Daily Ruleset Update Summary 2017/03/31

[***]            Summary:            [***]

44 new Open, 51 new Pro (44 + 7). Let's Encrypt Certs, Decimal Redirect, CopyKitten, Various Phishing, Various Android

Thanks: Kevin Ross

[+++]          Added rules:          [+++]

Open:

2024123 - ET MOBILE_MALWARE Android.C2P.Qd!c Ransomware CnC Beacon (mobile_malware.rules)
2024124 - ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M1 (current_events.rules)
2024125 - ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M2 (current_events.rules)
2024126 - ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M3 (current_events.rules)
2024127 - ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M4 (current_events.rules)
2024128 - ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M5 (current_events.rules)
2024129 - ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M6 (current_events.rules)
2024130 - ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M7 (current_events.rules)
2024131 - ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M8 (current_events.rules)
2024132 - ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M9 (current_events.rules)
2024133 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M1 (current_events.rules)
2024134 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M2 (current_events.rules)
2024135 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M3 (current_events.rules)
2024136 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M4 (current_events.rules)
2024137 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M5 (current_events.rules)
2024138 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M6 (current_events.rules)
2024139 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M7 (current_events.rules)
2024140 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M8 (current_events.rules)
2024141 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M9 (current_events.rules)
2024142 - ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M10 (current_events.rules)
2024143 - ET TROJAN Possible CopyKitten DNS Lookup (1e100 .tech) (trojan.rules)
2024144 - ET TROJAN Possible CopyKitten DNS Lookup (1m100 .tech) (trojan.rules)
2024145 - ET TROJAN Possible CopyKitten DNS Lookup (ads-youtube .online) (trojan.rules)
2024146 - ET TROJAN Possible CopyKitten DNS Lookup (akamaitechnology .com) (trojan.rules)
2024147 - ET TROJAN Possible CopyKitten DNS Lookup (alkamaihd .net) (trojan.rules)
2024148 - ET TROJAN Possible CopyKitten DNS Lookup (azurewebsites .tech) (trojan.rules)
2024149 - ET TROJAN Possible CopyKitten DNS Lookup (broadcast-microsoft .tech) (trojan.rules)
2024150 - ET TROJAN Possible CopyKitten DNS Lookup (chromeupdates .online) (trojan.rules)
2024151 - ET TROJAN Possible CopyKitten DNS Lookup (cloudmicrosoft .net) (trojan.rules)
2024152 - ET TROJAN Possible CopyKitten DNS Lookup (dnsserv .host) (trojan.rules)
2024153 - ET TROJAN Possible CopyKitten DNS Lookup (elasticbeanstalk .tech) (trojan.rules)
2024154 - ET TROJAN Possible CopyKitten DNS Lookup (fdgdsg .xyz) (trojan.rules)
2024155 - ET TROJAN Possible CopyKitten DNS Lookup (jguery .net) (trojan.rules)
2024156 - ET TROJAN Possible CopyKitten DNS Lookup (jguery .online) (trojan.rules)
2024157 - ET TROJAN Possible CopyKitten DNS Lookup (microsoft-ds .com) (trojan.rules)
2024158 - ET TROJAN Possible CopyKitten DNS Lookup (microsoft-security .host) (trojan.rules)
2024159 - ET TROJAN Possible CopyKitten DNS Lookup (nameserver .win) (trojan.rules)
2024160 - ET TROJAN Possible CopyKitten DNS Lookup (newsfeeds-microsoft .press) (trojan.rules)
2024161 - ET TROJAN Possible CopyKitten DNS Lookup (owa-microsoft .online) (trojan.rules)
2024162 - ET TROJAN Possible CopyKitten DNS Lookup (primeminister-goverment-techcenter .tech) (trojan.rules)
2024163 - ET TROJAN Possible CopyKitten DNS Lookup (qoldenlines .net) (trojan.rules)
2024164 - ET TROJAN Possible CopyKitten DNS Lookup (sharepoint-microsoft .co) (trojan.rules)
2024165 - ET TROJAN Possible CopyKitten DNS Lookup (ssl-gstatic .online) (trojan.rules)
2024166 - ET TROJAN Possible CopyKitten DNS Lookup (trendmicro .tech) (trojan.rules)
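
The "Suspicious Decimal IP Redirect" signatures above (2024133 through 2024142) concern redirects whose host is an IPv4 address written as one 32-bit integer, e.g. http://3232235777/ for 192.168.1.1, a form browsers accept but URL allow-lists and casual analysts often miss. The Python below is an added illustration only; it is not the ET rule logic and not code from the ruleset. It goes a little beyond the rule names by also decoding the 0x-hex and leading-zero octal spellings of the same trick, and runs over a few constructed Location header values (not real traffic).

```python
import re
from urllib.parse import urlsplit

# Constructed sample Location header values for illustration; not captured traffic.
SAMPLE_LOCATIONS = [
    "http://3232235777/index.php?q=1",   # 192.168.1.1 as a single 32-bit decimal
    "http://0xC0A80101/landing",         # same address written in hex
    "http://030052000401/",              # same address written in octal
    "http://192.168.1.1/normal",         # ordinary dotted quad, not flagged
    "https://example.com/path",          # hostname, not an address
]

# A host that is one bare integer: 0x-hex, leading-zero octal, or plain decimal.
_NUMERIC_HOST = re.compile(r"^(?:0x[0-9a-f]+|0[0-7]+|[1-9][0-9]*|0)$", re.IGNORECASE)


def parse_numeric_host(host):
    """Return the dotted-quad form of a host written as a single integer,
    or None when the host is not such an integer (or exceeds 32 bits)."""
    if not _NUMERIC_HOST.match(host):
        return None
    if host.lower().startswith("0x"):
        value = int(host, 16)
    elif len(host) > 1 and host.startswith("0"):
        value = int(host, 8)
    else:
        value = int(host, 10)
    if value > 0xFFFFFFFF:
        return None
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify_redirect(location):
    """Flag a redirect target whose host is an integer-encoded IPv4 address.
    Returns a small dict for a hit, None otherwise."""
    host = urlsplit(location).hostname or ""
    dotted = parse_numeric_host(host)
    if dotted is None:
        return None
    return {"location": location, "host": host, "decoded": dotted}


def scan(locations):
    """Run classify_redirect over a list of Location values, keeping the hits."""
    return [hit for hit in (classify_redirect(loc) for loc in locations) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOCATIONS):
        print(f"{hit['location']}  host={hit['host']}  decoded={hit['decoded']}")
```

The decoded dotted quad is what you pivot on: compare it against the dotted-quad hosts already seen in the same session or against your IP reputation data, since the whole point of the encoding is to keep the address out of string-based matching.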

Pro:

2825692 - ETPRO CURRENT_EVENTS Successful Tmobile (DE) Phish Mar 31 2017 (current_events.rules)
2825693 - ETPRO CURRENT_EVENTS Successful Paypal Phish (IT) Mar 31 2017 (current_events.rules)
2825694 - ETPRO CURRENT_EVENTS Successful Office 365 Phish Mar 31 2017 (current_events.rules)
2825695 - ETPRO CURRENT_EVENTS Successful Blizzard Phish Mar 31 2017 (current_events.rules)
2825696 - ETPRO TROJAN W32/Unknown Coinminer Module DL (trojan.rules)
2825697 - ETPRO CURRENT_EVENTS Successful Caf.fr Phish Mar 31 2017 (current_events.rules)
2825698 - ETPRO TROJAN MSIL/Downloader Downloading NetwireRAT (trojan.rules)


[///]     Modified active rules:     [///]

2024121 - ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174) (exploit.rules)
2807086 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Obad.a Checkin 2 (mobile_malware.rules)
2808271 - ETPRO TROJAN BackDoor.Yebot Checkin (trojan.rules)
2820838 - ETPRO MOBILE_MALWARE ANDROIDOS_ROOTNIK.CBTCT / Godless Checkin (mobile_malware.rules)
2825618 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Triada.aw Checkin 3 (mobile_malware.rules)

Date: Friday, March 31, 2017 - 00:00