Re: Zyns iframer

[Tyler Montier <tmontier () sourcefire com>]

Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Sincerely,

Tyler Montier
Cisco Talos

On Mon, Feb 20, 2017 at 2:50 PM, Y M <snort () outlook com> wrote:

> Hello,
>
> The below signatures are derived from the analysis in the reference. While
> the EKs pushed by the iframer may be already detected by dedicated/existing
> signatures, the article also mentions that the iframer has also been used
> in malversting, hence the signatures below. The article also mentions a
> 2016 network traffic from the malware-traffic-analysis website. I used that
> pcap to test the "/linkx.php" detection and things seem to be function as
> expected.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"INDICATOR-COMPROMISE Zyns iframer rediector gate request";
> flow:to_server,established; urilen:14; content:"GET"; http_method;
> content:"/out.php?sid="; fast_pattern:only; http_uri;
> pcre:"/\/out\.php\x3fsid\x3d[0-9]$/imU"; content:"Referer"; http_header;
> flowbits:set,zyns.iframer; metadata:ruleset community, service http;
> reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-
> at-the-zyns-iframer-campaign/; classtype:trojan-activity; sid:1000856;
> rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"INDICATOR-COMPROMISE Zyns iframer rediector gate request";
> flow:to_server,established; urilen:9<>10; content:"GET"; http_method;
> content:"/link"; fast_pattern:only; http_uri; pcre:"/\/link[a-z]{0,1}\.php$/imU";
> content:"Referer"; http_header; flowbits:set,zyns.iframer; metadata:ruleset
> community, service http; reference:url,blog.malwarebytes.com/threat-
> analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/;
> classtype:trojan-activity; sid:1000857; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"INDICATOR-COMPROMISE Zyns iframer redirector gate response";
> flow:to_client,established; flowbits:isset,zyns.iframer; content:"200";
> http_stat_code; content:" (@RELEASE@)|0D 0A|"; http_header;
> content:"X-Powered-By|3A 20|PHP/"; http_header; file_data;
> content:"|3C|iframe src=|22|"; content:"width=|22|468|22|
> height=|22|60|22|"; within:500; content:"style=|22|position:absolute|3B|left:-10000px|3B
> 22|"; distance:0; metadata:ruleset community, service http; reference:url,
> blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-
> at-the-zyns-iframer-campaign/; classtype:trojan-activity; sid:1000858;
> rev:1;)
>
> Thank you.
> YM
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!