Talos Rules 2015-07-07
Talos is aware of vulnerabilities exposed by a widely available leak of the firm "Hacking Team".

Adobe Flash Player Vulnerability: Adobe Flash Player suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 35086 through 35089.

iOS Lockdown Vulnerability: A programming error exists in iOS Lockdown service that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 35090 through 35091.

Talos has also added and modified multiple rules in the blacklist, browser-firefox, exploit-kit, file-flash, malware-cnc, os-mobile and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-07-07 19:29:49 UTC

Snort Subscriber Rules Update

Date: 2015-07-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35066 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection  (malware-cnc.rules)
 * 1:35071 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength replaceItem use after free (browser-firefox.rules)
 * 1:35069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dino variant outbound connection (malware-cnc.rules)
 * 1:35064 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)
 * 1:35065 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)
 * 1:35063 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)
 * 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)
 * 1:35090 <-> ENABLED <-> OS-MOBILE iOS lockdownd plist object buffer overflow attempt (os-mobile.rules)
 * 1:35088 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35089 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35087 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection  (malware-cnc.rules)
 * 1:35068 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tooti15.no-ip.biz - Win.Trojan.AutoIt (blacklist.rules)
 * 1:35070 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength insertItemBefore use after free (browser-firefox.rules)
 * 1:35072 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength initialize use after free (browser-firefox.rules)
 * 1:35073 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength insertItemBefore use after free (browser-firefox.rules)
 * 1:35074 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength replaceItem use after free (browser-firefox.rules)
 * 1:35075 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength initialize use after free (browser-firefox.rules)
 * 1:35076 <-> ENABLED <-> MALWARE-CNC Win.Zusy variant outbound connection (malware-cnc.rules)
 * 1:35077 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules)
 * 1:35078 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules)
 * 1:35091 <-> ENABLED <-> OS-MOBILE iOS lockdownd plist object buffer overflow attempt (os-mobile.rules)
 * 1:35079 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules)
 * 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection  (malware-cnc.rules)
 * 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection  (malware-cnc.rules)
 * 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection  (malware-cnc.rules)
 * 1:35083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regiskazi outbound connection  (malware-cnc.rules)
 * 1:35086 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35084 <-> DISABLED <-> EXPLOIT-KIT Null Hole exploit kit binary download request (exploit-kit.rules)
 * 1:35085 <-> DISABLED <-> EXPLOIT-KIT Null Hole exploit kit malicious swf request (exploit-kit.rules)

Modified Rules:


 * 1:33681 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak connection to server (malware-cnc.rules)
 * 1:34761 <-> DISABLED <-> OS-WINDOWS Microsoft Windows clipboard null pointer dereference privilege escalation attempt (os-windows.rules)
 * 1:34762 <-> DISABLED <-> OS-WINDOWS Microsoft Windows clipboard null pointer dereference privilege escalation attempt (os-windows.rules)
 * 1:35005 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vcaredrix variant outbound connection (malware-cnc.rules)

2015-07-07 19:29:49 UTC

Snort Subscriber Rules Update

Date: 2015-07-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)
 * 1:35063 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)
 * 1:35064 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)
 * 1:35065 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)
 * 1:35066 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection  (malware-cnc.rules)
 * 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection  (malware-cnc.rules)
 * 1:35068 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tooti15.no-ip.biz - Win.Trojan.AutoIt (blacklist.rules)
 * 1:35069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dino variant outbound connection (malware-cnc.rules)
 * 1:35070 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength insertItemBefore use after free (browser-firefox.rules)
 * 1:35071 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength replaceItem use after free (browser-firefox.rules)
 * 1:35072 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength initialize use after free (browser-firefox.rules)
 * 1:35073 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength insertItemBefore use after free (browser-firefox.rules)
 * 1:35074 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength replaceItem use after free (browser-firefox.rules)
 * 1:35075 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength initialize use after free (browser-firefox.rules)
 * 1:35076 <-> ENABLED <-> MALWARE-CNC Win.Zusy variant outbound connection (malware-cnc.rules)
 * 1:35077 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules)
 * 1:35078 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules)
 * 1:35079 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules)
 * 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection  (malware-cnc.rules)
 * 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection  (malware-cnc.rules)
 * 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection  (malware-cnc.rules)
 * 1:35083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regiskazi outbound connection  (malware-cnc.rules)
 * 1:35084 <-> DISABLED <-> EXPLOIT-KIT Null Hole exploit kit binary download request (exploit-kit.rules)
 * 1:35091 <-> ENABLED <-> OS-MOBILE iOS lockdownd plist object buffer overflow attempt (os-mobile.rules)
 * 1:35090 <-> ENABLED <-> OS-MOBILE iOS lockdownd plist object buffer overflow attempt (os-mobile.rules)
 * 1:35087 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35088 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35089 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35086 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35085 <-> DISABLED <-> EXPLOIT-KIT Null Hole exploit kit malicious swf request (exploit-kit.rules)

