Daily Ruleset Update Summary 2017/11/01

[***]            Summary:            [***]

1 new Open, 9 new Pro (1 + 8). Oracle Identity Manager Attempt, Win32/LockeR, Various Phishing, Various Mobile.

[+++]          Added rules:          [+++]

Open:

2024941 - ET EXPLOIT Possible Oracle Identity Manager Attempt to Logon with default account (exploit.rules)

Pro:

2828482 - ETPRO TROJAN Win32/LockeR Ransomware CnC Activity (trojan.rules)
2828483 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 241 (mobile_malware.rules)
2828484 - ETPRO CURRENT_EVENTS Successful Spotify Phish M1 Nov 01 2017 (current_events.rules)
2828485 - ETPRO CURRENT_EVENTS Successful Spotify Phish M2 Nov 01 2017 (current_events.rules)
2828486 - ETPRO CURRENT_EVENTS Successful Generic Mailbox Phish Nov 01 2017 (current_events.rules)
2828488 - ETPRO POLICY External IP Lookup Domain (iplogger .com in TLS SNI) (policy.rules)
2828489 - ETPRO TROJAN Win32.Trojan.hh CnC Activity (trojan.rules)
2828490 - ETPRO TROJAN Meterpreter SSL Certificate (trojan.rules)

[///]     Modified active rules:     [///]

2011456 - ET WEB_CLIENT PROPFIND Flowbit Set (web_client.rules)
2011457 - ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share Possible DLL Preloading Exploit Attempt (web_client.rules)
2016530 - ET TROJAN W32/Asprox.FakeAV Affiliate Second Stage Download Location Request (trojan.rules)
2016531 - ET TROJAN W32/Asprox.FakeAV Affiliate Download Location Response - Likely Pay-Per-Install For W32/Papras.Spy or W32/ZeroAccess (trojan.rules)
2024937 - ET TROJAN Downeks/Quasar DNS Lookup (cloudns .club) (trojan.rules)
2024938 - ET TROJAN Downeks/Quasar DNS Lookup (topsite .life) (trojan.rules)
2024939 - ET TROJAN Downeks/Quasar DNS Lookup (updatesforme .club) (trojan.rules)
2816609 - ETPRO CURRENT_EVENTS Successful Free.fr Phish Mar 10 2016 (current_events.rules)
2826070 - ETPRO TROJAN Silence Downloader Dropped by CVE-2017-0199 (trojan.rules)
2826518 - ETPRO TROJAN DNS Query matching Cerber Domain Format (.top TLD) (trojan.rules)
2827133 - ETPRO POLICY Observed DNS Request to iplogger.com for External IP Address Lookup (policy.rules)
2827246 - ETPRO TROJAN DNS Query matching Cerber Domain Format (.bid TLD) (trojan.rules)

[///]    Modified inactive rules:    [///]

2800656 - ETPRO DOS Microsoft Windows Active Directory LDAP SearchRequest Denial of Service Attempt 2 (dos.rules)

[---]  Disabled and modified rules:  [---]

2003479 - ET POLICY Radmin Remote Control Session Setup Initiate (policy.rules)
2013936 - ET POLICY SSH banner detected on TCP 443 likely proxy evasion (policy.rules)
2021307 - ET CURRENT_EVENTS CottonCastle/Niteris EK Exploit URI Struct June 19 2015 (current_events.rules)
2021309 - ET CURRENT_EVENTS CottonCastle/Niteris EK Flash Exploit URI Struct June 19 2015 (current_events.rules)
2023017 - ET TELNET SUSPICIOUS busybox shell (telnet.rules)
2023018 - ET TELNET SUSPICIOUS busybox enable (telnet.rules)
2800654 - ETPRO DOS Microsoft Windows Active Directory LDAP SearchRequest Denial of Service Attempt Flowbit Set (dos.rules)
2800701 - ETPRO EXPLOIT Nullsoft Winamp Midi File Header Handling Buffer Overflow (exploit.rules)
2802960 - ETPRO TROJAN Win32.SpyEye.cuk Checkin flowbit SET (trojan.rules)
2803427 - ETPRO TROJAN Common Trojan Header Pattern Accept with double slash (trojan.rules)
2804964 - ETPRO TROJAN Win32.Nitol.B/Ahea.gen Checkin (trojan.rules)
2816338 - ETPRO CURRENT_EVENTS Possible Angler EK SilverLight Exploit Feb 22 M1 (current_events.rules)
2821706 - ETPRO CURRENT_EVENTS Docusign Phishing Landing Aug 17 2016 (current_events.rules)
2823170 - ETPRO CURRENT_EVENTS MalDoc Requesting Payload Nov 08 (current_events.rules)
2823253 - ETPRO CURRENT_EVENTS MalDoc Requesting Payload Nov 14 2016 (current_events.rules)
2823861 - ETPRO CURRENT_EVENTS Successful Captcha Entered Leading to Ursnif Download Dec 13 2016 (current_events.rules)
2823894 - ETPRO CURRENT_EVENTS Magnitude EK Landing Dec 14 2016 (current_events.rules)

