Monthly Archives: November 2012

Daily Ruleset Update Summary 11/29/2012

By | November 29th, 2012 | Categories: Daily Ruleset Update Summary

[***]          Summary:          [***]

11 new Open rules. 11 new Pro rules (11/0). Unknown EK, Vobfus, Zuponcic EK, Sibhost EK, Phishing. A couple of updates/fixes.

2015964 – Landing URL for an Unknown EK.
2015965 – RDP Session detection used in Shylock to avoid some analysis environments.
2015968 – 2015969 VOBFUS. We've had reliable detection for this for quite a while; these two sigs provide more coverage.
2015970 – 2015971 Zuponcic Exploit Kit
2015972 – 2015973 A couple of Phishing sigs.
2015974 – Sibhost status check

[+++]          Added rules:          [+++]

2015964 – ET CURRENT_EVENTS Unknown EK Landing URL (current_events.rules)
2015965 – ET INFO EXE SCardForgetReaderGroupA (Used in Malware Anti-Debugging) (info.rules)
2015966 – ET P2P QVOD P2P Sharing Traffic detected (udp) beacon (p2p.rules)
2015967 – ET P2P QVOD P2P Sharing Traffic detected (udp) payload (p2p.rules)
2015968 – ET TROJAN WORM_VOBFUS Checkin 1 (trojan.rules)
2015969 – ET TROJAN WORM_VOBFUS Requesting exe (trojan.rules)
2015970 – ET CURRENT_EVENTS Zuponcic EK Payload Request (current_events.rules)
2015971 – ET CURRENT_EVENTS Zuponcic EK Java Exploit Jar (current_events.rules)
2015972 – ET CURRENT_EVENTS PHISH PayPal – Account Phished (current_events.rules)
2015973 – ET CURRENT_EVENTS PHISH Gateway POST to gateway-p (current_events.rules)
2015974 – ET CURRENT_EVENTS Sibhost Status Check (current_events.rules)

[///]     Modified active rules:     [///]

2009078 – ET TROJAN Backdoor Lanfiltrator Checkin (trojan.rules)
2011409 – ET DNS DNS Query for Suspicious .co.cc Domain (dns.rules)
2011410 – ET DNS DNS Query for Suspicious .cz.cc Domain (dns.rules)
2014459 – ET P2P QVOD P2P Sharing Traffic detected (tcp) (p2p.rules)

[///]    Modified inactive rules:    [///]

2011407 – ET DNS DNS Query for Suspicious .com.ru Domain (dns.rules)
2011408 – ET DNS DNS Query for Suspicious .com.cn Domain (dns.rules)
2011411 – ET DNS DNS Query for Suspicious .co.kr Domain (dns.rules)

Daily Ruleset Update Summary 11/28/2012

By | November 28th, 2012 | Categories: Daily Ruleset Update Summary

[***]          Summary:          [***]

10 new Open rules. 12 new Pro rules (10/2). Lyposit, Serenity EK, CritXPack, Samsung Admin SNMP string.

2015954 – 2015955 PDF document using /FlateDecode and a document version that doesn’t support /FlateDecode
2015956 – Serenity Exploit Kit Landing page
2015957 – 2015958 Lyposit Ransomware
2015959 Samsung SNMP Hardcoded RW SNMP string
2015960 – 2015962 Updated CritXPack Coverage
2015963 Generic Phishing sig

2805751 – 2805752 Daily Pro Trojan Coverage

[+++]          Added rules:          [+++]

Open:
2015954 – ET INFO PDF /FlateDecode and PDF version 1.0 (info.rules)
2015955 – ET CURRENT_EVENTS PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK) (current_events.rules)
2015956 – ET CURRENT_EVENTS Serenity Exploit Kit Landing Page HTML Header (current_events.rules)
2015957 – ET TROJAN Lyposit Ransomware Checkin 1 (trojan.rules)
2015958 – ET TROJAN Lyposit Ransomware Checkin 2 (trojan.rules)
2015959 – ET SNMP Samsung Printer SNMP Hardcode RW Community String (snmp.rules)
2015960 – ET CURRENT_EVENTS CritXPack Jar Request (current_events.rules)
2015961 – ET CURRENT_EVENTS CritXPack PDF Request (current_events.rules)
2015962 – ET CURRENT_EVENTS CritXPack Payload Request (current_events.rules)
2015963 – ET INFO PHISH Generic – Bank and Routing (info.rules)

