Daily Ruleset Update Summary 2017/11/28

[***]            Summary:            [***]

18 new Open, 20 new Pro (2 + 18). Win32/Ropest.H, Win32/DarkNeuron, Various Mobile.

Thanks: @AttackDetection

[+++]          Added rules:          [+++]

Open:

2025064 - ET CURRENT_EVENTS Possible Neutrino EK Landing Landing URI Struct (fb set) (current_events.rules)
2025065 - ET TROJAN Backdoor.Perl.Shellbot.cd IRC Bot that have DoS/DDoS functions (trojan.rules)
2025066 - ET CHAT IRC USER Likely bot with 0 0 colon checkin (chat.rules)
2025067 - ET CHAT IRC USER Off-port Likely bot with 0 0 colon checkin (chat.rules)
2025068 - ET TROJAN Win32/Ropest.H CnC - INBOUND set (trojan.rules)
2025069 - ET TROJAN Win32/Ropest.H CnC - INBOUND (trojan.rules)
2025070 - ET TROJAN Possible Win32/Atraps Receiving Config via Image File (steganography) (trojan.rules)
2025071 - ET CURRENT_EVENTS Bingo Exploit Kit Landing May 082017 (current_events.rules)
2025072 - ET TROJAN Patchwork DNS Tunneling (nsn1.winodwsupdates .me) (trojan.rules)
2025073 - ET TROJAN Patchwork Domain (randreports .org in DNS Lookup) (trojan.rules)
2025074 - ET TROJAN [PTsecurity] Bladabindi/njRAT (HAMAD versions) (trojan.rules)
2025075 - ET TROJAN Brazilian Banker SSL Cert (trojan.rules)
2025076 - ET TROJAN Brazilian Banker SSL Cert (trojan.rules)
2025077 - ET TROJAN [PTsecurity] Bladabindi/njRAT (Dd19271927) (trojan.rules)
2025078 - ET TROJAN Mirai Variant Domain (bigboatreps .pw in DNS Lookup) (trojan.rules)
2025079 - ET TROJAN Mirai Variant Domain (blacklister .nl in DNS Lookup) (trojan.rules)
2025080 - ET EXPLOIT Actiontec C1000A backdoor account M1 (exploit.rules)
2025081 - ET TROJAN Patchwork Domain (rannd .org in DNS Lookup) (trojan.rules)

Pro:

2828711 - ETPRO TROJAN Win32/DarkNeuron POST Request to CnC (trojan.rules)
2828712 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Agent.ck Checkin (mobile_malware.rules)

[///]     Modified active rules:     [///]

2017946 - ET TROJAN Agent.BAAB Checkin (trojan.rules)
2020747 - ET TROJAN Win32.Chroject.B Requesting ClickFraud Commands from CnC (trojan.rules)
2020837 - ET CURRENT_EVENTS Malicious Doc Download EXE Primer (flowbits set) (current_events.rules)
2020838 - ET CURRENT_EVENTS Malicious Doc Downloading EXE (current_events.rules)
2024980 - ET EXPLOIT Actiontec C1000A backdoor account M2 (exploit.rules)
2025063 - ET EXPLOIT Exim4 UAF Attempt (BDAT with non-printable chars) (exploit.rules)
2801301 - ETPRO USER_AGENTS Select Rebates Spyware UA Detected (user_agents.rules)
2805218 - ETPRO TROJAN Rogue.Win32/Winwebsec Install 3 (trojan.rules)
2809579 - ETPRO TROJAN Win32/Sality.AT Checkin (trojan.rules)
2810678 - ETPRO MALWARE Win32/4Shared Variant CnC Beacon (malware.rules)
2820270 - ETPRO TROJAN Win32.Floxif.A Checkin (trojan.rules)
2821948 - ETPRO TROJAN Trojan.MSIL.Ranos.A Bot USER Command (trojan.rules)

[///]    Modified inactive rules:    [///]

2820646 - ETPRO NETBIOS Tree Connect AndX Request IPC$ Unicode (netbios.rules)

[---]         Disabled rules:        [---]

