Daily Ruleset Update Summary 2017/03/08

[***]            Summary:            [***]

6 new Open signatures, 28 new Pro (6 + 22). TrumpLocker/VenusLocker, StoneDrill Wiper, (?:Drupal|Struts) Vulns, TorrentLocker, Various mobile, Phishing.

Thanks: Kevin Ross, @DidierStevens

[+++]          Added rules:          [+++]

Open:

2024034 - ET WEB_CLIENT Possible MacOSX HelpViewer 10.12.1 XSS Arbitrary File Execution and Arbitrary File Read (CVE-2017-2361) (web_client.rules)
2024035 - ET TROJAN WS/JS Downloader Mar 07 2017 M1 (trojan.rules)
2024036 - ET TROJAN WS/JS Downloader Mar 07 2017 M2 (trojan.rules)
2024037 - ET CURRENT_EVENTS Evil Redirect Leading to EK March 07 2017 (current_events.rules)
2024038 - ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (web_specific_apps.rules)
2024039 - ET WEB_SPECIFIC_APPS Possible Drupal Object Unserialize Exploit Attempt (web_specific_apps.rules)

Pro:

2823837 - ETPRO WEB_CLIENT Microsoft Edge Memory Corruption Vulnerability (CVE-2016-7286) (web_client.rules)
2825293 - ETPRO TROJAN StoneDrill CnC Server Selection Request (trojan.rules)
2825294 - ETPRO TROJAN StoneDrill POST Login Request (trojan.rules)
2825295 - ETPRO TROJAN MSIL/Neptune Reporting System Information (trojan.rules)
2825296 - ETPRO TROJAN Win32/Agent.YDZ CnC Initial Request DNS Beacon (trojan.rules)
2825297 - ETPRO CURRENT_EVENTS Successful HSBC Phish M1 Mar 07 2017 (current_events.rules)
2825298 - ETPRO CURRENT_EVENTS Successful HSBC Phish M2 Mar 07 2017 (current_events.rules)
2825299 - ETPRO CURRENT_EVENTS Successful HSBC Phish M3 Mar 07 2017 (current_events.rules)
2825300 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.IC File Download (mobile_malware.rules)
2825301 - ETPRO TROJAN August Stealer CnC Checkin M2 (trojan.rules)
2825302 - ETPRO TROJAN TorrentLocker C2 Domain (trojan.rules)
2825303 - ETPRO TROJAN TorrentLocker C2 Domain (trojan.rules)
2825304 - ETPRO TROJAN TorrentLocker C2 Domain (trojan.rules)
2825305 - ETPRO MOBILE_MALWARE PUA Android/Agent.K Checkin (mobile_malware.rules)
2825306 - ETPRO TROJAN TorrentLocker C2 Domain (trojan.rules)
2825307 - ETPRO CURRENT_EVENTS Docusign Phishing Landing Mar 08 2017 (current_events.rules)
2825308 - ETPRO MOBILE_MALWARE AndroidOS/Secapk.A Checkin (mobile_malware.rules)
2825309 - ETPRO TROJAN Win32.Emdivi CnC Beacon (trojan.rules)
2825310 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Dowgin.d CnC Beacon 3 (mobile_malware.rules)
2825311 - ETPRO TROJAN Unknown Coinminer .onion Proxy Domain (trojan.rules)
2825312 - ETPRO MALWARE Win32/Amonetize CnC Beacon (malware.rules)
2825313 - ETPRO TROJAN TrumpLocker/VenusLocker .onion Proxy Domain (trojan.rules)

[///]     Modified active rules:     [///]

