Daily Ruleset Update Summary 2017/04/26

[***]            Summary:            [***]

2 new Open, 24 new Pro (2 + 22). DANDERSPRITZ, Linux.Shishiga, Various Phishing, Various Mobile

Thanks: Kevin Branch, MS-ISAC

[+++]          Added rules:          [+++]

Open:

2024247 - ET TROJAN Possible DANDERSPRITZ Default HTTP Headers (trojan.rules)
2024248 - ET TROJAN Possible DANDERSPRITZ HTTP Beacon (trojan.rules)

Pro:

2826111 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 82 (mobile_malware.rules)
2826112 - ETPRO MOBILE_MALWARE Android/SMForw.RL Contact Exfil (mobile_malware.rules)
2826113 - ETPRO CURRENT_EVENTS Successful Administrator Password Reset Phish Apr 26 2017 (current_events.rules)
2826114 - ETPRO CURRENT_EVENTS Successful Netflix Payment Information Phish Apr 26 2017 (current_events.rules)
2826115 - ETPRO CURRENT_EVENTS Successful National Australia Bank Phish M1 Apr 26 2017 (current_events.rules)
2826116 - ETPRO CURRENT_EVENTS Successful National Australia Bank Phish M2 Apr 26 2017 (current_events.rules)
2826117 - ETPRO TROJAN Linux.Shishiga HTTP Checkin (trojan.rules)
2826118 - ETPRO CURRENT_EVENTS Successful Paypal Phish Apr 26 2017 (current_events.rules)
2826119 - ETPRO POLICY DeskShare Desktop Sharing Tool Checkin (policy.rules)
2826120 - ETPRO TROJAN DNS Query to Sage Domain (qlkrwn . com) (trojan.rules)
2826121 - ETPRO TROJAN DNS Query to Cerber Domain (1c1ajf . top) (trojan.rules)
2826122 - ETPRO TROJAN DNS Query to Cerber Domain (1nkkem . top) (trojan.rules)
2826123 - ETPRO TROJAN MSIL/Unk.CoinMiner CnC Install Activity (trojan.rules)
2826124 - ETPRO TROJAN DNS Query to Cerber Domain (17u2yg . top) (trojan.rules)
2826125 - ETPRO TROJAN DNS Query to Cerber Domain (17m14u . top) (trojan.rules)
2826126 - ETPRO TROJAN DNS Query to Cerber Domain (1mee2x . top) (trojan.rules)
2826127 - ETPRO TROJAN DNS Query to Cerber Domain (1g6evx . top) (trojan.rules)
2826128 - ETPRO TROJAN DNS Query to Cerber Domain (13bi2c . top) (trojan.rules)
2826129 - ETPRO TROJAN DNS Query to Cerber Domain (1j43kf . top) (trojan.rules)
2826130 - ETPRO TROJAN DNS Query to Cerber Domain (1evjph . top) (trojan.rules)
2826131 - ETPRO TROJAN DNS Query to Cerber Domain (1fnjrj . top) (trojan.rules)
2826132 - ETPRO TROJAN DNS Query to Cerber Domain (14szpx . top) (trojan.rules)

[///]     Modified active rules:     [///]

2020962 - ET TROJAN CozyDuke APT HTTP Checkin (trojan.rules)
2814860 - ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) (trojan.rules)
2815563 - ETPRO CURRENT_EVENTS Base64 Javascript URL Refresh - Common Phish Landing Obfuscation Dec 31 (current_events.rules)

[---]         Disabled rules:        [---]