2017296 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack Jar Download (current_events.rules)
2017297 - ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download (current_events.rules)
2017300 - ET CURRENT_EVENTS Rawin -TDS - POST w/Java Version (current_events.rules)
2017301 - ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application page landing (current_events.rules)
2017302 - ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application - findloader (current_events.rules)
2017306 - ET CURRENT_EVENTS 0f2490 Hacked Site Response (Inbound) (current_events.rules)
2017307 - ET CURRENT_EVENTS 0f2490 Hacked Site Response (Outbound) (current_events.rules)
2017328 - ET CURRENT_EVENTS Unknown EK setSecurityManager hex August 142013 (current_events.rules)
2017333 - ET CURRENT_EVENTS Styx EK - /jvvn.html (current_events.rules)
2017370 - ET CURRENT_EVENTS AutoIT C&C Check-In2013-08-23 URL (current_events.rules)
2017387 - ET CURRENT_EVENTS Unknown EK Landing Aug 272013 (current_events.rules)
2017388 - ET CURRENT_EVENTS Possible Sweet Orange Payload Download Aug 282013 (current_events.rules)
2017435 - ET CURRENT_EVENTS Unknown Bleeding EK Variant Landing JAR Sep 062013 (current_events.rules)
2017450 - ET CURRENT_EVENTS Sakura Sep 102013 (current_events.rules)
2017467 - ET CURRENT_EVENTS CottonCastle EK Java Jar (current_events.rules)
2017469 - ET CURRENT_EVENTS Possible SNET EK VBS Download (current_events.rules)
2017473 - ET CURRENT_EVENTS Possible CoolEK Variant Payload Download Sep 162013 (current_events.rules)
2017483 - ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass (current_events.rules)
2017484 - ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass (current_events.rules)
2017485 - ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass (current_events.rules)
2017486 - ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass (current_events.rules)
2017488 - ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass (current_events.rules)
2017497 - ET CURRENT_EVENTS Rawin EK - Java Exploit - bona.jar (current_events.rules)
2017503 - ET CURRENT_EVENTS Unknown EK Used in various watering hole attacks (current_events.rules)
2017506 - ET CURRENT_EVENTS Sakura - Java Exploit Recieved - Atomic (current_events.rules)
2017507 - ET CURRENT_EVENTS Cushion Redirection (current_events.rules)
2017509 - ET CURRENT_EVENTS Possible J7u21 click2play bypass (current_events.rules)
2017529 - ET CURRENT_EVENTS LightsOut EK Payload Download (current_events.rules)
2017530 - ET CURRENT_EVENTS Possible LightsOut EK info3i.html (current_events.rules)
2017531 - ET CURRENT_EVENTS Possible LightsOut EK info3i.php (current_events.rules)
2017532 - ET CURRENT_EVENTS Possible LightsOut EK inden2i.html (current_events.rules)
2017534 - ET CURRENT_EVENTS Possible LightsOut EK leks.html (current_events.rules)
2017535 - ET CURRENT_EVENTS Possible LightsOut EK negc.html (current_events.rules)
2017536 - ET CURRENT_EVENTS Possible LightsOut EK negq.html (current_events.rules)
2017537 - ET CURRENT_EVENTS Possible LightsOut EK leks.jar (current_events.rules)
2017538 - ET CURRENT_EVENTS Possible LightsOut EK start.jar (current_events.rules)
2017539 - ET CURRENT_EVENTS Possible LightsOut EK stoq.jar (current_events.rules)
2017540 - ET CURRENT_EVENTS Possible LightsOut EK erno_rfq.html (current_events.rules)
2017541 - ET CURRENT_EVENTS Possible LightsOut EK inden2i.php (current_events.rules)
2017542 - ET CURRENT_EVENTS Possible LightsOut EK gami.html (current_events.rules)
2017543 - ET CURRENT_EVENTS Possible LightsOut EK gami.jar (current_events.rules)
2017546 - ET CURRENT_EVENTS Possible FortDisco POP3 Site list download (current_events.rules)
2017547 - ET CURRENT_EVENTS CoolEK Jar Download Sep 302013 (current_events.rules)
2017553 - ET CURRENT_EVENTS HiMan EK Reporting Host/Exploit Info (current_events.rules)
2017564 - ET CURRENT_EVENTS Unknown EK Landing (current_events.rules)
2017576 - ET CURRENT_EVENTS Styx EK jply.html (current_events.rules)
2017577 - ET CURRENT_EVENTS Fiesta EK Landing Oct 092013 (current_events.rules)
