Daily Ruleset Update Summary 2018/04/27

[***]            Summary:            [***]

2 new Open, 19 new Pro (2 + 17). DNN Cookie RCE, Troldesh/Maldoc SSL Certs, Win32/BlackMoon.A.

[+++]          Added rules:          [+++]

Open:

2021089 - ET POLICY WebRTC IP tracking Javascript (policy.rules)
2025545 - ET WEB_SPECIFIC_APPS DNN DNNPersonalization Cookie RCE Attempt (CVE-2017-9822) (web_specific_apps.rules)

Pro:

2830590 - ETPRO MALWARE PUP/WifiProtector CoinMiner Checkin (malware.rules)
2830591 - ETPRO MALWARE PUP/WifiProtector CoinMiner User-Agent (malware.rules)
2830592 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-04-27) (current_events.rules)
2830593 - ETPRO CURRENT_EVENTS Observed MalDoc DL 2018-04-27 Domain (fucloacking .ml in TLS SNI) (current_events.rules)
2830594 - ETPRO TROJAN Observed Malicious SSL Cert (SmokeLoader CnC) (trojan.rules)
2830595 - ETPRO TROJAN Observed Malicious SSL Cert (SmokeLoader CnC 2) (trojan.rules)
2830596 - ETPRO CURRENT_EVENTS Observed Malicious SSL Cert (MalDoc DL 2018-04-27 2) (current_events.rules)
2830597 - ETPRO CURRENT_EVENTS Observed MalDoc DL 2018-04-27 2 Domain (shzwnsarin .com in TLS SNI) (current_events.rules)
2830598 - ETPRO TROJAN Observed Malicious SSL Cert (W32/Troldesh CnC) (trojan.rules)
2830599 - ETPRO TROJAN W32/Troldesh CnC Domain in SNI (www .bwtyz456 .com) (trojan.rules)
2830600 - ETPRO MALWARE Win32/BlackMoon.A Checkin (malware.rules)
2830601 - ETPRO MALWARE Win32/BlackMoon.A Reporting Stats (malware.rules)
2830602 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-27 1) (trojan.rules)
2830603 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-27 2) (trojan.rules)
2830604 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-27 3) (trojan.rules)
2830605 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-27 4) (trojan.rules)
2830606 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-04-27 5) (trojan.rules)

[///]     Modified active rules:     [///]

2012149 - ET WEB_CLIENT MS10-090 IE CSS Exploit Metasploit POC Specific Unicoded (web_client.rules)
2828858 - ETPRO CURRENT_EVENTS Malicious VBScript Inbound (seen dropping Ursnif) (current_events.rules)

[---]         Disabled rules:        [---]

