[***] Summary: [***]

5 new Open signatures, 18 new Pro (5+13). ABUSE.CH SSL Blacklist, PCRat/Gh0st, Various Android.

Thanks: @rmkml and @abuse_ch

[+++] Added rules: [+++]

Open:

2019079 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
2019080 - ET TROJAN Windows arp -a Microsoft Windows DOS prompt command exit OUTBOUND (trojan.rules)
2019081 - ET TROJAN Windows set Microsoft Windows DOS prompt command exit OUTBOUND (trojan.rules)
2019082 - ET TROJAN Windows route Microsoft Windows DOS prompt command exit OUTBOUND (trojan.rules)
2019083 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 41 (trojan.rules)

Pro:

2808683 - ETPRO TROJAN Win32/VB.VX Checkin (trojan.rules)
2808684 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Talp.a Checkin (mobile_malware.rules)
2808685 - ETPRO TROJAN Carbon FormGrabber/Retgate.A Checkin (trojan.rules)
2808686 - ETPRO TROJAN WIN32.AGENT.ADRNK Checkin FTP (trojan.rules)
2808687 - ETPRO TROJAN Trojan.Win32.Jorik.IRCbot USER command (trojan.rules)
2808688 - ETPRO TROJAN Win32/Dynamer Checkin (trojan.rules)
2808689 - ETPRO TROJAN Win32/Kaaneut.A Callback (trojan.rules)
2808690 - ETPRO MOBILE_MALWARE DroidKungFu Checkin 4 (mobile_malware.rules)
2808691 - ETPRO POLICY Showmypc.com remote access (SSH Futty) (policy.rules)
2808692 - ETPRO TROJAN Win32.Hyteod Checkin (trojan.rules)
2808693 - ETPRO TROJAN Win32.Rogue Checkin (trojan.rules)
2808694 - ETPRO TROJAN Win32.Hyteod Checkin Response (trojan.rules)
2808695 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.SpamSold.a Checkin (mobile_malware.rules)

[+++] Enabled rules: [+++]

2010909 - ET TROJAN Arucer Command Execution (trojan.rules)
2010910 - ET TROJAN Arucer DIR Listing (trojan.rules)
2010911 - ET TROJAN Arucer WRITE FILE command (trojan.rules)
2010912 - ET TROJAN Arucer READ FILE Command (trojan.rules)
2010914 - ET TROJAN Arucer FIND FILE Command (trojan.rules)
2010915 - ET TROJAN Arucer YES Command (trojan.rules)
2010916 - ET TROJAN Arucer ADD RUN ONCE Command (trojan.rules)
2010917 - ET TROJAN Arucer DEL FILE Command (trojan.rules)

[+++] Enabled and modified rules: [+++]

2012045 - ET EXPLOIT VMware Tools Update OS Command Injection Attempt (exploit.rules)
2014153 - ET CURRENT_EVENTS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA (current_events.rules)

[///] Modified active rules: [///]

