Russell Fulton | 22 Jul 22:31 2016

possible FP for ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 ( 2018784)

I can’t decide if this is an issue or not.  It depends on whether the pcre is supposed to match the post data or just the headers.

POST /malurl/api/urls/query/single HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: acs.lavasoft.com
Content-Length: 346
Expect: 100-continue

url=http://b.scorecardresearch.com/p?&c1=8&c2=6000006&c3=158087&c4=3861227&c5=35778&c6=6836406&c10=245270&cv=1.7&cj=1&rn=1469137516&r=http%3A%2F%2Fpixel.quantserve.com%2Fpixel%2Fp-cb6C0zFF7dWjI.gif%3Flabels%3Dp.6836406.3861227.0%2Ca.35778.158087.245270%2Cu.968.640x360%3Bmedia%3Dad%3Br%3D1469137516&machine_id=ce75814b-fbd9-13e0-6df4-e050e9ff199d

I suspect that this is a real hit and the “host: acs.lavasoft.com” is there to mislead.  IP owned by Cloudflare and reverse lookup times out with server not found.

This appears to be a machine owned and managed by us and probably should not be running anything from lavasoft.

Russell

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs <at> lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net

Francis Trudeau | 19 Jul 22:48 2016

Daily Ruleset Update Summary 2016/07/19

 [***] Summary: [***]

 10 new Pro signatures.  ZeusSSL/Terdot.A/Zloader, Bladabindi/njRAT, Sharik.

 Thanks:   <at> MalwareMustDie

 [+++]          Added rules:          [+++]

  2821196 - ETPRO WEB_SERVER Likely Malicious Proxy Header in Inbound HTTP Request (web_server.rules)
  2821197 - ETPRO CURRENT_EVENTS ZeusSSL/Terdot.A/Zloader Malicious SSL Cert Observed (current_events.rules)
  2821198 - ETPRO MALWARE W32/Softpulse PUP Install Failed Beacon 2 (POST) (malware.rules)
  2821199 - ETPRO TROJAN MSIL/Bladabindi/njRAT Variant Keepalive Ping (Maadawy) (trojan.rules)
  2821200 - ETPRO POLICY Observed External IP (wtfismyip) Lookup SSL Cert (Server Hello) (policy.rules)
  2821201 - ETPRO CURRENT_EVENTS Document Macro Downloading Various Malware Jul 19 (current_events.rules)
  2821202 - ETPRO TROJAN Win32.Sharik Microsoft Connectivity Check M2 (trojan.rules)
  2821203 - ETPRO CURRENT_EVENTS Earthlink Phishing Landing Jul 19 (current_events.rules)
  2821204 - ETPRO CURRENT_EVENTS Successful Earthlink Phish Jul 19 (current_events.rules)
  2821205 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.BVN Checkin (mobile_malware.rules)


 [///]     Modified active rules:     [///]

  2814684 - ETPRO CURRENT_EVENTS Malicious Redirect Leading to EK Oct 30 2015 (current_events.rules)
  2816849 - ETPRO CURRENT_EVENTS Phishing Landing via Tripod.com (set) Mar 31 (current_events.rules)
  2820334 - ETPRO POLICY Tripod/Lycos Form Submission - Possible Successful Phish (policy.rules)


James Lay | 19 Jul 17:23 2016

Rule 31971 FP

Rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit multiple exploit download request";
flow:to_server,established; urilen:>60,norm; content:"GET"; content:".. HTTP/1."; fast_pattern:only; pcre:"/\x2f[\w\x2d]*\x2e\x2e$/mU";
content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header;
flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight;
metadata:ruleset community, service http;
reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html;
classtype:trojan-activity; sid:31971; rev:6;)

Hit:
15:18:17  [1:31971:6] EXPLOIT-KIT Astrum exploit kit multiple exploit 
download request [**] [Classification: A Network Trojan was Detected] 
[Priority: 1] {TCP} x.x.x.31:36964 -> 54.214.7.76:80

Minidump:

GET /img/BAQgBEAEawAJ2THSsgosiINnMMOKPnivWKSK-WmHHLwvtmTf2TDI_GvIodQ_BC3ECFW2pB4Rc0SaWcahwD5LCxpQzMF_iWQ4FzrBHmsPmd6bPzMMiCxzSlfbe--xjlKsUxGAHQKUuu-4FaP0lhe4w9Q7YNdyLgjPcbAgTleTkNjG-QkEwLHUdHvkL_8ShmCfMeM2T3n7S4-H1imfbeKh6Yx8jflgCNQ858ep-BI_FfDJA-v4-JKKGTDrgyOyiYiZFkt0cioCGmkc2Wy7qHr2QoZbvzYXurKhmYUpaoZCmwT-0s4ZUCpxDXHVtM9X6GMvN0GH_qXUzDqtaG8AkmOYFEpsSz9r7tBteJcTy_6HiFntanl3eXlOp8o7MaY_FAj8D1tUI_R95rauArAkdaUcPHiu58Kf7uGPyFuV9tFNoFQPRzsl_J81Awg HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Microsoft Outlook 14.0.7169; ms-office; MSOffice 14)..Cookie: memclid=21b57a19-e2e0-42a2-951d-e002566897f9; nfvdid=BQFmAAEBEELUkqGYP7%2FKyVGLUWVNhVYwwGpua4oOhiyvadb1%2BjQgdDwpfFx7O0qavfWycinL7aMBDTBg4byDD1sqttlNb%2BUp
Host: beacon.netflix.com
Cache-Control: max-stale=0
Connection: Keep-Alive
Pragma: no-cache

James
rmkml | 18 Jul 20:52 2016

Offer a new sig for detecting HttpOxy vulnerability

Hi,

The http://etplc.org open source project offers a new sig for detecting the "HttpOxy" vulnerability:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC HttpOxy vulnerability HTTP Proxy header attempt";
flow:to_server,established; content:"Proxy|3A|"; nocase; http_header; pcre:"/^Proxy\x3a/Hsmi";
reference:url,httpoxy.org;
reference:cve,2016-5385; reference:cve,2016-5386; reference:cve,2016-5387;
reference:cve,2016-5388; reference:cve,2016-1000109; reference:cve,2016-1000110;
reference:url,isc.sans.edu/forums/diary/HTTP+Proxy+Header+Vulnerability+httpoxy/21271/;
classtype:misc-attack; sid:1; rev:1;)

See the references for more information.

Don't forget to check variables.

Please send any comments.

Regards
 <at> Rmkml
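An added example, not part of the etplc.org post above, showing what the signature is looking for and why it matters: a CGI-style header-to-environment mapping turns a client-supplied Proxy header into HTTP_PROXY, the hardened mapping drops it, and matches_proxy_sig applies the same header-only, case-insensitive test as the pcre. All function names and the sample request are constructed for this example.

```python
import re

# Constructed sample request (not a real capture). The header name is mixed case
# on purpose; the body line is there to show the check is header-only.
SAMPLE_REQUEST = (
    b"GET /cgi-bin/app HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"pRoXy: http://198.51.100.7:3128\r\n"
    b"Content-Length: 16\r\n"
    b"\r\n"
    b"Proxy: in body\r\n"
)

def split_request(raw):
    """Return (request_line, [(name, value), ...], body) for a raw request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers, body

def cgi_environ(headers):
    """CGI-style mapping of request headers to HTTP_* meta-variables. A client
    'Proxy' header lands in HTTP_PROXY, which several HTTP client libraries
    honour as their outbound proxy setting: that is the httpoxy problem."""
    return {"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers}

def cgi_environ_hardened(headers):
    """Mitigation: drop the Proxy header before building the environment."""
    return cgi_environ([(n, v) for n, v in headers if n.lower() != "proxy"])

def matches_proxy_sig(raw):
    """The signature's decision: 'Proxy:' at the start of a line in the header
    block, case-insensitive (pcre /^Proxy\\x3a/Hsmi); the body is ignored."""
    head = raw.partition(b"\r\n\r\n")[0]
    return re.search(rb"^Proxy\x3a", head, re.IGNORECASE | re.MULTILINE) is not None

if __name__ == "__main__":
    _, hdrs, _ = split_request(SAMPLE_REQUEST)
    print("alert:", matches_proxy_sig(SAMPLE_REQUEST))
    print("naive HTTP_PROXY:", cgi_environ(hdrs).get("HTTP_PROXY"))
    print("hardened HTTP_PROXY:", cgi_environ_hardened(hdrs).get("HTTP_PROXY"))
```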
David | 18 Jul 13:06 2016

ET MALWARE MultiPlug.J Checkin (sid 2020422)

Hi,

I have tons of FP on this alert.

hb-endpoint-elb-307841411.eu-west-1.elb.amazonaws.com/?q=Im1vbmV5dGl6ZXItMzg0NjI3gICrkwgcemltYnJhLmZyZWUuZnIECjI2MzAwAtgE9AMABBBBUFBORVhVUwZBT0wAAhw1OWJmNWY3ZTk1OWIyNRBBUFBORVhVU%2FT91DvYBPQDxgMAAAAACjMwMDEyArALtAEABBBBUFBORVhVUwZBT0wAAhw2NDgwOWVlYWI0NThiORBBUFBORVhVU5m7Fj2wC7QBkggAAAAAAA%3D%3D
hb-endpoint-elb-307841411.eu-west-1.elb.amazonaws.com/?q=Im1vbmV5dGl6ZXItMzg0NjI3gIDWgggcemltYnJhLmZyZWUuZnIECjI2MzAwAtgE9AMABBBBUFBORVhVUwZBT0wAAh42NmZjYmRjN2QwMzM4NDgQQVBQTkVYVVOmm8Q62AT0A%2FwPAAAAAAozMDAxMgKwC7QBAAQQQVBQTkVYVVMGQU9MAAIcNWM5MjBhNmQ4YzZhZTIQQVBQTkVYVVMAAAAAAACGBQIAAAAA

I can give you some other URLs if needed, all from hb-endpoint-elb-307841411.eu-west-1.elb.amazonaws.com

Thanks,

David
Andrea De Pasquale | 18 Jul 12:45 2016

Kali Linux hostname in DHCPREQUEST

Hello,
I'd like to contribute a simple signature that can catch the default
Kali Linux (https://www.kali.org/) hostname in a DHCP Request packet.

alert udp any 68 -> any 67 (msg:"ET POLICY Possible Kali Linux
hostname in DHCP Request Packet"; content:"|63 82 53 63 35 01 03|";
content:"|0c 04|kali"; distance:0; nocase; reference:url,www.kali.org;
classtype:policy-violation; sid:9999999; rev:1;)

Regards,
-- 
Andrea De Pasquale
Incident Response Team, Certego
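An added example, not from Andrea's post: a small DHCP option walker that applies the signature's two tests (Message Type 53 = DHCPREQUEST, then Host Name option 12 equal to "kali", nocase) to a constructed packet. It also makes visible a coverage limit of the signature: the |0c 04| pins the hostname length to 4 bytes, so a renamed host is not matched. All names and the packet builder are constructed for this example.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # the |63 82 53 63| in the signature
OPT_HOST_NAME = 12                   # |0c|
OPT_MSG_TYPE = 53                    # |35|
DHCPREQUEST = 3                      # |03|

def parse_dhcp_options(payload):
    """Return {code: value} for the options following the magic cookie.
    Pad (0) is skipped, End (255) stops the walk, truncated options are dropped."""
    idx = payload.find(MAGIC_COOKIE)
    if idx < 0:
        return {}
    opts, i = {}, idx + len(MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255 or i + 2 > len(payload):
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break
        opts[code] = value
        i += 2 + length
    return opts

def is_kali_dhcp_request(payload):
    """Same decision as the signature: Message Type DHCPREQUEST and a Host Name
    option that is exactly the 4 bytes 'kali' (nocase). The signature is
    stricter in one respect: it requires option 53 to be the first option."""
    opts = parse_dhcp_options(payload)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]):
        return False
    return opts.get(OPT_HOST_NAME, b"").lower() == b"kali"

def build_dhcp_payload(msg_type, hostname):
    """Constructed packet for testing (not a real capture): 236-byte BOOTP
    header with op=1, htype=1, hlen=6 and zeroed fields, then cookie + options."""
    header = struct.pack("!BBBB", 1, 1, 6, 0) + b"\x00" * 232
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_HOST_NAME, len(hostname)]) + hostname
    return header + MAGIC_COOKIE + opts + b"\xff"

if __name__ == "__main__":
    # 1 = DHCPDISCOVER, which carries the hostname too but is not a REQUEST
    for mtype, name in ((DHCPREQUEST, b"kali"), (1, b"kali"), (DHCPREQUEST, b"kali-vm")):
        print(mtype, name, is_kali_dhcp_request(build_dhcp_payload(mtype, name)))
```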
Victor Julien | 13 Jul 10:42 2016

Suricata 3.1.1 released!

We're pleased to announce *Suricata 3.1.1*.

Get the release here:
http://www.openinfosecfoundation.org/download/suricata-3.1.1.tar.gz

*Changes*

Feature #1775: Lua: SMTP-support
Bug #1419: DNS transaction handling issues
Bug #1515: Problem with Threshold.config when using more than one IP
Bug #1664: Unreplied DNS queries not logged when flow is aged out
Bug #1808: Can't set thread priority after dropping privileges.
Bug #1821: Suricata 3.1 fails to start on CentOS6
Bug #1839: suricata 3.1 configure.ac says >=libhtp-0.5.5, but >=libhtp-0.5.20 required
Bug #1840: --list-keywords and --list-app-layer-protos not working
Bug #1841: libhtp 0.5.21
Bug #1844: netmap: IPS mode doesn't set 2nd iface in promisc mode
Bug #1845: Crash on disabling an app-layer protocol when its logger is still enabled
Optimization #1846: af-packet: improve thread calculation logic
Optimization #1847: rules: don't warn on empty files

Note to PF_RING users: upgrade to 6.4.1+. It fixes a critical zero copy
issue that can lead to crashes and missed alerts/events.

*Special thanks*

CoverityScan and the Casec Bachelors group: Lauritz Prag Sømme, Levi
Tobiassen, Stian Hoel Bergseth, Vinjar Hillestad

*Known issues & missing features*

In a release candidate like this things may not be as polished yet. So
please handle with care. That said, if you encounter issues, please let
us know! As always, we are doing our best to make you aware of
continuing development and items within the engine that are not yet
complete or optimal. With this in mind, please notice the list we have
included of known items we are working on.

See http://redmine.openinfosecfoundation.org/projects/suricata/issues
for an up to date list and to report new issues. See
http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues
for a discussion and time line for the major issues.

*SuriCon 2.0*

Join us in Washington, D.C. November 9-11 for the 2nd Suricata User
Conference. http://suricon.net/

*Training & Support*

Need help installing, updating, validating and tuning Suricata? We have
trainings coming up. September 12-16 in Paris, November 7 & 8 in
Washington, D.C.: see http://suricata-ids.org/training/

For support options also see http://suricata-ids.org/support/

*About Suricata*

Suricata is a high performance Network Threat Detection, IDS, IPS and
Network Security Monitoring engine. Open Source and owned by a community
run non-profit foundation, the Open Information Security Foundation
(OISF). Suricata is developed by the OISF, its supporting vendors and
the community.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

Francis Trudeau | 12 Jul 20:59 2016

Snort 2.8.4 and Suricata 1.0 EOL

All,

Please let this email serve as official notice of Proofpoint's intention to end of life (EOL) ETPro / ETOpen signature support for the following:

Snort 2.8.4
Suricata 1.0

Support for these products will end on 2016/10/03.

On that date, both of these branches will no longer receive updates. The last exported set will still be available on the servers, but no changes or additions will be applied to these branches from that date forward.

These will be the supported versions after 2016/10/03:

Snort 2.8.6
Snort 2.9.0 and above
Suricata 1.3 and above

Please direct any non-sensitive questions to the emerging-sigs-KR6O7HwU5NEm7effSn6vN9HuzzzSOjJt@public.gmane.org list, otherwise email ftrudeau-KR6O7HwU5NEm7effSn6vN9HuzzzSOjJt@public.gmane.org

Thanks,

Francis

rmkml | 12 Jul 14:08 2016

Offer a new sig for detecting LibreOffice RTF stylesheet and superscript tokens access

Hi,

The http://etplc.org open source project offers a new sig for detecting LibreOffice RTF stylesheet and superscript tokens access:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-RTF LibreOffice stylesheet and superscript tokens access";
flow:to_client,established; file_data; content:"\\rtf1"; within:5; distance:1;
content:"\\stylesheet"; distance:0; content:"\\super"; distance:0;
reference:cve,2016-4324;
reference:url,www.talosintelligence.com/reports/TALOS-2016-0126/;
reference:bugtraq,91499; classtype:attempted-user; sid:1; rev:1;)

See the references for more information.

Don't forget to check variables.

Future plan: better if you use flowbits for checking the RTF file, and don't forget SMTP traffic...

Please send any comments.

Regards
 <at> Rmkml
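An added example, not from the etplc.org post: a small ordered-content matcher with Suricata-style distance/within semantics, run over the signature's three-content chain against constructed RTF bodies, so it is visible why `\rtf1` must sit at byte 1 and why the three tokens must appear in that order. The function names and samples are constructed for this example.

```python
def match_chain(data, chain):
    """chain: list of (pattern, distance, within), distance/within may be None.
    Each pattern is searched relative to the end of the previous match:
    'distance' skips N bytes before the search window starts, 'within' caps how
    far after that point the pattern may end (Suricata-style semantics)."""
    cursor = 0
    for pattern, distance, within in chain:
        start = cursor + (distance or 0)
        end = len(data) if within is None else start + within
        pos = data.find(pattern, start, end)
        if pos < 0:
            return False
        cursor = pos + len(pattern)
    return True

# The signature's content chain: Snort's "\\rtf1" is the literal bytes \rtf1.
RTF_CHAIN = [
    (b"\\rtf1", 1, 5),           # content:"\\rtf1"; within:5; distance:1
    (b"\\stylesheet", 0, None),  # content:"\\stylesheet"; distance:0
    (b"\\super", 0, None),       # content:"\\super"; distance:0
]

def check_rtf(data):
    """True when the file_data buffer would satisfy the signature's chain."""
    return match_chain(data, RTF_CHAIN)

# Constructed sample bodies (not real documents), with the expected verdict.
SAMPLES = {
    b"{\\rtf1\\ansi{\\stylesheet{\\s0 Normal;}}\\super x}": True,   # all three, in order
    b"{\\rtf1\\ansi \\super x}": False,                            # no \stylesheet
    b"xx{\\rtf1\\ansi{\\stylesheet}\\super}": False,               # \rtf1 not at byte 1
    b"{\\rtf1\\super{\\stylesheet}}": False,                       # wrong order
}

if __name__ == "__main__":
    for body, expected in SAMPLES.items():
        print(check_rtf(body), expected, body)
```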
Duane Howard | 12 Jul 03:10 2016

FP on sid:2019541

This stackoverflow article[0] contains the following code snippet, which triggers the alert:
function myFunction()
{
    // your code

    // stop for sometime if needed
    setTimeout(myFunction, 5000);
}


[0] http://stackoverflow.com/questions/16623852/how-to-pause-javascript-code-excution-for-2-seconds

-Duane
Francis Trudeau | 8 Jul 22:42 2016

Daily Ruleset Update Summary 2016/07/08

 [***] Summary: [***]

 17 new Pro signatures.  CryptXXX, Android.Trojan.SLocker.

 [+++]          Added rules:          [+++]

  2821004 - ETPRO POLICY DNS Query to .onion proxy Domain (paybonymans . com) (policy.rules)
  2821005 - ETPRO POLICY DNS Query to .onion proxy Domain (zmdru5 . top) (policy.rules)
  2821006 - ETPRO POLICY DNS Query to .onion proxy Domain (er48rt . win) (policy.rules)
  2821007 - ETPRO POLICY DNS Query to .onion proxy Domain (xtrvb4 . win) (policy.rules)
  2821008 - ETPRO POLICY DNS Query to .onion proxy Domain (ie7t8k . top) (policy.rules)
  2821009 - ETPRO POLICY DNS Query to .onion proxy Domain (305iot . top) (policy.rules)
  2821010 - ETPRO POLICY DNS Query to .onion proxy Domain (alri58 . win) (policy.rules)
  2821011 - ETPRO POLICY DNS Query to .onion proxy Domain (wi49ur . top) (policy.rules)
  2821012 - ETPRO POLICY DNS Query to .onion proxy Domain (dk59jg . win) (policy.rules)
  2821013 - ETPRO POLICY DNS Query to .onion proxy Domain (fkgrie . top) (policy.rules)
  2821015 - ETPRO TROJAN CryptXXX Jul 07 2016 initial checkin M2 (trojan.rules)
  2821016 - ETPRO TROJAN CryptXXX Jul 07 2016 request for ransom note 1 (trojan.rules)
  2821017 - ETPRO TROJAN CryptXXX Jul 07 2016 request for ransom note 2 (trojan.rules)
  2821018 - ETPRO TROJAN CryptXXX Jul 07 2016 request for key (trojan.rules)
  2821019 - ETPRO TROJAN CryptXXX Jul 07 2016 key download (trojan.rules)
  2821020 - ETPRO TROJAN CryptXXX Jul 07 2016 encrypting finished (trojan.rules)
  2821021 - ETPRO MOBILE_MALWARE Android.Trojan.SLocker.FH Checkin via SMTP (mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2019842 - ET WEB_CLIENT Possible Internet Explorer VBscript CVE-2014-6332 multiple redim preserve (web_client.rules)
  2022888 - ET TROJAN Malicious SSL Certificate Detected (Bancos C2) (trojan.rules)
  2022925 - ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M1 (current_events.rules)
  2815254 - ETPRO CURRENT_EVENTS Possible Nuclear EK Payload Dec 06 2015 M2 (current_events.rules)