2010969 - ET POLICY Possible ProxyShell Anonymous Access Connection (policy.rules)
2010972 - ET POLICY Possible ProxyShell Hide IP Installation file download (policy.rules)
2011769 - ET TROJAN Shiz/Rohimafo Binary Download Request (trojan.rules)
2011871 - ET POLICY SubmitToTDWTF.asmx DailyWTF Potential Source Code Leakage (policy.rules)
2012201 - ET WORM Possible Worm Sohanad.Z or Other Infection Request for setting.nql (worm.rules)
2012955 - ET POLICY HTTP Request to a *.co.tv domain (policy.rules)
2014116 - ET TROJAN Suspicious User-Agent build - possibly Delf/Troxen/Zema (trojan.rules)
2014566 - ET TROJAN W32/UltimateDefender.FakeAV Checkin (trojan.rules)
2014802 - ET CURRENT_EVENTS Fragus Exploit jar Download (current_events.rules)
2014843 - ET TROJAN Blackhole Exploit Kit Request tkr (trojan.rules)
2014864 - ET TROJAN W32.Gimemo/Aldibot CnC POST (trojan.rules)
2014884 - ET CURRENT_EVENTS Request to malicious SutraTDS - lonly= in cookie (current_events.rules)
2015015 - ET POLICY Download Request to Hotfile.com (policy.rules)
2015019 - ET TROJAN W32/Icoo CnC Checkin (trojan.rules)
2015547 - ET TROJAN Pakes2 - EXE Download Request (trojan.rules)
2015581 - ET TROJAN Atadommoc.C - HTTP CnC (trojan.rules)
2015907 - ET CURRENT_EVENTS BoA -Account Phished (current_events.rules)
2016170 - ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (2) (current_events.rules)
2016328 - ET TROJAN ZeuS Post to C&C footer.php (trojan.rules)
2016693 - ET INFO SUSPICIOUS UA starting with Mozilla/8 (info.rules)
2016773 - ET TROJAN Mutter Backdoor Checkin (trojan.rules)
2016912 - ET TROJAN W32/KeyLogger.ACQH!tr Checkin (trojan.rules)
2017927 - ET POLICY check.torproject.org IP lookup/Tor Usage check over HTTP (policy.rules)
2018026 - ET MALWARE W32/BettrExperience.Adware Update Checkin (malware.rules)
2018667 - ET TROJAN Possible Zeus P2P Variant Check-in (trojan.rules)
2020847 - ET CURRENT_EVENTS Chrome Form Data Theft April 06 2015 (current_events.rules)
2021226 - ET TROJAN Poweliks Clickfraud CnC M1 (trojan.rules)
2021270 - ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 15 M2 (current_events.rules)
2021271 - ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 15 M3 (current_events.rules)
2022123 - ET POLICY IP Lookup Geoip.co.uk (policy.rules)
2022245 - ET TROJAN NetBackdoor User-Agent (.net backdor) (trojan.rules)
2022246 - ET TROJAN Backdoor User-Agent (InstallCapital) (trojan.rules)
2022351 - ET POLICY External IP Lookup - ipecho.net (policy.rules)
2022377 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsalias.ru Domain (info.rules)
2022378 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsip.ru Domain (info.rules)
2022379 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyn-dns.ru Domain (info.rules)
2022380 - ET INFO DYNAMIC_DNS HTTP Request to a *.dns-free.ru Domain (info.rules)
2022519 - ET TROJAN Bedep Connectivity Check M3 (trojan.rules)
2023240 - ET MOBILE_MALWARE iOS DualToy Checkin (mobile_malware.rules)
2023520 - ET POLICY External IP Lookup (tinytools.nu) (policy.rules)
2023653 - ET TROJAN TeleBots BCS-server User-Agent (trojan.rules)
2023654 - ET TROJAN TeleBots VBS Backdoor CnC Beacon 1 (trojan.rules)
2023874 - ET POLICY Hamas Terrorist Propaganda TV Channel (aqsatv.ps) (policy.rules)
