Francis Trudeau | 29 Jul 00:53 2015

Daily Ruleset Update Summary 2015/07/28

 [***] Summary: [***]

 6 new Open signatures, 47 new Pro (6 + 41).  ScanBox, Nlex, Asterope.

 Thanks: @abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2021542 - ET CURRENT_EVENTS ScanBox Jun 06 2015 M1 T1 (current_events.rules)
  2021543 - ET CURRENT_EVENTS ScanBox Jun 06 2015 M2 T1 (current_events.rules)
  2021544 - ET CURRENT_EVENTS ScanBox Jun 06 2015 M3 T1 (current_events.rules)
  2021545 - ET TROJAN EncryptorRaas .onion Proxy Domain (trojan.rules)
  2021546 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC) (trojan.rules)
  2021547 - ET TROJAN EncryptorRaas .onion Proxy Domain (trojan.rules)

 Pro:

  2812181 - ETPRO MALWARE Win32/RaonMedia PUP Downloader Activity (malware.rules)
  2812182 - ETPRO TROJAN ZIP file embedded in Large JPG (~10-100MB) (trojan.rules)
  2812183 - ETPRO TROJAN ZIP file embedded in JPG (trojan.rules)
  2812184 - ETPRO TROJAN ZIP file embedded in JPG containing EXE (trojan.rules)
  2812185 - ETPRO CURRENT_EVENTS Possible Successful BofA PHISH July 27 M1 (current_events.rules)
  2812186 - ETPRO CURRENT_EVENTS Possible Successful BofA PHISH July 27 M2 (current_events.rules)

Francis Trudeau | 28 Jul 00:33 2015

Daily Ruleset Update Summary 2015/07/27

 [***] Summary: [***]

 9 new Open signatures, 30 new Pro (9 + 21).  Poshcoder, Neshta.A, MSIL/Cyborg.A.

 Thanks: @rmkml and @abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2021533 - ET POLICY Possible External IP Lookup myip.kz (policy.rules)
  2021534 - ET TROJAN Poshcoder .onion Proxy Domain (hlvumvvclxy2nw7j) (trojan.rules)
  2021535 - ET CURRENT_EVENTS Google Drive Phish - Landing Page July 24 M1 (current_events.rules)
  2021536 - ET CURRENT_EVENTS Google Drive Phish - Landing Page July 24 M2 (current_events.rules)
  2021537 - ET CURRENT_EVENTS Possible Successful PHISH - function Validate (current_events.rules)
  2021538 - ET CURRENT_EVENTS Possible Successful PHISH - function Validate (current_events.rules)
  2021539 - ET CURRENT_EVENTS Possible Successful PHISH - function Validate (current_events.rules)
  2021540 - ET CURRENT_EVENTS Possible Successful PHISH - function Validate (current_events.rules)
  2021541 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (trojan.rules)

 Pro:

Francis Trudeau | 24 Jul 23:59 2015

Daily Ruleset Update Summary 2015/07/24

 [***] Summary: [***]

 4 new Open signatures, 31 new Pro (4 + 27).  W2KM_BARTALEX, Pirpi, AlphaCrypt.

 Thanks: @kafeine and @abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2021529 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (trojan.rules)
  2021530 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (trojan.rules)
  2021531 - ET TROJAN W2KM_BARTALEX Downloading Payload M2 (set) (trojan.rules)
  2021532 - ET TROJAN W2KM_BARTALEX Downloading Payload M2 (trojan.rules)

 Pro:

  2812134 - ETPRO TROJAN AlphaCrypt .onion Proxy Domain (trojan.rules)
  2812135 - ETPRO POLICY Possible IRC Botnet Activity - Throttled Connection (policy.rules)
  2812136 - ETPRO MOBILE_MALWARE Android/Clicker.M Download (mobile_malware.rules)
  2812137 - ETPRO TROJAN Win32/Venik.L Checkin (trojan.rules)
  2812138 - ETPRO MALWARE Win32/VK.SerfingBot PUP Activity (malware.rules)
  2812139 - ETPRO TROJAN Pirpi CnC Beacon Response (trojan.rules)
  2812140 - ETPRO TROJAN Pirpi CnC Beacon Response Fake 404 (trojan.rules)
  2812141 - ETPRO TROJAN Pirpi CnC Beacon HTTP POST (trojan.rules)
  2812142 - ETPRO TROJAN Possible Pirpi DNS Lookup

Kevin Ross | 24 Jul 12:48 2015

SIG: ET CURRENT_EVENTS W32/CryptoWall global1.jpg Distribution Campaign

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/CryptoWall global1.jpg Distribution Campaign"; flow:established,to_server; content:"/images/global1.jpg"; http_uri; depth:20; classtype:trojan-activity; reference:md5,0f5a5f029aacad212322fe5cf259cdd1; sid:1566911; rev:1;)


Kind Regards,
Kevin Ross
Leonard Jacobs | 24 Jul 01:46 2015

CVE-2015-5119

Is there a signature to cover this CVE or any of the other Hacking Team Adobe Flash exploits?

Thanks.

Leonard
Francis Trudeau | 23 Jul 23:46 2015

Daily Ruleset Update Summary 2015/07/23

 [***] Summary: [***]

 11 new Open signatures, 21 new Pro (11 + 10).  Dridex, KINS/ZeusVM, PoisonIvy.

 Thanks: Jake Warren, @kafeine, @abuse_ch, @EKwatcher and @MalwareMustDie.

 [+++]          Added rules:          [+++]

 Open:

  2021518 - ET TROJAN Likely Dridex SSL Cert (trojan.rules)
  2021519 - ET TROJAN Likely Dridex SSL Cert (trojan.rules)
  2021520 - ET TROJAN KINS/ZeusVM Variant CnC Beacon (trojan.rules)
  2021521 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (trojan.rules)
  2021522 - ET CURRENT_EVENTS Fake AV Phone Scam Landing July 23 2015 (current_events.rules)
  2021523 - ET TROJAN PoisonIvy HTTP CnC Beacon (trojan.rules)
  2021524 - ET TROJAN KINS/ZeusVM Variant CnC Beacon (trojan.rules)
  2021525 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (trojan.rules)
  2021526 - ET TROJAN Linux/ChinaZ DDoS Bot Checkin 3 (trojan.rules)
  2021527 - ET TROJAN Possible Zberp receiving config via image file (steganography) 3 (trojan.rules)
  2021528 - ET TROJAN KINS/ZeusVM Variant Retrieving Config (trojan.rules)

 Pro:

  2812123 - ETPRO MALWARE Win32/Adware.FileTour Variant PUP Checkin 2 (malware.rules)
  2812124 - ETPRO MALWARE Win32/Adware.FileTour Variant PUP - IE Redirect (malware.rules)
  2812125 - ETPRO TROJAN Win32/Renocide.gen!H Checkin (trojan.rules)
  2812126 - ETPRO TROJAN Win32/Poindampa.A Geolocate Request (trojan.rules)
  2812128 - ETPRO TROJAN PoisonIvy Keepalive to CnC 205 (trojan.rules)
  2812129 - ETPRO POLICY SpyHunter Spyware Removal Tool PUP Checkin (policy.rules)
  2812130 - ETPRO POLICY SpyHunter Spyware Removal Tool PUP User-Agent (SpyHunter) (policy.rules)
  2812131 - ETPRO MOBILE_MALWARE Android PUP Wodsha-E Checkin 2 (mobile_malware.rules)
  2812132 - ETPRO TROJAN Malicious SSL certificate detected (Dridex CnC) (trojan.rules)
  2812133 - ETPRO TROJAN PoisonIvy DNS Lookup (xp.homeunix.org) (trojan.rules)

 [///]     Modified active rules:     [///]

  2008512 - ET TROJAN Suspicious User-Agent (C slash) (trojan.rules)
  2810583 - ETPRO CURRENT_EVENTS DRIVEBY Magnitude Landing Dec 03 2014 M2 (current_events.rules)
  2812067 - ETPRO TROJAN SOGU DNS CnC Channel TXT Lookup (trojan.rules)
Kevin Ross | 23 Jul 11:59 2015

Dridex Download Pattern Change Heads Up

Hi,

Dridex campaigns (or at least some of them) are no longer following the numeric number format which made up most of them - at least the ones I was seeing, and not the weird Dropbox ones. Today's is a pattern of /mini/mmpy.exe, for those wanting to check, and just to be aware of this change in hunting.

Kind Regards,
Kevin Ross


Document Download:


Dridex File:

Francis Trudeau | 23 Jul 00:50 2015

Daily Ruleset Update Summary 2015/07/22

 [***] Summary: [***]

 10 new Open signatures, 33 new Pro (10 + 23).  NullHole, CozyCar, Banload, CVE-2015-2425.

 Thanks: Duane Howard, @kafeine and @techhelplistcom.

 [+++]          Added rules:          [+++]

 Open:

  2021506 - ET TROJAN Sednit Connectivity Check 0 Byte POST (trojan.rules)
  2021507 - ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M2 (current_events.rules)
  2021508 - ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M3 (current_events.rules)
  2021511 - ET POLICY Edwards Packed proxy.pac from 724sky (policy.rules)
  2021512 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (trojan.rules)
  2021513 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (trojan.rules)
  2021514 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (trojan.rules)
  2021515 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (trojan.rules)
  2021516 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (trojan.rules)
  2021517 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (trojan.rules)

 Pro:

  2812099 - ETPRO TROJAN APT CozyCar SSL Cert 9 (trojan.rules)
  2812100 - ETPRO TROJAN Win32/TrojanDownloader.Banload.TXV Receiving compressed PE set (ZIP) (trojan.rules)
  2812101 - ETPRO TROJAN Win32/TrojanDownloader.Banload.TXV Receiving compressed PE (trojan.rules)
  2812102 - ETPRO MALWARE Win32/Zilix Downloader PUP Checkin (malware.rules)
  2812103 - ETPRO MALWARE Win32/Zilix Downloader PUP IP Check (malware.rules)
  2812104 - ETPRO TROJAN CoinMiner Known malicious stratum authline (4fbe7202) (trojan.rules)
  2812105 - ETPRO TROJAN CoinMiner Known malicious stratum authline (4e811e00) (trojan.rules)
  2812106 - ETPRO TROJAN CoinMiner Known malicious stratum authline (4723b001) (trojan.rules)
  2812107 - ETPRO TROJAN CoinMiner Known malicious stratum authline (50115c00) (trojan.rules)
  2812108 - ETPRO TROJAN CoinMiner Known malicious stratum authline (4b253200) (trojan.rules)
  2812109 - ETPRO TROJAN CoinMiner Known malicious stratum authline (48a8fc01) (trojan.rules)
  2812110 - ETPRO TROJAN CoinMiner Known malicious stratum authline (4f40d200) (trojan.rules)
  2812111 - ETPRO TROJAN CoinMiner Known malicious stratum authline (4a69e600) (trojan.rules)
  2812112 - ETPRO TROJAN Bitcoin miner known malicious basic auth (c2VsamFrX2JvcmlzOmdvb2dsZQ==) (trojan.rules)
  2812113 - ETPRO TROJAN Bitcoin miner known malicious basic auth (aHNob3J0eTkxQGdtYWlsLmNvbTpoYWR5bjMwMDUxOTkx) (trojan.rules)
  2812114 - ETPRO TROJAN Bitcoin miner known malicious basic auth (bnV0c2hlbGw6YXNlcw==) (trojan.rules)
  2812116 - ETPRO POLICY External IP Address/Location Disclosure - geoplugin.net (policy.rules)
  2812117 - ETPRO TROJAN Win32/VB.RZM Checkin (trojan.rules)
  2812118 - ETPRO TROJAN APT CozyCar SSL Cert 11 (trojan.rules)
  2812119 - ETPRO TROJAN Win32/Banload.BBN Checkin (trojan.rules)
  2812120 - ETPRO TROJAN PoisonIvy Keepalive to CnC 204 (trojan.rules)
  2812121 - ETPRO TROJAN MSIL/Zaviso.A Checkin via SQL (trojan.rules)
  2812122 - ETPRO WEB_CLIENT Internet Explorer JScript9 Memory Corruption Vulnerability (CVE-2015-2425) (web_client.rules)

 [///]     Modified active rules:     [///]

  2020623 - ET CURRENT_EVENTS Possible Tsukuba Banker Edwards Packed proxy.pac (current_events.rules)
  2021036 - ET CURRENT_EVENTS CottonCastle/Niteris EK URI Struct April 29 2015 (current_events.rules)

 [---]         Removed rules:         [---]

  2018497 - ET CURRENT_EVENTS Angler EK SilverLight Payload Request - May 2014 (current_events.rules)
  2812075 - ETPRO TROJAN Likely Dridex SSL Cert 1 (trojan.rules)
  2812076 - ETPRO TROJAN Likely Dridex SSL Cert 2 (trojan.rules)
rmkml | 22 Jul 16:30 2015

RE : CVE-2015-5122 signature from Rook Security

Thx Andrea for sharing,

Please add file_data; .

Regards
@Rmkml



-------- Original message --------
From: Andrea De Pasquale <andrea <at> de-pasquale.name>
Date: 22/07/2015 16:05 (GMT+01:00)
To: Emerging Sigs <emerging-sigs <at> emergingthreats.net>
Subject: [Emerging-Sigs] CVE-2015-5122 signature from Rook Security

I haven't seen this CVE-2015-5122 signature in the ET ruleset, so here is one from Rook Security (https://www.rooksecurity.com/hacking-team-malware-detection-utility/):

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CVE-2015-5122: Adobe Flash Exploit (Memory Corruption)"; flow:from_server,established; content:"|43 57 53|"; content:"|c9 66 3d 21 24 49 68 69 69 39 12 61 04 4a 49 4e|"; offset:127; sid:9931892; rev:2;)

Probably a reference URL should be added.

Regards,
--
Andrea De Pasquale
rmkml | 22 Jul 16:28 2015

RE : Re: SIG: ET W32 Backdoor.IsSpace

Thx Abhinav,

Could you add a no-capture (?:...) on the pcre, please?

Regards
@Rmkml



-------- Original message --------
From: abhinav singh <abhinavbom <at> gmail.com>
Date: 22/07/2015 16:05 (GMT+01:00)
To: emerging-sigs <at> lists.emergingthreats.net
Subject: Re: [Emerging-Sigs] SIG: ET W32 Backdoor.IsSpace

Apologies for the quick post, guys. I was in a bit of a hurry to catch public transport. I went back home and tested the rule. I made a couple of blunders in CP.

Here is the tested rule: 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET W32 Backdoor.IsSpace CnC"; flow:established,to_server; content:"POST"; http_method; content:"/SNews.asp?HostID="; http_uri; fast_pattern:only; pcre:"/\?HostID=([0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}$/U"; reference:url,researchcenter.paloaltonetworks.com/2015/07/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/; classtype:trojan-activity; sid:1; rev:1;)

Thanks to rmkml and Per Kristian.

Regards,
Abhinav
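A lint pass over the three signatures posted in this thread, written as an added example for this page (not the list's or Emerging Threats' tooling), encoding the review points raised: rmkml's file_data on a server-side content match and non-capturing pcre group, and Andrea's missing reference (the check that a url reference omits the scheme is my addition; Snort and Suricata prepend http:// from reference.config). The rule texts are copies as first posted to the list, and the option parser is a minimal approximation of the Snort 2 grammar.

```python
import re

# Constructed copies of the three signatures posted in this thread, as first
# posted (soft hyphens in the Rook rule stripped, IsSpace reference as posted).
RULES = {
    "rook_cve_2015_5122": r'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CVE-2015-5122: Adobe Flash Exploit (Memory Corruption)"; flow:from_server,established; content:"|43 57 53|"; content:"|c9 66 3d 21 24 49 68 69 69 39 12 61 04 4a 49 4e|"; offset:127; sid:9931892; rev:2;)',
    "isspace_cnc": r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET W32 Backdoor.IsSpace CnC"; flow:established,to_server; content:"POST"; http_method; content:"/SNews.asp?HostID="; http_uri; fast_pattern:only; pcre:"/\?HostID=([0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}$/U"; reference:url, http://researchcenter.paloaltonetworks.com/2015/07/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/; classtype:trojan-activity; sid:1; rev:1;)',
    "cryptowall_global1": r'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/CryptoWall global1.jpg Distribution Campaign"; flow:established,to_server; content:"/images/global1.jpg"; http_uri; depth:20; classtype:trojan-activity; reference:md5,0f5a5f029aacad212322fe5cf259cdd1; sid:1566911; rev:1;)',
}
RULE_RE = re.compile(r"^(?P<header>[^(]+)\((?P<opts>.*)\)\s*$")
OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')  # ';' outside quotes

def parse_rule(rule):
    """Return (header, [(keyword, value), ...]) for a single-line rule; a
    minimal approximation of the Snort 2 grammar, not a full parser."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a single-line rule")
    opts = []
    for raw in OPT_SPLIT.split(m.group("opts")):
        if raw.strip():
            key, _, val = raw.partition(":")
            opts.append((key.strip(), val.strip().strip('"')))
    return m.group("header").strip(), opts

def lint(rule):
    """Return the review findings for one rule, in check order."""
    _, opts = parse_rule(rule)
    keys = [k for k, _ in opts]
    findings = []
    # rmkml on the Rook rule: a content match on a server response body (the
    # Flash file) should be scoped with file_data to the decoded HTTP body.
    flows = " ".join(v for k, v in opts if k == "flow")
    if ("from_server" in flows or "to_client" in flows) \
            and "content" in keys and "file_data" not in keys:
        findings.append("content on server response without file_data")
    # rmkml on the IsSpace rule: a group used only for repetition should be
    # non-capturing, (?:...), so PCRE does not store a capture per match.
    for k, v in opts:
        if k == "pcre" and re.search(r"(?<!\\)\((?!\?)", v):
            findings.append("pcre uses a capturing group; prefer (?:...)")
    # Andrea on the Rook rule: add a reference. A url reference must not carry
    # a scheme: Snort and Suricata prepend http:// from reference.config.
    refs = [v for k, v in opts if k == "reference"]
    if not refs:
        findings.append("no reference option")
    for ref in refs:
        rtype, _, rval = ref.partition(",")
        if rtype.strip() == "url" and re.match(r"\s*https?://", rval):
            findings.append("reference:url includes a scheme")
    return findings

def lint_all(rules=RULES):
    """Map each rule name to its findings; an empty list means it passed."""
    return {name: lint(rule) for name, rule in rules.items()}
```

Running `lint_all()` flags the Rook rule for the missing file_data and reference, the IsSpace rule for the capturing group and the scheme in its url reference, and passes the CryptoWall rule.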
Andrea De Pasquale | 22 Jul 16:05 2015

CVE-2015-5122 signature from Rook Security

I haven't seen this CVE-2015-5122 signature in the ET ruleset, so here is one from Rook Security (https://www.rooksecurity.com/hacking-team-malware-detection-utility/):

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CVE-2015-5122: Adobe Flash Exploit (Memory Corruption)"; flow:from_server,established; content:"|43 57 53|"; content:"|c9 66 3d 21 24 49 68 69 69 39 12 61 04 4a 49 4e|"; offset:127; sid:9931892; rev:2;)

Probably a reference URL should be added.

Regards,
--
Andrea De Pasquale
