Daily Ruleset Update Summary 2017/02/17

[***] Summary: [***]

40 new Open signatures, 59 new Pro (40 + 19). CozyCar, ShellCrew APT, TP-LINK DNSChanger, Sundown EK.

Thanks: @illegalFawn.

[+++]          Added rules:          [+++]

Open:

2023965 - ET TROJAN CozyCar CnC Beacon (trojan.rules)
2023966 - ET TROJAN CozyCar V2 CnC Beacon (trojan.rules)
2023967 - ET TROJAN APT29 Implant8 - Evil Twitter Callback (trojan.rules)
2023968 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 1 (trojan.rules)
2023969 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 2 (trojan.rules)
2023970 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 3 (trojan.rules)
2023971 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 4 (trojan.rules)
2023972 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 5 (trojan.rules)
2023973 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 6 (trojan.rules)
2023974 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 7 (trojan.rules)
2023975 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 8 (trojan.rules)
2023976 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 9 (trojan.rules)
2023977 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 10 (trojan.rules)
2023978 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 11 (trojan.rules)
2023979 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 12 (trojan.rules)
2023980 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 13 (trojan.rules)
2023981 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 14 (trojan.rules)
2023982 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 15 (trojan.rules)
2023983 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 16 (trojan.rules)
2023984 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 17 (trojan.rules)
2023985 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 18 (trojan.rules)
2023986 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 19 (trojan.rules)
2023987 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 20 (trojan.rules)
2023988 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 21 (trojan.rules)
2023989 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 22 (trojan.rules)
2023990 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 23 (trojan.rules)
2023991 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 24 (trojan.rules)
2023992 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 25 (trojan.rules)
2023993 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 26 (trojan.rules)
2023994 - ET TROJAN ShellCrew.APT StreamEx DNS Lookup 27 (trojan.rules)
2023995 - ET EXPLOIT TP-LINK DNS Change GET Request (DNSChanger EK) (exploit.rules)
2023996 - ET EXPLOIT TP-LINK Password Change GET Request (DNSChanger EK) (exploit.rules)
2023997 - ET INFO Potentially unsafe SMBv1 protocol in use (info.rules)
2023998 - ET TROJAN ABUSE.CH Ransomware Domain Detected (TorrentLocker C2) (trojan.rules)
2023999 - ET CURRENT_EVENTS Successful Apple Account Phish Feb 17 2017 (current_events.rules)
2024000 - ET CURRENT_EVENTS Successful iCloud (CN) Phish Feb 17 2017 (current_events.rules)
2024001 - ET CURRENT_EVENTS Successful California Bank & Trust Phish Feb 17 2017 (current_events.rules)
2024002 - ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish Feb 17 2017 (current_events.rules)
2024003 - ET CURRENT_EVENTS Possible Phishing Verified by Visa title over non SSL Feb 17 2017 (current_events.rules)
2024004 - ET TROJAN APT29 Implant8 - MAL_REFERER (trojan.rules)

Pro:

2825013 - ETPRO TROJAN Gabby.APT/Rambo DNS Lookup (trojan.rules)
2825014 - ETPRO TROJAN Gabby.APT/Rambo DNS Lookup (trojan.rules)
2825015 - ETPRO MOBILE_MALWARE Android.Trojan.Ogel.AU CnC Beacon (mobile_malware.rules)
2825016 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iop.j Checkin (mobile_malware.rules)
2825017 - ETPRO MOBILE_MALWARE Android.Adware.Mulad.AD Checkin (mobile_malware.rules)
2825018 - ETPRO TROJAN Sage Ransomware Domain (er29sl . com) (trojan.rules)
2825019 - ETPRO TROJAN Torrentlocker Ransomware Domain (fixnix . pl) (trojan.rules)
2825020 - ETPRO TROJAN Sage Ransomware Domain (pbt2ac . com) (trojan.rules)
2825021 - ETPRO TROJAN Sage Ransomware Domain (op7su2 . com) (trojan.rules)
2825022 - ETPRO TROJAN DNS Query to Cerber Domain (1enbyr . top) (trojan.rules)
2825023 - ETPRO TROJAN DNS Query to Cerber Domain (18kkhl . top) (trojan.rules)
2825024 - ETPRO TROJAN DNS Query to Cerber Domain (17g6gc . top) (trojan.rules)
2825025 - ETPRO TROJAN DNS Query to Cerber Domain (1cb19l . top) (trojan.rules)
2825026 - ETPRO TROJAN Win32.Abnores.R Checkin (trojan.rules)
2825027 - ETPRO CURRENT_EVENTS Possible SunDown EK Landing URI Struct T2 Feb 17 2017 (current_events.rules)
2825028 - ETPRO CURRENT_EVENTS Possible SunDown EK Payload T2 Feb 17 2017 (current_events.rules)
2825029 - ETPRO TROJAN Unknown Stealer CnC Activity (trojan.rules)
2825030 - ETPRO POLICY SSL Cert Free File Hosting Site (lewd . se) (policy.rules)
2825032 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate Detected (trojan.rules)

[///]     Modified active rules:     [///]

2010677 - ET MALWARE Suspicious User-Agent (My Session) (malware.rules)
2022894 - ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752) (current_events.rules)
2022896 - ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 (current_events.rules)
2820592 - ETPRO CURRENT_EVENTS Firesale gTLD and QHEX Likely Magintude EK URI struct June 13 2016 (current_events.rules)
2822886 - ETPRO TROJAN Unknown APT Downloader Receiving Payload (Rambo Backdoor) (trojan.rules)
2822887 - ETPRO TROJAN APT.Gabby/Rambo CnC Beacon (trojan.rules)
2822888 - ETPRO TROJAN APT.Gabby/Rambo CnC Beacon Response (trojan.rules)
2823788 - ETPRO TROJAN DNSChanger Rogue DNS Server (A Lookup) (trojan.rules)
2823855 - ETPRO CURRENT_EVENTS SunDown EK Flash Exploit Dec 13 2016 (current_events.rules)
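Added example (not part of the ET summary and not Proofpoint/ET tooling): a small Python parser for this summary format. It pulls SIDs by section (added/modified) and tier (Open/Pro), recomputes the counts so the header line's "40 new Open, 59 new Pro (40 + 19)" arithmetic can be checked against the lists, and flags newly added INFO/POLICY rules (such as 2023997 SMBv1-in-use and 2825030 SSL Cert Free File Hosting) that tend to be noisy and are worth reviewing before they go live. The sample text is constructed from a few lines of this page; the disable.conf output uses the bare one-SID-per-line form that suricata-update accepts.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the summary above (a few of this page's
# real SIDs, trimmed so the example stays short).
SAMPLE = """\
[+++]          Added rules:          [+++]

Open:

2023965 - ET TROJAN CozyCar CnC Beacon (trojan.rules)
2023997 - ET INFO Potentially unsafe SMBv1 protocol in use (info.rules)
2023995 - ET EXPLOIT TP-LINK DNS Change GET Request (DNSChanger EK) (exploit.rules)

Pro:

2825013 - ETPRO TROJAN Gabby.APT/Rambo DNS Lookup (trojan.rules)
2825030 - ETPRO POLICY SSL Cert Free File Hosting Site (lewd . se) (policy.rules)

[///]     Modified active rules:     [///]

2010677 - ET MALWARE Suspicious User-Agent (My Session) (malware.rules)
2823788 - ETPRO TROJAN DNSChanger Rogue DNS Server (A Lookup) (trojan.rules)
"""

# "<sid> - <msg> (<file>.rules)"; the lazy msg group backtracks past
# parenthesised text inside the message such as "(DNSChanger EK)".
RULE_LINE = re.compile(r"^(?P<sid>\d+) - (?P<msg>.+?) \((?P<file>[\w.-]+\.rules)\)$")
SECTION_HEADERS = {"Added rules:": "added", "Modified active rules:": "modified"}
NOISY_CLASSES = {"INFO", "POLICY"}  # assumption: classes an analyst reviews before enabling


def parse_summary(text):
    """Return one dict per rule line: sid, msg, file, class, section, tier."""
    section, tier, rules = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        for header, name in SECTION_HEADERS.items():
            if header in line:
                section, tier = name, None
        if line in ("Open:", "Pro:"):
            tier = line[:-1].lower()
            continue
        m = RULE_LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        # Messages start "ET <CLASS> ..." or "ETPRO <CLASS> ...". The modified
        # section has no Open:/Pro: headers, so tier is inferred from the prefix.
        prefix, rule_class = msg.split(" ", 2)[:2]
        rules.append({
            "sid": int(m.group("sid")), "msg": msg, "file": m.group("file"),
            "class": rule_class, "section": section,
            "tier": tier or ("pro" if prefix == "ETPRO" else "open"),
        })
    return rules


def counts(rules):
    """Counts keyed by (section, tier), for checking the header arithmetic."""
    c = defaultdict(int)
    for r in rules:
        c[(r["section"], r["tier"])] += 1
    return dict(c)


def review_candidates(rules):
    """Newly added INFO/POLICY SIDs: informational rules that often need tuning."""
    return sorted(r["sid"] for r in rules
                  if r["section"] == "added" and r["class"] in NOISY_CLASSES)


def disable_conf(sids):
    """suricata-update disable.conf fragment: one SID per line."""
    return "\n".join(str(s) for s in sids) + "\n"


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    print(counts(parsed))
    print("review before enabling:", review_candidates(parsed))
    print(disable_conf(review_candidates(parsed)), end="")
```

Run it against the full text of a daily summary to confirm the header counts match the lists, then hand the review list to whoever tunes the sensor; modified rules are worth diffing separately, since a changed signature can change alert volume without a new SID appearing.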
 

Date: Friday, February 17, 2017 - 00:00