Francis Trudeau | 26 Nov 01:02 2014

Daily Ruleset Update Summary 11/25/2014

 [***] Summary: [***]

 15 new Open signatures, 19 new Pro (15+4).  D-Link IP Camera vuln, Magnitude, CVE-2014-6332, BlackUnix Shellbot.

 Thanks:  Kevin Ross,  <at> abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2019798 - ET CURRENT_EVENTS Malicious Iframe Leading to EK (current_events.rules)
  2019799 - ET CURRENT_EVENTS Magnitude Flash Exploit (IE) (current_events.rules)
  2019800 - ET CURRENT_EVENTS Magnitude Flash Payload (current_events.rules)
  2019801 - ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1599) (exploit.rules)
  2019802 - ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1600) (exploit.rules)
  2019803 - ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1601) (exploit.rules)
  2019804 - ET WEB_SERVER PHP.//Input in HTTP POST (web_server.rules)
  2019805 - ET MOBILE_MALWARE Android.Stealthgenie Checkin (mobile_malware.rules)
  2019806 - ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct (Reversed) (current_events.rules)
  2019807 - ET CURRENT_EVENTS KaiXin Landing Page Nov 25 2014 (current_events.rules)
  2019808 - ET TROJAN W32/DoubleTap.APT Downloader CnC Beacon (trojan.rules)

Russell Fulton | 25 Nov 20:55 2014

likely FP for ET CURRENT_EVENTS Fake FedEX/Pony spam campaign URI Struct 2017258

FYI — I got a few — not a big deal

GET /rutorrent/plugins/tracklabels/action.php?label=Game HTTP/1.1
Host: 91.121.193.5
Connection: keep-alive
Authorization: Digest username="avenus89", realm="rutorrent", nonce="9kVWA6QIBQA=c61c8de0376299f54194e13d19c6ab1553f4ae28", uri="/rutorrent/plugins/tracklabels/action.php?label=Game", algorithm=MD5, response="f2b8293e4611c63affca488e6f59801c", qop=auth, nc=0000008f, cnonce="59a5522cfc1d654f"
Accept: image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.65 Safari/537.36
Referer: http://91.121.193.5/rutorrent/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

James Lay | 25 Nov 02:46 2014

Pulledpork 404's


Hey all,

Just did a new box and I'm getting the below for ET rules:

Use of uninitialized value $Snort in pattern match (m//) at /opt/bin/pulledpork.pl line 1855.
Use of uninitialized value $Snort in pattern match (m//) at /opt/bin/pulledpork.pl line 1859.
Checking latest MD5 for emerging.rules.tar.gz....
A 404 error occurred, please verify your filenames and urls for your tarball!
Error 404 when fetching https://rules.emergingthreats.net/emerging.rules.tar.gz.md5 at /opt/bin/pulledpork.pl line 482.
main::md5file('open-nogpl', 'emerging.rules.tar.gz', '/tmp/', 'https://rules.emergingthreats.net/') called at /opt/bin/pulledpork.pl line 1875

Anyone else seeing this?  Link is:

https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl

Thanks

James
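Added example, not part of James's post and not pulledpork's own code: the step that failed above is pulledpork fetching emerging.rules.tar.gz.md5 and comparing that sidecar digest with the MD5 of the local tarball. The functions below do the same compare offline on constructed files and keep the cases apart that the output above blurs together: a sidecar that is simply absent (what the 404 becomes locally), a sidecar that holds something other than a digest (a saved 404 page), and a digest that is present but does not match. Function names and the sidecar format assumption (the first whitespace-separated token is the hex digest, which covers both a bare digest and md5sum-style output) are mine.

```python
# Added example: offline version of the tarball-vs-.md5 sidecar compare that
# pulledpork performs. Not pulledpork's code; function names and the sidecar
# format (first token = 32 hex chars) are assumptions made for this example.
import hashlib
import os
import tempfile


class RulesetCheckError(Exception):
    """The check could not be carried out (missing file, unparseable sidecar).
    Deliberately distinct from a digest that is present but does not match."""


def md5_of_file(path: str) -> str:
    """Stream the file through MD5 so a large tarball is not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def read_sidecar_digest(path: str) -> str:
    """Return the hex digest from a .md5 sidecar (bare digest or md5sum output)."""
    if not os.path.isfile(path):
        # Locally this is what a 404 on the .md5 URL turns into.
        raise RulesetCheckError(f"sidecar not present: {path}")
    with open(path, "rb") as fh:
        tokens = fh.read().decode("ascii", errors="replace").split()
    if not tokens:
        raise RulesetCheckError(f"sidecar is empty: {path}")
    digest = tokens[0].lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        # e.g. an error page that was saved under the sidecar's name
        raise RulesetCheckError(f"sidecar does not hold an MD5 digest: {tokens[0]!r}")
    return digest


def verify_tarball(tarball: str, sidecar: str) -> bool:
    """True when the tarball's MD5 equals the sidecar digest, False on mismatch.
    Raises RulesetCheckError when the comparison cannot be made at all."""
    if not os.path.isfile(tarball):
        raise RulesetCheckError(f"tarball not present: {tarball}")
    return md5_of_file(tarball) == read_sidecar_digest(sidecar)


def make_demo_files() -> dict:
    """Constructed stand-ins for emerging.rules.tar.gz and several sidecars,
    written to a fresh temp dir. Returns their paths keyed by case."""
    d = tempfile.mkdtemp(prefix="et-md5-demo-")
    tarball = os.path.join(d, "emerging.rules.tar.gz")
    with open(tarball, "wb") as fh:
        fh.write(b'alert tcp any any -> any any (msg:"demo"; sid:1; rev:1;)\n')
    good = tarball + ".md5"
    with open(good, "w") as fh:                     # md5sum-style sidecar
        fh.write(md5_of_file(tarball) + "  emerging.rules.tar.gz\n")
    stale = os.path.join(d, "stale.md5")
    with open(stale, "w") as fh:                    # bare digest, wrong content
        fh.write("d41d8cd98f00b204e9800998ecf8427e\n")  # MD5 of the empty string
    html404 = os.path.join(d, "saved-404.md5")
    with open(html404, "w") as fh:                  # error page saved as sidecar
        fh.write("<html><body><h1>404 Not Found</h1></body></html>\n")
    return {"tarball": tarball, "good": good, "stale": stale,
            "html404": html404, "missing": os.path.join(d, "absent.md5")}


if __name__ == "__main__":
    f = make_demo_files()
    print("current sidecar :", verify_tarball(f["tarball"], f["good"]))   # True
    print("stale sidecar   :", verify_tarball(f["tarball"], f["stale"]))  # False
    for case in ("html404", "missing"):
        try:
            verify_tarball(f["tarball"], f[case])
        except RulesetCheckError as e:
            print(f"{case:<16}:", e)
```

The sidecar and the tarball come from the same server over the same HTTPS origin, so this compare detects a truncated or partial download and a stale local copy; it does not authenticate the ruleset. That property comes from the certificate check on rules.emergingthreats.net, not from the MD5.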
Francis Trudeau | 25 Nov 01:35 2014

Daily Ruleset Update Summary 11/24/2014

 [***] Summary: [***]

 19 new Open signatures, 26 new Pro (19 + 6).  CVE-2014-6332, CVE-2014-7992, CoinLocker, Win32/Spy.Agent.OLF.

 Thanks:  Kevin Ross, pckthck,  <at> abuse_ch and  <at> rmkml.

 [+++]          Added rules:          [+++]

 Open:

  2019778 - ET EXPLOIT DLSw Information Disclosure CVE-2014-7992 (exploit.rules)
  2019780 - ET TROJAN W32/CloudScout CnC Beacon (trojan.rules)
  2019781 - ET CURRENT_EVENTS AOL PHISH PayPal - Creds Phished (current_events.rules)
  2019782 - ET CURRENT_EVENTS AOL PHISH PayPal - Name Address Phished (current_events.rules)
  2019783 - ET CURRENT_EVENTS AOL PHISH PayPal - Credit Card and SSN Phished (current_events.rules)
  2019784 - ET CURRENT_EVENTS AOL PHISH PayPal - Bank Account Phished (current_events.rules)
  2019785 - ET CURRENT_EVENTS AOL PHISH PayPal - Landing Page (current_events.rules)
  2019786 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (trojan.rules)
  2019787 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (trojan.rules)
  2019788 - ET TROJAN DNS Query for Suspicious cvredirect.no-ip.net Domain - CoinLocker Domain (trojan.rules)
  2019789 - ET TROJAN HTTP Request to a *.cvredirect.no-ip.net domain - CoinLocker Domain (trojan.rules)
  2019790 - ET TROJAN DNS Query for Suspicious cvredirect.ddns.net Domain - CoinLocker Domain (trojan.rules)
  2019791 - ET TROJAN HTTP Request to a *.cvredirect.ddns.net domain - CoinLocker Domain (trojan.rules)
  2019792 - ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct URLENCODE (current_events.rules)
  2019793 - ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct HEX (current_events.rules)
  2019794 - ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct HEXC (current_events.rules)
  2019795 - ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct HEXCS (current_events.rules)
  2019796 - ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct DECC (current_events.rules)
  2019797 - ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct DECCS (current_events.rules)

 Pro:

  2809235 - ETPRO TROJAN Win32/Blaknight.A Connectivity Check (trojan.rules)
  2809237 - ETPRO TROJAN Win32/Filecoder.NCP .onion Proxy domain lookup (trojan.rules)
  2809238 - ETPRO TROJAN Win32/Spy.Agent.OLF Retrieving CnC IP - SET (trojan.rules)
  2809239 - ETPRO TROJAN Win32/Spy.Agent.OLF Retrieving CnC IP (trojan.rules)
  2809240 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.IS Checkin (mobile_malware.rules)
  2809241 - ETPRO TROJAN Win32/Carberp.B Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2805815 - ETPRO POLICY Internal Host Retrieving External IP via whatismyipaddress.com - Possible Infection (policy.rules)
  2806019 - ETPRO TROJAN Win32/Zeprox.B Checkin (trojan.rules)
  2808035 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.fe Checkin (mobile_malware.rules)

 [---]         Removed rules:         [---]
Jake Warren | 24 Nov 22:25 2014

Regin SMB Named Pipe Sig

Here's my attempt at a signature for the SMB named pipe "DC" used by Regin. Hasn't been tested.

Reference Link: http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/

alert tcp any any -> any 445 (msg:"Possible Regin SMB Named Pipe"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; distance:3; within:5; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|D|00|C|00|"; reference:url,securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/; classtype:trojan-activity; sid:xxxx; rev:1;)

Thanks,
Jake Warren
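Added example, not from Jake's post: a byte-level re-implementation of the three content: checks his rule asks for, run against a constructed SMB1 Transaction request so the conditions can be exercised offline. Two details worth seeing in code: the `distance:3; within:5` pair pins `|FF|SMB%` to offsets 4..8 (byte 0 is the NetBIOS session-message type, bytes 1..3 its length), and the pipe name is matched as UTF-16LE, so a literal backslash has to go into the rule as `\\` or as hex `|5C|` since Snort treats an unescaped `\` in content: as an escape character. Only the fields the rule inspects are laid out faithfully here; the rest of the SMB body is filler, and the function names are mine.

```python
# Added example: the match logic of the posted "Possible Regin SMB Named Pipe"
# rule, re-implemented over a constructed packet. Not Snort code and not the
# rule author's code; SMB field layout is simplified to what the rule inspects.
import struct

NBSS_SESSION_MESSAGE = 0x00                 # content:"|00|"; depth:1
SMB_MAGIC = b"\xffSMB"                      # content:"|FF|SMB%" ...
SMB_COM_TRANSACTION = 0x25                  # ... '%' is 0x25, SMB_COM_TRANSACTION
# third content: UTF-16LE "\PIPE\DC" -> 5C 00 50 00 49 00 50 00 45 00 5C 00 44 00 43 00
PIPE_NAME_PATTERN = "\\PIPE\\DC".encode("utf-16-le")


def build_smb_trans_request(pipe_name: str) -> bytes:
    """Constructed NetBIOS-over-TCP frame carrying an SMB1 Transaction request
    whose name field is the given pipe name (UTF-16LE, NUL terminated)."""
    header = SMB_MAGIC + bytes([SMB_COM_TRANSACTION]) + b"\x00" * 27   # 32-byte SMB header
    params = b"\x10" + b"\x00" * 32                                   # WordCount + filler words
    name = pipe_name.encode("utf-16-le") + b"\x00\x00"
    body = params + struct.pack("<H", len(name)) + name                # ByteCount + name
    smb = header + body
    # NetBIOS session service: 1-byte type (0x00 = session message) + 3-byte BE length
    return bytes([NBSS_SESSION_MESSAGE]) + len(smb).to_bytes(3, "big") + smb


def regin_pipe_rule_matches(payload: bytes, require_terminator: bool = False) -> bool:
    """Evaluate the rule's content: checks, in order, on one TCP payload.

    require_terminator=True additionally demands that the pipe name end right
    after "DC" (it appends |00 00| to the pattern); the posted rule does not,
    so any pipe name that merely starts with \\PIPE\\DC satisfies it."""
    # content:"|00|"; depth:1 -> byte 0 must be the NBSS session-message type
    if not payload or payload[0] != NBSS_SESSION_MESSAGE:
        return False
    # content:"|FF|SMB%"; distance:3; within:5 -> skip the 3 NBSS length bytes;
    # the 5-byte pattern must then occupy offsets 4..8 exactly
    if payload[4:9] != SMB_MAGIC + bytes([SMB_COM_TRANSACTION]):
        return False
    # third content has no distance/within, so Snort searches the whole payload
    pattern = PIPE_NAME_PATTERN + (b"\x00\x00" if require_terminator else b"")
    return pattern in payload


if __name__ == "__main__":
    pkt = build_smb_trans_request("\\PIPE\\DC")
    print(pkt[:9].hex(" "), "...", "match:", regin_pipe_rule_matches(pkt))
    print("srvsvc pipe match:", regin_pipe_rule_matches(build_smb_trans_request("\\PIPE\\srvsvc")))
```

The `require_terminator` switch is there to make one point about the posted rule: because the last content: stops at `C|00|`, the rule also fires on a longer pipe name that begins with `\PIPE\DC`. Appending `|00 00|` (the UTF-16LE terminator) to that content would pin it to the exact name, if that is the intent.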
Will Metcalf | 24 Nov 18:16 2014

Re: Coinlocker rules

I added rules into open last night for this.

Regards,

Will

On Mon, Nov 24, 2014 at 9:56 AM, Packet Hack <pckthck <at> gmail.com> wrote:
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"ET TROJAN DNS Query for Suspicious cvredirect.no-ip.net Domain - CoinLocker Domain"; content:"|0a|cvredirect|05|no-ip|03|net|00|"; fast_pattern; distance:0; nocase; classtype:misc-activity; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; sid:9100832; rev:1; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"ET TROJAN HTTP Request to a *.cvredirect.no-ip.net domain - CoinLocker Domain"; flow:to_server,established; content:"cvredirect.no-ip.net"; fast_pattern:only; classtype:bad-unknown; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; sid:9100833; rev:1; )

alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"ET TROJAN DNS Query for Suspicious cvredirect.ddns.net Domain - CoinLocker Domain"; content:"|0a|cvredirect|04|ddns|03|net|00|"; fast_pattern; distance:0; nocase; classtype:misc-activity; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; sid:9100834; rev:1; )

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"ET TROJAN HTTP Request to a *.cvredirect.ddns.net domain - CoinLocker Domain"; flow:to_server,established; content:"cvredirect.ddns.net"; fast_pattern:only; classtype:bad-unknown; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; sid:9100835; rev:1; )

-- pckthck
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs <at> lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net


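Added example, not from the thread: how the domain in each of the quoted DNS rules becomes the length-prefixed label bytes in its content:, and why a query for any host under that domain still carries those bytes (the `*.` in the HTTP rules' msg holds at the DNS layer too, without a wildcard). It also shows what the leading length byte buys: a lookalike such as xcvredirect.no-ip.net does not match, because its first label has a different length prefix. The query builder is a minimal constructed DNS header plus question; function names are mine.

```python
# Added example: DNS wire-format names versus the content: strings in the
# quoted CoinLocker rules. Not the rule author's code; constructed queries only.
import struct


def encode_qname(name: str) -> bytes:
    """DNS wire-format name: each label prefixed by its length byte, then 0x00."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"label length out of range: {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def rule_content_for(name: str) -> str:
    """Write a qname the way the quoted rules do: |len|label ... |00|."""
    labels = name.rstrip(".").split(".")
    return "".join(f"|{len(l):02x}|{l}" for l in labels) + "|00|"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed standard query (RD=1, QDCOUNT=1) for an A record."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN


def dns_rule_matches(payload: bytes, domain: str) -> bool:
    """content:"<labels>"; nocase; with no offset/depth -> case-insensitive
    search for the label bytes anywhere in the UDP payload. bytes.lower()
    touches ASCII letters only, so the length prefixes are unaffected."""
    return encode_qname(domain).lower() in payload.lower()


if __name__ == "__main__":
    for d in ("cvredirect.no-ip.net", "cvredirect.ddns.net"):
        print(rule_content_for(d))
    for q in ("cvredirect.no-ip.net", "abc.cvredirect.no-ip.net", "xcvredirect.no-ip.net"):
        print(f"{q:<28} ->", dns_rule_matches(build_dns_query(q), "cvredirect.no-ip.net"))
```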
Kevin Ross | 24 Nov 15:18 2014

SIG: ET TROJAN W32/Regin.Backdoor ICMP CnC Beacon

Info here http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf. Basically only enough information to determine a basic signature for ICMP based on hints. It has HTTP, TCP and UDP CnC channels too

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Regin.Backdoor ICMP CnC Beacon"; content:"shit"; content:"shit"; distance:0; classtype:trojan-activity; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf; sid:194881; rev:1;)

Kind Regards,
Kevin Ross
Kevin Ross | 24 Nov 10:30 2014

SIGS: W32/CloudScout.Downloader & W32/LiMo.A

I am still tracking down the infection chain but both of these were downloaded within 1 second of each other to the same client.

# https://malwr.com/analysis/NGYxYWM4NjNkZDkyNGJjODg3ZjliZWE5MTcxMDQwOTQ/ & same here hXXp://cdn[.]cloudguard[.]me/download/4/00005/CloudScout.exe
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/CloudScout.Downloader CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/QualityCheck/"; http_uri; content:".php"; http_uri; content:"User-Agent|3A| NSIS_Inetc (Mozilla)"; http_header; fast_pattern:12,20; content:"dp="; http_client_body; depth:3; content:"&sdp="; http_client_body; distance:0; content:"&a="; http_client_body; distance:0; classtype:trojan-activity; reference:md5,c732b52b245444e3f568d372ce399911; sid:1993881; rev:1;)

# https://malwr.com/analysis/OWM2ZTFiMDIxZTI1NGI2MzhjMWJkN2ZlZjg5YjljN2I/ Sample here: hXXp://www[.]girlliuxiaoqing[.]com/home/lly_omiga-plus.exe
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/LiMo.A CnC Beacon"; flow:established,to_server; content:"/v4/sof-installer/"; http_uri; content:"?action"; http_uri; classtype:trojan-activity; reference:md5,f6bb1d394919144da33bcc51ab6d81e8; sid:1993882; rev:1;)

Kind Regards,
Kevin Ross

Will Metcalf | 24 Nov 07:42 2014

Daily Ruleset Update Summary (Weekend Update) 11/23/2014

 [***]          Summary:          [***]

 5 New rules. Various Fixes. Archie, CoinVault, etc. Tks James Lay, <at> rmkml

 [+++]          Added rules:          [+++]

  2019773 - ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct b64 1 (Observed in Archie EK) (current_events.rules)
  2019774 - ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct b64 2 (Observed in Archie EK) (current_events.rules)
  2019775 - ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct b64 3 (Observed in Archie EK) (current_events.rules)
  2019776 - ET TROJAN CoinVault POST M1 (trojan.rules)
  2019777 - ET TROJAN CoinVault POST M2 (trojan.rules)


 [///]     Modified active rules:     [///]

  2018925 - ET CURRENT_EVENTS Turla/SPL EK Java Exploit Requested - /spl/ (current_events.rules)
  2019655 - ET CURRENT_EVENTS Fiesta EK Landing Nov 05 2014 (current_events.rules)
  2019768 - ET CURRENT_EVENTS Archie EK T2 PD Struct Nov 20 2014 (current_events.rules)
  2019769 - ET CURRENT_EVENTS Archie EK T2 Landing Struct Nov 20 2014 (current_events.rules)
  2019770 - ET CURRENT_EVENTS Archie EK T2 SWF Exploit Struct Nov 20 2014 (current_events.rules)
  2019765 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (current_events.rules)

 [---]         Removed rules:         [---]

  2016706 - ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page (1) (current_events.rules)
Francis Trudeau | 22 Nov 01:00 2014

Daily Ruleset Update Summary 11/21/2014

 [***] Summary: [***]

 7 new Open signatures, 14 new Pro (7 + 7).  Archie EK, Hikvision DVR Vulnerability, FlashPack.

 [+++]          Added rules:          [+++]

 Open:

  2019765 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (current_events.rules)
  2019766 - ET CURRENT_EVENTS FlashPack Flash Exploit Nov 20 2014 (current_events.rules)
  2019767 - ET TROJAN Rogue.Win32/FakePAV Checkin (trojan.rules)
  2019768 - ET CURRENT_EVENTS Archie EK T2 PD Struct Nov 20 2014 (current_events.rules)
  2019769 - ET CURRENT_EVENTS Archie EK T2 Landing Struct Nov 20 2014 (current_events.rules)
  2019770 - ET CURRENT_EVENTS Archie EK T2 SWF Exploit Struct Nov 20 2014 (current_events.rules)
  2019771 - ET TROJAN W32/AntiBreach Possible Activation Attempt (trojan.rules)

 Pro:

  2809228 - ETPRO WEB_CLIENT IE Memory Corruption Vulnerability CVE-2014-6348 (web_client.rules)
  2809229 - ETPRO MALWARE PUP Linkey.A Checkin (malware.rules)
  2809230 - ETPRO EXPLOIT Hikvision DVR Buffer Overflow Exploit Attempt CVE-2014-4878 (exploit.rules)
  2809231 - ETPRO EXPLOIT Hikvision DVR Buffer Overflow Exploit Attempt CVE-2014-4879 (exploit.rules)
  2809232 - ETPRO EXPLOIT Hikvision DVR Buffer Overflow Exploit Attempt CVE-2014-4880 (exploit.rules)
  2809233 - ETPRO WEB_SPECIFIC_APPS CM Download Manager WP Plugin Code Injection (web_specific_apps.rules)
  2809234 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.FakePrin.a Checkin (mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2808199 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.DZ Checkin (mobile_malware.rules)
Kevin Ross | 21 Nov 22:53 2014

SIGS: ET TROJAN W32/DoubleTap.APT Downloader

alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET TROJAN W32/DoubleTap.APT Downloader CnC Beacon"; flow:established,to_server; content:"|05 01 00 01 c0 b8 3c e5 00 51|"; depth:10; classtype:trojan-activity; reference:url,www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html; sid:194441; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1913 (msg:"ET TROJAN W32/DoubleTap.APT Downloader Socks5 Setup Request"; content:"|05 01 00|"; depth:3; classtype:trojan-activity; reference:url,www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html; sid:194442; rev:1;)

Kindest Regards,
Kevin Ross
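Added example, not from Kevin's post: the two byte strings in his DoubleTap rules decoded as the SOCKS5 messages they are (RFC 1928), so it is clear what each rule pins down. `|05 01 00|` is a client greeting offering exactly one authentication method, no-auth; `|05 01 00 01 c0 b8 3c e5 00 51|` is a CONNECT request with an IPv4 address and a two-byte big-endian port, which is why `depth:10` covers the whole message. The parser below is a generic one (it also handles the domain-name and IPv6 address forms, which the rules do not cover), and its function names are mine; the two byte strings are copied from the rules.

```python
# Added example: SOCKS5 (RFC 1928) greeting/request parser applied to the byte
# patterns in the posted DoubleTap rules. Not the rule author's code.
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
METHOD_NAMES = {0x00: "NO AUTHENTICATION REQUIRED", 0x02: "USERNAME/PASSWORD"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Bytes exactly as they appear in the two rules' content: options
GREETING_FROM_RULE = bytes.fromhex("05 01 00")
CONNECT_FROM_RULE = bytes.fromhex("05 01 00 01 c0 b8 3c e5 00 51")


def parse_socks5_greeting(data: bytes) -> dict:
    """Client greeting: VER | NMETHODS | METHODS[NMETHODS]."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    n = data[1]
    if len(data) < 2 + n:
        raise ValueError("truncated method list")
    return {"methods": [METHOD_NAMES.get(m, f"0x{m:02x}") for m in data[2:2 + n]]}


def parse_socks5_request(data: bytes) -> dict:
    """Client request: VER | CMD | RSV(0x00) | ATYP | DST.ADDR | DST.PORT (BE)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, rsv, atyp = data[1], data[2], data[3]
    if rsv != 0x00:
        raise ValueError("RSV must be 0x00")
    if atyp == ATYP_IPV4:
        end = 8
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated request")
        end = 5 + data[4]                       # one length byte, then the name
    elif atyp == ATYP_IPV6:
        end = 20
    else:
        raise ValueError(f"unknown ATYP 0x{atyp:02x}")
    if len(data) < end + 2:
        raise ValueError("truncated request")
    if atyp == ATYP_IPV4:
        addr = str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == ATYP_DOMAIN:
        addr = data[5:end].decode("ascii")
    else:
        addr = str(ipaddress.IPv6Address(data[4:20]))
    (port,) = struct.unpack(">H", data[end:end + 2])
    return {"cmd": CMD_NAMES.get(cmd, f"0x{cmd:02x}"), "addr": addr, "port": port}


def beacon_rule_matches(payload: bytes) -> bool:
    """content:"|05 01 00 01 c0 b8 3c e5 00 51|"; depth:10 -> those 10 bytes must
    open the payload: a CONNECT to one fixed IPv4 address and port."""
    return payload[:10] == CONNECT_FROM_RULE


def setup_rule_matches(payload: bytes) -> bool:
    """content:"|05 01 00|"; depth:3 -> any SOCKS5 greeting offering exactly one
    method, no-auth; nothing in these bytes is specific to DoubleTap."""
    return payload[:3] == GREETING_FROM_RULE


if __name__ == "__main__":
    print(parse_socks5_greeting(GREETING_FROM_RULE))
    print(parse_socks5_request(CONNECT_FROM_RULE))
```

Two things the decode makes visible. The beacon rule is tight because the CONNECT carries the destination inside the SOCKS request itself (the ten bytes decode to 192.184.60.229 port 81), so a sample that connected elsewhere or used the domain-name address form would pass it untouched. The setup rule, by contrast, has no `flow:` keyword and a three-byte pattern that any SOCKS5 client emits; the destination port 1913 is what carries it, so expect it to fire on any no-auth SOCKS5 greeting from $HOME_NET to that port.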
