Francis Trudeau | 1 Jul 00:01 2016

Daily Ruleset Update Summary 2016/06/30

 [***] Summary: [***]

 8 new Open signatures, 12 new Pro (8 + 4).  Symantec vulns, Dridex, WildFire.

 Thanks:  Kevin Ross.

 [+++]          Added rules:          [+++]

 Open:

  2022929 - ET TROJAN Win32/Satana Ransomware Checkin (trojan.rules)
  2022930 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing
Buffer Overflow (exploit.rules)
  2022932 - ET EXPLOIT Possible Symantec Malicious MIME Doc Name
Overflow (EICAR) toclient M2 (exploit.rules)
  2022933 - ET EXPLOIT Possible Symantec Malicious MIME Doc Name
Overflow (EICAR) toclient M1 (exploit.rules)
  2022935 - ET EXPLOIT Possible Symantec Malicious MIME Doc Name
Overflow (EICAR) toserver M3 (exploit.rules)
  2022936 - ET EXPLOIT Possible Symantec Malicious MIME Doc Name
Overflow (EICAR) toclient M4 (exploit.rules)
  2022937 - ET EXPLOIT Possible Symantec Malicious MIME Doc Name
Overflow (EICAR) toclient M3 (exploit.rules)
  2022938 - ET EXPLOIT Possible Symantec Malicious MIME Doc Name
Overflow (EICAR) toserver M4 (exploit.rules)

 Pro:

  2820942 - ETPRO TROJAN WildFire Locker CnC Activity (trojan.rules)
  2820943 - ETPRO TROJAN PoisonIvy Keepalive to CnC 438 (trojan.rules)

Kevin Ross | 30 Jun 10:28 2016

SIG: ET TROJAN W32/Satana.Ransomware Ransomware CnC Beacon

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Satana.Ransomware Ransomware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/add.php"; http_uri; depth:8; content:!"Referer|3A|"; http_header; content:"id="; http_client_body; depth:3; content:"&code="; http_client_body; distance:0; content:"&sdata="; http_client_body; distance:0; content:"&name="; http_client_body; distance:0; content:"&md5="; http_client_body; distance:0; content:"&dlen="; http_client_body; distance:0; classtype:trojan-activity; reference:url,blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/; reference:md5,d236fcc8789f94f085137058311e848b; sid:171441; rev:1;)

Kind Regards,
Kevin Ross

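To make the match logic of the posted rule concrete, the following Python illustration (added here; not part of the original post or the ET ruleset) evaluates the same method, URI, negated header and ordered client-body checks, reproducing the depth and distance:0 semantics on a parsed request. The sample requests and field values in the test are constructed, not captured traffic.

```python
"""Added illustration of the content checks in the posted Satana CnC
beacon rule. Not ET code; sample requests used with it are constructed."""


def find_ordered(buf, needles, depth_first=None):
    """Emulate a chain of content matches on one sticky buffer.

    The first needle is constrained by ``depth_first`` (the match must end
    within the first N bytes, as Suricata's ``depth`` keyword); every later
    needle behaves as ``distance:0``, i.e. it must start at or after the end
    of the previous match. Returns True only if the whole chain matches.
    """
    pos = 0
    for i, needle in enumerate(needles):
        if i == 0 and depth_first is not None:
            idx = buf[:depth_first].find(needle)
        else:
            idx = buf.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def matches_satana_beacon(method, uri, headers, body):
    """Apply the rule's checks to one request (all arguments are bytes).

    - http_method: POST
    - http_uri: "/add.php" within depth 8, so the URI must start with it
    - http_header: no "Referer:" present (negated content match)
    - http_client_body: "id=" within depth 3, then "&code=", "&sdata=",
      "&name=", "&md5=", "&dlen=" in that order (distance:0 chain)
    """
    if method != b"POST":
        return False
    if not find_ordered(uri, [b"/add.php"], depth_first=8):
        return False
    if b"Referer:" in headers:
        return False
    fields = [b"id=", b"&code=", b"&sdata=", b"&name=", b"&md5=", b"&dlen="]
    return find_ordered(body, fields, depth_first=3)


if __name__ == "__main__":
    # Constructed request shaped like the rule describes; values are dummies.
    hdrs = b"Host: cnc.example.invalid\r\nUser-Agent: x\r\n"
    body = b"id=1&code=2&sdata=3&name=4&md5=5&dlen=6"
    print(matches_satana_beacon(b"POST", b"/add.php", hdrs, body))
```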
Francis Trudeau | 30 Jun 00:21 2016

Daily Ruleset Update Summary 2016/06/29

 [***] Summary: [***]

 6 new Open signatures, 38 new Pro.  CVE-2016-2209, Zeus Panda, WildFire Locker.

 [+++]          Added rules:          [+++]

 Open:

  2022923 - ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint
Parsing Buffer Overflow M1 (exploit.rules)
  2022924 - ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint
Parsing Buffer Overflow M2 (exploit.rules)
  2022925 - ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29
M1 (current_events.rules)
  2022926 - ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29
M2 (current_events.rules)
  2022927 - ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29
M3 (current_events.rules)
  2022928 - ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29
M4 (current_events.rules)

 Pro:

  2820910 - ETPRO MALWARE Win32/Obfuscated.NGJ PUA/Adware Checkin
Activity M1 (malware.rules)
  2820911 - ETPRO MALWARE Win32/Obfuscated.NGJ PUA/Adware Checkin
Activity M2 (malware.rules)
  2820912 - ETPRO MALWARE Win32/Obfuscated.NGJ PUA/Adware Checkin
Activity M3 (malware.rules)
  2820913 - ETPRO MALWARE Win32/Obfuscated.NGJ PUA/Adware Checkin
Activity M4 (malware.rules)
  2820914 - ETPRO MALWARE Win32/Obfuscated.NGJ PUA/Adware Checkin
Activity M5 (malware.rules)
  2820915 - ETPRO MALWARE Win32/Obfuscated.NGJ PUA/Adware Checkin
Activity M6 (malware.rules)
  2820916 - ETPRO MALWARE Win32/Obfuscated.NGJ PUA/Adware Checkin
Activity M7 (malware.rules)
  2820917 - ETPRO MALWARE Win32/Obfuscated.NGJ PUA/Adware Checkin
Activity M8 (malware.rules)
  2820918 - ETPRO MALWARE Win32/Obfuscated.NGJ PUA/Adware Checkin
Activity M9 (malware.rules)
  2820919 - ETPRO MALWARE Win32/Obfuscated.NGJ PUA/Adware Report
Checkin (malware.rules)
  2820920 - ETPRO INFO Data Submitted to ukit domain - Possible
Phishing M1 (info.rules)
  2820921 - ETPRO INFO Data Submitted to ukit domain - Possible
Phishing M2 (info.rules)
  2820922 - ETPRO CURRENT_EVENTS Phishing Landing via udo.photo (set)
Jun 28 (current_events.rules)
  2820923 - ETPRO CURRENT_EVENTS Phishing Landing via udo.photo Jun 28
M1 (current_events.rules)
  2820924 - ETPRO CURRENT_EVENTS Phishing Landing via udo.photo Jun 28
M2 (current_events.rules)
  2820925 - ETPRO CURRENT_EVENTS Phishing Landing via ulcraft.com
(set) Jun 28 (current_events.rules)
  2820926 - ETPRO CURRENT_EVENTS Phishing Landing via ulcraft.com Jun
28 M1 (current_events.rules)
  2820927 - ETPRO CURRENT_EVENTS Phishing Landing via biennale.info
(set) Jun 28 (current_events.rules)
  2820928 - ETPRO CURRENT_EVENTS Phishing Landing via biennale.info
Jun 28 M1 (current_events.rules)
  2820929 - ETPRO CURRENT_EVENTS Phishing Landing via biennale.info
Jun 28 M2 (current_events.rules)
  2820930 - ETPRO CURRENT_EVENTS Phishing Landing via topstyle.me
(set) Jun 28 (current_events.rules)
  2820931 - ETPRO CURRENT_EVENTS Phishing Landing via topstyle.me Jun
28 M1 (current_events.rules)
  2820932 - ETPRO CURRENT_EVENTS Phishing Landing via topstyle.me Jun
28 M2 (current_events.rules)
  2820933 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate
Detected (trojan.rules)
  2820934 - ETPRO TROJAN Win32/Satana Ransomware Checkin (trojan.rules)
  2820935 - ETPRO MOBILE_MALWARE Android/Agent.UH Checkin (mobile_malware.rules)
  2820936 - ETPRO TROJAN Ransomware WildFire Locker .onion Payment
Domain (gsxrmcgsygcxfkbb) (trojan.rules)
  2820937 - ETPRO TROJAN PoisonIvy Keepalive to CnC 436 (trojan.rules)
  2820938 - ETPRO TROJAN PoisonIvy Keepalive to CnC 437 (trojan.rules)
  2820939 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.VL
Checkin (mobile_malware.rules)
  2820940 - ETPRO MALWARE Win32/Unknown Reporting Clickfraud (malware.rules)
  2820941 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Acecard.m
.Onion Proxy (mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2018389 - ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted
Request Method 3 (Inbound to Common SSL Port) (current_events.rules)
  2815487 - ETPRO MOBILE_MALWARE Android OIMobi Checkin 5 (mobile_malware.rules)
Jose Vila | 29 Jun 08:50 2016

Problem with 2018389

Hello all,

I've noticed there's a mismatch between the actual rule in the ruleset and the documentation on the wiki. Doc shows revision 3 but in the ruleset you have revision 2:
http://doc.emergingthreats.net/2018389

I think I'm having the same problem of FP as stated in the doc.

Can you please check it, and modify the rule if needed?

Regards,

Jose.
Francis Trudeau | 29 Jun 02:30 2016

Daily Ruleset Update Summary 2016/06/28

 [***] Summary: [***]

 10 new Pro signatures.  TowerWeb / Anonpop, DarkComet.

 [+++]          Added rules:          [+++]

  2820900 - ETPRO MALWARE Win32/AdWare.CNBTech.D Reporting Install
(malware.rules)
  2820901 - ETPRO TROJAN TowerWeb/Anonpop Ransomware Image Download
(trojan.rules)
  2820902 - ETPRO TROJAN Unknown CnC Checkin (trojan.rules)
  2820903 - ETPRO TROJAN Unknown CnC POST (trojan.rules)
  2820904 - ETPRO TROJAN MSIL/DarkComet Checking External IP Address
(trojan.rules)
  2820905 - ETPRO INFO Data Submitted to MyFreeSites.com - Possible
Phishing (info.rules)
  2820906 - ETPRO CURRENT_EVENTS Successful ATT Mobile Phish Jun 28
(current_events.rules)
  2820907 - ETPRO CURRENT_EVENTS Successful Outlook Web App (OWA)
Phish Jun 28 (current_events.rules)
  2820908 - ETPRO TROJAN PoisonIvy Keepalive to CnC 434 (trojan.rules)
  2820909 - ETPRO TROJAN PoisonIvy Keepalive to CnC 435 (trojan.rules)

 [///]     Modified active rules:     [///]

  2018518 - ET TROJAN Trojan.Win32.VBKrypt.cugq/Umbra Checkin (trojan.rules)
  2811491 - ETPRO TROJAN Java/Jacksbot CnC Beacon (trojan.rules)

 [---]         Removed rules:         [---]

  2811312 - ETPRO TROJAN Win32/Ziploader Downloading Zip SET (trojan.rules)
  2811313 - ETPRO TROJAN Win32/Ziploader Downloading Zip Server
Response (trojan.rules)
Francis Trudeau | 27 Jun 23:21 2016

Daily Ruleset Update Summary 2016/06/27

 [***] Summary: [***]

 6 new Open signatures, 27 new Pro (6 + 21).  Locky, Filecoder, Zeus
Panda Banker.

 Thanks:  @abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2022917 - ET TROJAN Ransomware Locky .onion Payment Domain
(mphtadhci5mrdlju) (trojan.rules)
  2022918 - ET INFO DYNAMIC_DNS Query to *.duckdns. Domain (info.rules)
  2022919 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
Certificate Detected (Malware C2) (trojan.rules)
  2022920 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
Certificate Detected (Gootkit C2) (trojan.rules)
  2022921 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
Certificate Detected (Malware C2) (trojan.rules)
  2022922 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL
Certificate Detected (H1N1 C2) (trojan.rules)

 Pro:

  2820872 - ETPRO MOBILE_MALWARE Android/Spy.Agent.SC Checkin
(mobile_malware.rules)
  2820873 - ETPRO TROJAN Possible Win32/TrojanDownloader.IndigoRose.R
Downloading EXE (exe from IDNA domain and .su) (trojan.rules)
  2820874 - ETPRO TROJAN Zeus Variant CnC SSL Cert (trojan.rules)
  2820875 - ETPRO TROJAN Win32/QQpass.A Checkin (trojan.rules)
  2820876 - ETPRO TROJAN Unknown CnC Checkin (trojan.rules)
  2820877 - ETPRO CURRENT_EVENTS Successful Amazon.com Phish Jun 27 M1
(current_events.rules)
  2820878 - ETPRO CURRENT_EVENTS Successful Amazon.com Phish Jun 27 M2
(current_events.rules)
  2820879 - ETPRO CURRENT_EVENTS Mailbox Upgrade Phishing Landing Jun
27 (current_events.rules)
  2820880 - ETPRO CURRENT_EVENTS Successful Mailbox Upgrade Phish Jun
27 M1 (current_events.rules)
  2820881 - ETPRO CURRENT_EVENTS Successful Mailbox Upgrade Phish Jun
27 M2 (current_events.rules)
  2820882 - ETPRO CURRENT_EVENTS Successful Avast Email Virus Phish
Jun 27 (current_events.rules)
  2820883 - ETPRO TROJAN PoisonIvy Keepalive to CnC 429 (trojan.rules)
  2820884 - ETPRO TROJAN PoisonIvy Keepalive to CnC 430 (trojan.rules)
  2820885 - ETPRO TROJAN PoisonIvy Keepalive to CnC 431 (trojan.rules)
  2820886 - ETPRO TROJAN PoisonIvy Keepalive to CnC 432 (trojan.rules)
  2820887 - ETPRO TROJAN PoisonIvy Keepalive to CnC 433 (trojan.rules)
  2820888 - ETPRO MOBILE_MALWARE Android/Agent.YB Checkin (mobile_malware.rules)
  2820889 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Cloudatlas.a Checkin
(mobile_malware.rules)
  2820890 - ETPRO MALWARE MSIL/Toolbar.Linkury PUP External IP Address
Check (malware.rules)
  2820895 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate
Detected (trojan.rules)
  2820897 - ETPRO TROJAN Win32/Filecoder Ransomware Variant .onion
Proxy Domain (trojan.rules)

 [+++]  Enabled and modified rules:   [+++]

  2820557 - ETPRO CURRENT_EVENTS Suspicious Compound Refresh -
Possible Phishing Redirect Jun 9 (current_events.rules)

 [///]     Modified active rules:     [///]

  2008975 - ET TROJAN Suspicious Malformed Double Accept Header (trojan.rules)
  2816403 - ETPRO TROJAN Win32/Evotob.B Variant Checkin Response (trojan.rules)

 [---]         Removed rules:         [---]

  2815775 - ETPRO TROJAN Win32/Micrass.B Checkin (trojan.rules)
Francis Trudeau | 24 Jun 23:04 2016

Daily Ruleset Update Summary 2016/06/24

 [***] Summary: [***]

 1 new Open signature, 23 new Pro (1 + 22).  Job314/Neutrino,
PoisonIvy, VARIOUS PHISHING.

 Thanks:  @Briz0lator.

 [+++]          Added rules:          [+++]

 Open:

  2022915 - ET INFO Web Proxy Auto Discovery Protocol WPAD DHCP 252
option Possible BadTunnel (info.rules)

 Pro:

  2820849 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing
June 11 2016 M2 (current_events.rules)
  2820850 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing
June 11 2016 M3 (current_events.rules)
  2820851 - ETPRO CURRENT_EVENTS Possible Neutrino Landing Landing URI
Struct (fb set) (current_events.rules)
  2820852 - ETPRO CURRENT_EVENTS Job314/Neutrino Reboot EK Landing
June 11 2016 M4 (with URI Primer) (current_events.rules)
  2820853 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Luckycat.c Checkin
(mobile_malware.rules)
  2820854 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite . com
(set) Jun 24 (current_events.rules)
  2820855 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite . com
Jun 24 M1 (current_events.rules)
  2820856 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite . com
Jun 24 M2 (current_events.rules)
  2820857 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite . com
Jun 24 M3 (current_events.rules)
  2820858 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite . com
Jun 24 M4 (current_events.rules)
  2820859 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite . com
Jun 24 M5 (current_events.rules)
  2820860 - ETPRO CURRENT_EVENTS Phishing Landing via yolasite . com
Jun 24 M6 (current_events.rules)
  2820861 - ETPRO CURRENT_EVENTS Possible Phishing Data Submitted to
yolasite . com (current_events.rules)
  2820862 - ETPRO TROJAN PoisonIvy Keepalive to CnC 427 (trojan.rules)
  2820863 - ETPRO TROJAN PoisonIvy Keepalive to CnC 428 (trojan.rules)
  2820864 - ETPRO TROJAN Malicious SSL certificate detected
(Rockloader) (trojan.rules)
  2820865 - ETPRO POLICY DNS Query to .onion proxy Domain (305iot .
win) (policy.rules)
  2820866 - ETPRO POLICY DNS Query to .onion proxy Domain (djre89 .
win) (policy.rules)
  2820867 - ETPRO POLICY DNS Query to .onion proxy Domain (fkri48 .
win) (policy.rules)
  2820868 - ETPRO POLICY DNS Query to .onion proxy Domain (45tori .
win) (policy.rules)
  2820869 - ETPRO POLICY DNS Query to .onion proxy Domain (xmfjr7 .
top) (policy.rules)
  2820870 - ETPRO CURRENT_EVENTS Successful Amex Phish Jun 24
(current_events.rules)

 [///]     Modified active rules:     [///]

  2820675 - ETPRO TROJAN Goopic Ransomware User Agent (trojan.rules)
  2820676 - ETPRO TROJAN Goopic Ransomware Checkin (trojan.rules)
Francis Trudeau | 24 Jun 01:11 2016

Daily Ruleset Update Summary 2016/06/23

 [***] Summary: [***]

 2 new Open signatures, 15 new Pro (2 + 13).  Wbmoney, Sundown EK,
VARIOUS PHISHING.

 [+++]          Added rules:          [+++]

 Open:

  2022913 - ET INFO WinHttp AutoProxy Request wpad.dat Possible
BadTunnel (info.rules)
  2022914 - ET INFO NBNS Name Query Response Possible WPAD Spoof
BadTunnel (info.rules)

 Pro:

  2820836 - ETPRO TROJAN W32/Unknown Stealer Sending Passwords (trojan.rules)
  2820837 - ETPRO TROJAN W32/Wbmoney Checkin (trojan.rules)
  2820838 - ETPRO MOBILE_MALWARE ANDROIDOS_ROOTNIK.CBTCT / Godless
Checkin (mobile_malware.rules)
  2820839 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2016-06-22 1) (trojan.rules)
  2820840 - ETPRO CURRENT_EVENTS SunDown EK Flash Exploit M2 June 20
2016 (current_events.rules)
  2820841 - ETPRO CURRENT_EVENTS SunDown EK Landing June 21 2016 M1
(current_events.rules)
  2820842 - ETPRO INFO HTML-Encoder HTML Obfuscation (info.rules)
  2820843 - ETPRO CURRENT_EVENTS Shipping Document Phishing Landing
Jun 23 (current_events.rules)
  2820844 - ETPRO CURRENT_EVENTS Successful AT&T Webmail Phish Jun 23
(current_events.rules)
  2820845 - ETPRO CURRENT_EVENTS Successful Microsoft Encrypted Email
Phish Jun 23 M2 (current_events.rules)
  2820846 - ETPRO CURRENT_EVENTS Microsoft Encrypted Email Phishing
Landing Jun 23 (current_events.rules)
  2820847 - ETPRO CURRENT_EVENTS Successful Standard Bank Phish Jun 23
(current_events.rules)
  2820848 - ETPRO TROJAN Win32/TrojanDownloader.IndigoRose.R
Downloading EXE (trojan.rules)

 [///]     Modified active rules:     [///]

  2808948 - ETPRO TROJAN Trojan/Woool.c Checkin (trojan.rules)
  2814126 - ETPRO CURRENT_EVENTS Successful Vmware/Zimbra Phish Sept
28 (current_events.rules)
  2815244 - ETPRO CURRENT_EVENTS Successful Wildblue/CenturyLink Phish
Dec 8 (current_events.rules)
  2820756 - ETPRO CURRENT_EVENTS SunDown EK Payload June 20 2016 M2
(current_events.rules)
Francis Trudeau | 23 Jun 00:55 2016

Daily Ruleset Update Summary 2016/06/22

 [***] Summary: [***]

 4 new Open signatures, 40 new Pro (4 + 36).  Neshta, Bladabindi /
njRAT, Banload.

 [+++]          Added rules:          [+++]

 Open:

  2022909 - ET CURRENT_EVENTS Evil Redirect Leading to EK Jun 22 2016
M1 (current_events.rules)
  2022910 - ET CURRENT_EVENTS Evil Redirect Leading to EK Jun 22 2016
M2 (current_events.rules)
  2022911 - ET MALWARE LoadMoney User-Agent (malware.rules)
  2022912 - ET WEB_SERVER Apache Continuum Arbitrary Command Execution
(web_server.rules)

 Pro:

  2820795 - ETPRO TROJAN Backdoor.Win32.Androm.jufj .onion Proxy
Domain (trojan.rules)
  2820801 - ETPRO CURRENT_EVENTS Possible barclays.co.uk Phishing
Domain Jun 22 (current_events.rules)
  2820802 - ETPRO CURRENT_EVENTS Successful Singtel Phish Jun 22
(current_events.rules)
  2820803 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Jun
22 (current_events.rules)
  2820804 - ETPRO CURRENT_EVENTS Phishing Landing via Weebly.com June
21 (current_events.rules)
  2820805 - ETPRO CURRENT_EVENTS Email Termination Phishing Landing
Jun 22 (current_events.rules)
  2820806 - ETPRO CURRENT_EVENTS Successful Email Termination Phish
Jun 22 (current_events.rules)
  2820807 - ETPRO CURRENT_EVENTS H&M Revenue Phishing Landing Jun 22
(current_events.rules)
  2820808 - ETPRO CURRENT_EVENTS Successful H&M Revenue Phish Jun 22
M1 (current_events.rules)
  2820809 - ETPRO CURRENT_EVENTS Successful H&M Revenue Phish Jun 22
M2 (current_events.rules)
  2820810 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website
(set) Jun 21 (current_events.rules)
  2820811 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website
Jun 21 M1 (current_events.rules)
  2820812 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website
Jun 21 M2 (current_events.rules)
  2820813 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website
Jun 21 M3 (current_events.rules)
  2820814 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website
Jun 21 M4 (current_events.rules)
  2820815 - ETPRO CURRENT_EVENTS Phishing Landing via my-free.website
Jun 21 M5 (current_events.rules)
  2820816 - ETPRO INFO Data Submitted to my-free.website - Possible
Phishing (info.rules)
  2820817 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
Injects) (trojan.rules)
  2820818 - ETPRO POLICY DNS Query to .onion proxy Domain (dkrti5.win)
(policy.rules)
  2820819 - ETPRO POLICY DNS Query to .onion proxy Domain (vmfu48.win)
(policy.rules)
  2820820 - ETPRO POLICY DNS Query to .onion proxy Domain (gkfit9.win)
(policy.rules)
  2820821 - ETPRO POLICY DNS Query to .onion proxy Domain (cneo59.win)
(policy.rules)
  2820822 - ETPRO POLICY DNS Query to .onion proxy Domain (onion.rip)
(policy.rules)
  2820823 - ETPRO POLICY DNS Query to .onion proxy Domain (xmfir0.win)
(policy.rules)
  2820824 - ETPRO TROJAN Win32/Neshta.A CnC Checkin M1 (set) (trojan.rules)
  2820825 - ETPRO TROJAN Win32/Neshta.A CnC Checkin M1 (trojan.rules)
  2820826 - ETPRO TROJAN Win32/Neshta.A CnC Checkin M2 (set) (trojan.rules)
  2820827 - ETPRO TROJAN Win32/Neshta.A CnC Checkin M2 (trojan.rules)
  2820828 - ETPRO TROJAN Bladabindi/njRAT Variant CnC Checkin (trojan.rules)
  2820829 - ETPRO MALWARE MSIL/PUP.Wizzcaster Adware Checkin (malware.rules)
  2820830 - ETPRO TROJAN W32/Banload Variant Connectivity Check (trojan.rules)
  2820831 - ETPRO CURRENT_EVENTS Successful Webmail Phish Jun 22 M1
(current_events.rules)
  2820832 - ETPRO CURRENT_EVENTS Webmail Phishing Landing Jun 22
(current_events.rules)
  2820833 - ETPRO CURRENT_EVENTS Successful Webmail Phish Jun 22 M2
(current_events.rules)
  2820834 - ETPRO CURRENT_EVENTS Successful Webmail Phish Jun 22 M3
(current_events.rules)
  2820835 - ETPRO INFO Suspicious Redirect to Recursive PHP - Possible
Phishing (info.rules)

 [///]     Modified active rules:     [///]

  2011341 - ET TROJAN Suspicious POST to WINDOWS Folder Possible
Malware Infection (trojan.rules)
Francis Trudeau | 22 Jun 00:51 2016

Daily Ruleset Update Summary 2016/06/21

 [***] Summary: [***]

 2 new Open signatures, 42 new Pro (2 + 40).  Sundown EK, RumbleCrypt,
DiamondFox.

 Thanks:  @abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2022907 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL Certificate
Detected (Sinkhole) (trojan.rules)
  2022908 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL Certificate
Detected (Sinkhole) (trojan.rules)

 Pro:

  2820755 - ETPRO CURRENT_EVENTS Sundown EK Payload June 20 2016 M1
(current_events.rules)
  2820756 - ETPRO CURRENT_EVENTS SunDown EK Payload June 20 2016 M2
(current_events.rules)
  2820757 - ETPRO TROJAN APT SWC PluginDetect/Evercookie DNS Lookup
(trojan.rules)
  2820758 - ETPRO TROJAN APT SWC PluginDetect/Evercookie DNS Lookup
(trojan.rules)
  2820759 - ETPRO TROJAN APT SWC PluginDetect/Evercookie DNS Lookup
(trojan.rules)
  2820760 - ETPRO TROJAN APT SWC PluginDetect/Evercookie DNS Lookup
(trojan.rules)
  2820761 - ETPRO TROJAN RumbleCrypt Ransomware .onion Proxy Domain
(trojan.rules)
  2820762 - ETPRO CURRENT_EVENTS Possible Amazon Phishing Domain Jun
20 (current_events.rules)
  2820763 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
  2820764 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
  2820765 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
  2820766 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
  2820767 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
  2820768 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
  2820769 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
  2820770 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
  2820771 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
  2820772 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
  2820773 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
  2820774 - ETPRO TROJAN Known Malicious Ethereum Traffic (trojan.rules)
  2820775 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro
Jun 21 2016 T1 (current_events.rules)
  2820776 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro
Jun 21 2016 T2 (current_events.rules)
  2820777 - ETPRO TROJAN W32/Trojan.Offend Checkin (trojan.rules)
  2820778 - ETPRO TROJAN PoisonIvy Keepalive to CnC 426 (trojan.rules)
  2820779 - ETPRO TROJAN APT SWC Redirected Request June 21 2016 (trojan.rules)
  2820780 - ETPRO TROJAN APT SWC Redirected Request June 21 2016 (trojan.rules)
  2820781 - ETPRO TROJAN Possible APT SWC Redirecting to
PluginDetect/Evercookie Landing June 21 2016 (trojan.rules)
  2820782 - ETPRO CURRENT_EVENTS APT SWC Redirected
PluginDetect/Evercookie Landing June 21 2016 (current_events.rules)
  2820783 - ETPRO TROJAN RumbleCrypt Ransomware Domain in SNI (trojan.rules)
  2820784 - ETPRO TROJAN RumbleCrypt SSL Cert (trojan.rules)
  2820785 - ETPRO TROJAN Syscan Tool Results Upload (trojan.rules)
  2820786 - ETPRO TROJAN DiamondFox HTTP POST CnC Beacon 5 (trojan.rules)
  2820787 - ETPRO TROJAN DiamondFox HTTP POST CnC Response (trojan.rules)
  2820788 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.MG Checkin
(mobile_malware.rules)
  2820789 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
Injects) (trojan.rules)
  2820790 - ETPRO TROJAN Malicious SSL certificate detected (Gootkit
Injects) (trojan.rules)
  2820791 - ETPRO TROJAN Ursnif Injects Domain in SNI (trojan.rules)
  2820792 - ETPRO TROJAN Ursnif Injects Domain in SNI (trojan.rules)
  2820793 - ETPRO TROJAN Ursnif Injects Domain in SNI (trojan.rules)
  2820794 - ETPRO TROJAN Ursnif Injects Domain in SNI (trojan.rules)

 [///]     Modified active rules:     [///]

  2012892 - ET TROJAN JKDDOS Bot CnC Phone Home Message (trojan.rules)
  2811723 - ETPRO CURRENT_EVENTS APT SWC Redirected Request June 29
2015 (current_events.rules)
  2811724 - ETPRO CURRENT_EVENTS APT SWC Redirected PluginDetect
Landing June 29 2015 (current_events.rules)
  2820126 - ETPRO WEB_CLIENT Possible Adobe Reader (CVE-2016-1041)
(web_client.rules)
  2820153 - ETPRO WEB_CLIENT Possible Adobe Acrobat Reader
(CVE-2016-1086) (web_client.rules)
  2820175 - ETPRO TROJAN Possible Ruckguv Module Download (trojan.rules)

 [///]    Modified inactive rules:    [///]

  2019417 - ET CURRENT_EVENTS excessive fatal alerts (possible POODLE
attack against client) (current_events.rules)
Francis Trudeau | 21 Jun 02:37 2016

Daily Ruleset Update Summary 2016/06/20

 [***] Summary: [***]

 1 new Open signature, 19 new Pro (1 + 18).  Farfli RAT, Agent_Tesla, Magnitude.

 Thanks:  Russel Fulton.

 [+++]          Added rules:          [+++]

 Open:

  2022906 - ET TROJAN Unknown Ransomware Landing Page (trojan.rules)

 Pro:

  2820736 - ETPRO TROJAN W32/Farfli RAT Variant Checkin (trojan.rules)
  2820737 - ETPRO TROJAN Omaneat .onion Proxy Domain (trojan.rules)
  2820738 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
Injects) (trojan.rules)
  2820739 - ETPRO TROJAN Malicious SSL certificate detected (Ursnif
Injects) (trojan.rules)
  2820740 - ETPRO TROJAN PoisonIvy Keepalive to CnC 423 (trojan.rules)
  2820741 - ETPRO TROJAN PoisonIvy Keepalive to CnC 424 (trojan.rules)
  2820742 - ETPRO TROJAN PoisonIvy Keepalive to CnC 425 (trojan.rules)
  2820743 - ETPRO TROJAN Unknown Ransomware Ransom Image Download (trojan.rules)
  2820744 - ETPRO MOBILE_MALWARE Android/Agent.WI Checkin (mobile_malware.rules)
  2820745 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.Toreoc.a Checkin
(mobile_malware.rules)
  2820747 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.SC
Checkin (mobile_malware.rules)
  2820748 - ETPRO TROJAN Agent_Tesla Exfil via FTP (trojan.rules)
  2820749 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.kb
Checkin (mobile_malware.rules)
  2820750 - ETPRO TROJAN Possible Gootkit CnC Domain in SNI (trojan.rules)
  2820751 - ETPRO TROJAN Malicious SSL Certificate Detected (Gootkit
C2) (trojan.rules)
  2820752 - ETPRO TROJAN Malicious SSL Certificate Detected (Gootkit
C2) (trojan.rules)
  2820753 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.fz
Checkin (mobile_malware.rules)
  2820754 - ETPRO CURRENT_EVENTS Magnitude EK Landing Jun 20 2016
(current_events.rules)

 [///]     Modified active rules:     [///]

  2814068 - ETPRO TROJAN XCodeGhost Beacon (trojan.rules)

 [---]         Removed rules:         [---]

  2816611 - ETPRO CURRENT_EVENTS American Express Phishing Landing Mar
10 (current_events.rules)
  2820606 - ETPRO EXPLOIT Win32k Privilege Elevation Vuln
(CVE-2016-3221 1) (exploit.rules)
