Talos Rules 2015-07-08
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

CVE-2015-2387: A coding deficiency exists in the Microsoft Windows ATMFD.dll font driver that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 35105 through 35108.

Talos has also added and modified multiple rules in the blacklist, file-flash, file-other, malware-cnc, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-07-08 21:22:22 UTC

Snort Subscriber Rules Update

Date: 2015-07-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35106 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD.dll open font type privilege escalation attempt (os-windows.rules)
 * 1:35101 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:35095 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35093 <-> DISABLED <-> SERVER-OTHER PHP core compressed file temp_len buffer overflow attempt (server-other.rules)
 * 1:35097 <-> DISABLED <-> POLICY-OTHER IPv6 neighbor solicitation - THC-IPv6 tool indicator attempt (policy-other.rules)
 * 1:35092 <-> DISABLED <-> SERVER-OTHER PHP core compressed file temp_len buffer overflow attempt (server-other.rules)
 * 1:35096 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35098 <-> DISABLED <-> POLICY-OTHER IPv6 neighbor solicitation - THC-IPv6 tool indicator attempt (policy-other.rules)
 * 1:35099 <-> ENABLED <-> BLACKLIST DNS request for known malware domain houseofsultan.co.uk - Win.Trojan.Dridex (blacklist.rules)
 * 1:35100 <-> ENABLED <-> BLACKLIST DNS request for known malware domain houstonsbackyard.com - Win.Trojan.Dridex (blacklist.rules)
 * 1:35102 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex Microsoft Word document dropper download attempt (malware-cnc.rules)
 * 1:35103 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex Microsoft Word document dropper download attempt (malware-cnc.rules)
 * 1:35104 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:35105 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD.dll open font type privilege escalation attempt (os-windows.rules)
 * 1:35108 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD.dll open font type privilege escalation attempt (os-windows.rules)
 * 1:35094 <-> DISABLED <-> FILE-OTHER Microsoft proxy autoconfig script system library import attempt (file-other.rules)
 * 1:35107 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD.dll open font type privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:35088 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35086 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35087 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35089 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:24652 <-> DISABLED <-> FILE-OTHER Microsoft proxy autoconfig script system library import attempt (file-other.rules)

2015-07-08 21:22:22 UTC

Snort Subscriber Rules Update

Date: 2015-07-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35104 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:35095 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35100 <-> ENABLED <-> BLACKLIST DNS request for known malware domain houstonsbackyard.com - Win.Trojan.Dridex (blacklist.rules)
 * 1:35099 <-> ENABLED <-> BLACKLIST DNS request for known malware domain houseofsultan.co.uk - Win.Trojan.Dridex (blacklist.rules)
 * 1:35093 <-> DISABLED <-> SERVER-OTHER PHP core compressed file temp_len buffer overflow attempt (server-other.rules)
 * 1:35097 <-> DISABLED <-> POLICY-OTHER IPv6 neighbor solicitation - THC-IPv6 tool indicator attempt (policy-other.rules)
 * 1:35098 <-> DISABLED <-> POLICY-OTHER IPv6 neighbor solicitation - THC-IPv6 tool indicator attempt (policy-other.rules)
 * 1:35101 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:35102 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex Microsoft Word document dropper download attempt (malware-cnc.rules)
 * 1:35103 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex Microsoft Word document dropper download attempt (malware-cnc.rules)
 * 1:35096 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35105 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD.dll open font type privilege escalation attempt (os-windows.rules)
 * 1:35094 <-> DISABLED <-> FILE-OTHER Microsoft proxy autoconfig script system library import attempt (file-other.rules)
 * 1:35108 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD.dll open font type privilege escalation attempt (os-windows.rules)
 * 1:35092 <-> DISABLED <-> SERVER-OTHER PHP core compressed file temp_len buffer overflow attempt (server-other.rules)
 * 1:35106 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD.dll open font type privilege escalation attempt (os-windows.rules)
 * 1:35107 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD.dll open font type privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:35089 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35087 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35088 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35086 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:24652 <-> DISABLED <-> FILE-OTHER Microsoft proxy autoconfig script system library import attempt (file-other.rules)

2015-07-08 21:22:22 UTC

Snort Subscriber Rules Update

Date: 2015-07-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35108 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD.dll open font type privilege escalation attempt (os-windows.rules)
 * 1:35107 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD.dll open font type privilege escalation attempt (os-windows.rules)
 * 1:35106 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD.dll open font type privilege escalation attempt (os-windows.rules)
 * 1:35105 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ATMFD.dll open font type privilege escalation attempt (os-windows.rules)
 * 1:35104 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:35103 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex Microsoft Word document dropper download attempt (malware-cnc.rules)
 * 1:35102 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex Microsoft Word document dropper download attempt (malware-cnc.rules)
 * 1:35101 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dridex variant outbound connection (malware-cnc.rules)
 * 1:35100 <-> ENABLED <-> BLACKLIST DNS request for known malware domain houstonsbackyard.com - Win.Trojan.Dridex (blacklist.rules)
 * 1:35099 <-> ENABLED <-> BLACKLIST DNS request for known malware domain houseofsultan.co.uk - Win.Trojan.Dridex (blacklist.rules)
 * 1:35098 <-> DISABLED <-> POLICY-OTHER IPv6 neighbor solicitation - THC-IPv6 tool indicator attempt (policy-other.rules)
 * 1:35097 <-> DISABLED <-> POLICY-OTHER IPv6 neighbor solicitation - THC-IPv6 tool indicator attempt (policy-other.rules)
 * 1:35096 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35095 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35094 <-> DISABLED <-> FILE-OTHER Microsoft proxy autoconfig script system library import attempt (file-other.rules)
 * 1:35093 <-> DISABLED <-> SERVER-OTHER PHP core compressed file temp_len buffer overflow attempt (server-other.rules)
 * 1:35092 <-> DISABLED <-> SERVER-OTHER PHP core compressed file temp_len buffer overflow attempt (server-other.rules)

Modified Rules:


 * 1:24652 <-> DISABLED <-> FILE-OTHER Microsoft proxy autoconfig script system library import attempt (file-other.rules)
 * 1:35086 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35087 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35088 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35089 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)