2013187 - ET TROJAN Backdoor Win32/IRCbot.FJ Cnc connection dns lookup (trojan.rules)
2013189 - ET TROJAN Unknown Dropper HTTP POST Check-in (trojan.rules)
2013197 - ET TROJAN Win32.Genome Download.php HTTP Request (trojan.rules)
2013198 - ET TROJAN Trojan/Hacktool.Sniffer Initial Checkin (trojan.rules)
2013199 - ET TROJAN Trojan/Hacktool.Sniffer Successful Install Message (trojan.rules)
2013225 - ET TROJAN W32/IRCBrute Checkin 2 (trojan.rules)
2013259 - ET TROJAN Guagua Trojan Update Checkin (trojan.rules)
2013260 - ET TROJAN Win32/Nekill Checkin (trojan.rules)
2013291 - ET TROJAN Win32/Cycbot Pay-Per-Install Executable Download (trojan.rules)
2013292 - ET TROJAN Win32/Cycbot Initial Checkin to CnC (trojan.rules)
2013314 - ET TROJAN Phoenix Landing Page Obfuscated Javascript 2 (trojan.rules)
2013318 - ET TROJAN Google Warning Infected Local User (trojan.rules)
2013329 - ET TROJAN Ruskill CnC Download Command 1 (trojan.rules)
2013330 - ET TROJAN Ruskill CnC Download Command 2 (trojan.rules)
2013331 - ET TROJAN Ruskill Reporting on Local Scans (trojan.rules)
2013340 - ET TROJAN FakeAV/Application JPDesk/Delf checkin (trojan.rules)
2013346 - ET TROJAN PSW.Win32.Ruftar.lon File Stealer FTP File Upload (trojan.rules)
2013348 - ET TROJAN Zeus Bot Request to CnC 2 (trojan.rules)
2013349 - ET TROJAN Connectivity Check of Unknown Origin 1 (trojan.rules)
2013350 - ET TROJAN Connectivity Check of Unknown Origin 2 (trojan.rules)
2013351 - ET TROJAN Connectivity Check of Unknown Origin 3 (trojan.rules)
2013362 - ET TROJAN HTran/SensLiceld.A Checkin 2 (unicode) (trojan.rules)
2013364 - ET TROJAN windows_security_update Fake AV download (trojan.rules)
2013366 - ET TROJAN FakeAV Checkin (trojan.rules)
2013377 - ET TROJAN W32/Alunik User Agent Detected (trojan.rules)
2013383 - ET TROJAN Fakealert.Rena CnC Checkin 1 (trojan.rules)
2013384 - ET TROJAN W32/Siscos CnC Checkin (trojan.rules)
2013385 - ET TROJAN Accept-encode HTTP header with UA indicating infected host (trojan.rules)
2013390 - ET TROJAN Suspicious User Agent 3653Client (trojan.rules)
2013397 - ET TROJAN W32/Pandex Trojan Dropper Initial Checkin (trojan.rules)
2013404 - ET TROJAN Suspicious User Agent ksdl_1_0 (trojan.rules)
2013411 - ET TROJAN Bancos.DV MSSQL CnC Connection Outbound (trojan.rules)
2013413 - ET TROJAN FakeAV Landing Page Checking firewall status (trojan.rules)
2013420 - ET TROJAN FakeAV FakeAlertRena.n Checkin NO Response from Server (trojan.rules)
2013447 - ET TROJAN Win32/TrojanDownloader.Chekafe.D Initial Checkin (trojan.rules)
2013456 - ET TROJAN Win32/VB.HV Checkin (trojan.rules)
2013461 - ET TROJAN Win32/Wizpop Initial Checkin (trojan.rules)
2013489 - ET TROJAN Best Pack Exploit Pack Binary Load Request (trojan.rules)
2013502 - ET TROJAN Win32/Wizpop Checkin (trojan.rules)
2013513 - ET TROJAN W32/Bancos Reporting (trojan.rules)
2013521 - ET TROJAN Spyeye Data Exfiltration 0 (trojan.rules)
2013522 - ET TROJAN Spyeye Data Exfiltration 1 (trojan.rules)
2013523 - ET TROJAN Spyeye Data Exfiltration 2 (trojan.rules)
2013524 - ET TROJAN Spyeye Data Exfiltration 3 (trojan.rules)
2013525 - ET TROJAN Spyeye Data Exfiltration 4 (trojan.rules)
2013526 - ET TROJAN Spyeye Data Exfiltration 5 (trojan.rules)
2013527 - ET TROJAN Spyeye Data Exfiltration 6 (trojan.rules)
2013528 - ET TROJAN Spyeye Data Exfiltration 7 (trojan.rules)
2013529 - ET TROJAN Spyeye Data Exfiltration 8 (trojan.rules)
2013530 - ET TROJAN Spyeye Data Exfiltration 9 (trojan.rules)
2013532 - ET TROJAN Backdoor.Win32.Fynloski.A Command Request (trojan.rules)
2013544 - ET TROJAN TROJ_VB.FJP Generic Dowbnloader Connectivity Check to Google (trojan.rules)
2013547 - ET TROJAN Win32.Unknown.UDP.edsm CnC traffic (trojan.rules)
