Monthly Archives: November 2012

[***]          Summary:          [***]

11 new Open rules. 11 new Pro rules (11/0) Unknown EK, Vobfus, Zuponcic EK, Sibhost EK, Phsihing. A couple of updates/fixes.

2015964 – Landing URL for an Unknown EK.
2015965 – RDP Session detection used in Shylock to avoid some analysis environments.
2015968 – 2015969 VOBFUS Reliable detection for this for quite a while. These two sigs provide more coverage.
2015970 – 2015971 Zuponcic Exploit Kit
2015972 – 2015973 A couple of Phishing sigs.
2015974 – Sibhost status check

[+++]          Added rules:          [+++]

2015964 – ET CURRENT_EVENTS Unknown EK Landing URL (current_events.rules)
2015965 – ET INFO EXE SCardForgetReaderGroupA (Used in Malware Anti-Debugging) (info.rules)
2015966 – ET P2P QVOD P2P Sharing Traffic detected (udp) beacon (p2p.rules)
2015967 – ET P2P QVOD P2P Sharing Traffic detected (udp) payload (p2p.rules)
2015968 – ET TROJAN WORM_VOBFUS Checkin 1 (trojan.rules)
2015969 – ET TROJAN WORM_VOBFUS Requesting exe (trojan.rules)
2015970 – ET CURRENT_EVENTS Zuponcic EK Payload Request (current_events.rules)
2015971 – ET CURRENT_EVENTS Zuponcic EK Java Exploit Jar (current_events.rules)
2015972 – ET CURRENT_EVENTS PHISH PayPal – Account Phished (current_events.rules)
2015973 – ET CURRENT_EVENTS PHISH Gateway POST to gateway-p (current_events.rules)
2015974 – ET CURRENT_EVENTS Sibhost Status Check (current_events.rules)

[///]     Modified active rules:     [///]

2009078 – ET TROJAN Backdoor Lanfiltrator Checkin (trojan.rules)
2011409 – ET DNS DNS Query for Suspicious .co.cc Domain (dns.rules)
2011410 – ET DNS DNS Query for Suspicious .cz.cc Domain (dns.rules)
2014459 – ET P2P QVOD P2P Sharing Traffic detected (tcp) (p2p.rules)

[///]    Modified inactive rules:    [///]

2011407 – ET DNS DNS Query for Suspicious .com.ru Domain (dns.rules)
2011408 – ET DNS DNS Query for Suspicious .com.cn Domain (dns.rules)
2011411 – ET DNS DNS Query for Suspicious .co.kr Domain (dns.rules)

[***]          Summary:          [***]

10 new Open rules. 12 new Pro rules (10/2). Lyposit, Serenity EK,
CritxPack, Samsung Admin SNMP string

2015954 –  2015955 PDF document using /FlateDecode and a document
version that doesn’t support /FlateDecode
2015956 – Serenity Exploit Kit Landing page
2015957 – 2015958 Lyposit Ransomware
2015959 Samsung SNMP Hardcoded RW SNMP string
2015960 – 2015962 Updated CritXPack Coverage
2015963 Generic Phishing sig

2805751 – 2805752 Daily Pro Trojan Coverage

[+++]          Added rules:          [+++]

Open:
2015954 – ET INFO PDF /FlateDecode and PDF version 1.0 (info.rules)
2015955 – ET CURRENT_EVENTS PDF /FlateDecode and PDF version 1.1
(seen in pamdql EK) (current_events.rules)
2015956 – ET CURRENT_EVENTS Serenity Exploit Kit Landing Page HTML
Header (current_events.rules)
2015957 – ET TROJAN Lyposit Ransomware Checkin 1 (trojan.rules)
2015958 – ET TROJAN Lyposit Ransomware Checkin 2 (trojan.rules)
2015959 – ET SNMP Samsung Printer SNMP Hardcode RW Community String
(snmp.rules)
2015960 – ET CURRENT_EVENTS CritXPack Jar Request (current_events.rules)
2015961 – ET CURRENT_EVENTS CritXPack PDF Request (current_events.rules)
2015962 – ET CURRENT_EVENTS CritXPack Payload Request (current_events.rules)
2015963 – ET INFO PHISH Generic – Bank and Routing (info.rules)

