
Update Details

Security Intelligence Center

Update #2764 (08/02/2016)

20 new signatures:

HIGH | TROJAN:GABOC-CHECKIN - TROJAN: Gaboc Checkin was detected
HIGH | TROJAN:BACKDOOR:WIN-WEKBY-TORN - TROJAN: Win.Backdoor.Wekby Torn Variant Outbound Connection Detected
HIGH | SSL:MICROFOCUS-NETIQ-DIR - SSL: Micro Focus NetIQ Sentinel Server ReportViewServlet Directory Traversal
HIGH | TROJAN:XYLIGAN-CHECKIN - TROJAN: Xyligan Checkin detected
MEDIUM | HTTP:JAVA-UNCOMP-JAR - HTTP: Suspicious Traffic with Uncompressed Jar/Class.
HIGH | TROJAN:DOWNLOAD-SETUP-EXE - TROJAN: Suspicious Download Setup_ exe
MEDIUM | TROJAN:RESLURP-CNC-CONTACT - TROJAN: Reslurp.D.Client CnC Server Contact
HIGH | HTTP:SUSPICIOUS-EXE-DOWNLOAD - HTTP: Suspicious exe file download detected
HIGH | TROJAN:ANCHOR-PANDA - TROJAN: ANCHOR PANDA Torn RAT Beacon Message Detected
HIGH | TROJAN:BACKDOOR:PCRAT-GHOST-CNC - TROJAN: Backdoor family PCRat/Gh0st CnC Traffic (OUTBOUND) 45
HIGH | TROJAN:WIN-NEUREVT - TROJAN: Win32 Neurevt Check-in
HIGH | TROJAN:MISC:MULTI-TROJ-CHECKIN - TROJAN: Multiple Trojan Checkin Traffic Detection
HIGH | HTTP:STC:DOUBLE-ENC-DEAN-EDW - HTTP: Dean Edwards Packed JavaScripts detected
MEDIUM | HTTP:SCRIPT-INJ-EXP-108 - HTTP:SCRIPT-INJ Infection-108
HIGH | TROJAN:BACKDOOR:PCRAT-CNC-TRFC - TROJAN: PCRat Ghost CnC Traffic
HIGH | TROJAN:BACKDOOR:WIN-RAMNIT - TROJAN: Win.Trojan.Ramnit Variant Outbound Detected
HIGH | HTTP:WECON-LEVISTUDIO-BO - HTTP: WECON LeviStudio Multiple Buffer Overflow
HIGH | TROJAN:WIN32-RAMNIT-CHECKIN - TROJAN: Win32/Ramnit Checkin
HIGH | TROJAN:WIN-TROJ-GRAFTOR-CONN - TROJAN: Win.Trojan.Graftor Outbound Connection Detected
HIGH | HTTP:STC:FOXIT-GOTOR-BO - HTTP: Foxit Reader GoToR Action Stack Buffer Overflow

10 updated signatures:

MEDIUM | HTTP:SUSP-HDR-REDRCT-EXP-107 - HTTP:SUSP-HDR-REDRCT Infection-107
HIGH | HTTP:REDKIT-EK-JAVACLASS-REQ - HTTP: Redkit Exploit Kit Java Exploit Request To .class File
CRITICAL | HTTP:STC:DL:MAL-WIN-BRIEFCASE-2 - HTTP: Windows Briefcase Integer Underflow Vulnerability (2)
CRITICAL | HTTP:STC:CANVAS-BABYBOTTLE-GZIP - HTTP: Canvas Babybottle gzip
HIGH | HTTP:STC:DL:SANDWORM-RCE - HTTP: Microsoft Office SandWorm Remote Code Execution
HIGH | HTTP:STC:ADOBE:CVE-2009-1862-CE - HTTP: Adobe Flash Player CVE-2009-1862 Remote Code Execution
HIGH | HTTP:STC:APPLE-QTIME-DREF-BO - HTTP: Apple QuickTime Alis Volume Name Parsing Stack Buffer Overflow
CRITICAL | DB:MYSQL:MOF-EXEC - DB: Oracle MySQL MOF Execution
HIGH | HTTP:UNIX-CMD:UNIX-GCC1 - HTTP: Unix-Command gcc1
HIGH | HTTP:MISC:CHASYS-BO - HTTP: Chasys Draw IES Buffer Overflow


