – 32char file name (current_events.rules)
2014752 – ET CURRENT_EVENTS Win32.HLLW.Autoruner USA_Load UA (current_events.rules)
2014753 – ET CURRENT_EVENTS probable malicious Glazunov Javascript injection (current_events.rules)
2014754 – ET TROJAN W32/Mepaow.Backdoor Initial Checkin to Intermediary Pre-CnC (trojan.rules)
2014755 – ET CURRENT_EVENTS W32/HupigonUser.Backdoor Agent RAbcLib (current_events.rules)
2014756 – ET POLICY Logmein.com SSL Remote Control Access (policy.rules)
2014757 – ET TROJAN Win32/Comrerop Checkin at FTP server (trojan.rules)
2014758 – ET TROJAN Trojan.BAT.Qhost – SET (trojan.rules)
2014759 – ET TROJAN Trojan.BAT.Qhost Response from Controller (trojan.rules)
2014760 – ET TROJAN W32/Votwup.Backdoor Checkin (trojan.rules)
2014761 – ET POLICY Internal Host Getting External IP Address – ip2city.asp (policy.rules)
2014762 – ET TROJAN W32/SpyBanker Infection Confirmation Email 2 (trojan.rules)

Pro:
2804934 – ETPRO TROJAN Dropper-FQE Checkin (trojan.rules)
2804937 – ETPRO TROJAN TrojanDownloader.Win32/Waledac.R Checkin (trojan.rules)
2804938 – ETPRO MALWARE Win32/Adware.1ClickDownload User-Agent (Inetc3 (Mozilla#-#- FW 4#-#-)) (malware.rules)
2804939 – ETPRO TROJAN Worm.Win32.Ainslot Checkin (trojan.rules)
2804940 – ETPRO TROJAN TrojanDownloader.Win32/Begger.A Checkin (trojan.rules)
2804941 – ETPRO TROJAN Win32/Karagany.E Checkin 1 (trojan.rules)
2804942 – ETPRO TROJAN Win32/Karagany.E Checkin 2 (trojan.rules)
2804943 – ETPRO TROJAN Backdoor/Buterat.abl Checkin (trojan.rules)
2804944 – ETPRO TROJAN Win32/Simda.A CnC Traffic (trojan.rules)
2804945 – ETPRO TROJAN W32/Banload.XPX!tr Checkin (trojan.rules)
2804946 – ETPRO TROJAN WinNT/Nagyo.C!rootkit Checkin (trojan.rules)
2804947 – ETPRO TROJAN Backdoor.VB.5 CnC Traffic (trojan.rules)
2804948 – ETPRO TROJAN TrojanDownloader.Win32/Pluzoks.A Checkin 2 (trojan.rules)
2804949 – ETPRO TROJAN RogueAntiSpyware.XPAntivirus Checkin (trojan.rules)
2804950 – ETPRO TROJAN Backdoor.Win32.Simda.kv/Proxyier Checkin (trojan.rules)

[///] Modified active rules: [///]

Open:
2008415 – ET SCAN Cisco Torch IOS HTTP Scan (scan.rules)
2008529 – ET SCAN Core-Project Scanning Bot UA Detected (scan.rules)
2014610 – ET TROJAN W32/Downvision.A Initial Checkin (trojan.rules)

Pro:
2803869 – ETPRO TROJAN Rootkit.ZAccess.cj Checkin (trojan.rules)

[---] Removed rules: [---]

2800847 – ETPRO POLICY Logmein.com SSL Remote Control Access (policy.rules)
2804930 – ETPRO TROJAN Win32/Comrerop Checkin at FTP server (trojan.rules)

6 new rules today.  A few little fixes and tweaks.