2024028 - ET TROJAN Infostealer.Bancos ProxyChanger Checkin (trojan.rules)
2800868 - ETPRO EXPLOIT Powerpoint Download (exploit.rules)
2800888 - ETPRO WEB_SPECIFIC_APPS Microsoft Forefront Unified Access Gateway Signurl.asp Cross-Site Scripting (web_specific_apps.rules)
2800957 - ETPRO USER_AGENTS RogueSoftware.Win32.RClean User-Agent (user_agents.rules)
2800966 - ETPRO WEB_CLIENT Microsoft Office Insecure Library Loading WebDAV PROPFIND pptimpconv.dll (web_client.rules)
2801000 - ETPRO WEB_CLIENT Microsoft Windows Movie Maker Insecure Library Loading WebDAV PROPFIND hhctrl.ocx (web_client.rules)
2801001 - ETPRO WEB_CLIENT Microsoft Windows Movie Maker Insecure Library Loading WebDAV GET hhctrl.ocx (web_client.rules)
2801248 - ETPRO USER_AGENTS Malware Related User-Agent RepairR (user_agents.rules)
2803027 - ETPRO WEB_CLIENT Microsoft Excel Malformed Selection (type 0x1D) BIFF record (web_client.rules)
2804168 - ETPRO INFO DYNAMIC_DNS HTTP Request to a *.ddns.mobi Domain (info.rules)
2804956 - ETPRO TROJAN herpnet C&C (trojan.rules)
2805036 - ETPRO TROJAN TrojanDownloader.Banload.brce Checkin (trojan.rules)
2805273 - ETPRO MALWARE ApplicUnwnt.Win32.AdWare.InstallCore.2 (malware.rules)
2805434 - ETPRO TROJAN Trojan-Downloader.Win32.SpyAgent.r Checkin (trojan.rules)
2805685 - ETPRO WEB_CLIENT Microsoft .NET Framework Insecure Library Loading (web_client.rules)
2805772 - ETPRO TROJAN Trojan-Ransomware Checkin (trojan.rules)
2805824 - ETPRO TROJAN Mal/FakeSg-B Checkin (trojan.rules)
2805865 - ETPRO TROJAN TROJ_MOTMOT.CI Checkin (trojan.rules)
2806172 - ETPRO TROJAN Trojan-Clicker.Win32.Galepo.bu Checkin (trojan.rules)
2806422 - ETPRO TROJAN Trojan-Dropper.Win32.Dapato.bfjn Download (trojan.rules)
2806779 - ETPRO TROJAN Trojan-PSW.Win32.Delf.qc Checkin (trojan.rules)
2806807 - ETPRO MOBILE_MALWARE AndroidOS/GingerMaster.A (mobile_malware.rules)
2806866 - ETPRO TROJAN Win32/TrojanDropper.Agent.POP Checkin (trojan.rules)
2807035 - ETPRO TROJAN Trojan.Win32.Delf Variant Checkin (trojan.rules)
2807215 - ETPRO TROJAN Orbit downloader checkin 2 (trojan.rules)
2807287 - ETPRO TROJAN Trojan-Dropper.Win32.Agent.iish Checkin (trojan.rules)
2807411 - ETPRO POLICY geo IP lookup service ip-who-is.com (policy.rules)
2808248 - ETPRO TROJAN Win32/Poweliks.A Checkin (trojan.rules)
2808357 - ETPRO MOBILE_MALWARE Android/TelMan.A Checkin (mobile_malware.rules)
2810116 - ETPRO MOBILE_MALWARE AndroidOS/DroidDream.A Checkin (mobile_malware.rules)
2810737 - ETPRO TROJAN Simda CnC Beacon (trojan.rules)
2810766 - ETPRO MOBILE_MALWARE Unknown Checkin (mobile_malware.rules)
2811058 - ETPRO POLICY External IP Lookup - ip.42.pl (policy.rules)
2811246 - ETPRO TROJAN Win32/Nivdort Empty Checkin (trojan.rules)
2811451 - ETPRO TROJAN Asterope CnC Beacon (trojan.rules)
2811662 - ETPRO MALWARE PUP.PricePeep.A Checkin (malware.rules)
2812176 - ETPRO CURRENT_EVENTS Possible Successful Google Drive Phish July 27 M2 (current_events.rules)
2812251 - ETPRO MALWARE Win32/Stocksoft.Downloader PUP Activity (malware.rules)
2812790 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.fj Checkin (mobile_malware.rules)
2812962 - ETPRO TROJAN Backdoor.Bot Activity (trojan.rules)
2813047 - ETPRO MOBILE_MALWARE Android/Andup.Y Checkin (mobile_malware.rules)
2815026 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.MobiDash.c Checkin (mobile_malware.rules)
