Summary
ThreatDV - Malware Filter Package #1624 July 2, 2019
Details
| Thank you for subscribing to Threat Digital Vaccine updates brought to you by Trend Micro™ TippingPoint DVLabs. New content is now available at the Threat Management Center (TMC): https://tmc.tippingpoint.com To learn more about the capabilities of this filter set, please reference: TippingPoint Deployment Note: Threat Digital Vaccine (ThreatDV). SMS customers can update the malware filter set through the SMS client. Go to Profiles > Auxiliary DVs > Download to detect and load the latest update. |
| System Requirements The malware filter package requires TOS v3.7.0.4200, NGFW v1.1.1.4200, TPS v4.0.0.4300, vTPS v4.0.1.4300 and higher. This filter package is supported only on the N and NX Platform IPS, NGFW, TPS and vTPS systems licensed for the ThreatDV (formerly ReputationDV) service. |
| The Malware Filter Package can also be manually downloaded from the following URL: https://tmc.tippingpoint.com/TMC/ViewPackage?parentFolderId=malware&contentId=Malware_3.7.0_1624.pkg |
Update Details
Table of Contents
--------------------------
Filters
New Filters - 10
Modified Filters (logic changes) - 4
Modified Filters (metadata changes only) - 21
Removed Filters - 3
Filters
----------------
New Filters:
35642: HTTP: Trojan-Downloader.VBS.Trickbodown.A Runtime Detection
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Virus
- Severity: High
- Description: This filter is deployed in the Malware Filter Package.
- Deployment: Not enabled by default in any deployment.
35643: HTTP: Trojan.Shell.Rennosmud.A Runtime Detection
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Virus
- Severity: High
- Description: This filter is deployed in the Malware Filter Package.
- Deployment: Not enabled by default in any deployment.
35644: HTTP: Trojan.MSIL.Jinegerro.A Runtime Detection
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Virus
- Severity: High
- Description: This filter is deployed in the Malware Filter Package.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
35645: UDP: Trojan.MSIL.Remeclrat.A Runtime Detection
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Virus
- Severity: High
- Description: This filter is deployed in the Malware Filter Package.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
35646: HTTP: Backdoor.MSIL.Lehskote.A Runtime Detection
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Virus
- Severity: High
- Description: This filter is deployed in the Malware Filter Package.
- Deployment: Not enabled by default in any deployment.
35647: HTTP: Trojan.Win32.Vools.A Runtime Detection
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Virus
- Severity: High
- Description: This filter is deployed in the Malware Filter Package.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
35648: HTTP: Backdoor.JS.Hoscriprat.A Runtime Detection
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Virus
- Severity: High
- Description: This filter is deployed in the Malware Filter Package.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
35649: HTTP: Backdoor.Shell.Sharpstats.A Runtime Detection
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Virus
- Severity: High
- Description: This filter is deployed in the Malware Filter Package.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
35650: HTTP: Trojan.Shell.Powerstats.A Runtime Detection
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Virus
- Severity: High
- Description: This filter is deployed in the Malware Filter Package.
- Deployment: Not enabled by default in any deployment.
35651: HTTP: Trojan-Downloader.MSIL.Vimihostan.A Runtime Detection
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Category: Virus
- Severity: High
- Description: This filter is deployed in the Malware Filter Package.
- Deployments:
- Deployment: Default (Block / Notify)
- Deployment: Performance-Optimized (Disabled)
Modified Filters (logic changes):
* = Enabled in Default deployments
24682: TCP: Sundown Exploit Kit Landing Page Detected
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "24682: TCP: Sundown/Xer EK Landing May 05 2016 (b641)".
- Description updated.
- Detection logic updated.
29345: HTTP: Terror Exploit Kit (Attempted Exploitation)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.0.0 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "29345: HTTP: Terror EK CVE-2016-0189 Exploit 3".
- Description updated.
- Detection logic updated.
* 34607: SMTP: Trojan.MSIL.Golroted.B Runtime Detection
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Detection logic updated.
43752: HTTP: Mage Core JavaScript Redirector
- IPS Version: 3.0.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "43752: HTTP: JavaScript Trojan Redirector".
