VRT Rules 2015-04-07
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, file-flash, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats in these categories.

Change logs

2015-04-07 14:19:40 UTC

Sourcefire VRT Rules Update

Date: 2015-04-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:34043 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cybercrime.rocks - Win.Trojan.Exacrytion (blacklist.rules)
 * 1:34046 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expilan variant outbound connection (malware-cnc.rules)
 * 1:34031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34044 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Exacrytion variant outbound connection (malware-cnc.rules)
 * 1:34036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34024 <-> DISABLED <-> POLICY-OTHER ManageEngine Desktop Central insecure admin password reset attempt (policy-other.rules)
 * 1:34045 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eitenckay initial outbound connection attempt (malware-cnc.rules)
 * 1:34032 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34038 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34029 <-> ENABLED <-> MALWARE-CNC Win.Worm.Tuscas variant outbound connection attempt (malware-cnc.rules)
 * 1:34028 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bruecimig variant outbound connection (malware-cnc.rules)
 * 1:34035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34030 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34040 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s12.site90.net - Win.Backdoor.Igliveforg (blacklist.rules)
 * 1:34039 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banklaed variant outbound connection (malware-cnc.rules)
 * 1:34041 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Igliveforg variant initial outbound connection (malware-cnc.rules)
 * 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
 * 1:34025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Endstar variant outbound connection attempt (malware-cnc.rules)
 * 1:34026 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Endstar variant outbound connection attempt (malware-cnc.rules)
 * 1:34042 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Igliveforg variant outbound connection (malware-cnc.rules)

Modified Rules:
 * 1:29283 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:16195 <-> DISABLED <-> SERVER-WEBAPP HTTP request content-length heap buffer overflow attempt (server-webapp.rules)
 * 1:33539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Decompressed File object type confusion attempt (file-flash.rules)
 * 1:33540 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Decompressed File object type confusion attempt (file-flash.rules)
 * 1:29281 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:31255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)

2015-04-07 14:19:40 UTC

Sourcefire VRT Rules Update

Date: 2015-04-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:34041 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Igliveforg variant initial outbound connection (malware-cnc.rules)
 * 1:34038 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34039 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banklaed variant outbound connection (malware-cnc.rules)
 * 1:34036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34026 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Endstar variant outbound connection attempt (malware-cnc.rules)
 * 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
 * 1:34028 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bruecimig variant outbound connection (malware-cnc.rules)
 * 1:34032 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34040 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s12.site90.net - Win.Backdoor.Igliveforg (blacklist.rules)
 * 1:34024 <-> DISABLED <-> POLICY-OTHER ManageEngine Desktop Central insecure admin password reset attempt (policy-other.rules)
 * 1:34046 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expilan variant outbound connection (malware-cnc.rules)
 * 1:34029 <-> ENABLED <-> MALWARE-CNC Win.Worm.Tuscas variant outbound connection attempt (malware-cnc.rules)
 * 1:34030 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34045 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eitenckay initial outbound connection attempt (malware-cnc.rules)
 * 1:34044 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Exacrytion variant outbound connection (malware-cnc.rules)
 * 1:34043 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cybercrime.rocks - Win.Trojan.Exacrytion (blacklist.rules)
 * 1:34025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Endstar variant outbound connection attempt (malware-cnc.rules)
 * 1:34042 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Igliveforg variant outbound connection (malware-cnc.rules)

Modified Rules:
 * 1:33540 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Decompressed File object type confusion attempt (file-flash.rules)
 * 1:31255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
 * 1:33539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Decompressed File object type confusion attempt (file-flash.rules)
 * 1:29283 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:29281 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:16195 <-> DISABLED <-> SERVER-WEBAPP HTTP request content-length heap buffer overflow attempt (server-webapp.rules)

2015-04-07 14:19:40 UTC

Sourcefire VRT Rules Update

Date: 2015-04-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:34046 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Expilan variant outbound connection (malware-cnc.rules)
 * 1:34045 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Eitenckay initial outbound connection attempt (malware-cnc.rules)
 * 1:34044 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Exacrytion variant outbound connection (malware-cnc.rules)
 * 1:34043 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cybercrime.rocks - Win.Trojan.Exacrytion (blacklist.rules)
 * 1:34042 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Igliveforg variant outbound connection (malware-cnc.rules)
 * 1:34041 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Igliveforg variant initial outbound connection (malware-cnc.rules)
 * 1:34040 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s12.site90.net - Win.Backdoor.Igliveforg (blacklist.rules)
 * 1:34039 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banklaed variant outbound connection (malware-cnc.rules)
 * 1:34038 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34032 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34030 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex4 initial outbound communication attempt (malware-cnc.rules)
 * 1:34029 <-> ENABLED <-> MALWARE-CNC Win.Worm.Tuscas variant outbound connection attempt (malware-cnc.rules)
 * 1:34028 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Bruecimig variant outbound connection (malware-cnc.rules)
 * 1:34027 <-> DISABLED <-> SERVER-OTHER PHP 4 unserialize ZVAL Reference Counter Overflow attempt (server-other.rules)
 * 1:34026 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Endstar variant outbound connection attempt (malware-cnc.rules)
 * 1:34025 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Endstar variant outbound connection attempt (malware-cnc.rules)
 * 1:34024 <-> DISABLED <-> POLICY-OTHER ManageEngine Desktop Central insecure admin password reset attempt (policy-other.rules)

Modified Rules:
 * 1:16195 <-> DISABLED <-> SERVER-WEBAPP HTTP request content-length heap buffer overflow attempt (server-webapp.rules)
 * 1:29281 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:29283 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sharable ByteArray code execution attempt (file-flash.rules)
 * 1:31255 <-> ENABLED <-> MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection (malware-cnc.rules)
 * 1:33539 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Decompressed File object type confusion attempt (file-flash.rules)
 * 1:33540 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Decompressed File object type confusion attempt (file-flash.rules)