Monthly Archives: May 2013


Daily Ruleset Update Summary 05/31/2013

May 31st, 2013 | Categories: Daily Ruleset Update Summary

[***] Summary: [***]

12 new Open rules. 19 new Pro rules (12/7), Nuclear EK, FakeAV, Apache Struts, etc.

[+++] Added rules: [+++]

Open:
2016951 – ET TROJAN Backdoor.Win32.Trup.CX Checkin 1 (trojan.rules)
2016952 – ET CURRENT_EVENTS Probable Nuclear exploit kit landing page (current_events.rules)
2016953 – ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI (exploit.rules)
2016954 – ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in client body (exploit.rules)
2016956 – ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in URI (exploit.rules)
2016957 – ET EXPLOIT Apache Struts Possible OGNL Java Exec in client body (exploit.rules)
2016958 – ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in client_body (exploit.rules)
2016959 – ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in URI (exploit.rules)
2016960 – ET TROJAN System Progressive Detection FakeAV (AuthenticAMD) (trojan.rules)
2016961 – ET TROJAN System Progressive Detection FakeAV (GenuineIntel) (trojan.rules)

Pro:
2806429 – ETPRO TROJAN Win32/Obfuscator.XY requesting soft.xml (trojan.rules)
2806430 – ETPRO TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 2 (trojan.rules)
2806431 – ETPRO TROJAN Backdoor.Win32.Runagry.cy Checkin (trojan.rules)
2806432 – ETPRO TROJAN Win32.HLLW.Autoruner1.35904 Checkin (trojan.rules)
2806433 – ETPRO TROJAN MSIL/Spy.Agent.FE Checkin (trojan.rules)
2806434 – ETPRO TROJAN MSIL/PSW.Agent.NID Checkin (trojan.rules)
2806435 – ETPRO MALWARE Adware.Eorez Checkin (malware.rules)

[///] Modified active rules: [///]

Open:
2015969 – ET TROJAN WORM_VOBFUS Requesting exe (trojan.rules)
2016730 – ET CURRENT_EVENTS Blackhole/Cool plugindetect in octal (current_events.rules)
2016801 – ET CURRENT_EVENTS Nuclear landing with obfuscated plugindetect Apr 29 2013 (current_events.rules)

Pro:
2801960 – ETPRO TROJAN Win32/Koutodoor.D Checkin (trojan.rules)
2801998 – ETPRO TROJAN Banker.Win32.Banbra.hp Reporting via SMTP (trojan.rules)
2802984 – ETPRO TROJAN Win32.Potao.A Checkin (trojan.rules)
2804865 – ETPRO POLICY IP Address Lookup online service hostip.info (policy.rules)

[---] Removed rules: [---]

Open:
2013215 – ET TROJAN W32/Alworo CnC Checkin (trojan.rules)
2013343 – ET TROJAN Backdoor W32/Phanta Checkin (trojan.rules)

Pro:
2801615 – ETPRO TROJAN Backdoor.Win32.Trup.CX Checkin 1 (trojan.rules)
2806390 – ETPRO MALWARE Win32/TrojanDownloader.Banload.SCN 2 (malware.rules)


Daily Ruleset Update Summary 05/30/2013

May 30th, 2013 | Categories: Daily Ruleset Update Summary

[***] Summary: [***]

5 new Open rules. 12 new Pro rules. Bicololo, Hupigon, Linux.Tsunami, etc.

[+++] Added rules: [+++]

Open:
2016946 – ET TROJAN Possible Win32.Bicololo Checkin (trojan.rules)
2016947 – ET TROJAN Win32.Bicololo Response 1 (trojan.rules)
2016948 – ET TROJAN Win32.Bicololo Response 2 (trojan.rules)
2016949 – ET TROJAN Possible Backdoor.Linux.Tsunami Outbound HTTP request (trojan.rules)
2016950 – ET TROJAN Possible Win32/Hupigon ip.txt with a Non-Mozilla UA (trojan.rules)

Pro:
2806389 – ETPRO TROJAN Win32/TrojanDownloader.Banload.SCN (trojan.rules)
2806423 – ETPRO TROJAN Variant.zbot Server Response (trojan.rules)
2806424 – ETPRO TROJAN Trojan.Dloader.GM Checkin (trojan.rules)
2806425 – ETPRO TROJAN Win32/Spy.Banker.ZNK Checkin (trojan.rules)
2806426 – ETPRO TROJAN Trojan.Click2.53404 Checkin (trojan.rules)
2806427 – ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.bo Checkin (mobile_malware.rules)
2806428 – ETPRO TROJAN MSIL/Dropper.XID!tr Checkin (trojan.rules)

[///] Modified active rules: [///]

