[Snort-sigs] Zyns iframer

Hamer, Cyprille cyprille.hamer at ...4239...
Thu Feb 23 02:58:15 EST 2017


Hello,

Please remove me from the distribution list as well.

Thanks,

Regards

Cyprille

From: ted.r.tesoro at ...4236... [mailto:ted.r.tesoro at ...4236...]
Sent: Thursday, February 23, 2017 3:20 AM
To: fi763c at ...4234...; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Zyns iframer

Hello,
Please remove me from the distribution list as well.

Thanks,
Ted.

From: ILLG, FREDERICK C [mailto:fi763c at ...4234...]
Sent: February 22, 2017 9:12 PM
To: snort-sigs <snort-sigs at lists.sourceforge.net<mailto:snort-sigs at lists.sourceforge.net>>
Subject: Re: [Snort-sigs] Zyns iframer

Please remove me from the snort email distros.

Thank you!

Frederick Illg
Senior Specialist, Technology Security
Global Emerging Services - Security & Advanced Applications
AT&T Services, Inc.



From: Tyler Montier [mailto:tmontier at ...435...]
Sent: Monday, February 20, 2017 4:42 PM
To: Y M <snort at ...3751...<mailto:snort at ...3751...>>
Cc: snort-sigs <snort-sigs at lists.sourceforge.net<mailto:snort-sigs at lists.sourceforge.net>>
Subject: Re: [Snort-sigs] Zyns iframer

Yaser,

Thanks for your submission. We will review the rules and get back to you when they're finished.

Sincerely,

Tyler Montier
Cisco Talos

On Mon, Feb 20, 2017 at 2:50 PM, Y M <snort at ...3751...<mailto:snort at ...3751...>> wrote:
Hello,

The below signatures are derived from the analysis in the reference. While the EKs pushed by the iframer may be already detected by dedicated/existing signatures, the article also mentions that the iframer has also been used in malversting, hence the signatures below. The article also mentions a 2016 network traffic from the malware-traffic-analysis website. I used that pcap to test the "/linkx.php" detection and things seem to be function as expected.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Zyns iframer rediector gate request"; flow:to_server,established; urilen:14; content:"GET"; http_method; content:"/out.php?sid="; fast_pattern:only; http_uri; pcre:"/\/out\.php\x3fsid\x3d[0-9]$/imU"; content:"Referer"; http_header; flowbits:set,zyns.iframer; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/<https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.malwarebytes.com_threat-2Danalysis_2017_01_a-2Dlook-2Dback-2Dat-2Dthe-2Dzyns-2Diframer-2Dcampaign_&d=DQMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=fQWGiSBcXmVjKDEHrPupbQ&m=cTm-mT9REoK7_CHgZQ7zfhFddF3iZhTPbRIKTDOxa30&s=hKGDkvqEYkJrpFArX3nBWtKBdN-v6S6_cwXzqX0YLsQ&e=>; classtype:trojan-activity; sid:1000856; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Zyns iframer rediector gate request"; flow:to_server,established; urilen:9<>10; content:"GET"; http_method; content:"/link"; fast_pattern:only; http_uri; pcre:"/\/link[a-z]{0,1}\.php$/imU"; content:"Referer"; http_header; flowbits:set,zyns.iframer; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/<https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.malwarebytes.com_threat-2Danalysis_2017_01_a-2Dlook-2Dback-2Dat-2Dthe-2Dzyns-2Diframer-2Dcampaign_&d=DQMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=fQWGiSBcXmVjKDEHrPupbQ&m=cTm-mT9REoK7_CHgZQ7zfhFddF3iZhTPbRIKTDOxa30&s=hKGDkvqEYkJrpFArX3nBWtKBdN-v6S6_cwXzqX0YLsQ&e=>; classtype:trojan-activity; sid:1000857; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Zyns iframer redirector gate response"; flow:to_client,established; flowbits:isset,zyns.iframer; content:"200"; http_stat_code; content:" (@RELEASE@)|0D 0A|"; http_header; content:"X-Powered-By|3A 20|PHP/"; http_header; file_data; content:"|3C|iframe src=|22|"; content:"width=|22|468|22| height=|22|60|22|"; within:500; content:"style=|22|position:absolute|3B|left:-10000px|3B 22|"; distance:0; metadata:ruleset community, service http; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/<https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.malwarebytes.com_threat-2Danalysis_2017_01_a-2Dlook-2Dback-2Dat-2Dthe-2Dzyns-2Diframer-2Dcampaign_&d=DQMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=fQWGiSBcXmVjKDEHrPupbQ&m=cTm-mT9REoK7_CHgZQ7zfhFddF3iZhTPbRIKTDOxa30&s=hKGDkvqEYkJrpFArX3nBWtKBdN-v6S6_cwXzqX0YLsQ&e=>; classtype:trojan-activity; sid:1000858; rev:1;)

