Daily Ruleset Update Summary 1/23/2012

12 new open rules, 71 new Pro Subscriber rules.

Why so many new rules, you ask? Because we like new rules, and we dislike malware!

Many of these are dyn DNS domains. We’re picking the worst and most recent offenders there; more to come as these prove effective. We know there are hundreds of thousands of dyn domains, and we’re not covering them all.

[+++]          Added rules:          [+++]

2014138 – ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested class.class (current_events.rules)

2014139 – ET CURRENT_EVENTS Query to Known CnC Domain msnsolution.nicaze.net (current_events.rules)

2014140 – ET WEB_SERVER LOIC Javascript DDoS Inbound (web_server.rules)

2014141 – ET CURRENT_EVENTS LOIC Javascript DDoS Outbound (current_events.rules)

2014142 – ET CURRENT_EVENTS Likely Driveby Delivered Malicious PDF (current_events.rules)

2014143 – ET TROJAN PoisonIvy.Esf Keepalive to CnC (trojan.rules)

2014144 – ET TROJAN PoisonIvy.Eks Keepalive to CnC (trojan.rules)

2014145 – ET TROJAN PoisonIvy.Ehy Keepalive to CnC (trojan.rules)

2014146 – ET TROJAN Win32/Spy.Banker Reporting Via SMTP (trojan.rules)

2014147 – ET CURRENT_EVENTS Sakura Exploit Kit Landing Page Request (current_events.rules)

2014148 – ET CURRENT_EVENTS Sakura Exploit Kit Binary Load Request (current_events.rules)

2014149 – ET TROJAN Clickfraud List Delivered To Client (trojan.rules)

Pro Subscriber Rules. I’ll divide these up a bit by category for ease of review:

Trojan/Malware/CNC, the stuff we love to hate:

2804330 – ETPRO TROJAN Trojan.Win32.TDSS.bsqo Checkin (trojan.rules)

2804331 – ETPRO TROJAN Trojan.Win32.ConnectionServices.m Checkin (trojan.rules)

2804334 – ETPRO TROJAN Trojan/Buzus.fgw Checkin (trojan.rules)

2804385 – ETPRO TROJAN Win32/SouGouDownloader.A User-Agent (SouGouDownloader) (trojan.rules)

2804386 – ETPRO MALWARE Variant.Adware.Gabpath.2 Checkin (malware.rules)

2804395 – ETPRO TROJAN TrojanBanker.Banbra.aaoa checkin (trojan.rules)

2804398 – ETPRO TROJAN Win32/Crix.C checkin (trojan.rules)

2804400 – ETPRO TROJAN Win32/DelpBanc.A Checkin (trojan.rules)

A few new GEOIP methods. Legit by nature, but seen in some new malware of late; likely a response to existing detection of the whatismyip-style API.

2804332 – ETPRO POLICY IP Geo Location Request (policy.rules)

2804333 – ETPRO POLICY IP Geo location service response (policy.rules)

2804396 – ETPRO POLICY IP Check via ipinfodb com style API – often hostile (policy.rules)

Some of the usual vulns:

2804394 – ETPRO ACTIVEX McAfee SaaS MyCioScan ShowReport Remote Command Execution (activex.rules)

2804397 – ETPRO EXPLOIT Avaya WinPDM UniteHostRouter Stack Buffer Overflow (exploit.rules)

2804399 – ETPRO EXPLOIT HP OpenView Network Node Manager ov.dll _OVBuildPath Buffer Overflow (exploit.rules)

Note: These were from Patch Tuesday. We did not publish at that time for FP/load fears. We’ve been tweaking and testing, but we’re still not wildly confident in these rules; feedback is very welcome!

2804387 – ETPRO WEB_CLIENT Microsoft Internet Explorer Anti-Cross Site Scripting Library Vulnerability 1 (web_client.rules)

2804388 – ETPRO WEB_CLIENT Microsoft Internet Explorer Anti-Cross Site Scripting Library Vulnerability 2 (web_client.rules)

Dyn dns stuff:

2804335 – ETPRO CURRENT_EVENTS HTTP Request to a *.1dumb.com Dynamic DNS Domain (current_events.rules)

2804336 – ETPRO CURRENT_EVENTS DNS Query to a *.1dumb.com Dynamic DNS Domain (current_events.rules)

2804337 – ETPRO CURRENT_EVENTS HTTP Request to a *.25u.com Dynamic DNS Domain (current_events.rules)