[+++]          Added rules:          [+++]

2804928 – ETPRO TROJAN W32.Philis.Q Checkin (trojan.rules)

2804929 – ETPRO TROJAN TrojanDownloader.Win32/Banload.ACI Checkin 2 (trojan.rules)

2804930 – ETPRO TROJAN Win32/Comrerop Checkin at FTP server (trojan.rules)

2804931 – ETPRO TROJAN W32.Colowned.A Checkin 1 (trojan.rules)

2804932 – ETPRO TROJAN W32.Colowned.A Checkin 2 (trojan.rules)

2804933 – ETPRO TROJAN Win32/Virut.BN Checkin 2 (trojan.rules)

[///]     Modified active rules:     [///]

2014730 – ET CURRENT_EVENTS Potential FAKEAV Download .info a-f0-9 x16 setup download (current_events.rules)

2402000 – ET DROP Dshield Block Listed Source (dshield.rules)

2803188 – ETPRO TROJAN Cnaddare.A/Fednu.c/Adware Checkin to Server flowbit set (trojan.rules)

2804317 – ETPRO TROJAN TrojanDownloader.Win32/Banload.ACI Checkin (trojan.rules)

2804900 – ETPRO TROJAN Win32/Lybsus.A CnC Traffic (trojan.rules)

[///]    Modified inactive rules:    [///]

2014015 – ET TROJAN TROJAN LDPinch Loader Binary Request (trojan.rules)

[---]  Disabled and modified rules:  [---]

2014748 – ET CURRENT_EVENTS RedKit Repeated Exploit Request Pattern (current_events.rules)

[+++] Added rules: [+++]

Open:
2014746 – ET CURRENT_EVENTS Blackhole Java Exploit request to /Set.jar (current_events.rules)
2014747 – ET CURRENT_EVENTS Blackhole Try Prototype Catch May 14 2012 (current_events.rules)
2014748 – ET CURRENT_EVENTS RedKit Repeated Exploit Request Pattern (current_events.rules)
2014749 – ET CURRENT_EVENTS Redkit Java Exploit request to /24842.jar (current_events.rules)
2014750 – ET CURRENT_EVENTS Incognito/RedKit Exploit Kit vulnerable Java payload request to /1.html (current_events.rules)

Pro:
2804927 – ETPRO WEB_CLIENT Microsoft Excell with Regular SERIES Record with a malformed stdy value (web_client.rules)

[///] Modified active rules: [///]
2802960 – ETPRO TROJAN Win32.SpyEye.cuk Checkin flowbit SET (trojan.rules)
2804876 – ETPRO TROJAN Win32/Coswid.A Checkin (trojan.rules)

[+++] Added rules: [+++]

2014735 – ET MALWARE Malicious file bitdefender_isecurity.exe download (malware.rules)
2014736 – ET WEB_SPECIFIC_APPS Andromeda Streaming MP3 Server andromeda.php Cross-Site Scripting Attempt (web_specific_apps.rules)
2014737 – ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow (activex.rules)
2014738 – ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow 2 (activex.rules)
2014739 – ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow (activex.rules)
2014740 – ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow 2 (activex.rules)
2014741 – ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow (activex.rules)
2014742 – ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow 2 (activex.rules)
2014743 – ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow (activex.rules)
2014744 – ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow 2 (activex.rules)
2014745 – ET CURRENT_EVENTS Blackhole Try Prototype Catch May 11 2012 (current_events.rules)

[///] Modified active rules: [///]

Open:
2014154 – ET CURRENT_EVENTS DRIVEBY PDF Containing Subform with JavaScript (current_events.rules)

Pro:
2804921 – ETPRO WEB_CLIENT Microsoft Excel file download – SET 1 (web_client.rules)
2804922 – ETPRO WEB_CLIENT Microsoft Excel file download – SET 2 (web_client.rules)

[+++] Added rules: [+++]

Open:
2014729 – ET CURRENT_EVENTS FakeAV Landing Page – Viruses were found (current_events.rules)
2014730 – ET CURRENT_EVENTS Potential FAKEAV Download .info /[a-f0-9]{16}/ setup download (current_events.rules)
2014731 – ET TROJAN Snap Bot Checkin (trojan.rules)
2014732 – ET TROJAN Snap Bot Receiving Download Command (trojan.rules)
2014733 – ET TROJAN Snap Bot Receiving DDoS Command (trojan.rules)
2014734 – ET POLICY BitTorrent – Torrent File Downloaded (policy.rules)

Pro:
2804921 – ETPRO WEB_CLIENT Microsoft Excell file download – SET 1 (web_client.rules)
2804922 – ETPRO WEB_CLIENT Microsoft Excell file download – SET 2 (web_client.rules)
2804923 – ETPRO TROJAN Rootkit.Win32.Bootkor.ha CnC Traffic (trojan.rules)
2804924 – ETPRO TROJAN Trojan-Downloader.Win32.Banload.buij Checkin (trojan.rules)
2804925 – ETPRO TROJAN Trojan/Banker.Agent.bof Checkin (trojan.rules)
2804926 – ETPRO TROJAN Win32/Autorun.GN Checkin (trojan.rules)