2017578 - ET CURRENT_EVENTS Fake MS Security Update EK (Payload Download) (current_events.rules)
2017580 - ET CURRENT_EVENTS DotkaChef Payload October 09 (current_events.rules)
2017589 - ET CURRENT_EVENTS Unknown EK Initial Payload Internet Connectivity Check (current_events.rules)
2017590 - ET CURRENT_EVENTS D-LINK Router Backdoor via Specific UA (current_events.rules)
2017591 - ET CURRENT_EVENTS Unknown Malvertising Related EK Landing Oct 142013 (current_events.rules)
2017592 - ET CURRENT_EVENTS Unknown Malvertising Related EK Redirect Oct 142013 (current_events.rules)
2017593 - ET CURRENT_EVENTS Neutrino EK Landing URI Format Oct 152013 (current_events.rules)
2017602 - ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 162013 (current_events.rules)
2017621 - ET CURRENT_EVENTS Possible Cutwail Redirect to Magnitude EK (current_events.rules)
2017623 - ET CURRENT_EVENTS Tenda Router Backdoor 1 (current_events.rules)
2017624 - ET CURRENT_EVENTS Tenda Router Backdoor 2 (current_events.rules)
2017625 - ET CURRENT_EVENTS 81a338 Hacked Site Response (Outbound) (current_events.rules)
2017626 - ET CURRENT_EVENTS 81a338 Hacked Site Response (Inbound) (current_events.rules)
2017628 - ET CURRENT_EVENTS Possible Sakura Jar Download Oct 222013 (current_events.rules)
2017629 - ET CURRENT_EVENTS FlashPack Oct 232013 (current_events.rules)
2017631 - ET CURRENT_EVENTS Netgear WNDR4700 Auth Bypass (current_events.rules)
2017632 - ET CURRENT_EVENTS Netgear WNDR3700 Auth Bypass (current_events.rules)
2017638 - ET CURRENT_EVENTS Alpha Networks ADSL2/2+ router remote administration password disclosure (current_events.rules)
2017644 - ET CURRENT_EVENTS Host Domain .bit (current_events.rules)
2017652 - ET CURRENT_EVENTS Possible Neutrino EK Landing URI Format Nov 12013 (current_events.rules)
2017660 - ET CURRENT_EVENTS Malicious Cookie Set By Flash Malvertising (current_events.rules)
2017663 - ET CURRENT_EVENTS Fredcot campaign php5-cgi initial exploit (current_events.rules)
2017664 - ET CURRENT_EVENTS Fredcot campaign payload download (current_events.rules)
2017665 - ET CURRENT_EVENTS Fredcot campaign IRC CnC (current_events.rules)
2017696 - ET CURRENT_EVENTS FaceBook IM & Web Driven Facebook Trojan Download (current_events.rules)
2017698 - ET CURRENT_EVENTS Magnitude Landing Nov 112013 (current_events.rules)
2017711 - ET CURRENT_EVENTS Possible Fake Codec Download (current_events.rules)
2017735 - ET CURRENT_EVENTS WhiteLotus EK PluginDetect Nov 202013 (current_events.rules)
2017739 - ET CURRENT_EVENTS Possible WhiteLotus Java Payload (current_events.rules)
2017744 - ET CURRENT_EVENTS StyX EK Payload Cookie (current_events.rules)
2017745 - ET CURRENT_EVENTS Fake Media Player malware binary requested (current_events.rules)
2017786 - ET CURRENT_EVENTS SNET EK Activity Nov 272013 (current_events.rules)
2017789 - ET CURRENT_EVENTS JJEncode Encoded Script Inside of PDF Likely Evil (current_events.rules)
2017791 - ET CURRENT_EVENTS Polling/Check-in/Compromise from fake DHL mailing campaign (current_events.rules)
2017792 - ET CURRENT_EVENTS Hostile fake DHL mailing campaign (current_events.rules)
2017794 - ET CURRENT_EVENTS HiMan EK - Flash Exploit (current_events.rules)
2017796 - ET CURRENT_EVENTS HiMan EK - Landing Page (current_events.rules)
2017797 - ET CURRENT_EVENTS HiMan EK - TDS - POST hyt= (current_events.rules)
2017813 - ET CURRENT_EVENTS Safe/CritX/FlashPack Payload (current_events.rules)
2017815 - ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Edwards Packed PluginDetect (current_events.rules)
2017819 - ET CURRENT_EVENTS Styx EK iexp.html (current_events.rules)
2017826 - ET CURRENT_EVENTS SPL2 EK Landing Dec 092013 (current_events.rules)
2017827 - ET CURRENT_EVENTS SPL2 EK Dec 092013 Java Request (current_events.rules)
2017840 - ET CURRENT_EVENTS Styx Exploit Kit - JAR Exploit (current_events.rules)
2017844 - ET CURRENT_EVENTS Styx Exploit Kit - EOT Exploit (current_events.rules)
2017847 - ET CURRENT_EVENTS Browlock Landing Page URI Struct (current_events.rules)
2017848 - ET CURRENT_EVENTS SPL2 EK SilverLight (current_events.rules)
