Daily Ruleset Update Summary 2017/05/12 - Special Update

All, we have performed a ruleset update to bring you coverage for WannaCry Ransomware and associated infection activity. The regular update schedule will not be affected.

[***]            Summary:            [***]

2 new Open, 5 new Pro (2 + 3). WannaCry DNS Lookup, Bitcoin QR Code Generated via Btcfrog.com, Bank Phishing.

[+++]          Added rules:          [+++]

Open:

2024291 - ET TROJAN Possible WannaCry DNS Lookup (trojan.rules)
2024292 - ET INFO Bitcoin QR Code Generated via Btcfrog.com (info.rules)

Pro:

2826370 - ETPRO TROJAN Win32/TrojanDownloader.VB.RBO CnC Beacon (trojan.rules)
2826371 - ETPRO CURRENT_EVENTS Successful National Australia Bank Phish May 12 2017 (current_events.rules)
2826372 - ETPRO CURRENT_EVENTS Successful Suntrust Bank Phish May 12 2017 (current_events.rules)

[///]     Modified active rules:     [///]

2001569 - ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection (scan.rules)
2001579 - ET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection (scan.rules)
2001580 - ET SCAN Behavioral Unusual Port 137 traffic Potential Scan or Infection (scan.rules)
2001581 - ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection (scan.rules)
2001582 - ET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or Infection (scan.rules)
2001583 - ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection (scan.rules)
2001972 - ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound) (scan.rules)
2003380 - ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc) (trojan.rules)
2008017 - ET TROJAN Philis.J ICMP Sweep (Payload Hello World) (trojan.rules)
2008150 - ET MALWARE Avsystemcare.com Fake AV User-Agent (LocusSoftware NetInstaller) (malware.rules)
2008738 - ET TROJAN Suspicious Accept-Language HTTP Header zh-cn likely Kernelbot/Conficker Trojan Related (trojan.rules)
2009714 - ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt (web_server.rules)
2010087 - ET SCAN Suspicious User-Agent Containing SQL Inject/ion Likely SQL Injection Scanner (scan.rules)
2010088 - ET SCAN Suspicious User-Agent Containing Web Scan/er Likely Web Scanner (scan.rules)
2010089 - ET SCAN Suspicious User-Agent Containing Security Scan/ner Likely Scan (scan.rules)
2010284 - ET WEB_SERVER SELECT INSTR in URI Possible ORACLE Related Blind SQL Injection Attempt (web_server.rules)
2010285 - ET WEB_SERVER SELECT SUBSTR/ING in URI Possible Blind SQL Injection Attempt (web_server.rules)
2010494 - ET SCAN Multiple MySQL Login Failures Possible Brute Force Attempt (scan.rules)
2010625 - ET TROJAN FakeAV Landing Page (aid sid) (trojan.rules)
2010641 - ET SCAN ICMP @hello request Likely Precursor to Scan (scan.rules)
2010681 - ET SCAN ICMP Delphi Likely Precursor to Scan (scan.rules)
2010719 - ET WEB_SPECIFIC_APPS e107 CMS backdoor access admin-access cookie and HTTP POST (web_specific_apps.rules)
2011243 - ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like planetwork) (web_server.rules)
2011285 - ET WEB_SERVER Bot Search RFI Scan (Casper-Like Jcomers Bot scan) (web_server.rules)
2011457 - ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share Possible DLL Preloading Exploit Attempt (web_client.rules)
2011499 - ET WEB_CLIENT PDF With Embedded Adobe Shockwave Flash Possibly Related to Remote Code Execution Attempt (web_client.rules)
2011505 - ET WEB_CLIENT PDF With Embedded Flash Possible Remote Code Execution Attempt (web_client.rules)
2013479 - ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound) (scan.rules)
2017528 - ET WEB_SERVER UA WordPress probable DDOS-Attack (web_server.rules)
2018247 - ET TROJAN Snake rootkit usermode-centric client request (trojan.rules)
2018248 - ET TROJAN Snake rootkit usermode-centric encrypted command from server (trojan.rules)
2018872 - ET TROJAN Tor based locker .onion Proxy domain in SNI July 31 2014 (trojan.rules)
2018874 - ET TROJAN Tor based locker .onion Proxy DNS lookup July 31 2014 (trojan.rules)
2018877 - ET TROJAN Tor based locker knowledgewiki.info in SNI July 31 2014 (trojan.rules)
2018892 - ET TROJAN Zbot .onion Proxy domain in SNI Aug 04 2014 (trojan.rules)
2018893 - ET TROJAN Zbot .onion Proxy DNS lookup July 31 2014 (trojan.rules)
2019606 - ET TROJAN Poweliks Abnormal HTTP Headers high likelihood of Poweliks infection (trojan.rules)
2021630 - ET TROJAN MS Terminal Server Single Character Login possible Morto inbound (trojan.rules)
2808735 - ETPRO TROJAN Backdoor.Backtor DNS lookup Sep 03 2014 (trojan.rules)
2809169 - ETPRO TROJAN PE downloaded with malicious APT OPH certificate (CallTogether Inc.) (trojan.rules)
2815959 - ETPRO TROJAN APT Related DNS Lookup (PlugX Gh0st Bergard) (trojan.rules)
2816780 - ETPRO TROJAN Likely CN-APT (Gh0st PlugX or other implant) DNS Lookup (trojan.rules)
2816781 - ETPRO TROJAN Likely CN-APT (Gh0st PlugX or other implant) DNS Lookup (trojan.rules)
2816782 - ETPRO TROJAN Likely CN-APT (Gh0st PlugX or other implant) DNS Lookup (trojan.rules)
2816783 - ETPRO TROJAN Likely CN-APT (Gh0st PlugX or other implant) DNS Lookup (trojan.rules)
2816784 - ETPRO TROJAN Likely CN-APT (Gh0st PlugX or other implant) DNS Lookup (trojan.rules)
2816785 - ETPRO TROJAN Likely CN-APT (Gh0st PlugX or other implant) DNS Lookup (trojan.rules)
2821738 - ETPRO TROJAN Babylon RAT C2 Server Response (trojan.rules)
2822485 - ETPRO TROJAN Automated Tor EXE Download Possibly Raum Trojan (trojan.rules)

[///]    Modified inactive rules:    [///]

2001539 - ET MALWARE Spyspotter.com Access Likely Spyware (malware.rules)

Date: Friday, May 12, 2017 - 00:00