[+++] Enabled and modified rules: [+++]

2804910 – ETPRO WEB_CLIENT Microsoft Excel corrupted/hostile file invalid SXLI BIFF record (web_client.rules)
2804911 – ETPRO WEB_CLIENT Microsoft Excel corrupted/hostile file invalid MergeCells.rgref.ref8.colLast value (web_client.rules)

[///] Modified active rules: [///]

2800064 – ETPRO WEB_CLIENT Microsoft Excel BIFF File Format Named Graph Record Parsing Stack Overflow (web_client.rules)
2800065 – ETPRO WEB_CLIENT Microsoft Excel Set Font Handling Code Execution (web_client.rules)
2800695 – ETPRO EXPLOIT Microsoft Excel Embedded Shockwave Flash Object Code Execution within xls (exploit.rules)
2801906 – ETPRO WEB_CLIENT Microsoft Office Excel ADO Object Parsing Code Execution – SET (web_client.rules)
2801929 – ETPRO WEB_CLIENT Microsoft Office Excel Pivot Item Index Boundary Error Memory Corruption 1 (web_client.rules)
2801930 – ETPRO WEB_CLIENT Microsoft Office Excel Pivot Item Index Boundary Error Memory Corruption 2 (web_client.rules)
2801931 – ETPRO WEB_CLIENT Microsoft Office Excel Pivot Item Index Boundary Error Memory Corruption 3 (web_client.rules)
2802020 – ETPRO WEB_CLIENT Excel File Containing Integer Overrun Vulnerability BIFF v6 Record ToolBarDef (web_client.rules)
2802021 – ETPRO WEB_CLIENT Excel File Containing Integer Overrun Vulnerability BIFF v5 Record ToolBarDef (web_client.rules)
2802022 – ETPRO WEB_CLIENT Excel File Malformed Label recType BIFF5 record (web_client.rules)
2802033 – ETPRO WEB_CLIENT Microsoft Excel Malformed CatSerRange Record Vulnerability (web_client.rules)
2802034 – ETPRO WEB_CLIENT Microsoft Excel Malformed SupBook Record Vulnerability (web_client.rules)
2802035 – ETPRO WEB_CLIENT Microsoft Excel OBJ Records Vulnerability (web_client.rules)
2802067 – ETPRO WEB_CLIENT Microsoft Excel Office Drawing Layer Remote Code Execution (web_client.rules)
2802987 – ETPRO WEB_CLIENT Microsoft Excel Insufficient Record Validation (web_client.rules)
2802991 – ETPRO WEB_CLIENT Microsoft Excel corrupted SerAuxTrend BIFF Record (web_client.rules)
2802992 – ETPRO WEB_CLIENT Microsoft Excel Corrupted SerAuxTrend BIFF Record Attack 1 (web_client.rules)
2802993 – ETPRO WEB_CLIENT Microsoft Excel Excel Improper Record Parsing Vulnerability Flowbit SET (web_client.rules)
2802995 – ETPRO WEB_CLIENT Microsoft Excel WriteAV Vulnerability Attack (web_client.rules)
2803027 – ETPRO WEB_CLIENT Microsoft Excel malformed Selection (type 0x1D) BIFF record (web_client.rules)
2803653 – ETPRO WEB_CLIENT Microsoft Excel DataFormat Record Parsing Vulnerability (web_client.rules)
2803657 – ETPRO WEB_CLIENT Microsoft Excel SHRFMLA Biff Record Vulnerability Attempt (web_client.rules)
2803659 – ETPRO WEB_CLIENT Microsoft Excel Possible AXISPARENT Biff Record Vulnerability Attempt (web_client.rules)
2803660 – ETPRO WEB_CLIENT Microsoft Excel Biff Record Vulnerability Attempt (web_client.rules)
2804141 – ETPRO WEB_CLIENT Microsoft Excell corrupted file download invalid Lel BIFF records (web_client.rules)
2804906 – ETPRO WEB_CLIENT Microsoft Excel corrupted/hostile file with invalid ObjectLink BIFF record (web_client.rules)
2804907 – ETPRO WEB_CLIENT Microsoft Excel corrupted/hostile file download invalid Window2 BIFF record (web_client.rules)
2804912 – ETPRO WEB_CLIENT RTMPmsg Traffic (web_client.rules)
2804913 – ETPRO WEB_CLIENT RTMPmsg Traffic 2 (web_client.rules)
2804914 – ETPRO TROJAN Potential Adobe Flash type confusion exploit attempt 1 (trojan.rules)
2804915 – ETPRO TROJAN Potential Adobe Flash type confusion exploit attempt 2 (trojan.rules)
2804916 – ETPRO TROJAN Potential Adobe Flash type confusion exploit attempt 3 (trojan.rules)
2804917 – ETPRO TROJAN Potential Adobe Flash type confusion exploit attempt 4 (trojan.rules)