2017851 - ET CURRENT_EVENTS HiMan EK Exploit URI Struct (current_events.rules)
2017852 - ET CURRENT_EVENTS HiMan EK Secondary Landing (current_events.rules)
2017874 - ET CURRENT_EVENTS W32/BitCoinMiner Fake Flash Player Distribution Campaign - December2013 (current_events.rules)
2017905 - ET CURRENT_EVENTS SofosFO/GrandSoft PDF (current_events.rules)
2017906 - ET CURRENT_EVENTS TDS Unknown_.aso - URI - IP.aso (current_events.rules)
2017907 - ET CURRENT_EVENTS GoonEK Landing with CVE-2013-2551 Dec 292013 (current_events.rules)
2017957 - ET CURRENT_EVENTS GoonEK Landing Jan 102014 (current_events.rules)
2017958 - ET CURRENT_EVENTS Possible Neutrino EK SilverLight Exploit Jan 112014 (current_events.rules)
2017987 - ET CURRENT_EVENTS Upatre SSL Compromised site appsredeeem (current_events.rules)
2017995 - ET CURRENT_EVENTS GoonEK Landing Jan 212013 SilverLight 1 (current_events.rules)
2017996 - ET CURRENT_EVENTS GoonEK Landing Jan 212013 SilverLight 2 (current_events.rules)
2017997 - ET CURRENT_EVENTS GoonEK Landing Jan 212013 SilverLight 3 (current_events.rules)
2018011 - ET CURRENT_EVENTS Fiesta EK Landing Jan 242013 (current_events.rules)
2018029 - ET CURRENT_EVENTS ehow/livestrong Malicious Flash 10/11 (current_events.rules)
2018035 - ET CURRENT_EVENTS StyX Landing Jan 292014 (current_events.rules)
2018041 - ET CURRENT_EVENTS Current Asprox Spam Campaign (current_events.rules)
2018127 - ET CURRENT_EVENTS Goon EK Java JNLP URI Struct Feb 122014 (current_events.rules)
2018135 - ET CURRENT_EVENTS Current Asprox Spam Campaign 2 (current_events.rules)
2018161 - ET CURRENT_EVENTS Possible GoonEK Landing Feb 192014 1 (current_events.rules)
2018162 - ET CURRENT_EVENTS Malicious Redirect Evernote Spam Campaign Feb 192014 (current_events.rules)
2018163 - ET CURRENT_EVENTS GoonEK Landing Feb 192014 2 (current_events.rules)
2018177 - ET CURRENT_EVENTS OnClick Anti-BOT TDS POST Feb 252014 (current_events.rules)
2018178 - ET CURRENT_EVENTS OnClick Anti-BOT TDS Hidden Form Feb 252014 (current_events.rules)
2018190 - ET CURRENT_EVENTS Possible FakeAV .exe.vbe HTTP Content-Disposition (current_events.rules)
2018196 - ET CURRENT_EVENTS Malicious Spam Redirection Feb 282014 (current_events.rules)
2018206 - ET CURRENT_EVENTS Hello/LightsOut EK Secondary Landing (current_events.rules)
2018207 - ET CURRENT_EVENTS LightsOut EK Exploit/Payload Request (current_events.rules)
2018209 - ET CURRENT_EVENTS Rawin EK Java fakav.jar (current_events.rules)
2018227 - ET CURRENT_EVENTS Rawin Flash Landing URI Struct March 052014 (current_events.rules)
2018235 - ET CURRENT_EVENTS CritX/SafePack/FlashPack CVE-2013-2551 (current_events.rules)
2018236 - ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight Secondary Landing (current_events.rules)
2018237 - ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight file as eot (current_events.rules)
2018238 - ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javadb.php (current_events.rules)
2018239 - ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javaim.php (current_events.rules)
2018240 - ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javarh.php (current_events.rules)
2018298 - ET CURRENT_EVENTS GoonEK Landing Mar 202014 (current_events.rules)
2018348 - ET CURRENT_EVENTS Possible Deep Panda WateringHole Related URI Struct (current_events.rules)
2018352 - ET CURRENT_EVENTS Possible FakeAV binary download (setup) (current_events.rules)
2018357 - ET CURRENT_EVENTS EvilTDS Redirection (current_events.rules)
2018408 - ET CURRENT_EVENTS Fiesta PDF Exploit Download (current_events.rules)
2018410 - ET CURRENT_EVENTS Fiesta Flash Exploit Download (current_events.rules)
2018439 - ET CURRENT_EVENTS Common Bad Actor Indicators Used in Various Targeted 0-day Attacks (current_events.rules)
2802583 - ETPRO TROJAN Backdoor.Win32.Qakbot.E (Backdoor Communication) (trojan.rules)
2804838 - ETPRO TROJAN Savit.A Checkin (trojan.rules)
2809257 - ETPRO EXPLOIT SChannel Possible Heap Overflow CVE-2014-6321 TLSv1.1 (exploit.rules)
2809922 - ETPRO EXPLOIT Samba >= 3.5 CVE2015-0240 Request (exploit.rules)
2814971 - ETPRO TROJAN Liudoor Handshake Init (trojan.rules)