Details of the signatures included within this bulletin:


TROJAN:GABOC-CHECKIN - TROJAN: Gaboc Checkin was detected

Severity: HIGH

Description:

This signature detects a connection from the malicious trojan Gaboc.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


HTTP:STC:DL:MAL-WIN-BRIEFCASE-2 - HTTP: Windows Briefcase Integer Underflow Vulnerability (2)

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known problem in Windows Briefcase. Windows Briefcase is a feature that synchronizes the contents of two folders. A successful exploit can lead to arbitrary code execution in the security context of the affected user.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603

References:

  • cve: CVE-2012-1528

Affected Products:

  • microsoft windows_xp - (sp2:x64)
  • microsoft windows_8 - (-:x86)
  • microsoft windows_server_2008 (sp2:x64)
  • microsoft windows_8 - (-:x64)
  • microsoft windows_xp (sp3)
  • microsoft windows_server_2003 (sp2:x64)
  • microsoft windows_server_2012 -
  • microsoft windows_7 (:x86)
  • microsoft windows_7 (sp1:x64)
  • microsoft windows_7 (:x64)
  • microsoft windows_vista (sp2:x64)
  • microsoft windows_server_2008 (r2:x64)
  • microsoft windows_server_2008 r2 (sp1:x64)
  • microsoft windows_7 (sp1:x86)
  • microsoft windows_server_2008 (sp2:x86)
  • microsoft windows_server_2003 (sp2:itanium)

HTTP:REDKIT-EK-JAVACLASS-REQ - HTTP: Redkit Exploit Kit Java Exploit Request To .class File

Severity: HIGH

Description:

This signature detects an attempt to download exploits from malicious exploit kits that may compromise a computer through various vendor vulnerabilities. Exploit kits are a very specific type of toolkit used by cybercriminals to deliver other pieces of malware.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


TROJAN:ANCHOR-PANDA - TROJAN: ANCHOR PANDA Torn RAT Beacon Message Detected

Severity: HIGH

Description:

This signature detects the ANCHOR PANDA trojan.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


HTTP:STC:CANVAS-BABYBOTTLE-GZIP - HTTP: Canvas Babybottle gzip

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability using an attack from the Canvas framework known as babybottle. A successful attack can lead to arbitrary remote code execution. This exploit is related to vulnerability MS06-014.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603

References:

  • cve: CVE-2006-0003
  • url: http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
  • bugtraq: 17462

Affected Products:

  • Microsoft Data Access Components (MDAC) 2.7
  • Microsoft Data Access Components (MDAC) 2.8
  • Hitachi HITSENSER5 01-00
  • Hitachi HITSENSER5 01-10
  • Hitachi HITSENSER5 02-80
  • Hitachi DBPARTNER ODBC 01-00
  • Hitachi DBPARTNER ODBC 01-11
  • Hitachi DBPARTNER ODBC 01-06
  • Hitachi DBPARTNER ODBC 01-03
  • Hitachi DA Broker for ODBC 01-00
  • Hitachi DA Broker for ODBC 01-02
  • Hitachi DBPARTNER2 Client 01-05
  • Hitachi DBPARTNER2 Client 01-12
  • Hitachi DBPARTNER2 Client 01-00
  • Microsoft Data Access Components (MDAC) 2.5 SP3
  • Microsoft Data Access Components (MDAC) 2.7 SP1
  • Microsoft Data Access Components (MDAC) 2.8 SP1
  • Microsoft Data Access Components (MDAC) 2.8 SP2

TROJAN:RESLURP-CNC-CONTACT - TROJAN: Reslurp.D.Client CnC Server Contact

Severity: MEDIUM

Description:

This signature detects the Reslurp.D.Client malware's CnC server acknowledgement on a successful connection. It is highly recommended to quarantine the machine and follow the incident response process.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


TROJAN:BACKDOOR:PCRAT-GHOST-CNC - TROJAN: Backdoor family PCRat/Gh0st CnC Traffic (OUTBOUND) 45

Severity: HIGH

Description:

