Kevin Ross | 31 Aug 15:00 2015

Re: Anyone know what this is?

Hi,

I can't really tell (not having a capture doesn't really help); this one is new though, although I have 2 individual cases of this kind of traffic in the last week but no other malicious activity before or after that I can find. It probably is some kind of spam or redirection, and not having a referer field obviously doesn't mean that no redirection took place. Interesting paper on tracing such things: https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-nelms.pdf

On 31 August 2015 at 10:44, Adnan Shukor <adnan.shukor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

Is it something similar to my write up here? https://www.bluecoat.com/security-blog/2013-04-04/spam-scam-or-malware

But that was back in 2013. Recently, I only saw direct single-usage redirection.

Thanks,

--
Adnan
From: Kevin Ross
Sent: Monday, 31 August 2015 5:30 PM
Subject: [Emerging-Sigs] Anyone know what this is?

Hi,


Can anyone identify this? The first connection was an AlphaCrypt infection, but I have also seen the following top beacons to the same server from different hosts. No Referer or anything, and the status code in both cases is just a 302. Also from the hosts there is possible fraud traffic to cheaprxwebstore.com (pharmaceutical fraud) for one host and topinvestmentnews.com (gateway timeout now, but known as a phishing/fraud site according to VT) for the other. Both these domains appear on VirusTotal to be fraud related, but there is nothing else.

Also, even though a 302 is returned, there is no traffic containing this domain as a referer. So any ideas what this might be (sorry, I have no packet captures of it)? Could this be spam related, or is this more likely to be malware related, although I can't find anything in my logs which looks like a compromise of these devices? Aside from this I can't find any more malicious activity from these hosts.




Thanks,
Kevin Ross


Jeff Hammett | 29 Aug 06:47 2015

Drive by download with little/no ET coverage

I saw the below drive-by download that doesn't seem to have any ET sig coverage. I only got alerts for the EXE download. Something like this is beyond my Snort sig writing skills, but I thought I'd share in case anyone was interested in looking at it and writing sigs.

As far as I can tell the endpoint didn't get infected, but I am not yet sure. If anyone is interested in taking a look at what this is and helping a relative newb (myself) understand it better, that would be appreciated as well.

Below are Bro logs, and I can share a pcap off list.

ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	method	host	uri	referrer	user_agent	response_body_len	status_code	status_msg	resp_mime_type
1440801924	CTqoeL2EQXOl7xGjqa	192.168.1.132	62834	78.140.191.89	80	GET	onclickads.net	/apu.php?zoneid=2274&lim=12	http://acidcow.com/pics/17659-games-102-pics.html	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	13747	200	OK	text/plain
1440801965	Cd6y1c4bNCHagj9Wmi	192.168.1.132	62835	78.140.191.89	80	GET	onclickads.net	/?auction_id=6fbaf1315e5d0fed&zoneid=2274&pbk2=0c404c99a95c52847104304dd3b6c4116188197144736736397&r=/oc/han	-	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	216	200	OK	text/html
1440801966	Cs4Hvl36kPToAZYBDc	192.168.1.132	63205	54.69.14.198	80	GET	www.bestdevicedownload.com	/v9/index.html?dp=w4SMA871FOUV4ENMGT6M5618&brw=ie	http://onclickads.net/?auction_id=6fbaf1315e5d0fed&zoneid=2274&pbk2=0c404c99a95c52847104304dd3b6c4116188197144736736397&r=%2Foc%2Fhan	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	0	302	Moved Temporarily	-
1440801966	C3SxQGdLkkWFx9w1	192.168.1.132	63200	78.140.191.89	80	GET	onclickads.net	/favicon.ico	-	Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko	0	204	No Content	-
1440801966	C7jeyo4syIWmiW6Nk7	192.168.1.132	63202	54.183.156.217	80	GET	www.acoachsoft.net	/238f62c1-b000-4bc7-8d57-5ce8e57e4e7c?siteid=2274&visitor_id=99048315532	http://onclickads.net/?auction_id=6fbaf1315e5d0fed&zoneid=2274&pbk2=0c404c99a95c52847104304dd3b6c4116188197144736736397&r=%2Foc%2Fhan	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	0	302	Found	-
1440801966	C4gGQCDcrvZ8WCmU9	192.168.1.132	63207	54.230.84.39	80	GET	www.bestoa1ppsfree.com	/v9/index.html?dp=w4SMA871FOUV4ENMGT6M5618&brw=ie	http://onclickads.net/?auction_id=6fbaf1315e5d0fed&zoneid=2274&pbk2=0c404c99a95c52847104304dd3b6c4116188197144736736397&r=%2Foc%2Fhan	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	115433	200	OK	text/html
1440801966	CE3Gp323uPSeRrzmji	192.168.1.132	63210	54.230.84.39	80	GET	www.bestoa1ppsfree.com	/v9/xternal/popdl.js	http://www.bestoa1ppsfree.com/v9/index.html?dp=w4SMA871FOUV4ENMGT6M5618&brw=ie	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	150	200	OK	text/plain
1440801966	C4gGQCDcrvZ8WCmU9	192.168.1.132	63207	54.230.84.39	80	GET	www.bestoa1ppsfree.com	/v9/img/bt.jpg	http://www.bestoa1ppsfree.com/v9/index.html?dp=w4SMA871FOUV4ENMGT6M5618&brw=ie	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	5900	200	OK	image/jpeg
1440801966	CPrQ4V3wtEdcyBJBD	192.168.1.132	63213	54.230.84.39	80	GET	www.bestoa1ppsfree.com	/v9/favicon.ico	-	Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko	2462	200	OK	image/x-icon
1440801966	CTvRJy4OtPfHfshgZd	192.168.1.132	63209	54.230.84.39	80	GET	www.bestoa1ppsfree.com	/v9/xternal/external.js	http://www.bestoa1ppsfree.com/v9/index.html?dp=w4SMA871FOUV4ENMGT6M5618&brw=ie	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	2145	200	OK	text/plain
1440801966	C79CGy4npg3kZNwtlf	192.168.1.132	63212	54.230.84.39	80	GET	www.bestoa1ppsfree.com	/v9/img/f.jpg	http://www.bestoa1ppsfree.com/v9/index.html?dp=w4SMA871FOUV4ENMGT6M5618&brw=ie	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	4577	200	OK	image/jpeg
1440801966	CZhcMi3AeVUP7lsdof	192.168.1.132	63206	54.230.84.39	80	GET	www.bestoa1ppsfree.com	/v9/xternal/jquery-1.11.3.min.js	http://www.bestoa1ppsfree.com/v9/index.html?dp=w4SMA871FOUV4ENMGT6M5618&brw=ie	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	95957	200	OK	text/plain
1440801966	C79CGy4npg3kZNwtlf	192.168.1.132	63212	54.230.84.39	80	GET	www.bestoa1ppsfree.com	/v9/xternal/footer.txt	http://www.bestoa1ppsfree.com/v9/index.html?dp=w4SMA871FOUV4ENMGT6M5618&brw=ie	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	611	200	OK	application/javascript
1440801966	CuAkrh2GVfesq1kTF7	192.168.1.132	63211	54.230.84.39	80	GET	www.bestoa1ppsfree.com	/v9/img/x.jpg	http://www.bestoa1ppsfree.com/v9/index.html?dp=w4SMA871FOUV4ENMGT6M5618&brw=ie	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	1728	200	OK	image/jpeg
1440801970	CuZJ8A3d9y74QrTsYb	192.168.1.132	63216	54.148.221.176	80	GET	www.bestcleardownloads.com	/videoplayer_ie/?c=idHypAeNSuXB9rCotcIDfOA9stab6639&dp=w4SMA871FOUV4ENMGT6M5618&brw=ie	http://www.bestoa1ppsfree.com/v9/index.html?dp=w4SMA871FOUV4ENMGT6M5618&brw=ie	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	301	200	OK	text/json
1440801970	CttkgQCWD7zCTeoVl	192.168.1.132	63219	54.200.3.105	80	GET	cdn.jddfmlafmdamracsoftwarepresent.com	/c?x=9nxCJ0jTkCO0tMR3XaPkjCHLcm/eFgNCcC7D0ANJf64=&c=ChZxCRQga9/4cTXQ9mH0Yzp5eHOclzY940BhemY77LYKx5fwpw9+PynfgoCAIXyHrvAi8jXnfXII/BPpHsWXR46nShKE9WgQQLAKBUmyz+kq0+4qqkwlEKJ7jTomI4NB0w0sRPjOnFkDpTCZb7yirg==	http://www.bestoa1ppsfree.com/v9/index.html?dp=w4SMA871FOUV4ENMGT6M5618&brw=ie	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	817928	200	OK	application/x-dosexec
1440802063	CFN4qF3W1Wl3401ppk	192.168.1.132	63230	78.140.191.89	80	GET	onclickads.net	/?auction_id=6fbaf1315e5d0fed&zoneid=2274&pbk2=0c404c99a95c52847104304dd3b6c4116188197144736736397&r=/oc/han	-	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	216	200	OK	text/html
1440802064	Cht2Dq4FNYQ7QRz886	192.168.1.132	63239	78.140.191.89	80	GET	onclickads.net	/favicon.ico	-	Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko	0	204	No Content	-
1440802064	CyLp162En6tQUJVsv7	192.168.1.132	63241	54.183.104.171	80	GET	www.acoachsoft.net	/238f62c1-b000-4bc7-8d57-5ce8e57e4e7c?siteid=2274&visitor_id=88443437754	http://onclickads.net/?auction_id=6fbaf1315e5d0fed&zoneid=2274&pbk2=0c404c99a95c52847104304dd3b6c4116188197144736736397&r=%2Foc%2Fhan	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	0	302	Found	-
1440802064	C0zi4F2dZIQfvl4ivf	192.168.1.132	63245	54.230.87.128	80	GET	www.bestoa1ppsfree.com	/v9/index.html?dp=wT9ETNN6IET4PENM020MABB0&brw=ie	http://onclickads.net/?auction_id=6fbaf1315e5d0fed&zoneid=2274&pbk2=0c404c99a95c52847104304dd3b6c4116188197144736736397&r=%2Foc%2Fhan	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	115433	200	OK	text/html
1440802064	CMlOrQH46WXFbngWa	192.168.1.132	63242	52.26.87.132	80	GET	www.bestdevicedownload.com	/v9/index.html?dp=wT9ETNN6IET4PENM020MABB0&brw=ie	http://onclickads.net/?auction_id=6fbaf1315e5d0fed&zoneid=2274&pbk2=0c404c99a95c52847104304dd3b6c4116188197144736736397&r=%2Foc%2Fhan	Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko	0	302	Moved Temporarily	-

Jeff

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs <at> lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
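To see the whole path from the ad network to the EXE rather than only the EXE alert, here is an added example (not code from the post above) that walks the Referer chain backwards through Bro http.log records and lists the 302 hops that sit beside each page in the chain; the sample log is a constructed, shortened subset of the records in the post, and the TRIMMED values stand in for the long query strings.

```python
"""Walk the referrer chain behind an executable download in a Bro http.log.

Added example, not code from the original post. SAMPLE_LOG is a constructed,
shortened subset of the records Jeff pasted (long query strings trimmed, most
columns dropped). The parser is driven by the header line, so a full Bro
http.log is read the same way.
"""
from urllib.parse import unquote, urlsplit

SAMPLE_LOG = """\
#fields\tts\tuid\tid.orig_h\thost\turi\treferrer\tstatus_code\tresp_mime_type
1440801924\tCTqoeL2EQXOl7xGjqa\t192.168.1.132\tonclickads.net\t/apu.php?zoneid=2274&lim=12\thttp://acidcow.com/pics/17659-games-102-pics.html\t200\ttext/plain
1440801965\tCd6y1c4bNCHagj9Wmi\t192.168.1.132\tonclickads.net\t/?auction_id=6fbaf1315e5d0fed&zoneid=2274&r=/oc/han\t-\t200\ttext/html
1440801966\tCs4Hvl36kPToAZYBDc\t192.168.1.132\twww.bestdevicedownload.com\t/v9/index.html?dp=w4SMA871FOUV4ENMGT6M5618&brw=ie\thttp://onclickads.net/?auction_id=6fbaf1315e5d0fed&zoneid=2274&r=%2Foc%2Fhan\t302\t-
1440801966\tC4gGQCDcrvZ8WCmU9\t192.168.1.132\twww.bestoa1ppsfree.com\t/v9/index.html?dp=w4SMA871FOUV4ENMGT6M5618&brw=ie\thttp://onclickads.net/?auction_id=6fbaf1315e5d0fed&zoneid=2274&r=%2Foc%2Fhan\t200\ttext/html
1440801966\tCE3Gp323uPSeRrzmji\t192.168.1.132\twww.bestoa1ppsfree.com\t/v9/xternal/popdl.js\thttp://www.bestoa1ppsfree.com/v9/index.html?dp=w4SMA871FOUV4ENMGT6M5618&brw=ie\t200\ttext/plain
1440801970\tCttkgQCWD7zCTeoVl\t192.168.1.132\tcdn.jddfmlafmdamracsoftwarepresent.com\t/c?x=TRIMMED&c=TRIMMED\thttp://www.bestoa1ppsfree.com/v9/index.html?dp=w4SMA871FOUV4ENMGT6M5618&brw=ie\t200\tapplication/x-dosexec
"""


def parse_http_log(text):
    """Parse tab-separated Bro http.log text into dicts keyed by field name.

    Accepts Bro's own '#fields' header or a bare header line like the one in
    the post; other '#' metadata lines are skipped, as are lines whose column
    count does not match the header (e.g. records wrapped by a mail client).
    """
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        cols = line.split("\t")
        if fields is None:          # bare header without the '#fields' prefix
            fields = cols
            continue
        if len(cols) == len(fields):
            records.append(dict(zip(fields, cols)))
    return records


def page_key(host, uri):
    """Canonical host+uri with percent-encoding removed, so the %2Foc%2Fhan in
    a Referer matches the /oc/han Bro logged in the requested uri."""
    return host.lower() + unquote(uri)


def referrer_key(referrer):
    """Reduce a Referer URL to the same canonical form as page_key()."""
    parts = urlsplit(referrer)
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    return page_key(parts.netloc, uri)


def referrer_chain(records, start):
    """Follow Referer headers back through earlier loads from the same client;
    returns the requests leading to `start`, oldest first (including `start`)."""
    by_key = {}
    for r in records:
        by_key.setdefault(page_key(r["host"], r["uri"]), []).append(r)
    chain, cur, visited = [start], start, {id(start)}
    while cur["referrer"] != "-":
        earlier = [c for c in by_key.get(referrer_key(cur["referrer"]), [])
                   if c["id.orig_h"] == cur["id.orig_h"]
                   and float(c["ts"]) <= float(cur["ts"])
                   and id(c) not in visited]
        if not earlier:
            break                   # the referring page was not captured
        cur = max(earlier, key=lambda c: float(c["ts"]))  # most recent earlier load
        visited.add(id(cur))
        chain.append(cur)
    chain.reverse()
    return chain


def redirectors_for(records, hop, window=2.0):
    """Hosts that answered 302 to the same client, from the same Referer and
    within `window` seconds of `hop`: the silent redirect hops beside a page."""
    if hop["referrer"] == "-":
        return []
    ref = referrer_key(hop["referrer"])
    return sorted({r["host"] for r in records
                   if r["status_code"] == "302"
                   and r["id.orig_h"] == hop["id.orig_h"]
                   and r["referrer"] != "-"
                   and referrer_key(r["referrer"]) == ref
                   and abs(float(r["ts"]) - float(hop["ts"])) <= window
                   and r["host"] != hop["host"]})


def exe_download_chains(records, mime="application/x-dosexec"):
    """Describe, for every executable download, the chain that produced it."""
    out = []
    for r in records:
        if r["resp_mime_type"] != mime:
            continue
        chain = referrer_chain(records, r)
        redirs = {h["host"]: redirectors_for(records, h) for h in chain}
        out.append({"uid": r["uid"],
                    "hosts": [h["host"] for h in chain],
                    "redirectors": {k: v for k, v in redirs.items() if v}})
    return out


if __name__ == "__main__":
    for item in exe_download_chains(parse_http_log(SAMPLE_LOG)):
        print(item["uid"], " -> ".join(item["hosts"]))
        for page, hosts in item["redirectors"].items():
            print("   302 hop(s) beside", page + ":", ", ".join(hosts))
```

The chain stops at the onclickads.net auction page because that request carried no Referer, which is exactly the gap a pcap or the earlier /apu.php request would have to fill.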

Francis Trudeau | 27 Aug 01:46 2015

Daily Ruleset Update Summary 2015/08/26

 [***] Summary: [***]

 5 new Open signatures, 36 new Pro (5 + 31).  Arid Viper APT, Linopid, Cheshire Cat.

 Thanks:  abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2021718 - ET TROJAN Bedep HTTP POST CnC Beacon 2 (trojan.rules)
  2021719 - ET TROJAN APT Cheshire Cat CnC Beacon (trojan.rules)
  2021720 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (trojan.rules)
  2021721 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (trojan.rules)
  2021722 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (trojan.rules)

 Pro:

  2812700 - ETPRO MALWARE Gigaclicks CnC Beacon (malware.rules)
  2812701 - ETPRO TROJAN Arid Viper APT Checkin 3 (trojan.rules)
  2812702 - ETPRO TROJAN Win32/Hacktool.AntiBan Activity 1 (trojan.rules)
  2812703 - ETPRO TROJAN Win32/Hacktool.AntiBan Activity 2 (trojan.rules)
  2812704 - ETPRO USER_AGENTS Suspicious User-Agent (wf-AntiBan) (user_agents.rules)
  2812705 - ETPRO TROJAN Tinybaron FTP Password (trojan.rules)
  2812706 - ETPRO TROJAN Tinybaron HTTP CnC Beacon (trojan.rules)
  2812707 - ETPRO TROJAN Linopid DNS Lookup (gameshare00.linkpc.net) (trojan.rules)
  2812708 - ETPRO TROJAN Linopid DNS Lookup (securityqc.linkpc.net) (trojan.rules)
  2812709 - ETPRO TROJAN Linopid HTTP GET CnC Beacon (trojan.rules)
  2812710 - ETPRO TROJAN Linopid HTTP CnC Beacon (trojan.rules)
  2812711 - ETPRO TROJAN Plugx and APT.9002 DNS Lookup (www.registre.instanthq.com) (trojan.rules)
  2812712 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2015-08-25 1) (trojan.rules)
  2812713 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2015-08-25 2) (trojan.rules)
  2812714 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2015-08-25 3) (trojan.rules)
  2812715 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2015-08-25 4) (trojan.rules)
  2812716 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2015-08-25 5) (trojan.rules)
  2812717 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2015-08-25 6) (trojan.rules)
  2812718 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2015-08-25 7) (trojan.rules)
  2812719 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2015-08-25 8) (trojan.rules)
  2812720 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2015-08-25 9) (trojan.rules)
  2812721 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2015-08-25 10) (trojan.rules)
  2812722 - ETPRO TROJAN Bedep Downloading Config (trojan.rules)
  2812723 - ETPRO TROJAN Bedep Downloading Config Server Response (trojan.rules)
  2812727 - ETPRO MALWARE PUA_BrowseForCause Reporting Install (malware.rules)
  2812728 - ETPRO TROJAN HTTPBrowser DNS Lookup (www.wordpress.zzux.com) (trojan.rules)
  2812729 - ETPRO TROJAN Arid Viper APT Checkin 4 (trojan.rules)
  2812730 - ETPRO TROJAN Possible AlphaCrypt Connectivity Check (trojan.rules)
  2812731 - ETPRO TROJAN Unknown Banker Dropper Checkin (trojan.rules)
  2812732 - ETPRO TROJAN EvilGrab/Vidgrab CnC Beacon (trojan.rules)
  2812733 - ETPRO MALWARE Adware.MSIL.Linkury.M Checkin (malware.rules)


 [///]     Modified active rules:     [///]

  2011124 - ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced) (malware.rules)
  2016398 - ET TROJAN Trojan.APT.9002 CnC Traffic (trojan.rules)
  2017413 - ET TROJAN EvilGrab/Vidgrab Checkin (trojan.rules)
  2019400 - ET TROJAN Possible Bedep Connectivity Check (trojan.rules)
  2019401 - ET POLICY Vulnerable Java Version 1.8.x Detected (policy.rules)
  2807941 - ETPRO TROJAN Linopid HTTP POST CnC Beacon (trojan.rules)
  2810792 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 1 (trojan.rules)
  2810793 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 2 (trojan.rules)
  2810794 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 3 (trojan.rules)
  2810795 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 4 (trojan.rules)
  2810796 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 5 (trojan.rules)
  2810797 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 6 (trojan.rules)
  2810798 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 7 (trojan.rules)
  2810799 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 8 (trojan.rules)
  2810800 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 9 (trojan.rules)
  2810801 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 10 (trojan.rules)
  2810802 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 11 (trojan.rules)
  2810803 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 12 (trojan.rules)
  2810804 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 13 (trojan.rules)
  2810805 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 14 (trojan.rules)
  2810806 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 15 (trojan.rules)
  2810807 - ETPRO TROJAN Win32/Bancos.AMF CnC Beacon 16 (trojan.rules)
  2812694 - ETPRO CURRENT_EVENTS Hunter EK Landing Flash Exploits Aug 25 2015 M1 (current_events.rules)
  2812695 - ETPRO CURRENT_EVENTS Hunter EK Landing Flash Exploits Aug 25 2015 M2 (current_events.rules)
  2812696 - ETPRO CURRENT_EVENTS Hunter EK Landing VBS Aug 25 2015 (current_events.rules)
  2812697 - ETPRO CURRENT_EVENTS Hunter EK Landing Java Exploit Redirect Aug 25 2015 (current_events.rules)

Kevin Ross | 26 Aug 23:35 2015

SIGS: ET TROJAN W32/TeslaCrypt.Ransomware

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/TeslaCrypt.Ransomware CnC Beacon"; flow:established,to_server; content:"/wp-content/themes/r.php?"; http_uri; depth:25; pcre:"/^\/wp\-content\/themes\/r\.php\?[A-Z0-9]{100,}$/U"; content:!"Referer|3A|"; http_header; content:!"Accept"; http_header; classtype:trojan-activity; reference:url,blogs.cisco.com/security/talos/teslacrypt; sid:156661; rev:1;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN W32/TeslaCrypt.Ransomware CnC Server Response"; flow:established,to_client; file_data; content:"---!!!INSERTED!!!---"; within:20; classtype:trojan-activity; reference:url,blogs.cisco.com/security/talos/teslacrypt; sid:156662; rev:1;)


Kind Regards,
Kevin Ross
Jeff Hammett | 26 Aug 01:51 2015

ET POLICY Vulnerable Java Version 1.8.x Detected

Can sig 2019401 be updated for the recently released Java 8 Update 60?

https://www.java.com/en/download/faq/release_dates.xml

Thanks

Jeff

Francis Trudeau | 25 Aug 01:14 2015

Daily Ruleset Update Summary 2015/08/24

 [***] Summary: [***]

 8 new Open signatures, 53 new Pro (8 + 45).  Magnitude EK, Nuclear EK, OnionDuke, Neutrino, PoisonIvy.

 Thanks:   @abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2021703 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (trojan.rules)
  2021704 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (trojan.rules)
  2021705 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ursnif CnC) (trojan.rules)
  2021706 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC) (trojan.rules)
  2021707 - ET CURRENT_EVENTS Magnitude EK IE Exploit Aug 23 2015 (current_events.rules)
  2021708 - ET CURRENT_EVENTS Nuclear EK IE Exploit Aug 23 2015 (current_events.rules)
  2021709 - ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444) (web_client.rules)
  2021710 - ET CURRENT_EVENTS HT SWF Exploit RIP M2 (current_events.rules)

 Pro:

  2812633 - ETPRO TROJAN CTB-Locker .onion Proxy Domain (trojan.rules)
  2812634 - ETPRO TROJAN Win32.Scar Checkin (trojan.rules)
  2812635 - ETPRO TROJAN OnionDuke CnC Beacon 1 (trojan.rules)
  2812636 - ETPRO TROJAN OnionDuke CnC Beacon 2 (trojan.rules)
  2812637 - ETPRO TROJAN OnionDuke CnC Beacon 3 (trojan.rules)
  2812638 - ETPRO TROJAN OnionDuke CnC Beacon 4 (trojan.rules)
  2812639 - ETPRO TROJAN OnionDuke CnC Beacon 5 (trojan.rules)
  2812640 - ETPRO TROJAN OnionDuke CnC Beacon 6 (trojan.rules)
  2812641 - ETPRO TROJAN OnionDuke CnC Beacon 7 (trojan.rules)
  2812642 - ETPRO TROJAN OnionDuke CnC Beacon 8 (trojan.rules)
  2812643 - ETPRO TROJAN OnionDuke CnC Beacon 9 (trojan.rules)
  2812644 - ETPRO TROJAN OnionDuke CnC Beacon 10 (trojan.rules)
  2812645 - ETPRO TROJAN Neutrino Checkin 1 (trojan.rules)
  2812646 - ETPRO TROJAN Neutrino Checkin 2 (trojan.rules)
  2812647 - ETPRO TROJAN Neutrino Failed Task (trojan.rules)
  2812648 - ETPRO TROJAN PoisonIvy Keepalive to CnC 210 (trojan.rules)
  2812649 - ETPRO TROJAN PoisonIvy Keepalive to CnC 211 (trojan.rules)
  2812650 - ETPRO MALWARE Win32/Kryptik.DUHH Variant Activity (malware.rules)
  2812651 - ETPRO MALWARE Win32/Kryptik.DUHH Variant Retrieving File (malware.rules)
  2812652 - ETPRO MALWARE Win32/Perion Toolbar PUP Config (malware.rules)
  2812653 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.JQ Checkin (mobile_malware.rules)
  2812654 - ETPRO CURRENT_EVENTS Phishing Fake Account Loading Message (current_events.rules)
  2812655 - ETPRO CURRENT_EVENTS Phishing Fake Account Loading Message 2 (current_events.rules)
  2812656 - ETPRO CURRENT_EVENTS Successful ScotiaBank Account Phish Aug 24 1 (current_events.rules)
  2812657 - ETPRO CURRENT_EVENTS Successful ScotiaBank Account Phish Aug 24 2 (current_events.rules)
  2812658 - ETPRO CURRENT_EVENTS Successful ScotiaBank Account Phish Aug 24 3 (current_events.rules)
  2812659 - ETPRO TROJAN Possible Neutrino Checkin Response (trojan.rules)
  2812660 - ETPRO CURRENT_EVENTS Likely Linux/Xorddos DDoS Attack Participation (linux.bc5j.com) (current_events.rules)
  2812661 - ETPRO CURRENT_EVENTS Likely Linux/Xorddos DDoS Attack Participation (sbss.f3322.net) (current_events.rules)
  2812662 - ETPRO CURRENT_EVENTS Likely Linux/Xorddos DDoS Attack Participation (8uc.f1122.org) (current_events.rules)
  2812663 - ETPRO TROJAN Win32/Wedots.A Retrieving Config (trojan.rules)
  2812664 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Kcuf.a Checkin (mobile_malware.rules)
  2812665 - ETPRO TROJAN Minerd Loader Beacon (trojan.rules)
  2812666 - ETPRO MOBILE_MALWARE Android/Spy.Banker.CJ Checkin (mobile_malware.rules)
  2812667 - ETPRO MOBILE_MALWARE Android/Secapk.F Checkin 3 (mobile_malware.rules)
  2812668 - ETPRO TROJAN Win32.Reconyc.eeiq Checkin (trojan.rules)
  2812669 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2015-08-24 1) (trojan.rules)
  2812670 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2015-08-24 2) (trojan.rules)
  2812671 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2015-08-24 3) (trojan.rules)
  2812672 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2015-08-24 4) (trojan.rules)
  2812673 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2015-08-24 5) (trojan.rules)
  2812674 - ETPRO TROJAN Bitcoin miner known malicious basic auth (YmVuamk6eA==) (trojan.rules)
  2812675 - ETPRO TROJAN Bitcoin miner known malicious basic auth (MzI6MQ==) (trojan.rules)
  2812676 - ETPRO TROJAN Bitcoin miner known malicious basic auth (bXl0aHhfMTExOnBhdmxha2E=) (trojan.rules)
  2812677 - ETPRO TROJAN Bitcoin miner known malicious basic auth (Y29uTFRDaW5nLjMwOnBhc3M=) (trojan.rules)
  2812678 - ETPRO TROJAN Bitcoin miner known malicious basic auth (bXl0aHhfMTQ6cGF2bGFrYQ==) (trojan.rules)


 [///]     Modified active rules:     [///]

  2810822 - ETPRO TROJAN Neutrino Checkin Response (trojan.rules)
  2811864 - ETPRO TROJAN PhilBot/Toshliph Checkin GET (trojan.rules)
  2811905 - ETPRO TROJAN PhilBot/Toshliph POST CnC Beacon (trojan.rules)


 [---]         Removed rules:         [---]

  2812340 - ETPRO WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444) (web_client.rules)

Francis Trudeau | 22 Aug 00:55 2015

Daily Ruleset Update Summary 2015/08/21

 [***] Summary: [***]

 5 new Open signatures, 47 new Pro (5 + 42).  Magnitude,
CottonCastle/Niteris, DarkComet, Innuendo.

 Thanks:  Nathan Fowler and @jaimeblascob.

 [+++]          Added rules:          [+++]

 Open:

  2021698 - ET CURRENT_EVENTS Possible Magnitude EK Landing URI Struct
Aug 21 2015 (current_events.rules)
  2021699 - ET CURRENT_EVENTS Magnitude EK Landing Aug 21 2015
(current_events.rules)
  2021700 - ET MALWARE PUA Boxore User-Agent (malware.rules)
  2021701 - ET GAMES MINECRAFT Server response inbound (games.rules)
  2021702 - ET GAMES MINECRAFT Server response outbound (games.rules)

 Pro:

  2807077 - ETPRO TROJAN Win32.Zbot.f Checkin (trojan.rules)
  2807544 - ETPRO MOBILE_MALWARE Android.Fakebank.B Checkin
(mobile_malware.rules)
  2812551 - ETPRO TROJAN Backdoor.Emdivi Checkin 4 (trojan.rules)
  2812552 - ETPRO TROJAN Win32/MGLocker CnC Checkin (trojan.rules)
  2812553 - ETPRO TROJAN Backdoor.Win32.MSIL_Bladabindi Checkin (trojan.rules)
  2812554 - ETPRO CURRENT_EVENTS CottonCastle/Niteris EK Redirector
Struct Aug 20 2015 (current_events.rules)
  2812555 - ETPRO CURRENT_EVENTS CottonCastle/Niteris EK Redirector
Struct Aug 20 2015 (current_events.rules)
  2812556 - ETPRO MOBILE_MALWARE Android/JSmsHider.O Checkin
(mobile_malware.rules)
  2812557 - ETPRO CURRENT_EVENTS Successful Adobe Online Account Phish
Aug 20 (current_events.rules)
  2812558 - ETPRO CURRENT_EVENTS Successful NY Saves Account Phish Aug
20 (current_events.rules)
  2812559 - ETPRO CURRENT_EVENTS Successful Impots.gouv.fr Phish Aug
20 1 (current_events.rules)
  2812600 - ETPRO CURRENT_EVENTS Successful Impots.gouv.fr Phish Aug
20 2 (current_events.rules)
  2812601 - ETPRO CURRENT_EVENTS Successful OWA Account Phish Aug 20
(current_events.rules)
  2812602 - ETPRO TROJAN Win32/Genasom.FO Sending Ransom Details (trojan.rules)
  2812603 - ETPRO TROJAN Win32/Genasom.FO Malicious Redirect (trojan.rules)
  2812604 - ETPRO TROJAN Win32/Genasom.FO Attempted Ransom Payment
(trojan.rules)
  2812605 - ETPRO CURRENT_EVENTS Horde Phish Landing Page Aug 21
(current_events.rules)
  2812606 - ETPRO CURRENT_EVENTS Successful Horde Account Phish Aug 21
(current_events.rules)
  2812607 - ETPRO CURRENT_EVENTS Successful Horde Phish Landing Page
Aug 21 (current_events.rules)
  2812608 - ETPRO CURRENT_EVENTS Successful UPS Account Phish Aug 21
(current_events.rules)
  2812610 - ETPRO CURRENT_EVENTS Successful RHB Bank Account Phish Aug
21 2 (current_events.rules)
  2812611 - ETPRO CURRENT_EVENTS Successful RHB Bank Account Phish Aug
21 3 (current_events.rules)
  2812612 - ETPRO CURRENT_EVENTS Successful BBVA Compass Account Phish
Aug 21 (current_events.rules)
  2812613 - ETPRO CURRENT_EVENTS Successful BBVA Compass Account Phish
Aug 21 (current_events.rules)
  2812614 - ETPRO TROJAN Win32/Citeary.D CnC Beacon 2 (trojan.rules)
  2812615 - ETPRO TROJAN Backdoor.Win32.DarkComet Screenshot Upload
Successful (trojan.rules)
  2812616 - ETPRO TROJAN Win32/Citeary.D CnC Beacon (trojan.rules)
  2812617 - ETPRO TROJAN Likely Win32/CoinMiner Retreiving Config -
Pastebin (trojan.rules)
  2812618 - ETPRO POLICY Possible Innuendo Covert DNS CnC Channel TXT
Request (policy.rules)
  2812619 - ETPRO POLICY Possible Innuendo Covert DNS CnC Channel TXT
Response (policy.rules)
  2812620 - ETPRO TROJAN Ixeshe GIF CnC Beacon (trojan.rules)
  2812621 - ETPRO TROJAN Win32/Ixeshe HTTP CnC Beacon (trojan.rules)
  2812622 - ETPRO TROJAN APT Actor SSL Cert (Observed Ixeshe and
Etumbot) (trojan.rules)
  2812623 - ETPRO TROJAN Etumbot HTTP CnC Beacon (trojan.rules)
  2812624 - ETPRO TROJAN Win32/Ixeshe HTTP CnC Beacon 2 (trojan.rules)
  2812625 - ETPRO CURRENT_EVENTS Malicious Redirect Leading to EK Aug
21 2015 T1 (current_events.rules)
  2812627 - ETPRO CURRENT_EVENTS Malicious Redirect Leading to EK Aug
21 2015 T3 (current_events.rules)
  2812628 - ETPRO CURRENT_EVENTS Malicious Redirect Leading to EK Aug
21 2015 T4 (current_events.rules)
  2812629 - ETPRO CURRENT_EVENTS BossTDS Redirect (current_events.rules)
  2812630 - ETPRO TROJAN Carbanak CnC Beacon (trojan.rules)
  2812631 - ETPRO TROJAN Win32/Wedex.AA CnC Beacon (trojan.rules)
  2812632 - ETPRO MOBILE_MALWARE Android/JSmsHider.P Checkin
(mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2003492 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake
(Mozilla/4.0) (malware.rules)
  2018194 - ET MALWARE Adware.iBryte.B Install (malware.rules)
  2018379 - ET TROJAN Ixeshe/Mecklow Checkin (trojan.rules)
  2018380 - ET TROJAN Ixeshe/Mecklow Checkin 2 (trojan.rules)
  2020895 - ET CURRENT_EVENTS Magnitude Flash Exploit (IE) M2
(current_events.rules)
  2021694 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Payload Aug 19
2015 (current_events.rules)
  2807843 - ETPRO TROJAN Ixeshe/Mecklow Checkin 3 (trojan.rules)
  2812473 - ETPRO MALWARE Win32/Toolbar.CrossRider.A Checkin 3 (malware.rules)

 [---]         Removed rules:         [---]

  2805083 - ETPRO TROJAN Ixeshe/Mecklow Checkin 3 (trojan.rules)
  2807077 - ETPRO MALWARE Win32.Zbot.f Checkin (malware.rules)
  2807544 - ETPRO TROJAN Android.Fakebank.B Checkin (trojan.rules)
  2812516 - ETPRO DOS Possible RPC Portmapper Reflected DDoS Attack
Outbound (dos.rules)
Markus Manzke | 21 Aug 14:44 2015

question on blockrules/blocklists


Hi list,

I have a question regarding some blockrules from here:
https://rules.emergingthreats.net/blockrules/

Is there some documentation about where the IPs in compromised-ips.txt
/ botcc.rules come from, how long after the initial report they
will be included, etc.?

Or is there someone I might ask directly?

cheers, mex
Jaime Blasco | 21 Aug 02:31 2015

Suggestion, Minecraft detection

Hi all,

I had someone earlier today asking me how to detect Minecraft servers. I took a quick look and came out with this:


# The server status response starts with the JSON text '{"' (|7B 22|) within the first few payload bytes.
alert tcp $EXTERNAL_NET 25565 -> $HOME_NET any (msg:"MINECRAFT Server response inbound"; content:"|7B 22|"; depth:10; classtype:policy-violation; sid:11111111; rev:1;)

alert tcp $HOME_NET 25565 -> $EXTERNAL_NET any (msg:"MINECRAFT Server response outbound"; content:"|7B 22|"; depth:10; classtype:policy-violation; sid:11111112; rev:1;)


Easy way to test is using https://raw.githubusercontent.com/sjhilt/Nmap-NSEs/master/minecraft-info.nse

And pick a server from this list:

http://minecraftservers.org/

# nmap --script minecraft-info.nse -p 25565 play-dc.com


Starting Nmap 6.40 ( http://nmap.org ) at 2015-08-19 02:49 EDT

Nmap scan report for play-dc.com (192.99.21.125)

Host is up (0.097s latency).

rDNS record for 192.99.21.125: ns235835.ip-192-99-21.net

PORT      STATE SERVICE

25565/tcp open  minecraft

| minecraft-info: 

|   Description:          \xC2\xA76\xC2\xA7m----\xC2\xA7r\xC2\xA78[\xC2\xA77\xC2\xA7m-\xC2\xA7r \xC2\xA73\xC2\xA7lDestructioncraft\xC2\xA7r \xC2\xA77\xC2\xA7m-\xC2\xA7r\xC2\xA78]\xC2\xA76\xC2\xA7m----\xC2\xA7r                     \xC2\xA7b\xC2\xA7lJoin our amazing community today!

|   Max Players: 500

|   Players Online: 147

|   Version: BungeeCord 1.8

|_  Protocol: 47


Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds




--
_______________________________

Jaime Blasco
Vice President and Chief Scientist
www.alienvault.com
https://www.alienvault.com/open-threat-exchange
Email: jaime.blasco@...
http://twitter.com/jaimeblascob
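Added example, not part of Jaime's post or the ET ruleset: a Python parser for the 1.7+ status response that the rules above key on, showing where `|7B 22|` falls inside the first ten payload bytes, plus a constructed legacy (pre-1.7) ping reply that the content match does not cover. The status values are constructed to mirror the nmap output quoted above.

```python
import json


def write_varint(value: int) -> bytes:
    """Encode a non-negative int as a Minecraft protocol VarInt (LEB128)."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)

def read_varint(buf: bytes, pos: int = 0):
    """Decode the VarInt at buf[pos]; return (value, position after it)."""
    result, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift >= 35:
            raise ValueError("VarInt too long")

def build_status_response(status: dict) -> bytes:
    """Server -> client status response: [len][id 0x00][VarInt strlen][JSON]."""
    body = json.dumps(status, separators=(",", ":")).encode("utf-8")
    data = write_varint(0) + write_varint(len(body)) + body
    return write_varint(len(data)) + data

def parse_status_response(payload: bytes) -> dict:
    """Walk the framing and return the decoded JSON status object."""
    _length, pos = read_varint(payload, 0)
    packet_id, pos = read_varint(payload, pos)
    if packet_id != 0:
        raise ValueError("not a status response packet")
    strlen, pos = read_varint(payload, pos)
    return json.loads(payload[pos:pos + strlen].decode("utf-8"))

def rule_matches(payload: bytes, pattern: bytes = b'{"', depth: int = 10) -> bool:
    """Emulate `content:"|7B 22|"; depth:10;`: Snort only searches the
    first `depth` payload bytes, so the pattern must sit entirely there."""
    return payload[:depth].find(pattern) != -1

def summarize(payload: bytes) -> dict:
    """Fields an analyst would log from a matching response."""
    status = parse_status_response(payload)
    return {"version": status["version"]["name"],
            "protocol": status["version"]["protocol"],
            "online": status["players"]["online"],
            "max": status["players"]["max"]}

# Constructed sample; values mirror the nmap output quoted in the thread.
SAMPLE_STATUS = {"version": {"name": "BungeeCord 1.8", "protocol": 47},
                 "players": {"max": 500, "online": 147},
                 "description": {"text": "Destructioncraft"}}
SAMPLE_RESPONSE = build_status_response(SAMPLE_STATUS)

# Constructed legacy (pre-1.7) ping reply: 0xFF kick packet carrying a
# UTF-16BE string. No `{"` anywhere, so the |7B 22| rule does not see it.
LEGACY_TEXT = "\u00a71\x0047\x001.6.4\x00A server\x000\x0020"
LEGACY_RESPONSE = (b"\xff" + len(LEGACY_TEXT).to_bytes(2, "big")
                   + LEGACY_TEXT.encode("utf-16-be"))

if __name__ == "__main__":
    print(rule_matches(SAMPLE_RESPONSE), summarize(SAMPLE_RESPONSE))
```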
Francis Trudeau | 21 Aug 00:12 2015

Daily Ruleset Update Summary 2015/08/20

 [***] Summary: [***]

 1 new Open signature, 19 new Pro (1 + 18).  RPC DDoS, EXEPROXY.

 Thanks:  Kevin Ross.

 [+++]          Added rules:          [+++]

 Open:

  2021697 - ET TROJAN EXE Download Request To Wordpress Folder Likely
Malicious (trojan.rules)

 Pro:

  2812532 - ETPRO CURRENT_EVENTS Successful Poste Italiane Phish Aug
19 (current_events.rules)
  2812533 - ETPRO CURRENT_EVENTS Successful Key Bank Phish Aug 19 1
(current_events.rules)
  2812534 - ETPRO CURRENT_EVENTS Successful Key Bank Phish Aug 19 2
(current_events.rules)
  2812535 - ETPRO CURRENT_EVENTS Successful Commonwealth Bank Phish
Aug 19 1 (current_events.rules)
  2812536 - ETPRO CURRENT_EVENTS Successful Commonwealth Bank Phish
Aug 19 2 (current_events.rules)
  2812537 - ETPRO CURRENT_EVENTS Successful Commonwealth Bank Phish
Fake Error Page Aug 19 (current_events.rules)
  2812538 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Fakeapp.a Checkin
(mobile_malware.rules)
  2812539 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Fakeapp.a Download
(mobile_malware.rules)
  2812540 - ETPRO TROJAN Win32/Setaclod.A Checkin (trojan.rules)
  2812541 - ETPRO TROJAN Win32/Dynamer!ac Checkin (trojan.rules)
  2812542 - ETPRO DOS Possible RPC Portmapper Reflected DDoS Attack
Inbound (dos.rules)
  2812543 - ETPRO DOS Possible RPC Portmapper Scanning (dos.rules)
  2812544 - ETPRO DOS Possible RPC Portmapper Reflected DDoS Attack
Participation (dos.rules)
  2812545 - ETPRO MOBILE_MALWARE Android/Fadeb.K Checkin (mobile_malware.rules)
  2812546 - ETPRO CURRENT_EVENTS Successful Amazon Account Phish Aug
20 1 (current_events.rules)
  2812547 - ETPRO CURRENT_EVENTS Successful Amazon Account Phish Aug
20 2 (current_events.rules)
  2812548 - ETPRO CURRENT_EVENTS Successful Amazon Account Phish Aug
20 3 (current_events.rules)
  2812549 - ETPRO TROJAN Possible EXEPROXY SSL Cert (trojan.rules)

 [///]     Modified active rules:     [///]

  2021590 - ET CURRENT_EVENTS Job314/Neutrino Flash Exploit M1 Aug 02
2015 (IE) (current_events.rules)
  2021625 - ET TROJAN W2KM_BARTALEX August 11 2015 (trojan.rules)
  2021690 - ET TROJAN MWI Maldoc Stats Callout Aug 18 (trojan.rules)
  2021694 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Payload Aug 19
2015 (current_events.rules)
Kevin Ross | 20 Aug 17:11 2015

Dridex Warning

Hi,

Just a quick note for those watching Dridex or dealing with it (probably most of us).

The Dridex office document is described here: http://myonlinesecurity.co.uk/shared-from-docs-app-excel-xls-spreadsheet-malware/. I saw a machine get hit and didn't see a download; in analysis they found it drops the EXE directly from within it, and that is why I didn't see that usual bit.

So in this case there was no EXE download to detect; if the document gets through it seems to have everything it needs. Obviously this could be a problem given Dridex's general success already.


Kind Regards,
Kevin Ross