Thank you.
YM


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot<https://urldefense.proofpoint.com/v2/url?u=http-3A__sdm.link_slashdot&d=DQMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=fQWGiSBcXmVjKDEHrPupbQ&m=cTm-mT9REoK7_CHgZQ7zfhFddF3iZhTPbRIKTDOxa30&s=pMmgjZl8iMw2zK63seEXYvCT4HC2axP4DndVZoS_t1s&e=>
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net<mailto:Snort-sigs at lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/snort-sigs<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.sourceforge.net_lists_listinfo_snort-2Dsigs&d=DQMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=fQWGiSBcXmVjKDEHrPupbQ&m=cTm-mT9REoK7_CHgZQ7zfhFddF3iZhTPbRIKTDOxa30&s=Pz0D9DiyrZt2hqpwdrM-XUyZtS3V3RW5QRHyRs3wSVI&e=>

http://www.snort.org<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.snort.org&d=DQMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=fQWGiSBcXmVjKDEHrPupbQ&m=cTm-mT9REoK7_CHgZQ7zfhFddF3iZhTPbRIKTDOxa30&s=gzGfR0wh3bT8Lj9ZsJw7L5BVYxx7LH2oM3FKSP1fpyU&e=>

Please visit http://blog.snort.org<https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.snort.org&d=DQMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=fQWGiSBcXmVjKDEHrPupbQ&m=cTm-mT9REoK7_CHgZQ7zfhFddF3iZhTPbRIKTDOxa30&s=tDAmuWWrcKlurq9E9sreJ_TFXD7MTiV3v-C3JfL47cs&e=> for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads<https://urldefense.proofpoint.com/v2/url?u=https-3A__snort.org_downloads_-23rule-2Ddownloads&d=DQMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=fQWGiSBcXmVjKDEHrPupbQ&m=cTm-mT9REoK7_CHgZQ7zfhFddF3iZhTPbRIKTDOxa30&s=6fCvEsnt95DkiqGmsbNKzsmJCDjOnS0-x_7LYcrTuQo&e=>">emerging threats</a>!


________________________________

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
______________________________________________________________________________________

www.accenture.com<http://www.accenture.com>

<html><head></head><body><font color="black" face="arial" size="2">
The information in this e-mail is confidential. The contents may not be disclosed or used by anyone other than the addressee. Access to this e-mail by anyone else is unauthorised.
If you are not the intended recipient, please notify Airbus immediately and delete this e-mail.
Airbus cannot accept any responsibility for the accuracy or completeness of this e-mail as it has been sent over public networks. If you have any concerns over the content of this message or its Accuracy or Integrity, please contact Airbus immediately.
All outgoing e-mails from Airbus are checked using regularly updated virus scanning software but you should take whatever measures you deem to be appropriate to ensure that this message and any attachments are virus free.
</font>
</body>
</html>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170223/2736cdfd/attachment.html>


More information about the Snort-sigs mailing list