Sneed-Reactivity/yara-mikesxrs/xanda/iframeRedKit.yar

24 lines
751 B
Text
Raw Permalink Normal View History

rule iframeRedKit
{
meta:
author = "adnan.shukor@gmail.com"
description = "Detection rule to detect compromised page injected with invisible iframe of Redkit redirector"
ref = "http://blog.xanda.org/2013/02/15/redkit-redirector-injected-into-legitimate-javascript-code/"
cve = "NA"
version = "1.2"
impact = 4
hide = false
strings:
$iRedKit_1 = /name\=['"]?Twitter['"]?/
$iRedKit_2 = /scrolling\=['"]?auto['"]?/
$iRedKit_3 = /frameborder\=['"]?no['"]?/
$iRedKit_4 = /align\=['"]?center['"]?/
$iRedKit_5 = /height\=['"]?2['"]?/
$iRedKit_6 = /width\=['"]?2['"]?/
$iRedKit_7 = /src\=['"]?http:\/\/[\w\.\-]{4,}\/(([a-z]{4}\.html?(\?[hij]=\d{7})?)|([a-z]{4,}\.php\?[a-z]{4,}\=[a-f0-9]{16}))['"]?/
condition:
all of them
}