2800075 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
2800076 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
2800077 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
2800078 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
2800079 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
2800080 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
2800081 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
2800082 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
2800083 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
2800084 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
2800085 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
2800086 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
2800087 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
2800088 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
2800101 - ETPRO ACTIVEX CA eTrust Intrusion Detection CallCode ActiveX Control Code Execution (activex.rules)
2800102 - ETPRO ACTIVEX CA eTrust Intrusion Detection CallCode ActiveX Control Code Execution (activex.rules)
2800117 - ETPRO ACTIVEX Microsoft Internet Explorer ActiveX Object Objectsafety Implementation Code Execution clsid Attempt (activex.rules)
2800119 - ETPRO ACTIVEX Microsoft Internet Explorer Pdwizard.ocx ActiveX Object Memory Corruption clsid (activex.rules)
2800120 - ETPRO ACTIVEX Microsoft Internet Explorer Pdwizard.ocx ActiveX Object Memory Corruption activex (activex.rules)
2800121 - ETPRO ACTIVEX Microsoft Internet Explorer Pdwizard.ocx ActiveX Object Memory Corruption (activex.rules)
2800141 - ETPRO EXPLOIT RealNetworks Helix DNA Server RTSP Service Heap Overflow (exploit.rules)
2800148 - ETPRO ACTIVEX Microsoft SQL Server Distributed Management Objects Buffer Overflow (activex.rules)
2800152 - ETPRO ACTIVEX Microsoft Windows MFC Library FileFind Class Heap Overflow (activex.rules)
2800190 - ETPRO SMTP IBM Lotus Notes MIF Attachment Viewer Buffer Overflow 1 (smtp.rules)
2800191 - ETPRO SMTP IBM Lotus Notes MIF Attachment Viewer Buffer Overflow 2 (smtp.rules)
2800216 - ETPRO ACTIVEX BitDefender Online Scanner ActiveX Control Buffer Overflow 1 (activex.rules)
2800217 - ETPRO ACTIVEX BitDefender Online Scanner ActiveX Control Buffer Overflow 2 (activex.rules)
2800218 - ETPRO ACTIVEX BitDefender Online Scanner ActiveX Control Buffer Overflow 3 (activex.rules)
2800219 - ETPRO ACTIVEX BitDefender Online Scanner ActiveX Control Buffer Overflow 4 (activex.rules)
2800220 - ETPRO ACTIVEX BitDefender Online Scanner ActiveX Control Buffer Overflow 5 (activex.rules)
2800221 - ETPRO ACTIVEX BitDefender Online Scanner ActiveX Control Buffer Overflow 6 (activex.rules)
2800231 - ETPRO EXPLOIT Apple QuickTime RTSP Response Crafted Content-Type Header Buffer Overflow 2 (exploit.rules)
2800258 - ETPRO ACTIVEX HP Software Update Tool ActiveX Control File Overwrite (activex.rules)
2800259 - ETPRO ACTIVEX HP Software Update Tool ActiveX Control File Overwrite (activex.rules)
2800271 - ETPRO ACTIVEX Microsoft Visual FoxPro vfp6r.dll DoCmd ActiveX Control Command Execution 1 (activex.rules)
2800272 - ETPRO ACTIVEX Microsoft Visual FoxPro vfp6r.dll DoCmd ActiveX Control Command Execution 2 (activex.rules)
2800292 - ETPRO EXPLOIT Sybase SQL Anywhere MobiLink Crafted Strings Buffer Overflow 1 (exploit.rules)
2800293 - ETPRO EXPLOIT Sybase SQL Anywhere MobiLink Crafted Strings Buffer Overflow 2 (exploit.rules)
