Daily Ruleset Update Summary 2017/05/09

[***]            Summary:            [***]

4 new Open, 49 new Pro (4 + 45). MAPP, OSX/Proton.B DNS, Turla SHIRIME DNS, Various Mobile, Various Phishing.

Thanks: @yanaimoyal

CVE to ET Sid mapping for MAPP:

CVE-2017-0171->2826329
CVE-2017-0221->2826330
CVE-2017-0227->2826331
CVE-2017-0228->2826332
CVE-2017-0234->2826333
CVE-2017-0236->2826334
CVE-2017-0238->2826335
CVE-2017-0240->2826336
CVE-2017-0259->2826337
CVE-2017-0263->2826338
CVE-2017-0266->2826339
CVE-2017-3069->2826340
CVE-2017-3070->2826341

[+++]          Added rules:          [+++]

Open:

2024283 - ET INFO Miniproxy Cloned Page - Possible Phishing Landing (info.rules)
2024284 - ET TROJAN OSX/Proton.B DNS Lookup (trojan.rules)
2024285 - ET TROJAN OSX/Proton.B Domain in SNI (trojan.rules)
2024286 - ET TROJAN Turla SHIRIME DNS Lookup (trojan.rules)

Pro:

2826298 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ic SMS/Contact Exfil via SMTP (mobile_malware.rules)
2826299 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ar Reporting via SMTP (mobile_malware.rules)
2826300 - ETPRO CURRENT_EVENTS Successful Alibaba Phish May 08 2017 (current_events.rules)
2826301 - ETPRO CURRENT_EVENTS Docusign Phishing Landing May 08 2017 (current_events.rules)
2826302 - ETPRO CURRENT_EVENTS Successful Apple iCloud Phish May 08 2017 (current_events.rules)
2826303 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 84 (mobile_malware.rules)
2826304 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 85 (mobile_malware.rules)
2826305 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 86 (mobile_malware.rules)
2826306 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 87 (mobile_malware.rules)
2826307 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 88 (mobile_malware.rules)
2826308 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 89 (mobile_malware.rules)
2826309 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 90 (mobile_malware.rules)
2826310 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 91 (mobile_malware.rules)
2826311 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 92 (mobile_malware.rules)
2826312 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 93 (mobile_malware.rules)
2826313 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 94 (mobile_malware.rules)
2826314 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 95 (mobile_malware.rules)
2826315 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 96 (mobile_malware.rules)
2826316 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 97 (mobile_malware.rules)
2826317 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 99 (mobile_malware.rules)
2826318 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 100 (mobile_malware.rules)
2826319 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 101 (mobile_malware.rules)
2826320 - ETPRO MOBILE_MALWARE Android BankBot Checkin 2 (mobile_malware.rules)
2826321 - ETPRO MOBILE_MALWARE Android BankBot Checkin 3 (mobile_malware.rules)
2826322 - ETPRO CURRENT_EVENTS Successful Paypal Phish May 09 2017 (current_events.rules)
2826323 - ETPRO MOBILE_MALWARE Android BankBot Checkin 4 (mobile_malware.rules)
2826324 - ETPRO CURRENT_EVENTS Successful Personalized Secure Cloud File Phish May 09 2017 (current_events.rules)
2826325 - ETPRO CURRENT_EVENTS Secure Cloud File Phishing Landing May 09 2017 (current_events.rules)
2826326 - ETPRO MOBILE_MALWARE Android BankBot CnC Beacon (mobile_malware.rules)
2826327 - ETPRO TROJAN W32/Emotet Empty CnC Beacon (trojan.rules)
2826328 - ETPRO EXPLOIT Microsoft Malware Protection Engine Remote Code Execution Vulnerability (CVE-2017-0290) (exploit.rules)
2826329 - ETPRO DOS MS DNS CHAOS Denial of Service (CVE-2017-0171) (dos.rules)
2826330 - ETPRO WEB_CLIENT Microsoft Edge Memory Corruption Vulnerability (CVE-2017-0221) (web_client.rules)
2826331 - ETPRO WEB_CLIENT Possible Edge Type Confusion Exploit (CVE-2017-0227) (web_client.rules)
2826332 - ETPRO WEB_CLIENT Possible Edge Chakra UAF Exploit (CVE-2017-0228) (web_client.rules)
2826333 - ETPRO WEB_CLIENT Scripting Engine Memory Corruption Vulnerability (CVE-2017-0234) (web_client.rules)
2826334 - ETPRO WEB_CLIENT Microsoft Edge Scripting Engine Memory Corruption (CVE-2017-0236) (web_client.rules)
2826335 - ETPRO WEB_CLIENT Possible Edge Type Confusion Exploit (CVE-2017-0238) (web_client.rules)
2826336 - ETPRO WEB_CLIENT Possible Edge UAF Exploit (CVE-2017-0240) (web_client.rules)
2826337 - ETPRO EXPLOIT Windows Kernel Information Disclosure Vulnerability (CVE-2017-0259) (exploit.rules)
2826338 - ETPRO EXPLOIT Win32k Elevation of Privilege Vulnerability (CVE-2017-0263) (exploit.rules)
2826339 - ETPRO WEB_CLIENT Microsoft Edge Chakra Core Type Confusion Vuln (CVE-2017-0266) (web_client.rules)
2826340 - ETPRO EXPLOIT Possible Adobe Flash BlendMode Vuln (CVE-2017-3069) (exploit.rules)
2826341 - ETPRO EXPLOIT Possible Adobe Flash BlendMode Vuln (CVE-2017-3070) (exploit.rules)
2826342 - ETPRO TROJAN MSIL/Agent.AUK CnC Checkin (trojan.rules)

