Russell Fulton | 1 Sep 00:15 2014

FP: ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12 2017936

FYI

I am seeing a trickle of hits on this sig for sessions from our flash server to various local IPs.

payload: 789CF4DA9851A24D x....Q.M

Russell
Francis Trudeau | 29 Aug 23:50 2014

Daily Ruleset Update Summary 08/29/2014

 [***] Summary: [***]

 15 new Open signatures, 30 new Pro (15+15).  ScanBox, iBryte, BIG-IP
rsync vuln, Archie EK.

 Thanks: @jaimeblascob and @kafeine

 [+++]          Added rules:          [+++]

  2019084 - ET TROJAN Syrian Malware Checkin (trojan.rules)
  2019085 - ET EXPLOIT Metasploit FireFox WebIDL Privileged Javascript
Injection (exploit.rules)
  2019086 - ET CURRENT_EVENTS Unknown Trojan Dropped by Angler Aug 29
2014 (current_events.rules)
  2019087 - ET TROJAN F5 BIG-IP rsync cmi access attempt (trojan.rules)
  2019088 - ET TROJAN F5 BIG-IP rsync cmi authorized_keys access
attempt (trojan.rules)
  2019089 - ET TROJAN F5 BIG-IP rsync cmi authorized_keys successful
exfiltration (trojan.rules)
  2019090 - ET TROJAN F5 BIG-IP rsync cmi authorized_keys successful
upload (trojan.rules)
  2019091 - ET EXPLOIT Metasploit Random Base CharCode JS Encoded
String (exploit.rules)
  2019093 - ET CURRENT_EVENTS ScanBox Framework used in WateringHole
Attacks (current_events.rules)
  2019094 - ET CURRENT_EVENTS ScanBox Framework used in WateringHole
Attacks Intial (POST) (current_events.rules)
  2019095 - ET CURRENT_EVENTS ScanBox Framework used in WateringHole
Attacks (POST) PluginData (current_events.rules)
  2019096 - ET CURRENT_EVENTS ScanBox Framework used in WateringHole

Francis Trudeau | 29 Aug 00:35 2014

Daily Ruleset Update Summary 08/28/2014

 [***] Summary: [***]

 5 new Open signatures, 18 new Pro (5+13).  ABUSE.CH SSL Blacklist,
PCRat/Gh0st, Various Android.

 Thanks: @rmkml and @abuse_ch

 [+++]          Added rules:          [+++]

 Open:

  2019079 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2019080 - ET TROJAN Windows arp -a Microsoft Windows DOS prompt
command exit OUTBOUND (trojan.rules)
  2019081 - ET TROJAN Windows set Microsoft Windows DOS prompt command
exit OUTBOUND (trojan.rules)
  2019082 - ET TROJAN Windows route Microsoft Windows DOS prompt
command exit OUTBOUND (trojan.rules)
  2019083 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 41 (trojan.rules)

  Pro:

  2808683 - ETPRO TROJAN Win32/VB.VX Checkin (trojan.rules)
  2808684 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Talp.a Checkin
(mobile_malware.rules)
  2808685 - ETPRO TROJAN Carbon FormGrabber/Retgate.A Checkin (trojan.rules)
  2808686 - ETPRO TROJAN WIN32.AGENT.ADRNK Checkin FTP (trojan.rules)
  2808687 - ETPRO TROJAN Trojan.Win32.Jorik.IRCbot USER command (trojan.rules)

Balasubramaniam Natarajan | 28 Aug 14:26 2014

Modify SID: 2013170

Hi

Could we please modify the following signature ?

Original
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.cu.cc domain"; flow:established,to_server; content:".cu.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013170; rev:1;)

Modified
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.cu.cc domain"; flow:established,to_server; content:"Host:"; http_header; content:".cu.cc|0D 0A|"; distance:1; within:65; http_header; classtype:bad-unknown; sid:2013170; rev:2;)


Original sig fires on:

GET /go/?q=sogou.com&service=whois HTTP/1.1
Host: whois.domaintools.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://whois.domaintools.com/onlinestudy.cu.cc
Connection: keep-alive


--
Regards,
Balasubramaniam Natarajan
http://blog.etutorshop.com
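To make the difference between rev:1 and rev:2 concrete, here is an added example (Python, written for this page; it is not code from the post or from the ET ruleset) that models both versions of the rule against the request quoted above and against two constructed requests. The http_header buffer is approximated as the raw header lines after the request line with CRLFs kept; Snort's cookie-buffer and normalization details are not modelled. The third check, anchoring the match to the Host line with a PCRE, is a suggestion of the editor's, not something the poster proposed.

```python
import re

# Request quoted in the post: the only ".cu.cc" is in the Referer, so the host
# being contacted is not a *.cu.cc domain. rev:1 fires on it anyway.
WHOIS_LOOKUP = (
    "GET /go/?q=sogou.com&service=whois HTTP/1.1\r\n"
    "Host: whois.domaintools.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Referer: http://whois.domaintools.com/onlinestudy.cu.cc\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Constructed request to an actual *.cu.cc host: the case the rule exists for.
CU_CC_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: onlinestudy.cu.cc\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Constructed request with a short Host line followed by a short Referer ending in
# .cu.cc: both fit inside the 65-byte window, so distance/within alone is not enough.
SHORT_HEADERS = (
    "GET / HTTP/1.1\r\n"
    "Host: x.com\r\n"
    "Referer: http://y.cu.cc\r\n"
    "\r\n"
)


def http_header_buffer(request: str) -> bytes:
    """Approximation of Snort's http_header buffer: the header lines after the
    request line, CRLFs preserved, body excluded."""
    head, _, _ = request.partition("\r\n\r\n")
    _request_line, _, headers = head.partition("\r\n")
    return (headers + "\r\n").encode()


def rev1_matches(request: str) -> bool:
    """rev:1  content:".cu.cc|0D 0A|"; http_header;  (anywhere in the headers)."""
    return b".cu.cc\r\n" in http_header_buffer(request)


def rev2_matches(request: str) -> bool:
    """rev:2  content:"Host:"; http_header; content:".cu.cc|0D 0A|"; distance:1;
    within:65; http_header;  The second match must begin at least 1 byte after the
    end of "Host:" (distance) and end within the next 65 bytes (within)."""
    buf = http_header_buffer(request)
    anchor = buf.find(b"Host:")
    if anchor < 0:
        return False
    start = anchor + len(b"Host:") + 1       # distance:1
    window = buf[start:start + 65]           # within:65
    return b".cu.cc\r\n" in window


# Editor's alternative (assumption, not from the post): bind the match to the Host
# line itself, e.g. pcre:"/^Host:[^\r\n]*\.cu\.cc\r\n/Hmi" in the rule.
HOST_LINE = re.compile(rb"^Host:[^\r\n]*\.cu\.cc\r\n", re.M | re.I)


def host_line_matches(request: str) -> bool:
    return HOST_LINE.search(http_header_buffer(request)) is not None


def evaluate(request: str) -> tuple:
    """(rev1, rev2, host-line PCRE) verdicts for one request."""
    return rev1_matches(request), rev2_matches(request), host_line_matches(request)


if __name__ == "__main__":
    for name, req in [("whois lookup", WHOIS_LOOKUP),
                      ("*.cu.cc host", CU_CC_REQUEST),
                      ("short headers", SHORT_HEADERS)]:
        print(f"{name:14s} rev1={evaluate(req)[0]} rev2={evaluate(req)[1]} "
              f"host_line={evaluate(req)[2]}")
```

rev:2 does stop the whois false positive, but the within:65 window is a byte count, not a line: a Host header shorter than the window followed by another header carrying .cu.cc still fires, and a Host header longer than 65 bytes never does. Anchoring on the Host line (or, where the engine offers it, the http_host buffer) avoids both edges.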
C. L. Martinez | 28 Aug 10:35 2014

About sig 2008052

Hi all,

 I don't quite understand why an alert is triggered by this signature.
StreamDB capture is:

Returning 2 of 2 at offset 0 from Tue Aug 26 11:24:10 2014 to Tue Aug
26 11:24:10 2014 (1019 ms)

2014-08-26 11:24:10 10.99.130.21:3376 <- 10.99.0.15:80 0s 6343 bytes RST

CONNECT iecvlist.microsoft.com:443iecvlist.microsoft.com:443

oid=52-1395265496-5300-0

200 data

oid=52-1395270796-6343-0

200 Connection established
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
X-HTTP-Version: 1.1

[TLS handshake bytes omitted. Readable strings in the server's certificate chain and OCSP response as captured:
 - Certificate issued by "Microsoft IT SSL SHA1" (US, Washington, Redmond, Microsoft Corporation, Microsoft IT) to *.vo.msecnd.net, valid 140723063643Z to 160722063643Z; subject alternative names include *.microsoft.com, *.msn.com, *.live.com, *.live.net, *.windowsphone.com, *.wlxrs.com, *.cdn.office.net, *.aspnetcdn.com, *.manage.microsoft.com, *.s-msn.com, *.dev.skype.com, *.ucwa.lync.com, *.vo.msecnd.net, *.s.windows.microsoft.com, *.azureedge.net, *.cdn.skype.com, *.msdn.com and others; CRL http://mscrl.microsoft.com/pki/mscorp/crl/msitwww1.crl and http://crl.microsoft.com/pki/mscorp/crl/msitwww1.crl; CA issuer http://www.microsoft.com/pki/mscorp/msitwww1.crt; OCSP http://ocsp.msocsp.com; CPS http://www.microsoft.com/pki/mscorp/cps
 - Intermediate "Microsoft IT SSL SHA1" issued by "Baltimore CyberTrust Root" (IE, Baltimore, CyberTrust), valid 131219201000Z to 171219200925Z; CPS http://cybertrust.omniroot.com/repository.cfm; CRL http://cdp1.public-trust.com/CRL/Omniroot2025.crl
 - OCSP response produced 20140824022240Z, next update 20140828022240Z
 - Certificate issued by "Microsoft IT SSL SHA1" with subject "Should be ignore by CA", valid 140821225400Z to 141104225400Z]

 Is it due to an unsupported IE version??

Thanks.
Francis Trudeau | 28 Aug 00:02 2014

Daily Ruleset Update Summary 08/27/2014

 [***] Summary: [***]

 54 new Open signatures, 77 new Pro (54+23).  Lots of Upatre SSL,
NullHole EK, Various Android.

 Thanks: Nathan Fowler and @kafeine

 [+++]          Added rules:          [+++]

  2019025 - ET CURRENT_EVENTS Possible Upatre SSL Cert freeb4u.com
(current_events.rules)
  2019026 - ET CURRENT_EVENTS Possible Upatre SSL Cert
developmentinn.com (current_events.rules)
  2019027 - ET CURRENT_EVENTS Possible Upatre SSL Cert directory92.com
(current_events.rules)
  2019028 - ET CURRENT_EVENTS Possible Upatre SSL Cert epr-co.ch
(current_events.rules)
  2019029 - ET CURRENT_EVENTS Possible Upatre SSL Cert pouyasazan.org
(current_events.rules)
  2019030 - ET CURRENT_EVENTS Possible Upatre SSL Cert ara-photos.net
(current_events.rules)
  2019031 - ET CURRENT_EVENTS Possible Upatre SSL Cert tecktalk.com
(current_events.rules)
  2019032 - ET CURRENT_EVENTS Possible Upatre SSL Cert cyclivate.com
(current_events.rules)
  2019033 - ET CURRENT_EVENTS Possible Upatre SSL Cert
mentoringgroup.com (current_events.rules)
  2019034 - ET CURRENT_EVENTS Possible Upatre SSL Cert
dineshuthayakumar.in (current_events.rules)
  2019035 - ET CURRENT_EVENTS Possible Upatre SSL Cert ssshosting.net
(current_events.rules)
  2019036 - ET CURRENT_EVENTS Possible Upatre SSL Cert erotikturk.com
(current_events.rules)
  2019037 - ET CURRENT_EVENTS Possible Upatre SSL Cert
mtnoutfitters.com (current_events.rules)
  2019038 - ET CURRENT_EVENTS Possible Upatre SSL Cert
jojik-international.com (current_events.rules)
  2019039 - ET CURRENT_EVENTS Possible Upatre SSL Cert
abarsolutions.com (current_events.rules)
  2019040 - ET CURRENT_EVENTS Possible Upatre SSL Cert
eastwoodvalley.com (current_events.rules)
  2019041 - ET CURRENT_EVENTS Possible Upatre SSL Cert ara-photos.net
(current_events.rules)
  2019042 - ET CURRENT_EVENTS Possible Upatre SSL Cert pejlain.se
(current_events.rules)
  2019043 - ET CURRENT_EVENTS Possible Upatre SSL Cert dominionthe.com
(current_events.rules)
  2019044 - ET CURRENT_EVENTS Possible Upatre SSL Cert delanecanada.ca
(current_events.rules)
  2019045 - ET CURRENT_EVENTS Possible Upatre SSL Cert
hebergement-solutions.com (current_events.rules)
  2019046 - ET CURRENT_EVENTS Possible Upatre SSL Cert
sportofteniq.com (current_events.rules)
  2019047 - ET CURRENT_EVENTS Possible Upatre SSL Cert adoraacc.com
(current_events.rules)
  2019048 - ET CURRENT_EVENTS Possible Upatre SSL Cert tristacey.com
(current_events.rules)
  2019049 - ET CURRENT_EVENTS Possible Upatre SSL Cert nbc-mail.com
(current_events.rules)
  2019050 - ET CURRENT_EVENTS Possible Upatre SSL Cert
tridayacipta.com (current_events.rules)
  2019051 - ET CURRENT_EVENTS Possible Upatre SSL Cert
trainthetrainerinternational.com (current_events.rules)
  2019052 - ET CURRENT_EVENTS Possible Upatre SSL Cert
lingayasuniversity.edu.in (current_events.rules)
  2019053 - ET CURRENT_EVENTS Possible Upatre SSL Cert uleideargan.com
(current_events.rules)
  2019054 - ET CURRENT_EVENTS Possible Upatre SSL Cert
picklingtank.com (current_events.rules)
  2019055 - ET CURRENT_EVENTS Possible Upatre SSL Cert vcomdesign.com
(current_events.rules)
  2019056 - ET CURRENT_EVENTS Possible Upatre SSL Cert technosysuk.com
(current_events.rules)
  2019057 - ET CURRENT_EVENTS Possible Upatre SSL Cert
slmp-550-105.slc.westdc.net (current_events.rules)
  2019058 - ET CURRENT_EVENTS Possible Upatre SSL Cert
itiltrainingcertworkshop.com (current_events.rules)
  2019059 - ET CURRENT_EVENTS Possible Upatre SSL Cert
udderperfection.com (current_events.rules)
  2019060 - ET CURRENT_EVENTS Possible Upatre SSL Cert efind.co.il
(current_events.rules)
  2019061 - ET CURRENT_EVENTS Possible Upatre SSL Cert bloodsoft.com
(current_events.rules)
  2019062 - ET CURRENT_EVENTS Possible Upatre SSL Cert walletmix.com
(current_events.rules)
  2019063 - ET CURRENT_EVENTS Possible Upatre SSL Cert
turnaliinsaat.com (current_events.rules)
  2019064 - ET CURRENT_EVENTS Possible Upatre SSL Cert
mdus-pp-wb12.webhostbox.net (current_events.rules)
  2019065 - ET CURRENT_EVENTS Possible Upatre SSL Cert
plastics-technology.com (current_events.rules)
  2019066 - ET CURRENT_EVENTS Possible Upatre SSL Cert
slmp-550-105.slc.westdc.net (current_events.rules)
  2019067 - ET CURRENT_EVENTS Possible Upatre SSL Cert deserve.org.uk
(current_events.rules)
  2019068 - ET CURRENT_EVENTS Possible Upatre SSL Cert worldbuy.biz
(current_events.rules)
  2019069 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2019070 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2019071 - ET CURRENT_EVENTS NullHole EK Landing Aug 27 2014
(current_events.rules)
  2019072 - ET CURRENT_EVENTS RIG EK Landing URI Struct (current_events.rules)
  2019073 - ET CURRENT_EVENTS NullHole EK Landing Redirect Aug 27 2014
(current_events.rules)
  2019074 - ET TROJAN Vawtrak/NeverQuest Posting Data (trojan.rules)
  2019075 - ET CURRENT_EVENTS Possible Upatre SSL Cert
paydaypedro.co.uk (current_events.rules)
  2019076 - ET CURRENT_EVENTS Possible Upatre SSL Cert chatso.com
(current_events.rules)
  2019077 - ET CURRENT_EVENTS Possible Upatre SSL Cert
ventureonsite.com (current_events.rules)
  2019078 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Aug 27 2014
(current_events.rules)

 Pro:

  2808649 - ETPRO TROJAN Backdoor.Win32.Stantinko.A Checkin 3 (trojan.rules)
  2808661 - ETPRO MALWARE Adware.Win32.Midia.A Checkin (malware.rules)
  2808662 - ETPRO TROJAN Win32.Boaxxe Variant Callback (trojan.rules)
  2808663 - ETPRO MOBILE_MALWARE Android/Adware.MobWin.A Checkin
(mobile_malware.rules)
  2808664 - ETPRO MALWARE Win32/ExpressDownloader Callback (malware.rules)
  2808665 - ETPRO MALWARE KopHack Checkin (malware.rules)
  2808666 - ETPRO MALWARE Adware.Winner Uploading Host Info (malware.rules)
  2808667 - ETPRO TROJAN Win32/ProxyChanger.RD Checkin (trojan.rules)
  2808668 - ETPRO TROJAN TROJAN.WIN32.DIZTAKUN.ATK Checkin FTP (trojan.rules)
  2808669 - ETPRO TROJAN TROJANSPY.MSIL/GOLROTED.A Checkin FTP (trojan.rules)
  2808670 - ETPRO TROJAN POSCARDSTEALER.Q Checkin (trojan.rules)
  2808671 - ETPRO TROJAN MONITOR.MSIL.KEYLOGGER Checkin (trojan.rules)
  2808672 - ETPRO TROJAN Win32/Spy.Agent.OKH Checkin (trojan.rules)
  2808673 - ETPRO MOBILE_MALWARE Android/Spyoo.I Checkin (mobile_malware.rules)
  2808674 - ETPRO MOBILE_MALWARE Android/Spyoo.I Checkin 2
(mobile_malware.rules)
  2808675 - ETPRO MOBILE_MALWARE Android/Spyoo.I Checkin 3
(mobile_malware.rules)
  2808676 - ETPRO MALWARE Win32/GameHack.CSO Checkin (malware.rules)
  2808677 - ETPRO MOBILE_MALWARE Android/SMForw.AT Checkin
(mobile_malware.rules)
  2808678 - ETPRO MOBILE_MALWARE Android/SMForw.AT Checkin 2
(mobile_malware.rules)
  2808679 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.BK Checkin
(mobile_malware.rules)
  2808680 - ETPRO MOBILE_MALWARE Adware.Youmi.A Checkin (mobile_malware.rules)
  2808681 - ETPRO MALWARE Win32/InstallRex.Adware Checkin (malware.rules)
  2808682 - ETPRO MOBILE_MALWARE AndroidOS/UUPay.B Checkin 2
(mobile_malware.rules)

 [+++]  Enabled and modified rules:   [+++]

  2010463 - ET WEB_SERVER RFI Scanner Success (Fx29ID) (web_server.rules)

 [///]     Modified active rules:     [///]

  2001616 - ET ATTACK_RESPONSE Zone-H.org defacement notification
(attack_response.rules)
  2009029 - ET WEB_SERVER SQL Injection Attempt (Agent NV32ts)
(web_server.rules)
  2009038 - ET SCAN SQLNinja MSSQL Version Scan (scan.rules)
  2009039 - ET SCAN SQLNinja MSSQL XPCmdShell Scan (scan.rules)
  2009158 - ET SCAN WebShag Web Application Scan Detected (scan.rules)
  2009359 - ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap
NSE) (scan.rules)
  2009480 - ET SCAN Grendel Web Scan - Default User Agent Detected (scan.rules)
  2009799 - ET WEB_SERVER PHP Attack Tool Morfeus F Scanner - M
(web_server.rules)
  2009827 - ET SCAN Pavuk User Agent Detected - Website Mirroring Tool
for Off-line Analysis (scan.rules)
  2009833 - ET SCAN WITOOL SQL Injection Scan (scan.rules)
  2009882 - ET SCAN Default Mysqloit User Agent Detected - Mysql
Injection Takover Tool (scan.rules)
  2009883 - ET SCAN Possible Mysqloit Operating System Fingerprint/SQL
Injection Test Scan Detected (scan.rules)
  2010004 - ET WEB_SERVER SQL sp_start_job attempt (web_server.rules)
  2010037 - ET WEB_SERVER Possible SQL Injection INTO OUTFILE
Arbitrary File Write Attempt (web_server.rules)
  2010215 - ET SCAN SQL Injection Attempt (Agent uil2pn) (scan.rules)
  2010267 - ET TROJAN Sinowal/Torpig Checkin (trojan.rules)
  2010268 - ET TROJAN W32.SillyFDC Checkin (trojan.rules)
  2806067 - ETPRO MALWARE Casino.E Install (malware.rules)

 [///]    Modified inactive rules:    [///]

  2010231 - ET CURRENT_EVENTS
FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF
download 1 (current_events.rules)
  2010281 - ET WEB_SERVER Apache mod_perl Apache Status and Apache2
Status Cross Site Scripting Attempt (web_server.rules)
  2010343 - ET SCAN pangolin SQL injection tool (scan.rules)

 [---]         Removed rules:         [---]

  2009036 - ET TROJAN Armitage Loader Check-in (trojan.rules)
  2009797 - ET TROJAN Bifrose Response from victim (trojan.rules)
  2010289 - ET TROJAN Clod/Sereki Communication with C&C (trojan.rules)
  2010290 - ET TROJAN Clod/Sereki Checkin with C&C (noalert) (trojan.rules)
  2010291 - ET TROJAN Clod/Sereki Checkin Response (trojan.rules)
  2101377 - GPL FTP wu-ftp bad file completion attempt (ftp.rules)
  2101378 - GPL FTP wu-ftp bad file completion attempt with brace (ftp.rules)
Anand Aherkar | 27 Aug 06:23 2014

Nuclear EK redirect to actual exploit hosting site

Hi,

Very simple sig to help detect the redirection to the Nuclear EK site... please comment

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit redirection to exploit hosting site"; uricontent:"/show_ads.js?ver="; nocase; pcre:"/show_ads\.js\?ver=[0-9]$/Ui"; reference:url,http://malware-traffic-analysis.net/2014/08/25/index2.html; sid:xxxxxx; gid:1; rev:1;)

Regards,

Francis Trudeau | 27 Aug 01:06 2014

Daily Ruleset Update Summary 08/26/2014

 [***] Summary: [***]

 2 new Open signatures, 23 new Pro (2+21).  BleedingLife EK, FlashPack, Zeus.

 Thanks:  rmkml

 [+++]          Added rules:          [+++]

 Open:

  2019023 - ET CURRENT_EVENTS BleedingLife EK Variant Aug 26 2014
(current_events.rules)
  2019024 - ET CURRENT_EVENTS Offensive Security EMET Bypass Observed
in BleedingLife Variant Aug 26 2014 (current_events.rules)

 Pro:

  2808639 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.SendPay.a
Checkin (mobile_malware.rules)
  2808640 - ETPRO TROJAN Win32/Zbot Downloading PE (trojan.rules)
  2808641 - ETPRO TROJAN W32/Badur.ZYP Checkin (trojan.rules)
  2808642 - ETPRO TROJAN Win32.BHO Variant Checkin (trojan.rules)
  2808643 - ETPRO TROJAN Zeus variant C2 (trojan.rules)
  2808644 - ETPRO TROJAN Win32/Hupigon.NYK Checkin (trojan.rules)
  2808645 - ETPRO TROJAN MSIL/Agent.RQ Checkin (trojan.rules)
  2808646 - ETPRO TROJAN W32/ZEGOST.AAGP!TR.BDR Checkin (trojan.rules)
  2808647 - ETPRO TROJAN Backdoor.Win32.Stantinko.A Checkin (trojan.rules)
  2808648 - ETPRO TROJAN Backdoor.Win32.Stantinko.A Checkin 2 (trojan.rules)
  2808650 - ETPRO TROJAN PWS.MicroGaming Checkin (trojan.rules)
  2808651 - ETPRO TROJAN TROJAN-DROPPER.WIN32.FRAUDROP.AETPC Checkin
(trojan.rules)
  2808652 - ETPRO TROJAN TROJAN-DROPPER.WIN32.DINWOD.SIL Checkin (trojan.rules)
  2808653 - ETPRO TROJAN Win32.Badur variant payload retrieval (trojan.rules)
  2808654 - ETPRO TROJAN BackDoor.Ebot Checkin (trojan.rules)
  2808655 - ETPRO TROJAN WIN32/LOCKSCREEN.BIK Checkin (trojan.rules)
  2808656 - ETPRO POLICY LabTech PC remote control session setup (policy.rules)
  2808657 - ETPRO TROJAN W32/Delf.GY Callback (trojan.rules)
  2808658 - ETPRO CURRENT_EVENTS FlashPack URI Struct Thread 1
Specific (current_events.rules)
  2808659 - ETPRO CURRENT_EVENTS FlashPack URI Struct Thread 2
Specific (current_events.rules)
  2808660 - ETPRO TROJAN Win32.Badur variant c2 (trojan.rules)

 [///]     Modified active rules:     [///]

  2008358 - ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports
(trojan.rules)
  2013439 - ET TROJAN Dirt Jumper/Russkill3 Checkin (trojan.rules)
  2014523 - ET TROJAN OSX/Flashback.K/I reporting successful infection
2 (trojan.rules)
  2016591 - ET DNS Reply Sinkhole - 106.187.96.49
blacklistthisdomain.com (dns.rules)
  2018578 - ET TROJAN Dyreza RAT Ex-filtrating Data (trojan.rules)
  2018579 - ET TROJAN Dyreza RAT Checkin (trojan.rules)
  2018596 - ET TROJAN Dyreza RAT Checkin Response (trojan.rules)
  2018597 - ET TROJAN Dyreza RAT Checkin Response 2 (trojan.rules)
  2018683 - ET TROJAN Dyreza RAT Checkin 2 (trojan.rules)
  2018749 - ET TROJAN Dyreza RAT Checkin 3 (trojan.rules)
  2018770 - ET TROJAN Dridex/Bugat/Feodo Cookie (trojan.rules)
  2018771 - ET TROJAN Dridex/Bugat/Feodo POST Checkin (trojan.rules)
  2018772 - ET TROJAN Dridex/Bugat/Feodo GET Checkin (trojan.rules)
  2018775 - ET TROJAN Dyreza RAT Fake Server Header (trojan.rules)
Francis Trudeau | 26 Aug 00:30 2014

Daily Ruleset Update Summary 08/25/2014

 [***] Summary: [***]

 29 new Open signatures, 42 new Pro (29+13).  Archie EK, NTP DDOS,
FlashPack EK, Abuse.ch SSL Blacklist.

 Thanks: Jake Warren, ABUSE.CH and @kafeine

 [+++]          Added rules:          [+++]

 Open:

  2018994 - ET TROJAN Win32/Xema dropping file (trojan.rules)
  2018995 - ET CURRENT_EVENTS Archie EK CVE-2014-0515 Aug 24 2014
(current_events.rules)
  2018996 - ET CURRENT_EVENTS Archie EK CVE-2014-0497 Aug 24 2014
(current_events.rules)
  2018997 - ET CURRENT_EVENTS Archie EK Secondary Landing Aug 24 2014
(current_events.rules)
  2018998 - ET CURRENT_EVENTS Archie EK Landing Aug 24 2014
(current_events.rules)
  2018999 - ET TROJAN Win32/Spy.Tuscas (trojan.rules)
  2019000 - ET TROJAN Windows ipconfig Microsoft Windows DOS prompt
command exit OUTBOUND (trojan.rules)
  2019001 - ET TROJAN Windows net start Microsoft Windows DOS prompt
command exit OUTBOUND (trojan.rules)
  2019002 - ET TROJAN Windows systeminfo Microsoft Windows DOS prompt
command exit OUTBOUND (trojan.rules)
  2019003 - ET TROJAN Windows netstat Microsoft Windows DOS prompt
command exit OUTBOUND (trojan.rules)
  2019004 - ET CURRENT_EVENTS FlashPack EK Exploit Flash Post Aug 25
2014 (current_events.rules)
  2019005 - ET CURRENT_EVENTS FlashPack EK Redirect Aug 25 2014
(current_events.rules)
  2019006 - ET CURRENT_EVENTS FlashPack EK Exploit Landing Aug 25 2014
(current_events.rules)
  2019007 - ET CURRENT_EVENTS FlashPack EK JS Include Aug 25 2014
(current_events.rules)
  2019008 - ET CURRENT_EVENTS Safe/CritX/FlashPack Java Payload
(current_events.rules)
  2019009 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2019010 - ET DOS Likely NTP DDoS In Progress PEER_LIST Response to
Non-Ephemeral Port IMPL 0x02 (dos.rules)
  2019011 - ET DOS Likely NTP DDoS In Progress PEER_LIST Response to
Non-Ephemeral Port IMPL 0x03 (dos.rules)
  2019012 - ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response
to Non-Ephemeral Port IMPL 0x02 (dos.rules)
  2019013 - ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response
to Non-Ephemeral Port IMPL 0x03 (dos.rules)
  2019014 - ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response
to Non-Ephemeral Port IMPL 0x03 (dos.rules)
  2019015 - ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response
to Non-Ephemeral Port IMPL 0x02 (dos.rules)
  2019016 - ET DOS Possible NTP DDoS Inbound Frequent Un-Authed
PEER_LIST Requests IMPL 0x03 (dos.rules)
  2019017 - ET DOS Possible NTP DDoS Inbound Frequent Un-Authed
PEER_LIST Requests IMPL 0x02 (dos.rules)
  2019018 - ET DOS Possible NTP DDoS Inbound Frequent Un-Authed
PEER_LIST_SUM Requests IMPL 0x03 (dos.rules)
  2019019 - ET DOS Possible NTP DDoS Inbound Frequent Un-Authed
PEER_LIST_SUM Requests IMPL 0x02 (dos.rules)
  2019020 - ET DOS Possible NTP DDoS Inbound Frequent Un-Authed
GET_RESTRICT Requests IMPL 0x03 (dos.rules)
  2019021 - ET DOS Possible NTP DDoS Inbound Frequent Un-Authed
GET_RESTRICT Requests IMPL 0x02 (dos.rules)
  2019022 - ET DOS Likely NTP DDoS In Progress Multiple UNSETTRAP Mode
6 Responses (dos.rules)

 Pro:

  2808626 - ETPRO TROJAN Win32.Dapato.Ang Checkin (trojan.rules)
  2808627 - ETPRO MALWARE PUP/MultiToolbar.A Checkin (malware.rules)
  2808628 - ETPRO TROJAN Win32/Asper.O Checkin (trojan.rules)
  2808629 - ETPRO MALWARE PUP Win32/bmMedia.D Checkin (malware.rules)
  2808630 - ETPRO MALWARE Adware Win32/IEMao.A Checkin (malware.rules)
  2808631 - ETPRO TROJAN Variant.Kazy.365193(B) Checkin (trojan.rules)
  2808632 - ETPRO TROJAN Win32.Sinresby C2 (trojan.rules)
  2808633 - ETPRO MALWARE Win32.Conducent Checkin (malware.rules)
  2808634 - ETPRO TROJAN MSIL/Injector.P Checkin (trojan.rules)
  2808635 - ETPRO MALWARE Riskware.Chindo Checkin (malware.rules)
  2808636 - ETPRO MOBILE_MALWARE Android.Trojan.SmsSpy.DO Checkin
(mobile_malware.rules)
  2808637 - ETPRO MOBILE_MALWARE Adware.Android.AppLovin.A Checkin
(mobile_malware.rules)
  2808638 - ETPRO MALWARE Win32/InstallBrain.BH Retrieving info (malware.rules)

 [///]     Modified active rules:     [///]

  2017813 - ET CURRENT_EVENTS Safe/CritX/FlashPack Payload
(current_events.rules)
  2018983 - ET CURRENT_EVENTS Probable OneLouder downloader (Zeus P2P)
(current_events.rules)
  2807086 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Obad.a Checkin 2
(mobile_malware.rules)

 [---]         Removed rules:         [---]

  2807750 - ETPRO TROJAN Trojan-Dropper.Win32.Dinwod.rbd Checkin (trojan.rules)
Jake Warren | 25 Aug 19:49 2014

Tuscas Check-in Sig

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Tuscas C&C Check-in"; flow:established,to_server; content:"?version="; http_uri; content:"&group="; http_uri; content:"&client="; http_uri; content:"&computer="; http_uri; content:"&os="; http_uri; content:"&crc="; http_uri; pcre:"/^\/[ti]\?version=[0-9]+&group=[0-9]+&client=[a-z0-9]+&computer=.*?&os=[0-9\.]+&latency&crc=[0-9a-f]+$/U"; reference:url,stopmalvertising.com/malware-reports/analysis-of-tuscas.html; classtype:trojan-activity; sid:xxxxx; rev:1;)

Jake Warren
Level 2 Sr. Network Security Analyst
www.masergy.com

Will Metcalf | 23 Aug 21:38 2014

Malvertising Related EK sigs (Weekend Update)

[***]          Summary:          [***]

@malware_traffic did a write-up on updates to a malvertising-related EK that @malwaresigs spotted in Oct 2013.

http://malware-traffic-analysis.net/2014/08/22/index2.html

We pushed out some rules to detect the updated version.
[+++]          Added rules:          [+++]

  2018988 - ET CURRENT_EVENTS Unknown Malvertising EK Landing Aug 22 2014 (current_events.rules)
  2018989 - ET CURRENT_EVENTS Unknown Malvertising EK Landing URI Sruct Aug 22 2014 (current_events.rules)
  2018990 - ET CURRENT_EVENTS Unknown Malvertising EK Payload URI Sruct Aug 22 2014 (current_events.rules)
  2018991 - ET CURRENT_EVENTS Unknown Malvertising EK Silverlight URI Sruct Aug 22 2014 (current_events.rules)
  2018992 - ET CURRENT_EVENTS Unknown Malvertising EK Flash URI Sruct Aug 22 2014 (current_events.rules)
  2018993 - ET CURRENT_EVENTS Unknown Malvertising EK Payload URI Sruct Aug 22 2014 (current_events.rules)
