Daily Ruleset Update Summary 2016/11/08

[***] Summary: [***]

9 new Open signatures, 48 new Pro (9 + 39). Patch Tuesday, Tinba, Gozi, AVTECH IP Camera Vulnerability.

Thanks: Waldo Kitty & @abuse_ch.

Patch Tuesday Coverage:

Multiple CVE->2823135
Multiple CVE->2823136
CVE-2016-3340->2823137
CVE-2016-3342->2823138
CVE-2016-3343->2823139
CVE-2016-7195->2823140
CVE-2016-7196->2823141
CVE-2016-7198->2823142
CVE-2016-7200->2823143
CVE-2016-7201->2823144
CVE-2016-7202->2823145
CVE-2016-7203->2823146
CVE-2016-7204->2823147
CVE-2016-7214->2823148
CVE-2016-7215->2823149
CVE-2016-7217->2823150
CVE-2016-7217->2823151
CVE-2016-7218->2823152
CVE-2016-7221->2823153
CVE-2016-7224->2823154
CVE-2016-7225->2823155
CVE-2016-7226->2823156
CVE-2016-7227->2823157
CVE-2016-7228->2823158
CVE-2016-7240->2823159
CVE-2016-7241->2823160
CVE-2016-7242->2823161
CVE-2016-7246->2823162
CVE-2016-7250->2823163
CVE-2016-7250->2823164

[+++]          Added rules:          [+++]

Open:

2023486 - ET TROJAN Sednit/APT28/Sofacy Delphocy CnC Beacon (trojan.rules)
2023487 - ET CURRENT_EVENTS Successful Tesco Bank Phish M1 Nov 08 2016 (current_events.rules)
2023488 - ET CURRENT_EVENTS Successful Tesco Bank Phish M2 Nov 08 2016 (current_events.rules)
2023489 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (trojan.rules)
2023490 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (trojan.rules)
2023491 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (trojan.rules)
2023492 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (trojan.rules)
2023493 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (trojan.rules)
2023494 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (trojan.rules)

Pro:

2823135 - ETPRO EXPLOIT Possible CLFS.sys File Load Vulnerability (Multiple CVE) (exploit.rules)
2823136 - ETPRO EXPLOIT Possible CLFS.sys File Load Vulnerability (Multiple CVE) (exploit.rules)
2823137 - ETPRO EXPLOIT Possible CLFS.sys File Load Vulnerability (CVE-2016-3340) (exploit.rules)
2823138 - ETPRO EXPLOIT Possible CLFS.sys File Load Vulnerability (CVE-2016-3342) (exploit.rules)
2823139 - ETPRO EXPLOIT Possible CLFS.sys File Load Vulnerability (CVE-2016-3343) (exploit.rules)
2823140 - ETPRO EXPLOIT Microsoft Internet Explorer Null Character Classid RCE (CVE-2016-7195) (exploit.rules)
2823141 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Use After Free Vulnerability (CVE-2016-7196) (web_client.rules)
2823142 - ETPRO WEB_CLIENT Possible Microsoft Edge edgehtml Memory Corruption (CVE-2016-7198) (web_client.rules)
2823143 - ETPRO WEB_CLIENT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200) (web_client.rules)
2823144 - ETPRO WEB_CLIENT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7201) (web_client.rules)
2823145 - ETPRO WEB_CLIENT Possible Microsoft Edge Buffer Overflow (CVE-2016-7202) (web_client.rules)
2823146 - ETPRO WEB_CLIENT Possible Microsoft Edge Chakra.dll Heap Overflow (CVE-2016-7203) (web_client.rules)
2823147 - ETPRO WEB_CLIENT Possible Microsoft Edge File Disclosure Vulnerablity (CVE-2016-7204) (web_client.rules)
2823148 - ETPRO EXPLOIT Possible Win32k UAF Information Disclosure Exe Inbound (CVE-2016-7214) (exploit.rules)
2823149 - ETPRO EXPLOIT Possible Win32k Elevation of Privilege Exe Inbound (CVE-2016-7215) (exploit.rules)
2823150 - ETPRO WEB_CLIENT Possible Microsoft Edge Buffer Overflow (CVE-2016-7217) M1 (web_client.rules)
2823151 - ETPRO WEB_CLIENT Possible Microsoft Edge Buffer Overflow (CVE-2016-7217) M2 (web_client.rules)
2823152 - ETPRO EXPLOIT Possible Browser.sys Information Disclosure Exe Inbound (CVE-2016-7218) (exploit.rules)
2823153 - ETPRO EXPLOIT Possible Windows 10 CoCreateInstance Elevation of Privilege (CVE-2016-7221) (exploit.rules)
2823154 - ETPRO EXPLOIT Possible Windows 10 VHDMP ZwOpenFile Vulnerability (CVE-2016-7224) (exploit.rules)
2823155 - ETPRO EXPLOIT Possible Windows 10 VHDMP ZwDeleteFile Vulnerability (CVE-2016-7225) (exploit.rules)
2823156 - ETPRO EXPLOIT Possible Windows 10 VHDMP ZwCreateFile Vulnerability (CVE-2016-7226) (exploit.rules)
2823157 - ETPRO WEB_CLIENT Microsoft Internet Explorer 11 Windows 10 Information Disclosure (CVE-2016-7227) (web_client.rules)
2823158 - ETPRO WEB_CLIENT Microsoft Excel corrupted incorrect COLINFO record download (CVE-2016-7228) (web_client.rules)
2823159 - ETPRO WEB_CLIENT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7240) (web_client.rules)
2823160 - ETPRO WEB_CLIENT Possible Microsoft Edge JSON.parse RCE (CVE-2016-7241) (web_client.rules)
2823161 - ETPRO WEB_CLIENT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7242) (web_client.rules)
2823162 - ETPRO EXPLOIT Possible CLFS.sys File Load Vulnerability (CVE-2016-7246) (exploit.rules)
2823163 - ETPRO EXPLOIT Possible UNC Path in Vulnerable SQL Query (CVE-2016-7250) (exploit.rules)
2823164 - ETPRO EXPLOIT Possible UNC Path in Vulnerable SQL Query (CVE-2016-7250) (exploit.rules)
2823165 - ETPRO TROJAN Win32/RediModiUpd CnC Checkin (trojan.rules)
2823166 - ETPRO TROJAN Unknown Banker CnC Checkin (trojan.rules)
2823167 - ETPRO EXPLOIT AVTECH IP Camera Auth Bypass Vulnerablity (2016-10-11) (exploit.rules)
2823168 - ETPRO EXPLOIT AVTECH IP Camera Unauthenticated CGI Dir Vulnerablity (exploit.rules)
2823169 - ETPRO TROJAN Mocker Retrieving Payload (trojan.rules)
2823170 - ETPRO CURRENT_EVENTS MalDoc Requesting Payload Nov 08 (current_events.rules)
2823171 - ETPRO CURRENT_EVENTS MalDoc Payload Inbound Nov 08 (current_events.rules)
2823172 - ETPRO TROJAN Tinba Variant Checkin (trojan.rules)
2823173 - ETPRO CURRENT_EVENTS Evil Redirector Leading to EK Keitaro TDS Nov 01 2016 (current_events.rules)