[///]     Modified active rules:     [///]

2001622 - ET ACTIVEX winhlp32 ActiveX control attack - phase 1 (activex.rules)
2001623 - ET ACTIVEX winhlp32 ActiveX control attack - phase 2 (activex.rules)
2001624 - ET ACTIVEX winhlp32 ActiveX control attack - phase 3 (activex.rules)
2008476 - ET EXPLOIT Foofus.net Password dumping dll injection (exploit.rules)
2008830 - ET WEB_SPECIFIC_APPS DevelopItEasy Photo Gallery cat_id parameter SQL Injection (web_specific_apps.rules)
2008831 - ET WEB_SPECIFIC_APPS DevelopItEasy Photo Gallery photo_id parameter SQL Injection (web_specific_apps.rules)
2009229 - ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Parameter Remote File Inclusion (web_specific_apps.rules)
2009230 - ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Parameter Local File Inclusion (web_specific_apps.rules)
2012219 - ET WEB_SPECIFIC_APPS BetMore Site Suite mainx_a.php bid Parameter Blind SQL Injection Attempt (web_specific_apps.rules)
2012730 - ET TROJAN Known Hostile Domain ilo.brenz .pl Lookup (trojan.rules)
2013117 - ET WEB_SPECIFIC_APPS Apache Tomcat Sort Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
2013118 - ET WEB_SPECIFIC_APPS Apache Tomcat Orderby Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
2014726 - ET POLICY Outdated Windows Flash Version IE (policy.rules)
2015559 - ET CURRENT_EVENTS Cridex Self Signed SSL Certificate (TR Some-State Internet Widgits) (current_events.rules)
2020605 - ET CURRENT_EVENTS WindowBase64.atob Function In Edwards Packed JavaScript - Possible iFrame Injection Detected (current_events.rules)
2022859 - ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 03 2016 (current_events.rules)
2024282 - ET EXPLOIT Intel AMT Login Attempt Detected (CVE 2017-5689) (exploit.rules)
2808207 - ETPRO CURRENT_EVENTS Safe/Critx/FlashPack URI Struct June 18 2014 1 (current_events.rules)
2808208 - ETPRO CURRENT_EVENTS Safe/Critx/FlashPack URI Struct June 18 2014 2 (current_events.rules)
2808212 - ETPRO CURRENT_EVENTS Safe/Critx/FlashPack URI Struct June 19 2014 1 (current_events.rules)
2808213 - ETPRO CURRENT_EVENTS Safe/Critx/FlashPack URI Struct June 19 2014 2 (current_events.rules)
2816583 - ETPRO CURRENT_EVENTS Successful Apple Phish Mar 8 (current_events.rules)
2823549 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish Nov 30 2016 (current_events.rules)
2824604 - ETPRO MOBILE_MALWARE Anubis Android Loader / BankBot Checkin (mobile_malware.rules)

[---]         Disabled rules:        [---]

