Daily Ruleset Update Summary 2017/10/25

[***]            Summary:            [***]

19 new Open, 32 new Pro (19 + 13). BadRabbit Driveby, AVTECH Vulns, Various Phishing, Various Mobile.

Thanks: @AttackDetection, @Antelox, @MichalPurzynski

[+++]          Added rules:          [+++]

Open:

2024911 - ET CURRENT_EVENTS Possible BadRabbit Driveby Download M1 Oct 24 2017 (current_events.rules)
2024912 - ET CURRENT_EVENTS Possible BadRabbit Driveby Download M2 Oct 24 2017 (current_events.rules)
2024913 - ET EXPLOIT D-Link 850L Password Extract Attempt (exploit.rules)
2024914 - ET EXPLOIT Netgear ReadyNAS Surveillance Unauthenticated Remote Command Execution (exploit.rules)
2024915 - ET EXPLOIT Possible Vacron NVR Remote Command Execution (exploit.rules)
2024916 - ET EXPLOIT Netgear DGN Remote Command Execution (exploit.rules)
2024917 - ET EXPLOIT AVTECH Unauthenticated Command Injection in DVR Devices (exploit.rules)
2024918 - ET EXPLOIT AVTECH Authenticated Command Injection in CloudSetup.cgi (exploit.rules)
2024919 - ET EXPLOIT AVTECH Authenticated Command Injection in adcommand.cgi (exploit.rules)
2024920 - ET EXPLOIT AVTECH Authenticated Command Injection in PwdGrp.cgi (exploit.rules)
2024921 - ET TROJAN IoT_reaper DNS Lookup M1 (trojan.rules)
2024922 - ET TROJAN IoT_reaper DNS Lookup M2 (trojan.rules)
2024923 - ET TROJAN IoT_reaper DNS Lookup M3 (trojan.rules)
2024924 - ET TROJAN Possible IoT_reaper ELF Binary Request M1 (set) (trojan.rules)
2024925 - ET TROJAN Possible IoT_reaper ELF Binary Request M2 (set) (trojan.rules)
2024926 - ET TROJAN Possible IoT_reaper ELF Binary Request M3 (set) (trojan.rules)
2024927 - ET TROJAN Possible IoT_reaper ELF Binary Request M4 (set) (trojan.rules)
2024928 - ET TROJAN Possible IoT_reaper ELF Binary Request M5 (set) (trojan.rules)
2024929 - ET TROJAN Possible IoT_reaper ELF Binary Download (trojan.rules)

Pro:

2828414 - ETPRO CURRENT_EVENTS Successful Yahoo Phish M1 Oct 25 2017 (current_events.rules)
2828415 - ETPRO CURRENT_EVENTS Successful Yahoo Phish M2 Oct 25 2017 (current_events.rules)
2828416 - ETPRO CURRENT_EVENTS Successful Impots.gouv.fr Phish Oct 25 2017 (current_events.rules)
2828417 - ETPRO CURRENT_EVENTS Successful Stripe Phish Oct 25 2017 (current_events.rules)
2828418 - ETPRO CURRENT_EVENTS Successful EDF (FR) Phish Oct 25 2017 (current_events.rules)
2828419 - ETPRO CURRENT_EVENTS Successful Mercado Livre Phish Oct 25 2017 (current_events.rules)
2828420 - ETPRO CURRENT_EVENTS Successful Netease Phish Oct 25 2017 (current_events.rules)
2828421 - ETPRO CURRENT_EVENTS Successful Paypal Phish Oct 25 2017 (current_events.rules)
2828422 - ETPRO CURRENT_EVENTS Successful Docusign Phish Oct 25 2017 (current_events.rules)
2828423 - ETPRO CURRENT_EVENTS Successful Santander Phish M1 Oct 25 2017 (current_events.rules)
2828424 - ETPRO CURRENT_EVENTS Successful Santander Phish M2 Oct 25 2017 (current_events.rules)
2828425 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.iz Contact Exfil via SMTP 29 (mobile_malware.rules)
2828426 - ETPRO CURRENT_EVENTS JS/Locky Downloader Checkin (current_events.rules)

[///]     Modified active rules:     [///]

2013508 - ET TROJAN Downloader User-Agent HTTPGET (trojan.rules)
2020215 - ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 5 (trojan.rules)
2024888 - ET TROJAN OSX/Proton.C/D Domain (eltima .in in DNS Lookup) (trojan.rules)
2024889 - ET TROJAN OSX/Proton.C/D Domain (eltima .in in TLS SNI) (trojan.rules)
2024890 - ET TROJAN OSX/Proton.C/D Domain (handbrakestore .com in DNS Lookup) (trojan.rules)
2024891 - ET TROJAN OSX/Proton.C/D Domain (handbrakestore .com in TLS SNI) (trojan.rules)
2024892 - ET TROJAN OSX/Proton.C/D Domain (handbrake .cc in DNS Lookup) (trojan.rules)
2024893 - ET TROJAN OSX/Proton.C/D Domain (handbrake .cc in TLS SNI) (trojan.rules)
2810290 - ETPRO TROJAN NanoCore RAT Keepalive Response 1 (trojan.rules)
2810291 - ETPRO TROJAN NanoCore RAT Keepalive Response 2 (trojan.rules)
2812901 - ETPRO CURRENT_EVENTS Successful Telstra Phish M2 Sep 04 2015 (current_events.rules)
2814915 - ETPRO CURRENT_EVENTS Adobe Shared Document Phish Landing Nov 13 2015 (current_events.rules)
2820666 - ETPRO CURRENT_EVENTS Successful Yahoo Phish M1 Jun 15 2016 (current_events.rules)
2823937 - ETPRO CURRENT_EVENTS Successful Generic Phish (302) Dec 16 2016 (current_events.rules)
2828399 - ETPRO TROJAN NanoCore RAT Keepalive Response 5 (trojan.rules)

[---]  Disabled and modified rules:  [---]

2024864 - ET TROJAN Possible Winnti-related Destination (trojan.rules)

Date: Wednesday, October 25, 2017 - 00:00