Daily Ruleset Update Summary 2018/01/09

[***]            Summary:            [***]

7 Open, 18 new Pro (7 + 11). Spectre Exploit Javascript, Win32/CoinMiner.AQL, MAPP, Various Phishing.

January MAPP Coverage: CVE-2018-0762 -> 2829230

[+++]          Added rules:          [+++]

Open:

 2025188 - ET WEB_CLIENT Spectre Exploit Javascript (web_client.rules)
 2025189 - ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.ml) (info.rules)
 2025190 - ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.gdn) (info.rules)
 2025191 - ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.gq) (info.rules)
 2025192 - ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.ga) (info.rules)
 2025193 - ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.cf) (info.rules)
 2025194 - ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) (info.rules)

Pro:

 2829220 - ETPRO CURRENT_EVENTS Successful Paypal Phish 2018-01-09 (current_events.rules)
 2829221 - ETPRO CURRENT_EVENTS MalDoc Retrieving EXE Payload 2018-01-09 (current_events.rules)
 2829222 - ETPRO TROJAN Observed Malicious SSL Cert (MalDoc DL) (trojan.rules)
 2829223 - ETPRO TROJAN Win32/CoinMiner.AQL Checkin Observed (trojan.rules)
 2829224 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-09 1) (trojan.rules)
 2829225 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-09 2) (trojan.rules)
 2829226 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-09 3) (trojan.rules)
 2829227 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-09 4) (trojan.rules)
 2829228 - ETPRO TROJAN Observed Malicious SSL Cert (Dridex CnC) (trojan.rules)
 2829229 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-09 5) (trojan.rules)
 2829230 - ETPRO WEB_CLIENT MS IE 11 Type Confusion RCE (CVE-2018-0762) (web_client.rules)

[///]     Modified active rules:     [///]

 2010001 - ET EXPLOIT xp_enumerrorlogs access (exploit.rules)
 2010002 - ET EXPLOIT xp_readerrorlogs access (exploit.rules)
 2010003 - ET EXPLOIT xp_enumdsn access (exploit.rules)
 2014726 - ET POLICY Outdated Flash Version M1 (policy.rules)
 2021659 - ET TROJAN APT Cheshire Cat DNS Lookup (groupdive. com) (trojan.rules)
 2024379 - ET POLICY Outdated Flash Version M2 (policy.rules)

[///]    Modified inactive rules:    [///]

 2000419 - ET POLICY PE EXE or DLL Windows file download Non-HTTP (policy.rules)

[---]         Disabled rules:        [---]

 2011511 - ET DOS ntop Basic-Auth DOS inbound (dos.rules)
 2011512 - ET DOS ntop Basic-Auth DOS outbound (dos.rules)
 2012938 - ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt (dos.rules)
 2013462 - ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt (dos.rules)
 2013463 - ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt Format String Function Call (dos.rules)
 2014384 - ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt (dos.rules)
 2014430 - ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT (dos.rules)
 2014431 - ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt (dos.rules)
 2014662 - ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt (dos.rules)
 2014663 - ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt (dos.rules)
 2015793 - ET CURRENT_EVENTS Scalaxy Java Exploit 10/11/12 (current_events.rules)
 2015812 - ET CURRENT_EVENTS SofosFO Jar file 10/17/12 (current_events.rules)
 2015840 - ET CURRENT_EVENTS Unknown Exploit Kit Landing Page (current_events.rules)
 2015841 - ET CURRENT_EVENTS Unknown Exploit Kit Landing Page (current_events.rules)
 2015866 - ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow (current_events.rules)
 2015867 - ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow (current_events.rules)
 2015876 - ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12 (current_events.rules)
 2015883 - ET CURRENT_EVENTS Java Exploit Campaign SetAttribute Java Applet (current_events.rules)
 2015921 - ET CURRENT_EVENTS Spam Campaign JPG CnC Link (current_events.rules)
 2015955 - ET CURRENT_EVENTS PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK) (current_events.rules)
 2015997 - ET CURRENT_EVENTS Fake Google Chrome Update/Install (current_events.rules)
 2016001 - ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs) (current_events.rules)
 2016022 - ET CURRENT_EVENTS MALVERTISING FlashPost - Redirection IFRAME (current_events.rules)
 2016098 - ET CURRENT_EVENTS Drupal Mass Injection Campaign Inbound (current_events.rules)
 2016099 - ET CURRENT_EVENTS Drupal Mass Injection Campaign Outbound (current_events.rules)
 2100261 - GPL DNS named overflow attempt (dns.rules)
 2100315 - GPL EXPLOIT x86 Linux mountd overflow (exploit.rules)
 2100319 - GPL EXPLOIT bootp x86 linux overflow (exploit.rules)
 2100571 - GPL EXPLOIT ttdbserv Solaris overflow (exploit.rules)
 2101261 - GPL EXPLOIT AIX pdnsd overflow (exploit.rules)
 2101327 - GPL EXPLOIT ssh CRC32 overflow (exploit.rules)
 2101751 - GPL EXPLOIT cachefsd buffer overflow attempt (exploit.rules)
 2101900 - GPL EXPLOIT successful kadmind buffer overflow attempt (exploit.rules)
 2101901 - GPL EXPLOIT successful kadmind buffer overflow attempt (exploit.rules)
 2102318 - GPL EXPLOIT CVS non-relative path access attempt (exploit.rules)
 2800002 - ETPRO EXPLOIT CVS Entry Line Flag Remote Heap Overflow (exploit.rules)
 2800003 - ETPRO EXPLOIT CVS Entry Line Flag Remote Heap Overflow (exploit.rules)
 2800611 - ETPRO EXPLOIT Windows Oracle Application Server Forms Arbitrary System Command Execution (exploit.rules)
 2800614 - ETPRO EXPLOIT Ipswitch WS_FTP Server FTP Commands Buffer Overflow(XSHA1) (exploit.rules)
 2800629 - ETPRO EXPLOIT 3Com TFTP Server Transporting Mode Remote Buffer Overflow Generic Exploit Detected (exploit.rules)
 2800630 - ETPRO EXPLOIT WEB_SERVER McAfee Multiple Products HTTP Server Header Processing Buffer Overflow (exploit.rules)
 2800639 - ETPRO EXPLOIT Cisco IOS HTTP Service HTML Injection Vulnerability (Published Exploit) (exploit.rules)
 2800646 - ETPRO EXPLOIT Microsoft Word TextBox Sub-document Memory Corruption CVE-2007-1910 (exploit.rules)
 2801212 - ETPRO DOS iCal Null pointer de-reference Count Variable (dos.rules)
 2801213 - ETPRO DOS iCal Null pointer de-reference Trigger Variable (dos.rules)
 2801214 - ETPRO DOS iCal improper resource liberation (dos.rules)
 2801241 - ETPRO DOS HP Data Protector Manager RDS Denial of Service (dos.rules)
 2802958 - ETPRO DOS Microsoft Host Integration Server snabase.exe Infinite Loop Denial of Service (Exploit Specific) (dos.rules)
 2805325 - ETPRO DOS Microsoft Remote Desktop Protocol (RDP) DoS 1 (dos.rules)
 2805326 - ETPRO DOS Microsoft Remote Desktop Protocol (RDP) DoS 2 (dos.rules)
 2805327 - ETPRO DOS Microsoft Remote Desktop Protocol (RDP) DoS 3 (dos.rules)

Date: Tuesday, January 9, 2018 - 00:00