# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------
# OS-MOBILE RULES
#-----------------
# Policy/visibility rule, not a malware signature: outbound HTTP whose User-Agent header contains
# "kindle" (nocase). A User-Agent is client-controlled and trivially spoofed, so treat hits as
# device-inventory data, never as proof of device type. Disabled (commented) by default.
# NOTE(review): the pcre anchors with "^" but carries no /m flag, so "^" binds to the start of the
# normalized header buffer rather than to each header line -- confirm the rule still fires when
# User-Agent is not the first request header.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Kindle User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"kindle"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*kindle/iH"; metadata:ruleset community, service http; classtype:policy-violation; sid:25524; rev:3;)
# Policy rule: User-Agent containing "Samsung" (nocase). Spoofable header -- inventory signal only.
# NOTE(review): pcre "^" without /m anchors to the start of the whole header buffer; confirm it
# matches when User-Agent is not the first header.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Samsung User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"Samsung"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*samsung/iH"; metadata:ruleset community, service http; classtype:policy-violation; sid:25523; rev:3;)
# Policy rule: User-Agent containing "nokia" (nocase). Spoofable header -- inventory signal only.
# NOTE(review): pcre "^" without /m anchors to the start of the whole header buffer; confirm it
# matches when User-Agent is not the first header.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Nokia User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"nokia"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*nokia/iH"; metadata:ruleset community, service http; classtype:policy-violation; sid:25522; rev:3;)
# Policy rule: any User-Agent containing "android" (nocase). On a BYOD network this is extremely
# noisy; it classifies, it does not indicate a threat. Spoofable header.
# NOTE(review): pcre "^" without /m anchors to the start of the whole header buffer; confirm it
# matches when User-Agent is not the first header.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"android"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*android/iH"; metadata:ruleset community, service http; classtype:policy-violation; sid:25521; rev:3;)
# Policy rule: User-Agent containing "iPhone". Unlike the other UA rules this one is case-sensitive
# (no nocase, pcre has no /i), presumably to mirror Apple's exact token -- "iphone" will not match.
# NOTE(review): pcre "^" without /m anchors to the start of the whole header buffer; confirm it
# matches when User-Agent is not the first header.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Apple iPhone User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"iPhone"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]*iPhone/H"; metadata:ruleset community, service http; classtype:policy-violation; sid:25520; rev:4;)
# Policy rule: case-sensitive User-Agent match on "iPad" (no nocase, no /i). Spoofable header.
# NOTE(review): pcre "^" without /m anchors to the start of the whole header buffer; confirm it
# matches when User-Agent is not the first header.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Apple iPad User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"iPad"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]*iPad/H"; metadata:ruleset community, service http; classtype:policy-violation; sid:25519; rev:4;)
# Policy rule: case-sensitive User-Agent match on "iPod" (no nocase, no /i). Spoofable header.
# NOTE(review): pcre "^" without /m anchors to the start of the whole header buffer; confirm it
# matches when User-Agent is not the first header.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Apple iPod User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"iPod"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]*iPod/H"; metadata:ruleset community, service http; classtype:policy-violation; sid:25518; rev:4;)
# Inbound SMTP carrying a zip (the file.zip flowbit must be set by a file-type rule outside this
# file) whose contents include the evasi0n Windows jailbreak tool's file names. Only file names are
# matched, so a renamed archive or renamed executable evades. classtype attempted-admin because a
# jailbreak is a device-level privilege escalation, even when the user is the one running it.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Apple iOS 6.x jailbreak download attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"evasi0n-win-"; fast_pattern:only; content:"evasi0n.exe"; nocase; metadata:service smtp; reference:url,evasi0n.com/; classtype:attempted-admin; sid:25616; rev:4;)
# Same evasi0n zip-content check as the SMTP variant, for downloads over ftp-data/http/imap/pop3
# (flow to_client, file.zip flowbit required). File-name based: renamed files evade.