[---]         Removed rules:         [---]

2017701 - ET CURRENT_EVENTS webr00t WebShell Access (current_events.rules)
2017854 - ET CURRENT_EVENTS PHP script in OptimizePress Upload Directory Possible WebShell Access (current_events.rules)
2017969 - ET CURRENT_EVENTS Netgear passwordrecovered.cgi attempt (current_events.rules)
2018136 - ET CURRENT_EVENTS Linksys Router Returning Device Settings To External Source (current_events.rules)
2018232 - ET CURRENT_EVENTS Possible ZyXELs ZynOS Configuration Download Attempt (Contains Passwords) (current_events.rules)
2018279 - ET CURRENT_EVENTS MtGox Leak wallet stealer UA (current_events.rules)
2804958 - ETPRO TROJAN Backdoor.Perl.Shellbot.cd IRC Bot that have DoS/DDoS functions (trojan.rules)
2806660 - ETPRO CHAT IRC USER Likely bot with 0 0 colon checkin (chat.rules)
2806661 - ETPRO CHAT IRC USER Off-port Likely bot with 0 0 colon checkin (chat.rules)
2809094 - ETPRO TROJAN Win32/Ropest.H CnC - INBOUND set (trojan.rules)
2809095 - ETPRO TROJAN Win32/Ropest.H CnC - INBOUND (trojan.rules)
2816919 - ETPRO TROJAN Possible Win32/Atraps Receiving Config via Image File (steganography) (trojan.rules)
2820851 - ETPRO CURRENT_EVENTS Possible Neutrino EK Landing Landing URI Struct (fb set) (current_events.rules)
2826350 - ETPRO CURRENT_EVENTS Bingo Exploit Kit Landing May 082017 (current_events.rules)

Date: Tuesday, November 28, 2017 - 00:00