<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
span.hoenzb
        {mso-style-name:hoenzb;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Please remove me from the snort email distros.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thank you!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#0568AE">Frederick Illg<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#0D0D0D">Senior Specialist, Technology Security<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#0D0D0D">Global Emerging Services - Security & Advanced Applications<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#0568AE">AT&T Services, Inc.<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Tyler Montier [mailto:tmontier@...435...]
<br>
<b>Sent:</b> Monday, February 20, 2017 4:42 PM<br>
<b>To:</b> Y M <snort@...3751...><br>
<b>Cc:</b> snort-sigs <snort-sigs@lists.sourceforge.net><br>
<b>Subject:</b> Re: [Snort-sigs] Zyns iframer<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">Yaser,</span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">Thanks for your submission. We will review the rules and get back to you when they're finished.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">Sincerely,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">Tyler Montier<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.5pt">Cisco Talos<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mon, Feb 20, 2017 at 2:50 PM, Y M <<a href="mailto:snort@...3751..." target="_blank">snort@...3751...</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div id="m_-4367895564206261362divtagdefaultwrapper">
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Hello,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">The below signatures are derived from the analysis in the reference. While the EKs pushed by the iframer may already be detected by dedicated/existing signatures, the article also
 mentions that the iframer has also been used in malvertising, hence the signatures below. The article also mentions 2016 network traffic from the malware-traffic-analysis website. I used that pcap to test the "/linkx.php" detection and things seem to be functioning
 as expected.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Consolas;color:black">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Zyns iframer redirector gate request"; flow:to_server,established; urilen:14; content:"GET"; http_method;
 content:"/out.php?sid="; fast_pattern:only; http_uri; pcre:"/\/out\.php\x3fsid\x3d[0-9]$/imU"; content:"Referer"; http_header; flowbits:set,zyns.iframer; metadata:ruleset community, service http; reference:url,<a href="http://blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/" target="_blank">blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/</a>;
 classtype:trojan-activity; sid:1000856; rev:1;)</span><span style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Consolas;color:black">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Zyns iframer redirector gate request"; flow:to_server,established; urilen:9<>10; content:"GET";
 http_method; content:"/link"; fast_pattern:only; http_uri; pcre:"/\/link[a-z]{0,1}\.php$/imU"; content:"Referer"; http_header; flowbits:set,zyns.iframer; metadata:ruleset community, service http; reference:url,<a href="http://blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/" target="_blank">blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/</a>;
 classtype:trojan-activity; sid:1000857; rev:1;)</span><span style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:Consolas;color:black">alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Zyns iframer redirector gate response"; flow:to_client,established; flowbits:isset,zyns.iframer;
 content:"200"; http_stat_code; content:" (@RELEASE@)|0D 0A|"; http_header; content:"X-Powered-By|3A 20|PHP/"; http_header; file_data; content:"|3C|iframe src=|22|"; content:"width=|22|468|22| height=|22|60|22|"; within:500; content:"style=|22|position:absolute|3B|left:-10000px|3B 22|"; distance:0;
 metadata:ruleset community, service http; reference:url,<a href="http://blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/" target="_blank">blog.malwarebytes.com/threat-analysis/2017/01/a-look-back-at-the-zyns-iframer-campaign/</a>;
 classtype:trojan-activity; sid:1000858; rev:1;)</span><span style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:black">Thank you.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;color:#888888">YM<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span class="hoenzb"><o:p> </o:p></span></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
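<p class="MsoNormal">The three submitted rules chain together through the zyns.iframer flowbit: one of the two request rules must fire on the gate URI before the response rule is evaluated on the returned page. The following Python re-implements that matching logic over constructed request/response samples so the URI lengths, PCREs and body content sequence can be sanity-checked without a pcap. It is an added example, not code from the original post, from Cisco Talos or from Snort itself; the host names are constructed, and it treats urilen:9<>10 as an inclusive 9..10 range and within:500 as "next match starts within 500 bytes", both of which are approximations of Snort's semantics rather than a re-implementation of them.</p>

```python
"""Mirror of the matching logic in the three Zyns iframer rules
(sids 1000856, 1000857, 1000858), for checking the patterns against
constructed samples. Added example, not Snort and not the poster's code.
Assumptions: urilen:9<>10 is treated as inclusive 9..10 and within:500 as
"next match begins within 500 bytes"; both approximate Snort's semantics."""
import re
from typing import Dict, List, Optional

# pcre from sid 1000856: /\/out\.php\x3fsid\x3d[0-9]$/imU  (plus urilen:14)
OUT_PHP_RE = re.compile(r"/out\.php\?sid=[0-9]$", re.I | re.M)
# pcre from sid 1000857: /\/link[a-z]{0,1}\.php$/imU      (plus urilen:9<>10)
LINK_PHP_RE = re.compile(r"/link[a-z]?\.php$", re.I | re.M)

# Response contents from sid 1000858 with the |hex| escapes decoded.
IFRAME_OPEN = b'<iframe src="'
IFRAME_SIZE = b'width="468" height="60"'
IFRAME_STYLE = b'style="position:absolute;left:-10000px;"'

# Constructed sample traffic (hosts use the reserved .invalid TLD).
SAMPLE_HEADERS = {"Host": "gate.invalid", "Referer": "http://publisher.invalid/page"}
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache (@RELEASE@)\r\n"
    b"X-Powered-By: PHP/5.4.16\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><body><iframe src="http://next-hop.invalid/" width="468" height="60" '
    b'style="position:absolute;left:-10000px;"></iframe></body></html>'
)


def _has_header(headers: Dict[str, str], name: str) -> bool:
    return any(k.lower() == name.lower() for k in headers)


def gate_request_sid(request_line: str, headers: Dict[str, str]) -> Optional[int]:
    """Return the sid of the request rule that would fire, or None."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":        # content:"GET"; http_method
        return None
    uri = parts[1]
    if not _has_header(headers, "Referer"):        # content:"Referer"; http_header
        return None
    # content matches are case-sensitive (no nocase), the pcre is /i
    if len(uri) == 14 and "/out.php?sid=" in uri and OUT_PHP_RE.search(uri):
        return 1000856
    if 9 <= len(uri) <= 10 and "/link" in uri and LINK_PHP_RE.search(uri):
        return 1000857
    return None


def gate_response_matches(raw: bytes, flowbit_set: bool) -> bool:
    """Mirror sid 1000858; only evaluated once zyns.iframer has been set."""
    if not flowbit_set:                            # flowbits:isset,zyns.iframer
        return False
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False
    status = head.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or status[1] != b"200":     # content:"200"; http_stat_code
        return False
    header_block = head + b"\r\n"                  # restore the last header's CRLF
    if b" (@RELEASE@)\r\n" not in header_block:    # content:" (@RELEASE@)|0D 0A|"
        return False
    if b"X-Powered-By: PHP/" not in header_block:  # content:"X-Powered-By|3A 20|PHP/"
        return False
    i = body.find(IFRAME_OPEN)                     # file_data; first content
    if i < 0:
        return False
    cursor = i + len(IFRAME_OPEN)
    j = body.find(IFRAME_SIZE, cursor, cursor + 500)   # within:500 (approximation)
    if j < 0:
        return False
    cursor = j + len(IFRAME_SIZE)
    return body.find(IFRAME_STYLE, cursor) >= 0    # distance:0


def scan_session(request_line: str, headers: Dict[str, str], raw_response: bytes) -> List[int]:
    """Evaluate one request/response pair with the flowbit tying them together."""
    fired: List[int] = []
    sid = gate_request_sid(request_line, headers)
    if sid is not None:
        fired.append(sid)
    if gate_response_matches(raw_response, flowbit_set=sid is not None):
        fired.append(1000858)
    return fired


if __name__ == "__main__":
    for line in ("GET /out.php?sid=3 HTTP/1.1", "GET /linkx.php HTTP/1.1",
                 "GET /out.php?sid=12 HTTP/1.1", "GET /index.php HTTP/1.1"):
        print(line, "->", scan_session(line, SAMPLE_HEADERS, SAMPLE_RESPONSE))
```

The checks are deliberately the same ones the rules express (method, URI length, content, PCRE, Referer presence, status code, header strings, ordered body contents), so a rule author can feed in a URI or page body and see which sid would fire before loading the rules into Snort; an sid-only URI of 15 bytes or a request without a Referer header falls outside the request rules, and the response rule never runs unless a request rule set the flowbit.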
</div>
</body>
</html>