Pro:
2805751 – ETPRO TROJAN Trojan-Proxy.Win32.Ranky Checkin (trojan.rules)
2805752 – ETPRO TROJAN Win32/Ksare.A /
Trojan-Dropper.Win32.Mudrop.kg Checkin (trojan.rules)

[---]         Removed rules:         [---]

2008064 – ET POLICY Nginx Server with no version string – Often
Hostile Traffic (policy.rules)

[***]          Summary:          [***]

7 new Open rules. 16 new Pro rules (7 Open 9 Pro) A couple of tweaks.

2015947-2015948 and 2015953 Piwik Backdoor access. http://piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/
2015949 – 2015950 Propack EK Java sigs http://malware.dontneedcoffee.com/2012/11/meet-propack-exploit-pack.html
2015951 Sibhost EK Java Request
2015952 Generic Phishing sig ssn[1-3]
2015783 Update to BegOP EK MZ sig. http://www.kahusecurity.com/2012/new-exploit-pack-spotted/

2805742 – 2805750 Daily Pro Trojan/Adware/Malware coverage.

[+++]          Added rules:          [+++]

Open:
2015947 – ET WEB_SPECIFIC_APPS Piwik Backdoor Access (web_specific_apps.rules)
2015948 – ET WEB_SPECIFIC_APPS Piwik Backdoor Access 2 (web_specific_apps.rules)
2015949 – ET CURRENT_EVENTS Propack Recent Jar (1) (current_events.rules)
2015950 – ET CURRENT_EVENTS Propack Payload Request (current_events.rules)
2015951 – ET CURRENT_EVENTS SibHost Jar Request (current_events.rules)
2015952 – ET CURRENT_EVENTS PHISH Generic -SSN – ssn1 ssn2 ssn3 (current_events.rules)
2015953 – ET WEB_SERVER PIWIK Backdored Version calls home (web_server.rules)

Pro:
2805742 – ETPRO TROJAN Win32.HLLW.MyBot sending info (trojan.rules)
2805743 – ETPRO TROJAN Dropper.Win32.Binder.ihv Checkin (trojan.rules)
2805744 – ETPRO MALWARE Adware.Kraddare!11iB0o+IEDU CnC 1 (malware.rules)
2805745 – ETPRO MALWARE Adware.Kraddare!11iB0o+IEDU CnC 2 (malware.rules)
2805746 – ETPRO TROJAN W32/Onlinegames.QNT!tr Checkin (trojan.rules)
2805747 – ETPRO TROJAN Win32/Zegost.B CnC (trojan.rules)
2805748 – ETPRO TROJAN TROJ_GEN.F47V1018 Checkin (trojan.rules)
2805749 – ETPRO TROJAN W32/Chinflej.AC!tr Command Response (trojan.rules)
2805750 – ETPRO MALWARE Adware.Agent.FJ Checkin (malware.rules)

[///]     Modified active rules:     [///]

Open:
2015783 – ET CURRENT_EVENTS BegOp Exploit Kit Payload (current_events.rules)

Pro:
2805219 – ETPRO MALWARE Win32/InstallMonetizer.AC Checkin (malware.rules)

[***]          Summary:          [***]

18 new Open rules. 25 new Pro rules (18 Open 7 Pro)

2015927 – 2015931 Redkit Detection Updates.
2015932 – 2015933 A couple of common BHEK URI structs
2015936 Nuclear EK detection update
2015937 PostMan Webshell
2015938 Phish Landing page
2015939 g01pack Detection update
2015940 SFTP/FTP Password Exposure http://blog.sucuri.net/2012/11/psa-sftpftp-password-exposure-via-sftp-config-json.html
2015941 – 2015946 CrimeBoss EK.

2805635 – 2805741 Daily Pro Trojan/Malware Coverage.