2804338 – ETPRO CURRENT_EVENTS DNS Query to a *.25u.com Dynamic DNS Domain (current_events.rules)

2804339 – ETPRO CURRENT_EVENTS HTTP Request to a *.BigMoney.biz Dynamic DNS Domain (current_events.rules)

2804340 – ETPRO CURRENT_EVENTS DNS Query to a *.BigMoney.biz Dynamic DNS Domain (current_events.rules)

2804341 – ETPRO CURRENT_EVENTS HTTP Request to a *.dns04.com Dynamic DNS Domain (current_events.rules)

2804342 – ETPRO CURRENT_EVENTS DNS Query to a *.dns04.com Dynamic DNS Domain (current_events.rules)

2804343 – ETPRO CURRENT_EVENTS HTTP Request to a *.dns05.com Dynamic DNS Domain (current_events.rules)

2804344 – ETPRO CURRENT_EVENTS DNS Query to a *.dns05.com Dynamic DNS Domain (current_events.rules)

2804345 – ETPRO CURRENT_EVENTS HTTP Request to a *.dynamic-dns.net Dynamic DNS Domain (current_events.rules)

2804346 – ETPRO CURRENT_EVENTS DNS Query to a *.dynamic-dns.net Dynamic DNS Domain (current_events.rules)

2804347 – ETPRO CURRENT_EVENTS HTTP Request to a *.dynamicDNS.biz Dynamic DNS Domain (current_events.rules)

2804348 – ETPRO CURRENT_EVENTS DNS Query to a *.dynamicDNS.biz Dynamic DNS Domain (current_events.rules)

2804349 – ETPRO CURRENT_EVENTS HTTP Request to a *.freeWWW.biz Dynamic DNS Domain (current_events.rules)

2804350 – ETPRO CURRENT_EVENTS DNS Query to a *.freeWWW.biz Dynamic DNS Domain (current_events.rules)

2804351 – ETPRO CURRENT_EVENTS HTTP Request to a *.dns-dns.com Dynamic DNS Domain (current_events.rules)

2804352 – ETPRO CURRENT_EVENTS DNS Query to a *.dns-dns.com Dynamic DNS Domain (current_events.rules)

2804353 – ETPRO CURRENT_EVENTS HTTP Request to a *.ProxyDNS.com Dynamic DNS Domain (current_events.rules)

2804354 – ETPRO CURRENT_EVENTS DNS Query to a *.ProxyDNS.com Dynamic DNS Domain (current_events.rules)

2804355 – ETPRO CURRENT_EVENTS HTTP Request to a *.gr8name.biz Dynamic DNS Domain (current_events.rules)

2804356 – ETPRO CURRENT_EVENTS DNS Query to a *.gr8name.biz Dynamic DNS Domain (current_events.rules)

2804357 – ETPRO CURRENT_EVENTS HTTP Request to a *.gr8domain.biz Dynamic DNS Domain (current_events.rules)

2804358 – ETPRO CURRENT_EVENTS DNS Query to a *.gr8domain.biz Dynamic DNS Domain (current_events.rules)

2804359 – ETPRO CURRENT_EVENTS HTTP Request to a *.my03.com Dynamic DNS Domain (current_events.rules)

2804360 – ETPRO CURRENT_EVENTS DNS Query to a *.my03.com Dynamic DNS Domain (current_events.rules)

2804361 – ETPRO CURRENT_EVENTS HTTP Request to a *.ns01.biz Dynamic DNS Domain (current_events.rules)

2804362 – ETPRO CURRENT_EVENTS DNS Query to a *.ns01.biz Dynamic DNS Domain (current_events.rules)

2804363 – ETPRO CURRENT_EVENTS HTTP Request to a *.ns01.info Dynamic DNS Domain (current_events.rules)

2804364 – ETPRO CURRENT_EVENTS DNS Query to a *.ns01.info Dynamic DNS Domain (current_events.rules)

2804365 – ETPRO CURRENT_EVENTS HTTP Request to a *.ns01.us Dynamic DNS Domain (current_events.rules)

2804366 – ETPRO CURRENT_EVENTS DNS Query to a *.ns01.us Dynamic DNS Domain (current_events.rules)

2804367 – ETPRO CURRENT_EVENTS HTTP Request to a *.ns02.biz Dynamic DNS Domain (current_events.rules)