5 new open rules, 3 new Pro.

Enjoy!

[+++]          Added rules:          [+++]

2014724 – ET CURRENT_EVENTS Blackhole Java Exploit request to /Cal.jar (current_events.rules)

2014725 – ET CURRENT_EVENTS Possible Request for Blackhole Exploit Kit Landing Page – src.php?case= (current_events.rules)

Please report issues with these. disable if you haven’t control of the versions on your net of course!

2014726 – ET POLICY Outdated Windows Flash Version IE (policy.rules)

2014727 – ET POLICY Outdated Mac Flash Version (policy.rules)

2014728 – ET TROJAN Smoke Loader Checkin r=gate (trojan.rules)

Pro subscriber rules:

2804918 – ETPRO TROJAN Backdoor/MSIL.adv Checkin (trojan.rules)

2804919 – ETPRO TROJAN Trojan.Win32.Swisyn.cioi Checkin (trojan.rules)

2804920 – ETPRO TROJAN Win32/Rlsloup.gen!A Checkin (trojan.rules)

[///]     Modified active rules:     [///]

Just renamed, thanks Eoin:

2014701 – ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set (dns.rules)

2014702 – ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set (dns.rules)

2014703 – ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set (dns.rules)

2014641 – ET CURRENT_EVENTS Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx (current_events.rules)

2014722 – ET TROJAN Medfos/Midhos Checkin (trojan.rules)

[---]         Removed rules:         [---]

2014701 – ET TROJAN DNS Protocol Violation Opcode 6 or 7 set Possible CnC (trojan.rules)

2014702 – ET TROJAN DNS Protocol Violation Opcode 8 through 15 set Possible CnC (trojan.rules)

2014703 – ET TROJAN DNS Protocol Violation Reserved Bit Set Possible CnC (trojan.rules)

2803431 – ETPRO TROJAN Win32.Banbra or Related Checkin (trojan.rules)

Happy Patch Tuesday! 12 new Pro rules, and Patch Tuesday coverage details here:

Enjoy!

[+++]          Added rules:          [+++]

2804906 – ETPRO WEB_CLIENT Microsoft Excel corrupted/hostile file with invalid ObjectLink BIFF record (web_client.rules)

2804907 – ETPRO WEB_CLIENT Microsoft Excel corrupted/hostile file download invalid Window2 BIFF record (web_client.rules)

2804908 – ETPRO WEB_CLIENT TrueType Font Parsing Attack (web_client.rules)

2804909 – ETPRO WEB_CLIENT Hostile Microsoft Rich Text File (RTF) with corrupted listoverride (web_client.rules)

2804910 – ETPRO WEB_CLIENT Microsoft Excel corrupted/hostile file invalid SXLI BIFF record (web_client.rules)

2804911 – ETPRO WEB_CLIENT Microsoft Excel corrupted/hostile file invalid MergeCells.rgref.ref8.colLast value (web_client.rules)

2804912 – ETPRO WEB_CLIENT RTMPmsg Traffic (web_client.rules)

2804913 – ETPRO WEB_CLIENT RTMPmsg Traffic 2 (web_client.rules)

2804914 – ETPRO TROJAN Potential Adobe Flash type confusion exploit attempt 1 (trojan.rules)

2804915 – ETPRO TROJAN Potential Adobe Flash type confusion exploit attempt 2 (trojan.rules)

2804916 – ETPRO TROJAN Potential Adobe Flash type confusion exploit attempt 3 (trojan.rules)

2804917 – ETPRO TROJAN Potential Adobe Flash type confusion exploit attempt 4 (trojan.rules)

[///]     Modified active rules:     [///]

2014561 – ET CURRENT_EVENTS landing page with malicious Java applet (current_events.rules)

2402000 – ET DROP Dshield Block Listed Source (dshield.rules)

2800871 – ETPRO WEB_CLIENT Microsoft Office RTF Stack Buffer Overflow (web_client.rules)

Light update today. 7 new open rules, 4 Pro.

