[Snort-sigs] Zyns iframer

Tyler Montier tmontier at ...435...
Mon Feb 20 16:41:40 EST 2017


Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Sincerely,

Tyler Montier
Cisco Talos

On Mon, Feb 20, 2017 at 2:50 PM, Y M <snort at ...3751...> wrote:

> Hello,
>
> The below signatures are derived from the analysis in the reference. While
> the EKs pushed by the iframer may be already detected by dedicated/existing
> signatures, the article also mentions that the iframer has also been used
> in malversting, hence the signatures below. The article also mentions a
> 2016 network traffic from the malware-traffic-analysis website. I used that
> pcap to test the "/linkx.php" detection and things seem to be function as
> expected.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"INDICATOR-COMPROMISE Zyns iframer rediector gate request";
> flow:to_server,established; urilen:14; content:"GET"; http_method;
> content:"/out.php?sid="; fast_pattern:only; http_uri;
> pcre:"/\/out\.php\x3fsid\x3d[0-9]$/imU"; content:"Referer"; http_header;
> flowbits:set,zyns.iframer; metadata:ruleset community, service http;
> reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-
> at-the-zyns-iframer-campaign/; classtype:trojan-activity; sid:1000856;
> rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"INDICATOR-COMPROMISE Zyns iframer rediector gate request";
> flow:to_server,established; urilen:9<>10; content:"GET"; http_method;
> content:"/link"; fast_pattern:only; http_uri; pcre:"/\/link[a-z]{0,1}\.php$/imU";
> content:"Referer"; http_header; flowbits:set,zyns.iframer; metadata:ruleset
> community, service http; reference:url,blog.malwarebytes.com/threat-
> analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/;
> classtype:trojan-activity; sid:1000857; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"INDICATOR-COMPROMISE Zyns iframer redirector gate response";
> flow:to_client,established; flowbits:isset,zyns.iframer; content:"200";
> http_stat_code; content:" (@RELEASE@)|0D 0A|"; http_header;
> content:"X-Powered-By|3A 20|PHP/"; http_header; file_data;
> content:"|3C|iframe src=|22|"; content:"width=|22|468|22|
> height=|22|60|22|"; within:500; content:"style=|22|position:absolute|3B|left:-10000px|3B
> 22|"; distance:0; metadata:ruleset community, service http; reference:url,
> blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-
> at-the-zyns-iframer-campaign/; classtype:trojan-activity; sid:1000858;
> rev:1;)
>
> Thank you.
> YM
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads">emerging threats</a>!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170220/78bdef43/attachment.html>


More information about the Snort-sigs mailing list