Ruleset Update Summary - 2025/11/11 - v11060

Summary:

13 new OPEN, 39 new PRO (13 + 26)

Added rules:

Open:

• 2065719 - ET INFO DYNAMIC_DNS Query to a *.itfiredup .com domain (info.rules)
• 2065720 - ET INFO DYNAMIC_DNS HTTP Request to a *.itfiredup .com domain (info.rules)
• 2065721 - ET WEB_SPECIFIC_APPS Centreon broker_reload_command Parameter Command Injection Attempt (CVE-2025-5946) (web_specific_apps.rules)
• 2065722 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (byspotikfy .com) (exploit_kit.rules)
• 2065723 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (flosinjs .com) (exploit_kit.rules)
• 2065724 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (byspotikfy .com) (exploit_kit.rules)
• 2065725 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (flosinjs .com) (exploit_kit.rules)
• 2065726 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (archives .kathmandutribune .com) (malware.rules)
• 2065727 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (archives .kathmandutribune .com) (malware.rules)
• 2065728 - ET MALWARE Observed DNS Query to Zloader Domain (dt1 .automotosport .net) (malware.rules)
• 2065729 - ET MALWARE Observed DNS Query to Zloader Domain (adsmarks .com) (malware.rules)
• 2065730 - ET MALWARE Zloader Domain (dt1 .automotosport .net in TLS SNI) (malware.rules)
• 2065731 - ET MALWARE Zloader Domain (adsmarks .com in TLS SNI) (malware.rules)

Pro:

• 2865140 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
• 2865141 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2865142 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
• 2865143 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
• 2865144 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
• 2865145 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
• 2865146 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
• 2865147 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
• 2865148 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
• 2865149 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2865150 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
• 2865151 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
• 2865152 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
• 2865153 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
• 2865154 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
• 2865155 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
• 2865156 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
• 2865157 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
• 2865158 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
• 2865159 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
• 2865160 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
• 2865161 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
• 2865162 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
• 2865163 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
• 2865164 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
• 2865165 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Modified inactive rules:

• 2002301 - ET ADWARE_PUP Searchfeed.com Spyware 6 (adware_pup.rules)
• 2002919 - ET EXPLOIT VNC Good Authentication Reply (exploit.rules)
• 2003307 - ET ADWARE_PUP Comet Systems Spyware Cursor DL (adware_pup.rules)
• 2003537 - ET MALWARE Trojan.Duntek establishing remote connection (malware.rules)
• 2004569 - ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt – prodList.asp brand (web_specific_apps.rules)
• 2007932 - ET ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability (activex.rules)
• 2007940 - ET MALWARE Banker.ili HTTP Checkin (malware.rules)
• 2008000 - ET ADWARE_PUP Easydownloadsoft.com Fake Anti-Virus User-Agent (IM Downloader) (adware_pup.rules)
• 2010491 - ET DOS Possible MYSQL GeomFromWKB() function Denial Of Service Attempt (dos.rules)
• 2011367 - ET SCAN Malformed Packet SYN FIN (scan.rules)
• 2012048 - ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS (dos.rules)
• 2018726 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
• 2022276 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
• 2022445 - ET MALWARE Scarlet Mimic DNS Lookup 35 (malware.rules)
• 2022675 - ET MALWARE Ransomware/Coverton Onion Domain Lookup (malware.rules)
• 2022767 - ET MALWARE Retefe Banker .onion Domain (malware.rules)
• 2023321 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
• 2100405 - GPL ICMP_INFO Destination Unreachable Source Host Isolated (icmp_info.rules)
• 2102417 - GPL FTP format string attempt (ftp.rules)
• 2800145 - ETPRO RPC MIT Kerberos kadmind RPC Library RPCSEC_GSS Authentication Buffer Overflow (rpc.rules)
• 2801554 - ETPRO NETBIOS Microsoft Powerpoint msnsspc.dll Insecure Library - SMB Unicode (netbios.rules)
• 2801996 - ETPRO MALWARE Buzus/Bifrost Checkin Response (malware.rules)
• 2802889 - ETPRO WEB_SPECIFIC_APPS HP OpenView NNM nnmRptconfig.exe schdParams and nameParams Buffer Overflow (web_specific_apps.rules)
• 2803251 - ETPRO ADWARE_PUP Ticno Multibar Checkin (adware_pup.rules)
• 2803721 - ETPRO MALWARE Trojan/Downloader.Banload.kor Checkin (malware.rules)
• 2803879 - ETPRO MALWARE Trj/CI.A Checkin (malware.rules)
• 2804483 - ETPRO MALWARE PWS-Zbot.gen.di Connectivity Check (malware.rules)
• 2820382 - ETPRO MALWARE Hawkeye Keylogger SMTP Checkin M2 (malware.rules)
• 2820586 - ETPRO MALWARE Win32/TrojanDownloader.IndigoRose.R Checkin (malware.rules)