This signature attempts to detect TROJAN Backdoor family PCRat/Gh0st CnC traffic.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


TROJAN:MISC:MULTI-TROJ-CHECKIN - TROJAN: Multiple Trojan Checkin Traffic Detection

Severity: HIGH

Description:

This signature detects the Command and Control traffic of various trojans. The source IP host is infected and should be removed from the network for analysis.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


TROJAN:BACKDOOR:PCRAT-CNC-TRFC - TROJAN: PCRat Ghost CnC Traffic

Severity: HIGH

Description:

This signature attempts to detect TROJAN Backdoor family PCRat/Gh0st CnC traffic.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


HTTP:SCRIPT-INJ-EXP-108 - HTTP:SCRIPT-INJ Infection-108

Severity: MEDIUM

Description:

This signature detects an attempt to download exploits from malicious exploit kits that may compromise a computer through various vendor vulnerabilities. Exploit kits are a very specific type of toolkit used by cybercriminals to deliver other pieces of malware.

Supported On:

srx-12.1


HTTP:WECON-LEVISTUDIO-BO - HTTP: WECON LeviStudio Multiple Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in WECON LeviStudio. Successful exploitation could allow the attacker to execute arbitrary code under the security context of the user process.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


DB:MYSQL:MOF-EXEC - DB: Oracle MySQL MOF Execution

Severity: CRITICAL

Description:

This signature detects attempts to exploit a known vulnerability in Oracle MySQL database server. A successful attack could allow the attacker to execute arbitrary code on the targeted system. Failed exploit attempts could result in a denial of service condition.

Supported On:

idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603

References:

  • cve: CVE-2012-5613

Affected Products:

  • mariadb 5.5.28a
  • oracle mysql 5.5.19

HTTP:STC:APPLE-QTIME-DREF-BO - HTTP: Apple QuickTime Alis Volume Name Parsing Stack Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in Apple QuickTime. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the user.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603

References:

  • cve: CVE-2013-1017

Affected Products:

  • apple quicktime 5.0
  • apple quicktime 7.0.1
  • apple quicktime 6.5.2
  • apple quicktime 7.1.5
  • apple quicktime 6.0
  • apple quicktime 7.1.4
  • apple quicktime 7.0.0
  • apple quicktime 3.0
  • apple quicktime 7.4.0
  • apple quicktime 7.6.0
  • apple quicktime 7.2.1
  • apple quicktime 6.0.1
  • apple quicktime 7.4.1
  • apple quicktime 6.1.1
  • apple quicktime 7.6.1
  • apple quicktime 6.5
  • apple quicktime 7.6.5
  • apple quicktime 6.1.0
  • apple quicktime 7.7.2
  • apple quicktime 7.7.1
  • apple quicktime 6.1
  • apple quicktime 6.0.2
  • apple quicktime 7.1.0
  • apple quicktime 5.0.1
  • apple quicktime 7.5.0
  • apple quicktime 7.2.0
  • apple quicktime 7.0.4
  • apple quicktime 7.4.5
  • apple quicktime 7.7.0
  • apple quicktime 7.6.6
  • apple quicktime 6.0.0
  • apple quicktime 7.0.2
  • apple quicktime 7.3.1
  • apple quicktime 7.6.7
  • apple quicktime 7.0.3
  • apple quicktime 7.6.8
  • apple quicktime 6.5.0
  • apple quicktime 7.6.2
  • apple quicktime 7.3.0
  • apple quicktime 6.5.1
  • apple quicktime 5.0.2
  • apple quicktime 7.1.3
  • apple quicktime 7.1.2
  • apple quicktime 7.1.1
  • apple quicktime 6.2.0
  • apple quicktime 7.5.5
  • apple quicktime 6.4.0
  • apple quicktime 4.1.2
  • apple quicktime 7.6.9
  • apple quicktime 6.3.0
  • apple quicktime up to 7.7.3
  • apple quicktime 7.1.6

HTTP:SUSP-HDR-REDRCT-EXP-107 - HTTP:SUSP-HDR-REDRCT Infection-107

Severity: MEDIUM

Description:

This signature detects an attempt to download exploits from malicious exploit kits that may compromise a computer through various vendor vulnerabilities. Exploit kits are a very specific type of toolkit used by cybercriminals to deliver other pieces of malware.