Modified Rules:


 * 1:33681 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak connection to server (malware-cnc.rules)
 * 1:34761 <-> DISABLED <-> OS-WINDOWS Microsoft Windows clipboard null pointer dereference privilege escalation attempt (os-windows.rules)
 * 1:34762 <-> DISABLED <-> OS-WINDOWS Microsoft Windows clipboard null pointer dereference privilege escalation attempt (os-windows.rules)
 * 1:35005 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vcaredrix variant outbound connection (malware-cnc.rules)

2015-07-07 19:29:49 UTC

Snort Subscriber Rules Update

Date: 2015-07-07

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:35091 <-> ENABLED <-> OS-MOBILE iOS lockdownd plist object buffer overflow attempt (os-mobile.rules)
 * 1:35090 <-> ENABLED <-> OS-MOBILE iOS lockdownd plist object buffer overflow attempt (os-mobile.rules)
 * 1:35089 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35088 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35087 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35086 <-> DISABLED <-> FILE-FLASH Adobe Flash Player remote code execution attempt (file-flash.rules)
 * 1:35085 <-> DISABLED <-> EXPLOIT-KIT Null Hole exploit kit malicious swf request (exploit-kit.rules)
 * 1:35084 <-> DISABLED <-> EXPLOIT-KIT Null Hole exploit kit binary download request (exploit-kit.rules)
 * 1:35083 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Regiskazi outbound connection  (malware-cnc.rules)
 * 1:35082 <-> ENABLED <-> MALWARE-CNC Backdoor.Linux.Qenerek outbound connection  (malware-cnc.rules)
 * 1:35081 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection  (malware-cnc.rules)
 * 1:35080 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Tenbus outbound connection  (malware-cnc.rules)
 * 1:35079 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules)
 * 1:35078 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules)
 * 1:35077 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager getMGList groupId SQL injection attempt (server-webapp.rules)
 * 1:35076 <-> ENABLED <-> MALWARE-CNC Win.Zusy variant outbound connection (malware-cnc.rules)
 * 1:35075 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength initialize use after free (browser-firefox.rules)
 * 1:35074 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength replaceItem use after free (browser-firefox.rules)
 * 1:35073 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength insertItemBefore use after free (browser-firefox.rules)
 * 1:35072 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength initialize use after free (browser-firefox.rules)
 * 1:35071 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength replaceItem use after free (browser-firefox.rules)
 * 1:35070 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox DOMSVGLength insertItemBefore use after free (browser-firefox.rules)
 * 1:35069 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dino variant outbound connection (malware-cnc.rules)
 * 1:35068 <-> ENABLED <-> BLACKLIST DNS request for known malware domain tooti15.no-ip.biz - Win.Trojan.AutoIt (blacklist.rules)
 * 1:35067 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection  (malware-cnc.rules)
 * 1:35066 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection  (malware-cnc.rules)
 * 1:35065 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)
 * 1:35064 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)
 * 1:35063 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)
 * 1:35062 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection  (malware-cnc.rules)

Modified Rules:


 * 1:33681 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak connection to server (malware-cnc.rules)
 * 1:34761 <-> DISABLED <-> OS-WINDOWS Microsoft Windows clipboard null pointer dereference privilege escalation attempt (os-windows.rules)
 * 1:34762 <-> DISABLED <-> OS-WINDOWS Microsoft Windows clipboard null pointer dereference privilege escalation attempt (os-windows.rules)
 * 1:35005 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vcaredrix variant outbound connection (malware-cnc.rules)