Daily Ruleset Update Summary 2017/04/20

[***]            Summary:            [***]

4 new Open, 34 new Pro (4 + 30). Let's Encrypt w/Punycode, Various Phishing, Various Mobile

Thanks: Kevin Ross

[+++]          Added rules:          [+++]

Open:

2024227 - ET INFO Lets Encrypt Free SSL Cert Observed with IDN/Punycode Domain - Possible Phishing (info.rules)
2024228 - ET INFO Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017 (info.rules)
2024229 - ET CURRENT_EVENTS Known Malicious Expires Header Seen In Malicious JavaScript Downloader Campaign (current_events.rules)
2024230 - ET CURRENT_EVENTS iCloud Phishing Landing Sept 2 2016 (current_events.rules)

Pro:

2826036 - ETPRO CURRENT_EVENTS Successful Generic SSN Financial Phish Apr 19 2017 (current_events.rules)
2826037 - ETPRO CURRENT_EVENTS Successful Dropbox Phish Apr 19 (current_events.rules)
2826038 - ETPRO CURRENT_EVENTS Successful Adobe Phish Apr 19 2017 (current_events.rules)
2826039 - ETPRO CURRENT_EVENTS Successful Google Drive Phish Apr 19 2017 (current_events.rules)
2826040 - ETPRO CURRENT_EVENTS Successful Western Union Phish M1 Apr 20 2017 (current_events.rules)
2826041 - ETPRO CURRENT_EVENTS Successful Western Union Phish M2 Apr 20 2017 (current_events.rules)
2826042 - ETPRO CURRENT_EVENTS Successful Western Union Phish M3 Apr 20 2017 (current_events.rules)
2826043 - ETPRO CURRENT_EVENTS Possible Successful Generic Phish Apr 20 2017 (current_events.rules)
2826044 - ETPRO TROJAN Oilrig VBS DNS Lookup (trojan.rules)
2826045 - ETPRO MALWARE PUP Win32/ELEX Checkin 3 (malware.rules)
2826046 - ETPRO MOBILE_MALWARE Android.Trojan.SLocker.TX CnC Beacon (mobile_malware.rules)
2826047 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Rootnik.bw CnC Beacon (mobile_malware.rules)
2826048 - ETPRO CURRENT_EVENTS Microsoft Word Nemucod Phishing Landing Apr 20 2017 (current_events.rules)
2826049 - ETPRO CURRENT_EVENTS Successful Nemucod Zipped JS Download - Possible Miuref/Kovter/Panda Banker Apr 20 2017 (current_events.rules)
2826050 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate Detected (trojan.rules)
2826051 - ETPRO MOBILE_MALWARE Android.Trojan.Agent.EZ CnC Beacon (mobile_malware.rules)
2826052 - ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate Detected (trojan.rules)
2826053 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.zs Checkin (mobile_malware.rules)
2826054 - ETPRO EXPLOIT Huawei HG532n - Enable Portmapping (exploit.rules)
2826055 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Boogr.gsh DNS Lookup (mobile_malware.rules)
2826056 - ETPRO TROJAN DNS Query to Cerber Domain (1j2ien . top) (trojan.rules)
2826057 - ETPRO TROJAN DNS Query to Cerber Domain (12smak . top) (trojan.rules)
2826058 - ETPRO TROJAN ZLoader Malicious SSL Cert Observed (trojan.rules)
2826059 - ETPRO TROJAN DNS Query to Cerber Domain (15bjqq . top) (trojan.rules)
2826060 - ETPRO TROJAN DNS Query to Cerber Domain (1ms2rx . top) (trojan.rules)
2826061 - ETPRO MOBILE_MALWARE Android.Trojan.Guerrilla.n Checkin (mobile_malware.rules)
2826062 - ETPRO TROJAN DNS Query to Cerber Domain (12zucf . top) (trojan.rules)
2826063 - ETPRO TROJAN DNS Query to Cerber Domain (1ntyds . top) (trojan.rules)
2826064 - ETPRO TROJAN DNS Query to Cerber Domain (1c7osg . top) (trojan.rules)
2826065 - ETPRO TROJAN DNS Query to Cerber Domain (1cnkik . top) (trojan.rules)