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Apple iOS 6.x jailbreak download attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"evasi0n-win-"; fast_pattern:only; content:"evasi0n.exe"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,evasi0n.com/; classtype:attempted-admin; sid:25615; rev:4;)
# PDF download (file.pdf flowbit set elsewhere) containing a fixed 16-byte sequence taken from one
# build of the JailbreakMe 3.0 exploit PDF. Exact-bytes signature: any re-encoding of the stream
# defeats it, so expect low coverage of variants but also very low false-positive rate.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Apple iOS 4.3.3 jailbreak for iPad download attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|28 69 90 CC 10 42 88 0A D9 21 25 52 F6 DE 23 23|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,jailbreakzone.com/2011/07/02/jailbreakme-3-0-leaked-try-it-out-now/; classtype:attempted-admin; sid:19417; rev:9;)
# Second iPad variant: 32-byte sequence beginning 78 DA, which looks like a zlib stream header,
# i.e. the opening bytes of one specific compressed PDF stream. Re-compressing the same content
# changes these bytes, so this pins a single released file rather than the technique.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Apple iOS 4.3.3 jailbreak for iPad download attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|78 DA ED DD 07 5C 8E FB E3 3F FE 86 8C 86 A2 A1 41 32 22 69 A7 52 69 A2 D2 56 89 64 A5 BD 35 35|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,jailbreakzone.com/2011/07/02/jailbreakme-3-0-leaked-try-it-out-now/; classtype:attempted-admin; sid:19416; rev:9;)
# iPod build of the JailbreakMe 3.0 PDF: 32 fixed bytes (again starting 78 DA, zlib-looking) from
# one compressed stream. Exact-bytes signature -- one file, low FP, no variant coverage.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Apple iOS 4.3.3 jailbreak for iPod download attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|78 DA ED DD 07 3C 97 FB FF 3F 7E 23 0D 23 CA C8 28 69 90 64 13 21 44 85 B2 0A 91 68 C8 DE 5B 46|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,jailbreakzone.com/2011/07/02/jailbreakme-3-0-leaked-try-it-out-now/; classtype:attempted-admin; sid:19419; rev:10;)
# iPhone build of the JailbreakMe 3.0 PDF: 32 fixed bytes from one compressed stream (78 DA prefix).
# Exact-bytes signature -- one file, low FP, no variant coverage.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Apple iOS 4.3.3 jailbreak for iPhone download attempt"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"|78 DA ED DD 07 3C D7 7B FF 3F 7E 2A 29 15 1A 94 64 A5 32 B2 25 45 94 0A 89 22 85 64 25 7B CB DE|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,jailbreakzone.com/2011/07/02/jailbreakme-3-0-leaked-try-it-out-now/; classtype:attempted-admin; sid:19418; rev:9;)
# Gmaster device-profile exfiltration: five POST-body parameter names (uid, imei, simNum, telNum,
# imsi), all nocase, unordered, with no URI or Host constraint. Any legitimate app posting the same
# field set will also trip it -- validate hits by destination before escalating. No explicit
# fast_pattern, so Snort picks one of the longest contents ("simNum="/"telNum=").
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Gmaster device information send"; flow:to_server,established; content:"uid="; nocase; http_client_body; content:"imei="; nocase; http_client_body; content:"simNum="; nocase; http_client_body; content:"telNum="; nocase; http_client_body; content:"imsi="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-082404-5049-99&tabid=2; classtype:trojan-activity; sid:26026; rev:3;)
# Tetus variant: the fast_pattern "User-Agent: Dalvik" is the stock Android HttpURLConnection UA,
# so it pre-filters almost all Android app traffic; the actual discriminator is the URI carrying
# imei=, referrer= and pid= together. Expect the prefilter to be hot on Android-heavy networks.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Tetus device information leakage variant"; flow:to_server, established; content:"User-Agent: Dalvik"; fast_pattern:only; http_header; content:"imei="; nocase; http_uri; content:"referrer="; nocase; http_uri; content:"pid="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/855332267ffd1fb671d916822ea2929bef8974441a34cb4d9eb9c9b60ba6481f/analysis/; classtype:trojan-activity; sid:26939; rev:2;)
# Tetus: Dalvik UA prefilter plus URI parameters imei=, lpn=, vd= (unordered, nocase). Same sample
# hash as the "variant" rule above; the two differ only in the parameter set they key on.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Tetus device information leakage"; flow:to_server, established; content:"User-Agent: Dalvik"; fast_pattern:only; http_header; content:"imei="; nocase; http_uri; content:"lpn="; nocase; http_uri; content:"vd="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/855332267ffd1fb671d916822ea2929bef8974441a34cb4d9eb9c9b60ba6481f/analysis/; classtype:trojan-activity; sid:26938; rev:2;)
# Opfake check-in: URI /q.php, the default Android Apache HttpClient UA, and a body that begins with
# "log" (depth:3) followed in order by "Executing" and "sendSMS" (distance:0 chains). The ordered
# body chain is what gives this its specificity; the UA alone is shared by many benign apps.