[Snort-sigs] Zyns iframer

ILLG, FREDERICK C fi763c at ...4234...
Wed Feb 22 21:05:14 EST 2017


Please remove me from the snort email distros.

Thank you!

Frederick Illg
Senior Specialist, Technology Security
Global Emerging Services - Security & Advanced Applications
AT&T Services, Inc.



From: Tyler Montier [mailto:tmontier at ...435...]
Sent: Monday, February 20, 2017 4:42 PM
To: Y M <snort at ...3751...>
Cc: snort-sigs <snort-sigs at lists.sourceforge.net>
Subject: Re: [Snort-sigs] Zyns iframer

Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished.

Sincerely,

Tyler Montier
Cisco Talos

On Mon, Feb 20, 2017 at 2:50 PM, Y M <snort at ...3751...> wrote:
Hello,

The below signatures are derived from the analysis in the reference. While the EKs pushed by the iframer may already be detected by dedicated/existing signatures, the article also mentions that the iframer has been used in malvertising, hence the signatures below. The article also mentions 2016 network traffic from the malware-traffic-analysis website. I used that pcap to test the "/linkx.php" detection and things seem to be functioning as expected.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Zyns iframer redirector gate request"; flow:to_server,established; urilen:14; content:"GET"; http_method; content:"/out.php?sid="; fast_pattern:only; http_uri; pcre:"/\/out\.php\x3fsid\x3d[0-9]$/imU"; content:"Referer"; http_header; flowbits:set,zyns.iframer; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/; classtype:trojan-activity; sid:1000856; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Zyns iframer redirector gate request"; flow:to_server,established; urilen:9<>10; content:"GET"; http_method; content:"/link"; fast_pattern:only; http_uri; pcre:"/\/link[a-z]{0,1}\.php$/imU"; content:"Referer"; http_header; flowbits:set,zyns.iframer; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/; classtype:trojan-activity; sid:1000857; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Zyns iframer redirector gate response"; flow:to_client,established; flowbits:isset,zyns.iframer; content:"200"; http_stat_code; content:" (@RELEASE@)|0D 0A|"; http_header; content:"X-Powered-By|3A 20|PHP/"; http_header; file_data; content:"|3C|iframe src=|22|"; content:"width=|22|468|22| height=|22|60|22|"; within:500; content:"style=|22|position:absolute|3B|left:-10000px|3B 22|"; distance:0; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/; classtype:trojan-activity; sid:1000858; rev:1;)

Thank you.
YM
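The three rules above chain together: either request rule sets the zyns.iframer flowbit on the session, and the response rule only fires when that bit is already set on the same flow. The script below is an added example (not part of the original post, and not Snort itself) that re-implements the match conditions of the three rules in plain Python and runs them over constructed HTTP messages, so the request/response correlation and the negative cases (no Referer header, a two-digit sid that breaks urilen:14, a matching response on a flow that never saw the gate request) can be checked offline. The sample hostnames, the "Server: Apache (@RELEASE@)" header carrying the (@RELEASE@) token and the PHP version string are invented for the example, and the within/distance/urilen emulation is an approximation of Snort's matching, not its engine.

```python
import re

# Constructed sample traffic, shaped after the fields the three rules test.
# These are not captures from the referenced pcap; hosts and versions are invented.
REQ_OUT = ("GET /out.php?sid=7 HTTP/1.1\r\n"
           "Host: gate.invalid\r\n"
           "Referer: http://publisher.invalid/article.html\r\n\r\n")
REQ_LINK = ("GET /linkx.php HTTP/1.1\r\n"
            "Host: gate.invalid\r\n"
            "Referer: http://publisher.invalid/article.html\r\n\r\n")
REQ_NO_REFERER = ("GET /out.php?sid=7 HTTP/1.1\r\n"
                  "Host: gate.invalid\r\n\r\n")
REQ_TWO_DIGITS = ("GET /out.php?sid=42 HTTP/1.1\r\n"        # 15-byte URI, urilen:14 fails
                  "Host: gate.invalid\r\n"
                  "Referer: http://publisher.invalid/\r\n\r\n")
RESP_GATE = ("HTTP/1.1 200 OK\r\n"
             "Server: Apache (@RELEASE@)\r\n"               # assumed carrier of the token
             "X-Powered-By: PHP/5.4.16\r\n"
             "Content-Type: text/html\r\n\r\n"
             '<html><body><iframe src="http://ek.invalid/land.php" '
             'width="468" height="60" '
             'style="position:absolute;left:-10000px;"></iframe>'
             "</body></html>")

OUT_URI_RE = re.compile(r"/out\.php\?sid=[0-9]$", re.I)   # pcre of sid 1000856
LINK_URI_RE = re.compile(r"/link[a-z]?\.php$", re.I)      # pcre of sid 1000857


def _split(raw):
    """Return (start line, header lines, body) of a raw HTTP message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def request_sid(raw):
    """sid of the request rule this HTTP request would fire, else None."""
    start, header_lines, _ = _split(raw)
    method, uri = start.split(" ")[:2]
    names = {l.split(":", 1)[0].strip().lower() for l in header_lines}
    if method != "GET" or "referer" not in names:   # both rules require a Referer header
        return None
    if len(uri) == 14 and OUT_URI_RE.search(uri):   # urilen:14
        return 1000856
    # urilen:9<>10 is read here as an inclusive 9..10 range (assumption about
    # Snort 2.9 urilen semantics): /link.php is 9 bytes, /linkx.php is 10.
    if 9 <= len(uri) <= 10 and LINK_URI_RE.search(uri):
        return 1000857
    return None


def _ordered_find(body, first, second, window, third):
    """Emulate content; content; within:window; content; distance:0 over file_data."""
    i = body.find(first)
    if i < 0:
        return False
    end1 = i + len(first)
    j = body.find(second, end1)
    if j < 0 or (j + len(second)) - end1 > window:     # second must end within window bytes
        return False
    return body.find(third, j + len(second)) >= 0      # third anywhere after second


def response_sid(raw, flowbit_set):
    """sid 1000858 if this response matches and the flow's zyns.iframer bit is set."""
    if not flowbit_set:                                # flowbits:isset,zyns.iframer
        return None
    start, header_lines, body = _split(raw)
    if start.split(" ")[1] != "200":                   # http_stat_code
        return None
    header_buf = "".join(l + "\r\n" for l in header_lines)   # http_header keeps CRLFs
    if " (@RELEASE@)\r\n" not in header_buf or "X-Powered-By: PHP/" not in header_buf:
        return None
    if _ordered_find(body, '<iframe src="', 'width="468" height="60"', 500,
                     'style="position:absolute;left:-10000px;"'):
        return 1000858
    return None


def run(flows):
    """flows: list of (flow_id, direction, raw). Returns [(flow_id, sid), ...] in order."""
    bits = {}      # per-flow flowbits, as Snort keeps zyns.iframer per session
    alerts = []
    for fid, direction, raw in flows:
        if direction == "c2s":
            sid = request_sid(raw)
            if sid:
                bits[fid] = True
                alerts.append((fid, sid))
        else:
            sid = response_sid(raw, bits.get(fid, False))
            if sid:
                alerts.append((fid, sid))
    return alerts


if __name__ == "__main__":
    print(run([(1, "c2s", REQ_OUT), (1, "s2c", RESP_GATE),
               (2, "s2c", RESP_GATE),          # same response, but no gate request on flow 2
               (3, "c2s", REQ_LINK), (3, "s2c", RESP_GATE),
               (4, "c2s", REQ_NO_REFERER), (5, "c2s", REQ_TWO_DIGITS)]))
```

Flow 2 is the case the flowbit is there for: the hidden-iframe response alone does not alert unless the same session first requested the /out.php?sid= or /link*.php gate, which keeps the response rule from firing on unrelated PHP pages that happen to embed a 468x60 off-screen iframe.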


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
