Talos Rules 2015-09-15
Talos is aware of malware affecting products from Cisco Systems.

SYNful Knock Backdoor Connection Attempt: routers have been discovered running modified Cisco IOS images that contain a backdoor.

A rule that detects the command-and-control traffic of this malware is included in this release. It is identified as GID 1, SID 36054 (MALWARE-CNC Ios.Backdoor.SYNful inbound connection attempt, in malware-cnc.rules) and is enabled by default.

Talos has also added rules to the blacklist, malware-cnc and server-webapp rule sets to provide coverage for other emerging threats. No existing rules were modified in this release. Note that the new server-webapp rules (Silver Peak VXOA, Synology Video Station and Novell Zenworks Mobile Management) ship disabled by default; enable them if you run those products.

Change logs

2015-09-15 14:56:47 UTC

Snort Subscriber Rules Update

Date: 2015-09-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36054 <-> ENABLED <-> MALWARE-CNC Ios.Backdoor.SYNful inbound connection attempt (malware-cnc.rules)
 * 1:36053 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA snmp JSON interface command injection attempt (server-webapp.rules)
 * 1:36052 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA JSON interface hidden credentials authentication attempt (server-webapp.rules)
 * 1:36051 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules)
 * 1:36050 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules)
 * 1:36049 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules)
 * 1:36048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:36047 <-> ENABLED <-> BLACKLIST DNS request for known malware domain movielibraryr.servemp3.com - Win.Trojan.Agent (blacklist.rules)
 * 1:36046 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kidneyjn.3utilities.com - Win.Trojan.Agent (blacklist.rules)
 * 1:36045 <-> ENABLED <-> BLACKLIST DNS request for known malware domain domainnc.myvnc.com - Win.Trojan.Agent (blacklist.rules)
 * 1:36044 <-> ENABLED <-> BLACKLIST DNS request for known malware domain checekhelp.serveblog.net - Win.Trojan.Agent (blacklist.rules)
 * 1:36043 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules)
 * 1:36042 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules)
 * 1:36041 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules)
 * 1:36040 <-> DISABLED <-> SERVER-WEBAPP Novell Zenworks Mobile Management cross site scripting attempt (server-webapp.rules)
 * 1:36039 <-> DISABLED <-> SERVER-WEBAPP Novell Zenworks Mobile Management cross site scripting attempt (server-webapp.rules)
 * 1:36038 <-> DISABLED <-> SERVER-WEBAPP Novell Zenworks Mobile Management cross site scripting attempt (server-webapp.rules)
 * 1:36037 <-> DISABLED <-> SERVER-WEBAPP Novell Zenworks Mobile Management cross site scripting attempt (server-webapp.rules)

Modified Rules:
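
The changelog format described above ("gid:sid <-> Default rule state <-> Message (rule group)") is easy to process mechanically. The following is an added example, not part of the Talos release: it parses changelog lines of that format, summarises new rules per rule group and default state, and reconciles the listed SIDs against a local Snort .rules file, where a leading `#` marks a rule that is present but disabled. The four changelog lines are taken from the list above; the rule bodies in SAMPLE_RULES are constructed placeholders with real SIDs but not the actual Talos rule content. The regular expressions and function names are this example's own.

```python
"""Parse a Snort Subscriber Rules changelog and reconcile it with a local .rules file.
Added example, not Talos code.  Rule bodies below are constructed stand-ins."""
import re
from collections import Counter
from dataclasses import dataclass

# One changelog entry, e.g.
#  * 1:36054 <-> ENABLED <-> MALWARE-CNC Ios.Backdoor.SYNful inbound connection attempt (malware-cnc.rules)
CHANGELOG_LINE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)
# In a .rules file a leading '#' means the rule is shipped but disabled.
RULE_LINE = re.compile(
    r"^(?P<off>#\s*)?(?:alert|drop|pass|log|reject|sdrop)\s.*\bsid:\s*(?P<sid>\d+)\s*;"
)


@dataclass(frozen=True)
class RuleChange:
    gid: int
    sid: int
    enabled: bool   # default state shipped by Talos
    msg: str
    group: str      # rule file the SID lives in


def parse_changelog(text):
    """Return a RuleChange for every line in the changelog format; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = CHANGELOG_LINE.match(line)
        if m:
            out.append(RuleChange(int(m["gid"]), int(m["sid"]),
                                  m["state"] == "ENABLED", m["msg"], m["group"]))
    return out


def summarize(changes):
    """Map rule group -> Counter of {'enabled': n, 'disabled': n}."""
    summary = {}
    for c in changes:
        summary.setdefault(c.group, Counter())["enabled" if c.enabled else "disabled"] += 1
    return summary


def local_rule_states(rules_text):
    """Map sid -> True (active) or False (commented out) for every rule in a .rules file."""
    states = {}
    for line in rules_text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            states[int(m["sid"])] = m["off"] is None
    return states


def reconcile(changes, local):
    """List (sid, shipped_default, local_state) for SIDs that are missing locally
    (local_state None) or whose local state differs from the shipped default."""
    findings = []
    for c in changes:
        state = local.get(c.sid)
        if state is None or state != c.enabled:
            findings.append((c.sid, c.enabled, state))
    return findings


# Lines copied from the 2015-09-15 changelog.
SAMPLE_CHANGELOG = """\
 * 1:36054 <-> ENABLED <-> MALWARE-CNC Ios.Backdoor.SYNful inbound connection attempt (malware-cnc.rules)
 * 1:36053 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA snmp JSON interface command injection attempt (server-webapp.rules)
 * 1:36048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:36044 <-> ENABLED <-> BLACKLIST DNS request for known malware domain checekhelp.serveblog.net - Win.Trojan.Agent (blacklist.rules)
"""

# Constructed rule bodies (placeholders, not the Talos rule content): 36054 active,
# 36053 shipped disabled but enabled locally, 36048 disabled locally, 36044 absent.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Ios.Backdoor.SYNful inbound connection attempt"; sid:36054; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Silver Peak VXOA snmp JSON interface command injection attempt"; sid:36053; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; sid:36048; rev:1;)
"""

if __name__ == "__main__":
    changes = parse_changelog(SAMPLE_CHANGELOG)
    for group, counts in sorted(summarize(changes).items()):
        print(f"{group}: {dict(counts)}")
    for sid, shipped, local in reconcile(changes, local_rule_states(SAMPLE_RULES)):
        print(f"sid {sid}: shipped {'ENABLED' if shipped else 'DISABLED'}, local {local}")
```

Run against a real release, feed the changelog text to `parse_changelog` and each downloaded .rules file to `local_rule_states`; every finding with `local_state None` is a SID that never made it into the deployed ruleset, and a `False` against a shipped `ENABLED` (as for 36054 here) means a default-on detection has been switched off locally.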



2015-09-15 14:56:47 UTC

Snort Subscriber Rules Update

Date: 2015-09-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36054 <-> ENABLED <-> MALWARE-CNC Ios.Backdoor.SYNful inbound connection attempt (malware-cnc.rules)
 * 1:36053 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA snmp JSON interface command injection attempt (server-webapp.rules)
 * 1:36052 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA JSON interface hidden credentials authentication attempt (server-webapp.rules)
 * 1:36051 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules)
 * 1:36050 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules)
 * 1:36049 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules)
 * 1:36048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:36047 <-> ENABLED <-> BLACKLIST DNS request for known malware domain movielibraryr.servemp3.com - Win.Trojan.Agent (blacklist.rules)
 * 1:36046 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kidneyjn.3utilities.com - Win.Trojan.Agent (blacklist.rules)
 * 1:36045 <-> ENABLED <-> BLACKLIST DNS request for known malware domain domainnc.myvnc.com - Win.Trojan.Agent (blacklist.rules)
 * 1:36044 <-> ENABLED <-> BLACKLIST DNS request for known malware domain checekhelp.serveblog.net - Win.Trojan.Agent (blacklist.rules)
 * 1:36043 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules)
 * 1:36042 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules)
 * 1:36041 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules)
 * 1:36040 <-> DISABLED <-> SERVER-WEBAPP Novell Zenworks Mobile Management cross site scripting attempt (server-webapp.rules)
 * 1:36039 <-> DISABLED <-> SERVER-WEBAPP Novell Zenworks Mobile Management cross site scripting attempt (server-webapp.rules)
 * 1:36038 <-> DISABLED <-> SERVER-WEBAPP Novell Zenworks Mobile Management cross site scripting attempt (server-webapp.rules)
 * 1:36037 <-> DISABLED <-> SERVER-WEBAPP Novell Zenworks Mobile Management cross site scripting attempt (server-webapp.rules)

Modified Rules:



2015-09-15 14:56:47 UTC

Snort Subscriber Rules Update

Date: 2015-09-15

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36054 <-> ENABLED <-> MALWARE-CNC Ios.Backdoor.SYNful inbound connection attempt (malware-cnc.rules)
 * 1:36053 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA snmp JSON interface command injection attempt (server-webapp.rules)
 * 1:36052 <-> DISABLED <-> SERVER-WEBAPP Silver Peak VXOA JSON interface hidden credentials authentication attempt (server-webapp.rules)
 * 1:36051 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules)
 * 1:36050 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules)
 * 1:36049 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station audiotrack.cgi SQL injection attempt (server-webapp.rules)
 * 1:36048 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:36047 <-> ENABLED <-> BLACKLIST DNS request for known malware domain movielibraryr.servemp3.com - Win.Trojan.Agent (blacklist.rules)
 * 1:36046 <-> ENABLED <-> BLACKLIST DNS request for known malware domain kidneyjn.3utilities.com - Win.Trojan.Agent (blacklist.rules)
 * 1:36045 <-> ENABLED <-> BLACKLIST DNS request for known malware domain domainnc.myvnc.com - Win.Trojan.Agent (blacklist.rules)
 * 1:36044 <-> ENABLED <-> BLACKLIST DNS request for known malware domain checekhelp.serveblog.net - Win.Trojan.Agent (blacklist.rules)
 * 1:36043 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules)
 * 1:36042 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules)
 * 1:36041 <-> DISABLED <-> SERVER-WEBAPP Synology Video Station watchstatus.cgi SQL injection attempt (server-webapp.rules)
 * 1:36040 <-> DISABLED <-> SERVER-WEBAPP Novell Zenworks Mobile Management cross site scripting attempt (server-webapp.rules)
 * 1:36039 <-> DISABLED <-> SERVER-WEBAPP Novell Zenworks Mobile Management cross site scripting attempt (server-webapp.rules)
 * 1:36038 <-> DISABLED <-> SERVER-WEBAPP Novell Zenworks Mobile Management cross site scripting attempt (server-webapp.rules)
 * 1:36037 <-> DISABLED <-> SERVER-WEBAPP Novell Zenworks Mobile Management cross site scripting attempt (server-webapp.rules)

Modified Rules: