Snort mailing list archives
Re: Zyns iframer
From: "ILLG, FREDERICK C" <fi763c () att com>
Date: Thu, 23 Feb 2017 02:11:31 +0000
Please remove me from the snort email distros. Thank you! Frederick Illg Senior Specialist, Technology Security Global Emerging Services - Security & Advanced Applications AT&T Services, Inc. From: Tyler Montier [mailto:tmontier () sourcefire com] Sent: Monday, February 20, 2017 4:42 PM To: Y M <snort () outlook com> Cc: snort-sigs <snort-sigs () lists sourceforge net> Subject: Re: [Snort-sigs] Zyns iframer Yaser, Thanks for your submission. We will review the rules and get back to you when they're finished. Sincerely, Tyler Montier Cisco Talos On Mon, Feb 20, 2017 at 2:50 PM, Y M <snort () outlook com<mailto:snort () outlook com>> wrote: Hello, The below signatures are derived from the analysis in the reference. While the EKs pushed by the iframer may be already detected by dedicated/existing signatures, the article also mentions that the iframer has also been used in malversting, hence the signatures below. The article also mentions a 2016 network traffic from the malware-traffic-analysis website. I used that pcap to test the "/linkx.php" detection and things seem to be function as expected. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Zyns iframer rediector gate request"; flow:to_server,established; urilen:14; content:"GET"; http_method; content:"/out.php?sid="; fast_pattern:only; http_uri; pcre:"/\/out\.php\x3fsid\x3d[0-9]$/imU"; content:"Referer"; http_header; flowbits:set,zyns.iframer; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/<https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.malwarebytes.com_threat-2Danalysis_2017_01_a-2Dlook-2Dback-2Dat-2Dthe-2Dzyns-2Diframer-2Dcampaign_&d=DQMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=fQWGiSBcXmVjKDEHrPupbQ&m=cTm-mT9REoK7_CHgZQ7zfhFddF3iZhTPbRIKTDOxa30&s=hKGDkvqEYkJrpFArX3nBWtKBdN-v6S6_cwXzqX0YLsQ&e=>; classtype:trojan-activity; sid:1000856; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Zyns iframer rediector gate request"; flow:to_server,established; urilen:9<>10; content:"GET"; http_method; content:"/link"; fast_pattern:only; http_uri; pcre:"/\/link[a-z]{0,1}\.php$/imU"; content:"Referer"; http_header; flowbits:set,zyns.iframer; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/<https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.malwarebytes.com_threat-2Danalysis_2017_01_a-2Dlook-2Dback-2Dat-2Dthe-2Dzyns-2Diframer-2Dcampaign_&d=DQMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=fQWGiSBcXmVjKDEHrPupbQ&m=cTm-mT9REoK7_CHgZQ7zfhFddF3iZhTPbRIKTDOxa30&s=hKGDkvqEYkJrpFArX3nBWtKBdN-v6S6_cwXzqX0YLsQ&e=>; classtype:trojan-activity; sid:1000857; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Zyns iframer redirector gate response"; flow:to_client,established; flowbits:isset,zyns.iframer; content:"200"; http_stat_code; content:" (@RELEASE@)|0D 0A|"; http_header; content:"X-Powered-By|3A 20|PHP/"; http_header; file_data; content:"|3C|iframe src=|22|"; content:"width=|22|468|22| height=|22|60|22|"; within:500; content:"style=|22|position:absolute|3B|left:-10000px|3B 22|"; distance:0; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/<https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.malwarebytes.com_threat-2Danalysis_2017_01_a-2Dlook-2Dback-2Dat-2Dthe-2Dzyns-2Diframer-2Dcampaign_&d=DQMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=fQWGiSBcXmVjKDEHrPupbQ&m=cTm-mT9REoK7_CHgZQ7zfhFddF3iZhTPbRIKTDOxa30&s=hKGDkvqEYkJrpFArX3nBWtKBdN-v6S6_cwXzqX0YLsQ&e=>; classtype:trojan-activity; sid:1000858; rev:1;) Thank you. YM ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot<https://urldefense.proofpoint.com/v2/url?u=http-3A__sdm.link_slashdot&d=DQMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=fQWGiSBcXmVjKDEHrPupbQ&m=cTm-mT9REoK7_CHgZQ7zfhFddF3iZhTPbRIKTDOxa30&s=pMmgjZl8iMw2zK63seEXYvCT4HC2axP4DndVZoS_t1s&e=> _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net<mailto:Snort-sigs () lists sourceforge net> https://lists.sourceforge.net/lists/listinfo/snort-sigs<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.sourceforge.net_lists_listinfo_snort-2Dsigs&d=DQMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=fQWGiSBcXmVjKDEHrPupbQ&m=cTm-mT9REoK7_CHgZQ7zfhFddF3iZhTPbRIKTDOxa30&s=Pz0D9DiyrZt2hqpwdrM-XUyZtS3V3RW5QRHyRs3wSVI&e=> http://www.snort.org<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.snort.org&d=DQMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=fQWGiSBcXmVjKDEHrPupbQ&m=cTm-mT9REoK7_CHgZQ7zfhFddF3iZhTPbRIKTDOxa30&s=gzGfR0wh3bT8Lj9ZsJw7L5BVYxx7LH2oM3FKSP1fpyU&e=> Please visit http://blog.snort.org<https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.snort.org&d=DQMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=fQWGiSBcXmVjKDEHrPupbQ&m=cTm-mT9REoK7_CHgZQ7zfhFddF3iZhTPbRIKTDOxa30&s=tDAmuWWrcKlurq9E9sreJ_TFXD7MTiV3v-C3JfL47cs&e=> for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads<https://urldefense.proofpoint.com/v2/url?u=https-3A__snort.org_downloads_-23rule-2Ddownloads&d=DQMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=fQWGiSBcXmVjKDEHrPupbQ&m=cTm-mT9REoK7_CHgZQ7zfhFddF3iZhTPbRIKTDOxa30&s=6fCvEsnt95DkiqGmsbNKzsmJCDjOnS0-x_7LYcrTuQo&e=>">emerging threats</a>!
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Current thread:
- Zyns iframer Y M (Feb 20)
- Re: Zyns iframer Tyler Montier (Feb 20)
- Re: Zyns iframer ILLG, FREDERICK C (Feb 22)
- Re: Zyns iframer ILLG, FREDERICK C (Feb 22)
- Re: Zyns iframer Al Lewis (allewi) (Feb 22)
- Re: Zyns iframer ted.r.tesoro (Feb 22)
- Message not available
- Re: Zyns iframer Hamer, Cyprille (Feb 23)
- Re: Zyns iframer Tyler Montier (Feb 20)