VRT Rules 2015-04-21
Talos is aware of a vulnerability affecting products from Microsoft Corporation and Adobe.

Microsoft Security Advisory: A publicly exploited vulnerability exists in Adobe Flash Player affecting Microsoft Windows versions prior to Windows 8.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 34178 and 34179 (OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt); both ship enabled in the default rule state, as the change logs below show.

Talos has added and modified multiple rules in the browser-ie, browser-other, file-flash, file-pdf, malware-cnc, os-other, os-windows, pua-adware and server-other rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2015-04-21 19:26:45 UTC

Snort Subscriber Rules Update

Date: 2015-04-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
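
The line format above is simple enough to parse mechanically, which is worth doing for two reasons a practitioner cares about: a rule listed as DISABLED is in the pack but will not alert until you opt in, and a GID 3 entry (such as 3:34180 below) is a shared-object rule that needs the precompiled SO build matching your Snort version rather than just the text rule file. The following Python is an added example, not code from the Talos page or from the Snort project; the sample changelog is a constructed excerpt of lines from this page, and the function names are mine. It parses the entries, counts enabled versus disabled rules per rule group, lists the SIDs that are off by default, and checks whether the SIDs an advisory names (here 34178 through 34179) are actually present in the pack you received.

```python
import re
from collections import defaultdict

# Constructed excerpt in the changelog format shown on this page:
#   gid:sid <-> Default rule state <-> Message (rule group)
SAMPLE_CHANGELOG = """\
New Rules:


 * 1:34137 <-> DISABLED <-> PUA-ADWARE User-Agent SearchProtect (pua-adware.rules)
 * 1:34143 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Crypvault outbound connection (malware-cnc.rules)
 * 1:34176 <-> DISABLED <-> FILE-FLASH Adobe Flash Player domain security bypass attempt (file-flash.rules)
 * 1:34177 <-> DISABLED <-> FILE-FLASH Adobe Flash Player domain security bypass attempt (file-flash.rules)
 * 1:34178 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt (os-windows.rules)
 * 1:34179 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt (os-windows.rules)
 * 3:34180 <-> ENABLED <-> OS-OTHER Cisco Secure Desktop Applet command execution attempt (os-other.rules)

Modified Rules:


 * 1:29902 <-> ENABLED <-> FILE-PDF Adobe Reader invalid JPEG stream double free attempt (file-pdf.rules)
 * 1:34061 <-> DISABLED <-> SERVER-IIS Microsoft IIS Range header integer overflow attempt (server-iis.rules)
"""

# One rule entry: " * gid:sid <-> STATE <-> message (group.rules)"
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w-]+\.rules)\)\s*$"
)


def parse_changelog(text):
    """Return a list of rule records; 'section' is 'new' or 'modified'."""
    section = None
    rules = []
    for line in text.splitlines():
        heading = line.strip()
        if heading == "New Rules:":
            section = "new"
            continue
        if heading == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_LINE.match(line)
        if not m:
            continue  # blank lines, headers, anything that is not a rule entry
        rules.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "enabled": m["state"] == "ENABLED",
            "msg": m["msg"],
            "group": m["group"],
            "section": section,
            # GID 3 = shared-object rule: requires the precompiled SO matching
            # your Snort version, not only the text rule file.
            "shared_object": m["gid"] == "3",
        })
    return rules


def count_by_group(rules):
    """{rule group: {'enabled': n, 'disabled': n}}; shows how much of an
    update is silent until you opt in."""
    counts = defaultdict(lambda: {"enabled": 0, "disabled": 0})
    for r in rules:
        counts[r["group"]]["enabled" if r["enabled"] else "disabled"] += 1
    return dict(counts)


def advisory_coverage(rules, gid, first_sid, last_sid):
    """Map each SID an advisory names to its default state (True/False), or
    None if that gid:sid is missing from the pack you actually received."""
    by_id = {(r["gid"], r["sid"]): r for r in rules}
    return {
        sid: (by_id[(gid, sid)]["enabled"] if (gid, sid) in by_id else None)
        for sid in range(first_sid, last_sid + 1)
    }


def disabled_sids(rules):
    """'gid:sid' strings for rules shipped DISABLED; these are the candidates
    for your rule-management tooling if you decide to turn them on."""
    return sorted(f"{r['gid']}:{r['sid']}" for r in rules if not r["enabled"])


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    print(count_by_group(parsed))
    print(advisory_coverage(parsed, 1, 34178, 34179))
    print(disabled_sids(parsed))
```

Run against the full changelog text instead of the excerpt, `advisory_coverage` confirms that both SIDs named in the advisory are present and enabled, while `disabled_sids` surfaces entries such as the two FILE-FLASH domain security bypass rules (1:34176, 1:34177) that are in the pack but off by default.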

New Rules:


 * 1:34137 <-> DISABLED <-> PUA-ADWARE User-Agent SearchProtect (pua-adware.rules)
 * 1:34143 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Crypvault outbound connection (malware-cnc.rules)
 * 1:34144 <-> DISABLED <-> PUA-ADWARE SuperOptimizer installation status (pua-adware.rules)
 * 1:34140 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dyre publickey outbound connection attempt (malware-cnc.rules)
 * 1:34142 <-> ENABLED <-> SERVER-OTHER Oracle CorelDRAW file parser heap buffer overflow attempt (server-other.rules)
 * 1:34139 <-> DISABLED <-> SERVER-OTHER Novell ZenWorks configuration management file upload directory traversal attempt (server-other.rules)
 * 1:34175 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField filter use-after-free attempt (file-flash.rules)
 * 1:34177 <-> DISABLED <-> FILE-FLASH Adobe Flash Player domain security bypass attempt (file-flash.rules)
 * 1:34172 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField filter use-after-free attempt (file-flash.rules)
 * 1:34174 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField filter use-after-free attempt (file-flash.rules)
 * 1:34173 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField filter use-after-free attempt (file-flash.rules)
 * 1:34138 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Netkrypt inbound response (malware-cnc.rules)
 * 1:34141 <-> ENABLED <-> SERVER-OTHER Oracle CorelDRAW file parser heap buffer overflow attempt (server-other.rules)
 * 1:34145 <-> DISABLED <-> PUA-ADWARE SuperOptimizer encrypted data transmission (pua-adware.rules)
 * 1:34146 <-> DISABLED <-> PUA-ADWARE SuperOptimizer geolocation request (pua-adware.rules)
 * 1:34147 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34148 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34149 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34150 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34151 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sound class type confusion attempt (file-flash.rules)
 * 1:34152 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sound class type confusion attempt (file-flash.rules)
 * 1:34153 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sound class type confusion attempt (file-flash.rules)
 * 1:34154 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sound class type confusion attempt (file-flash.rules)
 * 1:34155 <-> ENABLED <-> MALWARE-CNC MacOS.Backdoor.Xslcmd outbound connection attempt (malware-cnc.rules)
 * 1:34156 <-> ENABLED <-> FILE-FLASH Adobe Flash Player EAC3 memory corruption attempt (file-flash.rules)
 * 1:34157 <-> ENABLED <-> FILE-FLASH Adobe Flash Player EAC3 memory corruption attempt (file-flash.rules)
 * 1:34158 <-> ENABLED <-> FILE-FLASH Adobe Flash Player EAC3 memory corruption attempt (file-flash.rules)
 * 1:34159 <-> ENABLED <-> FILE-FLASH Adobe Flash Player EAC3 memory corruption attempt (file-flash.rules)
 * 1:34179 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt (os-windows.rules)
 * 1:34161 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Punkey outbound connection (malware-cnc.rules)
 * 1:34162 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp zero length assertion heap overflow attempt (file-flash.rules)
 * 1:34163 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp zero length assertion heap overflow attempt (file-flash.rules)
 * 1:34164 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp zero length assertion heap overflow attempt (file-flash.rules)
 * 1:34165 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp zero length assertion heap overflow attempt (file-flash.rules)
 * 1:34178 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt (os-windows.rules)
 * 1:34166 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array double free attempt (file-flash.rules)
 * 1:34167 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array double free attempt (file-flash.rules)
 * 1:34169 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array double free attempt (file-flash.rules)
 * 1:34168 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array double free attempt (file-flash.rules)
 * 1:34160 <-> DISABLED <-> SERVER-OTHER Oracle Outside In Paradox database denial of service attempt (server-other.rules)
 * 1:34176 <-> DISABLED <-> FILE-FLASH Adobe Flash Player domain security bypass attempt (file-flash.rules)
 * 1:34170 <-> DISABLED <-> BROWSER-OTHER Opera SVG use after free memory corruption attempt (browser-other.rules)
 * 1:34171 <-> DISABLED <-> BROWSER-OTHER Opera SVG use after free memory corruption attempt (browser-other.rules)
 * 3:34180 <-> ENABLED <-> OS-OTHER Cisco Secure Desktop Applet command execution attempt (os-other.rules)

Modified Rules:


 * 1:29902 <-> ENABLED <-> FILE-PDF Adobe Reader invalid JPEG stream double free attempt (file-pdf.rules)
 * 1:31196 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode onmousemove use-after-free attempt (browser-ie.rules)
 * 1:34061 <-> DISABLED <-> SERVER-IIS Microsoft IIS Range header integer overflow attempt (server-iis.rules)
 * 1:31197 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode onmousemove use-after-free attempt (browser-ie.rules)
 * 1:29903 <-> ENABLED <-> FILE-PDF Adobe Reader invalid JPEG stream double free attempt (file-pdf.rules)

2015-04-21 19:26:45 UTC

Snort Subscriber Rules Update

Date: 2015-04-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2970.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34143 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Crypvault outbound connection (malware-cnc.rules)
 * 1:34144 <-> DISABLED <-> PUA-ADWARE SuperOptimizer installation status (pua-adware.rules)
 * 1:34140 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dyre publickey outbound connection attempt (malware-cnc.rules)
 * 1:34142 <-> ENABLED <-> SERVER-OTHER Oracle CorelDRAW file parser heap buffer overflow attempt (server-other.rules)
 * 1:34139 <-> DISABLED <-> SERVER-OTHER Novell ZenWorks configuration management file upload directory traversal attempt (server-other.rules)
 * 1:34137 <-> DISABLED <-> PUA-ADWARE User-Agent SearchProtect (pua-adware.rules)
 * 1:34138 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Netkrypt inbound response (malware-cnc.rules)
 * 1:34141 <-> ENABLED <-> SERVER-OTHER Oracle CorelDRAW file parser heap buffer overflow attempt (server-other.rules)
 * 1:34145 <-> DISABLED <-> PUA-ADWARE SuperOptimizer encrypted data transmission (pua-adware.rules)
 * 1:34146 <-> DISABLED <-> PUA-ADWARE SuperOptimizer geolocation request (pua-adware.rules)
 * 1:34147 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34148 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34149 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34150 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34151 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sound class type confusion attempt (file-flash.rules)
 * 1:34152 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sound class type confusion attempt (file-flash.rules)
 * 1:34153 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sound class type confusion attempt (file-flash.rules)
 * 1:34154 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sound class type confusion attempt (file-flash.rules)
 * 1:34155 <-> ENABLED <-> MALWARE-CNC MacOS.Backdoor.Xslcmd outbound connection attempt (malware-cnc.rules)
 * 1:34156 <-> ENABLED <-> FILE-FLASH Adobe Flash Player EAC3 memory corruption attempt (file-flash.rules)
 * 1:34157 <-> ENABLED <-> FILE-FLASH Adobe Flash Player EAC3 memory corruption attempt (file-flash.rules)
 * 1:34158 <-> ENABLED <-> FILE-FLASH Adobe Flash Player EAC3 memory corruption attempt (file-flash.rules)
 * 1:34159 <-> ENABLED <-> FILE-FLASH Adobe Flash Player EAC3 memory corruption attempt (file-flash.rules)
 * 1:34160 <-> DISABLED <-> SERVER-OTHER Oracle Outside In Paradox database denial of service attempt (server-other.rules)
 * 1:34161 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Punkey outbound connection (malware-cnc.rules)
 * 1:34162 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp zero length assertion heap overflow attempt (file-flash.rules)
 * 1:34163 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp zero length assertion heap overflow attempt (file-flash.rules)
 * 1:34164 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp zero length assertion heap overflow attempt (file-flash.rules)
 * 1:34165 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp zero length assertion heap overflow attempt (file-flash.rules)
 * 1:34166 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array double free attempt (file-flash.rules)
 * 1:34167 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array double free attempt (file-flash.rules)
 * 1:34168 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array double free attempt (file-flash.rules)
 * 1:34169 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array double free attempt (file-flash.rules)
 * 1:34179 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt (os-windows.rules)
 * 1:34178 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt (os-windows.rules)
 * 1:34177 <-> DISABLED <-> FILE-FLASH Adobe Flash Player domain security bypass attempt (file-flash.rules)
 * 1:34176 <-> DISABLED <-> FILE-FLASH Adobe Flash Player domain security bypass attempt (file-flash.rules)
 * 1:34175 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField filter use-after-free attempt (file-flash.rules)
 * 1:34174 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField filter use-after-free attempt (file-flash.rules)
 * 1:34173 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField filter use-after-free attempt (file-flash.rules)
 * 1:34172 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField filter use-after-free attempt (file-flash.rules)
 * 1:34171 <-> DISABLED <-> BROWSER-OTHER Opera SVG use after free memory corruption attempt (browser-other.rules)
 * 1:34170 <-> DISABLED <-> BROWSER-OTHER Opera SVG use after free memory corruption attempt (browser-other.rules)
 * 3:34180 <-> ENABLED <-> OS-OTHER Cisco Secure Desktop Applet command execution attempt (os-other.rules)

Modified Rules:


 * 1:29902 <-> ENABLED <-> FILE-PDF Adobe Reader invalid JPEG stream double free attempt (file-pdf.rules)
 * 1:31196 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode onmousemove use-after-free attempt (browser-ie.rules)
 * 1:34061 <-> DISABLED <-> SERVER-IIS Microsoft IIS Range header integer overflow attempt (server-iis.rules)
 * 1:29903 <-> ENABLED <-> FILE-PDF Adobe Reader invalid JPEG stream double free attempt (file-pdf.rules)
 * 1:31197 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode onmousemove use-after-free attempt (browser-ie.rules)

2015-04-21 19:26:45 UTC

Snort Subscriber Rules Update

Date: 2015-04-21

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2972.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:34179 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt (os-windows.rules)
 * 1:34178 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateWindowEx privilege escalation attempt (os-windows.rules)
 * 1:34177 <-> DISABLED <-> FILE-FLASH Adobe Flash Player domain security bypass attempt (file-flash.rules)
 * 1:34176 <-> DISABLED <-> FILE-FLASH Adobe Flash Player domain security bypass attempt (file-flash.rules)
 * 1:34175 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField filter use-after-free attempt (file-flash.rules)
 * 1:34174 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField filter use-after-free attempt (file-flash.rules)
 * 1:34173 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField filter use-after-free attempt (file-flash.rules)
 * 1:34172 <-> ENABLED <-> FILE-FLASH Adobe Flash Player TextField filter use-after-free attempt (file-flash.rules)
 * 1:34171 <-> DISABLED <-> BROWSER-OTHER Opera SVG use after free memory corruption attempt (browser-other.rules)
 * 1:34170 <-> DISABLED <-> BROWSER-OTHER Opera SVG use after free memory corruption attempt (browser-other.rules)
 * 1:34169 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array double free attempt (file-flash.rules)
 * 1:34168 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array double free attempt (file-flash.rules)
 * 1:34167 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array double free attempt (file-flash.rules)
 * 1:34166 <-> ENABLED <-> FILE-FLASH Adobe Flash Player byte array double free attempt (file-flash.rules)
 * 1:34165 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp zero length assertion heap overflow attempt (file-flash.rules)
 * 1:34164 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp zero length assertion heap overflow attempt (file-flash.rules)
 * 1:34163 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp zero length assertion heap overflow attempt (file-flash.rules)
 * 1:34162 <-> ENABLED <-> FILE-FLASH Adobe Flash Player RegExp zero length assertion heap overflow attempt (file-flash.rules)
 * 1:34161 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Punkey outbound connection (malware-cnc.rules)
 * 1:34160 <-> DISABLED <-> SERVER-OTHER Oracle Outside In Paradox database denial of service attempt (server-other.rules)
 * 1:34159 <-> ENABLED <-> FILE-FLASH Adobe Flash Player EAC3 memory corruption attempt (file-flash.rules)
 * 1:34158 <-> ENABLED <-> FILE-FLASH Adobe Flash Player EAC3 memory corruption attempt (file-flash.rules)
 * 1:34157 <-> ENABLED <-> FILE-FLASH Adobe Flash Player EAC3 memory corruption attempt (file-flash.rules)
 * 1:34156 <-> ENABLED <-> FILE-FLASH Adobe Flash Player EAC3 memory corruption attempt (file-flash.rules)
 * 1:34155 <-> ENABLED <-> MALWARE-CNC MacOS.Backdoor.Xslcmd outbound connection attempt (malware-cnc.rules)
 * 1:34154 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sound class type confusion attempt (file-flash.rules)
 * 1:34153 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sound class type confusion attempt (file-flash.rules)
 * 1:34152 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sound class type confusion attempt (file-flash.rules)
 * 1:34151 <-> ENABLED <-> FILE-FLASH Adobe Flash Player sound class type confusion attempt (file-flash.rules)
 * 1:34150 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34149 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34148 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34147 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter heap information disclosure attempt (file-flash.rules)
 * 1:34146 <-> DISABLED <-> PUA-ADWARE SuperOptimizer geolocation request (pua-adware.rules)
 * 1:34145 <-> DISABLED <-> PUA-ADWARE SuperOptimizer encrypted data transmission (pua-adware.rules)
 * 1:34144 <-> DISABLED <-> PUA-ADWARE SuperOptimizer installation status (pua-adware.rules)
 * 1:34143 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Crypvault outbound connection (malware-cnc.rules)
 * 1:34142 <-> ENABLED <-> SERVER-OTHER Oracle CorelDRAW file parser heap buffer overflow attempt (server-other.rules)
 * 1:34141 <-> ENABLED <-> SERVER-OTHER Oracle CorelDRAW file parser heap buffer overflow attempt (server-other.rules)
 * 1:34140 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Dyre publickey outbound connection attempt (malware-cnc.rules)
 * 1:34139 <-> DISABLED <-> SERVER-OTHER Novell ZenWorks configuration management file upload directory traversal attempt (server-other.rules)
 * 1:34138 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Netkrypt inbound response (malware-cnc.rules)
 * 1:34137 <-> DISABLED <-> PUA-ADWARE User-Agent SearchProtect (pua-adware.rules)
 * 3:34180 <-> ENABLED <-> OS-OTHER Cisco Secure Desktop Applet command execution attempt (os-other.rules)

Modified Rules:


 * 1:29902 <-> ENABLED <-> FILE-PDF Adobe Reader invalid JPEG stream double free attempt (file-pdf.rules)
 * 1:31196 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode onmousemove use-after-free attempt (browser-ie.rules)
 * 1:34061 <-> DISABLED <-> SERVER-IIS Microsoft IIS Range header integer overflow attempt (server-iis.rules)
 * 1:31197 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreeNode onmousemove use-after-free attempt (browser-ie.rules)
 * 1:29903 <-> ENABLED <-> FILE-PDF Adobe Reader invalid JPEG stream double free attempt (file-pdf.rules)