Talos Rules 2016-01-28
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the blacklist, exploit-kit, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats. Note that two of the new server-webapp rules (1:37468 and 1:37471) and both modified rules (1:37355 and 1:20726) ship with a default state of DISABLED, so they generate no alerts until they are explicitly enabled in the local policy.

Change logs

2016-01-28 15:37:18 UTC

Snort Subscriber Rules Update

Date: 2016-01-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37468 <-> DISABLED <-> SERVER-WEBAPP InterWoven WorkDocs XSS attempt (server-webapp.rules)
 * 1:37490 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yamakdc.duckdns.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37489 <-> ENABLED <-> BLACKLIST DNS request for known malware domain trojandobyel.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vawtrak variant outbound connection (malware-cnc.rules)
 * 1:37491 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hefromefro.zapto.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37488 <-> ENABLED <-> BLACKLIST DNS request for known malware domain supercold1.ddns.net - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackmoon outbound connection (malware-cnc.rules)
 * 1:37469 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader null pointer dereference attempt (file-pdf.rules)
 * 1:37470 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader null pointer dereference attempt (file-pdf.rules)
 * 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:37472 <-> ENABLED <-> BLACKLIST DNS request for known malware domain akaros79.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37473 <-> ENABLED <-> BLACKLIST DNS request for known malware domain alohamoneydrop.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37474 <-> ENABLED <-> BLACKLIST DNS request for known malware domain althaman123.ohost.de - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37475 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cleintten.duckdns.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37476 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cleintten1.ddns.net - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37477 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cleintten101.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37478 <-> ENABLED <-> BLACKLIST DNS request for known malware domain clientten1.ddns.net - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37479 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eduardodeath.no-ip.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37480 <-> ENABLED <-> BLACKLIST DNS request for known malware domain faceebook.servehttp.com - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37481 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hawleryhacker.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37482 <-> ENABLED <-> BLACKLIST DNS request for known malware domain malouzimbra.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37483 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mathew79.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37484 <-> ENABLED <-> BLACKLIST DNS request for known malware domain miserablelyles.no-ip.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37487 <-> ENABLED <-> BLACKLIST DNS request for known malware domain spyware-dns.zapto.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37485 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oiraqo.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37486 <-> ENABLED <-> BLACKLIST DNS request for known malware domain queenbeez.zapto.org - Win.Trojan.Nancrat (blacklist.rules)
 * 3:37492 <-> ENABLED <-> SERVER-WEBAPP Cisco RV220 platform.cgi SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37355 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page detected (exploit-kit.rules)
 * 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)

2016-01-28 15:37:18 UTC

Snort Subscriber Rules Update

Date: 2016-01-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37469 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader null pointer dereference attempt (file-pdf.rules)
 * 1:37466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackmoon outbound connection (malware-cnc.rules)
 * 1:37468 <-> DISABLED <-> SERVER-WEBAPP InterWoven WorkDocs XSS attempt (server-webapp.rules)
 * 1:37467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vawtrak variant outbound connection (malware-cnc.rules)
 * 1:37470 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader null pointer dereference attempt (file-pdf.rules)
 * 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:37472 <-> ENABLED <-> BLACKLIST DNS request for known malware domain akaros79.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37473 <-> ENABLED <-> BLACKLIST DNS request for known malware domain alohamoneydrop.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37474 <-> ENABLED <-> BLACKLIST DNS request for known malware domain althaman123.ohost.de - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37475 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cleintten.duckdns.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37476 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cleintten1.ddns.net - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37477 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cleintten101.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37478 <-> ENABLED <-> BLACKLIST DNS request for known malware domain clientten1.ddns.net - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37479 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eduardodeath.no-ip.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37480 <-> ENABLED <-> BLACKLIST DNS request for known malware domain faceebook.servehttp.com - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37481 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hawleryhacker.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37482 <-> ENABLED <-> BLACKLIST DNS request for known malware domain malouzimbra.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37483 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mathew79.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37484 <-> ENABLED <-> BLACKLIST DNS request for known malware domain miserablelyles.no-ip.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37485 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oiraqo.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37491 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hefromefro.zapto.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37488 <-> ENABLED <-> BLACKLIST DNS request for known malware domain supercold1.ddns.net - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37489 <-> ENABLED <-> BLACKLIST DNS request for known malware domain trojandobyel.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37490 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yamakdc.duckdns.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37486 <-> ENABLED <-> BLACKLIST DNS request for known malware domain queenbeez.zapto.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37487 <-> ENABLED <-> BLACKLIST DNS request for known malware domain spyware-dns.zapto.org - Win.Trojan.Nancrat (blacklist.rules)
 * 3:37492 <-> ENABLED <-> SERVER-WEBAPP Cisco RV220 platform.cgi SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:37355 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page detected (exploit-kit.rules)
 * 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)

2016-01-28 15:37:18 UTC

Snort Subscriber Rules Update

Date: 2016-01-28

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37491 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hefromefro.zapto.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37490 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yamakdc.duckdns.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37489 <-> ENABLED <-> BLACKLIST DNS request for known malware domain trojandobyel.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37488 <-> ENABLED <-> BLACKLIST DNS request for known malware domain supercold1.ddns.net - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37487 <-> ENABLED <-> BLACKLIST DNS request for known malware domain spyware-dns.zapto.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37486 <-> ENABLED <-> BLACKLIST DNS request for known malware domain queenbeez.zapto.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37485 <-> ENABLED <-> BLACKLIST DNS request for known malware domain oiraqo.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37484 <-> ENABLED <-> BLACKLIST DNS request for known malware domain miserablelyles.no-ip.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37483 <-> ENABLED <-> BLACKLIST DNS request for known malware domain mathew79.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37482 <-> ENABLED <-> BLACKLIST DNS request for known malware domain malouzimbra.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37481 <-> ENABLED <-> BLACKLIST DNS request for known malware domain hawleryhacker.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37480 <-> ENABLED <-> BLACKLIST DNS request for known malware domain faceebook.servehttp.com - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37479 <-> ENABLED <-> BLACKLIST DNS request for known malware domain eduardodeath.no-ip.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37478 <-> ENABLED <-> BLACKLIST DNS request for known malware domain clientten1.ddns.net - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37477 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cleintten101.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37476 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cleintten1.ddns.net - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37475 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cleintten.duckdns.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37474 <-> ENABLED <-> BLACKLIST DNS request for known malware domain althaman123.ohost.de - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37473 <-> ENABLED <-> BLACKLIST DNS request for known malware domain alohamoneydrop.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37472 <-> ENABLED <-> BLACKLIST DNS request for known malware domain akaros79.no-ip.biz - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:37470 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader null pointer dereference attempt (file-pdf.rules)
 * 1:37469 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader null pointer dereference attempt (file-pdf.rules)
 * 1:37468 <-> DISABLED <-> SERVER-WEBAPP InterWoven WorkDocs XSS attempt (server-webapp.rules)
 * 1:37467 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vawtrak variant outbound connection (malware-cnc.rules)
 * 1:37466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackmoon outbound connection (malware-cnc.rules)
 * 3:37492 <-> ENABLED <-> SERVER-WEBAPP Cisco RV220 platform.cgi SQL injection attempt (server-webapp.rules)

Modified Rules:


 * 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:37355 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page detected (exploit-kit.rules)
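The change logs above all use the `gid:sid <-> Default rule state <-> Message (rule group)` format. The following parser is an added example (not Talos tooling or part of the original release notes) that turns a change log in that format into structured records and answers the two questions an analyst usually has after a rule update: which new rules arrived DISABLED and therefore need a policy decision, and which domains the new BLACKLIST rules name so they can be pushed to DNS blocking. The sample text is a subset of the lines copied from the listing above; the RPZ output and the observation that gid 3 denotes shared-object (SO) rules while gid 1 denotes text rules are this example's own additions, not statements from the page.

```python
import re

# One change-log entry: " * gid:sid <-> STATE <-> message (group.rules)"
ENTRY_RE = re.compile(
    r'^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)'
    r'\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[\w-]+\.rules)\)\s*$'
)

# BLACKLIST DNS messages embed the domain after "known malware domain"
DOMAIN_RE = re.compile(r'known malware domain\s+(?P<domain>[A-Za-z0-9.-]+)')

# Subset of the 2016-01-28 change log, copied from the listing above
SAMPLE = """\
New Rules:

 * 1:37468 <-> DISABLED <-> SERVER-WEBAPP InterWoven WorkDocs XSS attempt (server-webapp.rules)
 * 1:37490 <-> ENABLED <-> BLACKLIST DNS request for known malware domain yamakdc.duckdns.org - Win.Trojan.Nancrat (blacklist.rules)
 * 1:37466 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackmoon outbound connection (malware-cnc.rules)
 * 1:37471 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
 * 1:37488 <-> ENABLED <-> BLACKLIST DNS request for known malware domain supercold1.ddns.net - Win.Trojan.Nancrat (blacklist.rules)
 * 3:37492 <-> ENABLED <-> SERVER-WEBAPP Cisco RV220 platform.cgi SQL injection attempt (server-webapp.rules)

Modified Rules:

 * 1:37355 <-> DISABLED <-> EXPLOIT-KIT Sweet Orange exploit kit landing page detected (exploit-kit.rules)
 * 1:20726 <-> DISABLED <-> SERVER-WEBAPP F-Secure web console username overflow attempt (server-webapp.rules)
"""


def parse_changelog(text):
    """Parse the 'New Rules' / 'Modified Rules' sections into a list of dicts."""
    section = None
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == 'New Rules:':
            section = 'new'
            continue
        if stripped == 'Modified Rules:':
            section = 'modified'
            continue
        m = ENTRY_RE.match(line)
        if m is None or section is None:
            continue  # blank line, header text, or a line outside the two sections
        e = m.groupdict()
        e['gid'] = int(e['gid'])
        e['sid'] = int(e['sid'])
        e['section'] = section
        e['enabled'] = e['state'] == 'ENABLED'
        # The message starts with the Talos category (SERVER-WEBAPP, BLACKLIST, ...)
        e['category'] = e['msg'].split(' ', 1)[0]
        dm = DOMAIN_RE.search(e['msg'])
        e['domain'] = dm.group('domain') if dm else None
        entries.append(e)
    return entries


def disabled_by_default(entries, section='new'):
    """Rules shipped DISABLED: silent until enabled in the local policy."""
    return [e for e in entries if e['section'] == section and not e['enabled']]


def shared_object_rules(entries):
    """gid 3 entries are shared-object (SO) rules; gid 1 entries are text rules."""
    return [e for e in entries if e['gid'] == 3]


def blacklist_domains(entries):
    """Unique domains named by BLACKLIST DNS rules, sorted for stable output."""
    return sorted({e['domain'] for e in entries if e['domain']})


def rpz_records(domains):
    """DNS RPZ records that return NXDOMAIN for each domain and its subdomains
    (an added step for DNS-side blocking; the page itself only lists the rules)."""
    out = []
    for d in domains:
        out.append(f"{d} CNAME .")
        out.append(f"*.{d} CNAME .")
    return out


if __name__ == '__main__':
    entries = parse_changelog(SAMPLE)
    print(f"parsed {len(entries)} entries")
    for e in disabled_by_default(entries):
        print(f"review: {e['gid']}:{e['sid']} DISABLED  {e['msg']}")
    for e in shared_object_rules(entries):
        print(f"SO rule: {e['gid']}:{e['sid']}  {e['msg']}")
    print('\n'.join(rpz_records(blacklist_domains(entries))))
```

Run against a full change log, `disabled_by_default` is the review list for the update (here 1:37468 and 1:37471, which only matter on networks that actually expose InterWoven WorkDocs or the F-Secure web console), and `blacklist_domains` yields the dynamic-DNS hostnames tied to Win.Trojan.Nancrat for a resolver-side block.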