Russell Fulton | 3 Aug 01:43 2015

ET TROJAN Butterfly/Mariposa Bot client init connection

Hi Folks

Is anyone seeing real alerts for Mariposa these days?

I occasionally see short bursts of these alerts (e.g. 800 in about 4 minutes) from a desktop machine — not the
sort of behaviour one expects from a bot.

In this particular case the destination was a telco block in the user’s home country. I suspect some sort
of voip app.

I am wondering about retiring that sig.

Russell
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs <at> lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
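The burst pattern described above (hundreds of hits from one desktop in a few minutes, then silence) is the kind of thing worth measuring before retiring a signature. The script below is an added example, not part of the original post or of the Emerging Threats rule set: it parses constructed fast.log-style alert lines (the SID 9000001 and the hosts are made up), groups alerts by signature and source host, and reports any (signature, source) pair that fires more than a threshold number of times inside a sliding window, together with the destinations involved, so the candidate for tuning or retirement can be reviewed with its context.

```python
import re
from datetime import datetime, timedelta

# Suricata/Snort fast.log line layout (assumed from the common format):
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{6})\s+\[\*\*\]\s+"
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$"
)

MSG = "ET TROJAN Butterfly/Mariposa Bot client init connection"


def make_line(ts, sid, msg, src, dst):
    """Build one constructed fast.log line (sample data, not real alerts)."""
    return (f"{ts:%m/%d/%Y-%H:%M:%S.%f}  [**] [1:{sid}:1] {msg} [**] "
            f"[Classification: A Network Trojan was detected] [Priority: 1] "
            f"{{UDP}} {src}:51234 -> {dst}:3074")


START = datetime(2015, 8, 2, 13, 0, 0)
# Constructed sample: one desktop fires 60 alerts in 3 minutes (a burst),
# another fires 3 alerts spread over a day (steady, bot-like cadence).
SAMPLE_LOG = [make_line(START + timedelta(seconds=3 * i), 9000001, MSG,
                        "10.1.2.3", "198.51.100.7") for i in range(60)]
SAMPLE_LOG += [make_line(START + timedelta(hours=8 * i), 9000001, MSG,
                         "10.1.2.9", "203.0.113.5") for i in range(3)]


def parse(lines):
    """Yield (timestamp, sid, msg, src, dst) for every line that parses."""
    for line in lines:
        m = FAST_LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f")
            yield ts, m["sid"], m["msg"], m["src"], m["dst"]


def find_bursts(lines, window=timedelta(minutes=5), min_alerts=20):
    """Report (sid, msg, src) groups whose peak alert count in any
    `window`-long sliding interval reaches `min_alerts`."""
    by_key = {}
    for ts, sid, msg, src, dst in parse(lines):
        by_key.setdefault((sid, msg, src), []).append((ts, dst))

    bursts = []
    for (sid, msg, src), events in by_key.items():
        events.sort()
        times = [t for t, _ in events]
        start, peak = 0, 0
        for end in range(len(times)):
            # advance the window start until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_alerts:
            bursts.append({"sid": sid, "msg": msg, "src": src, "peak": peak,
                           "dsts": sorted({d for _, d in events})})
    return bursts


if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG):
        print(f"{b['src']} -> {b['dsts']}: {b['peak']} x sid {b['sid']} "
              f"within 5 min ({b['msg']})")
```

Run it against a real fast.log by replacing `SAMPLE_LOG` with the file's lines; the steady host (3 alerts in a day) is not reported, while the bursting host is, which is the distinction the post draws between bot beaconing and a chatty application.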

Kevin Ross | 31 Jul 13:38 2015

SIG: ET TROJAN W32/UnknownBackdoor CnC Beacon

Hi,

Not sure what this actually is or even what to name it, as AV detection is currently still only at 2 AVs on VT.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/UnknownBackdoor CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"/loading.php"; fast_pattern:only; http_uri; content:!"Referer|3A|"; http_header; pcre:"/^Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/H"; classtype:trojan-activity; reference:md5,5996eb3a93227785052650b9481cbbad; sid:179541; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/UnknownBackdoor CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"/gate1.php"; fast_pattern:only; http_uri; content:!"Referer|3A|"; http_header; pcre:"/^Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/H"; classtype:trojan-activity; reference:md5,5996eb3a93227785052650b9481cbbad; sid:179542; rev:1;)

Regards,
Kevin





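To see exactly what the two rules above accept and reject, here is an added example (not code from the post or from the Emerging Threats project) that re-implements their matching logic in Python over constructed HTTP requests: the method must be POST, the URI must contain the path, there must be no Referer header, and the Host header must be a bare dotted-quad IP. One caveat a reviewer would raise: with no `m` flag, the `^` in the pcre anchors at the start of the http_header buffer, so the rule only fires when Host is the first header line; the example mirrors that, and the fourth sample request shows a beacon that slips past for that reason. The sample requests, IPs and body bytes are made up for illustration.

```python
import re

# Mirrors pcre:"/^Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/H"
# (no multiline flag: ^ anchors to the start of the header block).
HOST_IS_IP = re.compile(r"^Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}")

# Constructed sample requests (not captures from the referenced sample).
MATCHING = (
    b"POST /loading.php HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Length: 25\r\n\r\n"
    b"id=0123456789abcdef&ver=1"
)
WITH_REFERER = (
    b"POST /loading.php HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Referer: http://192.0.2.10/\r\n\r\n"
)
HOSTNAME_HOST = (
    b"POST /loading.php HTTP/1.1\r\n"
    b"Host: example.com\r\n\r\n"
)
HOST_NOT_FIRST = (
    b"POST /loading.php HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Host: 192.0.2.10\r\n\r\n"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, header_block)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, _version = request_line.decode("latin-1").split(" ", 2)
    headers = "\r\n".join(h.decode("latin-1") for h in header_lines)
    return method, uri, headers


def matches_beacon(raw: bytes, uri_needle: str) -> bool:
    """Apply the shared logic of both rules for a given URI content match."""
    method, uri, headers = parse_request(raw)
    if method != "POST":              # content:"POST"; http_method;
        return False
    if uri_needle not in uri:         # content:"/...php"; http_uri;
        return False
    if "Referer:" in headers:         # content:!"Referer|3A|"; http_header;
        return False
    return HOST_IS_IP.search(headers) is not None   # pcre:"/^Host.../H"


def matches_beacon_1(raw: bytes) -> bool:
    """sid:179541 - POST to /loading.php."""
    return matches_beacon(raw, "/loading.php")


def matches_beacon_2(raw: bytes) -> bool:
    """sid:179542 - POST to /gate1.php."""
    return matches_beacon(raw, "/gate1.php")


if __name__ == "__main__":
    for name, req in [("MATCHING", MATCHING), ("WITH_REFERER", WITH_REFERER),
                      ("HOSTNAME_HOST", HOSTNAME_HOST), ("HOST_NOT_FIRST", HOST_NOT_FIRST)]:
        print(f"{name:15} beacon1={matches_beacon_1(req)} beacon2={matches_beacon_2(req)}")
```

If Host-not-first traffic turns out to be real, the fix on the rule side is a multiline pcre (`/^Host\x3A\x20.../Hm`) or a plain `content:"Host|3A 20|"` check; the Python stays the same apart from adding `re.M`.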
Francis Trudeau | 31 Jul 00:32 2015

Daily Ruleset Update Summary 2015/07/30

 [***] Summary: [***]

 10 new Open signatures, 38 new Pro (10 + 28).  Potao, Dyre,
CVE-2015-2590, Korplug.

 Thanks:   <at> ESET and  <at> abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2021553 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (VMZeuS MITM) (trojan.rules)
  2021554 - ET TROJAN Potao CnC (trojan.rules)
  2021555 - ET TROJAN Potao CnC POST Response (trojan.rules)
  2021556 - ET TROJAN Dyre CnC Checkin (trojan.rules)
  2021557 - ET TROJAN Possible Java/Downloader Observed in Pawn Storm
CVE-2015-2590 1 (trojan.rules)
  2021558 - ET TROJAN Possible Java/Downloader Observed in Pawn Storm
CVE-2015-2590 2 (trojan.rules)
  2021559 - ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 29
(current_events.rules)
  2021560 - ET TROJAN URI Struct Observed in Pawn Storm CVE-2015-2950
(trojan.rules)
  2021561 - ET TROJAN EncryptorRaas .onion Proxy Domain
(613cb6owitcouepv) (trojan.rules)
  2021562 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (VMZeuS MITM) (trojan.rules)

 Pro:

  2812229 - ETPRO MOBILE_MALWARE Android/Spydme.B Checkin (mobile_malware.rules)
  2812251 - ETPRO MALWARE Win32/Stocksoft.Downloader PUP Activity
(malware.rules)
  2812252 - ETPRO TROJAN Backdoor.Korplug Checkin (UDP) 2 (trojan.rules)
  2812253 - ETPRO TROJAN Backdoor.Korplug Checkin (UDP) 3 (trojan.rules)
  2812254 - ETPRO MALWARE Win32/Pandora.tv Installer PUP Checkin (malware.rules)
  2812255 - ETPRO TROJAN Win32/Frethog.BP Possible SSL Cert (trojan.rules)
  2812256 - ETPRO TROJAN Win32/Caphaw.D Possible SSL Cert (trojan.rules)
  2812257 - ETPRO POLICY DNS Query to .onion proxy Domain
(tor-network.org) (policy.rules)
  2812258 - ETPRO POLICY DNS Query to .onion proxy Domain
(torsafetyproxy.org) (policy.rules)
  2812259 - ETPRO POLICY DNS Query to .onion proxy Domain
(toroperator.org) (policy.rules)
  2812260 - ETPRO POLICY DNS Query to .onion proxy Domain
(torexplorer.org) (policy.rules)
  2812261 - ETPRO POLICY DNS Query to .onion proxy Domain
(toractive.org) (policy.rules)
  2812262 - ETPRO POLICY DNS Query to .onion proxy Domain
(bythepaywayall.com) (policy.rules)
  2812263 - ETPRO POLICY DNS Query to .onion proxy Domain
(torenable.org) (policy.rules)
  2812264 - ETPRO POLICY DNS Query to .onion proxy Domain
(torgate.org) (policy.rules)
  2812265 - ETPRO POLICY DNS Query to .onion proxy Domain
(toruplink.org) (policy.rules)
  2812266 - ETPRO POLICY DNS Query to .onion proxy Domain
(torhome.org) (policy.rules)
  2812267 - ETPRO POLICY DNS Query to .onion proxy Domain
(tor-area.org) (policy.rules)
  2812268 - ETPRO POLICY DNS Query to .onion proxy Domain
(tor2earth.org) (policy.rules)
  2812269 - ETPRO POLICY DNS Query to .onion proxy Domain
(torsector.org) (policy.rules)
  2812270 - ETPRO POLICY DNS Query to .onion proxy Domain
(vremlotofpa.org) (policy.rules)
  2812271 - ETPRO MOBILE_MALWARE Android/Agent.LG Checkin (mobile_malware.rules)
  2812272 - ETPRO TROJAN KINS Possible SSL Cert (trojan.rules)
  2812273 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2015-07-30 1) (trojan.rules)
  2812274 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(ZnVra2VycnJyLjE6eA==) (trojan.rules)
  2812275 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(TGlyb21pcjE0NDE4YnRjOmJ0Yw==) (trojan.rules)
  2812276 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(bWFnaWNzYXRhX2JvYXQ6Ym9hdA==) (trojan.rules)

 [///]     Modified active rules:     [///]

  2810154 - ETPRO TROJAN Win32.ProxyChanger.TH Checkin (trojan.rules)

 [---]  Disabled and modified rules:  [---]

  2014914 - ET CURRENT_EVENTS NuclearPack - PDF Naming Algorithm
(current_events.rules)
Francis Trudeau | 29 Jul 23:46 2015

Daily Ruleset Update Summary 2015/07/29

 [***] Summary: [***]

 4 new Open signatures, 26 new Pro (4 + 22).  CryptoLocker, Litera.A,
Avast Vulns.

 Thanks:  Andrea De Pasquale and  <at> abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2021548 - ET MALWARE OSX ADWARE/Mackeeper Checkin (malware.rules)
  2021549 - ET TROJAN CryptoLocker .onion Proxy Domain
(vacdgwaw5djp5hmu) (trojan.rules)
  2021550 - ET POLICY External IP Lookup trackip.net (policy.rules)
  2021551 - ET TROJAN Critroni .onion Proxy Domain (trojan.rules)

 Pro:

  2812180 - ETPRO MALWARE Win32/Adware.ConvertAd.VA Checkin (malware.rules)
  2812228 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ff
Checkin (mobile_malware.rules)
  2812230 - ETPRO MALWARE Adware/Mostofate Checkin (malware.rules)
  2812231 - ETPRO TROJAN Win32/Litera.A CnC Checkin (trojan.rules)
  2812232 - ETPRO TROJAN Win32/Litera.A CnC Checkin 2 (trojan.rules)
  2812233 - ETPRO TROJAN PoisonIvy Keepalive to CnC 206 (trojan.rules)
  2812234 - ETPRO POLICY IP lookup pv.sohu.com (policy.rules)
  2812235 - ETPRO EXPLOIT Possible Avast Free SafeZone Escape (IE)
(exploit.rules)
  2812236 - ETPRO EXPLOIT Possible Avast SafeZone Escape (Chrome)
(exploit.rules)
  2812237 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish
July 28 (current_events.rules)
  2812238 - ETPRO CURRENT_EVENTS Possible Google Drive Phish Landing
July 28 (current_events.rules)
  2812239 - ETPRO CURRENT_EVENTS Possible Apple Store Phish Landing
July 28 M1 (current_events.rules)
  2812240 - ETPRO CURRENT_EVENTS Possible Apple Store Phish Landing
July 28 M2 (current_events.rules)
  2812241 - ETPRO CURRENT_EVENTS Possible Apple Store Phish Landing
July 28 M3 (current_events.rules)
  2812242 - ETPRO CURRENT_EVENTS Possible Apple Store Phish Landing
July 28 M4 (current_events.rules)
  2812243 - ETPRO CURRENT_EVENTS Possible Successful Apple Phish July
28 (current_events.rules)
  2812244 - ETPRO MALWARE Win32/Adware.EoRezo Retrieving PE (malware.rules)
  2812246 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2015-07-29 1) (trojan.rules)
  2812247 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2015-07-29 2) (trojan.rules)
  2812248 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(aGl0bWFudWtfY2hlYXA6MTIz) (trojan.rules)
  2812249 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(MUszNW4xNWU0cGZNS2FmM250MjJwUWc4UmhYa3JjZWY2bTp4) (trojan.rules)
  2812250 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(c2RndHpqempAbWFpbC5jb21fMTpzMWY1MTJmcw==) (trojan.rules)

 [///]     Modified active rules:     [///]

  2020712 - ET MALWARE AdWare.Win32.BetterSurf.b SSL Cert (malware.rules)
  2021519 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Dridex CnC) (trojan.rules)

 [---]         Removed rules:         [---]

  2812180 - ETPRO TROJAN Win32/Neshta.A JSON Checkin (trojan.rules)
Francis Trudeau | 29 Jul 00:53 2015

Daily Ruleset Update Summary 2015/07/28

 [***] Summary: [***]

 6 new Open signatures, 47 new Pro (6 + 41).  ScanBox, Nlex, Asterope.

 Thanks:   <at> abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2021542 - ET CURRENT_EVENTS ScanBox Jun 06 2015 M1 T1 (current_events.rules)
  2021543 - ET CURRENT_EVENTS ScanBox Jun 06 2015 M2 T1 (current_events.rules)
  2021544 - ET CURRENT_EVENTS ScanBox Jun 06 2015 M3 T1 (current_events.rules)
  2021545 - ET TROJAN EncryptorRaas .onion Proxy Domain (trojan.rules)
  2021546 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Gozi CnC) (trojan.rules)
  2021547 - ET TROJAN EncryptorRaas .onion Proxy Domain (trojan.rules)

 Pro:

  2812181 - ETPRO MALWARE Win32/RaonMedia PUP Downloader Activity
(malware.rules)
  2812182 - ETPRO TROJAN ZIP file embedded in Large JPG (~10-100MB)
(trojan.rules)
  2812183 - ETPRO TROJAN ZIP file embedded in JPG (trojan.rules)
  2812184 - ETPRO TROJAN ZIP file embedded in JPG containing EXE (trojan.rules)
  2812185 - ETPRO CURRENT_EVENTS Possible Successful BofA PHISH July
27 M1 (current_events.rules)
  2812186 - ETPRO CURRENT_EVENTS Possible Successful BofA PHISH July
27 M2 (current_events.rules)
  2812187 - ETPRO CURRENT_EVENTS Possible Successful BofA PHISH July
27 M3 (current_events.rules)
  2812188 - ETPRO TROJAN Win32/Huhk.7005 CnC Checkin (trojan.rules)
  2812189 - ETPRO TROJAN MSIL/Povbop.A Checkin (trojan.rules)
  2812190 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2015-07-27 1) (trojan.rules)
  2812191 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2015-07-27 2) (trojan.rules)
  2812192 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(TWlsZXNQOTQuRGVtQ29pbnM6MTIzNDU2) (trojan.rules)
  2812193 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(MUtrZGFwRWJnV3N1RnNuZlp6OHl3dTgxVDFhVXBIZnBiRDp4) (trojan.rules)
  2812194 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(MTVUaDQzUTV0c2JUeDVTa3JVZ3ZldWk1d0oyNng2SG54cjp4) (trojan.rules)
  2812195 - ETPRO CURRENT_EVENTS Possible Successful Fedex PHISH
(current_events.rules)
  2812196 - ETPRO CURRENT_EVENTS Possible Fedex PHISH - Landing
(current_events.rules)
  2812197 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.fx Checkin
(mobile_malware.rules)
  2812198 - ETPRO CURRENT_EVENTS Magnitude EK SilverLight Exploit Jul
28 2015 M1 (current_events.rules)
  2812199 - ETPRO CURRENT_EVENTS Magnitude EK SilverLight Exploit Jul
28 2015 M2 (current_events.rules)
  2812200 - ETPRO CURRENT_EVENTS Docusign Phish July 24 - Landing Page
(current_events.rules)
  2812201 - ETPRO MOBILE_MALWARE Android/Clicker.C Checkin
(mobile_malware.rules)
  2812202 - ETPRO MOBILE_MALWARE Android/TrojanSMS.FakeInst.GK Checkin
(mobile_malware.rules)
  2812203 - ETPRO TROJAN Nlex TCP CnC Beacon (trojan.rules)
  2812204 - ETPRO TROJAN Nlex UDP CnC Beacon (trojan.rules)
  2812205 - ETPRO TROJAN Win32/Bagsu.A Connectivity Check (trojan.rules)
  2812206 - ETPRO TROJAN Win32/Bagsu.A Connectivity Check 2 (trojan.rules)
  2812207 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.DN Checkin
(mobile_malware.rules)
  2812208 - ETPRO TROJAN Asterope CnC Beacon (trojan.rules)
  2812209 - ETPRO POLICY DNS Query to .onion proxy Domain
(spatopayforwin.com) (policy.rules)
  2812210 - ETPRO POLICY DNS Query to .onion proxy Domain
(speralpayopio.com) (policy.rules)
  2812211 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2015-07-28 1) (trojan.rules)
  2812212 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2015-07-28 2) (trojan.rules)
  2812213 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2015-07-28 3) (trojan.rules)
  2812214 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2015-07-28 4) (trojan.rules)
  2812215 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2015-07-28 5) (trojan.rules)
  2812216 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2015-07-28 6) (trojan.rules)
  2812217 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2015-07-28 7) (trojan.rules)
  2812218 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2015-07-28 8) (trojan.rules)
  2812219 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(2015-07-28 9) (trojan.rules)
  2812220 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(cDR1bF9uZXc6bm9tYW1lcw==) (trojan.rules)
  2812221 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(ZWVheF9jaGVhcDoxMjM0NTY=) (trojan.rules)

 [///]     Modified active rules:     [///]

  2018402 - ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity/Magnitude
EK SilverLight Exploit (current_events.rules)
  2804254 - ETPRO TROJAN Xtrat/Bifrose/VBKrypt CnC Channel Keepalive
(trojan.rules)
  2804468 - ETPRO TROJAN Trojan/Banker.Qhost.ms Checkin (trojan.rules)
  2806653 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.Nidb.a Checkin
(mobile_malware.rules)
  2811155 - ETPRO MOBILE_MALWARE Trojan.Android.Clicker.M Checkin
(mobile_malware.rules)
  2812168 - ETPRO CURRENT_EVENTS Phishing Fake Document Loading Error
(current_events.rules)
  2812169 - ETPRO CURRENT_EVENTS Phishing Fake Document Loading Error
(current_events.rules)

 [---]         Removed rules:         [---]

  2014894 - ET CURRENT_EVENTS RedKit - Landing Page Received - applet
and 5digit jar (current_events.rules)
  2021527 - ET TROJAN Possible Zberp receiving config via image file
(steganography) 3 (trojan.rules)
  2806545 - ETPRO TROJAN Win32.Coced Reporting via SMTP 2 (trojan.rules)
Francis Trudeau | 28 Jul 00:33 2015

Daily Ruleset Update Summary 2015/07/27

 [***] Summary: [***]

 9 new Open signatures, 30 new Pro (9 + 21).  Poshcoder, Neshta.A,
MSIL/Cyborg.A.

 Thanks:   <at> rmkml and   <at> abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2021533 - ET POLICY Possible External IP Lookup myip.kz (policy.rules)
  2021534 - ET TROJAN Poshcoder .onion Proxy Domain (hlvumvvclxy2nw7j)
(trojan.rules)
  2021535 - ET CURRENT_EVENTS Google Drive Phish - Landing Page July
24 M1 (current_events.rules)
  2021536 - ET CURRENT_EVENTS Google Drive Phish - Landing Page July
24 M2 (current_events.rules)
  2021537 - ET CURRENT_EVENTS Possible Successful PHISH - function
Validate (current_events.rules)
  2021538 - ET CURRENT_EVENTS Possible Successful PHISH - function
Validate (current_events.rules)
  2021539 - ET CURRENT_EVENTS Possible Successful PHISH - function
Validate (current_events.rules)
  2021540 - ET CURRENT_EVENTS Possible Successful PHISH - function
Validate (current_events.rules)
  2021541 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Ransomware CnC) (trojan.rules)

 Pro:

  2812160 - ETPRO TROJAN Trojan.Win32.Agent.dtrzmo Checkin (trojan.rules)
  2812161 - ETPRO TROJAN Password Stealer MSIL/Cyborg.A reporting via
SMTP (trojan.rules)
  2812162 - ETPRO TROJAN Win32/Spy.Zbot.YW .onion Proxy Domain (trojan.rules)
  2812163 - ETPRO CURRENT_EVENTS Apple Phish July 24 - Landing Page
(current_events.rules)
  2812164 - ETPRO CURRENT_EVENTS Possible Successful Apple Phish July
24 M1 (current_events.rules)
  2812165 - ETPRO CURRENT_EVENTS Possible Successful Apple Phish July
24 M2 (current_events.rules)
  2812166 - ETPRO CURRENT_EVENTS Possible Successful Apple Phish July
24 M3 (current_events.rules)
  2812167 - ETPRO CURRENT_EVENTS Possible Successful Apple Phish July
24 M4 (current_events.rules)
  2812168 - ETPRO CURRENT_EVENTS Possible Successful Docusign Phish
July 24 M1 (current_events.rules)
  2812169 - ETPRO CURRENT_EVENTS Possible Successful Docusign Phish
July 24 M2 (current_events.rules)
  2812170 - ETPRO TROJAN MSIL/Nitwil.A FTP wallet.dat Exfil (trojan.rules)
  2812171 - ETPRO TROJAN Win32/QQpass.gen!E Activity (trojan.rules)
  2812172 - ETPRO TROJAN Win32/Troxen!rts DoS Requests (trojan.rules)
  2812173 - ETPRO TROJAN Win32/Dodiw.A Checkin (trojan.rules)
  2812174 - ETPRO CURRENT_EVENTS Google Drive PHISH Landing July 27 M1
(current_events.rules)
  2812175 - ETPRO CURRENT_EVENTS Possible Successful Google Drive
Phish July 27 M1 (current_events.rules)
  2812176 - ETPRO CURRENT_EVENTS Possible Successful Google Drive
Phish July 27 M2 (current_events.rules)
  2812177 - ETPRO CURRENT_EVENTS Google Drive PHISH Landing July 27 M2
(current_events.rules)
  2812178 - ETPRO TROJAN Win32/Bagsu.A Checkin (trojan.rules)
  2812179 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmThief.eq
Checkin (mobile_malware.rules)
  2812180 - ETPRO TROJAN Win32/Neshta.A JSON Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2018101 - ET TROJAN W32/Dinwod.Dropper CnC Beacon (trojan.rules)
  2807480 - ETPRO TROJAN ghstnet Bot User Joining IRC (trojan.rules)

 [---]         Removed rules:         [---]

  2021524 - ET TROJAN KINS/ZeusVM Variant CnC Beacon (trojan.rules)
  2811947 - ETPRO WEB_CLIENT Internet Explorer Memory Corruption
Vulnerability (CVE-2015-2391) 1 (web_client.rules)
Francis Trudeau | 24 Jul 23:59 2015

Daily Ruleset Update Summary 2015/07/24

 [***] Summary: [***]

 4 new Open signatures, 31 new Pro (4 + 27).  W2KM_BARTALEX, Pirpi, AlphaCrypt.

 Thanks:   <at> kafeine and  <at> abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2021529 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Dridex CnC) (trojan.rules)
  2021530 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Gozi MITM) (trojan.rules)
  2021531 - ET TROJAN W2KM_BARTALEX Downloading Payload M2 (set) (trojan.rules)
  2021532 - ET TROJAN W2KM_BARTALEX Downloading Payload M2 (trojan.rules)

 Pro:

  2812134 - ETPRO TROJAN AlphaCrypt .onion Proxy Domain (trojan.rules)
  2812135 - ETPRO POLICY Possible IRC Botnet Activity - Throttled
Connection (policy.rules)
  2812136 - ETPRO MOBILE_MALWARE Android/Clicker.M Download
(mobile_malware.rules)
  2812137 - ETPRO TROJAN Win32/Venik.L Checkin (trojan.rules)
  2812138 - ETPRO MALWARE Win32/VK.SerfingBot PUP Activity (malware.rules)
  2812139 - ETPRO TROJAN Pirpi CnC Beacon Response (trojan.rules)
  2812140 - ETPRO TROJAN Pirpi CnC Beacon Response Fake 404 (trojan.rules)
  2812141 - ETPRO TROJAN Pirpi CnC Beacon HTTP POST (trojan.rules)
  2812142 - ETPRO TROJAN Possible Pirpi DNS Lookup
(product.sorgerealty.com) (trojan.rules)
  2812143 - ETPRO TROJAN Possible Pirpi DNS Lookup
(en.neatechguvenlik.com) (trojan.rules)
  2812144 - ETPRO TROJAN Possible Pirpi DNS Lookup
(inform.bedircati.com) (trojan.rules)
  2812145 - ETPRO TROJAN Possible Pirpi DNS Lookup
(swe.karasoyemlak.com) (trojan.rules)
  2812146 - ETPRO TROJAN Possible Pirpi DNS Lookup (ww.dndssc.com)
(trojan.rules)
  2812147 - ETPRO TROJAN Possible Pirpi DNS Lookup (wds.jiscs.com)
(trojan.rules)
  2812148 - ETPRO TROJAN Possible Pirpi DNS Lookup
(udi.ilovetustin.com) (trojan.rules)
  2812149 - ETPRO TROJAN Possible Pirpi DNS Lookup (pn.lamb-site.com)
(trojan.rules)
  2812150 - ETPRO POLICY DNS Query to .onion proxy Domain
(optiontosolutionss.com) (policy.rules)
  2812151 - ETPRO POLICY DNS Query to .onion proxy Domain
(paybullionbb.com) (policy.rules)
  2812152 - ETPRO POLICY DNS Query to .onion proxy Domain
(namepospay.com) (policy.rules)
  2812153 - ETPRO POLICY DNS Query to .onion proxy Domain
(winingpicturess.com) (policy.rules)
  2812154 - ETPRO TROJAN MSIL/Grelog.A Checkin (trojan.rules)
  2812155 - ETPRO MALWARE Win32/Adware.Hebogo PUP Activity (malware.rules)
  2812156 - ETPRO TROJAN MSIL/Mictanort.A Checkin (trojan.rules)
  2812157 - ETPRO TROJAN Win32/Teags.A CnC Checkin (trojan.rules)
  2812158 - ETPRO CURRENT_EVENTS Google Drive Phish - Landing Page
(current_events.rules)
  2812159 - ETPRO MOBILE_MALWARE Android/AdDisplay.Fictus.B Checkin 2
(mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2012842 - ET TROJAN Backdoor.Win32.Xyligan Checkin (trojan.rules)
  2017934 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 11 (trojan.rules)
  2021357 - ET CURRENT_EVENTS Fake AV Phone Scam Landing June 26 2015
M1 (current_events.rules)

 [---]         Removed rules:         [---]

  2812132 - ETPRO TROJAN Malicious SSL certificate detected (Dridex
CnC) (trojan.rules)
Kevin Ross | 24 Jul 12:48 2015

SIG: ET CURRENT_EVENTS W32/CryptoWall global1.jpg Distribution Campaign

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/CryptoWall global1.jpg Distribution Campaign"; flow:established,to_server; content:"/images/global1.jpg"; http_uri; depth:20; classtype:trojan-activity; reference:md5,0f5a5f029aacad212322fe5cf259cdd1; sid:1566911; rev:1;)


Kind Regards,
Kevin Ross
Leonard Jacobs | 24 Jul 01:46 2015

CVE-2015-5119

Is there a signature to cover this CVE or any of the other Hacking Team Adobe Flash exploits?

Thanks.

Leonard
Francis Trudeau | 23 Jul 23:46 2015

Daily Ruleset Update Summary 2015/07/23

 [***] Summary: [***]

 11 new Open signatures, 21 new Pro (11 + 10).  Dridex, KINS/ZeusVM, PoisonIvy.

 Thanks:   Jake Warren,  <at> kafeine,  <at> abuse_ch,  <at> EKwatcher and  <at> MalwareMustDie.

 [+++]          Added rules:          [+++]

 Open:

  2021518 - ET TROJAN Likely Dridex SSL Cert (trojan.rules)
  2021519 - ET TROJAN Likely Dridex SSL Cert (trojan.rules)
  2021520 - ET TROJAN KINS/ZeusVM Variant CnC Beacon (trojan.rules)
  2021521 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Dyre CnC) (trojan.rules)
  2021522 - ET CURRENT_EVENTS Fake AV Phone Scam Landing July 23 2015
(current_events.rules)
  2021523 - ET TROJAN PoisonIvy HTTP CnC Beacon (trojan.rules)
  2021524 - ET TROJAN KINS/ZeusVM Variant CnC Beacon (trojan.rules)
  2021525 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Ransomware CnC) (trojan.rules)
  2021526 - ET TROJAN Linux/ChinaZ DDoS Bot Checkin 3 (trojan.rules)
  2021527 - ET TROJAN Possible Zberp receiving config via image file
(steganography) 3 (trojan.rules)
  2021528 - ET TROJAN KINS/ZeusVM Variant Retrieving Config (trojan.rules)

 Pro:

  2812123 - ETPRO MALWARE Win32/Adware.FileTour Variant PUP Checkin 2
(malware.rules)
  2812124 - ETPRO MALWARE Win32/Adware.FileTour Variant PUP - IE
Redirect (malware.rules)
  2812125 - ETPRO TROJAN Win32/Renocide.gen!H Checkin (trojan.rules)
  2812126 - ETPRO TROJAN Win32/Poindampa.A Geolocate Request (trojan.rules)
  2812128 - ETPRO TROJAN PoisonIvy Keepalive to CnC 205 (trojan.rules)
  2812129 - ETPRO POLICY SpyHunter Spyware Removal Tool PUP Checkin
(policy.rules)
  2812130 - ETPRO POLICY SpyHunter Spyware Removal Tool PUP User-Agent
(SpyHunter) (policy.rules)
  2812131 - ETPRO MOBILE_MALWARE Android PUP Wodsha-E Checkin 2
(mobile_malware.rules)
  2812132 - ETPRO TROJAN Malicious SSL certificate detected (Dridex
CnC) (trojan.rules)
  2812133 - ETPRO TROJAN PoisonIvy DNS Lookup (xp.homeunix.org) (trojan.rules)

 [///]     Modified active rules:     [///]

  2008512 - ET TROJAN Suspicious User-Agent (C slash) (trojan.rules)
  2810583 - ETPRO CURRENT_EVENTS DRIVEBY Magnitude Landing Dec 03 2014
M2 (current_events.rules)
  2812067 - ETPRO TROJAN SOGU DNS CnC Channel TXT Lookup (trojan.rules)
Kevin Ross | 23 Jul 11:59 2015

Dridex Download Pattern Change Heads Up

Hi,

Dridex campaigns (or at least some of them) are no longer following the numeric number format which made up most of them - at least the ones I was seeing, and not the weird dropbox ones. Today's is a pattern of /mini/mmpy.exe for those wanting to check, and just to be aware of this change in hunting.

Kind Regards,
Kevin Ross


Document Download:


Dridex File:
