[Snort-sigs] Zyns iframer

Y M snort at ...3751...
Mon Feb 20 14:50:36 EST 2017


Hello,

The below signatures are derived from the analysis in the reference. While the EKs pushed by the iframer may be already detected by dedicated/existing signatures, the article also mentions that the iframer has also been used in malversting, hence the signatures below. The article also mentions a 2016 network traffic from the malware-traffic-analysis website. I used that pcap to test the "/linkx.php" detection and things seem to be function as expected.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Zyns iframer rediector gate request"; flow:to_server,established; urilen:14; content:"GET"; http_method; content:"/out.php?sid="; fast_pattern:only; http_uri; pcre:"/\/out\.php\x3fsid\x3d[0-9]$/imU"; content:"Referer"; http_header; flowbits:set,zyns.iframer; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/; classtype:trojan-activity; sid:1000856; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Zyns iframer rediector gate request"; flow:to_server,established; urilen:9<>10; content:"GET"; http_method; content:"/link"; fast_pattern:only; http_uri; pcre:"/\/link[a-z]{0,1}\.php$/imU"; content:"Referer"; http_header; flowbits:set,zyns.iframer; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/; classtype:trojan-activity; sid:1000857; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Zyns iframer redirector gate response"; flow:to_client,established; flowbits:isset,zyns.iframer; content:"200"; http_stat_code; content:" (@RELEASE@)|0D 0A|"; http_header; content:"X-Powered-By|3A 20|PHP/"; http_header; file_data; content:"|3C|iframe src=|22|"; content:"width=|22|468|22| height=|22|60|22|"; within:500; content:"style=|22|position:absolute|3B|left:-10000px|3B 22|"; distance:0; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/; classtype:trojan-activity; sid:1000858; rev:1;)

Thank you.
YM

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170220/2e68548e/attachment.html>


More information about the Snort-sigs mailing list