Summary
ThreatDV - Malware Filter Package #1433 November 7, 2017
Details
| Thank you for subscribing to Threat Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs. New content is now available at the Threat Management Center (TMC):https://tmc.tippingpoint.com To learn more about the capabilities of this new filter set, please reference: TippingPoint Deployment Note: Threat Digital Vaccine (ThreatDV). SMS customers can update the malware filter set through the SMS client. Go to SMS > Profile > Auxiliary DVs > Download to detect and load the latest update. |
| System Requirements |
| The malware filter package requires TOS v3.7.0.4200, NGFW v1.1.1.4200, TPS v4.0.0.4300, vTPS v4.0.1.4300 and higher. This filter package is supported only on the N and NX Platform IPS, NGFW, TPS and vTPS systems licensed for the ThreatDV (formerly ReputationDV) service. |
| The Malware Filter Package can also be manually downloaded from the following URL: https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=malware&contentId=Malware_3.7.0_1433.pkg |
Update Details
Table of Contents
--------------------------
Filters
New Filters
Modified Filters (logic changes)
Modified Filters (metadata changes only)
Removed Filters
Filters
----------------
New Filters:
29881: HTTP: CoinHive Cryptocurrency Miner Detection
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Virus
- Severity: Low
- Description: This filter is deployed in the Malware Filter Package.
- Deployment: Not enabled by default in any deployment.
29890: HTTP: JS_NETREPSER.A Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Virus
- Severity: High
- Description: This filter is deployed in the Malware Filter Package.
- Deployment: Not enabled by default in any deployment.
29893: HTTP: Silence Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Virus
- Severity: High
- Description: This filter is deployed in the Malware Filter Package.
- Deployment: Not enabled by default in any deployment.
Modified Filters (logic changes):
* = Enabled in Default deployments
* 15519: HTTP: W32/MoonLight.worm User-Agent (HellSpawn)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Detection logic updated.
- Deployments updated and are now:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
* 18319: HTTP: Win32.Dizkatun Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Detection logic updated.
- Deployments updated and are now:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
* 23624: TCP: DDoS.Win32/Flusihoc.A Server Response
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Detection logic updated.
- Deployments updated and are now:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
* 25703: HTTP: Win32/Kanav Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Detection logic updated.
- Deployments updated and are now:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
Modified Filters (metadata changes only):
* = Enabled in Default deployments
15114: HTTP: Pagesinxt Malicious Redirect
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15345: HTTP: RogueAntiSpyware Install
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15382: HTTP: BHO.Win32.Zwangi!IK Install
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15418: HTTP: Win32/Adware.WindowsLiveProtect.A Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15451: HTTP: User-Agent (GPRemove)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15456: HTTP: Rogue.Win32/Onescan Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15457: HTTP: Rogue.Win32/Onescan User-Agent (fileboan_install)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15548: HTTP: Win32/Spy.Banker.TXN Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15549: HTTP: Win32/VBInject.QW User-Agent (Sek8War)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15551: HTTP: Trojan.Mosucker-60 Checkin 2
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15554: TCP: Tongjii/Linezing Related Trojan Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15561: HTTP: Win32/Vwealer.BQ Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15565: HTTP: Trojan.Win32.VBKrypt.cugq Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15566: HTTP: Trojan-Dropper.Win32.Daws.atjm Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15571: HTTP: Backdoor.Win32/Optix.W Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15572: HTTP: Win32/Rochap.A Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15575: HTTP: Unknown dnsd.me Related Trojan Checkin a
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15576: TCP: IEXPL0RE RAT Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15590: HTTP: Trojan.Win32.Pasta!IK Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15591: HTTP: Win32/Teazodo.A!dll Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15592: TCP: Trojan.Win32.Genome Checkin 1
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15596: HTTP: Trojan-Dropper.Win32.Smiscer.hf Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
15597: HTTP: W32/Agent.SUTT!tr Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
* 15788: HTTP: TrojanDownloader Win32/Frethog.E (mactj.asp)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Deployments updated and are now:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
16360: TLS: Upatre SSL Cert May 20 2014
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
16382: HTTP: Win32/Opachki.I Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
17565: HTTP: Likely Redirect to Exploit Pack
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
17568: HTTP: Trojan.Win32.SharkQWT.A Checkin 1
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Miscellaneous modification.
17625: HTTP: Trojan.Win32.Workir.yf Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
17627: HTTP: W32/Jorik_Steckt.N!tr Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
17629: HTTP: Win32/FakePlus Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
17630: HTTP: Variant.Barys.4238 User-Agent
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
17631: HTTP: W32/DragonEye.C Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
20207: HTTP: W32/Sogu Remote Access Trojan Social Media Embedded CnC Channel
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
20226: HTTP: Redkit Exploit Kit Three Numerical Character Naming Convention PDF Request
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Miscellaneous modification.
21371: HTTP: /test.dll Access Possible Trojan.Win32.Sasfis.bqgl
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
21470: HTTP: TR/Pasta.A.152 Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
21475: TCP: Win32/Pangu.A Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
21476: HTTP: Win32/Wadolin.A Checkin 2
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
21477: UDP: Dadobra.flw/Malagent UDP Response from CnC
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
21478: TLS: Backdoor.Juasek Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
21487: HTTP: Win32/Busky.gen Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
21687: TCP: Linux/ShellshockCampaign.DDOSBot Scanner CnC Server Message
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Miscellaneous modification.
* 22066: UDP: Sality Variant UDP CnC Beacon Response
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Deployments updated and are now:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
22228: TCP: Linux/ShellshockCampaign.DDOSBot Terminate Process CnC Server Message
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Miscellaneous modification.
* 22333: TCP: Win32/Beaugrit.gen!AAA Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Deployments updated and are now:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
23024: TCP: Win32/Fragat.A Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
23026: TCP: PSW.Banker6.AFNY Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
23030: TCP: Win32/Wemosis.C CnC Response
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
23489: SMTP: Trojan-Spy.AndroidOS.SmForw.gz Checkin via SMTP
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Miscellaneous modification.
* 23623: TCP: DDoS.Win32/Flusihoc.A Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Deployments updated and are now:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
24192: HTTP: CVE-2014-6332 Sep 01 2016 (HFS Actor) M1
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Miscellaneous modification.
* 25048: TCP: ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Sinkhole)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Deployments updated and are now:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
27854: HTTP: Android/SLocker.AC Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
28044: HTTP: Terror EK CVE-2016-0189 Exploit M2
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Miscellaneous modification.
28146: DNS: DNS Query to Cerber Domain (56185u . top)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
28765: TCP: MSIL/Snow RAT / Rurktar CnC (Update)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "28765: TCP: MSIL/Snow RAT CnC (Update)".
- Description updated.
28766: TCP: MSIL/Snow RAT / Rurktar CnC (ID)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "28766: TCP: MSIL/Snow RAT CnC (ID)".
- Description updated.
28767: TCP: MSIL/Snow RAT / Rurktar CnC (LS)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "28767: TCP: MSIL/Snow RAT CnC (LS)".
- Description updated.
37539: HTTP: Win32.Rorpian.A Checkin 1
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
39192: HTTP: Troj/Mdrop-DXT checkin 1
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
39193: HTTP: Win32/Banbot.A Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
39194: HTTP: W32/Yakes.AP!tr Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
39196: HTTP: Sality.IK!/Tedroo.AE Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
39197: HTTP: Downloader.MSIL.Tiny.bs Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
Removed Filters: None
Top of the Page