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR.Trojan.Opfake device information disclosure attempt"; flow:to_server,established; content:"/q.php"; nocase; http_uri; content:"Apache-HttpClient/UNAVAILABLE (java 1."; fast_pattern:only; http_header; content:"log"; depth:3; nocase; http_client_body; content:"Executing"; distance:0; nocase; http_client_body; content:"sendSMS"; distance:0; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,blog.avast.com/2012/10/31/double-trouble/; classtype:trojan-activity; sid:26827; rev:4;)
# Opfake credential upload: /login.php plus an Android 2.x UA fragment and an ordered body of
# user_id=, &password=, &submit=. There is no Host constraint, so a legitimate Android 2.x browser
# posting that exact field triple to any site's /login.php also matches -- but any such hit is
# plaintext credentials leaving the network over HTTP, which is worth looking at regardless.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR.Trojan.Opfake credential theft attempt"; flow:to_server,established; content:"/login.php"; nocase; http_uri; content:"|28|Linux|3B| U|3B| Android 2."; fast_pattern:only; http_header; content:"user_id="; nocase; http_client_body; content:"&password="; distance:0; nocase; http_client_body; content:"&submit="; distance:0; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,blog.avast.com/2012/10/31/double-trouble/; classtype:trojan-activity; sid:26826; rev:4;)
# ZertSecurity APK download: the content is "com.ceandroid.security.zert" encoded as UTF-16LE
# (ASCII byte, 00 byte), presumably as it appears in the APK's binary manifest/resource string
# pool. Requires the file.apk flowbit from a file-type rule outside this file. A rebuilt sample
# with a different package name evades.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.ZertSecurity apk download"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00|.|00|c|00|e|00|a|00|n|00|d|00|r|00|o|00|i|00|d|00|.|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|.|00|z|00|e|00|r|00|t"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,blog.lookout.com/blog/2013/05/06/zertsecurity; classtype:trojan-activity; sid:26795; rev:5;)
# Opfake APK download: UTF-16LE string "ngjvnpslnp.iplhmk" (looks like a randomized package name)
# inside an APK (file.apk flowbit). Pins one build; sibling builds with another generated name miss.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.Opfake APK file download"; flow:to_client,established; file_data; flowbits:isset,file.apk; content:"n|00|g|00|j|00|v|00|n|00|p|00|s|00|l|00|n|00|p|00|.|00|i|00|p|00|l|00|h|00|m|00|k"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/f2648dc7bc964dc7690c60575ad526ba5b23a0f09312fd7ebf4fa65a379919ca/analysis/; classtype:trojan-activity; sid:26783; rev:7;)
# Fakedoc beacon: the long, distinctive URI parameter "&locale_source_term_network_sim=" is the
# fast_pattern, with network=, &did=, &model= also required in the URI. Good selectivity; device
# identifiers travel in the query string, so the hit itself is a privacy leak.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Fakedoc device information leakage"; flow:to_server, established; content:"&locale_source_term_network_sim="; fast_pattern:only; http_uri; content:"network="; nocase; http_uri; content:"&did="; nocase; http_uri; content:"&model="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/85c4f3066b76671aab7148b98766e6b904c83cd0920187ec4bbd5af8c9e9c970/analysis/; classtype:trojan-activity; sid:26768; rev:3;)
# Fakeinst: stock Dalvik UA plus imei=, imsi=, phone= in the URI. The parameter names are generic,
# so poorly written legitimate apps that put IMEI/IMSI in a GET request will match too -- still
# worth triage, since that is a data leak in its own right.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Fakeinst device information leakage"; flow:to_server, established; content:"User-Agent: Dalvik/"; fast_pattern:only; http_header; content:"imei="; nocase; http_uri; content:"imsi="; nocase; http_uri; content:"phone="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/0a77e1aac4720037e2946edf84d957616e564bd525e444cf3994f5ae4b9374ab/analysis/; classtype:trojan-activity; sid:26760; rev:3;)
# Ewalls exfiltration over POST: uniquely_code= (fast_pattern) with imsi_mcc, build_model and
# line1_number also in the body; unordered. Mapped to ATT&CK T1020 (automated exfiltration).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Ewalls device information exfiltration"; flow:to_server, established; content:"uniquely_code="; fast_pattern:only; http_client_body; content:"imsi_mcc"; nocase; http_client_body; content:"build_model"; nocase; http_client_body; content:"line1_number"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/1318b052ac129baf53b004e2e4a7002f4bf8654c1dd9381c4cbf7a535b5c5106/analysis/; classtype:trojan-activity; sid:26705; rev:4;)
# Antammi exfiltration over POST: network_mcc (fast_pattern) with imsi=, phone_number= and sim_id=
# in the body; unordered, nocase. ATT&CK T1020. No Host/URI constraint -- confirm destination.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Antammi device information exfiltration"; flow:to_server,established; content:"network_mcc"; fast_pattern:only; http_client_body; content:"imsi="; nocase; http_client_body; content:"phone_number="; nocase; http_client_body; content:"sim_id="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/10e2d89226c48d0d9fc08168cc5e508cd9afc6d08c262e70f02b7de607ef548a/analysis/; classtype:trojan-activity; sid:26693; rev:4;)