2008052 - ET MALWARE User-Agent (Internet Explorer) (malware.rules)
2010621 - ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts) (web_server.rules)
2010667 - ET WEB_SERVER /bin/bash In URI, Possible Shell Command Execution Attempt Within Web Exploit (web_server.rules)
2010698 - ET WEB_SERVER Possible D-Link Router HNAP Protocol Security Bypass Attempt (web_server.rules)
2010720 - ET WEB_SERVER PHP Scan Precursor (web_server.rules)
2010872 - ET TROJAN Pragma hack Detected Outbound - Likely Infected Source (trojan.rules)
2010954 - ET SCAN crimscanner User-Agent detected (scan.rules)
2010956 - ET SCAN Skipfish Web Application Scan Detected (2) (scan.rules)
2011028 - ET SCAN HZZP Scan in Progress calc in Headers (scan.rules)
2011088 - ET SCAN Possible DavTest WebDav Vulnerability Scanner Initial Check Detected (scan.rules)
2011124 - ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced) (malware.rules)
2011174 - ET WEB_SERVER SQL Injection Attempt (Agent CZxt2s) (web_server.rules)
2011175 - ET WEB_SERVER Casper Bot Search RFI Scan (web_server.rules)
2011243 - ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like, planetwork) (web_server.rules)
2011285 - ET WEB_SERVER Bot Search RFI Scan (Casper-Like, Jcomers Bot scan) (web_server.rules)
2011389 - ET SCAN w3af Scan Remote File Include Retrieval (scan.rules)
2011390 - ET SCAN Nikto Scan Remote File Include Retrieval (scan.rules)
2011720 - ET SCAN Possible WafWoof Web Application Firewall Detection Scan (scan.rules)
2011767 - ET TROJAN Avzhan DDOS Bot Inbound Hardcoded Malformed GET Request Denial Of Service Attack Detected (trojan.rules)
2011821 - ET CURRENT_EVENTS User-Agent used in known DDoS Attacks Detected outbound (current_events.rules)
2011822 - ET CURRENT_EVENTS User-Agent used in known DDoS Attacks Detected inbound (current_events.rules)
2011823 - ET CURRENT_EVENTS User-Agent used in known DDoS Attacks Detected outbound 2 (current_events.rules)
2011824 - ET CURRENT_EVENTS User-Agent used in known DDoS Attacks Detected inbound 2 (current_events.rules)
2011887 - ET SCAN Medusa User-Agent (scan.rules)
2011915 - ET SCAN DotDotPwn User-Agent (scan.rules)
2011966 - ET CURRENT_EVENTS Trojan downloader (AS8514) (current_events.rules)
2011968 - ET CURRENT_EVENTS Trojan Banker (AS33182) (current_events.rules)
2011980 - ET CURRENT_EVENTS Suspicious executable download possible Ircbrute Trojan (current_events.rules)
2011981 - ET CURRENT_EVENTS Suspicious executable download possible Eleonore Exploit Pack / Trojan Brebolab (current_events.rules)
2011982 - ET CURRENT_EVENTS Suspicious executable download possible Trojan Ransom.AM (current_events.rules)
2011983 - ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Trojan (current_events.rules)
2011984 - ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Rogue Antivirus MalvRem (current_events.rules)
2011985 - ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Rogue Antivirus avdistr (current_events.rules)
2011986 - ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Rogue Antivirus RunAV (current_events.rules)
2011990 - ET CURRENT_EVENTS Suspicious executable download possible Rogue AV (installer.xxxx.exe) (current_events.rules)
2011995 - ET CURRENT_EVENTS invoice.scr download most likely a TROJAN (current_events.rules)
2011999 - ET TROJAN Trojan.Spy.YEK MAC and IP POST (trojan.rules)
2012101 - ET EXPLOIT Oracle Virtual Server Agent Command Injection Attempt (exploit.rules)
2012116 - ET WEB_SERVER DD-WRT Information Disclosure Attempt (web_server.rules)
2012117 - ET WEB_SERVER Successful DD-WRT Information Disclosure (web_server.rules)
2012150 - ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS in URI (web_server.rules)
2012286 - ET WEB_SERVER Automated Site Scanning for backupdata (web_server.rules)
2012287 - ET WEB_SERVER Automated Site Scanning for backup_data (web_server.rules)
2012586 - ET TROJAN Suspicious User-Agent Im Luo (trojan.rules)
2013170 - ET CURRENT_EVENTS HTTP Request to a *.cu.cc domain (current_events.rules)
2804240 - ETPRO TROJAN TrojanDownloader.Win32/Delf.NK (trojan.rules)
2804288 - ETPRO TROJAN Win32/OnLineGames.NM Install (trojan.rules)
2804301 - ETPRO TROJAN Win32/TrojanDownloader.Banload.QOM Checkin (trojan.rules)
2804317 - ETPRO TROJAN TrojanDownloader.Win32/Banload.ACI Checkin (trojan.rules)
2804400 - ETPRO TROJAN Win32/DelpBanc.A Checkin (trojan.rules)
2804414 - ETPRO TROJAN TrojanDropper.Win32/Agent.KA Checkin (trojan.rules)
2804423 - ETPRO TROJAN TrojanDownloader.Win32/Banload.ACK receiving config (trojan.rules)
2804457 - ETPRO TROJAN TrojanSpy.Win32/Bancos.gen!A sending info via smtp (trojan.rules)
2804460 - ETPRO TROJAN Infostealer.Onlinegame Checkin (trojan.rules)
2804565 - ETPRO TROJAN TrojanDropper.Win32/Buzus.B Checkin (trojan.rules)
2804642 - ETPRO TROJAN Trojan.Win32.Buzus.jytd Checkin (trojan.rules)
2804678 - ETPRO MALWARE Spyware.Known_Bad_Sites Install (malware.rules)
2804752 - ETPRO TROJAN Trojan-Banker.Win32.Banker2.bwv Checkin (trojan.rules)
2804881 - ETPRO TROJAN Trojan.Agent-275138 Checkin (trojan.rules)
2804885 - ETPRO TROJAN Win32/TrojanDownloader.Banload.QYJ Checkin (trojan.rules)
2808624 - ETPRO TROJAN Password Stealer PWS.Y!B2F Checkin 1 (trojan.rules)

[///] Modified inactive rules: [///]

2010721 - ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Outbound (user_agents.rules)
2010722 - ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound (user_agents.rules)

[---] Disabled and modified rules: [---]

2011759 - ET WEB_SERVER TIEHTTP User-Agent (web_server.rules)

[---] Disabled rules: [---]

2010913 - ET TROJAN Arucer NOP Command (trojan.rules)

[---] Removed rules: [---]