Supported On:

srx-12.1


TROJAN:BACKDOOR:WIN-WEKBY-TORN - TROJAN: Win.Backdoor.Wekby Torn Variant Outbound Connection Detected

Severity: HIGH

Description:

This signature detects Win.Backdoor.Wekby Torn variant outbound connection.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


SSL:MICROFOCUS-NETIQ-DIR - SSL: Micro Focus NetIQ Sentinel Server ReportViewServlet Directory Traversal

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Micro Focus NetIQ Sentinel Server. Successful exploitation allows the attacker to read the contents of arbitrary files on the system.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603

References:

  • cve: CVE-2016-1605

TROJAN:XYLIGAN-CHECKIN - TROJAN: Xyligan Checkin detected

Severity: HIGH

Description:

This signature detects a connection from the malicious trojan Xyligan.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


HTTP:JAVA-UNCOMP-JAR - HTTP: Suspicious Traffic with Uncompressed Jar/Class.

Severity: MEDIUM

Description:

This signature detects traffic containing a suspicious Java request with an uncompressed JAR/class file.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


TROJAN:DOWNLOAD-SETUP-EXE - TROJAN: Suspicious Download Setup_ exe

Severity: HIGH

Description:

This signature attempts to detect a suspicious exe download.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


HTTP:STC:DL:SANDWORM-RCE - HTTP: Microsoft Office SandWorm Remote Code Execution

Severity: HIGH

Description:

This signature detects an attempt to exploit a known vulnerability against Microsoft Office PowerPoint presentation show files. Successful exploitation could allow an attacker to execute arbitrary commands in the context of the running application.

Supported On:

srx-branch-11.4, mx-11.4, idp-4.1.0, mx-9.4, srx-9.2, srx-branch-9.4, j-series-9.5, srx-12.1, srx-branch-12.1, srx-10.0, srx-branch-10.0, vsrx-12.1, vsrx-15.1, idp-5.1.110160603, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, srx-11.4

References:

  • cve: CVE-2014-6352
  • cve: CVE-2014-4114

Affected Products:

  • microsoft windows_server_2008
  • microsoft windows_rt_8.1 -
  • microsoft windows_rt -
  • microsoft windows_8 -
  • microsoft windows_8.1 -
  • microsoft windows_server_2008 r2
  • microsoft windows_vista
  • microsoft windows_server_2012 -
  • microsoft windows_7 -
  • microsoft windows_server_2012 r2

HTTP:STC:ADOBE:CVE-2009-1862-CE - HTTP: Adobe Flash Player CVE-2009-1862 Remote Code Execution

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Adobe Acrobat and Reader. A successful attack can lead to arbitrary code execution.

Supported On:

srx-branch-11.4, mx-11.4, idp-4.1.0, mx-9.4, srx-9.2, srx-branch-9.4, j-series-9.5, srx-12.1, srx-branch-12.1, srx-10.0, srx-branch-10.0, vsrx-12.1, vsrx-15.1, idp-5.1.110160603, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, srx-11.4

References:

  • cve: CVE-2009-1862

Affected Products:

  • adobe flash_player 9.0.16
  • adobe acrobat 9.1.1
  • adobe flash_player 10.0.22.87
  • adobe flash_player 10.0.12.36
  • adobe acrobat 9.1.2
  • adobe acrobat_reader 9.1
  • adobe flash_player 9.0.20.0
  • adobe acrobat_reader 9.0
  • adobe flash_player 9.0.114.0
  • adobe flash_player 10.0.12.10
  • adobe flash_player 10.0.0.584
  • adobe flash_player 9.0.28
  • adobe flash_player 9.0.45.0
  • adobe flash_player 9.0.124.0
  • adobe flash_player 9.0.18d60
  • adobe flash_player 9.125.0
  • adobe flash_player 9.0.48.0
  • adobe flash_player 9.0.115.0
  • adobe flash_player 9.0.155.0
  • adobe acrobat_reader 9.1.1
  • adobe flash_player 9.0.47.0
  • adobe acrobat_reader 9.1.2
  • adobe flash_player 9.0.20
  • adobe flash_player 9.0.31.0
  • adobe acrobat 9.0
  • adobe flash_player 9.0.112.0
  • adobe acrobat 9.1
  • adobe flash_player 9.0.31
  • adobe flash_player 9.0.28.0
  • adobe flash_player 9.0.159.0

