Zyns iframer

[Y M <snort () outlook com>]

Hello,

The below signatures are derived from the analysis in the reference. While the EKs pushed by the iframer may be already 
detected by dedicated/existing signatures, the article also mentions that the iframer has also been used in 
malversting, hence the signatures below. The article also mentions a 2016 network traffic from the 
malware-traffic-analysis website. I used that pcap to test the "/linkx.php" detection and things seem to be function as 
expected.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Zyns iframer rediector gate request"; 
flow:to_server,established; urilen:14; content:"GET"; http_method; content:"/out.php?sid="; fast_pattern:only; 
http_uri; pcre:"/\/out\.php\x3fsid\x3d[0-9]$/imU"; content:"Referer"; http_header; flowbits:set,zyns.iframer; 
metadata:ruleset community, service http; 
reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/; 
classtype:trojan-activity; sid:1000856; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Zyns iframer rediector gate request"; 
flow:to_server,established; urilen:9<>10; content:"GET"; http_method; content:"/link"; fast_pattern:only; http_uri; 
pcre:"/\/link[a-z]{0,1}\.php$/imU"; content:"Referer"; http_header; flowbits:set,zyns.iframer; metadata:ruleset 
community, service http; 
reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/; 
classtype:trojan-activity; sid:1000857; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Zyns iframer redirector gate response"; 
flow:to_client,established; flowbits:isset,zyns.iframer; content:"200"; http_stat_code; content:" (@RELEASE@)|0D 0A|"; 
http_header; content:"X-Powered-By|3A 20|PHP/"; http_header; file_data; content:"|3C|iframe src=|22|"; 
content:"width=|22|468|22| height=|22|60|22|"; within:500; content:"style=|22|position:absolute|3B|left:-10000px|3B 
22|"; distance:0; metadata:ruleset community, service http; 
reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/; 
classtype:trojan-activity; sid:1000858; rev:1;)

Thank you.
YM

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!