Daily Ruleset Update Summary 2017/02/14

[***] Summary: [***]

9 new Open signatures, 44 new Pro (9 Open + 35 Pro-only). Adobe MAPP, Bunitu, Dragon BR Banker.

Thanks: Shane Boissevain, @rmkml and @CERT_Polska_en.

Adobe CVE to ET SID mapping:

CVE-2017-2984 -> 2824933
CVE-2017-2984 -> 2824934
CVE-2017-2984 -> 2824935
CVE-2017-2986 -> 2824936
CVE-2017-2990 -> 2824937
CVE-2017-2990 -> 2824938
CVE-2017-2992 -> 2824939
CVE-2017-2991 -> 2824940

[+++]          Added rules:          [+++]

Open:

2023900 - ET INFO MP4 in HTTP Flowbit Set M3 (info.rules)
2023901 - ET TELNET busybox MEMES Hackers - Possible Brute Force Attack (telnet.rules)
2023902 - ET TROJAN Unknown Malicious SSL Cert 1 (trojan.rules)
2023903 - ET TROJAN Unknown Malicious SSL Cert 2 (trojan.rules)
2023904 - ET TROJAN Unknown Malicious SSL Cert 3 (trojan.rules)
2023905 - ET TROJAN Unknown Malicious SSL Cert 4 (trojan.rules)
2023906 - ET TROJAN Unknown Malicious SSL Cert 5 (trojan.rules)
2023907 - ET TROJAN Unknown Malicious SSL Cert 6 (trojan.rules)
2023908 - ET TROJAN Unknown Malicious SSL Cert 7 (trojan.rules)

Pro:

2824932 - ETPRO TROJAN Banker.Win32.Alreay SSL SNI (trojan.rules)
2824933 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M1 (CVE-2017-2984) (web_client.rules)
2824934 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M2 (CVE-2017-2984) (web_client.rules)
2824935 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M3 (CVE-2017-2984) (web_client.rules)
2824936 - ETPRO WEB_CLIENT Possible Adobe Flash FLV parsing OOB Memory Access (CVE-2017-2986) (web_client.rules)
2824937 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M1 (CVE-2017-2990) (web_client.rules)
2824938 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M2 (CVE-2017-2990) (web_client.rules)
2824939 - ETPRO EXPLOIT Flash Player Heap Overflow (CVE-2017-2992) (exploit.rules)
2824940 - ETPRO EXPLOIT Flash Player Memory Corruption (CVE-2017-2991) (exploit.rules)
2824941 - ETPRO TROJAN Observed Malicious JS Checkin (trojan.rules)
2824942 - ETPRO TROJAN Possible Observed Malicious JS Connectivity Check (trojan.rules)
2824943 - ETPRO TROJAN Win32.Bunitu DNS Lookup (trojan.rules)
2824944 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.san SMS/Contacts Exfil via SMTP (mobile_malware.rules)
2824945 - ETPRO MOBILE_MALWARE Android/Styricka.A Checkin 2 (mobile_malware.rules)
2824946 - ETPRO CURRENT_EVENTS Microsoft Live External Link Phishing Landing Feb 14 2017 (current_events.rules)
2824947 - ETPRO CURRENT_EVENTS Successful Microsoft Live External Link Phish Feb 14 2017 (current_events.rules)
2824948 - ETPRO TROJAN W32/Dragon BR Banker v1.x Checkin M1 (trojan.rules)
2824949 - ETPRO TROJAN W32/Dragon BR Banker v1.x Checkin M2 (trojan.rules)
2824950 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ay SMS Exfil via SMTP (mobile_malware.rules)
2824951 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.eg SMS Exfil via SMTP 2 (mobile_malware.rules)
2824952 - ETPRO TROJAN DNS Query to Cerber Domain (1nmrtq . top) (trojan.rules)
2824953 - ETPRO TROJAN DNS Query to Cerber Domain (1gnlsi . top) (trojan.rules)
2824954 - ETPRO TROJAN DNS Query to Cerber Domain (1cglxz . top) (trojan.rules)
2824955 - ETPRO TROJAN DNS Query to Cerber Domain (1ktjse . top) (trojan.rules)
2824956 - ETPRO TROJAN DNS Query to Cerber Domain (12umzf . top) (trojan.rules)
2824957 - ETPRO TROJAN DNS Query to Cerber Domain (1psts4 . top) (trojan.rules)
2824958 - ETPRO TROJAN VanToM RAT Checkin Response 2 (trojan.rules)
2824959 - ETPRO POLICY SmartEmailExtractor Checkin (policy.rules)
2824960 - ETPRO TROJAN MSIL/Unknown PWS CnC Checkin (trojan.rules)
2824961 - ETPRO TROJAN MSIL/Unknown PWS Data Exfil (trojan.rules)
2824962 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish to myjino.ru hosted domain Feb 14 2017 (current_events.rules)
2824963 - ETPRO CURRENT_EVENTS Unknown Phishing DNS Lookup (current_events.rules)
2824968 - ETPRO CURRENT_EVENTS Successful Excel Online Phish Feb 14 2017 (current_events.rules)
2824969 - ETPRO CURRENT_EVENTS Microsoft Live External Link Phishing Landing M2 Feb 14 2017 (current_events.rules)
2824970 - ETPRO CURRENT_EVENTS Successful Microsoft Live External Link Phish M2 Feb 14 2017 (current_events.rules)

[///]     Modified active rules:     [///]

2008052 - ET MALWARE User-Agent (Internet Explorer) (malware.rules)
2014726 - ET POLICY Outdated Windows Flash Version IE (policy.rules)
2021030 - ET TROJAN BePush/Kilim CnC Beacon (trojan.rules)
2815653 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Ewind.ao Checkin (mobile_malware.rules)
2823937 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) Dec 16 2016 (current_events.rules)
2824590 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.dj SMS Exfil via SMTP (mobile_malware.rules)
2824669 - ETPRO TROJAN APT.ChChes CnC Beacon 1 (trojan.rules)
2824670 - ETPRO TROJAN APT.ChChes CnC Beacon 2 (trojan.rules)

[---]         Removed rules:         [---]

2023529 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Malware CnC) (trojan.rules)
2023881 - ET CURRENT_EVENTS Possible Craigslist Phishing Domain Feb 07 2017 (current_events.rules)
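As an added example (not part of the Emerging Threats summary, and not ET code): a Python parser for this daily summary format, useful when these posts are consumed automatically to track CVE coverage or to disable rules that ET has retired. It re-joins a rule entry that the page layout wrapped onto two lines, checks the rules listed against the counts claimed on the Summary line, verifies that every CVE-to-SID mapping points at an added rule whose message names that CVE, and keeps the removed rules available for a local disable list. The input below is a constructed excerpt of the summary above with the Summary-line counts adjusted to match the excerpt; the function and field names are my own, and the line format assumed is the one this page uses (`<sid> - <ET|ETPRO> <CATEGORY> <msg> (<file>.rules)`).

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed excerpt of the summary above; counts adjusted to fit it, one Modified entry wrapped as on the page.
SAMPLE = """\
Daily Ruleset Update Summary 2017/02/14
[***] Summary: [***]
2 new Open signatures, 4 new Pro (2 + 2). Adobe MAPP.
CVE-2017-2984 -> 2824933
CVE-2017-2986 -> 2824936
[+++]          Added rules:          [+++]
Open:
2023900 - ET INFO MP4 in HTTP Flowbit Set M3 (info.rules)
2023902 - ET TROJAN Unknown Malicious SSL Cert 1 (trojan.rules)
Pro:
2824933 - ETPRO WEB_CLIENT Possible Adobe Flash MP4 parsing OOB Memory Access M1 (CVE-2017-2984) (web_client.rules)
2824936 - ETPRO WEB_CLIENT Possible Adobe Flash FLV parsing OOB Memory Access (CVE-2017-2986) (web_client.rules)
[///]     Modified active rules:     [///]
2008052 - ET MALWARE User-Agent (Internet Explorer) (malware.rules)
2824590 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.dj SMS
Exfil via SMTP (mobile_malware.rules)
[---]         Removed rules:         [---]
2023529 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Malware CnC) (trojan.rules)
"""

HEADER_RE = re.compile(r"^\[(?:\*{3}|\+{3}|/{3}|-{3})\]\s+([A-Za-z ]+?):\s+\[(?:\*{3}|\+{3}|/{3}|-{3})\]$")
RULE_RE = re.compile(r"^(\d+)\s+-\s+(ET|ETPRO)\s+([A-Z_]+)\s+(.*?)\s+\(([\w.]+\.rules)\)$")
SID_START_RE = re.compile(r"^\d+\s+-\s")          # a rule line begins "<sid> - "
CVE_RE = re.compile(r"^(CVE-\d{4}-\d{4,})\s+->\s+(\d+)$")
CLAIM_RE = re.compile(r"(\d+) new Open signatures, (\d+) new Pro \((\d+) \+ (\d+)\)")
SECTIONS = {"Summary": "summary", "Added rules": "added",
            "Modified active rules": "modified", "Removed rules": "removed"}
Rule = namedtuple("Rule", "sid family category msg rulefile cves")   # family: ET (Open) or ETPRO

@dataclass
class Summary:
    title: str = ""
    claimed: dict = field(default_factory=dict)   # counts stated on the Summary line
    cve_map: dict = field(default_factory=dict)   # CVE -> [sid, ...]
    added_open: list = field(default_factory=list)
    added_pro: list = field(default_factory=list)
    modified: list = field(default_factory=list)
    removed: list = field(default_factory=list)

def _logical_lines(text):
    pending = None   # a SID line that has not yet reached its "(file.rules)" tail: it was wrapped
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            if line and not line[0].isdigit() and not line.startswith("["):
                line = pending + " " + line          # re-join the wrapped rule entry
            else:
                yield pending
            pending = None
        if SID_START_RE.match(line) and not RULE_RE.match(line):
            pending = line
            continue
        if line:
            yield line
    if pending is not None:
        yield pending

def parse_summary(text):
    s, section, sub = Summary(), None, None
    for line in _logical_lines(text):
        if not s.title and line.startswith("Daily Ruleset Update Summary"):
            s.title = line
        elif (m := HEADER_RE.match(line)):
            section, sub = SECTIONS.get(m.group(1)), None
        elif section == "added" and line in ("Open:", "Pro:"):
            sub = line[:-1].lower()
        elif section == "summary" and (m := CLAIM_RE.search(line)):
            # "N new Open, M new Pro (N + K)": Pro subscribers get the N Open rules plus K Pro-only ones
            s.claimed = dict(zip(("open", "pro", "pro_open", "pro_only"), map(int, m.groups())))
        elif (m := CVE_RE.match(line)):
            s.cve_map.setdefault(m.group(1), []).append(int(m.group(2)))
        elif (m := RULE_RE.match(line)):
            rule = Rule(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5),
                        re.findall(r"CVE-\d{4}-\d{4,}", m.group(4)))
            {"added": s.added_pro if sub == "pro" else s.added_open, "modified": s.modified,
             "removed": s.removed}.get(section, []).append(rule)   # rules outside a known section are dropped
    return s

def check_counts(s):
    """Discrepancies between the Summary line / CVE map and the rules actually listed."""
    c = s.claimed
    counts = {"Open": (len(s.added_open), c.get("open")),
              "Pro-only": (len(s.added_pro), c.get("pro_only")),
              "Pro total": (c.get("pro_open", 0) + c.get("pro_only", 0), c.get("pro"))}
    problems = [f"{k}: {got} counted, {want} claimed" for k, (got, want) in counts.items()
                if c and got != want]
    by_sid = {r.sid: r for r in s.added_open + s.added_pro}   # only added rules may back a CVE mapping
    for cve, sids in s.cve_map.items():
        for sid in sids:
            r = by_sid.get(sid)
            if r is None or cve not in r.cves:
                problems.append(f"{cve} -> {sid}: not an added rule whose msg names that CVE")
    return problems
```

`check_counts(parse_summary(text))` returning an empty list means the copy you fetched is complete and self-consistent; a truncated or mangled copy shows up as a count mismatch or a CVE mapping that points at no listed rule. `[r.sid for r in s.removed]` gives the SIDs ET has retired, which can be written one per line into a suricata-update disable.conf so they are not left running from an older local copy, and `s.cve_map` lets you confirm which signatures cover a given Adobe MAPP CVE before a patch window.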

Date: Tuesday, February 14, 2017 - 00:00