[///]     Modified active rules:     [///]

2024104 - ET TROJAN ABUSE.CH Ransomware/Cerber Onion Domain Lookup (trojan.rules)
2810640 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.BW Checkin (mobile_malware.rules)
2815174 - ETPRO CURRENT_EVENTS Successful iCloud Phish Dec 2 (current_events.rules)

[---]         Disabled rules:        [---]

2003000 - ET MALWARE PopupSh.ocx Access Attempt (malware.rules)
2003039 - ET EXPLOIT UPnP DLink M-Search Overflow Attempt (exploit.rules)
2003048 - ET POLICY Proxy Judge Discovery/Evasion (proxyjudge.cgi) (policy.rules)
2003055 - ET MALWARE Suspicious FTP 220 Banner on Local Port (-) (malware.rules)
2003057 - ET MALWARE 180solutions Spyware Actionlibs Download (malware.rules)
2003058 - ET MALWARE 180solutions (Zango) Spyware Installer Download (malware.rules)
2003059 - ET MALWARE 180solutions (Zango) Spyware TB Installer Download (malware.rules)
2003061 - ET MALWARE 180solutions (Zango) Spyware Event Activity Post (malware.rules)
2003072 - ET EXPLOIT Linksys WRT54g Authentication Bypass Attempt (exploit.rules)
2003074 - ET MALWARE Content-loader.com Spyware Install (malware.rules)
2003075 - ET MALWARE Content-loader.com Spyware Install 2 (malware.rules)
2003076 - ET MALWARE Content-loader.com (ownusa.info) Spyware Install (malware.rules)
2003081 - ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) (netbios.rules)
2003082 - ET NETBIOS NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) (netbios.rules)
2003083 - ET TROJAN Dialer (trojan.rules)
2003084 - ET MALWARE TROJAN_VB Microjoin (malware.rules)
2003086 - ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Command Execution (web_server.rules)
2003087 - ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Directory Traversal Attempt (web_server.rules)
2003302 - ET TROJAN psyBNC IRC Server Connection (trojan.rules)
2003304 - ET MALWARE Effectivebrands.com Spyware Checkin (malware.rules)
2003307 - ET MALWARE Comet Systems Spyware Cursor DL (malware.rules)
2003308 - ET P2P Edonkey IP Request (p2p.rules)
2003309 - ET P2P Edonkey IP Reply (p2p.rules)
2003314 - ET P2P Edonkey Search Request (by file hash) (p2p.rules)
2003316 - ET P2P Edonkey IP Query End (p2p.rules)
2003318 - ET P2P Edonkey Get Sources Request (by hash) (p2p.rules)
2003323 - ET P2P Edonkey Client to Server Hello (p2p.rules)
2003324 - ET P2P Edonkey Server Status (p2p.rules)
2003329 - ET VOIP Centrality IP Phone (PA-168 Chipset) Session Hijacking (voip.rules)
2003348 - ET MALWARE Gamehouse.com Activity (malware.rules)
2003353 - ET MALWARE Winferno Registry Fix Spyware Download (malware.rules)
2003354 - ET MALWARE Yourscreen.com Spyware Download (malware.rules)
2003358 - ET MALWARE Catchonlife.com Spyware (malware.rules)
2003360 - ET MALWARE Effectivebrands.com Spyware Checkin 2 (malware.rules)
2003362 - ET MALWARE Freeze.com Spyware/Adware (Pulling Ads) (malware.rules)
2003364 - ET MALWARE Hotbar Agent Adopt/Zango (malware.rules)
2003370 - ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS (exploit.rules)
2003375 - ET MALWARE Spy-Not.com Spyware Pulling Fake Sigs (malware.rules)
2003376 - ET MALWARE Instafinder.com spyware (malware.rules)
