Daily Ruleset Update Summary 05/24/2013
[***] Summary: [***]
8 new Open rules. 11 new Pro rules (8/11). HellSpawn EK, KaiXin, etc.
[+++] Added rules: [+++]
Open:
2016923 – ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 1 May 24 2013 (current_events.rules)
2016924 – ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 2 May 24 2013 (current_events.rules)
2016925 – ET CURRENT_EVENTS KaiXin Exploit Landing Page 1 May 24 2013 (current_events.rules)
2016926 – ET CURRENT_EVENTS KaiXin Exploit Landing Page 2 May 24 2013 (current_events.rules)
2016927 – ET CURRENT_EVENTS HellSpawn EK Landing 1 May 24 2013 (current_events.rules)
2016928 – ET CURRENT_EVENTS HellSpawn EK Landing 2 May 24 2013 (current_events.rules)
2016929 – ET CURRENT_EVENTS Possible HellSpawn EK Fake Flash May 24 2013 (current_events.rules)
2016930 – ET CURRENT_EVENTS Possible HellSpawn EK Java Artifact May 24 2013 (current_events.rules)
Pro:
2806392 – ETPRO TROJAN Trojan-Ransom.Win32.Blocker.bczs Checkin (trojan.rules)
2806393 – ETPRO TROJAN Trojan.Siggen5.15498 Checkin (trojan.rules)
2806394 – ETPRO TROJAN Trojan.Win32.Agent.hwgs Checkin (trojan.rules)
[///] Modified active rules: [///]
2015575 – ET CURRENT_EVENTS KaiXin Exploit Kit Java Class (current_events.rules)
2016384 – ET WEB_SPECIFIC_APPS WordPress CommentLuv Plugin _ajax_nonce Parameter XSS Attempt (web_specific_apps.rules)
2016832 – ET CURRENT_EVENTS HellSpawn EK Requesting Jar (current_events.rules)
[---] Moved rules: [---]
Old:
2806284 – ETPRO TROJAN Backdoor family PCRat/Gh0st CnC traffic (trojan.rules)
New:
2016922 – ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (trojan.rules)
Daily Ruleset Update Summary 05/23/2013
[+++] Summary: [+++]
3 new Open rules. 8 new Pro rules (3/5). Apache Struts, Malicious Redirect. Fake/Old UA thresholding changed to type limit (2, 60) from type threshold with the same values; with type threshold we were missing some one-shot requests. Again, depending on your environment you may need to tweak these or turn them off. NGINX chunked sig modified to look for any chunk size greater than a 32-bit signed int, etc.
[+++] Added rules: [+++]
Open:
2016919 – ET CURRENT_EVENTS Malicious Redirect URL (current_events.rules)
2016920 – ET WEB_SERVER Apache Struts Possible xwork Disable Method Execution (web_server.rules)
2016921 – ET INFO Suspicious Mozilla UA with no Space after colon (info.rules)
Pro:
2806387 – ETPRO TROJAN Win32/TrojanDropper.Agent.PYN Checkin (trojan.rules)
2806388 – ETPRO TROJAN Trojan.Win32.Agent.vldg Checkin (trojan.rules)
2806389 – ETPRO MALWARE Win32/TrojanDownloader.Banload.SCN (malware.rules)
2806390 – ETPRO MALWARE Win32/TrojanDownloader.Banload.SCN 2 (malware.rules)
2806391 – ETPRO MALWARE Win32/Vog Request (malware.rules)
[///] Modified active rules: [///]
2016870 – ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. (policy.rules)
2016871 – ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4. (policy.rules)
2016872 – ET POLICY Unsupported/Fake Internet Explorer Version MSIE 3. (policy.rules)
2016873 – ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2. (policy.rules)
2016874 – ET POLICY Unsupported/Fake Internet Explorer Version MSIE 1. (policy.rules)
2016875 – ET POLICY Unsupported/Fake FireFox Version 0. (policy.rules)
2016876 – ET POLICY Unsupported/Fake FireFox Version 1. (policy.rules)
2016877 – ET POLICY Unsupported/Fake FireFox Version 2. (policy.rules)
2016878 – ET POLICY Unsupported/Fake Windows NT Version 4. (policy.rules)
2016879 – ET POLICY Unsupported/Fake Windows NT Version 5.0 (policy.rules)
2016897 – ET TROJAN Possible Win32/Gapz MSIE 9 on Windows NT 5 (trojan.rules)
2016898 – ET INFO Suspicious MSIE 10 on Windows NT 5 (info.rules)
2016918 – ET WEB_SERVER Possible NGINX Overflow CVE-2013-2028 Exploit Specific (web_server.rules)
Daily Ruleset Update Summary 05/22/2013
[+++] Summary: [+++]
7 new Open. 14 new Pro (7/7) Nginx CVE-2013-2028, More Operation Hangover, etc.
[+++] Added rules: [+++]
Open:
2016912 – ET TROJAN W32/KeyLogger.ACQH!tr Checkin (trojan.rules)
2016913 – ET TROJAN Backdoor.Win32.VB.Alsci/Dragon Eye RAT Checkin (sending user info) (trojan.rules)
2016914 – ET TROJAN Trojan.Win32.Antavmu.guw Checkin (trojan.rules)
2016915 – ET MALWARE Suspicious User Agent Smart-RTP (malware.rules)
2016916 – ET MALWARE Suspicious User Agent Custom_56562_HttpClient/VER_STR_COMMA (malware.rules)
2016917 – ET MALWARE Adware pricepeep Adware.Shopper.297 (malware.rules)
2016918 – ET WEB_SERVER Possible NGINX Overflow CVE-2013-2028 Exploit Specific (web_server.rules)
Pro:
2806380 – ETPRO TROJAN Backdoor.Win32.Polybot.A Checkin 6 (trojan.rules)
2806381 – ETPRO MALWARE Freepds related Spyware Checkin (malware.rules)
2806382 – ETPRO MALWARE Suspicious User-Agent FreePDS (malware.rules)
2806383 – ETPRO TROJAN Trojan-Downloader.Win32.Genome.dmhl Checkin (trojan.rules)
2806384 – ETPRO TROJAN Win32/Banker.AKW Checkin (trojan.rules)
2806385 – ETPRO TROJAN Loadmoney.A Checkin 4 (trojan.rules)
2806386 – ETPRO TROJAN Win32/Wecorl.gen!A Download (trojan.rules)
[///] Modified active rules: [///]
2015836 – ET CURRENT_EVENTS Blackhole 2.0 Binary Get Request (current_events.rules)
2805487 – ETPRO TROJAN Virus.Win32.Sality.gen Checkin (trojan.rules)