[---]         Disabled rules:        [---]

2002850 - ET FTP USER login flowbit (ftp.rules)
2010647 - ET TROJAN Lethic Spambot CnC Initial Connect Bot Response (trojan.rules)
2011241 - ET EXPLOIT M3U File Request Flowbit Set (exploit.rules)
2018855 - ET TROJAN Possible ClickFraud Trojan Socks5 Connection (trojan.rules)
2021630 - ET TROJAN MS Terminal Server Single Character Login possible Morto inbound (trojan.rules)
2800615 - ETPRO EXPLOIT MailEnable IMAP Service Name Buffer Overflow (exploit.rules)
2800710 - ETPRO WEB_CLIENT Apple QuickTime RTSP URL Buffer Overflow (web_client.rules)
2802909 - ETPRO TROJAN Backdoor.Win32.Dorkbot.B IRC Login (trojan.rules)
2802912 - ETPRO TROJAN Backdoor.Nervos.A Checkin to Server (trojan.rules)
2803051 - ETPRO NETBIOS Microsoft Windows OLE Automation Remote Code Execution SMB-DS Unicode (netbios.rules)
2803052 - ETPRO NETBIOS Microsoft Windows OLE Automation Remote Code Execution SMB-DS ASCII (netbios.rules)
2803054 - ETPRO NETBIOS Microsoft Windows OLE Automation Remote Code Execution SET (netbios.rules)
2803209 - ETPRO TROJAN Trojan.Win32.Orsam Checkin Flowbit Set (trojan.rules)
2803384 - ETPRO EXPLOIT Sybase Open Server Null Byte Stack Memory Corruption - SET (exploit.rules)
2803403 - ETPRO WORM Worm.Win32.Autorun.hi Checkin - SET (worm.rules)
2803453 - ETPRO TROJAN PSWTool.Win32.PassView.b FTP Push of User Data Flowbit SET (trojan.rules)
2803563 - ETPRO WORM Worm.Win32.Morto.A Propagating via Windows Remote Desktop Protocol Flowbit Set (worm.rules)
2803603 - ETPRO TROJAN Trojan.Win32.Agent.dcir Checkin (trojan.rules)
2803617 - ETPRO TROJAN Trojan.Win32.Buzus.hond Checkin 2 - SET (trojan.rules)
2803781 - ETPRO TROJAN Trojan-Spy.W32/Banker.JGT Checkin - SET (trojan.rules)
2803950 - ETPRO TROJAN Trojan.Win32.Jorik.IRCbot.ddj Joining IRC channel - SET (trojan.rules)
2803964 - ETPRO SCADA IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS - SET (scada.rules)
2803992 - ETPRO TROJAN Backdoor.Win32/Rbot.gen Joining IRC channel - SET (trojan.rules)
2804019 - ETPRO TROJAN Trojan-Downloader.Win32.Generic Install - SET (trojan.rules)
2804041 - ETPRO TROJAN PSW.Banker6.KTO Checkin - SET (trojan.rules)
2804534 - ETPRO TROJAN worm.win32/duptwux.a Checkin - SET (trojan.rules)
2804583 - ETPRO MALWARE Generic AdClicker.p Install - SET (malware.rules)
2804839 - ETPRO TROJAN Trojan-Dropper.Win32.Injector.dvnk Checkin - SET (trojan.rules)
2804912 - ETPRO WEB_CLIENT RTMPmsg Traffic (web_client.rules)
2804913 - ETPRO WEB_CLIENT RTMPmsg Traffic 2 (web_client.rules)
2805016 - ETPRO TROJAN Unknown Chinese Malware getting config INSTALL (trojan.rules)
2805142 - ETPRO CURRENT_EVENTS Possible WORM W32.Printlove spreading via cve 2010-2729 (SPOOLSS StartDocPrinter request SET) (current_events.rules)
2805363 - ETPRO TROJAN DATCK/BYCC DDOS bot Checkin - SET (trojan.rules)
2807198 - ETPRO WEB_CLIENT SUSPICIOUS WordPerfect Document with .doc extension 1 (web_client.rules)
2807199 - ETPRO WEB_CLIENT SUSPICIOUS WordPerfect Document with .doc extension 2 (web_client.rules)
2807719 - ETPRO TROJAN PSW.Win32.Agent.afag Checkin (trojan.rules)
2825622 - ETPRO WEB_SERVER JexBoss Common URI struct Observed 3 (INBOUND) (web_server.rules)
2825623 - ETPRO WEB_SERVER JexBoss Common URI struct Observed 4 (INBOUND) (web_server.rules)
2826174 - ETPRO TROJAN Possible Hajime Beacon (set) (trojan.rules)

Date: Wednesday, November 1, 2017 - 00:00