# Denofow SOAP exfiltration: body contains closing tags </opname>, </cell>, </openmic>.
# NOTE(review): the fast_pattern is "SOAPAction: ", which is present in every SOAP request on the
# network, so the prefilter is wide open and all selectivity comes from the three body tags.
# "</openmic>" would be a far better fast_pattern if performance becomes an issue.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Denofow phone information exfiltration"; flow:to_server,established; content:"SOAPAction: "; fast_pattern:only; http_header; content:"</opname>"; nocase; http_client_body; content:"</cell>"; nocase; http_client_body; content:"</openmic>"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/fc0417fd719f457f172a5c3fbb8fc155a04f2376b2ca4155395e01a028908038/analysis/; classtype:trojan-activity; sid:26689; rev:4;)
# MDK check-in on TCP/30125: because the port is not an HTTP_PORTS member, the contents are raw
# payload matches (no http_* modifiers), so no HTTP normalization applies. Keys on Host
# app.looking3g.com, a "/serv?" path and the default Android HttpClient UA. Attacker-controlled
# hostname and port -- expect this to age quickly.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 30125 (msg:"OS-MOBILE Android MDK encrypted information leak"; flow:to_server,established; content:"Host: app.looking3g.com"; nocase; content:"/serv?"; nocase; content:"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)"; fast_pattern:only; metadata:impact_flag red, service http; reference:url,androidmalwaredump.blogspot.com/2013/01/androidtrojmdk-aka-androidksapp.html; classtype:trojan-activity; sid:26443; rev:3;)
# MDK check-in over standard HTTP ports: Host wap.juliu.net, URI /control.html?, default Android
# HttpClient UA (fast_pattern). Hostname-based, so it tracks one C2 domain only.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android MDK encrypted information leak"; flow:to_server,established; content:"Host: wap.juliu.net"; nocase; http_header; content:"/control.html?"; nocase; http_uri; content:"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,androidmalwaredump.blogspot.com/2013/01/androidtrojmdk-aka-androidksapp.html; classtype:trojan-activity; sid:26442; rev:3;)
# Stels C2 *response* (server -> infected device): JSON keys "removeAllSmsFilters": and ,"wait":
# in the response body. Server-side detection is valuable because it fires even if the client
# request format changes; an alert here means a device already checked in successfully.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android Stels server response"; flow:to_client,established; file_data; content:"{|22|removeAllSmsFilters|22|:"; fast_pattern:only; content:",|22|wait|22|:"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/03c1b44c94c86c3137862c20f9f745e0f89ce2cdb778dc6466a06a65b7a591ae/analysis/; classtype:trojan-activity; sid:26388; rev:3;)
# Stels initial check-in: multipart POST with boundary "--AaB03x" containing botId and imsi.
# NOTE(review): "AaB03x" is the example boundary from the RFC 1867/2388 multipart examples and is
# copied into a lot of unrelated client code, so it is not unique to this family. Also the
# fast_pattern is "Content-Disposition", which every multipart upload contains -- "--AaB03x" or
# "botId" would prefilter far more selectively.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Stels initial server contact"; flow:to_server,established; content:"--AaB03x"; nocase; http_client_body; content:"Content-Disposition"; fast_pattern:only; http_client_body; content:"botId"; nocase; http_client_body; content:"imsi"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/03c1b44c94c86c3137862c20f9f745e0f89ce2cdb778dc6466a06a65b7a591ae/analysis/; classtype:trojan-activity; sid:26387; rev:4;)