2003377 - ET MALWARE Spy-Not.com Spyware Updating (malware.rules)
2003378 - ET EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow (exploit.rules)
2003388 - ET MALWARE Hotbar Keywords Download (malware.rules)
2003391 - ET MALWARE SurfAccuracy.com Spyware Pulling Ads (malware.rules)
2003400 - ET EXPLOIT US-ASCII Obfuscated script (exploit.rules)
2003401 - ET EXPLOIT US-ASCII Obfuscated VBScript download file (exploit.rules)
2003403 - ET EXPLOIT US-ASCII Obfuscated VBScript (exploit.rules)
2003410 - ET POLICY FTP Login Successful (policy.rules)
2003411 - ET EXPLOIT Solaris telnet USER environment vuln Attack inbound (exploit.rules)
2003412 - ET EXPLOIT Solaris telnet USER environment vuln Attack outbound (exploit.rules)
2003414 - ET MALWARE Epilot.com Spyware Reporting (malware.rules)
2003416 - ET MALWARE Epilot.com Spyware Reporting Clicks (malware.rules)
2003417 - ET MALWARE CNSMIN (3721.com) Spyware Activity (malware.rules)
2003418 - ET MALWARE CNSMIN (3721.com) Spyware Activity 2 (malware.rules)
2003419 - ET MALWARE CNSMIN (3721.com) Spyware Activity 3 (malware.rules)
2003434 - ET EXPLOIT Trend Micro Web Interface Auth Bypass Vulnerable Cookie Attempt (exploit.rules)
2003435 - ET TROJAN Stormy Variant HTTP Request (trojan.rules)
2003437 - ET P2P Ares over UDP (p2p.rules)
2003438 - ET MALWARE Abcsearch.com Spyware Reporting (malware.rules)
2003444 - ET MALWARE Deskwizz.com Spyware Install Code Download (malware.rules)
2003450 - ET MALWARE Specificclick.net Spyware Activity (malware.rules)
2003451 - ET MALWARE K8l.info Spyware Activity (malware.rules)
2003462 - ET MALWARE CoolDeskAlert Spyware Activity (malware.rules)
2003466 - ET WEB_SERVER PHP Attack Tool Morfeus F Scanner (web_server.rules)
2003472 - ET MALWARE DelFin Project Spyware (setup-alt) (malware.rules)
2003473 - ET MALWARE DelFin Project Spyware (payload-alt) (malware.rules)
2003474 - ET VOIP Asterisk Register with no URI or Version DOS Attempt (voip.rules)
2003479 - ET POLICY Radmin Remote Control Session Setup Initiate (policy.rules)
2003480 - ET POLICY Radmin Remote Control Session Setup Response (policy.rules)
2003481 - ET POLICY Radmin Remote Control Session Authentication Initiate (policy.rules)
2003482 - ET POLICY Radmin Remote Control Session Authentication Response (policy.rules)
2003504 - ET MALWARE E2give Spyware Reporting (check url) (malware.rules)
2003518 - ET EXPLOIT Computer Associates Brightstor ARCServe Backup Mediasvr.exe Remote Exploit (exploit.rules)
2003525 - ET MALWARE Supergames.aavalue.com Spyware (malware.rules)
2003533 - ET MALWARE Sytes.net Related Spyware Reporting (malware.rules)
2003537 - ET TROJAN Trojan.Duntek establishing remote connection (trojan.rules)
2003538 - ET TROJAN Klom.A Connecting to Controller (trojan.rules)
2003543 - ET MALWARE Winfixmaster.com Fake Anti-Spyware Install (malware.rules)
2003547 - ET MALWARE Privacyprotector.com Fake Anti-Spyware Install (malware.rules)
2003556 - ET TROJAN Bandook v1.35 Keepalive Send (trojan.rules)
2003557 - ET TROJAN Bandook v1.35 Keepalive Reply (trojan.rules)
2003558 - ET TROJAN Bandook v1.35 Create Registry Key Command Send (trojan.rules)