2013555 - ET TROJAN Fivfrom Downloader (Unitrix) (trojan.rules)
2013560 - ET TROJAN Potentially Unwanted Program Storm3-607.exe Download Reporting (trojan.rules)
2013663 - ET TROJAN Unknown Exploit Pack Binary Load Request (server_privileges.php) (trojan.rules)
2013686 - ET TROJAN ZeroAccess/Max++ Rootkit C&C Activity 2 (trojan.rules)
2013701 - ET TROJAN Agent-TMF Checkin (trojan.rules)
2013720 - ET TROJAN Win32/Wapomi.AD Variant Checkin (trojan.rules)
2013723 - ET TROJAN Win32/Daemonize Trojan Proxy Initial Checkin (trojan.rules)
2013740 - ET TROJAN Zeus/Aeausuc P2P Variant Retrieving Peers List (trojan.rules)
2013745 - ET TROJAN Double HTTP/1.1 Header Outbound - Likely Infected or Hostile Traffic (trojan.rules)
2013766 - ET TROJAN Win32.Swisyn Reporting (trojan.rules)
2013767 - ET TROJAN W32/Einstein CnC Checkin (trojan.rules)
2013768 - ET TROJAN Win32.Dropper.Wlock Checkin (trojan.rules)
2013769 - ET TROJAN Backdoor.Win32.Prosti Checkin (trojan.rules)
2013770 - ET TROJAN USPS Spam/Trojan Executable Download (trojan.rules)
2013781 - ET TROJAN Win32.Scar.dvov Searchstar.co.kr related Checkin (trojan.rules)
2013793 - ET TROJAN Dropper.Win32.Npkon Client Checkin (trojan.rules)
2013794 - ET TROJAN Dropper.Win32.Npkon Server Responce (trojan.rules)
2013799 - ET TROJAN Win32.Trojan.SuspectCRC FakeAV Checkin (trojan.rules)
2013821 - ET TROJAN Trojan.Kryptik/proscan.co.kr Checkin (trojan.rules)
2013826 - ET TROJAN SecurityDefender exe Download Likely FakeAV Install (trojan.rules)
2013868 - ET TROJAN Win32/Sefbov.E Reporting (trojan.rules)
2013890 - ET TROJAN W32/Koobface Variant Initial Checkin (trojan.rules)
2013892 - ET TROJAN Backdoor.Win32.Svlk Server Reply (trojan.rules)
2013893 - ET TROJAN Backdoor.Win32.Svlk Client Ping (trojan.rules)
2014003 - ET TROJAN VBKrypt.dytr Checkin (trojan.rules)
2014804 - ET TROJAN VBS/Wimmie.A Checkin (trojan.rules)
2016429 - ET TROJAN Shady Rat/HTran style HTTP Header Pattern Request UHCa and Google MSIE UA (trojan.rules)
2016908 - ET TROJAN Trojan.Win32.FresctSpy.A User-Agent (MBVDFRESCT) (trojan.rules)
2803113 - ETPRO TROJAN NSIS.Downloader-QF Checkin (trojan.rules)
2803140 - ETPRO TROJAN Backdoor.Win32.Quivoe.A Checkin (trojan.rules)
2803234 - ETPRO TROJAN Generic.5580844 Checkin (trojan.rules)
2803245 - ETPRO TROJAN Win32.Geral.rco Checkin (trojan.rules)
2803258 - ETPRO TROJAN Backdoor.Win32.RDPdoor.AE Checkin 3 (trojan.rules)
2803383 - ETPRO TROJAN Win32/Mocmex.gen!A Checkin (trojan.rules)
2803457 - ETPRO TROJAN Trojan.Win32.Zatvex.A Checkin 1 (trojan.rules)
2803501 - ETPRO TROJAN Trojan.Win32.Swisyn.pqr Checkin (trojan.rules)
2803504 - ETPRO TROJAN Backdoor.Win32.Agobot.ast Checkin 1 (trojan.rules)
2803505 - ETPRO TROJAN Backdoor.Win32.Agobot.ast Checkin 2 (trojan.rules)
2803512 - ETPRO TROJAN Win32/Agent.QU Checkin (trojan.rules)
2803538 - ETPRO TROJAN Generic.4803182 Checkin (trojan.rules)
2803631 - ETPRO TROJAN Win32/Httpbot.A Checkin (trojan.rules)
2803705 - ETPRO TROJAN Trojan.Win32.ToriaSpy.A Checkin (trojan.rules)
2803721 - ETPRO TROJAN Trojan/Downloader.Banload.kor Checkin (trojan.rules)
2803741 - ETPRO TROJAN Backdoor.Win32.Dekara.A Checkin (trojan.rules)
2803742 - ETPRO TROJAN Trojan.Win32.Payazol.B Checkin (trojan.rules)
2803807 - ETPRO TROJAN Win32/Sefnit.O Checkin (trojan.rules)
2803812 - ETPRO TROJAN Win32/Sefnit.K Checkin (trojan.rules)
2803826 - ETPRO TROJAN Application.Generic.379873 Checkin (trojan.rules)
2803837 - ETPRO TROJAN Win32.Cycbot-MM Checkin 2 (trojan.rules)
2803957 - ETPRO TROJAN Trojan.Win32.Scar.ekzu Checkin (trojan.rules)

[---]         Removed rules:         [---]

2021089 - ET CURRENT_EVENTS WebRTC IP tracker Observed in DNSChanger EK May 12 2015 (current_events.rules)

Date: Friday, April 27, 2018 - 00:00