[+++]          Added rules:          [+++]

Open:
2015927 – ET CURRENT_EVENTS Possible RedKit /hmXX.htm(l) Landing Page – Set (current_events.rules)
2015928 – ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (1) (current_events.rules)
2015929 – ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (2) (current_events.rules)
2015930 – ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1) (current_events.rules)
2015931 – ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload Request to URI (2) (current_events.rules)
2015932 – ET CURRENT_EVENTS Blackhole 2 Landing Page (7) (current_events.rules)
2015933 – ET CURRENT_EVENTS Blackhole 2 Landing Page (8) (current_events.rules)
2015936 – ET CURRENT_EVENTS Nuclear Exploit Kit HTTP Off-port Landing Page Request (current_events.rules)
2015937 – ET WEB_SERVER WebShell – PostMan (web_server.rules)
2015938 – ET CURRENT_EVENTS Unknown Banking PHISH – Login.php?LOB=RBG (current_events.rules)
2015939 – ET CURRENT_EVENTS g01pack Exploit Kit .blogsite. Landing Page (current_events.rules)
2015940 – ET SCAN SFTP/FTP Password Exposure via sftp-config.json (scan.rules)
2015941 – ET CURRENT_EVENTS CrimeBoss – Java Exploit – Recent Jar (1) (current_events.rules)
2015942 – ET CURRENT_EVENTS CrimeBoss – Java Exploit – Recent Jar (2) (current_events.rules)
2015943 – ET CURRENT_EVENTS Crimeboss – Java Exploit – Recent Jar (3) (current_events.rules)
2015944 – ET CURRENT_EVENTS CrimeBoss – Stats Access (current_events.rules)
2015945 – ET CURRENT_EVENTS CrimeBoss – Stats Java On (current_events.rules)
2015946 – ET CURRENT_EVENTS CrimeBoss – Setup (current_events.rules)

Pro:
2805635 – ETPRO MALWARE Adware.DirectDownloader Checkin (malware.rules)
2805736 – ETPRO TROJAN Trojan.Fakesec-309 Checkin (trojan.rules)
2805737 – ETPRO TROJAN Win32.Worm.Winko.I Checkin (trojan.rules)
2805738 – ETPRO TROJAN Win32/Bublik.B Checkin 2 (trojan.rules)
2805739 – ETPRO TROJAN Email-Worm.Win32.Warezov spreading via SMTP (trojan.rules)
2805740 – ETPRO TROJAN BanBra Checkin (trojan.rules)
2805741 – ETPRO TROJAN TROJ_FAKEAV.SMNA Checkin (trojan.rules)

[///]     Modified active rules:     [///]

2015739 – ET CURRENT_EVENTS pamdql applet with obfuscated URL (current_events.rules)

[---]         Removed rules:         [---]

2805635 – ETPRO TROJAN Trojan.Kazy-237 Checkin (trojan.rules)

[***]          Summary:          [***]

5 new Open rules. 9 new Pro rules (5 Open 4 Pro).  Update for Java exploit sig used by various EK’s. Older blackhole JS sig disabled for FP’s.

2015922 – 2015923 Glazunov Java exploit/payload
2015924 – 2015926 WebShell sigs.

2805732 – 2805735 Daily Pro Trojan/Malware coverage.

[+++]          Added rules:          [+++]

Open:
2015922 – ET CURRENT_EVENTS Possible Glazunov Java exploit request /10-/5-digit (current_events.rules)
2015923 – ET CURRENT_EVENTS Possible Glazunov Java payload request /5-digit (current_events.rules)
2015924 – ET WEB_SERVER WebShell – PHP eMailer (web_server.rules)
2015925 – ET WEB_SERVER WebShell – Unknown – self-kill (web_server.rules)
2015926 – ET WEB_SERVER WebShell – Unknown – .php?x=img&img= (web_server.rules)

Pro:
2805732 – ETPRO TROJAN Backdoor Boomie.A Checkin Response/Egg Download Command (trojan.rules)
2805733 – ETPRO TROJAN Win32/Virut.BN Checkin 3 (trojan.rules)
2805734 – ETPRO TROJAN Unknown Trojan Checkin (trojan.rules)
2805735 – ETPRO TROJAN Backdoor Boomie.A Checkin Command 2 (trojan.rules)

[///]     Modified active rules:     [///]

2015887 – ET CURRENT_EVENTS Possible exploitation of CVE-2012-5076 by an exploit kit Nov 13 2012 (current_events.rules)

[---]         Removed rules:         [---]

2015525 – ET CURRENT_EVENTS Blackhole try eval prototype string splitting evasion Jul 24 2012 (current_events.rules)

[***]          Summary:          [***]

18 new Open rules. 5 new Pro rules. A couple of detection updates.