2804368 – ETPRO CURRENT_EVENTS DNS Query to a *.ns02.biz Dynamic DNS Domain (current_events.rules)

2804369 – ETPRO CURRENT_EVENTS HTTP Request to a *.ns02.info Dynamic DNS Domain (current_events.rules)

2804370 – ETPRO CURRENT_EVENTS DNS Query to a *.ns02.info Dynamic DNS Domain (current_events.rules)

2804371 – ETPRO CURRENT_EVENTS HTTP Request to a *.ns02.us Dynamic DNS Domain (current_events.rules)

2804372 – ETPRO CURRENT_EVENTS DNS Query to a *.ns02.us Dynamic DNS Domain (current_events.rules)

2804373 – ETPRO CURRENT_EVENTS HTTP Request to a *.ns1.name Dynamic DNS Domain (current_events.rules)

2804374 – ETPRO CURRENT_EVENTS DNS Query to a *.ns1.name Dynamic DNS Domain (current_events.rules)

2804375 – ETPRO CURRENT_EVENTS HTTP Request to a *.ns2.name Dynamic DNS Domain (current_events.rules)

2804376 – ETPRO CURRENT_EVENTS DNS Query to a *.ns2.name Dynamic DNS Domain (current_events.rules)

2804377 – ETPRO CURRENT_EVENTS HTTP Request to a *.ns3.name Dynamic DNS Domain (current_events.rules)

2804378 – ETPRO CURRENT_EVENTS DNS Query to a *.ns3.name Dynamic DNS Domain (current_events.rules)

2804379 – ETPRO CURRENT_EVENTS HTTP Request to a *.changeip.org Dynamic DNS Domain (current_events.rules)

2804380 – ETPRO CURRENT_EVENTS DNS Query to a *.changeip.org Dynamic DNS Domain (current_events.rules)

2804381 – ETPRO CURRENT_EVENTS HTTP Request to a *.freeTCP.com Dynamic DNS Domain (current_events.rules)

2804382 – ETPRO CURRENT_EVENTS DNS Query to a *.freeTCP.com Dynamic DNS Domain (current_events.rules)

2804383 – ETPRO CURRENT_EVENTS HTTP Request to a *.3-a.net Dynamic DNS Domain (current_events.rules)

2804384 – ETPRO CURRENT_EVENTS DNS Query to a *.3-a.net Dynamic DNS Domain (current_events.rules)

[///]     Modified active rules:     [///]

Performance tweaks primarily:

2801525 – ETPRO NETBIOS Microsoft Powerpoint pp7x32.dll Insecure Library Loading – SMB ASCII (netbios.rules)

2803529 – ETPRO WEB_CLIENT Mozilla Firefox and Thunderbird sensor.dll Insecure Library Loading (web_client.rules)

2804132 – ETPRO NETBIOS Microsoft Powerpoint pp4x322.dll Insecure Library Loading – SMB ASCII (netbios.rules)

2804138 – ETPRO NETBIOS peerdist.dll Insecure Library Loading – SMB ASCII (netbios.rules)

2009485 – ET WEB_SERVER /etc/shadow Detected in URI (web_server.rules)

2013361 – ET CURRENT_EVENTS HTran/SensLiceld.A Checkin 1 (current_events.rules)

2013362 – ET CURRENT_EVENTS HTran/SensLiceld.A Checkin 2 (unicode) (current_events.rules)

2013962 – ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client (current_events.rules)

2014084 – ET TROJAN TROJAN Win32.OnlineGames.Bft Reporting (trojan.rules)

2800981 – ETPRO CURRENT_EVENTS UDP Based D0S LOIC Low Orbit Ion Cannon Attack Default String U dun goofed (current_events.rules)

2800982 – ETPRO CURRENT_EVENTS UDP Based D0S LOIC Low Orbit Ion Cannon Attack OUTBOUND Default String U dun goofed (current_events.rules)

2801460 – ETPRO WEB_CLIENT Microsoft Office Groove 2007 Insecure Library Loading Code Execution (web_client.rules)

2801490 – ETPRO WEB_CLIENT Microsoft Windows Backup Manager fveapi.dll Insecure Library Loading fveapi.dll (web_client.rules)

2801514 – ETPRO WEB_CLIENT Multiple Load Library Vulns dwmapi.dll Insecure Library Loading (web_client.rules)