2003559 - ET TROJAN Bandook v1.35 Create Directory Command Send (trojan.rules)
2003560 - ET TROJAN Bandook v1.35 Window List Command Send (trojan.rules)
2003561 - ET TROJAN Bandook v1.35 Window List Reply (trojan.rules)
2003562 - ET TROJAN Bandook v1.35 Get Processes Command Send (trojan.rules)
2003563 - ET TROJAN Bandook v1.35 Start Socks5 Proxy Command Send (trojan.rules)
2003564 - ET TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply (trojan.rules)
2003565 - ET TROJAN Bandook v1.35 Get Processes Command Reply (trojan.rules)
2003577 - ET MALWARE Mirarsearch.com Spyware Posting Data (malware.rules)
2003579 - ET MALWARE Findwhat.com Spyware (clickthrough) (malware.rules)
2003581 - ET MALWARE Findwhat.com Spyware (sendmedia) (malware.rules)
2003605 - ET MALWARE Baidu.com Spyware Bar Activity (malware.rules)
2003606 - ET MALWARE Alexa Spyware Reporting URL Visited (malware.rules)
2003610 - ET MALWARE Zango Spyware (tbrequest data post) (malware.rules)
2003611 - ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Updating (malware.rules)
2003612 - ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Download (malware.rules)
2003617 - ET MALWARE MyWebSearch Toolbar Posting Activity Report (malware.rules)
2003619 - ET MALWARE Alexa Spyware Redirecting User (malware.rules)
2003630 - ET MALWARE Baidu.com Spyware Sobar Bar Activity (malware.rules)
2003631 - ET POLICY Centralops.net Probe (policy.rules)
2003750 - ET EXPLOIT CA Brightstor ARCServe caloggerd DoS (exploit.rules)
2003751 - ET EXPLOIT CA Brightstor ARCServe Mediasvr DoS (exploit.rules)
2003869 - ET SCAN ProxyReconBot CONNECT method to Mail (scan.rules)
2003870 - ET SCAN ProxyReconBot POST method to Mail (scan.rules)
2003903 - ET WEB_SERVER Microsoft SharePoint XSS Attempt default.aspx (web_server.rules)
2003904 - ET WEB_SERVER Microsoft SharePoint XSS Attempt index.php form mail (web_server.rules)
2003936 - ET TROJAN Bandok phoning home (xor by 0xe9 to decode) (trojan.rules)
2003937 - ET TROJAN Bandook iwebho/BBB-phish trojan leaking user data (trojan.rules)
2009799 - ET WEB_SERVER PHP Attack Tool Morfeus F Scanner - M (web_server.rules)
2011527 - ET NETBIOS windows recycler .exe request - suspicious (netbios.rules)

[---]         Removed rules:         [---]

2821995 - ETPRO CURRENT_EVENTS iCloud Phishing Landing Sept 2 2016 (current_events.rules)
2824170 - ETPRO TROJAN DNS Query to Cerber Domain (1bpfr1 . top) (trojan.rules)
2824490 - ETPRO TROJAN DNS Query to Cerber Domain (19ob95 . top) (trojan.rules)
2824491 - ETPRO TROJAN DNS Query to Cerber Domain (16gjpm . top) (trojan.rules)
2824492 - ETPRO TROJAN DNS Query to Cerber Domain (12gzrv . top) (trojan.rules)
2824494 - ETPRO TROJAN DNS Query to Cerber Domain (17ldrv . top) (trojan.rules)
2824495 - ETPRO TROJAN DNS Query to Cerber Domain (15rnwa . top) (trojan.rules)
2824498 - ETPRO TROJAN DNS Query to Cerber Domain (1pbu64 . top) (trojan.rules)
2824499 - ETPRO TROJAN DNS Query to Cerber Domain (191jcq . top) (trojan.rules)
2824500 - ETPRO TROJAN DNS Query to Cerber Domain (1kdfj8 . top) (trojan.rules)

Date: 
Thursday, April 20, 2017 - 00:00