2000900 - ET P2P JoltID Agent Probing or Announcing UDP (p2p.rules)
2000901 - ET P2P JoltID Agent Communicating TCP (p2p.rules)
2001015 - ET P2P JoltID Agent Keep-Alive (p2p.rules)
2001654 - ET P2P JoltID Agent Requesting File (p2p.rules)
2010706 - ET USER_AGENTS Internet Explorer 6 in use - Significant Security Risk (user_agents.rules)
2010797 - ET POLICY Twitter Status Update (policy.rules)
2010815 - ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud (policy.rules)
2011233 - ET TROJAN Troxen GetSpeed Request (trojan.rules)
2011416 - ET TROJAN General Trojan FakeAV Downloader (trojan.rules)
2011897 - ET CURRENT_EVENTS vb exploits / trojan vietshow (current_events.rules)
2011899 - ET CURRENT_EVENTS Trojan perflogger ~duydati/inst_PCvw.exe (current_events.rules)
2011901 - ET CURRENT_EVENTS Hacked server to exploits ~rio1/admin/login.php (current_events.rules)
2011902 - ET CURRENT_EVENTS Phishing ~mbscom/moneybookers/app/login/login.html (current_events.rules)
2011903 - ET CURRENT_EVENTS iframe Phoenix Exploit & ZBot vt073pd/photo.exe (current_events.rules)
2011904 - ET CURRENT_EVENTS fast flux rogue antivirus download.php?id=2004 (current_events.rules)
2011905 - ET CURRENT_EVENTS exploit kit x/index.php?s=dexc (current_events.rules)
2011907 - ET CURRENT_EVENTS exploit kit x/l.php?s=dexc (current_events.rules)
2011908 - ET CURRENT_EVENTS exploit kit x/exe.php?x=mdac (current_events.rules)
2011909 - ET CURRENT_EVENTS trojan renos Flash.HD.exe (current_events.rules)
2011916 - ET CURRENT_EVENTS SEO/Malvertising Executable Landing exe2.php (current_events.rules)
2011919 - ET CURRENT_EVENTS FAKEAV Gemini - packupdate*.exe download (current_events.rules)
2011951 - ET CURRENT_EVENTS DRIVEBY SEO Client Exploited By SMB/JavaWebStart (current_events.rules)
2011952 - ET CURRENT_EVENTS DRIVEBY SEO Client Exploited By PDF (current_events.rules)
2011953 - ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious jjar.jar (current_events.rules)
2011954 - ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious loadjjar.php (current_events.rules)
2011955 - ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious lib.pdf (current_events.rules)
2011956 - ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious loadpeers.php (current_events.rules)
2011958 - ET CURRENT_EVENTS DRIVEBY SEO Obfuscated JavaScript desttable (current_events.rules)
2011959 - ET CURRENT_EVENTS DRIVEBY SEO Obfuscated JavaScript srctable (current_events.rules)
2011993 - ET CURRENT_EVENTS ProFTPD Backdoor outbound Request Sent (current_events.rules)
2012156 - ET WEB_CLIENT Possible Adobe Reader 9.4 doc.printSeps Memory Corruption Attempt (web_client.rules)
2012275 - ET CURRENT_EVENTS Post Express Inbound SPAM (possible Spyeye) (current_events.rules)
2012301 - ET TROJAN Potential Trojan dropper Wlock.A (AS1680) (trojan.rules)
2012332 - ET CURRENT_EVENTS Possible Fast Flux Trojan Rogue Antivirus (current_events.rules)
2012410 - ET MOBILE_MALWARE DroidDream Android Trojan info upload (mobile_malware.rules)
2012447 - ET TROJAN Possible Fast Flux Rogue Antivirus (trojan.rules)
2012450 - ET MOBILE_MALWARE Android Trojan HongTouTou Command and Control Communication (mobile_malware.rules)
2012538 - ET CURRENT_EVENTS Possible Zbot Trojan (current_events.rules)
2012539 - ET CURRENT_EVENTS Possible Rogue Antivirus (current_events.rules)
2012540 - ET CURRENT_EVENTS Possible Win32 Backdoor Poison (current_events.rules)
2012685 - ET CURRENT_EVENTS Win32/CazinoSilver Download VegasVIP_setup.exe (current_events.rules)
2012688 - ET CURRENT_EVENTS Potential Blackhole Exploit Pack landing (current_events.rules)
2012802 - ET MALWARE Spoofed MSIE 8 User-Agent Likely Ponmocup (malware.rules)
2013406 - ET POLICY SSL MiTM Vulnerable or EOL iOS 3.x device (policy.rules)
2013407 - ET POLICY SSL MiTM Vulnerable or EOL iOS 4.x device (policy.rules)
2013753 - ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-2 (trojan.rules)
2013754 - ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-2 (trojan.rules)
2014041 - ET WORM AirOS .css Worm Outbound Propagation Sweep (worm.rules)
2014042 - ET WORM AirOS admin.cgi/css Exploit Attempt (worm.rules)
2019041 - ET CURRENT_EVENTS Possible Upatre SSL Cert ara-photos.net (current_events.rules)
2019066 - ET CURRENT_EVENTS Possible Upatre SSL Cert slmp-550-105.slc.westdc.net (current_events.rules)
2800490 - ETPRO WEB_CLIENT Mozilla Network Security Services Regexp Heap Overflow (web_client.rules)
2808625 - ETPRO TROJAN Password Stealer PWS.Y!B2F Checkin 2 (trojan.rules)