# Ksapp registration to TCP/5222 (normally XMPP) using http_uri matches on /kspp/do?imei=, &wid=,
# &type=&step=0.
# NOTE(review): http_uri is only populated when the HTTP preprocessor inspects the stream. If 5222
# is not in http_inspect's port list (and no service-based detection maps it to http), this rule can
# never fire; either add the port to http_inspect or fall back to raw content matches as the other
# odd-port rules in this file do.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"OS-MOBILE Android Ksapp device registration"; flow:to_server,established; content:"/kspp/do?imei="; fast_pattern:only; http_uri; content:"&wid="; nocase; http_uri; content:"&type=&step=0"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-091722-4052-99; classtype:trojan-activity; sid:26291; rev:4;)
# RootSmart check-in: body contains c:root= (fast_pattern), the /androidService/services/AndroidService
# path, then IMEI followed 16-19 bytes later by "&;IMSI" (within:9 after distance:16) and 16-28 bytes
# after that by "&;TYPE_TEL", then INSTALL_TYPE. The fixed distances encode the identifier value
# lengths seen in the sample; a variant that pads or shortens those fields evades.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR.Trojan.RootSmart outbound communication attempt"; flow:to_server,established; content:"c:root="; fast_pattern:only; http_client_body; content:"/androidService/services/AndroidService"; http_client_body; content:"IMEI"; distance:0; http_client_body; content:"&|3B|IMSI"; within:9; distance:16; http_client_body; content:"&|3B|TYPE_TEL"; within:18; distance:16; http_client_body; content:"INSTALL_TYPE"; distance:0; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/8cb40e8dce05482907ff83b39911831daf20e4a69ee63a6cff523c880eed1acf/analysis/; classtype:trojan-activity; sid:26290; rev:5;)
# Chuli APK arriving by e-mail: the UTF-16LE string "http://64.78.161.133" embedded in the APK, i.e.
# the hard-coded C2 address of the analysed sample. An IP-literal indicator is the easiest thing for
# the operator to change between builds; treat as coverage of this campaign only.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android ANDR.Trojan.Chuli APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"h|00|t|00|t|00|p|00|:|00|/|00|/|00|6|00|4|00 2E 00|7|00|8|00 2E 00|1|00|6|00|1|00 2E 00|1|00|3|00|3"; fast_pattern:only; metadata:impact_flag red, service smtp; reference:url,www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack; classtype:trojan-activity; sid:26273; rev:4;)
# Chuli APK over ftp-data/http/imap/pop3: same UTF-16LE "http://64.78.161.133" C2 literal as the
# SMTP rule. Build-specific indicator; a new C2 address means a new rule.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.Chuli APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"h|00|t|00|t|00|p|00|:|00|/|00|/|00|6|00|4|00 2E 00|7|00|8|00 2E 00|1|00|6|00|1|00 2E 00|1|00|3|00|3"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.securelist.com/en/blog/208194186/Android_Trojan_Found_in_Targeted_Attack; classtype:trojan-activity; sid:26272; rev:5;)
# MSIL PC-USB stager: an outbound *request* (not the payload) for a URI ending in .exe or .zip
# (pcre anchors with $, excludes & / ? in the final segment) to a Host beginning "claco.". Despite
# the msg this fires on the fetch, so a blocked or 404'd download still alerts.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR-WIN.MSIL variant PC-USB Malicious executable file download"; flow:to_server,established; pcre:"/\x2f[^\x26\x2f\x3f]+?\x2e(exe|zip)$/iU"; content:"Host|3A| claco."; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.securelist.com/en/blog/805/Mobile_attacks; classtype:trojan-activity; sid:26257; rev:4;)
# PremiumSMS APK by e-mail: UTF-16LE package name "com.zwx.flyapp" inside an APK (file.apk flowbit).
# Package-name indicator: a repack under another name evades.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android ANDR.Trojan.PremiumSMS APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00|.|00|z|00|w|00|x|00|.|00|f|00|l|00|y|00|a|00|p|00|p"; fast_pattern:only; metadata:impact_flag red, service smtp; reference:url,blog.trustgo.com/trojanextension-a-complex-malware-escapes-av-detection/; classtype:trojan-activity; sid:26247; rev:4;)
# PremiumSMS APK over ftp-data/http/imap/pop3: same UTF-16LE "com.zwx.flyapp" package name.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.PremiumSMS APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00|.|00|z|00|w|00|x|00|.|00|f|00|l|00|y|00|a|00|p|00|p"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,blog.trustgo.com/trojanextension-a-complex-malware-escapes-av-detection/; classtype:trojan-activity; sid:26246; rev:5;)
# Fakenetflix credential upload: POST body with email= and &pass= to Host erofolio.no-ip.biz. The
# host is a dynamic-DNS name the operator can re-point at will, so the rule is only as current as
# that indicator; a hit is plaintext credentials leaving the network.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Fakenetflix email password upload"; flow:to_server,established; content:"Host|3A| erofolio.no-ip.biz"; fast_pattern:only; http_header; content:"email="; nocase; http_client_body; content:"&pass="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-101105-0518-99&tabid=2; classtype:trojan-activity; sid:26205; rev:4;)
# CruseWind: IMEI sent in the query string of /flash/test.xml?imei= together with &time=. The
# path+parameter pair is specific enough that FPs should be rare.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android CruseWind imei leakage"; flow:to_server,established; content:"/flash/test.xml?imei="; fast_pattern:only; http_uri; content:"&time="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-070301-5702-99&tabid=2; classtype:trojan-activity; sid:26192; rev:3;)