Pro:
2805751 – ETPRO TROJAN Trojan-Proxy.Win32.Ranky Checkin (trojan.rules)
2805752 – ETPRO TROJAN Win32/Ksare.A / Trojan-Dropper.Win32.Mudrop.kg Checkin (trojan.rules)

[---]         Removed rules:         [---]

2008064 – ET POLICY Nginx Server with no version string – Often Hostile Traffic (policy.rules)

Daily Ruleset Update Summary 11/27/2012

By | November 28th, 2012 | Categories: Daily Ruleset Update Summary

[***]          Summary:          [***]

7 new Open rules. 16 new Pro rules (7 Open, 9 Pro). A couple of tweaks.

2015947 – 2015948 and 2015953 Piwik Backdoor access. http://piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/
2015949 – 2015950 Propack EK Java sigs http://malware.dontneedcoffee.com/2012/11/meet-propack-exploit-pack.html
2015951 Sibhost EK Java Request
2015952 Generic Phishing sig ssn[1-3]
2015783 Update to BegOP EK MZ sig. http://www.kahusecurity.com/2012/new-exploit-pack-spotted/

2805742 – 2805750 Daily Pro Trojan/Adware/Malware coverage.

[+++]          Added rules:          [+++]

Open:
2015947 – ET WEB_SPECIFIC_APPS Piwik Backdoor Access (web_specific_apps.rules)
2015948 – ET WEB_SPECIFIC_APPS Piwik Backdoor Access 2 (web_specific_apps.rules)
2015949 – ET CURRENT_EVENTS Propack Recent Jar (1) (current_events.rules)
2015950 – ET CURRENT_EVENTS Propack Payload Request (current_events.rules)
2015951 – ET CURRENT_EVENTS SibHost Jar Request (current_events.rules)
2015952 – ET CURRENT_EVENTS PHISH Generic -SSN – ssn1 ssn2 ssn3 (current_events.rules)
2015953 – ET WEB_SERVER PIWIK Backdored Version calls home (web_server.rules)

Pro:
2805742 – ETPRO TROJAN Win32.HLLW.MyBot sending info (trojan.rules)
2805743 – ETPRO TROJAN Dropper.Win32.Binder.ihv Checkin (trojan.rules)
2805744 – ETPRO MALWARE Adware.Kraddare!11iB0o+IEDU CnC 1 (malware.rules)
2805745 – ETPRO MALWARE Adware.Kraddare!11iB0o+IEDU CnC 2 (malware.rules)
2805746 – ETPRO TROJAN W32/Onlinegames.QNT!tr Checkin (trojan.rules)
2805747 – ETPRO TROJAN Win32/Zegost.B CnC (trojan.rules)
2805748 – ETPRO TROJAN TROJ_GEN.F47V1018 Checkin (trojan.rules)
2805749 – ETPRO TROJAN W32/Chinflej.AC!tr Command Response (trojan.rules)
2805750 – ETPRO MALWARE Adware.Agent.FJ Checkin (malware.rules)

[///]     Modified active rules:     [///]

Open:
2015783 – ET CURRENT_EVENTS BegOp Exploit Kit Payload (current_events.rules)

Pro:
2805219 – ETPRO MALWARE Win32/InstallMonetizer.AC Checkin (malware.rules)

Daily Ruleset Update Summary 11/26/2012

By | November 26th, 2012 | Categories: Daily Ruleset Update Summary

[***]          Summary:          [***]

18 new Open rules. 25 new Pro rules (18 Open, 7 Pro).

2015927 – 2015931 Redkit Detection Updates.
2015932 – 2015933 A couple of common BHEK URI structs
2015936 Nuclear EK detection update
2015937 PostMan Webshell
2015938 Phish Landing page
2015939 g01pack Detection update
2015940 SFTP/FTP Password Exposure http://blog.sucuri.net/2012/11/psa-sftpftp-password-exposure-via-sftp-config-json.html
2015941 – 2015946 CrimeBoss EK.

2805635 – 2805741 Daily Pro Trojan/Malware Coverage.