HTTP:MISC:CHASYS-BO - HTTP: Chasys Draw IES Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability in the Chasys Draw application. A successful attack can lead to a buffer overflow and arbitrary remote code execution within the context of the application.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603

References:

  • cve: CVE-2013-3928
  • bugtraq: 61463

TROJAN:WIN-NEUREVT - TROJAN: Win32 Neurevt Check-in

Severity: HIGH

Description:

This signature attempts to detect the Win32/Neurevt trojan check-in.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


HTTP:STC:DOUBLE-ENC-DEAN-EDW - HTTP: Dean Edwards Packed JavaScripts detected

Severity: HIGH

Description:

This signature detects double-encoded reverse Base64 / Dean Edwards packed JavaScript used by some unknown exploit kits.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


HTTP:UNIX-CMD:UNIX-GCC1 - HTTP: Unix-Command gcc1

Severity: HIGH

Description:

This signature detects the string "gcc" sent in a URI. This is a strong indication that an attacker is attempting to gain access to the system.

Supported On:

srx-branch-11.4, mx-11.4, mx-9.4, srx-9.2, srx-branch-9.4, j-series-9.5, srx-12.1, srx-branch-12.1, srx-10.0, srx-branch-10.0, vsrx-12.1, vsrx-15.1, idp-5.1.110160603, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, srx-11.4


TROJAN:BACKDOOR:WIN-RAMNIT - TROJAN: Win.Trojan.Ramnit Variant Outbound Detected

Severity: HIGH

Description:

This signature attempts to detect the Win.Trojan.Ramnit trojan.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


TROJAN:WIN-TROJ-GRAFTOR-CONN - TROJAN: Win.Trojan.Graftor Outbound Connection Detected

Severity: HIGH

Description:

This signature detects Win.Trojan.Graftor outbound connection.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


TROJAN:WIN32-RAMNIT-CHECKIN - TROJAN: Win32/Ramnit Checkin

Severity: HIGH

Description:

This signature detects the Command and Control traffic for Win32/Ramnit Malware. The source IP host is infected and should be removed from the network for analysis.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


HTTP:SUSPICIOUS-EXE-DOWNLOAD - HTTP: Suspicious exe file download detected

Severity: HIGH

Description:

This signature blocks some suspicious exe files requested in a URI, likely a process dump or trojan download.

Supported On:

idp-4.0.0, idp-4.0.110090709, idp-4.0.110090831, idp-4.1.0, idp-4.2.0, idp-5.0.0, mx-9.4, isg-3.0.0, isg-3.1.134269, isg-3.1.135801, isg-3.4.0, isg-3.5.0, srx-9.2, srx-branch-9.4, j-series-9.5, idp-4.2.110100823, srx-10.0, srx-branch-10.0, idp-4.2.110101203, idp-5.1.0, idp-4.1.110110609, srx-11.4, srx-branch-11.4, idp-4.1.110110719, mx-11.4, isg-3.4.139899, idp-5.0.110121210, srx-12.1, srx-branch-12.1, isg-3.4.140032, idp-5.0.110130325, vsrx-12.1, vsrx-15.1, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, idp-5.1.110160603


HTTP:STC:FOXIT-GOTOR-BO - HTTP: Foxit Reader GoToR Action Stack Buffer Overflow

Severity: HIGH

Description:

This signature detects attempts to exploit a known vulnerability against Foxit Reader. A successful attack can lead to arbitrary code execution.

Supported On:

srx-branch-11.4, mx-11.4, idp-4.1.0, mx-9.4, srx-9.2, srx-branch-9.4, j-series-9.5, srx-12.1, srx-branch-12.1, srx-10.0, srx-branch-10.0, vsrx-12.1, vsrx-15.1, idp-5.1.110160603, isg-3.5.141455, idp-5.1.110151117, isg-3.5.141597, srx-11.4

References:

  • url: https://www.foxitsoftware.com/support/security-bulletins.php