Talos Rules 2016-05-02
Talos is aware of vulnerabilities affecting products from the Apache Software Foundation.

CVE-2016-3081: A coding deficiency exists in Apache Struts 2 that may lead to remote code execution when Dynamic Method Invocation is enabled.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 21072, 21656, and 23631. These are existing rules in the server-apache rule set that have been updated; they appear under Modified Rules in the change logs below, not under New Rules.

Talos has added and modified multiple rules in the blacklist, browser-ie, malware-cnc, server-apache and server-webapp rule sets to provide coverage for emerging threats.

Change logs

2016-05-02 21:37:19 UTC

Snort Subscriber Rules Update

Date: 2016-05-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38676 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BBSwift variant outbound connection (malware-cnc.rules)
 * 1:38675 <-> DISABLED <-> SERVER-WEBAPP Sefrengo CMS main.php SQL injection attempt (server-webapp.rules)
 * 1:38674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Koohipa outbound beacon attempt (malware-cnc.rules)
 * 1:38673 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet directory traversal attempt (server-webapp.rules)
 * 1:38670 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpropertychange use-after-free attempt (browser-ie.rules)
 * 1:38669 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpropertychange use-after-free attempt (browser-ie.rules)
 * 1:38668 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:26556 <-> ENABLED <-> BLACKLIST DNS request for known malware domain f.dailyradio.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26555 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xxxxxxxxxxxxxxx.kei.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26554 <-> ENABLED <-> BLACKLIST DNS request for known malware domain d1js21szq85hyn.cloudfront.net - Win.Adware.BProtector (blacklist.rules)
 * 1:26409 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ext.myshopers.com - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26408 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gigasphere.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26407 <-> ENABLED <-> BLACKLIST DNS request for known malware domain uranus.kei.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26406 <-> ENABLED <-> BLACKLIST DNS request for known malware domain photobeat.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26405 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xixbh.net - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26404 <-> ENABLED <-> BLACKLIST DNS request for known malware domain o.dailyradio.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26403 <-> ENABLED <-> BLACKLIST DNS request for known malware domain h.opennews.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26402 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xixbh.com - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26401 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gigasbh.org - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26400 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s.richlab.pl - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:21072 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - GET parameter (server-apache.rules)
 * 1:26399 <-> ENABLED <-> BLACKLIST DNS request for known malware domain f.eastmoon.pl - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
 * 1:21656 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - GET parameter (server-apache.rules)

2016-05-02 21:37:19 UTC

Snort Subscriber Rules Update

Date: 2016-05-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38676 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BBSwift variant outbound connection (malware-cnc.rules)
 * 1:38674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Koohipa outbound beacon attempt (malware-cnc.rules)
 * 1:38675 <-> DISABLED <-> SERVER-WEBAPP Sefrengo CMS main.php SQL injection attempt (server-webapp.rules)
 * 1:38670 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpropertychange use-after-free attempt (browser-ie.rules)
 * 1:38673 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet directory traversal attempt (server-webapp.rules)
 * 1:38669 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpropertychange use-after-free attempt (browser-ie.rules)
 * 1:38668 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
 * 1:26402 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xixbh.com - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26556 <-> ENABLED <-> BLACKLIST DNS request for known malware domain f.dailyradio.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26555 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xxxxxxxxxxxxxxx.kei.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26399 <-> ENABLED <-> BLACKLIST DNS request for known malware domain f.eastmoon.pl - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26400 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s.richlab.pl - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:21072 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - GET parameter (server-apache.rules)
 * 1:26401 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gigasbh.org - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26404 <-> ENABLED <-> BLACKLIST DNS request for known malware domain o.dailyradio.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26403 <-> ENABLED <-> BLACKLIST DNS request for known malware domain h.opennews.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26409 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ext.myshopers.com - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26405 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xixbh.net - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26406 <-> ENABLED <-> BLACKLIST DNS request for known malware domain photobeat.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26408 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gigasphere.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26407 <-> ENABLED <-> BLACKLIST DNS request for known malware domain uranus.kei.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26554 <-> ENABLED <-> BLACKLIST DNS request for known malware domain d1js21szq85hyn.cloudfront.net - Win.Adware.BProtector (blacklist.rules)
 * 1:21656 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - GET parameter (server-apache.rules)

2016-05-02 21:37:19 UTC

Snort Subscriber Rules Update

Date: 2016-05-02

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38668 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:38674 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Koohipa outbound beacon attempt (malware-cnc.rules)
 * 1:38676 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BBSwift variant outbound connection (malware-cnc.rules)
 * 1:38675 <-> DISABLED <-> SERVER-WEBAPP Sefrengo CMS main.php SQL injection attempt (server-webapp.rules)
 * 1:38669 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpropertychange use-after-free attempt (browser-ie.rules)
 * 1:38670 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpropertychange use-after-free attempt (browser-ie.rules)
 * 1:38673 <-> DISABLED <-> SERVER-WEBAPP Oracle Application Testing Suite DownloadServlet directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 1:26409 <-> ENABLED <-> BLACKLIST DNS request for known malware domain ext.myshopers.com - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26402 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xixbh.com - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26407 <-> ENABLED <-> BLACKLIST DNS request for known malware domain uranus.kei.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26405 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xixbh.net - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26406 <-> ENABLED <-> BLACKLIST DNS request for known malware domain photobeat.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26404 <-> ENABLED <-> BLACKLIST DNS request for known malware domain o.dailyradio.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26399 <-> ENABLED <-> BLACKLIST DNS request for known malware domain f.eastmoon.pl - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26400 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s.richlab.pl - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26556 <-> ENABLED <-> BLACKLIST DNS request for known malware domain f.dailyradio.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26555 <-> ENABLED <-> BLACKLIST DNS request for known malware domain xxxxxxxxxxxxxxx.kei.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26401 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gigasbh.org - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:26403 <-> ENABLED <-> BLACKLIST DNS request for known malware domain h.opennews.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:21072 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - GET parameter (server-apache.rules)
 * 1:26554 <-> ENABLED <-> BLACKLIST DNS request for known malware domain d1js21szq85hyn.cloudfront.net - Win.Adware.BProtector (blacklist.rules)
 * 1:26408 <-> ENABLED <-> BLACKLIST DNS request for known malware domain gigasphere.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
 * 1:21656 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - GET parameter (server-apache.rules)
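The three change logs above share one line format, "gid:sid <-> Default rule state <-> Message (rule group)", and the same set of SIDs ordered differently per Snort version. The following is an added example, not Talos tooling or any script from the original page: a small parser for that format, plus the checks a practitioner typically runs on a release like this, namely whether the SIDs named in the advisory (GID 1, SIDs 21072, 21656, 23631) are present and ENABLED by default, which new rules ship DISABLED and so will not fire until enabled, and whether two packs differ in the rules they carry. The SAMPLE_CHANGELOG text is a constructed subset of the lines on this page; the function and class names are this example's own.

```python
"""Parse a Snort Subscriber Rules Update changelog and cross-check it against the advisory.

Added example (not Talos code). Input is a constructed subset of the 2016-05-02 changelog lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One changelog line, e.g.
#  * 1:38676 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BBSwift variant outbound connection (malware-cnc.rules)
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+)\)\s*$"
)
SECTION_RE = re.compile(r"^(New|Modified) Rules:\s*$")

# SIDs the advisory text at the top of the page names for CVE-2016-3081 coverage.
ADVISORY_GID = 1
ADVISORY_SIDS = [21072, 21656, 23631]

# Constructed subset of the page's own changelog lines (headers kept to show they are skipped).
SAMPLE_CHANGELOG = """\
Snort Subscriber Rules Update

Date: 2016-05-02

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:38676 <-> ENABLED <-> MALWARE-CNC Win.Trojan.BBSwift variant outbound connection (malware-cnc.rules)
 * 1:38675 <-> DISABLED <-> SERVER-WEBAPP Sefrengo CMS main.php SQL injection attempt (server-webapp.rules)
 * 1:38669 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer onpropertychange use-after-free attempt (browser-ie.rules)

Modified Rules:

 * 1:26556 <-> ENABLED <-> BLACKLIST DNS request for known malware domain f.dailyradio.su - Win.Trojan.Dorkbot (blacklist.rules)
 * 1:21072 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - GET parameter (server-apache.rules)
 * 1:23631 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - POST parameter (server-apache.rules)
 * 1:21656 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt - GET parameter (server-apache.rules)
"""


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str    # default rule state: "ENABLED" or "DISABLED"
    msg: str      # rule message text
    group: str    # rule file, e.g. "server-apache.rules"
    section: str  # "New" or "Modified"


def parse_changelog(text: str) -> list[RuleEntry]:
    """Parse the 'gid:sid <-> state <-> message (group)' lines of one rule pack."""
    entries: list[RuleEntry] = []
    section = None
    for raw in text.splitlines():
        sec = SECTION_RE.match(raw)
        if sec:
            section = sec.group(1)
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue  # headers, blank lines and the format description carry no rule
        if section is None:
            raise ValueError(f"rule line before any 'New Rules:'/'Modified Rules:' header: {raw!r}")
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]), m["state"], m["msg"], m["group"], section))
    return entries


def advisory_coverage(entries: list[RuleEntry], gid: int, sids: list[int]) -> dict[int, str | None]:
    """Default state of each SID the advisory names, or None if the pack does not carry it."""
    by_key = {(e.gid, e.sid): e for e in entries}
    return {sid: (by_key[(gid, sid)].state if (gid, sid) in by_key else None) for sid in sids}


def disabled_new_rules(entries: list[RuleEntry]) -> list[int]:
    """New rules shipped DISABLED; they need an explicit enable before they will alert."""
    return sorted(e.sid for e in entries if e.section == "New" and e.state == "DISABLED")


def groups_touched(entries: list[RuleEntry]) -> list[str]:
    """Rule sets the pack adds to or modifies, without the '.rules' suffix."""
    return sorted({e.group[: -len(".rules")] if e.group.endswith(".rules") else e.group for e in entries})


def pack_difference(a: list[RuleEntry], b: list[RuleEntry]) -> tuple[list, list]:
    """(gid, sid) pairs present in pack a but not b, and vice versa (e.g. two Snort versions)."""
    ka = {(e.gid, e.sid) for e in a}
    kb = {(e.gid, e.sid) for e in b}
    return sorted(ka - kb), sorted(kb - ka)


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE_CHANGELOG)
    print("advisory SIDs:", advisory_coverage(rules, ADVISORY_GID, ADVISORY_SIDS))
    print("new rules disabled by default:", disabled_new_rules(rules))
    print("rule sets touched:", groups_touched(rules))
```

Running the block on the constructed sample reports all three advisory SIDs as ENABLED, flags 38669 and 38675 as new rules that ship DISABLED, and lists five rule sets touched (blacklist, browser-ie, malware-cnc, server-apache, server-webapp), which is one more than the release note's own summary mentions. The same parser run over the full text of the three packs above yields identical (gid, sid) sets for versions 2982, 2980 and 2976, so pack_difference returns two empty lists for any pair of them.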