Microsoft Security Bulletin MS15-116 (CVE-2015-6123): A coding deficiency exists in Microsoft Office for Mac that may lead to url redirection.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 36766 through 36767.
Talos has added and modified multiple rules in the blacklist, exploit-kit and malware-cnc rule sets to provide coverage for emerging threats from these technologies.
For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36769 <-> ENABLED <-> BLACKLIST DNS request for known malware domain webdelphi.ru - Win.Trojan.Redcontrole (blacklist.rules) * 1:36770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redcontrole variant outbound connection (malware-cnc.rules) * 1:36767 <-> DISABLED <-> FILE-OTHER Microsoft Outlook for Mac EML file http-equiv refresh url attempt (file-other.rules) * 1:36768 <-> ENABLED <-> BLACKLIST DNS request for known malware domain razercommns.com - Win.Trojan.Redcontrole (blacklist.rules) * 1:36766 <-> DISABLED <-> FILE-OTHER Microsoft Outlook for Mac EML file http-equiv refresh url attempt (file-other.rules) * 1:36771 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36766 <-> DISABLED <-> FILE-OTHER Microsoft Outlook for Mac EML file http-equiv refresh url attempt (file-other.rules) * 1:36767 <-> DISABLED <-> FILE-OTHER Microsoft Outlook for Mac EML file http-equiv refresh url attempt (file-other.rules) * 1:36768 <-> ENABLED <-> BLACKLIST DNS request for known malware domain razercommns.com - Win.Trojan.Redcontrole (blacklist.rules) * 1:36769 <-> ENABLED <-> BLACKLIST DNS request for known malware domain webdelphi.ru - Win.Trojan.Redcontrole (blacklist.rules) * 1:36770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redcontrole variant outbound connection (malware-cnc.rules) * 1:36771 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules)
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.
The format of the file is:
gid:sid <-> Default rule state <-> Message (rule group)
* 1:36771 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit viewforum uri request attempt (exploit-kit.rules) * 1:36770 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Redcontrole variant outbound connection (malware-cnc.rules) * 1:36769 <-> ENABLED <-> BLACKLIST DNS request for known malware domain webdelphi.ru - Win.Trojan.Redcontrole (blacklist.rules) * 1:36768 <-> ENABLED <-> BLACKLIST DNS request for known malware domain razercommns.com - Win.Trojan.Redcontrole (blacklist.rules) * 1:36767 <-> DISABLED <-> FILE-OTHER Microsoft Outlook for Mac EML file http-equiv refresh url attempt (file-other.rules) * 1:36766 <-> DISABLED <-> FILE-OTHER Microsoft Outlook for Mac EML file http-equiv refresh url attempt (file-other.rules)