2815148 - ETPRO CURRENT_EVENTS Successful MCB Bank Phish Nov 30 (current_events.rules)
2815177 - ETPRO CURRENT_EVENTS PowerShell Empire Session via Excel Macro (current_events.rules)
2815281 - ETPRO MALWARE Unknown PUP/KR Checkin (malware.rules)
2815658 - ETPRO TROJAN W32.Unknown Checkin (trojan.rules)
2815726 - ETPRO MOBILE_MALWARE AndroidOS/SMSreg.CC Checkin (mobile_malware.rules)
2815854 - ETPRO CURRENT_EVENTS Shared Document Base64 Phishing Landing Jan 19 (current_events.rules)
2816907 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.Agent.i Checkin (mobile_malware.rules)
2819953 - ETPRO TROJAN Ransomware TrueCrypter CnC Beacon (trojan.rules)
2820935 - ETPRO MOBILE_MALWARE Android/Agent.UH Checkin (mobile_malware.rules)
2821362 - ETPRO TROJAN R980 Ransomware Requesting Image 1 (trojan.rules)
2821363 - ETPRO TROJAN R980 Ransomware Requesting Image 2 (trojan.rules)
2821594 - ETPRO CURRENT_EVENTS Successful TD Commercial Banking Phish Aug 10 2016 (current_events.rules)
2821603 - ETPRO TROJAN Win32.Getapula Stealer Checkin (trojan.rules)
2821735 - ETPRO TROJAN Cromwi Fake User-Agent (trojan.rules)
2821761 - ETPRO CURRENT_EVENTS Successful Adobe Shared Document Phish Aug 19 2016 (current_events.rules)
2821978 - ETPRO CURRENT_EVENTS Successful Google Drive Phish Sept M2 1 2016 (current_events.rules)
2821979 - ETPRO CURRENT_EVENTS Successful Google Drive Phish Sept M1 1 2016 (current_events.rules)
2821988 - ETPRO TROJAN MSIL/Unknown HTTP Bot Screenshot Upload (trojan.rules)
2822639 - ETPRO CURRENT_EVENTS Successful Google Drive Phish Oct 14 2016 (current_events.rules)
2822685 - ETPRO TROJAN TheTrick Banking Trojan Affiliate Download (trojan.rules)
2822756 - ETPRO CURRENT_EVENTS Successful Credit Agricole Bank (FR) Phish M1 Oct 19 2016 (current_events.rules)
2824672 - ETPRO TROJAN Rerdom Variant CnC M2 (trojan.rules)
2824971 - ETPRO TROJAN Fareit/Pony Variant CnC Beacon (trojan.rules)
2825084 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Shedun.Z Config Download (mobile_malware.rules)
2825142 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Dowgin.d CnC Beacon (mobile_malware.rules)
2825191 - ETPRO TROJAN MSIL/Unk HTTP CnC Activity (trojan.rules)
2825273 - ETPRO TROJAN MSIL/Enjey Crypter Ransomware CnC Checkin (trojan.rules)

[---]  Disabled and modified rules:  [---]

2806627 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free 3 CVE-2013-3115 (web_client.rules)
2806628 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free 4 CVE-2013-3115 (web_client.rules)
2807936 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1755) (web_client.rules)
2808998 - ETPRO WEB_CLIENT Possible Internet Explorer Memory Corruption Vulnerability CVE-2014-4137 (web_client.rules)
2810028 - ETPRO WEB_CLIENT MS15-018 Internet Explorer Elevation of Privilege Vulnerability CVE-2015-1623 (web_client.rules)
2823145 - ETPRO WEB_CLIENT Possible Microsoft Edge Buffer Overflow M1 (CVE-2016-7202) (web_client.rules)
2823160 - ETPRO WEB_CLIENT Possible Microsoft Edge JSON.parse RCE (CVE-2016-7241) (web_client.rules)

[---]         Removed rules:         [---]

2823837 - ETPRO EXPLOIT Microsoft Edge Memory Corruption Vulnerability (CVE-2016-7286) (exploit.rules)
 

Date: Wednesday, March 8, 2017 - 00:00