2016107 – ET CURRENT_EVENTS Topic EK Requesting Jar (current_events.rules)
2016108 – ET CURRENT_EVENTS Topic EK Requesting PDF (current_events.rules)
2805454 – ETPRO TROJAN BackDoor.Pigeon.45938/Hupigon Checkin (trojan.rules)
2806414 – ETPRO TROJAN FakeAV-BT Checkin (trojan.rules)

[---] Disabled and modified rules: [---]

2803357 – ETPRO EXPLOIT Sybase Open Server Function Pointer Array Code Execution 1 (exploit.rules)
2803359 – ETPRO EXPLOIT Sybase Open Server Function Pointer Array Code Execution 3 (exploit.rules)

[---] Disabled rules: [---]

2803358 – ETPRO EXPLOIT Sybase Open Server Function Pointer Array Code Execution 2 (exploit.rules)

[---] Removed rules: [---]

2800032 – ETPRO EXPLOIT BakBone NetVault Buffer Overflow (exploit.rules)
2806389 – ETPRO MALWARE Win32/TrojanDownloader.Banload.SCN (malware.rules)


Daily Ruleset Update Summary 05/29/2013

May 29th, 2013 | Categories: Daily Ruleset Update Summary

[***] Summary: [***]

5 new Open rules. 17 new Pro rules, SofosFo, Sakura, PolyCrypt, etc.

[+++] Added rules: [+++]

Open:
2016941 – ET TROJAN W32/PolyCrypt.A Checkin (trojan.rules)
2016942 – ET CURRENT_EVENTS Sakura – Landing Page – Received May 29 2013 (current_events.rules)
2016943 – ET CURRENT_EVENTS Sakura – Payload Requested (current_events.rules)
2016944 – ET CURRENT_EVENTS HTTP connection to net78.net Free Web Hosting (Used by Various Trojans) (current_events.rules)
2016945 – ET CURRENT_EVENTS Sakura encrypted binary (2) (current_events.rules)

Pro:
2806411 – ETPRO MALWARE Suspicious User-Agent PI (malware.rules)
2806412 – ETPRO MALWARE Adware.Shopper.Q Checking 1 (malware.rules)
2806413 – ETPRO MALWARE Adware.Shopper.Q Checking 2 (malware.rules)
2806414 – ETPRO TROJAN FakeAV-BT Checkin (trojan.rules)
2806415 – ETPRO MALWARE Adware.Mutabaha.6 Checkin 1 (malware.rules)
2806416 – ETPRO MALWARE Adware.Mutabaha.6 Checkin 2 (malware.rules)
2806417 – ETPRO TROJAN Worm.Win32.Fujack.bw Checkin (trojan.rules)
2806418 – ETPRO TROJAN Trojan-Dropper.Win32.Dorifel.addq Checkin (trojan.rules)
2806419 – ETPRO TROJAN Trojan-Downloader.Win32.Dofoil.cc Checkin (trojan.rules)
2806420 – ETPRO TROJAN Win32/Alureon.CO Checkin (trojan.rules)
2806421 – ETPRO TROJAN Win32/Dofoil.E Checkin (trojan.rules)
2806422 – ETPRO TROJAN Trojan-Dropper.Win32.Dapato.bfjn Download (trojan.rules)

[///] Modified active rules: [///]

2002959 – ET TROJAN Tibs Checkin (trojan.rules)
2016706 – ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page (1) (current_events.rules)

[---] Removed rules: [---]

2803108 – ETPRO TROJAN W32/PolyCrypt.A Checkin (trojan.rules)


Daily Ruleset Update Summary 05/28/2013

May 28th, 2013 | Categories: Daily Ruleset Update Summary

[***] Summary: [***]

10 new Open rules. 26 new Pro rules (10/16). Generic SQLi, Kazy, Vobfus, BHEK, Sakura, etc.

[+++] Added rules: [+++]

Open:
2016931 – ET CURRENT_EVENTS BlackHole EK JNLP request (current_events.rules)
2016932 – ET TROJAN Spy/Infostealer.Win32.Embed.A Client Traffic (trojan.rules)
2016933 – ET CURRENT_EVENTS SUSPICIOUS Java Request to Afraid.org Top 100 Dynamic DNS Domain May 28 2013 (current_events.rules)
2016934 – ET TROJAN W32/Safe User Agent Fantasia (trojan.rules) Kevin Ross
2016935 – ET WEB_SERVER SQL Injection Select Sleep Time Delay (web_server.rules) Kevin Ross
2016936 – ET WEB_SERVER SQL Injection Local File Access Attempt Using LOAD_FILE (web_server.rules) Kevin Ross
2016937 – ET WEB_SERVER SQL Injection List Priveleges Attempt (web_server.rules) Kevin Ross
2016938 – ET MALWARE Adware.Ezula Checkin (malware.rules)
2016939 – ET TROJAN Variant.Kazy.174106 Checkin (trojan.rules)
2016940 – ET TROJAN Vobfus Check-in (trojan.rules)