- Detection logic updated.
Modified Filters (metadata changes only):
* = Enabled in Default deployments
15937: HTTP: Trojan.AndroidOS.SMSForward Checkin Request
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "15937: HTTP: Trojan-Spy.AndroidOS.SmForw.u Checkin".
- Description updated.
15992: HTTP: Malicious PDF Checkin Request
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "15992: HTTP: Trojan.Agent.29683 PDF Checkin".
- Description updated.
16375: HTTP: Trojan.Win32.AutoIt Downloader Checkin
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "16375: HTTP: Trojan.Autoit.F Checkin".
- Description updated.
17999: HTTP: Angler Exploit Kit Landing Page
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "17999: HTTP: Angler EK Landing M3 Dec 03".
- Description updated.
18195: HTTP: Dean Edwards Packed JavaScript Code Detected (WindowBase64.atob Function)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "18195: HTTP: WindowBase64.atob Function In Edwards Packed JavaScript - Possible iFrame Injection Detected".
- Description updated.
18302: HTTP: Trojan.AndroidOS.Mseg.B Checkin Request
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "18302: HTTP: Android/Mseg.B Checkin".
- Description updated.
20276: HTTP: Angler Exploit Kit Download Request
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "20276: HTTP: Angler EK Payload Download".
- Description updated.
20568: TLS: Malicious Certificate (Payload Dropped by Angler Exploit Kit)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "20568: TLS: Unknown Trojan Dropped by Angler Aug 29 2014".
- Description updated.
22379: HTTP: Angler Exploit Kit Relaying ScriptEngine Data
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "22379: HTTP: Possible Angler EK Sending ScriptEngine Info (Anti-Replay)".
- Vulnerability references updated.
22541: HTTP: Angler Exploit Kit Sending ScriptEngine Info
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "22541: HTTP: Possible Angler EK Sending ScriptEngine Info".
* 22692: TCP: Gh0st RAT (PCRat) Checkin Request
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "22692: TCP: Gh0st Remote Access Trojan Encrypted Session To CnC Server".
- Description updated.
24192: HTTP: Exploitation Attempt of CVE-2014-6332 (HFS Actor)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "24192: HTTP: CVE-2014-6332 Sep 01 2016 (HFS Actor) M1".
- Description updated.
28043: HTTP: Terror Exploit Kit (Attempted Exploitation 2)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "28043: HTTP: Terror EK CVE-2016-0189 Exploit".
- Description updated.
28044: HTTP: Terror Exploit Kit (Exploitation Payload)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "28044: HTTP: Terror EK CVE-2016-0189 Exploit M2".
- Description updated.
28049: HTTP: Terror Exploit Kit Request
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "28049: HTTP: Terror EK Payload Download".
- Description updated.
28085: HTTP: Kniaz Variant Detected
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "28085: HTTP: 2014-6332 Exploit (Kniaz Variant)".
- Description updated.
- Vulnerability references updated.
28144: TLS: Confucius Malicious Certificate Detected
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "28144: TLS: Win32/CONFUCIUS_B SSL Cert".
- Description updated.
28325: TLS: Vawtrak SSL Certificate Detected
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "28325: TLS: Malicious SSL Certificate Detected (Vawtrak CnC)".
- Description updated.
28829: HTTP: Bitterbug Checkin Request
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "28829: HTTP: BITTERBUG Checkin 2".
29436: DNS: Cerber Ransomware (Known Malicious Domain Name)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Name changed from "29436: DNS: DNS Query to Cerber Domain (158ugp . top)".
- Description updated.
* 34284: HTTP: Trojan.MSIL.DarkNeuron.A Runtime Detection
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
- Description updated.
Removed Filters:
24683: TCP: Sundown/Xer EK Landing May 05 2016 (b642)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
24684: TCP: Sundown/Xer EK Landing May 05 2016 (b642)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
24685: TCP: Sundown/Xer EK Landing May 05 2016 M2 (b641)
- IPS Version: 3.7.0 and after.
- NGFW Version: 1.1.1 and after.
- TPS Version: 4.0.0 and after.
- vTPS Version: 4.0.1 and after.
Top of the Page
Test Now
