List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] [Emerging-updates] Daily Ruleset Update Summary 2017/09/18
From:       Francis Trudeau <ftrudeau () emergingthreats ! net>
Date:       2017-09-19 5:03:59
Message-ID: CAA-Ja_7v5ygyXr-t5Y0A_iyHNSdGEig4dermOrKXA2NdvqDu3w () mail ! gmail ! com

We will look into this tomorrow. AFAIK we don't have coverage yet but I
could be wrong.

FT



On Sep 18, 2017 10:34 PM, "David Thomsen" <davidmthomsen@gmail.com> wrote:

> Good evening everyone,
>
> I was wondering if there were any Snort rules for the new Apache
> Optionsbleed HTTP OPTIONS method leak (CVE-2017-9798)?
>
> Sent from my iPhone
>
> On Sep 18, 2017, at 18:15, Travis Green <tgreen@emergingthreats.net>
> wrote:
>
> [***]            Summary:            [***]
>
> 13 new Open, 31 new Pro (13 + 18). CCleaner Backdoor DGA, Lucifer Loader,
> Various Phishing, Mobile.
>
>
> [+++]          Added rules:          [+++]
>
> Open:
>
>  2024707 - ET CURRENT_EVENTS Possible Apple Phishing Landing - Title over
> non SSL (current_events.rules)
>  2024708 - ET TROJAN CCleaner Backdoor DGA Feb 2017 (trojan.rules)
>  2024709 - ET TROJAN CCleaner Backdoor DGA Mar 2017 (trojan.rules)
>  2024710 - ET TROJAN CCleaner Backdoor DGA Apr 2017 (trojan.rules)
>  2024711 - ET TROJAN CCleaner Backdoor DGA May 2017 (trojan.rules)
>  2024712 - ET TROJAN CCleaner Backdoor DGA Jun 2017 (trojan.rules)
>  2024713 - ET TROJAN CCleaner Backdoor DGA Jul 2017 (trojan.rules)
>  2024714 - ET TROJAN CCleaner Backdoor DGA Aug 2017 (trojan.rules)
>  2024715 - ET TROJAN CCleaner Backdoor DGA Sep 2017 (trojan.rules)
>  2024716 - ET TROJAN CCleaner Backdoor DGA Oct 2017 (trojan.rules)
>  2024717 - ET TROJAN CCleaner Backdoor DGA Nov 2017 (trojan.rules)
>  2024718 - ET TROJAN CCleaner Backdoor DGA Dec 2017 (trojan.rules)
>  2024719 - ET TROJAN Lucifer Loader Requesting Payload (trojan.rules)
>
> Pro:
>
>  2827974 - ETPRO MOBILE_MALWARE Trojan-Dropper.AndroidOS.Hqwar.gen /
> BankBot Checkin (mobile_malware.rules)
>  2827975 - ETPRO CURRENT_EVENTS Successful Docusign Phish Sep 18 2017
> (current_events.rules)
>  2827976 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
> 209 (mobile_malware.rules)
>  2827977 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
> 210 (mobile_malware.rules)
>  2827978 - ETPRO TROJAN PE EXE Windows File Hex Text Download
> (trojan.rules)
>  2827979 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
> 211 (mobile_malware.rules)
>  2827980 - ETPRO TROJAN Unknown CnC Activity (trojan.rules)
>  2827981 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
> 212 (mobile_malware.rules)
>  2827982 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
> 213 (mobile_malware.rules)
>  2827983 - ETPRO CURRENT_EVENTS Successful Generic Phish Sep 18 2017
> (current_events.rules)
>  2827984 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
> 214 (mobile_malware.rules)
>  2827985 - ETPRO MALWARE Observed Malicious SSL Cert (Adware/PUP
> Installer) (malware.rules)
>  2827986 - ETPRO TROJAN Observed CoinMiner Downloader in SNI via SSL
> (trojan.rules)
>  2827987 - ETPRO TROJAN MSIL.GuFran EXE DL (trojan.rules)
>  2827988 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin
> 215 (mobile_malware.rules)
>  2827989 - ETPRO TROJAN Malicious Miner Downloading CoinMiner Binary M2
> (trojan.rules)
>  2827990 - ETPRO TROJAN Malicious Miner Downloading CoinMiner
> Configuration M2 (trojan.rules)
>  2827991 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL)
> (current_events.rules)
>
>
> [///]     Modified active rules:     [///]
>
>  2012849 - ET POLICY Possible Mobile Malware POST of IMSI International
> Mobile Subscriber Identity in URI (policy.rules)
>  2019158 - ET TROJAN Possible Malicious Invoice EXE (trojan.rules)
>  2816313 - ETPRO CURRENT_EVENTS Chalbhai Phishing Landing Feb 18
> (current_events.rules)
>  2823937 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) Dec 16 2016
> (current_events.rules)
>  2823949 - ETPRO TROJAN Malicious Miner Downloading CoinMiner Binary M1
> (trojan.rules)
>  2823950 - ETPRO TROJAN Malicious Miner Downloading CoinMiner
> Configuration M1 (trojan.rules)
>
>
> --
> PGP: 0xBED7B297
> <https://pgp.mit.edu/pks/lookup?op=get&search=0x6B68453CBED7B297>
>
> _______________________________________________
> Emerging-updates mailing list
> Emerging-updates@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-updates
>
>


_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs