Snort mailing list archives

Re: Zyns iframer


From: "Hamer, Cyprille" <cyprille.hamer () airbus com>
Date: Thu, 23 Feb 2017 07:58:15 +0000

Hello,

Please remove me from the distribution list as well.

Thanks,

Regards

Cyprille

From: ted.r.tesoro () accenture com [mailto:ted.r.tesoro () accenture com]
Sent: Thursday, February 23, 2017 3:20 AM
To: fi763c () att com; snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Zyns iframer

Hello,
Please remove me from the distribution list as well.

Thanks,
Ted.

From: ILLG, FREDERICK C [mailto:fi763c () att com]
Sent: February 22, 2017 9:12 PM
To: snort-sigs <snort-sigs () lists sourceforge net>
Subject: Re: [Snort-sigs] Zyns iframer

Please remove me from the snort email distros.

Thank you!

Frederick Illg
Senior Specialist, Technology Security
Global Emerging Services - Security & Advanced Applications
AT&T Services, Inc.



From: Tyler Montier [mailto:tmontier () sourcefire com]
Sent: Monday, February 20, 2017 4:42 PM
To: Y M <snort () outlook com>
Cc: snort-sigs <snort-sigs () lists sourceforge net>
Subject: Re: [Snort-sigs] Zyns iframer

Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished.

Sincerely,

Tyler Montier
Cisco Talos

On Mon, Feb 20, 2017 at 2:50 PM, Y M <snort () outlook com> wrote:
Hello,

The below signatures are derived from the analysis in the reference. While the EKs pushed by the iframer may already be 
detected by dedicated/existing signatures, the article also mentions that the iframer has also been used in 
malvertising, hence the signatures below. The article also mentions 2016 network traffic from the 
malware-traffic-analysis website. I used that pcap to test the "/linkx.php" detection and things seem to be functioning 
as expected.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Zyns iframer redirector gate request"; flow:to_server,established; urilen:14; content:"GET"; http_method; content:"/out.php?sid="; fast_pattern:only; http_uri; pcre:"/\/out\.php\x3fsid\x3d[0-9]$/imU"; content:"Referer"; http_header; flowbits:set,zyns.iframer; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/; classtype:trojan-activity; sid:1000856; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Zyns iframer redirector gate request"; flow:to_server,established; urilen:9<>10; content:"GET"; http_method; content:"/link"; fast_pattern:only; http_uri; pcre:"/\/link[a-z]{0,1}\.php$/imU"; content:"Referer"; http_header; flowbits:set,zyns.iframer; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/; classtype:trojan-activity; sid:1000857; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Zyns iframer redirector gate response"; flow:to_client,established; flowbits:isset,zyns.iframer; content:"200"; http_stat_code; content:" (@RELEASE@)|0D 0A|"; http_header; content:"X-Powered-By|3A 20|PHP/"; http_header; file_data; content:"|3C|iframe src=|22|"; content:"width=|22|468|22| height=|22|60|22|"; within:500; content:"style=|22|position:absolute|3B|left:-10000px|3B 22|"; distance:0; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/; classtype:trojan-activity; sid:1000858; rev:1;)

Thank you.
YM
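The matching logic of the three rules above, written out as an added Python sketch that is not part of YM's submission or of any Snort ruleset: the two request checks (URI length plus pcre plus Referer), the response check (status, header marks, hidden 468x60 iframe), and a set standing in for the zyns.iframer flowbit. The HTTP samples are constructed, not taken from the pcap mentioned in the post.

```python
import re
# Constructed sample messages, not taken from the pcap mentioned in the thread.
REQ = ("GET /out.php?sid=3 HTTP/1.1\r\nHost: gate.example\r\n"
       "Referer: http://ad.example/\r\n\r\n")
RESP = ("HTTP/1.1 200 OK\r\nServer: Apache (@RELEASE@)\r\nX-Powered-By: PHP/5.4\r\n\r\n"
        '<html><iframe src="http://lp.example/" width="468" height="60" '
        'style="position:absolute;left:-10000px;"></iframe></html>')
OUT_RE = re.compile(r"^/out\.php\?sid=[0-9]$")  # pcre of sid:1000856 (urilen:14)
LINK_RE = re.compile(r"^/link[a-z]?\.php$")      # pcre of sid:1000857 (urilen 9 or 10)
# body contents of sid:1000858; [^>] keeps all three inside one tag, stricter than within:500
IFRAME_RE = re.compile(r'<iframe src="[^"]*"[^>]{0,500}?width="468" height="60"'
                       r'[^>]*style="position:absolute;left:-10000px;"')

def parse_http(raw):
    # Split a raw HTTP message into (start line, lower-cased header dict, body).
    head, _, body = raw.partition("\r\n\r\n")
    start, *rest = head.split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in rest)}
    return start, headers, body

def gate_request(raw):
    # Label a client request that matches one of the two gate rules, else None.
    start, headers, _ = parse_http(raw)
    method, uri = start.split(" ")[:2]
    if method != "GET" or "referer" not in headers:  # content:"GET"; content:"Referer"
        return None
    if len(uri) == 14 and OUT_RE.match(uri):
        return "zyns-out-gate"
    if 9 <= len(uri) <= 10 and LINK_RE.match(uri):
        return "zyns-link-gate"
    return None

def gate_response(raw):
    # True when the server reply carries both header marks and the hidden 468x60 iframe.
    start, headers, body = parse_http(raw)
    if start.split(" ")[1] != "200" or not headers.get("x-powered-by", "").startswith("PHP/"):
        return False
    if not any(v.endswith("(@RELEASE@)") for v in headers.values()):
        return False
    return IFRAME_RE.search(body) is not None

def inspect_message(marked, flow, raw, from_client):
    # marked is a set of flow keys standing in for flowbits:set / flowbits:isset,zyns.iframer
    if from_client:
        label = gate_request(raw)
        if label:
            marked.add(flow)
        return label
    return flow in marked and gate_response(raw)  # response rule needs the bit already set
```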


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!