2801526 – ETPRO WEB_CLIENT Microsoft Powerpoint pp7x32.dll Insecure Library Loading (web_client.rules)

2801532 – ETPRO WEB_CLIENT Microsoft Powerpoint pp4x322.dll Insecure Library Loading (web_client.rules)

2801544 – ETPRO WEB_CLIENT Microsoft Powerpoint schannel.dll Insecure Library Loading (web_client.rules)

2801568 – ETPRO WEB_CLIENT Microsoft Windows SDK for Windows 7 and NET Framework 4 GraphEdit measure.dll Insecure Library Loading (web_client.rules)

2801580 – ETPRO WEB_CLIENT IBM Lotus Notes nlsxbe.dll Insecure Library Loading (web_client.rules)

2803137 – ETPRO WEB_CLIENT Microsoft Visio mfc71loc.dll Insecure Library Loading (web_client.rules)

2804133 – ETPRO WEB_CLIENT Microsoft Powerpoint pp4x322.dll Insecure Library Loading (web_client.rules)

2804139 – ETPRO WEB_CLIENT peerdist.dll Insecure Library Loading (web_client.rules)

[///]    Modified inactive rules:    [///]

2008470 – ET DNS Excessive NXDOMAIN responses – Possible DNS Backscatter or Fast Flux DNS Lookups (dns.rules)

[---]  Disabled and modified rules:  [---]

2014048 – ET CURRENT_EVENTS Blackhole Exploit Kit Java Rhino Script Engine Remote Code Execution Attempt (current_events.rules)

[---]         Removed rules:         [---]

Dedupes:

1372 – GPL EXPLOIT /etc/shadow access (exploit.rules)

2007805 – ET TROJAN Blink.com related Backdoor Checkin (trojan.rules)

2007806 – ET TROJAN Blink.com related Upgrade Command Given (trojan.rules)

2011546 – ET CURRENT_EVENTS FAKEAV client requesting fake scanner page (current_events.rules)

2011962 – ET CURRENT_EVENTS FAKEAV client requesting fake scanner page (current_events.rules)

2013714 – ET TROJAN Win32/Spy.Lpxenur Checkin (trojan.rules)

2013789 – ET TROJAN Win32.PEx.C.91139756616 Checkin (trojan.rules)

2800729 – ETPRO DOS FreeBSD nfsd NFS Mount Request Denial of Service (dos.rules)

2801525 – ETPRO WEB_CLIENT Microsoft Powerpoint pp7x32.dll Insecure Library Loading – SMB ASCII (web_client.rules)

2801527 – ETPRO WEB_CLIENT Microsoft Powerpoint pp7x32.dll Insecure Library Loading (web_client.rules)

2801533 – ETPRO WEB_CLIENT Microsoft Powerpoint pp4x322.dll Insecure Library Loading (web_client.rules)

2801545 – ETPRO WEB_CLIENT Microsoft Powerpoint schannel.dll Insecure Library Loading (web_client.rules)

2801569 – ETPRO WEB_CLIENT Microsoft Windows SDK for Windows 7 and NET Framework 4 GraphEdit measure.dll Insecure Library Loading (web_client.rules)

2801581 – ETPRO WEB_CLIENT IBM Lotus Notes nlsxbe.dll Insecure Library Loading (web_client.rules)

2803138 – ETPRO WEB_CLIENT Microsoft Visio mfc71loc.dll Insecure Library Loading (web_client.rules)

2803312 – ETPRO TROJAN Virut.Ce Checkin (trojan.rules)

2803329 – ETPRO TROJAN Win32.Knigsfot.ai Checkin (trojan.rules)

2803345 – ETPRO TROJAN Win32/Zwangi-BU Checkin (trojan.rules)

2803455 – ETPRO TROJAN Backdoor.Win32.SensLiceld.A/HTran Checkin 1 (trojan.rules)

2803456 – ETPRO TROJAN Backdoor.Win32.SensLiceld.A/HTran Checkin 2 (trojan.rules)

2804132 – ETPRO WEB_CLIENT Microsoft Powerpoint pp4x322.dll Insecure Library Loading – SMB ASCII (web_client.rules)

2804134 – ETPRO WEB_CLIENT Microsoft Powerpoint pp4x322.dll Insecure Library Loading (web_client.rules)

2804138 – ETPRO WEB_CLIENT peerdist.dll Insecure Library Loading – SMB ASCII (web_client.rules)
