Francis Trudeau | 6 Feb 01:14 2016

Daily Ruleset Update Summary 2016/02/05

 [***] Summary: [***]

 1 new Open signature, 8 new Pro (1 + 7).  PlasmaRAT, PoisonIvy, Escelar.

 [+++]          Added rules:          [+++]

 Open:

  2022493 - ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 05 2016 (current_events.rules)

 Pro:

  2816091 - ETPRO TROJAN PlasmaRAT Variant Checkin (trojan.rules)
  2816092 - ETPRO TROJAN PoisonIvy Keepalive to CnC 293 (trojan.rules)
  2816096 - ETPRO CURRENT_EVENTS Possible Websc Phishing Page Feb 5 (current_events.rules)
  2816097 - ETPRO TROJAN Win32/Rogue Browser Extension Installer Checkin (trojan.rules)
  2816099 - ETPRO CURRENT_EVENTS Successful USAA Phish Feb 5 M1 (current_events.rules)
  2816100 - ETPRO CURRENT_EVENTS Successful USAA Phish Feb 5 M2 (current_events.rules)
  2816101 - ETPRO TROJAN Possible Escelar MSSQL Cert (trojan.rules)

 [///]     Modified active rules:     [///]

  2011582 - ET POLICY Vulnerable Java Version 1.6.x Detected (policy.rules)
  2014297 - ET POLICY Vulnerable Java Version 1.7.x Detected (policy.rules)
  2019401 - ET POLICY Vulnerable Java Version 1.8.x Detected (policy.rules)

Kevin Ross | 6 Feb 01:13 2016

SIG: ET TROJAN W32/Hydracrypt.Ransomware CnC Beacon

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Hydracrypt.Ransomware CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"=hydra"; http_uri; content:",0x"; http_uri; content:",0x"; http_uri; content:",0x"; http_uri; content:",0x"; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Referer|3A|"; http_header; classtype:trojan-activity; reference:md5,08b304d01220f9de63244b4666621bba; sid:156701; rev:1;)

Kind Regards,
Kevin Ross


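To exercise the signature's logic against sample traffic before deploying it, the following Python emulation of its content checks is added here (example code, not part of the posted rule). The sample requests are constructed, and the four repeated ",0x" contents are read as requiring four occurrences in the URI, which is an assumption about the author's intent.

```python
"""Emulate the content checks of the signature above over raw HTTP
requests, so the logic can be exercised against pcap extracts or
constructed samples without a sensor. Added example code, not part
of the posted rule."""

# Constructed sample requests (not captured traffic).
BEACON_LIKE = (
    b"GET /stat.php?id=hydra,0x1f,0x2a,0x00,0x3c HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Connection: close\r\n\r\n"
)
NORMAL_BROWSER = (
    b"GET /stat.php?id=hydra,0x1f,0x2a,0x00,0x3c HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Referer: http://example.net/\r\n\r\n"
)
TOO_FEW_HEX = (
    b"GET /stat.php?id=hydra,0x1f HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\n\r\n"
)


def parse_request(raw):
    """Split a raw request into (method, uri, header lines); None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return None
    return parts[0], parts[1], header_lines


def matches_hydracrypt_beacon(raw):
    """True when every positive and negative content of the rule holds.
    The four repeated ',0x' contents are treated as four occurrences
    (assumed intent of the repeated content keyword)."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, headers = parsed
    if method != b"GET":                              # content:"GET"; http_method
        return False
    if b".php?" not in uri or b"=hydra" not in uri:   # http_uri contents
        return False
    if uri.count(b",0x") < 4:                         # content:",0x" x4; http_uri
        return False
    # content:!"User-Agent|3A|" / content:!"Referer|3A|"; http_header
    if any(b"User-Agent:" in h or b"Referer:" in h for h in headers):
        return False
    return True


if __name__ == "__main__":
    for label, sample in (("beacon-like", BEACON_LIKE),
                          ("normal browser", NORMAL_BROWSER),
                          ("too few hex", TOO_FEW_HEX)):
        print(label, matches_hydracrypt_beacon(sample))
```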
Jeff H | 6 Feb 00:04 2016

ET CURRENT_EVENTS PHISH Generic Webmail - Landing Page Sept 11 alerting on cpanel webmail

I have a user on one of my networks that is running cpanel webmail without SSL, and when he accesses the site it triggers sid 2021760 (ET CURRENT_EVENTS PHISH Generic Webmail - Landing Page Sept 11) and 2021761 (ET CURRENT_EVENTS Possible PHISH - Generic Status Messages Sept 11).

I understand that running webmail without SSL is a terrible idea, but should these rules be cleaned up to not alert on legitimate cpanel webmail? (With maybe a policy or info sig written to alert on cpanel webmail access without SSL?)

pcaps or webmail URL can be provided off list
Jeff H | 5 Feb 22:55 2016

ET POLICY Outdated Windows Flash Version IE with Windows 8 and Windows 10

I've been getting hits on this for Windows 8 and Windows 10 machines running Flash in IE.

I verified that the machines are up to date via Windows Update. But their flash version is 20.0.0.272 and the sig is looking for 20.0.0.286. Then I found this stating that IE for Windows 8 and 10 wouldn't be getting this update and would instead get updated during the normal February patch. https://forums.adobe.com/thread/2069452?start=0&tstart=0

I can't tell for sure if there were security fixes affecting the IE version in this release, but it doesn't look like it to me (no related security bulletin).

Just wondering if anything can be done about this to prevent alerts when no patch is available? Or if this is such a rare occurrence that it's better to just power through (as Flash will be patched in a few days and it will become a non-issue).

Jeff
Francis Trudeau | 4 Feb 23:25 2016

Daily Ruleset Update Summary 2016/02/04

 [***] Summary: [***]

 5 new Open signatures, 16 new Pro (5 + 11).  NanoCore, Dridex, TeslaCrypt/AlphaCrypt.

 Thanks:  @jaimeblascob & @rmkml.

 [+++]          Added rules:          [+++]

 Open:

  2022488 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC) (trojan.rules)
  2022489 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (trojan.rules)
  2022490 - ET TROJAN TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(yez2o5lwqkmlv5lc) (trojan.rules)
  2022491 - ET TROJAN Download Request Containing Suspicious Filename - Crypted (trojan.rules)
  2022492 - ET TROJAN Win32/Fluxer CnC Checkin (trojan.rules)

 Pro:

  2816079 - ETPRO TROJAN Dridex Downloader SSL Cert (trojan.rules)
  2816080 - ETPRO TROJAN NanoCore RAT CnC 5 (trojan.rules)
  2816081 - ETPRO TROJAN NanoCore RAT CnC 6 (trojan.rules)
  2816082 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif Injects) (trojan.rules)
  2816083 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif Injects) (trojan.rules)
  2816084 - ETPRO MALWARE PUP/DriverRestore Sending System Information to Affiliate (malware.rules)
  2816085 - ETPRO MALWARE MSIL/Adload.AT Beacon (malware.rules)
  2816086 - ETPRO CURRENT_EVENTS Base64 Javascript URL Refresh - Common Phish Landing Obfuscation Feb 4 (current_events.rules)
  2816087 - ETPRO TROJAN Win32/Uloz Botnet Filename Generator (trojan.rules)
  2816088 - ETPRO MALWARE MSIL/Adload.AT Beacon (malware.rules)
  2816090 - ETPRO TROJAN Unknown AutoHotKey Malware Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2811882 - ETPRO CURRENT_EVENTS Angler EK Flash Exploit (IE) Jun 16 M1 T3 (current_events.rules)
  2812245 - ETPRO CURRENT_EVENTS Angler EK Flash Exploit (IE) Jun 16 M1 T1 (current_events.rules)
  2815938 - ETPRO TROJAN Win32.Banbra.bkbw Checkin (trojan.rules)

 [---]         Removed rules:         [---]

  2019469 - ET TROJAN APT.Fexel Checkin (trojan.rules)
Michał Purzyński | 4 Feb 02:08 2016

Post to dotted quad with fake browser 2 FP on player.ooyala.com

The rule ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 has lots of false positives when a user has http://player.ooyala.com opened and active.

The whole session starts with

GET     cp187553.edgefcs.net    /crossdomain.xml        http://player.ooyala.com/static/cacheable/<long_string_of_alphanumeric>/player_v2.swf?player=<long_string_of_alphanumeric> with a standard UA, such as Firefox

No FP yet, then

GET     cp187553.edgefcs.net    /fcs/ident      http://player.ooyala.com/static/cacheable/<long_string_of_alphanumeric>/player_v2.swf?player=<long_string_of_alphanumeric>
 
Still no FP, then

POST    96.17.15.174    /fcs/ident2/fcs/ident2     -       Firefox/1.0 CFNetwork/760.2.6 Darwin/15.2.0 (x86_64)
POST    96.17.15.174    /open/1/open/1 -       Firefox/1.0 CFNetwork/760.2.6 Darwin/15.2.0 (x86_64)

And then thousands of these happen

POST    96.17.15.174/idle/<alphanumeric, 6 chars in total/<sequential numbers>>/0        -       Firefox/1.0 CFNetwork/760.2.6 Darwin/15.2.0 (x86_64)

Which makes sense, since they are POST requests to a dotted quad with a fake browser. I guess I could just suppress it in Suricata. Or you can add a negation.
Francis Trudeau | 3 Feb 23:16 2016

Daily Ruleset Update Summary 2016/02/03

 [***] Summary: [***]

 3 new Open signatures, 23 new Pro.  Cyborg RAT, APT.HelKit, HydraCrypt.

 Thanks:  @PietroDelsante & @a_de_pasquale.

 [+++]          Added rules:          [+++]

 Open:

  2022485 - ET WEB_SERVER Possible Compromised Webserver Retriving Inject (web_server.rules)
  2022486 - ET CURRENT_EVENTS Possible Phishing Landing via GetGoPhish Phishing Tool (current_events.rules)
  2022487 - ET CURRENT_EVENTS Successful Phishing Attempt via GetGoPhish Phishing Tool (current_events.rules)

 Pro:

  2816058 - ETPRO TROJAN Cyborg RAT Exfil via FTP 1 (trojan.rules)
  2816059 - ETPRO TROJAN Cyborg RAT Exfil via FTP 2 (trojan.rules)
  2816060 - ETPRO TROJAN Cyborg RAT Exfil via FTP 3 (trojan.rules)
  2816061 - ETPRO TROJAN APT.HelKit (BLACKCOFFEE) CnC Beacon M1 (trojan.rules)
  2816062 - ETPRO TROJAN APT.HelKit (BLACKCOFFEE) CnC Beacon M2 (trojan.rules)
  2816063 - ETPRO TROJAN W32/Daviany IP Check (trojan.rules)
  2816065 - ETPRO TROJAN APT.Preshin CnC Beacon (trojan.rules)
  2816066 - ETPRO TROJAN APT.Preshin HTTP Request to Google (trojan.rules)
  2816067 - ETPRO CURRENT_EVENTS Nuclear EK Flash Version PostBack T2 Feb 03 2016 (current_events.rules)
  2816068 - ETPRO CURRENT_EVENTS Nuclear EK Landing T2 Feb 03 2016 (current_events.rules)
  2816069 - ETPRO MALWARE Win32/Adware.Kuaiba.E Sending System Information (malware.rules)
  2816070 - ETPRO TROJAN PoisonIvy Keepalive to CnC 292 (trojan.rules)
  2816071 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif Injects) (trojan.rules)
  2816072 - ETPRO CURRENT_EVENTS Successful DHL Phish Feb 3 (current_events.rules)
  2816073 - ETPRO CURRENT_EVENTS Phishing Fake Document Loading Error Feb 3 (current_events.rules)
  2816074 - ETPRO CURRENT_EVENTS DHL Phishing Landing Feb 3 (current_events.rules)
  2816075 - ETPRO TROJAN Ransomware Raas/Sarento .onion Proxy Domain (trojan.rules)
  2816076 - ETPRO TROJAN Win32/HydraCrypt CnC Beacon 1 (trojan.rules)
  2816077 - ETPRO TROJAN Win32/HydraCrypt Ransom Image Inbound (trojan.rules)
  2816078 - ETPRO CURRENT_EVENTS TorrentLocker Localization Redirect Feb 3 (current_events.rules)

 [///]     Modified active rules:     [///]

  2019469 - ET TROJAN APT.Fexel Checkin (trojan.rules)
  2021245 - ET TROJAN Possible Dridex Download URI Struct with no referer (trojan.rules)
  2022466 - ET CURRENT_EVENTS Possible Keitaro TDS Redirect (current_events.rules)
  2022483 - ET TROJAN JS/Nemucod requesting EXE payload 2016-01-28 (trojan.rules)
  2815395 - ETPRO TROJAN Linux/Fysbis or Sofacy/CHOPSTICK CnC Beacon M2 (trojan.rules)
Andrea De Pasquale | 3 Feb 12:01 2016

Possible FP for 2021245 Dridex Download URI Struct with no referer

Hello,
SID 2021245 is tripping on this Logitech update download (and similar):

GET /logitech/controldevices/setpoint/devices/1/2000038.exe HTTP/1.1
User-Agent: LogitechUpdate
Host: d23iz4esrwkib6.cloudfront.net
Connection: Keep-Alive

Could you maybe add some negations?

Thanks,
-- 
Andrea De Pasquale
Incident Response Team
CERTEGO
Jeff H | 3 Feb 00:35 2016

SID 2018302, ET INFO Possible Phish - Mirrored Website Comment Observed questions

Just wondering if others are seeing lots of hits on this for non-malicious sites? And is anyone catching a lot of bad stuff with it?

I'm getting a few hits a day, not an absurd amount, but looking at the hits I don't think any of them have been phishing/malicious sites. I'm seeing a lot of hits where the mirrored comment is referencing the domain itself.

I don't think this is possible, but I guess it doesn't hurt to ask, is there some way to modify the rule so it doesn't fire when the domain in the mirrored comment matches the domain in the host header? I think that would solve most of my hits.

But if that's not possible, just trying to determine how much of an impact disabling the rule would have.

Thanks
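A content match in a rule cannot compare the value of one buffer with another, so the "same domain as the Host header" test asked about above has to run after the alert, over logged data. The Python below is an added example of that post-alert check (not an ET rule change); it assumes the comment has the HTTrack layout "<!-- Mirrored from <site> by HTTrack Website Copier ... -->", and the page bodies are constructed samples.

```python
"""Post-alert check for sid 2018302: does the site named in a
mirrored-website comment differ from the Host the page was served from?
Added example, not an ET rule. Assumes the HTTrack comment layout
'<!-- Mirrored from <site> by HTTrack Website Copier ... -->'."""
import re
from urllib.parse import urlsplit

MIRROR_RE = re.compile(rb"<!--\s*Mirrored from\s+(\S+)", re.IGNORECASE)


def mirrored_source(body):
    """Return the hostname named in the mirrored-from comment, or None."""
    m = MIRROR_RE.search(body)
    if not m:
        return None
    src = m.group(1).decode("ascii", "replace")
    if "://" not in src:
        src = "http://" + src          # let urlsplit isolate the host part
    return (urlsplit(src).hostname or "").lower()


def canonical_host(host):
    """Lowercase, drop a port and a leading 'www.' before comparing."""
    host = host.strip().lower().split(":", 1)[0]
    return host[4:] if host.startswith("www.") else host


def mirror_is_foreign(host_header, body):
    """True when the page claims to be mirrored from a different site than
    the one serving it, i.e. the case worth keeping as an alert."""
    src = mirrored_source(body)
    if src is None:
        return False
    return canonical_host(src) != canonical_host(host_header)


# Constructed samples (not real captures).
SELF_MIRROR = (b"<!DOCTYPE html><html><!-- Mirrored from www.example.com/ by "
               b"HTTrack Website Copier/3.x --><body>home</body></html>")
FOREIGN_MIRROR = (b"<html><!-- Mirrored from login.example.org/ by HTTrack "
                  b"Website Copier/3.x --><body>sign in</body></html>")

if __name__ == "__main__":
    print(mirror_is_foreign("example.com", SELF_MIRROR))                   # False
    print(mirror_is_foreign("example-mirror.test:8080", FOREIGN_MIRROR))   # True
```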
Francis Trudeau | 2 Feb 23:34 2016

Daily Ruleset Update Summary 2016/02/02

 [***] Summary: [***]

 3 new Open signatures, 23 new Pro (3 + 20).  Dridex, Gootkit, Vawtrak, VARIOUS PHISHING.

 Thanks:  Michał Purzyński, @sucurisecurity & @PietroDelsante.

 [+++]          Added rules:          [+++]

 Open:

  2022481 - ET CURRENT_EVENTS Evil Redirect Compromised WP Feb 01 2016 (current_events.rules)
  2022482 - ET TROJAN JS/Nemucod requesting EXE payload 2016-02-01 (trojan.rules)
  2022483 - ET TROJAN JS/Nemucod requesting EXE payload 2016-01-28 (trojan.rules)

 Pro:

  2816038 - ETPRO MALWARE Win32/WuJi.K Checkin (malware.rules)
  2816039 - ETPRO CURRENT_EVENTS Phishing Landing via Weebly.com (set) Feb 2 (current_events.rules)
  2816040 - ETPRO CURRENT_EVENTS Phishing Landing via Weebly.com Feb 2 M1 (current_events.rules)
  2816041 - ETPRO CURRENT_EVENTS Phishing Landing via Weebly.com Feb 2 M2 (current_events.rules)
  2816042 - ETPRO CURRENT_EVENTS Phishing Landing via Weebly.com Feb 2 M3 (current_events.rules)
  2816043 - ETPRO CURRENT_EVENTS Phishing Landing via Weebly.com Feb 2 M4 (current_events.rules)
  2816044 - ETPRO CURRENT_EVENTS Lloyds Bank Phishing Landing Feb 1 (current_events.rules)
  2816045 - ETPRO CURRENT_EVENTS Successful Lloyds Bank Phish Feb 1 (current_events.rules)
  2816046 - ETPRO TROJAN Dridex Fakes/Redirects SSL Cert (trojan.rules)
  2816047 - ETPRO TROJAN Possible PeaceDuke/Cozer SSL Cert (trojan.rules)
  2816048 - ETPRO TROJAN Gootkit CnC SSL Cert (trojan.rules)
  2816049 - ETPRO TROJAN Bladabindi/njRAT Variant CnC Server Response (trojan.rules)
  2816050 - ETPRO TROJAN Bladabindi/njRAT Variant CnC Checkin (trojan.rules)
  2816051 - ETPRO TROJAN Win32.Banload Variant Downloading EXE (trojan.rules)
  2816052 - ETPRO TROJAN Possible Vawtrak Injects SSL Cert (trojan.rules)
  2816053 - ETPRO TROJAN Possible Vawtrak Injects SSL Cert (trojan.rules)
  2816054 - ETPRO TROJAN Win32/Uloz Botnet CnC Checkin (trojan.rules)
  2816055 - ETPRO TROJAN APT.Everty CnC Beacon 1 (trojan.rules)
  2816056 - ETPRO TROJAN APT.Everty CnC Beacon 2 (trojan.rules)
  2816057 - ETPRO TROJAN Win32/iSpySoft PWS Asset Download (trojan.rules)

 [///]     Modified active rules:     [///]

  2017511 - ET TROJAN APT.Agtid callback (trojan.rules)
  2021526 - ET TROJAN Linux/ChinaZ 2.0 DDoS Bot Checkin 3 (trojan.rules)
  2402000 - ET DROP Dshield Block Listed Source group 1 (dshield.rules)
  2808649 - ETPRO TROJAN Backdoor.Win32.Stantinko.A Checkin 3 (trojan.rules)
  2815769 - ETPRO TROJAN W32.Blackmoon Uploading Stolen Certificates (trojan.rules)
  2815901 - ETPRO CURRENT_EVENTS Phishing Landing via MoonFruit.com Jan 22 M1 (current_events.rules)
  2815905 - ETPRO CURRENT_EVENTS Phishing Landing via Webeden.co.uk Jan 22 M1 (current_events.rules)

 [///]    Modified inactive rules:    [///]

  2012848 - ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI (mobile_malware.rules)
  2803305 - ETPRO TROJAN Common Downloader Header Pattern H (trojan.rules)
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs <at> lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net

Richard Monk | 2 Feb 20:40 2016

2816032 Not checking for version of Sparkle in use

Since there's now a patch, I suspect there needs to be a pcre check so versions
1.13.1 or greater don't trigger the alert?

-- 
Richard Monk (rmonk@...) - Security Analyst
Red Hat, Raleigh NC
GPG Key ID: 0x942CDB25
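As an added illustration of the version gate suggested above (not the actual content of 2816032, which is not shown here; the User-Agent layout "Sparkle/major.minor.patch" is an assumption), the regex below matches only versions below 1.13.1, and the helper verifies it against a real numeric comparison over constructed User-Agent strings. Used as a positive pcre on the header, it would restrict the alert to unpatched versions.

```python
"""Version gating in a PCRE, for the Sparkle 1.13.1 fix discussed above.
A regex cannot compare numbers, so 'older than 1.13.1' must be spelled
out as the ranges it covers. Added example; the User-Agent layout
'Sparkle/<major>.<minor>.<patch>' is an assumption, not taken from
rule 2816032."""
import re

# Matches Sparkle/x.y.z only when x.y.z < 1.13.1:
#   0.*.*            any major-0 release
#   1.(0..12).*      minor below 13
#   1.13.0           the single 1.13 release before the fix
OLD_SPARKLE = re.compile(
    r"Sparkle/(?:0\.\d+\.\d+|1\.(?:[0-9]|1[0-2])\.\d+|1\.13\.0)(?!\d)"
)


def sparkle_version(ua):
    """Extract (major, minor, patch) from a User-Agent, or None."""
    m = re.search(r"Sparkle/(\d+)\.(\d+)\.(\d+)", ua)
    return tuple(int(x) for x in m.groups()) if m else None


def regex_says_old(ua):
    """What the PCRE would decide inside the rule."""
    return OLD_SPARKLE.search(ua) is not None


def numeric_says_old(ua):
    """Ground truth: a tuple comparison against 1.13.1."""
    v = sparkle_version(ua)
    return v is not None and v < (1, 13, 1)


def first_disagreement(max_major=2, max_minor=20, max_patch=5):
    """Exhaustively compare the PCRE with the numeric check over
    constructed User-Agents; returns the first UA where they differ,
    or None when the regex is exact across the whole range."""
    for major in range(max_major + 1):
        for minor in range(max_minor + 1):
            for patch in range(max_patch + 1):
                ua = f"ExampleApp/3.1 Sparkle/{major}.{minor}.{patch}"
                if regex_says_old(ua) != numeric_says_old(ua):
                    return ua
    return None


if __name__ == "__main__":
    print("regex agrees with numeric comparison:", first_disagreement() is None)
```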