[+++]          Added rules:          [+++]

Open:
2015927 – ET CURRENT_EVENTS Possible RedKit /hmXX.htm(l) Landing Page – Set (current_events.rules)
2015928 – ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (1) (current_events.rules)
2015929 – ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (2) (current_events.rules)
2015930 – ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1) (current_events.rules)
2015931 – ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload Request to URI (2) (current_events.rules)
2015932 – ET CURRENT_EVENTS Blackhole 2 Landing Page (7) (current_events.rules)
2015933 – ET CURRENT_EVENTS Blackhole 2 Landing Page (8) (current_events.rules)
2015936 – ET CURRENT_EVENTS Nuclear Exploit Kit HTTP Off-port Landing Page Request (current_events.rules)
2015937 – ET WEB_SERVER WebShell – PostMan (web_server.rules)
2015938 – ET CURRENT_EVENTS Unknown Banking PHISH – Login.php?LOB=RBG (current_events.rules)
2015939 – ET CURRENT_EVENTS g01pack Exploit Kit .blogsite. Landing Page (current_events.rules)
2015940 – ET SCAN SFTP/FTP Password Exposure via sftp-config.json (scan.rules)
2015941 – ET CURRENT_EVENTS CrimeBoss – Java Exploit – Recent Jar (1) (current_events.rules)
2015942 – ET CURRENT_EVENTS CrimeBoss – Java Exploit – Recent Jar (2) (current_events.rules)
2015943 – ET CURRENT_EVENTS Crimeboss – Java Exploit – Recent Jar (3) (current_events.rules)
2015944 – ET CURRENT_EVENTS CrimeBoss – Stats Access (current_events.rules)
2015945 – ET CURRENT_EVENTS CrimeBoss – Stats Java On (current_events.rules)
2015946 – ET CURRENT_EVENTS CrimeBoss – Setup (current_events.rules)

Pro:
2805635 – ETPRO MALWARE Adware.DirectDownloader Checkin (malware.rules)
2805736 – ETPRO TROJAN Trojan.Fakesec-309 Checkin (trojan.rules)
2805737 – ETPRO TROJAN Win32.Worm.Winko.I Checkin (trojan.rules)
2805738 – ETPRO TROJAN Win32/Bublik.B Checkin 2 (trojan.rules)
2805739 – ETPRO TROJAN Email-Worm.Win32.Warezov spreading via SMTP (trojan.rules)
2805740 – ETPRO TROJAN BanBra Checkin (trojan.rules)
2805741 – ETPRO TROJAN TROJ_FAKEAV.SMNA Checkin (trojan.rules)

[///]     Modified active rules:     [///]

2015739 – ET CURRENT_EVENTS pamdql applet with obfuscated URL (current_events.rules)

[---]         Removed rules:         [---]

2805635 – ETPRO TROJAN Trojan.Kazy-237 Checkin (trojan.rules)

Daily Ruleset Update Summary 11/23/2012

By | November 23rd, 2012 | Categories: Daily Ruleset Update Summary

[***]          Summary:          [***]

5 new Open rules. 9 new Pro rules (5 Open, 4 Pro). Update for the Java exploit sig used by various EKs. Older Blackhole JS sig disabled for FPs.

2015922 – 2015923 Glazunov Java exploit/payload
2015924 – 2015926 WebShell sigs.

2805732 – 2805735 Daily Pro Trojan/Malware coverage.

[+++]          Added rules:          [+++]

Open:
2015922 – ET CURRENT_EVENTS Possible Glazunov Java exploit request /10-/5-digit (current_events.rules)
2015923 – ET CURRENT_EVENTS Possible Glazunov Java payload request /5-digit (current_events.rules)
2015924 – ET WEB_SERVER WebShell – PHP eMailer (web_server.rules)
2015925 – ET WEB_SERVER WebShell – Unknown – self-kill (web_server.rules)
2015926 – ET WEB_SERVER WebShell – Unknown – .php?x=img&img= (web_server.rules)

Pro:
2805732 – ETPRO TROJAN Backdoor Boomie.A Checkin Response/Egg Download Command (trojan.rules)
2805733 – ETPRO TROJAN Win32/Virut.BN Checkin 3 (trojan.rules)
2805734 – ETPRO TROJAN Unknown Trojan Checkin (trojan.rules)
2805735 – ETPRO TROJAN Backdoor Boomie.A Checkin Command 2 (trojan.rules)

[///]     Modified active rules:     [///]

2015887 – ET CURRENT_EVENTS Possible exploitation of CVE-2012-5076 by an exploit kit Nov 13 2012 (current_events.rules)

[---]         Removed rules:         [---]

2015525 – ET CURRENT_EVENTS Blackhole try eval prototype string splitting evasion Jul 24 2012 (current_events.rules)