2015905 – 2015906 WSO webshell
2015917 – 2015920 C99 based webshells
2015907 – 2015914 Phishing seen along with webshell activity.
2015915 – 2015916 Cool EK Landing url
2015921 JPG CnC sig from Kevin Ross.

2805727 – 2805731 Daily Pro Trojan/Malware coverage.

[+++]          Added rules:          [+++]
Open:
2015905 – ET CURRENT_EVENTS WSO – WebShell Activity – WSO Title (current_events.rules)
2015906 – ET CURRENT_EVENTS WSO – WebShell Activity – POST structure (current_events.rules)
2015907 – ET CURRENT_EVENTS BoA -Account Phished (current_events.rules)
2015908 – ET CURRENT_EVENTS BoA – PII Phished (current_events.rules)
2015909 – ET CURRENT_EVENTS – BoA – Creds Phished (current_events.rules)
2015910 – ET CURRENT_EVENTS Remax – AOL Creds (current_events.rules)
2015911 – ET CURRENT_EVENTS Remax – Yahoo Creds (current_events.rules)
2015912 – ET CURRENT_EVENTS Remax – Gmail Creds (current_events.rules)
2015913 – ET CURRENT_EVENTS Remax – Hotmail Creds (current_events.rules)
2015914 – ET CURRENT_EVENTS Remax – Other Creds (current_events.rules)
2015915 – ET CURRENT_EVENTS CoolEK Landing Pattern (1) (current_events.rules)
2015916 – ET CURRENT_EVENTS CoolEK Landing Pattern (2) (current_events.rules)
2015917 – ET WEB_SERVER WebShell – D.K – Title (web_server.rules)
2015918 – ET WEB_SERVER WebShell – Generic – c99shell based header (web_server.rules)
2015919 – ET WEB_SERVER WebShell – Generic – c99shell based header w/colons (web_server.rules)
2015920 – ET WEB_SERVER WebShell – Generic – c99shell based POST structure w/multipart (web_server.rules)
2015921 – ET CURRENT_EVENTS Spam Campaign JPG CnC Link (current_events.rules)

Pro:
2805727 – ETPRO TROJAN Win32/Zlob.W Checkin (trojan.rules)
2805728 – ETPRO TROJAN Unknown Trojan Checkin (trojan.rules)
2805729 – ETPRO TROJAN liquid backdoor Checkin (trojan.rules)
2805730 – ETPRO TROJAN Trojan-Downloader.Win32.Zlob.bv Checkin (trojan.rules)
2805731 – ETPRO TROJAN Trojan-PSW.Win32.QQDragon.y Checkin (trojan.rules)

[///]     Modified active rules:     [///]

2014938 – ET WEB_CLIENT Potential MSXML2.DOMDocument Uninitialized Memory Corruption CVE-2012-1889 (web_client.rules)
2015555 – ET WEB_CLIENT Potential MSXML2.DOMDocument.4-6.0 Uninitialized Memory Corruption CVE-2012-1889 (web_client.rules)
2015556 – ET WEB_CLIENT Potential MSXML2.DOMDocument ActiveXObject Uninitialized Memory Corruption Attempt (web_client.rules)
2015557 – ET WEB_CLIENT Potential MSXML2.FreeThreadedDOMDocument Uninitialized Memory Corruption Attempt (web_client.rules)

[/+/]     Restored rules:     [/+/]
2007728 – ET TROJAN TROJ_PROX.AFV POST (trojan.rules)

[***]          Summary:          [***]

8 new Open rules. 9 new Pro rules. A couple of fixes, 3 Kuluoz.B sigs moved from Pro to Open.