[///]     Modified active rules:     [///]

2014726 - ET POLICY Outdated Windows Flash Version IE (policy.rules)
2023333 - ET TROJAN Linux.Mirai Login Attempt (xc3511) (trojan.rules)
2023430 - ET TROJAN Possible Linux.Mirai Login Attempt (1111111) (trojan.rules)
2023431 - ET TROJAN Possible Linux.Mirai Login Attempt (54321) (trojan.rules)
2023432 - ET TROJAN Possible Linux.Mirai Login Attempt (666666) (trojan.rules)
2023433 - ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0admin) (trojan.rules)
2023434 - ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) (trojan.rules)
2023435 - ET TROJAN Possible Linux.Mirai Login Attempt (888888) (trojan.rules)
2023436 - ET TROJAN Possible Linux.Mirai Login Attempt (anko) (trojan.rules)
2023437 - ET TROJAN Possible Linux.Mirai Login Attempt (dreambox) (trojan.rules)
2023438 - ET TROJAN Possible Linux.Mirai Login Attempt (fucker) (trojan.rules)
2023439 - ET TROJAN Possible Linux.Mirai Login Attempt (hi3518) (trojan.rules)
2023440 - ET TROJAN Possible Linux.Mirai Login Attempt (ikwb) (trojan.rules)
2023441 - ET TROJAN Possible Linux.Mirai Login Attempt (juantech) (trojan.rules)
2023442 - ET TROJAN Possible Linux.Mirai Login Attempt (jvbzd) (trojan.rules)
2023443 - ET TROJAN Possible Linux.Mirai Login Attempt (klv123) (trojan.rules)
2023444 - ET TROJAN Possible Linux.Mirai Login Attempt (klv1234) (trojan.rules)
2023445 - ET TROJAN Possible Linux.Mirai Login Attempt (meinsm) (trojan.rules)
2023446 - ET TROJAN Possible Linux.Mirai Login Attempt (realtek) (trojan.rules)
2023447 - ET TROJAN Possible Linux.Mirai Login Attempt (service) (trojan.rules)
2023448 - ET TROJAN Possible Linux.Mirai Login Attempt (ubnt) (trojan.rules)
2023449 - ET TROJAN Possible Linux.Mirai Login Attempt (vizxv) (trojan.rules)
2023450 - ET TROJAN Possible Linux.Mirai Login Attempt (xmhdipc) (trojan.rules)
2023451 - ET TROJAN Possible Linux.Mirai Login Attempt (zlxx) (trojan.rules)
2023452 - ET TROJAN Possible Linux.Mirai Login Attempt (Zte521) (trojan.rules)
2812067 - ETPRO TROJAN SOGU DNS CnC Channel TXT Lookup (trojan.rules)
2822738 - ETPRO TROJAN MSIL/Exotic CnC Checkin (trojan.rules)

[---]         Removed rules:         [---]

2815248 - ETPRO CURRENT_EVENTS Successful Paypal Phish Dec 8 M2 (current_events.rules)

Date: Tuesday, November 8, 2016 - 00:00