# YZHC registration over HTTP: URI with action=domregbycode& (fast_pattern), channe=, imsi=, code=.
# Maintainers: "channe=" (no "l") is presumably the literal parameter name from the sample, not a
# typo -- do not "correct" it without re-checking the traffic.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android YZHC device registration"; flow:to_server,established; content:"action=domregbycode&"; fast_pattern:only; http_uri; content:"channe="; http_uri; content:"imsi="; http_uri; content:"code="; http_uri; metadata:impact_flag red, service http; reference:url,www.csc.ncsu.edu/faculty/jiang/YZHCSMS/; classtype:trojan-activity; sid:26190; rev:3;)
# YZHC registration to TCP/9888: raw payload matches (no http_* modifiers, since the port is not
# HTTP-inspected) for networklocale=, networkname=, networkcode= and register?imei=. Port-bound
# indicator: a build that moves the port silently escapes this rule.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 9888 (msg:"OS-MOBILE Android YZHC device registration"; flow:to_server,established; content:"networklocale="; fast_pattern:only; content:"networkname="; content:"networkcode="; content:"register?imei="; metadata:impact_flag red, service http; reference:url,www.csc.ncsu.edu/faculty/jiang/YZHCSMS/; classtype:trojan-activity; sid:26189; rev:3;)
# Zitmo (mobile ZeuS component) uploading intercepted SMS: URI /security.jsp with body fields f0=,
# &b0=, &pid=. A hit implies banking mTAN codes are being forwarded -- high priority for IR.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Zitmo trojan intercepted sms upload"; flow:to_server,established; content:"/security.jsp"; nocase; http_uri; content:"f0="; nocase; http_client_body; content:"&b0="; nocase; http_client_body; content:"&pid="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:trojan-activity; sid:26114; rev:3;)
# KMin check-in: URI shape /portal/m/c ... .ashx? with &nt2= and &tp=2. Note the msg says imei/imsi
# leakage but no imei/imsi token is matched -- detection is on the C2 URI structure only.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android KMin imei imsi leakage"; flow:to_server,established; content:"/portal/m/c"; nocase; http_uri; content:".ashx?"; nocase; http_uri; content:"&nt2="; nocase; http_uri; content:"&tp=2"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99&tabid=2; classtype:trojan-activity; sid:26104; rev:3;)
# GoldDream registration: /zj/RegistUid.aspx?pid= with &imsi=, &imei=, &sim= in the URI. Specific
# path makes this low-FP; all four contents are nocase and unordered.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android GoldDream device registration"; flow:to_server,established; content:"/zj/RegistUid.aspx?pid="; nocase; http_uri; content:"&imsi="; nocase; http_uri; content:"&imei="; nocase; http_uri; content:"&sim="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.cs.ncsu.edu/faculty/jiang/GoldDream/; classtype:trojan-activity; sid:26102; rev:3;)
