[***] Summary: [***]

20 new Open rules, 25 new Pro (20/5). Winspy, Zeus, Torlocker, Operation Windigo.

Thanks: @MalwareMustDie and Kevin Ross

Emerging Threats would also like to thank ESET for their excellent write-up on Operation Windigo and for allowing us to publish the associated rules in our ruleset. http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf
[+++] Added rules: [+++]

Open:

2018264 - ET TROJAN Linux/Kimodin SSH backdoor activity (trojan.rules)
2018265 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018266 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018267 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018268 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018269 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018270 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018271 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018272 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018273 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018274 - ET TROJAN Perl/Calfbot C&C DNS request (trojan.rules)
2018275 - ET TROJAN Linux/Onimiki DNS trojan activity long format (Outbound) (trojan.rules)
2018276 - ET TROJAN Linux/Onimiki DNS trojan activity long format (Inbound) (trojan.rules)
2018290 - ET WEB_SERVER WEBSHELL CFM Shell Access (web_server.rules)
2018291 - ET TROJAN MultiThreat/Winspy.RAT Keep-Alive (flowbit set) (trojan.rules)
2018292 - ET TROJAN MultiThreat/Winspy.RAT Keep-Alive Server Response (trojan.rules)
2018293 - ET TROJAN MultiThreat/Winspy.RAT SMTP Data Exfiltration (trojan.rules)
2018294 - ET TROJAN MultiThreat/Winspy.RAT FTP File Download Command (trojan.rules)
2018295 - ET TROJAN Mal/Ransom-CE Connectivity Check (trojan.rules)
2018296 - ET TROJAN Zeus GameOver Checkin (trojan.rules)

Pro:

2807850 - ETPRO TROJAN Trojan/MSIL.bfsx Checkin (trojan.rules)
2807851 - ETPRO MOBILE_MALWARE Android/Nopoc.A Checkin (mobile_malware.rules)
2807852 - ETPRO MALWARE AdWare.Win32.ScreenSaver.ablp Checkin (malware.rules)
2807853 - ETPRO TROJAN TorLocker Downloading Tor (trojan.rules)
2807854 - ETPRO CURRENT_EVENTS SUSPICIOUS Non-SSL Tor Executable Download as (Observed in TorLocker) (current_events.rules)
[///] Modified active rules: [///]

2001306 - ET MALWARE Gator/Clarian Agent (malware.rules)
2013361 - ET CURRENT_EVENTS HTran/SensLiceld.A response to infected host (current_events.rules)
2016794 - ET CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command (current_events.rules)
2017417 - ET TROJAN Bladabindi/njrat CnC Keep-Alive (INBOUND) (trojan.rules)
2018019 - ET TROJAN Win32.WinSpy.pob Sending Data over SMTP (trojan.rules)
2018020 - ET TROJAN Win32.WinSpy.pob Sending Data over SMTP 2 (trojan.rules)
2807179 - ETPRO TROJAN Trojan.DownLoader10.36780 User-Agent (odin) (trojan.rules)
[///] Modified inactive rules: [///]

2009582 - ET SCAN NMAP -sS window 1024 (scan.rules)
2009583 - ET SCAN NMAP -sS window 3072 (scan.rules)
2009584 - ET SCAN NMAP -sS window 4096 (scan.rules)
[---] Disabled and modified rules: [---]

2807462 - ETPRO TROJAN Net-Worm.Win32.Koobface.ght Ping (trojan.rules)
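After a ruleset update it is worth checking that the added rules actually landed in the deployed rule files, that rules the changelog disabled are not still firing locally, and that entries from a ruleset you do not subscribe to (ETPRO SIDs when running Open only) are ignored rather than reported as missing. The script below is an added example and is not Emerging Threats code: it parses the changelog format used on this page (section banners, the Open:/Pro: sub-labels, and "SID - msg (file)" entries) and compares it with a local rules file. The CHANGELOG string is an excerpt of the entries listed above; the LOCAL_RULES string is a constructed stand-in for a deployed file whose rule bodies are placeholders, not ET's real detection content.

```python
"""Parse an Emerging Threats changelog excerpt and audit it against a local rules file."""
import re

# Excerpt of the changelog entries on this page (constructed sample input).
CHANGELOG = """\
[+++] Added rules: [+++]
Open:
2018264 - ET TROJAN Linux/Kimodin SSH backdoor activity (trojan.rules)
2018275 - ET TROJAN Linux/Onimiki DNS trojan activity long format (Outbound) (trojan.rules)
2018296 - ET TROJAN Zeus GameOver Checkin (trojan.rules)
Pro:
2807853 - ETPRO TROJAN TorLocker Downloading Tor (trojan.rules)
[///] Modified active rules: [///]
2016794 - ET CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command (current_events.rules)
[///] Modified inactive rules: [///]
2009582 - ET SCAN NMAP -sS window 1024 (scan.rules)
[---] Disabled and modified rules: [---]
2807462 - ETPRO TROJAN Net-Worm.Win32.Koobface.ght Ping (trojan.rules)
"""

# Constructed stand-in for a deployed rules file. Rule bodies are placeholders
# (no real ET detection content); only msg, sid and the leading '#' matter here.
LOCAL_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/Kimodin SSH backdoor activity"; sid:2018264; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Linux/Onimiki DNS trojan activity long format (Outbound)"; sid:2018275; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command"; sid:2016794; rev:3;)
# alert tcp any any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 1024"; sid:2009582; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ETPRO TROJAN Net-Worm.Win32.Koobface.ght Ping"; sid:2807462; rev:2;)
"""

# "[+++] Added rules: [+++]" style banners used by the ET changelog.
SECTION_RE = re.compile(r"^\[(?:\*\*\*|\+\+\+|///|---)\]\s*(.+?):\s*\[(?:\*\*\*|\+\+\+|///|---)\]$")
# "2018264 - ET TROJAN ... (trojan.rules)"; the greedy msg group keeps inner parentheses.
ENTRY_RE = re.compile(r"^(\d+) - (.+) \(([\w.]+\.rules)\)$")
# sid keyword inside a Snort/Suricata rule line.
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_changelog(text):
    """Return a list of dicts (sid, msg, file, section, ruleset) for each changelog entry."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not line or line in ("Open:", "Pro:"):
            continue  # sub-labels are redundant: ETPRO messages carry their own prefix
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised changelog line: {line!r}")
        sid, msg, rules_file = int(m.group(1)), m.group(2), m.group(3)
        entries.append({"sid": sid, "msg": msg, "file": rules_file, "section": section,
                        "ruleset": "pro" if msg.startswith("ETPRO ") else "open"})
    return entries


def load_local_sids(text):
    """Map sid -> True if the rule line is active, False if it is commented out."""
    state = {}
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m:
            state[int(m.group(1))] = not line.lstrip().startswith("#")
    return state


def audit(entries, local, subscribed=("open",)):
    """Compare changelog entries with the local ruleset.

    missing        rules from a subscribed ruleset that are absent locally
    present        (sid, active) for rules found locally
    still_enabled  rules the changelog disabled that are still active locally
    skipped        entries from a ruleset we do not subscribe to
    """
    report = {"missing": [], "present": [], "still_enabled": [], "skipped": []}
    for e in entries:
        if e["ruleset"] not in subscribed:
            report["skipped"].append(e["sid"])
            continue
        active = local.get(e["sid"])
        if active is None:
            report["missing"].append(e["sid"])
            continue
        report["present"].append((e["sid"], active))
        if e["section"].startswith("Disabled") and active:
            report["still_enabled"].append(e["sid"])
    return report


if __name__ == "__main__":
    entries = parse_changelog(CHANGELOG)
    result = audit(entries, load_local_sids(LOCAL_RULES), subscribed=("open", "pro"))
    for key, value in result.items():
        print(f"{key:14s} {value}")
```

Run against a real update, replace the two strings with the changelog text and the contents of your deployed rules directory; "Modified inactive rules" entries are expected to show up as present but inactive, since ET ships them commented out.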

Date: Monday, March 17, 2014 - 22:00