Leonard Jacobs | 23 May 00:53 2015

What is causing the flood of events

What is causing “TROJAN DNS Reply Sinkhole - Microsoft - 131.253.18.0/24” to flood?

 

Thanks.

Leonard

Francis Trudeau | 22 May 23:52 2015

Daily Ruleset Update Summary 2015/05/22

 [***] Summary: [***]

 6 new Open signatures, 23 new Pro (6 + 17).  H1N1, DNSChanger,
Upatre, WordPress Symposium SQLi.

 Thanks:  Mike Worth, @rmkml and @kafeine.

 [+++]          Added rules:          [+++]

 Open:

  2021138 - ET WEB_SERVER ElasticSearch Directory Traversal Attempt
(CVE-2015-3337) (web_server.rules)
  2021139 - ET TROJAN H1N1 Loader CnC Beacon M1 (trojan.rules)
  2021140 - ET TROJAN H1N1 Loader CnC Beacon M2 (trojan.rules)
  2021141 - ET CURRENT_EVENTS DNSChanger EK Landing URI Struct May 22
2015 (current_events.rules)
  2021142 - ET TROJAN Win32/Bancos URL Structure (trojan.rules)
  2021143 - ET TROJAN MSIL/Autorun.AD Checkin (trojan.rules)

 Pro:

  2811064 - ETPRO TROJAN Win32/Blacked.dropper CnC Beacon (trojan.rules)
  2811065 - ETPRO MALWARE PUP Win32/Instally.A CnC Beacon (malware.rules)
  2811066 - ETPRO WEB_SPECIFIC_APPS WP Symposium Plugin 1.4 SQLi
Attempt (web_specific_apps.rules)
  2811067 - ETPRO MALWARE Win32/Adware.Odyssey.A CnC Beacon (malware.rules)
  2811068 - ETPRO TROJAN Win32/Jukbot.B CnC Beacon (trojan.rules)
  2811069 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.AAJ Checkin
(mobile_malware.rules)
  2811070 - ETPRO MOBILE_MALWARE Android.Trojan.MemPoDroid.A Checkin
(mobile_malware.rules)
  2811071 - ETPRO MALWARE PUP Win32/MediaMagnet.AP CnC Beacon (malware.rules)
  2811072 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.IB Checkin
(mobile_malware.rules)
  2811073 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(49405000) (trojan.rules)
  2811074 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(youguqm.yougu) (trojan.rules)
  2811075 - ETPRO POLICY DNS Query to .onion proxy Domain
(djismrkcida45.com) (policy.rules)
  2811076 - ETPRO TROJAN Upatre SSL Cert (trojan.rules)
  2811077 - ETPRO TROJAN Win32/Banload.BBG Dropping EXE (trojan.rules)
  2811078 - ETPRO MOBILE_MALWARE Android/Haynu.A Checkin (mobile_malware.rules)
  2811079 - ETPRO TROJAN Win32/Virut.BN Dropper HTTP Request (trojan.rules)
  2811080 - ETPRO TROJAN Win32/Banmailo.A Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

 [---]         Removed rules:         [---]

  2810771 - ETPRO POLICY DNS Query to .onion proxy Domain
(7hwr34n18.com) (policy.rules)
  2810827 - ETPRO POLICY DNS Query to .onion proxy Domain
(gigapaysun.com) (policy.rules)
  2810828 - ETPRO POLICY DNS Query to .onion proxy Domain
(aenf387awmx28.com) (policy.rules)
  2810829 - ETPRO POLICY DNS Query to .onion proxy Domain
(paletoption.com) (policy.rules)
  2810901 - ETPRO WEB_SERVER ElasticSearch Directory Traversal Attempt
(CVE-2015-3337) (web_server.rules)
  2811013 - ETPRO POLICY DNS Query to .onion proxy Domain
(torhsbrowser.us) (policy.rules)
  2811059 - ETPRO TROJAN MSIL/Autorun.AD Checkin (trojan.rules)
rmkml | 21 May 23:49 2015

Offer a sig for detecting ElasticSearch dir traversal

Hi,

The http://etplc.org project offer a new sig for detecting ElasticSearch _plugin directory traversal attempt:

alert tcp any any -> any 9200 (msg:"WEB-MISC ElasticSearch _plugin directory traversal attempt"; flow:to_server,established; content:"GET"; nocase; content:"/_plugin/"; nocase; fast_pattern; within:50; distance:0; content:"/../"; within:50; distance:0; pcre:"/^GET\s[^\n]*?\/_plugin\/[^\n]*?\/\.\.\//smi"; reference:url,www.exploit-db.com/exploits/37054/; classtype:web-application-attack; sid:1; rev:1;)

Or use "alert http ..." for Suricata IDPS engine.

Please send any comments.

Regards
@Rmkml
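As an added example, not part of rmkml's post or of the etplc.org project, the Python below replays the posted signature's logic (the three-step content chain with its within:50/distance:0 constraints, then the pcre) over constructed HTTP requests. The requests and the host name es:9200 are made up. It shows that the rule fires on the literal `/_plugin/<name>/../` form and stays quiet on a benign plugin request, but also that a percent-encoded traversal (`..%2f`) slips past the raw `/../` content unless the request target is decoded first, which is the practical argument for moving the rule onto a normalized URI buffer (Suricata's `alert http` with `http_uri`, as the post suggests) rather than matching the raw TCP stream.

```python
import re
from urllib.parse import unquote

# pcre from the posted rule, with the same s/m/i flags.
TRAVERSAL_PCRE = re.compile(r"^GET\s[^\n]*?/_plugin/[^\n]*?/\.\./", re.S | re.M | re.I)

# Constructed sample requests (not captured traffic); the host "es:9200" is made up.
SAMPLES = {
    "literal": b"GET /_plugin/head/../../../../../../etc/passwd HTTP/1.1\r\nHost: es:9200\r\n\r\n",
    "encoded": b"GET /_plugin/head/..%2f..%2f..%2fetc/passwd HTTP/1.1\r\nHost: es:9200\r\n\r\n",
    "benign":  b"GET /_plugin/head/index.html HTTP/1.1\r\nHost: es:9200\r\n\r\n",
    "post":    b"POST /_plugin/head/../x HTTP/1.1\r\nHost: es:9200\r\n\r\n",
}


def _content_chain(payload: bytes) -> bool:
    """Emulate the rule's content chain on the raw payload: "GET" (nocase),
    then "/_plugin/" (nocase) ending within 50 bytes of it, then "/../"
    ending within 50 bytes of that (the two within:50; distance:0 pairs)."""
    p = payload.lower()
    i = p.find(b"get")
    if i < 0:
        return False
    end = i + len(b"get")
    j = p.find(b"/_plugin/", end, end + 50)
    if j < 0:
        return False
    end = j + len(b"/_plugin/")
    return p.find(b"/../", end, end + 50) >= 0


def rule_matches(payload: bytes) -> bool:
    """Raw-stream evaluation, the way the posted 'alert tcp ... 9200' rule sees it."""
    text = payload.decode("latin-1")
    return _content_chain(payload) and TRAVERSAL_PCRE.search(text) is not None


def rule_matches_decoded(payload: bytes) -> bool:
    """Same rule after percent-decoding the request line; this stands in for a
    normalized URI buffer (Suricata's http_uri), which the raw-stream rule never gets."""
    request_line, sep, rest = payload.partition(b"\r\n")
    decoded = unquote(request_line.decode("latin-1"), encoding="latin-1").encode("latin-1")
    return rule_matches(decoded + sep + rest)


def evaluate(samples=SAMPLES) -> dict:
    """Per sample: (matches on the raw payload, matches after decoding)."""
    return {name: (rule_matches(req), rule_matches_decoded(req)) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (raw, after_decode) in evaluate().items():
        print(f"{name:8} raw={raw!s:5} decoded={after_decode}")
```

The "post" sample also shows why the pcre's `^GET` anchor matters: the unanchored `content:"GET"; nocase;` would happily match a "get" substring anywhere in the payload, so the anchored pcre is what keeps the rule to GET requests.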
Francis Trudeau | 21 May 23:46 2015

Daily Ruleset Update Summary 2015/05/21

 [***] Summary: [***]

 12 Open signatures, 29 new Pro (12 + 17).  Angler, Sundown, Korplug,
POSCardStealer.

 Thanks:  @EKWatcher, @kafeine.

 [+++]          Added rules:          [+++]

 Open:

  2021126 - ET CURRENT_EVENTS Angler EK XTEA encrypted binary (24)
(current_events.rules)
  2021127 - ET CURRENT_EVENTS Angler EK XTEA encrypted binary (25)
(current_events.rules)
  2021128 - ET TROJAN Blue Bot DDoS Proxy Request (trojan.rules)
  2021129 - ET TROJAN Blue Bot DDoS Blog Request (trojan.rules)
  2021130 - ET TROJAN Blue Bot DDoS Target Request (trojan.rules)
  2021131 - ET TROJAN Blue Bot DDoS Logger Request (trojan.rules)
  2021132 - ET TROJAN JavaScriptBackdoor HTTP GET CnC Beacon (trojan.rules)
  2021133 - ET TROJAN JavaScriptBackdoor HTTP POST CnC Beacon (trojan.rules)
  2021134 - ET TROJAN JavaScriptBackdoor SSL Cert (trojan.rules)
  2021135 - ET TROJAN Suspicious X-mailer Synapse Inbound to SMTP
Server (trojan.rules)
  2021136 - ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M1
(current_events.rules)
  2021137 - ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M2
(current_events.rules)

 Pro:

  2811000 - ETPRO TROJAN Win32/Bancos.YW Checkin (trojan.rules)
  2811048 - ETPRO TROJAN Win32/Korplug.DY CnC POST (trojan.rules)
  2811049 - ETPRO TROJAN Yakes Possible SSL Cert (trojan.rules)
  2811050 - ETPRO TROJAN Likely Dridex Generic SSL Cert (trojan.rules)
  2811051 - ETPRO TROJAN KINS Possible SSL Cert (trojan.rules)
  2811052 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.BDO Checkin
(mobile_malware.rules)
  2811053 - ETPRO MALWARE Adware/OptimizerMonitor CnC Beacon 1 (malware.rules)
  2811054 - ETPRO MALWARE Adware/OptimizerMonitor CnC Beacon 2 (malware.rules)
  2811055 - ETPRO TROJAN Win32/Zegost.AD Checkin (trojan.rules)
  2811056 - ETPRO TROJAN Win32/Spy.POSCardStealer.N DNS Lookup
(mail.rumpleskin.org) (trojan.rules)
  2811057 - ETPRO TROJAN Python.A CnC Beacon (trojan.rules)
  2811058 - ETPRO POLICY External IP Lookup - ip.42.pl (policy.rules)
  2811059 - ETPRO TROJAN MSIL/Autorun.AD Checkin (trojan.rules)
  2811060 - ETPRO WEB_SPECIFIC_APPS WP Plugin FeedWordPress v2015.0426
SQLi Attempt (web_specific_apps.rules)
  2811061 - ETPRO TROJAN Win32/Spy.POSCardStealer.C FTP STOR Command
(trojan.rules)
  2811062 - ETPRO TROJAN Win32/Spy.POSCardStealer.O CnC Beacon 1 (trojan.rules)
  2811063 - ETPRO TROJAN Win32/Spy.POSCardStealer.O CnC Beacon 2 (trojan.rules)

 [///]     Modified active rules:     [///]

 [---]         Removed rules:         [---]

  2811000 - ETPRO MALWARE Win32/Bancos.YW Checkin (malware.rules)
Mike Worth | 21 May 22:08 2015

Some more rules for miscellaneous commodity 3vil

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Zusy Worm"; flow:to_server,established; content:"vvv.byethost32.com"; http_header; nocase; reference:url,https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm:MSIL/Autorun.AD#tab=2; reference:url,https://www.virustotal.com/en/file/9b57e6a137882be5a6e8c085cfa23f26294c2ac9427a99d0e54e9d26fc46c087/analysis/; classtype:trojan-activity; sid:XXXXXXXX; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Win32/Upatre.BF"; flow:to_server,established; content:"/vpic21.png"; http_uri; content:"Host|3a| "; http_header; pcre:"/^Host\x3a\s*(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?:\x3a\d+)?\r?$/Hmi"; reference:url,https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader:Win32/Upatre.BF#tab=2; reference:url,https://www.virustotal.com/en/file/901c8ab1c3d135f2a9e935fe9ba9bf01cd5eec89a9b6da83368583a2b7ee2c1a/analysis/; classtype:trojan-activity; sid:XXXXXXXX; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Bancos URL structure"; flow:to_server,established; content:"GET"; http_method; content:"/infects/"; http_uri; nocase; pcre:"/\/[a-z]\/infects\//Ui"; reference:url,https://www.virustotal.com/en/file/2d29b6ad0dc2f431ce7f14d302ca93bda714632dc7abbf6d70bef25e934cb8ed/analysis/; reference:url,https://www.virustotal.com/en/file/65335e9df2d4cb5267bdab0dd9e3d1bcdff957fa4d40e3219fc9267af94a318e/analysis/; classtype:trojan-activity; sid:XXXXXXXX; rev:1;)

Hope this helps.
James Lay | 21 May 19:33 2015

Dridex/Kryptik Pascal Library X-Mailer sig

Saw a fair bit of malicious emails with:

X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer

set.  These included this type of malicious link (brackets added):

meows://www.google[.]com/url?q=meows%3A%2F%2Fcopy[.]com%2FBmlHcclqSfe7COabPactDgg%2FWire_%2520transfer411A.zip%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNHGxjvBdYV5kCQpDyaS4LSYSl1pOA

These lead to badness:

https://www.virustotal.com/en/file/d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43/analysis/
https://www.hybrid-analysis.com/search?query=d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43+

Below should catch this particular mailer:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Possible Malicious Email with Pascal TCP/IP library X-mailer"; flow:to_server,established; content:"X-mailer|3a| Synapse - Pascal TCP|2f|IP library by Lukas Gebauer"; fast_pattern:only; classtype:bad-unknown; sid:10000160; rev:1;)

James
Francis Trudeau | 21 May 00:02 2015

Daily Ruleset Update Summary 2015/05/20

 [***] Summary: [***]

 9 new Open signatures, 16 new Pro (9 + 7).  Logjam, Alphacrypt,
TorrentLocker, SpyBanker.

 Thanks:  Mike Worth, @malwareforme, @abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2021106 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Dridex CnC) (trojan.rules)
  2021118 - ET TROJAN SPEAR CnC Beacon (trojan.rules)
  2021119 - ET TROJAN SPEAR CnC Beacon 2 (trojan.rules)
  2021120 - ET POLICY External Timezone Check (earthtools.org) (policy.rules)
  2021121 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS CnC) (trojan.rules)
  2021122 - ET TROJAN Worm.VBS.Jenxcus.H URL Structure (trojan.rules)
  2021123 - ET TROJAN Worm.VBS.Jenxcus.H User Agent (trojan.rules)
  2021124 - ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server
(exploit.rules)
  2021125 - ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server
(exploit.rules)

 Pro:

  2811041 - ETPRO TROJAN SpyBanker Install (trojan.rules)
  2811042 - ETPRO TROJAN Alphacrypt CnC Beacon (trojan.rules)
  2811043 - ETPRO TROJAN Alphacrypt CnC Beacon Response (trojan.rules)
  2811044 - ETPRO TROJAN Unknown Checkin (trojan.rules)
  2811045 - ETPRO TROJAN Unknown Dropper Checkin (trojan.rules)
  2811046 - ETPRO TROJAN TorrentLocker SSL Cert (trojan.rules)
  2811047 - ETPRO POLICY DNS Query to .onion proxy Domain
(foi48wmc5de44.com) (policy.rules)

 [///]     Modified active rules:     [///]

  2020422 - ET TROJAN MultiPlug.J Checkin (trojan.rules)

 [---]         Removed rules:         [---]

  2020658 - ET EXPLOIT FREAK Weak Export Suite From Server
(CVE-2015-0204) (exploit.rules)
  2021106 - ET CURRENT_EVENTS ABUSE.CH SSL Blacklist Malicious SSL
certificate detected (Dridex CnC) (current_events.rules)
Mike Worth | 20 May 14:23 2015

rules that have had positive hits on Worm.VBS.Jenxcus.H

alert http any any -> any $HTTP_PORTS (msg:"Possible Worm.VBS.Jenxcus.H url structure is-rinoy"; flow:to_server,established; content:"/is-rinoy"; http_uri; reference:url,https://www.virustotal.com/en/file/a00eaca44c480843b1a8a11ac8870a931477be08d98f0476d1f8f60433e3f40a/analysis/; classtype:trojan-activity; sid:xxxxxxx; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Worm.VBS.Jenxcus.H user agent"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3a| Hacked"; http_header; reference:url,https://www.virustotal.com/en/file/a00eaca44c480843b1a8a11ac8870a931477be08d98f0476d1f8f60433e3f40a/analysis/; classtype:trojan-activity; sid:xxxxxxxx; rev:1;)

These could probably be combined into one rule, but I like to keep User agents and URI content separated. 

Hope this helps 
Francis Trudeau | 19 May 23:18 2015

Daily Ruleset Update Summary 2015/05/19

 [***] Summary: [***]

 2 new Open signatures, 10 new Pro (2 + 8).  APT17, Banload, CRUCMS SQLi.

 Thanks:  James Lay, Anthony Rodgers, @jaimeblascob, @mflage and @kafeine.

 [+++]          Added rules:          [+++]

 Open:

  2021116 - ET TROJAN Possible APT17 CnC Content in Public Website
(trojan.rules)
  2021117 - ET TROJAN Win32/Rallovs.A CnC Beacon (trojan.rules)

 Pro:

  2811003 - ETPRO TROJAN W32/Banload.UOL!tr.dldr Checkin (trojan.rules)
  2811034 - ETPRO TROJAN DDoS.Win32/Nitol.gen!A Checkin 3 (trojan.rules)
  2811035 - ETPRO INFO Application Installer Prompt via Smart
Installer (info.rules)
  2811036 - ETPRO WEB_SPECIFIC_APPS CRUCMS Crucial Networking SQLi
Attempt (projects-cat.php) (web_specific_apps.rules)
  2811037 - ETPRO TROJAN PowerShell Win32/Filecoder.CS Ransomware
Download (trojan.rules)
  2811038 - ETPRO MOBILE_MALWARE Android.Adware.Dowgin.EI Checkin
(mobile_malware.rules)
  2811039 - ETPRO TROJAN TeslaCrypt/AlphaCrypt Variant .onion Proxy
Domain (2k7vcwbzor5ybfto) (trojan.rules)
  2811040 - ETPRO MALWARE Adware.EoRezo CnC Beacon (malware.rules)

 [///]     Modified active rules:     [///]

  2018462 - ET TROJAN W32/Fsysna.Downloader CnC Beacon (trojan.rules)
  2020022 - ET TROJAN Possible VirLock Connectivity Check (trojan.rules)
  2020746 - ET TROJAN Win32.Chroject.B Retrieving encoded payload (trojan.rules)

 [---]         Removed rules:         [---]

  2804603 - ETPRO TROJAN Lethic.B XOR key 1 (trojan.rules)
  2806941 - ETPRO TROJAN Lethic.B XOR Key 2 (trojan.rules)
James Lay | 19 May 16:06 2015

RFI: Rule 2016101

Any intel on this?

May 19 08:29:33 ids snort[28471]: [1:2016101:2] ET TROJAN DNS Reply Sinkhole - Microsoft - 131.253.18.0/24 [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} x.x.x.x:53 -> x.x.x.x:61237

Actual request is here:

2015-05-19T08:29:53+0000 C178Fb1AE5nXOaNPLi x.x.x.x 50029 x.x.x.x 53 udp 54728 settings-win.data.microsoft.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 settings.data.glbdns2.microsoft.com,blackhole6.glbdns2.microsoft.com,131.253.18.253 2744.000000,4.000000,0.000000 F

I can't find anything showing malicious activity from the subnet or the 
hostname:

https://urlquery.net/report.php?id=1432044224951

and

https://urlquery.net/search.php?q=settings-win&type=string&start=2011-06-25&end=2015-05-19&max=50

on the surface this looks like someone made a boo-boo, but I'd like to 
confirm.  Thank you.

James
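As an added example, not part of James Lay's post, the Python below does the triage step his dns.log record invites: it splits the answer section into the CNAME hops and the final address, checks which address falls inside the /24 named in the msg of rule 2016101, and then asks whether the queried name and every CNAME on the way there belong to the operator of that range. When they do, as with settings-win.data.microsoft.com walking through blackhole6.glbdns2.microsoft.com, the hit is Microsoft resolving its own name into its own "blackhole" range, not a sinkholed malware domain. Assumptions: the default Bro 2.x dns.log column order (check the #fields header of your own log); the second record, update.cnc.example, is constructed purely for contrast and is not real traffic.

```python
import ipaddress

# The /24 named in the msg of ET rule 2016101.
SINKHOLE_NET = ipaddress.ip_network("131.253.18.0/24")
# Operator of that range, per the rule's msg; used to recognise first-party lookups.
SINKHOLE_OPERATOR = "microsoft.com"

# Bro 2.x default dns.log column order (assumption; verify against your #fields line).
DNS_FIELDS = (
    "ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query "
    "qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z "
    "answers TTLs rejected"
).split()

# The record from the post (client and resolver addresses were already redacted there).
RECORD_FROM_POST = "\t".join([
    "2015-05-19T08:29:53+0000", "C178Fb1AE5nXOaNPLi", "x.x.x.x", "50029", "x.x.x.x", "53",
    "udp", "54728", "settings-win.data.microsoft.com", "1", "C_INTERNET", "1", "A",
    "0", "NOERROR", "F", "F", "T", "T", "0",
    "settings.data.glbdns2.microsoft.com,blackhole6.glbdns2.microsoft.com,131.253.18.253",
    "2744.000000,4.000000,0.000000", "F",
])

# Constructed contrast record: a made-up third-party name answered straight from the range.
CONSTRUCTED_THIRD_PARTY = "\t".join([
    "2015-05-19T08:30:11+0000", "CxXxXxXxXxXxXxXxXx", "x.x.x.x", "50030", "x.x.x.x", "53",
    "udp", "54729", "update.cnc.example", "1", "C_INTERNET", "1", "A",
    "0", "NOERROR", "F", "F", "T", "T", "0",
    "131.253.18.253", "300.000000", "F",
])


def parse_dns_record(line: str) -> dict:
    """Map one tab-separated dns.log line onto the assumed column names."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != len(DNS_FIELDS):
        raise ValueError(f"expected {len(DNS_FIELDS)} columns, got {len(fields)}")
    return dict(zip(DNS_FIELDS, fields))


def _as_ip(value: str):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None  # a CNAME target, not an address


def _under(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def triage_sinkhole_hit(record: dict) -> dict:
    """Separate the CNAME chain from the final addresses, flag addresses inside the
    sinkhole range, and decide whether they were reached via the operator's own names."""
    raw = record["answers"]
    answers = raw.split(",") if raw not in ("", "-") else []
    cnames = [a for a in answers if _as_ip(a) is None]
    addrs = [ip for ip in (_as_ip(a) for a in answers) if ip is not None]
    sinkholed = [str(ip) for ip in addrs if ip in SINKHOLE_NET]
    first_party = _under(record["query"], SINKHOLE_OPERATOR) and all(
        _under(c, SINKHOLE_OPERATOR) for c in cnames
    )
    if not sinkholed:
        verdict = "no-sinkhole-answer"      # rule should not have fired on this record
    elif first_party:
        verdict = "first-party"             # operator resolving its own name into its own range
    else:
        verdict = "third-party"             # unrelated domain answered with a sinkhole address
    return {"query": record["query"], "cname_chain": cnames, "sinkholed": sinkholed, "verdict": verdict}


if __name__ == "__main__":
    for line in (RECORD_FROM_POST, CONSTRUCTED_THIRD_PARTY):
        print(triage_sinkhole_hit(parse_dns_record(line)))
```

The verdict is a triage hint, not a whitelist: a "first-party" chain means the alert reflects the range owner's own DNS, which is what James observed, while "third-party" is the case the sinkhole rule exists for and deserves a look at the querying host.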
Francis Trudeau | 19 May 00:39 2015

Daily Ruleset Update Summary 2015/05/18

 [***] Summary: [***]

 4 new Open signatures, 22 new Pro (4 + 18).  Darpapox, Pacman, SMSPay, Yahoyah.

 Thanks:  Anthony Rodgers, @abuse_ch, @mflage

 [+++]          Added rules:          [+++]

  2021112 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Dridex CnC) (trojan.rules)
  2021113 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Dyre CnC) (trojan.rules)
  2021114 - ET TROJAN Yahoyah CnC Beacon (trojan.rules)
  2021115 - ET TROJAN CTB-Locker .onion Proxy Domain
(tlunjscxn5n76iyz) (trojan.rules)

 Pro:

  2811015 - ETPRO TROJAN Adware.SMSHoax Install (trojan.rules)
  2811016 - ETPRO TROJAN Backdoor.Darpapox CNAME CnC Beacon (WinVer
5.0) (trojan.rules)
  2811017 - ETPRO TROJAN Backdoor.Darpapox CNAME CnC Beacon (WinVer
5.1) (trojan.rules)
  2811018 - ETPRO TROJAN Backdoor.Darpapox CNAME CnC Beacon (WinVer
5.2) (trojan.rules)
  2811019 - ETPRO TROJAN Backdoor.Darpapox CNAME CnC Beacon (WinVer
6.0) (trojan.rules)
  2811020 - ETPRO TROJAN Backdoor.Darpapox CNAME CnC Beacon (WinVer
6.1) (trojan.rules)
  2811021 - ETPRO TROJAN Backdoor.Darpapox CNAME CnC Beacon (WinVer
6.2) (trojan.rules)
  2811022 - ETPRO TROJAN Backdoor.Darpapox CNAME CnC Beacon (WinVer
6.3) (trojan.rules)
  2811023 - ETPRO TROJAN Backdoor.Darpapox CNAME CnC Beacon (WinVer
10.0) (trojan.rules)
  2811024 - ETPRO TROJAN Win32/Troldesh.A Ransomware External IP Check
2 (trojan.rules)
  2811025 - ETPRO TROJAN Unknown Checkin (trojan.rules)
  2811026 - ETPRO TROJAN Win32/Duetag.A Checkin 1 (trojan.rules)
  2811028 - ETPRO TROJAN Pacman Ransomware C2 crypted.php (trojan.rules)
  2811029 - ETPRO TROJAN Pacman Ransomware C2 locked.php (trojan.rules)
  2811030 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(sabyd.1) (trojan.rules)
  2811031 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(Stradan.united) (trojan.rules)
  2811032 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.IH Checkin
(mobile_malware.rules)
  2811033 - ETPRO TROJAN PoisonIvy Keepalive to CnC 162 (trojan.rules)

 [///]     Modified active rules:     [///]

  2016870 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE
5. (policy.rules)
  2017599 - ET TROJAN W32.Nemim Checkin (trojan.rules)
  2017600 - ET TROJAN Backdoor.Egobot Checkin (trojan.rules)
  2018394 - ET TROJAN Common Upatre Header Structure (trojan.rules)
  2018635 - ET TROJAN Common Upatre Header Structure 2 (trojan.rules)
  2019363 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (TeslaCrypt) (trojan.rules)
  2020295 - ET TROJAN Common Upatre Header Structure 3 (trojan.rules)
  2021102 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Dridex CnC) (trojan.rules)
  2021106 - ET CURRENT_EVENTS ABUSE.CH SSL Blacklist Malicious SSL
certificate detected (Dridex CnC) (current_events.rules)
  2806591 - ETPRO CURRENT_EVENTS Deka Infostealer FTP upload
(current_events.rules)
  2809615 - ETPRO TROJAN Critroni Likely Malicious Tor Proxy Cookie
(trojan.rules)

 [---]         Removed rules:         [---]

  2808775 - ETPRO TROJAN Trojan.MulDrop3.53344 Checkin (trojan.rules)