2015894 FakeAV get
2015897 flow{1,2}.php TDS redirects to evil.
2015898 – 2015900 Windows NT [1-3] seen in UA Trojans/Malware use this occasionally. We already have sigs for NT 7-9
2015901 – g01pack detection update

2805718 – 2805726 Daily Pro Trojan/Malware coverage.
[+++]          Added rules:          [+++]

Open:
2015894 – ET TROJAN Unknown FakeAV – /get/*.crp (trojan.rules)
2015895 – ET TROJAN Unknown_comee.pl – POST with stpfu in http_client_body (trojan.rules)
2015896 – ET TROJAN Unknown_comee.pl – Response from stpfu in http_client_body (trojan.rules)
2015897 – ET CURRENT_EVENTS Possible TDS Exploit Kit /flow redirect at .ru domain (current_events.rules)
2015898 – ET INFO Suspicious Windows NT version 1 User-Agent (info.rules)
2015899 – ET INFO Suspicious Windows NT version 2 User-Agent (info.rules)
2015900 – ET INFO Suspicious Windows NT version 3 User-Agent (info.rules)
2015901 – ET CURRENT_EVENTS g01pack – Landing Page – Java ClassID and 32HexChar.jar (current_events.rules)

Pro:
2805718 – ETPRO TROJAN Win32/Mitglieder.BN Checkin (trojan.rules)
2805719 – ETPRO TROJAN Trojan-Proxy.Win32.Small.ai Checkin (trojan.rules)
2805720 – ETPRO MALWARE Adware.Win32/Hotbar User-Agent (RPCriCheck) (malware.rules)
2805721 – ETPRO TROJAN Win32.Winoff Checkin (trojan.rules)
2805722 – ETPRO TROJAN Backdoor.Win32.Kbot Checkin (trojan.rules)
2805723 – ETPRO TROJAN Trojan.Winlock.7372 Checkin (trojan.rules)
2805724 – ETPRO TROJAN Win32/Small.gen!M js check-in (trojan.rules)
2805725 – ETPRO TROJAN Win32/Small.gen!M gif check (trojan.rules)
2805726 – ETPRO TROJAN Win32/Small.gen!M Possible js C2 (trojan.rules)

[///]     Modified active rules:     [///]

2009389 – ET TROJAN Tornado Pack Binary Request (trojan.rules)
2803105 – ETPRO DNS ISC BIND RRSIG RRsets Denial of Service UDP 1 (dns.rules)
2803106 – ETPRO DNS ISC BIND RRSIG RRsets Denial of Service TCP 1 (dns.rules)
2805089 – ETPRO TROJAN Backdoor.Win32.Hupigon.dpgy Checkin (trojan.rules)

[-+-]         Moved from Pro to Open:         [-+-]

Old:
2805469 – ETPRO TROJAN Win32/Kuluoz.B CnC (trojan.rules)
2805483 – ETPRO TROJAN Win32/Kuluoz.B CnC 2 (trojan.rules)
2805486 – ETPRO TROJAN Win32/Kuluoz.B CnC 3 (trojan.rules)

New:
2015902 – ET TROJAN Win32/Kuluoz.B CnC (trojan.rules)
2015903 – ET TROJAN Win32/Kuluoz.B CnC 2 (trojan.rules)
2015904 – ET TROJAN Win32/Kuluoz.B CnC 3 (trojan.rules)

[---]         Removed rules:         [---]

2001225 – ET MALWARE Statblaster Receiving New configuration (update) (malware.rules)
2007728 – ET TROJAN TROJ_PROX.AFV POST (trojan.rules)
2400018 – ET DROP Spamhaus DROP Listed Traffic Inbound (drop.rules)

[***]          Summary:          [***]

6 new Open. 17 new Pro rules. Two additional MS Tuesday sigs, CoolEK, SofosFO, Popads, Multiple fixes. 2014521 disabled (duplicate coverage). A bunch of extra char inside pcre char class clean-up.

2015888 – “Popads” Unkown Java EK
2015889  SofosFO updated detection logic
2015890 – 2015893 Additional CoolEK coverage.

2805700 – 2805717 Trojan/Malware coverage with the exception of 2805703 and  2805717 which provide additional MS Tuesday coverage.

