List: emerging-sigs
Subject: Re: [Emerging-Sigs] [Etpro-sigs] Daily Ruleset Update Summary 09/29/2014
From: Darien Huss <dhuss () emergingthreats ! net>
Date: 2014-09-30 12:05:02
Message-ID: CAKcCgkVcJCFvD0mHk1BP_isjHuw3R7LhBFzBwiuzeqrQMX8+hg () mail ! gmail ! com
Also, thanks Kevin Ross for sids 2019294-2019304!
On Mon, Sep 29, 2014 at 6:51 PM, Francis Trudeau <ftrudeau@emergingthreats.net> wrote:
> [***] Summary: [***]
>
> 27 new Open signatures, 34 new Pro (27+7). ShellshockCampaign, Sourtoff, Job314 EK.
>
> Thanks: Markus Manzke, rmkml, @EKwatcher, @abuse_ch and @kafeine.
>
> [+++] Added rules: [+++]
>
> Open:
>
> 2019291 - ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF (web_server.rules)
> 2019292 - ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF (web_server.rules)
> 2019293 - ET EXPLOIT Possible Qmail CVE-2014-6271 Mail From attempt (exploit.rules)
> 2019294 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Reporting IP (trojan.rules)
> 2019295 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Get Bot IP CnC Server Message (trojan.rules)
> 2019296 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Ping CnC Server Message (trojan.rules)
> 2019297 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Scanner CnC Server Message (trojan.rules)
> 2019298 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Execute Shell Command CnC Server Message (trojan.rules)
> 2019299 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Random Byte Flood CnC Server Message (trojan.rules)
> 2019300 - ET TROJAN Linux/ShellshockCampaign.DDOSBot UDP Flood CnC Server Message (trojan.rules)
> 2019301 - ET TROJAN Linux/ShellshockCampaign.DDOSBot TCP Flood CnC Server Message (trojan.rules)
> 2019302 - ET TROJAN Linux/ShellshockCampaign.DDOSBot HOLD TCP Flood CnC Server Message (trojan.rules)
> 2019303 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Kill Attack CnC Server Message (trojan.rules)
> 2019304 - ET TROJAN Linux/ShellshockCampaign.DDOSBot Terminate Process CnC Server Message (trojan.rules)
> 2019305 - ET TROJAN Dyre SSL Cert 1 (trojan.rules)
> 2019306 - ET TROJAN Dyre SSL Cert 2 (trojan.rules)
> 2019307 - ET TROJAN Dyre SSL Cert 3 (trojan.rules)
> 2019308 - ET WEB_SERVER CURL Command Specifying Output in HTTP Headers (web_server.rules)
> 2019309 - ET WEB_SERVER WGET Command Specifying Output in HTTP Headers (web_server.rules)
> 2019310 - ET WEB_SERVER WGET Command Specifying Output in HTTP Headers (web_server.rules)
> 2019311 - ET CURRENT_EVENTS Upatre redirector GET Sept 29 2014 (current_events.rules)
> 2019312 - ET TROJAN Sourtoff Download Simda Request (trojan.rules)
> 2019313 - ET TROJAN Sourtoff Receiving Simda Payload (trojan.rules)
> 2019314 - ET WEB_SERVER Possible bash shell piped to dev udp Inbound to WebServer (web_server.rules)
> 2019315 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Sep 29 2014 (current_events.rules)
> 2019316 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC) (trojan.rules)
> 2019317 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC) (trojan.rules)
>
> Pro:
>
> 2808907 - ETPRO MALWARE W32.HfsAutoB Checkin (malware.rules)
> 2808908 - ETPRO MALWARE Win32.Adware.Bho.Szux Checkin (malware.rules)
> 2808909 - ETPRO TROJAN W32/Virtumonde.OQ HTTP Client Headers (trojan.rules)
> 2808910 - ETPRO TROJAN Trojan-Spy.MSIL.KeyLogger.babx Checkin (trojan.rules)
> 2808911 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.O Leaking Private Information (mobile_malware.rules)
> 2808912 - ETPRO TROJAN Win32/Hyteod Checkin (trojan.rules)
> 2808914 - ETPRO TROJAN Win32/Banker-LAR Dropping Files (trojan.rules)
>
>
> [///] Modified active rules: [///]
>
> 2017135 - ET CURRENT_EVENTS PHISH Remax - function Validate (current_events.rules)
> 2018194 - ET MALWARE Adware.iBryte.B Install (malware.rules)
> 2019282 - ET CURRENT_EVENTS BlackEnergy Possible SSL Cert Sept 26 2014 (current_events.rules)
> 2019285 - ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer (web_server.rules)
> 2019287 - ET CURRENT_EVENTS DRIVEBY Job314 EK Landing (current_events.rules)
> 2804505 - ETPRO MALWARE Riskware/Cheathappens Checkin (malware.rules)
> 2808881 - ETPRO TROJAN Flooder.LYI Checkin (trojan.rules)
>
>
> [---] Removed rules: [---]
>
> 2808745 - ETPRO TROJAN Win32/Battdil.B SSL Cert 1 (trojan.rules)
> 2808746 - ETPRO TROJAN Win32/Battdil.B SSL Cert 2 (trojan.rules)
> 2808749 - ETPRO TROJAN Win32/Battdil.B SSL Cert 3 (trojan.rules)
> _______________________________________________
> Etpro-sigs mailing list
> Etpro-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/etpro-sigs
>
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net