Pro:
2806395 – ETPRO TROJAN DGA (16hex srv.ns-lookups.com) (trojan.rules)
2806396 – ETPRO MALWARE Adware.Softomate Checkin (malware.rules)
2806397 – ETPRO TROJAN W32/Banker.EIQTNXK!tr.spy Checkin (trojan.rules)
2806398 – ETPRO TROJAN Win32/ProxyChanger.HO Checkin (trojan.rules)
2806399 – ETPRO TROJAN TrojanDownloader Win32/Frethog.E (Response) (trojan.rules)
2806400 – ETPRO TROJAN TrojanDownloader Win32/Frethog.E (mactj.asp) (trojan.rules)
2806401 – ETPRO TROJAN TrojanDownloader Win32/Frethog.E (Safe.txt) (trojan.rules)
2806402 – ETPRO TROJAN TrojanDownloader Win32/Frethog.E (Response 2) (trojan.rules)
2806403 – ETPRO TROJAN TrojanDownloader Win32/Frethog.E (exitpop.txt) (trojan.rules)
2806404 – ETPRO TROJAN Trojan-Banker.Win32.Agent.phl Checkin (trojan.rules)
2806405 – ETPRO TROJAN Virus.Win32.Virut.ce Checkin 2 (trojan.rules)
2806406 – ETPRO TROJAN Win32/Spy.Banker.ZHN Checkin (trojan.rules)
2806407 – ETPRO TROJAN Backdoor.Win32.Delf.cin Checkin (trojan.rules)
2806408 – ETPRO TROJAN Win32/Banload.AHA Sending SPAM (trojan.rules)
2806409 – ETPRO TROJAN Win32/Ternanu.gen!A Checkin (trojan.rules)
2806410 – ETPRO TROJAN Trojan-Dropper.Win32.Small.nm (trojan.rules)

[///] Modified active rules: [///]

2001972 – ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound) (scan.rules)
2013479 – ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Outbound) (scan.rules)
2016785 – ET CURRENT_EVENTS Sakura – Java Exploit Recievied (current_events.rules)
2016786 – ET CURRENT_EVENTS Sakura – Payload Requested (current_events.rules)
2016787 – ET CURRENT_EVENTS Sakura – Payload Downloaded (current_events.rules)
2016791 – ET CURRENT_EVENTS Sakura – Landing Page – Received (current_events.rules)
2804291 – ETPRO TROJAN Win32/Anedl.A Checkin (trojan.rules)
2806274 – ETPRO POLICY Torrent Client zona.ru Install (policy.rules)

[---] Removed rules: [---]

2803903 – ETPRO TROJAN Win32/DelfInject.W Checkin (trojan.rules)


Daily Ruleset Update Summary 05/24/2013

May 24th, 2013 | Categories: Daily Ruleset Update Summary

[***] Summary: [***]

8 new Open rules. 11 new Pro rules (8/11). HellSpawn EK, KaiXin, etc.

[+++] Added rules: [+++]

Open:
2016923 – ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 1 May 24 2013 (current_events.rules)
2016924 – ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 2 May 24 2013 (current_events.rules)
2016925 – ET CURRENT_EVENTS KaiXin Exploit Landing Page 1 May 24 2013 (current_events.rules)
2016926 – ET CURRENT_EVENTS KaiXin Exploit Landing Page 2 May 24 2013 (current_events.rules)
2016927 – ET CURRENT_EVENTS HellSpawn EK Landing 1 May 24 2013 (current_events.rules)
2016928 – ET CURRENT_EVENTS HellSpawn EK Landing 2 May 24 2013 (current_events.rules)
2016929 – ET CURRENT_EVENTS Possible HellSpawn EK Fake Flash May 24 2013 (current_events.rules)
2016930 – ET CURRENT_EVENTS Possible HellSpawn EK Java Artifact May 24 2013 (current_events.rules)

Pro:
2806392 – ETPRO TROJAN Trojan-Ransom.Win32.Blocker.bczs Checkin (trojan.rules)
2806393 – ETPRO TROJAN Trojan.Siggen5.15498 Checkin (trojan.rules)
2806394 – ETPRO TROJAN Trojan.Win32.Agent.hwgs Checkin (trojan.rules)

[///] Modified active rules: [///]

2015575 – ET CURRENT_EVENTS KaiXin Exploit Kit Java Class (current_events.rules)
2016384 – ET WEB_SPECIFIC_APPS WordPress CommentLuv Plugin _ajax_nonce Parameter XSS Attempt (web_specific_apps.rules)
2016832 – ET CURRENT_EVENTS HellSpawn EK Requesting Jar (current_events.rules)

[---] Moved rules: [---]

Old:
2806284 – ETPRO TROJAN Backdoor family PCRat/Gh0st CnC traffic (trojan.rules)

New:
2016922 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (trojan.rules)