We’re getting your patch tuesday ruleset ready, see you tomorrow!

[+++]          Added rules:          [+++]

Moved from malware to Policy:

2014342 – ET POLICY Snadboy.com Products User-Agent (policy.rules)

2014718 – ET GAMES Nintedo Wii User-Agent (games.rules)

2014719 – ET TROJAN W32/Simbot.Backdoor Checkin (trojan.rules)

2014720 – ET TROJAN W32/Downloader/Agent.dxh.1 Reporting to CnC (trojan.rules)

Based on leaked bot code, interesting case. See references:

2014721 – ET TROJAN Boatz Checkin (trojan.rules)

2014722 – ET TROJAN Medfos/Midhos Checkin (trojan.rules)

2014723 – ET TROJAN Suspicious lcon http header in response seen with Medfos/Midhos downloader (trojan.rules)

Pro Subscriber rules:

2804903 – ETPRO TROJAN W32/Troj_Generic.BNJME Checkin (trojan.rules)

2804904 – ETPRO TROJAN Trojan.Autoit-124 Checkin (trojan.rules)

2804905 – ETPRO TROJAN Win32/Horst.gen!C Checkin (trojan.rules)

Moved from Malware to Policy:

2803915 – ETPRO POLICY OpenInstall.com Install (policy.rules)

[///]     Modified active rules:     [///]

Perf tweak, thanks Eoin:

2014285 – ET DNS DNS Query for Suspicious .ch.vu Domain (dns.rules)

[---]  Disabled and modified rules:  [---]

Getting FPs on some legit-”ish” games as well as the trojan. Researching:

2801402 – ETPRO TROJAN Generic Gui Trojan Hacker Tool Request to Controller (trojan.rules)

2801403 – ETPRO TROJAN Generic Gui Trojan Hacker Tool Response from Controller Execute File (trojan.rules)

Note the changes to teh BotCC RUles, which sholdn’t affect configs.

Have a great weekend!

[+++]          Added rules:          [+++]

2014708 – ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution (activex.rules)

2014709 – ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution 2 (activex.rules)

2014710 – ET ACTIVEX Possible Samsung NET-i Viewer Active-X SEH Overwrite (activex.rules)

2014711 – ET WEB_SPECIFIC_APPS maxxweb Cms kategorie parameter Cross-Site Scripting Attempt (web_specific_apps.rules)

2014712 – ET WEB_SPECIFIC_APPS WordPress WPsc-MijnPress plugin rwflush parameter Cross-Site Scripting Attempt (web_specific_apps.rules)

2014713 – ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow (activex.rules)

2014714 – ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow 2 (activex.rules)

2014715 – ET WEB_SPECIFIC_APPS Joomla com_obsuggest controller parameter Local File Inclusion Attempt (web_specific_apps.rules)

2014716 – ET WEB_SPECIFIC_APPS Joomla com_joomtouch controller parameter Local File Inclusion Attempt (web_specific_apps.rules)

2014717 – ET WEB_SPECIFIC_APPS WordPress WP Custom Pages url parameter Local File Inclusion Attempt (web_specific_apps.rules)

Pro:

2804902 – ETPRO MALWARE Adware.Downware.23 Install 2 (malware.rules)

[///]     Modified active rules:     [///]

2014704 – ET WEB_SPECIFIC_APPS PHP-CGI query string parameter vulnerability (web_specific_apps.rules)

2402000 – ET DROP Dshield Block Listed Source (dshield.rules)

2804883 – ETPRO CURRENT_EVENTS mass SQL Injection campaigns targeting Microsoft IIS web server (ASP/ASP.Net/CFM/MS-SQL) sites (current_events.rules)