2800294 - ETPRO EXPLOIT Sybase SQL Anywhere MobiLink Crafted Strings Buffer Overflow 3 (exploit.rules)
2800305 - ETPRO ACTIVEX Microsoft Office Web Components URL Parsing Buffer Overflow (activex.rules)
2800309 - ETPRO ACTIVEX Microsoft Office Web Components DateSource Code Execution 1 (activex.rules)
2800310 - ETPRO ACTIVEX Microsoft Office Web Components DateSource Code Execution 2 (activex.rules)
2800317 - ETPRO ACTIVEX CA Multiple Products ActiveX Control Use (activex.rules)
2800318 - ETPRO ACTIVEX CA Multiple Products ActiveX Control ListCtrl Use (activex.rules)
2800319 - ETPRO ACTIVEX CA Multiple Products ActiveX Control ListCtrl AddColumn Buffer Overflow 1 (activex.rules)
2800320 - ETPRO ACTIVEX CA Multiple Products ActiveX Control ListCtrl AddColumn Buffer Overflow 4 (activex.rules)
2800345 - ETPRO MALWARE BugsPrey (Init Connection) (malware.rules)
2800346 - ETPRO MALWARE BugsPrey (Init Connection Reply) (malware.rules)
2800353 - ETPRO ACTIVEX Microsoft SQL Server 2000 Client Components ActiveX Control Buffer Overflow 1 (activex.rules)
2800354 - ETPRO ACTIVEX Microsoft SQL Server 2000 Client Components ActiveX Control Buffer Overflow 2 (activex.rules)
2800358 - ETPRO ACTIVEX Macrovision InstallShield Update Service Agent ActiveX 1 (activex.rules)
2800359 - ETPRO ACTIVEX Macrovision InstallShield Update Service Agent ActiveX 2 (activex.rules)
2800360 - ETPRO ACTIVEX Macrovision InstallShield Update Service Agent ActiveX Memory Corruption (activex.rules)
2800361 - ETPRO TROJAN aSpy v2.12 (trojan.rules)
2800363 - ETPRO ACTIVEX Autodesk Multiple Products LiveUpdate ActiveX Control Code Execution 1 (activex.rules)
2800364 - ETPRO ACTIVEX Autodesk Multiple Products LiveUpdate ActiveX Control Code Execution 2 (activex.rules)
2800383 - ETPRO MALWARE LOST DOOR 3.0 (init connection) (malware.rules)
2800391 - ETPRO TROJAN SRaT 1.6 Checkin (trojan.rules)
2800404 - ETPRO ACTIVEX SAP GUI TabOne ActiveX Control Caption List Buffer Overflow 1 (activex.rules)
2800405 - ETPRO ACTIVEX SAP GUI TabOne ActiveX Control Caption List Buffer Overflow 2 (activex.rules)
2800406 - ETPRO ACTIVEX SAP GUI TabOne ActiveX Control Caption List Buffer Overflow 3 (activex.rules)
2800407 - ETPRO ACTIVEX SAP GUI TabOne ActiveX Control Caption List Buffer Overflow 4 (activex.rules)
2800418 - ETPRO SMTP Novell Groupwise Internet Agent RCPT Command Buffer Overflow (smtp.rules)
2800419 - ETPRO EXPLOIT Oracle Application Server Portal Cross Site Scripting (exploit.rules)
2800430 - ETPRO SQL MySQL XML Functions Scalar XPath Denial of Service (sql.rules)
2800431 - ETPRO SQL MySQL XML Functions Scalar XPath Denial of Service (sql.rules)
2800461 - ETPRO WEB_CLIENT Adobe Reader JavaScript getAnnots Method Memory Corruption (web_client.rules)
2800493 - ETPRO FTP Microsoft Internet Information Services FTP Server Remote Buffer Overflow (ftp.rules)
2800501 - ETPRO WEB_CLIENT FFmpeg OGV File Format Memory Corruption (web_client.rules)
2800502 - ETPRO ACTIVEX SAP GUI WebViewer3D ActiveX Control Arbitrary File Overwrite 1 (activex.rules)
2800503 - ETPRO ACTIVEX SAP GUI WebViewer3D ActiveX Control Arbitrary File Overwrite 2 (activex.rules)
2800504 - ETPRO ACTIVEX SAP GUI WebViewer3D ActiveX Control Arbitrary File Overwrite 3 (activex.rules)
2800505 - ETPRO ACTIVEX SAP GUI WebViewer3D ActiveX Control Arbitrary File Overwrite 4 (activex.rules)
2800506 - ETPRO ACTIVEX EMC Captiva QuickScan Pro KeyHelp ActiveX Control Buffer Overflow (activex.rules)

Date: Wednesday, April 26, 2017 - 00:00