Francis Trudeau | 7 Jul 00:44 2015

Daily Ruleset Update Summary 2015/07/06

 [***] Summary: [***]

 6 new Open signatures, 30 new Pro (6 + 24).   Zegost, PoisonIvy,
Beaugrit, Dridex.

 Thanks:  Anthony Rodgers, @malwaremustdie, @kafeine, @dragonthreatlab
 and @rmkml.

 [+++]          Added rules:          [+++]

 Open:

  2021379 - ET TROJAN Mocelpa Client Hello CnC Beacon (trojan.rules)
  2021380 - ET TROJAN Dridex SSL Cert July 6 2015 (trojan.rules)
  2021384 - ET USER_AGENTS WildTangent User-Agent (WT Games App)
(user_agents.rules)
  2021385 - ET TROJAN Win32/Denisca.A CnC Beacon (trojan.rules)
  2021386 - ET MOBILE_MALWARE Android BatteryBotPro Checkin
(mobile_malware.rules)
  2021387 - ET MOBILE_MALWARE Android BatteryBotPro Checkin 2
(mobile_malware.rules)

 Pro:

  2811787 - ETPRO MALWARE Small.ALK PUP Checkin (malware.rules)
  2811798 - ETPRO TROJAN Win32/Beaugrit.gen!AAA Checkin (trojan.rules)
  2811799 - ETPRO TROJAN Win32/Beaugrit.gen!AAA Checkin (trojan.rules)
  2811800 - ETPRO TROJAN Win32/Beaugrit.gen!AAA Checkin (trojan.rules)
  2811801 - ETPRO TROJAN LAPY CnC Beacon (trojan.rules)
  2811802 - ETPRO TROJAN Win32.Generic Downloader Checkin (trojan.rules)

Russell Fulton | 5 Jul 04:32 2015

FP: ET DOS Apple CoreText Exploit Specific string 2017397

I got a couple of hits on this — it is iOS 6 specific from two years ago.  Time to retire?

For the record the destination is a Dell Desktop.

R
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net

Packet Hack | 5 Jul 01:04 2015

Python User Agent

Seem to be seeing lots of hits from various sigs with this
UA:

  User-Agent: python-requests/2.2.1 CPython/2.7.6 Linux/3.16.0-41-generic

Anyone seeing the same?

-- pckthck
Packet Hack | 3 Jul 21:03 2015

ET TROJAN Possible Duqu 2.0 Accessing SMB/SMB2 backdoor

See this tripping a lot - how reliable is it?

--pckthck
Kevin Ross | 3 Jul 10:59 2015

SIGS: ET TROJAN W32/Banload.VZS Download & Banker

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Banload.VZS Downloader CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:".png"; http_uri; content:".png HTTP/1.1"; content:"User-Agent: Firefox/15.0.1|0D 0A|"; http_header; fast_pattern:12,16; content:!"Referer|3A|"; http_header; content:!"Accept"; http_header; classtype:trojan-activity; reference:md5,3f30e3a023a720f0227a0a8653484239; sid:156771; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Banload.VZS Banker POST CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"/adm/contador.php"; http_uri; fast_pattern:only; content:"User-Agent|3A| Firefox/15.0.1|0D 0A|"; http_header; classtype:trojan-activity; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; sid:156772; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Banload.VZS Banker POST CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"/upload.php"; http_uri; depth:11; content:"conteudo="; http_client_body; depth:9; content:"&myFile="; http_client_body; distance:0; classtype:trojan-activity; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; sid:156773; rev:1;)

Kind Regards,
Kevin Ross
Francis Trudeau | 3 Jul 00:09 2015

Daily Ruleset Update Summary 2015/07/02

 [***] Summary: [***]

 5 new Open signatures, 23 new Pro (5 + 18).  Linux.DDoS.E, Zbot, PoisonIvy.

 Thanks:  Andrea De Pasquale, Russell Fulton, @EKwatcher and @abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2021374 - ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 02
(current_events.rules)
  2021375 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (Gozi CnC) (trojan.rules)
  2021376 - ET TROJAN UpDocX Checkin (trojan.rules)
  2021377 - ET TROJAN UpDocX Download (trojan.rules)
  2021378 - ET POLICY External IP Lookup - checkip.dyndns.org (policy.rules)

 Pro:

  2811776 - ETPRO TROJAN Linux.DDoS.E Checkin (trojan.rules)
  2811777 - ETPRO TROJAN Trojan-Ransom.Win32.Blocker.hapm Checkin (trojan.rules)
  2811778 - ETPRO TROJAN W32/Zbot.AVTH .onion Proxy Domain (trojan.rules)
  2811779 - ETPRO CURRENT_EVENTS Angler EK Landing June 30 2015 M6
(current_events.rules)
  2811780 - ETPRO MALWARE Win32/TomorrowSoftware.Downloader PUP
Checkin 2 (malware.rules)
  2811781 - ETPRO TROJAN PoisonIvy Keepalive to CnC 190 (trojan.rules)
  2811782 - ETPRO TROJAN PoisonIvy Keepalive to CnC 191 (trojan.rules)
  2811783 - ETPRO TROJAN PoisonIvy Keepalive to CnC 192 (trojan.rules)
  2811784 - ETPRO POLICY DNS Query to .onion proxy Domain
(paybalanceto.com) (policy.rules)
  2811785 - ETPRO MALWARE FlyStudio Variant Checkin (malware.rules)
  2811786 - ETPRO MALWARE ADWARE/MultiPlug.Gen4 Checkin (malware.rules)
  2811787 - ETPRO TROJAN Win32/TrojanDownloader.Small.ALK CnC Checkin
(trojan.rules)
  2811788 - ETPRO WEB_SPECIFIC_APPS ipTIME firmware < 9.58 RCE
(web_specific_apps.rules)
  2811789 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(WmVSMF90c3Q6dHN0) (trojan.rules)
  2811790 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(b3JyaWNvbi4xMjM0NTo1NDMyMQ==) (trojan.rules)
  2811791 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(ZDM4YTM5eXNfbDNrcHk6cGFzc3dvcmQ=) (trojan.rules)
  2811792 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(Y29pbm9ib3QuMjoxMjM0) (trojan.rules)
  2811793 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(cmVkZW1fY2hlY2s6Y2hlY2s=) (trojan.rules)

 [///]     Modified active rules:     [///]

  2017713 - ET TROJAN Taidoor Checkin (trojan.rules)
  2018052 - ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin
(current_events.rules)
  2809459 - ETPRO MOBILE_MALWARE Android/Adware.AirPush.J Checkin
(mobile_malware.rules)

 [---]         Removed rules:         [---]

  2015698 - ET CURRENT_EVENTS SPL Landing Page Requested (current_events.rules)
Andrea De Pasquale | 2 Jul 11:00 2015

SPL Landing Page Requested hitting on possible BetterSurf/BrowserShop adware

Hello,
SID 2015698 "ET CURRENT_EVENTS SPL Landing Page Requested"
occasionally hits on requests related to some adware that have
"YWZmaWQ9" in the URL. Same clients are also firing SID 2020712 "ET
MALWARE AdWare.Win32.BetterSurf.b SSL Cert", so I guess it's something
related to that or to "Browser Shop". Maybe you could add some
negation based on the referer, the cookie, or the base64 text (e.g.
{"title":"Powered by Browser Shop"}).

GET /B4gLhi0XwuT2cJCf/?d=W3sicmVmZXJlciI6IiJ9LHsiY291bnRyeSI6Iml0In0seyJ1cmwiOiJodHRwOi8vdmlldy5jb250ZXh0dWFseWllbGQuY29tL3NjanMvdGIvY3R4anMvaW5kZXgucGhwP2t3Mj13d3cueW91dHViZS5jb20mYWZmaWQ9MTE1MSZzdWJhZmZfaWQ9NjY4XzIwODQ3JmludGZvcm1hdD1yb2xsJm5leHRwYWdlPWh0dHBzJTNBJTJGJTJGd3d3LnlvdXR1YmUuY29tJTJGd2F0Y2glM0Z2JTNEdVNENHZzaDF6REEmY2g9MTA3NDImc2JyYW5kPUJyb3dzZXIlMjBTaG9wJmZvbGRlcj12OC41LjcmdHlwcmQ9b290ZCZjdT0zNDU5NyZjb3VudHJ5PUlUJm9yaWdpbmFsX2NvdW50cnk9SVQmdXVpZD05MTcxNTQ0MzU4MTM0MjcxMTQzNDY2MjM5NiJ9LHsidTEiOiIxYTZmMmY4Yi1jMjZjLTQ4ZDMtODE4OC1hZjg0NDU3MWQ3ZWYifSx7InRpdGxlIjoiUG93ZXJlZCBieSBCcm93c2VyIFNob3AifSx7ImhlYWRsaW5lIjoiIn0seyJjaGFubmVsIjoiOTEwMC0xMDMzIn0seyJldiI6IiJ9LHsiY3R4X3ZhbHVlIjoiIn0seyJnbGJ2IjoiMWE2ZjQyNjE4OSJ9LHsicHBtIjowfV0%3D
HTTP/1.1
Host: tyi.evocativelybefuddled.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Referer: http://view.contextualyield.com/scjs/tb/ctxjs/index.php?kw2=www.youtube.com&affid=1151&subaff_id=668_20847&intformat=roll&nextpage=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DuSD4vsh1zDA&ch=10742&sbrand=Browser%20Shop&folder=v8.5.7&typrd=ootd&cu=34597&country=IT&original_country=IT&uuid=91715443581342711434662396
Accept-Encoding: gzip, deflate, sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: glob=YTo0OntzOjk6InVzZXJfZ3VpZCI7czoyNDoiNTU5NDFlMDQ1MTg3

Regards,
-- 
Andrea De Pasquale
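To check the negation Andrea proposes before touching the rule, here is an added Python example (not part of the thread) that decodes the d= parameter of the request quoted above; it assumes the value is a URL-encoded base64 JSON array, which is what this capture carries.

```python
import base64
import json
from urllib.parse import parse_qs, unquote, urlsplit

# Request URI copied from the FP report above; the d= value is URL-encoded base64.
ADWARE_URI = (
    "/B4gLhi0XwuT2cJCf/?d="
    "W3sicmVmZXJlciI6IiJ9LHsiY291bnRyeSI6Iml0In0seyJ1cmwiOiJodHRwOi8vdmlldy5jb250ZXh0dWFseWllbGQuY29tL3NjanMvdGIvY3R4anMvaW5kZXgucGhw"
    "P2t3Mj13d3cueW91dHViZS5jb20mYWZmaWQ9MTE1MSZzdWJhZmZfaWQ9NjY4XzIwODQ3JmludGZvcm1hdD1yb2xsJm5leHRwYWdlPWh0dHBzJTNBJTJGJTJG"
    "d3d3LnlvdXR1YmUuY29tJTJGd2F0Y2glM0Z2JTNEdVNENHZzaDF6REEmY2g9MTA3NDImc2JyYW5kPUJyb3dzZXIlMjBTaG9wJmZvbGRlcj12OC41Ljcm"
    "dHlwcmQ9b290ZCZjdT0zNDU5NyZjb3VudHJ5PUlUJm9yaWdpbmFsX2NvdW50cnk9SVQmdXVpZD05MTcxNTQ0MzU4MTM0MjcxMTQzNDY2MjM5NiJ9"
    "LHsidTEiOiIxYTZmMmY4Yi1jMjZjLTQ4ZDMtODE4OC1hZjg0NDU3MWQ3ZWYifSx7InRpdGxlIjoiUG93ZXJlZCBieSBCcm93c2VyIFNob3AifSx7"
    "ImhlYWRsaW5lIjoiIn0seyJjaGFubmVsIjoiOTEwMC0xMDMzIn0seyJldiI6IiJ9LHsiY3R4X3ZhbHVlIjoiIn0seyJnbGJ2IjoiMWE2ZjQyNjE4OSJ9LHsicHBtIjowfV0%3D"
)
AFFID_B64 = "YWZmaWQ9"  # base64 of "affid=", the fragment Andrea sees in the URL


def decode_d_param(uri: str) -> dict:
    """Decode d= (a JSON list of single-key objects) into one dict; {} if absent/invalid."""
    for pair in urlsplit(uri).query.split("&"):
        key, sep, value = pair.partition("=")
        if key != "d" or not sep:
            continue
        try:
            items = json.loads(base64.b64decode(unquote(value), validate=True))
        except ValueError:  # binascii.Error (bad base64) is a ValueError too
            return {}
        merged = {}
        for item in items if isinstance(items, list) else []:
            if isinstance(item, dict):
                merged.update(item)
        return merged
    return {}


def affid_of(uri: str) -> str:
    """Return the affid= value of the landing URL embedded in the payload, '' if none."""
    inner = decode_d_param(uri).get("url", "")
    return parse_qs(urlsplit(inner).query).get("affid", [""])[0]


def is_browser_shop_adware(uri: str) -> bool:
    """The negation Andrea proposes: decoded title names Browser Shop, or the raw
    parameter still contains the base64 fragment of 'affid='."""
    title = str(decode_d_param(uri).get("title", ""))
    return "Powered by Browser Shop" in title or AFFID_B64 in uri
```

The decoded payload also carries the same landing URL and affiliate id as the Referer header, which is why a Referer-based negation would work for this client too.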
Russell Fulton | 2 Jul 08:54 2015

possible FP: ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin 2018052

two machines on the student wireless network with one alert each — same payload except for the cookie:

ET /xaddinupdate/xaddinupdate.bin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E;
.NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; InfoPath.3)
Host: conf.xmp.kankan.com
Connection: Keep-Alive
Cookie: KANKANWEBUID=ce6133ec89f775030148bd0afd350673; adFilter_ck=1.0; ztId_ck=1.0;
XMP_WEB_index_light_status=open; XMP_WEB_index_guanggao_num_9=8


Russell Fulton | 2 Jul 08:50 2015

possible FP: ET TROJAN Taidoor Checkin 2017713

GET /logins.jsp?df=hao123 HTTP/1.1 
User-Agent: User-Agent.Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 
Host: reg.163.com:443 
Cache-Control: no-cache 
Cookie: usertrack=c+5+hlT9BbyoZCwqi1a6Ag== 

From our student wireless network.

Russell 
Francis Trudeau | 2 Jul 00:37 2015

Daily Ruleset Update Summary 2015/07/01

 [***] Summary: [***]

 2 new Open signatures, 17 new Pro (2 + 15).  Dridex, PoisonIvy, MSIL/Kryptik.

 Thanks:  @kafeine and @EKwatcher

 [+++]          Added rules:          [+++]

 Open:

  2021372 - ET TROJAN Dridex SSL Cert 1 July 2015 (trojan.rules)
  2021373 - ET CURRENT_EVENTS NullHole EK Landing URI struct
(current_events.rules)

 Pro:

  2811761 - ETPRO TROJAN MSIL/Injector.KJW .onion Proxy Domain (trojan.rules)
  2811762 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK
(Anti-AV Check) (current_events.rules)
  2811763 - ETPRO MOBILE_MALWARE Monitoring-Tool Android/SafeKidZone.A
Checkin (mobile_malware.rules)
  2811764 - ETPRO MOBILE_MALWARE Monitoring-Tool Android/SafeKidZone.A
Checkin 2 (mobile_malware.rules)
  2811765 - ETPRO MOBILE_MALWARE Android PUP Wodsha-E Checkin
(mobile_malware.rules)
  2811766 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(1Na4UFCkw1jwnU25bJSdmfKvxAfnCbumTG) (trojan.rules)
  2811767 - ETPRO TROJAN CoinMiner Known malicious stratum authline
(1Aif3YzbkpHRZJuRRvEVVFTodDMmLJjbN6.LCOMPUT) (trojan.rules)
  2811768 - ETPRO TROJAN CoinMiner Known malicious stratum authline
2015-07-01 (trojan.rules)
  2811769 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(dXNlcjM6VUI5N2FkMg==) (trojan.rules)
  2811770 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(a2VuYWJsb0Bob3RtYWlsLmNvbV8xOk4xOTkw) (trojan.rules)
  2811771 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(NDUxNjU6dUpmQ0Zj) (trojan.rules)
  2811772 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(d2hhdHN3cm9uZ19zdWJzOmtlbm5zdG5pY2h0) (trojan.rules)
  2811773 - ETPRO TROJAN MSIL/Kryptik Variant Keepalive (trojan.rules)
  2811774 - ETPRO TROJAN MSIL/Kryptik Variant Checkin (trojan.rules)
  2811775 - ETPRO TROJAN PoisonIvy Keepalive to CnC 189 (trojan.rules)

 [///]     Modified active rules:     [///]

  2807010 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.u Checkin
2 (mobile_malware.rules)
  2808613 - ETPRO MOBILE_MALWARE RemoteAdmin.AndroidOS.Wodsha.a
Checkin (mobile_malware.rules)
Francis Trudeau | 30 Jun 23:14 2015

Daily Ruleset Update Summary 2015/06/30

 [***] Summary: [***]

 2 new Open signatures, 20 new Pro (2 + 18).  Dridex, LockScreen.AVP,
AnimalFarm APT.

 Thanks:  Anthony Rodgers and @kafeine.

 [+++]          Added rules:          [+++]

 Open:

  2021370 - ET TROJAN Dridex SSL Cert 30 June 2015 (trojan.rules)
  2021371 - ET POLICY Possible External IP Lookup www.whatsmyip.us
(policy.rules)

 Pro:

  2811738 - ETPRO MALWARE Win32/Adload.hkra Checkin (malware.rules)
  2811739 - ETPRO MOBILE_MALWARE Android/Qysly.A Checkin (mobile_malware.rules)
  2811740 - ETPRO TROJAN LockScreen.AVP Downloader (trojan.rules)
  2811741 - ETPRO MOBILE_MALWARE Android/SMSreg.KU Checkin 3
(mobile_malware.rules)
  2811742 - ETPRO MALWARE Win32/TomorrowSoftware.Downloader PUP
Checkin (malware.rules)
  2811748 - ETPRO WEB_SPECIFIC_APPS GeniXCMS register.php SQLi Attempt
(web_specific_apps.rules)
  2811749 - ETPRO MALWARE W32.HfsAdware Checkin (malware.rules)
  2811750 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.ep Checkin
3 (mobile_malware.rules)
  2811751 - ETPRO TROJAN AnimalFarm APT Trojan CnC Beacon 2 (trojan.rules)
  2811752 - ETPRO TROJAN CoinMiner Known malicious stratum authline
2015-06-30 (trojan.rules)
  2811753 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(bWFjaG94dGFjb18xOnBlcnNpYW5vaw==) (trojan.rules)
  2811754 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(MTFkaWd6YW50QGdtYWlsLmNvbTppZGRxZDY4NA==) (trojan.rules)
  2811755 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(bTFuM3JfQTphYWEzcmVsaXRl) (trojan.rules)
  2811756 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(aG9sYWtvOTNfaG9sYWtvOTM6cmVkZmllbGQ=) (trojan.rules)
  2811757 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(dG9wdGVzdHMuMzp4) (trojan.rules)
  2811758 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(UXVhbnR1bVdoaXNrZXkuY29rZToxMjM0) (trojan.rules)
  2811759 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(MUZIajNhc2pMZHhjN0V1Y1l0cEFydkRITUhkZVdZTlVuTjp4) (trojan.rules)
  2811760 - ETPRO TROJAN Bitcoin miner known malicious basic auth
(cGFuZGE5MTFfcGFuZGFibHVlOnBhbmRhMQ==) (trojan.rules)

 [///]     Modified active rules:     [///]

  2020422 - ET TROJAN MultiPlug.J Checkin (trojan.rules)
  2021369 - ET CURRENT_EVENTS Possible Upatre or Dyre SSL Cert June 29
2015 (current_events.rules)

 [---]         Removed rules:         [---]

  2002932 - ET MALWARE CWS Related Installer (malware.rules)
  2021161 - ET POLICY External IP Lookup - whoer.net (policy.rules)
