Francis Trudeau | 3 May 00:53 2016

Daily Ruleset Update Summary 2016/05/02

 [***] Summary: [***]

 24 new Pro signatures.  MultiGrainPOS, Emissary, PoisonIvy.

 [+++]          Added rules:          [+++]

  2819996 - ETPRO TROJAN MultiGrainPOS CnC over DNS (trojan.rules)
  2819997 - ETPRO MOBILE_MALWARE Android.Adware.Ppoer.C Checkin (mobile_malware.rules)
  2819998 - ETPRO MOBILE_MALWARE Android/Inmobi.D Checkin (mobile_malware.rules)
  2819999 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Shedun.V Checkin (mobile_malware.rules)
  2820000 - ETPRO MOBILE_MALWARE Android/Styricka.A Checkin (mobile_malware.rules)
  2820001 - ETPRO CURRENT_EVENTS Adobe Online Document Phishing Landing May 2 (current_events.rules)
  2820004 - ETPRO TROJAN Malicious SSL Certificate Detected (Social Engineering Kit) (trojan.rules)
  2820005 - ETPRO TROJAN Emissary External IP Check 2 (trojan.rules)
  2820006 - ETPRO TROJAN Emissary CnC Beacon 2 (trojan.rules)
  2820007 - ETPRO TROJAN Emissary CnC Beacon 3 (trojan.rules)
  2820008 - ETPRO TROJAN Emissary CnC Beacon Response 2 (trojan.rules)
  2820009 - ETPRO TROJAN Emissary CnC Beacon 4 (trojan.rules)
  2820010 - ETPRO TROJAN Observerd Malvertising Domain SSL Cert (trojan.rules)
  2820011 - ETPRO MOBILE_MALWARE Android.Trojan.FakeFlash.T Checkin (mobile_malware.rules)
  2820012 - ETPRO CURRENT_EVENTS Successful NCB Online Phish May 2 (current_events.rules)
  2820013 - ETPRO CURRENT_EVENTS Possible XML Phishing Landing May 2 (current_events.rules)
  2820014 - ETPRO CURRENT_EVENTS Possible Successful SWF/XML Phish May 2 (current_events.rules)
  2820015 - ETPRO MALWARE MSIL/Adware.Testing24.A Checkin (malware.rules)
  2820016 - ETPRO TROJAN PoisonIvy Keepalive to CnC 321 (trojan.rules)
  2820017 - ETPRO TROJAN PoisonIvy Keepalive to CnC 322 (trojan.rules)
  2820018 - ETPRO TROJAN PoisonIvy Keepalive to CnC 323 (trojan.rules)
  2820019 - ETPRO TROJAN PoisonIvy Keepalive to CnC 324 (trojan.rules)
  2820020 - ETPRO TROJAN CoinMiner Known malicious stratum authline (2016-05-02 1) (trojan.rules)
  2820021 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Svpeng.e Checkin (mobile_malware.rules)


 [///]     Modified active rules:     [///]

  2022736 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC) (trojan.rules)
  2814183 - ETPRO MALWARE Win32.Instally.AD Checkin (malware.rules)
  2815103 - ETPRO TROJAN Ozone RAT CnC Beacon (trojan.rules)


 [---]         Removed rules:         [---]

  2811065 - ETPRO MALWARE PUP Win32/Instally.A CnC Beacon (malware.rules)

John Meyer | 2 May 20:20 2016

Re: BLEXBot

Thanks!

I've placed that on a test machine; however, I switched EXTERNAL_NET and HOME_NET in order to alert on incoming scans.



--
John Meyer


On Mon, May 2, 2016 at 2:14 PM, Travis Green <tgreen@...> wrote:
Here is a sig that will work for that:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS BLEXBot User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| BLEXBot/"; fast_pattern:25,20; http_header; reference:url,webmeup.com/about.html; classtype:misc-activity; sid:10002006; rev:1;)

I'll add it to QA, thanks!
-Travis

On Mon, May 2, 2016 at 12:02 PM, John Meyer <john.meyer@...> wrote:
Hello,

I am seeing a good amount of traffic such as below in our server logs.  Does anyone happen to have a rule for BLEXBot?

xxx.xxx.xxx.xxx - - [02/May/2016:17:51:15 +0000] "GET /products/security/penetration-testing.html HTTP/1.1" 301 193 "-" "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"

xxx.xxx.xxx.xxx - - [02/May/2016:17:51:23 +0000] "GET /security/030711.html HTTP/1.1" 301 193 "-" "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"

xxx.xxx.xxx.xxx - - [02/May/2016:17:51:35 +0000] "GET /security/20040406.html HTTP/1.1" 301 193 "-" "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"

xxx.xxx.xxx.xxx - - [02/May/2016:17:51:44 +0000] "GET /security/gm001.html HTTP/1.1" 301 193 "-" "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"

If there isn't one existing, my team and I could write one :)

--
John Meyer

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net





--
PGP: 0xBED7B297

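To audit Travis's signature against the kind of log lines John posted, here is an added Python script (not from the thread or from Emerging Threats): it expands the rule's |hex| content escapes, shows which bytes fast_pattern:25,20 actually selects, tests the content against the User-Agent header rebuilt from each log line, and models why swapping $HOME_NET and $EXTERNAL_NET is needed to catch the crawler arriving at the web server. The log lines, client addresses and the 192.0.2.0/24 HOME_NET are constructed for the example.

```python
import re
import ipaddress

# Travis Green's signature from this thread, kept as data so it can be audited.
RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"ET USER_AGENTS BLEXBot User-Agent"; flow:established,to_server; '
    'content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| BLEXBot/"; '
    'fast_pattern:25,20; http_header; reference:url,webmeup.com/about.html; '
    'classtype:misc-activity; sid:10002006; rev:1;)'
)

# Constructed Apache combined-format log lines modelled on the ones John posted;
# RFC 5737 documentation addresses stand in for the masked client IPs.
LOG_LINES = [
    '203.0.113.7 - - [02/May/2016:17:51:15 +0000] '
    '"GET /products/security/penetration-testing.html HTTP/1.1" 301 193 "-" '
    '"Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"',
    '198.51.100.23 - - [02/May/2016:17:52:01 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')


def decode_content(s):
    """Expand a Snort/Suricata content string to bytes: text outside |...| is
    literal, text inside is space-separated hex (so |3a 20| becomes ': ')."""
    out = bytearray()
    for i, part in enumerate(s.split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)


def parse_rule(rule):
    """Pull out the header fields and body options this audit needs."""
    hdr = re.match(r'(\w+) (\w+) (\S+) (\S+) (->|<>) (\S+) (\S+) \((.*)\)\s*$', rule)
    action, proto, src, sport, direction, dst, dport, body = hdr.groups()
    content = re.search(r'content:"((?:[^"\\]|\\.)*)"', body).group(1)
    fp = re.search(r'fast_pattern:(\d+),(\d+)', body)
    return {
        'src': src, 'dst': dst,
        'content': decode_content(content),
        'fast_pattern': (int(fp.group(1)), int(fp.group(2))) if fp else None,
    }


def fast_pattern_bytes(rule):
    """The bytes handed to the multi-pattern matcher by fast_pattern:offset,length.
    Raises if the window runs past the end of the content (a common rule-writing slip)."""
    off, length = rule['fast_pattern']
    content = rule['content']
    if off + length > len(content):
        raise ValueError('fast_pattern window exceeds content length')
    return content[off:off + length]


def parse_log(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError('unrecognised log line')
    return {'client': m.group(1), 'user_agent': m.group(5)}


def header_matches(rule, line):
    """Rebuild the request header the sensor would see and test the content match."""
    ua = parse_log(line)['user_agent']
    header = b'User-Agent: ' + ua.encode('latin-1') + b'\r\n'
    return rule['content'] in header and fast_pattern_bytes(rule) in header


def addresses_match(rule, client_ip, server_ip, home_net):
    """With flow:to_server the rule's source is the client and its destination the
    server. As written ($HOME_NET -> $EXTERNAL_NET) it fires only when our own hosts
    send BLEXBot requests out; swapping the variables, as John did, makes it fire on
    a crawler hitting our web server."""
    home = ipaddress.ip_network(home_net)

    def in_var(var, addr):
        ip = ipaddress.ip_address(addr)
        return {'$HOME_NET': ip in home, '$EXTERNAL_NET': ip not in home}.get(var, var == 'any')

    return in_var(rule['src'], client_ip) and in_var(rule['dst'], server_ip)


def swap_direction(rule):
    return {**rule, 'src': rule['dst'], 'dst': rule['src']}


if __name__ == '__main__':
    r = parse_rule(RULE)
    print('content      :', r['content'].decode())
    print('fast_pattern :', fast_pattern_bytes(r).decode())
    for line in LOG_LINES:
        print(parse_log(line)['client'], 'UA matches:', header_matches(r, line))
    args = ('203.0.113.7', '192.0.2.10', '192.0.2.0/24')
    print('inbound crawler caught as written :', addresses_match(r, *args))
    print('inbound crawler caught after swap :', addresses_match(swap_direction(r), *args))
```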
John Meyer | 2 May 20:02 2016

BLEXBot

Hello,

I am seeing a good amount of traffic such as below in our server logs.  Does anyone happen to have a rule for BLEXBot?

xxx.xxx.xxx.xxx - - [02/May/2016:17:51:15 +0000] "GET /products/security/penetration-testing.html HTTP/1.1" 301 193 "-" "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"

xxx.xxx.xxx.xxx - - [02/May/2016:17:51:23 +0000] "GET /security/030711.html HTTP/1.1" 301 193 "-" "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"

xxx.xxx.xxx.xxx - - [02/May/2016:17:51:35 +0000] "GET /security/20040406.html HTTP/1.1" 301 193 "-" "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"

xxx.xxx.xxx.xxx - - [02/May/2016:17:51:44 +0000] "GET /security/gm001.html HTTP/1.1" 301 193 "-" "Mozilla/5.0 (compatible; BLEXBot/1.0; +http://webmeup-crawler.com/)"

If there isn't one existing, my team and I could write one :)

--
John Meyer
Francis Trudeau | 30 Apr 00:26 2016

Daily Ruleset Update Summary 2016/04/29

 [***] Summary: [***]

 2 new Open signatures, 17 new Pro (2 + 15).  PCRat/Gh0st, Rexpot, PoisonIvy.


 [+++]          Added rules:          [+++]

 Open:

  2022773 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 105 (trojan.rules)
  2022774 - ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 29 2016 (current_events.rules)

 Pro:

  2819980 - ETPRO TROJAN Downloader.Gofarer Checkin (trojan.rules)
  2819981 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.a Checkin 15 (mobile_malware.rules)
  2819982 - ETPRO EXPLOIT AirOS 6x Path Traversal (exploit.rules)
  2819983 - ETPRO EXPLOIT Netgear Multi Remote Code Execution Attempt (exploit.rules)
  2819984 - ETPRO EXPLOIT Netgear ProSafe Remote Code Execution Attempt (exploit.rules)
  2819985 - ETPRO EXPLOIT Technicolor tc7200 Password Disclosure Attempt (exploit.rules)
  2819986 - ETPRO TROJAN Possible APT.Inif Downloader Retrieving Payload (trojan.rules)
  2819987 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Hqwar.q Checkin (mobile_malware.rules)
  2819988 - ETPRO TROJAN PoisonIvy Keepalive to CnC 320 (trojan.rules)
  2819989 - ETPRO TROJAN APT.Rexpot Stage1 Variant CnC Beacon 2 (trojan.rules)
  2819990 - ETPRO TROJAN APT.Rexpot Stage1 Variant CnC Beacon 3 (trojan.rules)
  2819991 - ETPRO TROJAN Downloader Requesting Likely APT.Rexpot Variant (trojan.rules)
  2819993 - ETPRO TROJAN Win32/Spy.KeyLogger.NHM Retrieving Secondary CnC (trojan.rules)
  2819994 - ETPRO MOBILE_MALWARE Android.Trojan.SpyCall.A Checkin (mobile_malware.rules)
  2819995 - ETPRO CURRENT_EVENTS Successful Adobe Phish Apr 29 (current_events.rules)


 [///]     Modified active rules:     [///]

  2022772 - ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 28 2016 (current_events.rules)
  2803850 - ETPRO ACTIVEX Microsoft Internet Explorer htmlfile ActiveX control instantiation (activex.rules)
  2819826 - ETPRO TROJAN MSIL/BrLock Screenlocker Activity (trojan.rules)
  2819959 - ETPRO TROJAN Hancitor Dropper Checkin (trojan.rules)


 [---]         Removed rules:         [---]

  2018617 - ET MALWARE Downloader.NSIS.OutBrowse.b Checkin (malware.rules)
  2819916 - ETPRO CURRENT_EVENTS 404 With Login Form (Potential Phish) (current_events.rules)

Francis Trudeau | 28 Apr 01:04 2016

Daily Ruleset Update Summary 2016/04/27

 [***] Summary [***]

 3 new Open signatures, 7 new Pro (3 + 4).  Locky, PoisonIvy, TrueCrypter.

 [+++]          Added rules:          [+++]

 Open:

  2022769 - ET TROJAN Ransomware Locky CnC Beacon 2 (trojan.rules)
  2022770 - ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016 (fbset) (current_events.rules)
  2022771 - ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016 (current_events.rules)

 Pro:

  2819949 - ETPRO TROJAN Win32/Adware.Offtoup.A Checkin (trojan.rules)
  2819950 - ETPRO TROJAN PoisonIvy Keepalive to CnC 317 (trojan.rules)
  2819951 - ETPRO TROJAN PoisonIvy Keepalive to CnC 318 (trojan.rules)
  2819952 - ETPRO TROJAN Ransomware/TrueCrypter Onion Domain Lookup (trojan.rules)
  2819953 - ETPRO TROJAN Ransomware TrueCrypter CnC Beacon (trojan.rules)


 [///]     Modified active rules:     [///]

  2022683 - ET TROJAN Win32/CryptFile2 Ransomware Checkin (trojan.rules)
  2819826 - ETPRO TROJAN MSIL/BrLock Screenlocker Activity (trojan.rules)

rmkml | 26 Apr 20:27 2016

ET fwrules not updated since 15 March...

Hi ET,

Could you check why the fwrules have not been updated since 15 March, please?

http://rules.emergingthreats.net/fwrules/ :

  FWrev                             2016-03-15 00:30    5
  emerging-Block-IPs.txt            2016-03-15 00:30   24K
  emerging-IPF-ALL.rules            2016-03-15 00:30  137K
  emerging-IPF-CC.rules             2016-03-15 00:30   64K
  emerging-IPF-DROP.rules           2016-03-15 00:30   73K
  emerging-IPF-DSHIELD.rules        2016-03-15 00:30  3.7K
  emerging-IPTABLES-ALL.rules       2016-03-15 00:30   97K
  emerging-IPTABLES-CC.rules        2016-03-15 00:30   46K
  emerging-IPTABLES-DROP.rules      2016-03-15 00:30   52K
  emerging-IPTABLES-DSHIELD.rules   2016-03-15 00:30  3.4K
  emerging-PF-ALL.rules             2016-03-15 00:30   31K
  emerging-PF-CC.rules              2016-03-15 00:30   18K
  emerging-PF-DROP.rules            2016-03-15 00:30   15K
  emerging-PF-DSHIELD.rules         2016-03-15 00:30  2.3K
  emerging-PIX-ALL.rules            2016-03-15 00:30   70K
  emerging-PIX-CC.rules             2016-03-15 00:30   25K
  emerging-PIX-DROP.rules           2016-03-15 00:30   46K
  emerging-PIX-DSHIELD.rules        2016-03-15 00:30  3.2K
  emerging-iptables-update.pl       2008-06-20 08:25  100

Regards
@Rmkml

Davide Paltrinieri | 26 Apr 09:22 2016

[FP] sid 2816734 (Successful Chase Phish Mar 23)

Hello!

I spotted what looks to be an FP related to the signature below:
    2816734 - ETPRO CURRENT_EVENTS Successful Chase Phish Mar 23 (current_events.rules)

This gets triggered on the NASDAQ-related website for JPMorgan Chase:
https://investor.shareholder.com/jpmorganchase/sec.cfm

There are several links in the page that point to the original website, like chaseonline.chase.com, which are triggering the rule.

If needed, a PCAP can be provided.
Cheers
Davide




On Wed, Mar 23, 2016 at 11:09 PM, Francis Trudeau <ftrudeau@emergingthreats.net> wrote:
 [***] Results from Oinkmaster started Wed Mar 23 18:00:37 2016 [***]

 13 new Open signatures, 23 new Pro (13 + 10).  Locky, Cryptolocker, PoisonIvy.

 Thanks:  Anthony Rodgers, @Certego_IRT and @rmkml.

 [+++]          Added rules:          [+++]

 Open:

  2022637 - ET TROJAN Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v1 Unicode (trojan.rules)
  2022638 - ET TROJAN Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v1 ASCII (trojan.rules)
  2022639 - ET TROJAN Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v2 (trojan.rules)
  2022640 - ET TROJAN PE EXE or DLL Windows file download Text M2 (trojan.rules)
  2022641 - ET POLICY DNS Query to a *.ngrok domain (ngrok.com) (policy.rules)
  2022642 - ET POLICY DNS Query to a *.ngrok domain (ngrok.io) (policy.rules)
  2022643 - ET POLICY DNS Query to a *.neokred domain - Likely Hostile (policy.rules)
  2022644 - ET POLICY DNS Query to .onion proxy Domain (torgate.es) (policy.rules)
  2022645 - ET POLICY DNS Query to .onion proxy Domain (tormaster.fr) (policy.rules)
  2022646 - ET POLICY DNS Query to .onion proxy Domain (torgateway.li) (policy.rules)
  2022647 - ET TROJAN Cryptolocker Payment Page (3qbyaoohkcqkzrz6) (trojan.rules)
  2022648 - ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 23 (current_events.rules)
  2022649 - ET CURRENT_EVENTS Fake AV Phone Scam Mar 23 (current_events.rules)

 Pro:

  2816726 - ETPRO TROJAN Win32/Neshta.A Checkin 6 (trojan.rules)
  2816727 - ETPRO TROJAN PoisonIvy Keepalive to CnC 310 (trojan.rules)
  2816728 - ETPRO MALWARE Win32.AdLoad.unbg Checkin (malware.rules)
  2816730 - ETPRO TROJAN Observed Malvertising Domain SSL Cert (trojan.rules)
  2816731 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.hu Checkin (mobile_malware.rules)
  2816732 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.hu Checkin 2 (mobile_malware.rules)
  2816733 - ETPRO CURRENT_EVENTS Successful Chase Phish Mar 23 (current_events.rules)
  2816734 - ETPRO CURRENT_EVENTS Chase Phishing Obfuscated Landing Mar 23 (current_events.rules)
  2816735 - ETPRO POLICY Possible FixMe.IT / Techinline Remote Access Tool SSL Cert (policy.rules)
  2816736 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Paccy.b Checkin (mobile_malware.rules)


 [///]     Modified active rules:     [///]

  2007994 - ET MALWARE Suspicious User-Agent (1 space) (malware.rules)
  2014726 - ET POLICY Outdated Windows Flash Version IE (policy.rules)
  2020936 - ET TROJAN PunkeyPOS HTTP CnC Beacon 2 (trojan.rules)
  2022636 - ET INFO SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns) (info.rules)
  2815391 - ETPRO MOBILE_MALWARE Android/Spy.Agent.QW Checkin (mobile_malware.rules)


 [---]         Removed rules:         [---]

  2015973 - ET CURRENT_EVENTS PHISH Gateway POST to gateway-p (current_events.rules)


Darren S. | 25 Apr 19:54 2016

Rule 2022479 hex strings

Was curious the reason for lack of ASCII strings in this rule and
wondering why it was implemented completely with hex escapes. One
obvious shortcoming is that it makes it difficult to audit the rule to
gauge matchability to a sample payload one is reviewing, and if you're
attempting to use a string search on the ruleset to find a matching
rule for the threat, no bueno.

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
EITest Evil Redirect Leading to EK Feb 01 2016";
flow:established,from_server; file_data; content:"|7a 2d 69 6e 64 65
78 3a 2d 31 3b|"; content:"|6f 70 61 63 69 74 79 3a 30 3b 66 69 6c 74
65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 3b 20 2d 6d
6f 7a 2d 6f 70 61 63 69 74 79 3a 30 3b 22 3e|"; fast_pattern:32,20;
distance:0; content:"|63 6c 73 69 64 3a 64 32 37 63 64 62 36 65 2d 61
65 36 64 2d 31 31 63 66 2d 39 36 62 38 2d 34 34 34 35 35 33 35 34 30
30 30 30|"; nocase; within:500;
reference:url,malware-traffic-analysis.net/2016/01/26/index.html;
classtype:trojan-activity; sid:2022479; rev:3;)

z-index:-1;

opacity:0;filter:alpha(opacity=0); -moz-opacity:0;">

clsid:d27cdb6e-ae6d-11cf-96b8-444553540000

Some characters need to be hex encoded, but totally encoding the
string matches effectively obfuscates this from defenders (or at least
inconveniences them).

-- 
Darren Spruell
phatbuckett@...
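As an added example (not from the thread or the ET ruleset): a small Python helper that expands the content: options of a rule into the bytes they match and rewrites each one with only the hex Suricata actually requires, which recovers the readable strings listed above and gives something a string search on the ruleset can find. The rule text is the one quoted in the post; the function names and the escape set are my own assumptions.

```python
import re
from typing import List

# Bytes Suricata will not take literally inside content:"...": " ; \ and |
# (assumption: the escape set given in the Suricata content documentation).
MUST_HEX = {0x22, 0x3B, 0x5C, 0x7C}

# content:"..." or content:!"..."; the body may carry \" \; \\ escapes.
CONTENT_OPT = re.compile(r'content:\s*(!?)"((?:[^"\\]|\\.)*)"')


def decode_content(body: str) -> bytes:
    """Expand a content body (|hex| runs plus backslash escapes) to raw bytes."""
    out, i = bytearray(), 0
    while i < len(body):
        c = body[i]
        if c == "|":                                  # |7a 2d ...| run, may be line-wrapped
            end = body.find("|", i + 1)
            if end < 0:
                raise ValueError("unterminated hex run")
            out += bytes.fromhex("".join(body[i + 1:end].split()))
            i = end + 1
        elif c == "\\":                               # escape for " ; or \
            if i + 1 >= len(body) or body[i + 1] not in '";\\':
                raise ValueError(f"bad escape at offset {i}")
            out.append(ord(body[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def encode_content(data: bytes) -> str:
    """Minimal form: printable ASCII stays literal, only awkward bytes go in |hex|."""
    parts: List[str] = []
    run: List[int] = []

    def flush() -> None:
        if run:
            parts.append("|" + " ".join(f"{b:02x}" for b in run) + "|")
            run.clear()

    for b in data:
        if 0x20 <= b < 0x7F and b not in MUST_HEX:
            flush()
            parts.append(chr(b))
        else:
            run.append(b)
    flush()
    return "".join(parts)


def rule_contents(rule: str) -> List[bytes]:
    """Every content match in a rule, decoded, in rule order."""
    return [decode_content(m.group(2)) for m in CONTENT_OPT.finditer(rule)]


def readable_rule(rule: str) -> str:
    """Rewrite each content option in minimal-hex form; the bytes matched, and so
    the fast_pattern/within/distance offsets, are unchanged."""
    def repl(m):
        return f'content:{m.group(1)}"{encode_content(decode_content(m.group(2)))}"'
    return CONTENT_OPT.sub(repl, rule)


# The rule quoted in the post (sid 2022479 rev 3), joined back onto one line.
RULE_2022479 = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS '
    'EITest Evil Redirect Leading to EK Feb 01 2016"; '
    'flow:established,from_server; file_data; content:"|7a 2d 69 6e 64 65 '
    '78 3a 2d 31 3b|"; content:"|6f 70 61 63 69 74 79 3a 30 3b 66 69 6c 74 '
    '65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 3b 20 2d 6d '
    '6f 7a 2d 6f 70 61 63 69 74 79 3a 30 3b 22 3e|"; fast_pattern:32,20; '
    'distance:0; content:"|63 6c 73 69 64 3a 64 32 37 63 64 62 36 65 2d 61 '
    '65 36 64 2d 31 31 63 66 2d 39 36 62 38 2d 34 34 34 35 35 33 35 34 30 '
    '30 30 30|"; nocase; within:500; '
    'reference:url,malware-traffic-analysis.net/2016/01/26/index.html; '
    'classtype:trojan-activity; sid:2022479; rev:3;)'
)
```

Running readable_rule on the rule above leaves only the ; and " bytes in hex, so the three matches read as z-index:-1|3b|, opacity:0|3b|filter:alpha(opacity=0)|3b| -moz-opacity:0|3b 22|> and the clsid string.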
Anshuman Anil Deshmukh | 25 Apr 07:50 2016

Possible FP for ET USER_AGENTS Suspicious User-Agent Beginning with digits [1:2010697]

Hi,

 

The said signature fired for this traffic, which we think is a false positive. The server is a centralized Symantec LiveUpdate Server which brings updates for Symantec Endpoint Servers.

 

Here is the payload

 

(Hex)

0000000: 47 45 54 20 2f 6c 69 76 65 75 70 64 61   74 65 5f 33 2e 33 2e 30 2e 31 30 31 5f  GET./liveupdate_3.3.0.101_

000001A: 65 6e 67 6c 69 73 68 5f 6c 69 76 65 74   72 69 2e 7a 69 70 20 48 54 54 50 2f 31  english_livetri.zip.HTTP/1

0000034: 2e 31 0d 0a 41 63 63 65 70 74 3a 20 2a   2f 2a 0d 0a 43 61 63 68 65 2d 43 6f 6e  .1..Accept:.*/*..Cache-Con

000004E: 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65   3d 30 0d 0a 55 73 65 72 2d 41 67 65 6e  trol:.max-age=0..User-Agen

0000068: 74 3a 20 34 68 6f 63 58 66 7a 62 46 41   4f 6f 65 63 50 72 32 2f 54 76 6c 42 52  t:.4hocXfzbFAOoecPr2/TvlBR

0000082: 6a 46 67 34 72 48 55 64 56 77 41 41 41   41 41 0d 0a 48 6f 73 74 3a 20 6c 69 76  jFg4rHUdVwAAAAA..Host:.liv

000009C: 65 75 70 64 61 74 65 2e 73 79 6d 61 6e   74 65 63 6c 69 76 65 75 70 64 61 74 65  eupdate.symantecliveupdate

00000B6: 2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 74   69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69  .com..Connection:.Keep-Ali

00000D0: 76 65 0d 0a 0d 0a                                                                ve....

 

(Ascii)

GET./liveupdate_3.3.0.101_english_livetri.zip.HTTP/1.1

.Accept:.*/*

.Cache-Control:.max-age=0

.User-Agent:.4hocXfzbFAOoecPr2/TvlBRjFg4rHUdVwAAAAA

.Host:.liveupdate.symantecliveupdate.com

.Connection:.Keep-Alive

.

.

 

 

Regards,

Anshuman

anshuman <at> cybage.com
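As an added example, not from the post: a Python snippet that rebuilds the raw request from the hex dump quoted above, re-checks the rule's premise (a User-Agent that begins with digits) with a simplified stand-in for the real signature, and applies the kind of destination allowlist a tuning pass would add. KNOWN_UPDATE_HOSTS and the function names are my own assumptions.

```python
from typing import Dict, Tuple

# Hex dump quoted in the post above (xxd style: offset, hex bytes, ASCII column).
LIVEUPDATE_DUMP = """
0000000: 47 45 54 20 2f 6c 69 76 65 75 70 64 61   74 65 5f 33 2e 33 2e 30 2e 31 30 31 5f  GET./liveupdate_3.3.0.101_
000001A: 65 6e 67 6c 69 73 68 5f 6c 69 76 65 74   72 69 2e 7a 69 70 20 48 54 54 50 2f 31  english_livetri.zip.HTTP/1
0000034: 2e 31 0d 0a 41 63 63 65 70 74 3a 20 2a   2f 2a 0d 0a 43 61 63 68 65 2d 43 6f 6e  .1..Accept:.*/*..Cache-Con
000004E: 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65   3d 30 0d 0a 55 73 65 72 2d 41 67 65 6e  trol:.max-age=0..User-Agen
0000068: 74 3a 20 34 68 6f 63 58 66 7a 62 46 41   4f 6f 65 63 50 72 32 2f 54 76 6c 42 52  t:.4hocXfzbFAOoecPr2/TvlBR
0000082: 6a 46 67 34 72 48 55 64 56 77 41 41 41   41 41 0d 0a 48 6f 73 74 3a 20 6c 69 76  jFg4rHUdVwAAAAA..Host:.liv
000009C: 65 75 70 64 61 74 65 2e 73 79 6d 61 6e   74 65 63 6c 69 76 65 75 70 64 61 74 65  eupdate.symantecliveupdate
00000B6: 2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 74   69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69  .com..Connection:.Keep-Ali
00000D0: 76 65 0d 0a 0d 0a                                                                ve....
"""

# Hosts whose clients are known to send such agents (the one named in the post;
# an assumption standing in for a site-maintained list).
KNOWN_UPDATE_HOSTS = {"liveupdate.symantecliveupdate.com"}


def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from an xxd-style dump, stopping at the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        _offset, sep, rest = line.strip().partition(":")
        if not sep:
            continue                                   # blank or non-dump line
        for tok in rest.split():
            if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
                out.append(int(tok, 16))
            else:
                break                                  # first ASCII-column token
    return bytes(out)


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Request line plus a lower-cased header map; the body is not needed here."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def ua_begins_with_digit(headers: Dict[str, str]) -> bool:
    """Simplified stand-in for the rule's premise: a User-Agent that opens with a
    digit instead of a product token."""
    return headers.get("user-agent", "")[:1].isdigit()


def triage(raw: bytes) -> dict:
    """Re-check the premise, then apply the allowlist a tuning pass would add."""
    request_line, headers = parse_request(raw)
    matches = ua_begins_with_digit(headers)
    host = headers.get("host", "").lower()
    return {
        "request": request_line,
        "user_agent": headers.get("user-agent", ""),
        "host": host,
        "sig_matches": matches,
        "alert": matches and host not in KNOWN_UPDATE_HOSTS,
    }


if __name__ == "__main__":
    print(triage(parse_hexdump(LIVEUPDATE_DUMP)))
```

The production equivalent is a suppress entry in Suricata's threshold.config keyed on the update server (suppress gen_id 1, sig_id 2010697, track by_dst, ip <server>) rather than disabling the rule outright.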

 

 


Francis Trudeau | 20 Apr 23:40 2016

Daily Ruleset Update Summary 2016/04/20

 [***] Summary: [***]

 3 new Pro signatures, 27 new Pro (3 + 24).  MultiGrainPOS, Nuclear EK, Fareit/Pony.

 [+++]          Added rules:          [+++]

 Open:

  2022749 - ET TROJAN Win32/Agent.XST/UP007 Checkin 2 (trojan.rules)
  2022750 - ET TROJAN Win32/Agent.XST/UP007 Keepalive 2 (trojan.rules)
  2022751 - ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 20 2016 (current_events.rules)

 Pro:

  2816877 - ETPRO TROJAN MSIL/Sharik.il SSL Cert (trojan.rules)
  2819860 - ETPRO TROJAN MultiGrainPOS CnC over DNS (trojan.rules)
  2819861 - ETPRO TROJAN MultiGrainPOS Checkin (trojan.rules)
  2819862 - ETPRO TROJAN MultiGrainPOS Checkin (trojan.rules)
  2819863 - ETPRO MOBILE_MALWARE RemoteAdmin.AndroidOS.Omni.a Checkin (mobile_malware.rules)
  2819864 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Batmob.b Checkin (mobile_malware.rules)
  2819865 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Hiddad.v Checkin (mobile_malware.rules)
  2819866 - ETPRO MOBILE_MALWARE Android.Trojan.Downloader.CI Checkin (mobile_malware.rules)
  2819867 - ETPRO MOBILE_MALWARE Android/iBanking.bot Checkin 2 (mobile_malware.rules)
  2819868 - ETPRO TROJAN Bladabindi/njRat Variant CnC Checkin (trojan.rules)
  2819869 - ETPRO TROJAN Bladabindi/njRat Variant CnC Reply (trojan.rules)
  2819870 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.fm Checkin (mobile_malware.rules)
  2819871 - ETPRO TROJAN Fareit/Pony .onion Domain (trojan.rules)
  2819872 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
  2819873 - ETPRO TROJAN DiamondFox HTTP POST CnC Beacon 4 (trojan.rules)
  2819874 - ETPRO POLICY DNS Query to .onion proxy Domain (torclassik.li) (policy.rules)
  2819875 - ETPRO POLICY DNS Query to .onion proxy Domain (tortelevision.li) (policy.rules)
  2819876 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.aq Checkin (mobile_malware.rules)
  2819877 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Dowgin.d Checkin (mobile_malware.rules)
  2819878 - ETPRO MOBILE_MALWARE Adware.AndroidOS.Youmi.Startapp Checkin (mobile_malware.rules)
  2819879 - ETPRO MOBILE_MALWARE Android.HongTouTou Checkin 2 (mobile_malware.rules)
  2819880 - ETPRO CURRENT_EVENTS Nuclear EK Flash Version IE PostBack M1 Apr 20 2016 (current_events.rules)
  2819881 - ETPRO CURRENT_EVENTS Possible Nuclear EK IE PostBack M1 Apr 20 2016(fb set) (current_events.rules)
  2819882 - ETPRO CURRENT_EVENTS Possible Nuclear EK IE PostBack Response M1 Apr 20 2016 (current_events.rules)


 [///]     Modified active rules:     [///]

  2019401 - ET POLICY Vulnerable Java Version 1.8.x Detected (policy.rules)
  2022535 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (trojan.rules)
  2022738 - ET POLICY Windows Quicktime User-Agent EOL With Known Bugs (policy.rules)
  2809636 - ETPRO MOBILE_MALWARE Android/Locker.Q - SET (mobile_malware.rules)
  2810051 - ETPRO MOBILE_MALWARE Android/SMSAgent.Z Checkin (mobile_malware.rules)
  2810477 - ETPRO MOBILE_MALWARE Android/Locker.Q Response (mobile_malware.rules)
  2815401 - ETPRO TROJAN Send-Safe Enterprise Mailer UDP Beacon (trojan.rules)
  2816152 - ETPRO TROJAN Backdoor.Mizzmo CnC Beacon 2 (trojan.rules)
  2816763 - ETPRO TROJAN Ransomware/Cerber Checkin 2 (trojan.rules)
  2819807 - ETPRO CURRENT_EVENTS Redirect to Adobe Shared Document Phishing M1 Apr 15 (current_events.rules)
  2819808 - ETPRO CURRENT_EVENTS Redirect to Adobe Shared Document Phishing M2 Apr 15 (current_events.rules)
  2819809 - ETPRO CURRENT_EVENTS Redirect to Adobe Shared Document Phishing M3 Apr 15 (current_events.rules)
  2819810 - ETPRO CURRENT_EVENTS Adobe Shared Document Phishing Landing Apr 15 (current_events.rules)
  2819822 - ETPRO TROJAN Trojan/Win32.Miuref Posting Screenshot M1 (trojan.rules)
  2819823 - ETPRO TROJAN Unknown vbs Checkin M1 (trojan.rules)
  2819825 - ETPRO TROJAN Unknown vbs Checkin M3 (trojan.rules)


 [---]         Removed rules:         [---]

  2810855 - ETPRO MOBILE_MALWARE Android/Locker.Q Response 2 (mobile_malware.rules)
  2811372 - ETPRO MOBILE_MALWARE Android/Locker.Q Response 3 (mobile_malware.rules)
  2816877 - ETPRO POLICY MSIL/Sharik.il SSL Cert (policy.rules)

Rodgers, Anthony (DTMB | 18 Apr 13:24 2016

ET POLICY HotSpotShield Activity (1:2022342)

Can we take another look at this one:

 

POST / HTTP/1.1

Host: 54.220.227.29

Content-Type: multipart/form-data; boundary=AfPr0xY

User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:22.0; v:5.1.7) Gecko/20100101 Firefox/22.0

Content-Length: 609

 

--AfPr0xY

Content-Disposition: form-data; name=afu

 

IFF7A9C5F68BCF50AAE6245BBCD90CF12

--AfPr0xY

Content-Disposition: form-data; name=ce

 

1460952721

--AfPr0xY

Content-Disposition: form-data; name=ch

 

773

--AfPr0xY

Content-Disposition: form-data; name=ct

 

1460952721

--AfPr0xY

Content-Disposition: form-data; name=dt

 

1460952721

--AfPr0xY

Content-Disposition: form-data; name=nReqOrigin

 

1

--AfPr0xY

Content-Disposition: form-data; name=sdt

 

 

--AfPr0xY

Content-Disposition: form-data; name=t

 

1460952721

--AfPr0xY

Content-Disposition: form-data; name=ver

 

5.1.7

--AfPr0xY--

 

Seems to me that we should get rid of “content:"/hss-sdu.php"; http_uri;” – it’s not always present, and the rest of the sig is specific enough.

 

Thanks!

--

Anthony Rodgers

Security Analyst

Michigan Security Operations Center (MiSOC)

DTMB, Michigan Cyber Security
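As an added example, not the ET rule itself: Python that reassembles the request quoted above, parses its multipart/form-data body, and runs a candidate check both with and without the /hss-sdu.php URI clause, to show which form fires on this sample. The field-name set and the function names are my assumptions built from the sample, not the contents of sid 2022342.

```python
import re
from typing import Dict, List, Tuple

BOUNDARY = b"AfPr0xY"

# Field names seen in the sample; assumed here as the remaining anchors, not the
# actual contents of sid 2022342.
EXPECTED_FIELDS = {b"afu", b"ce", b"ch", b"ct", b"dt", b"nReqOrigin", b"sdt", b"t", b"ver"}

# The request quoted in the post, reassembled as bytes (CRLF line endings assumed).
HSS_POST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 54.220.227.29\r\n"
    b"Content-Type: multipart/form-data; boundary=AfPr0xY\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:22.0; v:5.1.7) Gecko/20100101 Firefox/22.0\r\n"
    b"Content-Length: 609\r\n\r\n"
    + b"".join(
        b"--AfPr0xY\r\nContent-Disposition: form-data; name=%s\r\n\r\n%s\r\n" % (n, v)
        for n, v in [(b"afu", b"IFF7A9C5F68BCF50AAE6245BBCD90CF12"), (b"ce", b"1460952721"),
                     (b"ch", b"773"), (b"ct", b"1460952721"), (b"dt", b"1460952721"),
                     (b"nReqOrigin", b"1"), (b"sdt", b""), (b"t", b"1460952721"),
                     (b"ver", b"5.1.7")]
    )
    + b"--AfPr0xY--\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Method, URI, lower-cased header map and raw body of one HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def multipart_fields(body: bytes, boundary: bytes) -> List[Tuple[bytes, bytes]]:
    """(name, value) pairs of a multipart/form-data body, in wire order."""
    fields: List[Tuple[bytes, bytes]] = []
    for part in body.split(b"--" + boundary):
        part = part.lstrip(b"\r\n")
        if not part or part.startswith(b"--"):          # preamble / closing marker
            continue
        hdr, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="?([^";\r\n]+)', hdr)
        if m:
            fields.append((m.group(1), value.rstrip(b"\r\n")))
    return fields


def hss_match(raw: bytes, require_uri: bool) -> bool:
    """Candidate check for this check-in; require_uri keeps the
    content:"/hss-sdu.php"; http_uri; clause the post proposes dropping."""
    method, uri, headers, body = parse_request(raw)
    if method != "POST":
        return False
    if require_uri and "/hss-sdu.php" not in uri:
        return False
    ctype = headers.get("content-type", "")
    if "multipart/form-data" not in ctype or b"boundary=" + BOUNDARY not in ctype.encode():
        return False
    names = {name for name, _ in multipart_fields(body, BOUNDARY)}
    return EXPECTED_FIELDS <= names


if __name__ == "__main__":
    print("with URI clause:", hss_match(HSS_POST, require_uri=True))
    print("without URI clause:", hss_match(HSS_POST, require_uri=False))
```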

 