# GoneIn60Seconds bulk upload: POST body data= holding URL-encoded JSON with keys contacts, sms,
# recent, url (matched as contacts%22%3a etc.). No Host/URI constraint.
# NOTE(review): the Symantec docid cited here (2011-093001-2649-99) is identical to the one on the
# KMin rule -- verify that this reference actually describes GoneIn60Seconds.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android GoneIn60Seconds data upload"; flow:to_server,established; content:"data="; nocase; http_client_body; content:"contacts%22%3a"; nocase; http_client_body; content:"sms%22%3a"; nocase; http_client_body; content:"recent%22%3a"; nocase; http_client_body; content:"url%22%3a"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99&tabid=2; classtype:trojan-activity; sid:26087; rev:3;)
# GGTracker install callback: URI containing /SM, ?device_id= and &adv_sub=. All three contents are
# short and generic ("adv_sub" in particular looks like a common affiliate-tracking parameter), so
# expect false positives from ad/attribution SDKs; corroborate with the other GGTracker rules.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android GGTracker installation call out"; flow:to_server,established; content:"/SM"; nocase; http_uri; content:"|3F|device_id="; nocase; http_uri; content:"|26|adv_sub="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,blog.lookout.com/blog/2011/06/20/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages/; classtype:trojan-activity; sid:26018; rev:3;)
# GGTracker phone-number leak: single URI match notif.php?phone= -- any site with that path and
# parameter matches. Low specificity, but a phone number in a GET string is worth seeing anyway.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android GGTracker leak of device phone number"; flow:to_server,established; content:"notif.php?phone="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,blog.lookout.com/blog/2011/06/20/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages/; classtype:trojan-activity; sid:26017; rev:3;)
# GGTracker C2 POST: body fields number=, carrier=, message=, sdk= (unordered, nocase) with no
# Host or URI constraint. Generic field names -- FP-prone; impact_flag red is optimistic here.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android GGTracker server communication"; flow:to_server,established; content:"number="; nocase; http_client_body; content:"carrier="; nocase; http_client_body; content:"message="; nocase; http_client_body; content:"sdk="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,blog.lookout.com/blog/2011/06/20/security-alert-android-trojan-ggtracker-charges-victims-premium-rate-sms-messages/; classtype:trojan-activity; sid:26016; rev:3;)
# Lovetrap first contact: URI hitting positionrecorder.asmx with imsi= and appid=. The .asmx
# endpoint name carries most of the specificity.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Lovetrap initial connection"; flow:to_server,established; content:"positionrecorder.asmx"; nocase; http_uri; content:"imsi="; nocase; http_uri; content:"appid="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99&tabid=2; classtype:trojan-activity; sid:26015; rev:3;)
# ADRD beacon: .aspx?im= in the URI, default Android HttpClient UA (fast_pattern) and an
# Accept-Language of "zh-CN, en-US". The payload is encrypted, so only the envelope is matched.
# NOTE(review): the Symantec docid (2011-072806-2905-99) is the same one cited on the Lovetrap rule
# -- verify the reference points at an ADRD writeup.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ADRD encrypted information leak"; flow:to_server,established; content:".aspx?im="; nocase; http_uri; content:"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)"; fast_pattern:only; http_header; content:"Accept-Language: zh-CN, en-US"; nocase; http_header; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99&tabid=2; classtype:trojan-activity; sid:25999; rev:3;)
# ADRD beacon, second UA: .aspx?im= in the URI with User-Agent "J2ME/UCWEB7.4.0.57" (a browser
# UA string the trojan apparently impersonates). Same docid caveat as the sibling ADRD rule.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ADRD encrypted information leak"; flow:to_server,established; content:".aspx?im="; nocase; http_uri; content:"User-Agent: J2ME/UCWEB7.4.0.57"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99&tabid=2; classtype:trojan-activity; sid:25998; rev:3;)
# jSMSHider first beacon: ten 4-byte body parameter names (svs, sid, ssd, sta, sac, sci, sch, stp,
# svr, sig), unordered, nocase. Every content is 4 bytes, so the auto-selected fast_pattern is weak
# and the rule will be evaluated against a lot of POST traffic; the requirement for all ten keeps
# FPs down. Payload values are encrypted, hence only key names are matched.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android jSMSHider initial encrypted device info send"; flow:to_server,established; content:"svs="; nocase; http_client_body; content:"sid="; nocase; http_client_body; content:"ssd="; nocase; http_client_body; content:"sta="; nocase; http_client_body; content:"sac="; nocase; http_client_body; content:"sci="; nocase; http_client_body; content:"sch="; nocase; http_client_body; content:"stp="; nocase; http_client_body; content:"svr="; nocase; http_client_body; content:"sig="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,blog.lookout.com/blog/2011/06/15/security-alert-malware-found-targeting-custom-roms-jsmshider/; classtype:trojan-activity; sid:25997; rev:3;)
