VRT Rules 2014-09-30
This release adds and modifies rules in several categories.

The VRT has added and modified multiple rules in the blacklist, browser-other, exploit-kit, file-flash, file-office, file-pdf, malware-cnc, os-other and server-webapp rule sets to provide coverage for emerging threats. This release includes six new OS-OTHER rules (1:32038 through 1:32043) for Bash environment variable injection attempts; note that several of the new file-flash, browser-other and server-webapp rules ship disabled by default and must be enabled explicitly to fire.

Change logs

2014-09-30 14:12:56 UTC

Sourcefire VRT Rules Update

Date: 2014-09-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2956.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32040 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Ganiw variant outbound connection attempt (malware-cnc.rules)
 * 1:32022 <-> ENABLED <-> FILE-PDF Adobe Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules)
 * 1:32020 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Krompt variant outbound connection attempt (malware-cnc.rules)
 * 1:32021 <-> ENABLED <-> FILE-PDF Adobe Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules)
 * 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection attempt (malware-cnc.rules)
 * 1:32017 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Memlog SMB file transfer (malware-cnc.rules)
 * 1:32015 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zeus variant outbound connection attempt (malware-cnc.rules)
 * 1:32043 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32028 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Klabcon variant outbound connection attempt (malware-cnc.rules)
 * 1:32041 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32039 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32014 <-> DISABLED <-> SERVER-WEBAPP GetSimpleCMS arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:32013 <-> ENABLED <-> MALWARE-CNC Linux.Worm.Darlloz variant outbound connection attempt (malware-cnc.rules)
 * 1:32012 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Bipamid variant outbound connection attempt (malware-cnc.rules)
 * 1:32016 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Menteni variant outbound connection attempt (malware-cnc.rules)
 * 1:32019 <-> ENABLED <-> BLACKLIST DNS request for known malware domain internetexplorers.org (blacklist.rules)
 * 1:32023 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sinpid variant outbound connection attempt (malware-cnc.rules)
 * 1:32024 <-> ENABLED <-> FILE-FLASH Adobe Flash Player unsupported bitmapFormat value memory disclosure attempt (file-flash.rules)
 * 1:32025 <-> ENABLED <-> FILE-FLASH Adobe Flash Player unsupported bitmapFormat value memory disclosure attempt (file-flash.rules)
 * 1:32026 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid TRCK frame attempt (file-flash.rules)
 * 1:32027 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid TRCK frame attempt (file-flash.rules)
 * 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (browser-other.rules)
 * 1:32030 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Decibal - Win.Trojan.Decibal (blacklist.rules)
 * 1:32031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Decibal variant outbound connection (malware-cnc.rules)
 * 1:32032 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cinebergen.nl - Win.Trojan.Larosden (blacklist.rules)
 * 1:32034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Larefervt variant outbound connection attempt (malware-cnc.rules)
 * 1:32035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boleteiro variant outbound connection attempt (malware-cnc.rules)
 * 1:32033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Larosden variant outbound connection (malware-cnc.rules)
 * 1:32037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload.awt variant outbound connection attempt (malware-cnc.rules)
 * 1:32042 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Somoca variant outbound connection attempt (malware-cnc.rules)
 * 1:32038 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)

Modified Rules:


 * 1:7002 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel url unicode overflow attempt (file-office.rules)
 * 1:31915 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Ziyazo variant outbound connection (malware-cnc.rules)
 * 1:27705 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit Java exploit requested (exploit-kit.rules)
 * 1:26319 <-> DISABLED <-> MALWARE-CNC file path used as User-Agent - potential Trojan (malware-cnc.rules)
 * 1:27704 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit Java exploit requested (exploit-kit.rules)
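The entries above all follow the `gid:sid <-> Default rule state <-> Message (rule group)` format described at the top of each log. The following parser is an added example, not part of the VRT release notes or of any Sourcefire/Snort tooling: it turns that text into records and pulls out the question a practitioner asks first after an update, namely which new rules arrived disabled by default and so will not fire until enabled. The sample input is a handful of lines copied from the list above; the function and field names are my own.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the change log above, in the
# documented format  gid:sid <-> Default rule state <-> Message (rule group)
SAMPLE = """\
New Rules:

 * 1:32043 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32014 <-> DISABLED <-> SERVER-WEBAPP GetSimpleCMS arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (browser-other.rules)
 * 1:32030 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Decibal - Win.Trojan.Decibal (blacklist.rules)

Modified Rules:

 * 1:7002 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel url unicode overflow attempt (file-office.rules)
 * 1:27705 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit Java exploit requested (exploit-kit.rules)
"""

# One rule line. The rule group is the last parenthesised token on the line,
# so a parenthesis inside the message text itself cannot confuse the match.
RULE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()\s]+\.rules)\)\s*$"
)

# Section headers as they appear in the log, mapped to a short tag.
SECTION_HEADERS = {"New Rules:": "new", "Modified Rules:": "modified"}


def parse_changelog(text):
    """Return one dict per rule line, tagged with the section it sits in."""
    records = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        m = RULE_RE.match(raw)
        if not m:
            continue  # blank lines, dates and the format description
        records.append({
            "section": section,
            "gid": int(m.group("gid")),
            "sid": int(m.group("sid")),
            "state": m.group("state"),
            # First token of the message is the category, e.g. OS-OTHER
            "category": m.group("msg").split(" ", 1)[0],
            "msg": m.group("msg"),
            "group": m.group("group"),
        })
    return records


def disabled_new_rules(records):
    """gid:sid of rules new in this pack that ship off by default.

    These never fire unless enabled, so they are the first thing to review
    after an update. Output is in gid:sid form, ready to paste into an
    enable list.
    """
    return [f"{r['gid']}:{r['sid']}" for r in records
            if r["section"] == "new" and r["state"] == "DISABLED"]


def count_by_group(records):
    """How many listed rule lines touch each .rules file."""
    return Counter(r["group"] for r in records)


if __name__ == "__main__":
    recs = parse_changelog(SAMPLE)
    print(f"{len(recs)} rule lines parsed")
    print("new but default-disabled:", disabled_new_rules(recs))
    for group, n in sorted(count_by_group(recs).items()):
        print(f"  {group:22} {n}")
```

Run against the full log, the disabled-by-default check flags the GetSimpleCMS, Android WebView and invalid TRCK frame rules; whether to turn them on is a per-site decision that depends on what the sensor actually sees, since a rule tuned for a niche product only adds false-positive load where that product is absent.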

2014-09-30 14:12:56 UTC

Sourcefire VRT Rules Update

Date: 2014-09-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2961.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32013 <-> ENABLED <-> MALWARE-CNC Linux.Worm.Darlloz variant outbound connection attempt (malware-cnc.rules)
 * 1:32015 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zeus variant outbound connection attempt (malware-cnc.rules)
 * 1:32016 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Menteni variant outbound connection attempt (malware-cnc.rules)
 * 1:32017 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Memlog SMB file transfer (malware-cnc.rules)
 * 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection attempt (malware-cnc.rules)
 * 1:32019 <-> ENABLED <-> BLACKLIST DNS request for known malware domain internetexplorers.org (blacklist.rules)
 * 1:32020 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Krompt variant outbound connection attempt (malware-cnc.rules)
 * 1:32021 <-> ENABLED <-> FILE-PDF Adobe Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules)
 * 1:32022 <-> ENABLED <-> FILE-PDF Adobe Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules)
 * 1:32023 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sinpid variant outbound connection attempt (malware-cnc.rules)
 * 1:32024 <-> ENABLED <-> FILE-FLASH Adobe Flash Player unsupported bitmapFormat value memory disclosure attempt (file-flash.rules)
 * 1:32025 <-> ENABLED <-> FILE-FLASH Adobe Flash Player unsupported bitmapFormat value memory disclosure attempt (file-flash.rules)
 * 1:32026 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid TRCK frame attempt (file-flash.rules)
 * 1:32027 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid TRCK frame attempt (file-flash.rules)
 * 1:32028 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Klabcon variant outbound connection attempt (malware-cnc.rules)
 * 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (browser-other.rules)
 * 1:32030 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Decibal - Win.Trojan.Decibal (blacklist.rules)
 * 1:32031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Decibal variant outbound connection (malware-cnc.rules)
 * 1:32032 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cinebergen.nl - Win.Trojan.Larosden (blacklist.rules)
 * 1:32033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Larosden variant outbound connection (malware-cnc.rules)
 * 1:32034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Larefervt variant outbound connection attempt (malware-cnc.rules)
 * 1:32035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boleteiro variant outbound connection attempt (malware-cnc.rules)
 * 1:32012 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Bipamid variant outbound connection attempt (malware-cnc.rules)
 * 1:32043 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32042 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32014 <-> DISABLED <-> SERVER-WEBAPP GetSimpleCMS arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:32041 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32040 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Ganiw variant outbound connection attempt (malware-cnc.rules)
 * 1:32038 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32039 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload.awt variant outbound connection attempt (malware-cnc.rules)
 * 1:32036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Somoca variant outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:27704 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit Java exploit requested (exploit-kit.rules)
 * 1:26319 <-> DISABLED <-> MALWARE-CNC file path used as User-Agent - potential Trojan (malware-cnc.rules)
 * 1:27705 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit Java exploit requested (exploit-kit.rules)
 * 1:31915 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Ziyazo variant outbound connection (malware-cnc.rules)
 * 1:7002 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel url unicode overflow attempt (file-office.rules)

2014-09-30 14:12:56 UTC

Sourcefire VRT Rules Update

Date: 2014-09-30

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:32043 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32042 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32041 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32040 <-> ENABLED <-> MALWARE-CNC Linux.Backdoor.Ganiw variant outbound connection attempt (malware-cnc.rules)
 * 1:32039 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32038 <-> ENABLED <-> OS-OTHER Bash environment variable injection attempt (os-other.rules)
 * 1:32037 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload.awt variant outbound connection attempt (malware-cnc.rules)
 * 1:32036 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Somoca variant outbound connection attempt (malware-cnc.rules)
 * 1:32035 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Boleteiro variant outbound connection attempt (malware-cnc.rules)
 * 1:32034 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Larefervt variant outbound connection attempt (malware-cnc.rules)
 * 1:32033 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Larosden variant outbound connection (malware-cnc.rules)
 * 1:32032 <-> ENABLED <-> BLACKLIST DNS request for known malware domain cinebergen.nl - Win.Trojan.Larosden (blacklist.rules)
 * 1:32031 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Decibal variant outbound connection (malware-cnc.rules)
 * 1:32030 <-> ENABLED <-> BLACKLIST User-Agent known malicious user-agent string Decibal - Win.Trojan.Decibal (blacklist.rules)
 * 1:32029 <-> DISABLED <-> BROWSER-OTHER Android WebView same origin policy bypass attempt (browser-other.rules)
 * 1:32028 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Klabcon variant outbound connection attempt (malware-cnc.rules)
 * 1:32027 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid TRCK frame attempt (file-flash.rules)
 * 1:32026 <-> DISABLED <-> FILE-FLASH Adobe Flash Player invalid TRCK frame attempt (file-flash.rules)
 * 1:32025 <-> ENABLED <-> FILE-FLASH Adobe Flash Player unsupported bitmapFormat value memory disclosure attempt (file-flash.rules)
 * 1:32024 <-> ENABLED <-> FILE-FLASH Adobe Flash Player unsupported bitmapFormat value memory disclosure attempt (file-flash.rules)
 * 1:32023 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Sinpid variant outbound connection attempt (malware-cnc.rules)
 * 1:32022 <-> ENABLED <-> FILE-PDF Adobe Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules)
 * 1:32021 <-> ENABLED <-> FILE-PDF Adobe Reader U3D format Line Set Continuation out-of-bounds memory access attempt (file-pdf.rules)
 * 1:32020 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Krompt variant outbound connection attempt (malware-cnc.rules)
 * 1:32019 <-> ENABLED <-> BLACKLIST DNS request for known malware domain internetexplorers.org (blacklist.rules)
 * 1:32018 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection attempt (malware-cnc.rules)
 * 1:32017 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Memlog SMB file transfer (malware-cnc.rules)
 * 1:32016 <-> ENABLED <-> MALWARE-CNC Win.Trojan.MSIL.Menteni variant outbound connection attempt (malware-cnc.rules)
 * 1:32015 <-> ENABLED <-> MALWARE-CNC Win.Backdoor.Zeus variant outbound connection attempt (malware-cnc.rules)
 * 1:32014 <-> DISABLED <-> SERVER-WEBAPP GetSimpleCMS arbitrary PHP code execution attempt (server-webapp.rules)
 * 1:32013 <-> ENABLED <-> MALWARE-CNC Linux.Worm.Darlloz variant outbound connection attempt (malware-cnc.rules)
 * 1:32012 <-> ENABLED <-> MALWARE-CNC Win.Trojan-Downloader.Bipamid variant outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:26319 <-> DISABLED <-> MALWARE-CNC file path used as User-Agent - potential Trojan (malware-cnc.rules)
 * 1:27704 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit Java exploit requested (exploit-kit.rules)
 * 1:27705 <-> ENABLED <-> EXPLOIT-KIT Gong Da exploit kit Java exploit requested (exploit-kit.rules)
 * 1:31915 <-> ENABLED <-> MALWARE-CNC WIN.Trojan.Ziyazo variant outbound connection (malware-cnc.rules)
 * 1:7002 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel url unicode overflow attempt (file-office.rules)