[+++]          Added rules:          [+++]

Open:
2015888 – ET CURRENT_EVENTS Popads/Unknown Java Exploit Kit 32-32 byte hex java payload request (current_events.rules)
2015889 – ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page (current_events.rules)
2015890 – ET CURRENT_EVENTS CoolEK – Landing Page – FlashExploit (current_events.rules)
2015891 – ET CURRENT_EVENTS CoolEK – Landing Page – Title (current_events.rules)
2015892 – ET CURRENT_EVENTS CoolEK – PDF Exploit – pdf_new.php (current_events.rules)
2015893 – ET CURRENT_EVENTS CoolEK – PDF Exploit – pdf_old.php (current_events.rules)

Pro:
2805700 – ETPRO TROJAN Trojan.Win32.Agent2.fjpq Checkin (trojan.rules)
2805701 – ETPRO TROJAN Win32/Phintok.A Checkin 1 (trojan.rules)
2805702 – ETPRO TROJAN Win32/Phintok.A Checkin 2 (trojan.rules)
2805703 – ETPRO WEB_CLIENT Microsoft Excel corrupted file download invalid SerAuxErrBar BIFF record (web_client.rules)
2805704 – ETPRO TROJAN Win32/Alyak.C Checkin 1 (trojan.rules)
2805705 – ETPRO TROJAN Win32/Alyak.C Checkin 2 (trojan.rules)
2805706 – ETPRO TROJAN Win32/Alyak.C Checkin 3 (trojan.rules)
2805707 – ETPRO TROJAN Backdoor.Win32.DarkMoon.BE Checkin 1 (trojan.rules)
2805708 – ETPRO TROJAN Backdoor.Win32.DarkMoon.BE Checkin 2 (trojan.rules)
2805709 – ETPRO MALWARE Win32/InstallMate User-Agent (TixDll) (malware.rules)
2805710 – ETPRO TROJAN PSW.LdPinch.NCB Reporting via SMTP (trojan.rules)
2805711 – ETPRO TROJAN Unknown Trojan Checkin (trojan.rules)
2805712 – ETPRO TROJAN W32/Banker.ULW!tr Checkin (trojan.rules)
2805714 – ETPRO TROJAN Win32/Tinxy.A / Worm.Win32.Koobface Checkin (trojan.rules)
2805715 – ETPRO TROJAN Trojan.Win32.Agent.angq / Worm.Win32.Koobface Checkin (trojan.rules)
2805716 – ETPRO TROJAN Unknown Trojan Checkin (trojan.rules)
2805717 – ETPRO WEB_CLIENT Microsoft Internet Explorer CTreeNode Use After Free (web_client.rules)

[///]     Modified active rules:     [///]

Open:
2012102 – ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow (activex.rules)
2012133 – ET ACTIVEX FathFTP 1.8 EnumFiles Method ActiveX Buffer Overflow (activex.rules)
2012134 – ET ACTIVEX SigPlus Pro 3.74 ActiveX LCDWriteString Method Remote Buffer Overflow (activex.rules)
2012145 – ET ACTIVEX Netcraft Toolbar Remote Code Execution (activex.rules)
2012146 – ET ACTIVEX ImageShack Toolbar Remote Code Execution (activex.rules)
2012147 – ET ACTIVEX Advanced File Vault Activex Heap Spray Attempt (activex.rules)
2012148 – ET ACTIVEX dBpowerAMP Audio Player 2 FileExists Method ActiveX Buffer Overflow (activex.rules)
2014730 – ET CURRENT_EVENTS Potential FAKEAV Download a-f0-9 x16 download (current_events.rules)
2015739 – ET CURRENT_EVENTS pamdql applet with obfuscated URL (current_events.rules)
2015881 – ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page NOP String (current_events.rules)
2015882 – ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page parseInt Javascript Replace (current_events.rules)

Pro:
2805679 – ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free (web_client.rules)

[---]  Disabled and modified rules:  [---]

2014599 – ET TROJAN Mac Flashback Checkin 3 (trojan.rules)

[---]         Removed rules:         [---]

2008766 – ET TROJAN Generic Downloader Checkin Url Detected (trojan.rules)
2014521 – ET CURRENT_EVENTS Possible Blackhole Landing to 8 chr folder plus index.html (current_events.rules)