2000005 - ET EXPLOIT Cisco Telnet Buffer Overflow (exploit.rules)
2000007 - ET EXPLOIT Catalyst SSH protocol mismatch (exploit.rules)
2000010 - ET DOS Cisco 514 UDP flood DoS (dos.rules)
2000031 - ET EXPLOIT CVS server heap overflow attempt (target BSD) (exploit.rules)
2000048 - ET EXPLOIT CVS server heap overflow attempt (target Linux) (exploit.rules)
2000049 - ET EXPLOIT CVS server heap overflow attempt (target Solaris) (exploit.rules)
2000342 - ET EXPLOIT Squid NTLM Auth Overflow Exploit (exploit.rules)
2000366 - ET MALWARE Binet (download complete) (malware.rules)
2000367 - ET MALWARE Binet (set_pix) (malware.rules)
2000371 - ET MALWARE Binet (randreco.exe) (malware.rules)
2000377 - ET EXPLOIT MS-SQL heap overflow attempt (exploit.rules)
2000380 - ET EXPLOIT MS-SQL Spike buffer overflow (exploit.rules)
2000574 - ET MALWARE Bargain Buddy (malware.rules)
2000593 - ET MALWARE Binet Ad Retrieval (malware.rules)
2000903 - ET MALWARE Avres Agent Receiving Instructions (malware.rules)
2000931 - ET MALWARE Comet Systems Spyware Traffic (malware.rules)
2001033 - ET MALWARE Casino on Net Data Download (malware.rules)
2001041 - ET MALWARE Casino on Net Install (malware.rules)
2001198 - ET MALWARE Twaintec Download Attempt (malware.rules)
2001199 - ET MALWARE Twaintec Ad Retrieval (malware.rules)
2001228 - ET MALWARE Advertising.com Data Post (villains) (malware.rules)
2001230 - ET MALWARE Advertising.com Data Post (cakedeal) (malware.rules)
2001345 - ET MALWARE Bonziportal Traffic (malware.rules)
2001385 - ET EXPLOIT Possible ShixxNote buffer-overflow + remote shell attempt (exploit.rules)
2001441 - ET MALWARE Abox Install Report (malware.rules)
2001447 - ET MALWARE 2nd-thought (W32.Daqa.C) Download (malware.rules)
2001450 - ET MALWARE Wintools Download/Configure (malware.rules)
2001451 - ET MALWARE Bundleware Spyware Download (malware.rules)
2001452 - ET MALWARE Bundleware Spyware CHM Download (malware.rules)
2001458 - ET MALWARE Bundleware Spyware cab Download (malware.rules)
2001530 - ET MALWARE ak-networks.com Spyware Code Download (malware.rules)
2001655 - ET MALWARE Comet Systems Spyware Traffic (context.xml) (malware.rules)
2001658 - ET MALWARE Comet Systems Spyware Reporting (malware.rules)
2001730 - ET MALWARE A-d-w-a-r-e.com Activity (popup) (malware.rules)
2001735 - ET MALWARE A-d-w-a-r-e.com Activity (cmd) (malware.rules)
2001737 - ET MALWARE ak-networks.com Spyware Code Install (malware.rules)
2001742 - ET EXPLOIT Arkeia full remote access without password or authentication (exploit.rules)
2001780 - ET EXPLOIT Solaris TTYPROMPT environment variable set (exploit.rules)
2001795 - ET DOS Excessive SMTP MAIL-FROM DDoS (dos.rules)
2001885 - ET MALWARE Begin2Search.com Spyware (malware.rules)
2001988 - ET EXPLOIT MySQL MaxDB Buffer Overflow (exploit.rules)
2001990 - ET EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt (exploit.rules)
2001999 - ET MALWARE BTGrab.com Spyware Downloading Ads (malware.rules)
2002003 - ET MALWARE 180solutions Spyware Install (malware.rules)
2002048 - ET MALWARE 180solutions Spyware Defs Download (malware.rules)
2002065 - ET EXPLOIT Veritas backupexec_agent exploit (exploit.rules)
2002068 - ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon (exploit.rules)
2002089 - ET MALWARE CWS qck.cc Spyware Installer (in.php) (malware.rules)
2002095 - ET MALWARE CWS qck.cc Spyware Installer (web.php) (malware.rules)
2002099 - ET MALWARE 180solutions Spyware config Download (malware.rules)
2002101 - ET GAMES Battle.net Starcraft login (games.rules)
2002102 - ET GAMES Battle.net Brood War login (games.rules)
2002103 - ET GAMES Battle.net Diablo login (games.rules)
2002104 - ET GAMES Battle.net Diablo 2 login (games.rules)
2002105 - ET GAMES Battle.net Diablo 2 Lord of Destruction login (games.rules)
2002106 - ET GAMES Battle.net Warcraft 2 login (games.rules)
2002107 - ET GAMES Battle.net Warcraft 3 login (games.rules)
2002108 - ET GAMES Battle.net Warcraft 3 The Frozen throne login (games.rules)
2002109 - ET GAMES Battle.net old game version (games.rules)
2002110 - ET GAMES Battle.net invalid version (games.rules)
2002111 - ET GAMES Battle.net invalid cdkey (games.rules)
2002112 - ET GAMES Battle.net cdkey in use (games.rules)
2002113 - ET GAMES Battle.net banned key (games.rules)
2002114 - ET GAMES Battle.net wrong product (games.rules)
2002115 - ET GAMES Battle.net failed account login (OLS) wrong password (games.rules)
2002116 - ET GAMES Battle.net failed account login (NLS) wrong password (games.rules)
2002118 - ET GAMES Battle.net user in channel (games.rules)
2002119 - ET GAMES Battle.net outgoing chat message (games.rules)
2002138 - ET GAMES World of Warcraft connection (games.rules)
2002139 - ET GAMES World of Warcraft failed logon (games.rules)
2002140 - ET GAMES Battle.net user joined channel (games.rules)
2002141 - ET GAMES Battle.net user left channel (games.rules)
2002142 - ET GAMES Battle.net received whisper message (games.rules)
2002143 - ET GAMES Battle.net received server broadcast (games.rules)
2002144 - ET GAMES Battle.net joined channel (games.rules)
2002145 - ET GAMES Battle.net user had a flags update (games.rules)
2002146 - ET GAMES Battle.net sent a whisper (games.rules)
2002147 - ET GAMES Battle.net channel full (games.rules)
2002148 - ET GAMES Battle.net channel doesn't exist (games.rules)
2002149 - ET GAMES Battle.net channel is restricted (games.rules)
2002150 - ET GAMES Battle.net informational message (games.rules)
2002151 - ET GAMES Battle.net error message (games.rules)
2002152 - ET GAMES Battle.net 'emote' message (games.rules)
2002155 - ET GAMES Steam connection (games.rules)
2002170 - ET GAMES Battle.net incoming chat message (games.rules)
2002181 - ET EXPLOIT Backup Exec Windows Agent Remote File Access - Attempt (exploit.rules)
2002182 - ET EXPLOIT Backup Exec Windows Agent Remote File Access - Vulnerable (exploit.rules)
2002349 - ET MALWARE Alexa Spyware Reporting URL (malware.rules)
2002351 - ET MALWARE Comet Systems Spyware Update Download (malware.rules)
2002352 - ET MALWARE Comet Systems Spyware Context Report (malware.rules)
2002354 - ET MALWARE 180solutions Spyware versionconfig POST (malware.rules)
2002406 - ET EXPLOIT TAC Attack Directory Traversal (exploit.rules)
2002845 - ET EXPLOIT MSSQL Hello Overflow Attempt (exploit.rules)
2002852 - ET EXPLOIT HP-UX Printer LPD Command Insertion (exploit.rules)
2002886 - ET EXPLOIT SYS get_domain_index_metadata Privilege Escalation Attempt (exploit.rules)
2002887 - ET EXPLOIT SYS get_domain_index_tables Access (exploit.rules)
2002888 - ET EXPLOIT SYS get_v2_domain_index_tables Privilege Escalation Attempt (exploit.rules)
2002896 - ET EXPLOIT Symantec Scan Engine Request Password Hash (exploit.rules)
2002933 - ET MALWARE CWS Spy-Sheriff.com Infeced Buy Page Request (malware.rules)
2822415 - ETPRO CURRENT_EVENTS Successful Adobe PDF Online Phish Oct 05 2016 (current_events.rules)

Date: Tuesday, May 9, 2017 - 00:00