# Rus.SMS check-in: body begins with imei= (depth:5); "&time=" must start exactly 15 bytes after it
# (within:6 + distance:15, i.e. a 15-digit IMEI), then &os=, &imsi=, and "&v=" exactly 15 bytes
# after "&imsi=".
# NOTE(review): the second fixed offset assumes a 15-digit IMSI. IMSIs are *up to* 15 digits, so a
# device with a shorter IMSI would not match; if coverage matters more than precision, relax that
# last anchor (e.g. distance:0 with a modest within).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android.Trojan.Rus.SMS outbound communication attempt"; flow:established,to_server; content:"imei="; depth:5; http_client_body; content:"&time="; within:6; distance:15; http_client_body; content:"&os="; distance:0; http_client_body; content:"&imsi="; distance:0; http_client_body; content:"&v="; within:3; distance:15; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/664725869278f478e5a50a5e359dc6d5cf4f2a7019d0c122e2fa1e318f19636b/analysis/; classtype:trojan-activity; sid:25868; rev:3;)
# AngryBirdsRioUnlocker: JSON fragment "userId":"NOT IN USE!!!" in the POST body -- a hard-coded
# placeholder left in the malware, which makes an unusually specific single-content indicator.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android AngryBirdsRioUnlocker initial device info send"; flow:to_server,established; content:"|22|userId|22 3A 22|NOT IN USE!!!|22|"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.geek.com/articles/mobile/google-removes-malicious-angry-birds-apps-from-android-market-20110614/; classtype:trojan-activity; sid:25864; rev:3;)
# SMSsend variant: URI /rq.php, default Android HttpClient UA, body starting with name= (depth:5).
# "/rq.php" is not nocase here, unlike most URI matches in this file.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR.Trojan.SMSsend variant outbound connection"; flow:established,to_server; content:"/rq.php"; http_uri; content:"Apache-HttpClient/UNAVAILABLE (java 1."; fast_pattern:only; http_header; content:"name="; depth:5; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/2076cb718edae12fa641a6b28cc53aee8d9d495518836bcc24e8e8bd1172f892/analysis/; classtype:trojan-activity; sid:25512; rev:6;)
# Fakelash C2 (community ruleset): URI /data.php?action= followed in order by &m=, &p=, &n=
# (distance:0 chain). Three one-letter parameters are weak on their own; the ordered chain and the
# /data.php path are what keep this usable.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android/Fakelash.A!tr.spy trojan command and control channel traffic"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&m="; distance:0; nocase; http_uri; content:"&p="; distance:0; nocase; http_uri; content:"&n="; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:24251; rev:4;)
# SMSZombie stage 1 -- flowbit setter only. Matches the path "assets/a33.jpg" in any downloaded
# file, sets file.smszombie and suppresses its own alert (flowbits:noalert); sid 23954 consumes the
# bit. It does not itself check file.apk, so it evaluates against every file stream on these
# services -- cheap because fast_pattern:only, but keep it enabled whenever 23954 is, or 23954 can
# never fire.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android SMSZombie APK file download"; flow:to_client,established; file_data; content:"assets/a33.jpg"; fast_pattern:only; flowbits:set,file.smszombie; flowbits:noalert; metadata:service ftp-data, service http, service imap, service pop3; reference:url,blog.trustgo.com/SMSZombie/; classtype:trojan-activity; sid:23969; rev:7;)
# SMSZombie stage 2 -- the alerting rule. Requires both file.apk (file-type rule elsewhere) and
# file.smszombie (sid 23969 above, which must be enabled alongside this one) and then the UTF-16LE
# string "baoxian_zhushou" in the APK.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android SMSZombie APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; flowbits:isset,file.smszombie; file_data; content:"b|00|a|00|o|00|x|00|i|00|a|00|n|00|_|00|z|00|h|00|u|00|s|00|h|00|o|00|u"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,blog.trustgo.com/SMSZombie/; classtype:trojan-activity; sid:23954; rev:10;)
# Zitmo C2: single URI match on /update/biwdr.php. One fixed path -- precise while the operator
# keeps it, useless once it changes. Unlike the other Zitmo rule this carries no impact_flag.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Zitmo trojan command and control channel traffic"; flow:to_server,established; content:"/update/biwdr.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.securelist.com/en/blog/208193604/Android_Security_Suite_Premium_New_ZitMo; classtype:trojan-activity; sid:23173; rev:5;)
# Nickispy.D custom binary protocol on TCP/2018, server -> device: first 9 payload bytes equal
# 00 00 00 27 00 80 00 05 80 (the "sms logging" reply; the init reply below differs only in the
# 09 byte). Port-bound and fixed-header based; no flowbit ties it to the matching request, so the
# four Nickispy rules alert independently.
# alert tcp $EXTERNAL_NET 2018 -> $HOME_NET any (msg:"OS-MOBILE Android/Nickispy.D sms logging response detection"; flow:to_client,established; content:"|00 00 00 27 00 80 00 05 80|"; depth:9; metadata:impact_flag red; reference:url,www.virustotal.com/#/file/57f771d7809aa35599f81de9ea0120d3/detection; classtype:trojan-activity; sid:21598; rev:5;)
# Nickispy.D sms-logging request, device -> server on TCP/2018: bytes 00 00 00 05 80 at payload
# offset 4 (offset:4, depth:5), i.e. bytes 4-8 only; the leading 4 bytes are not constrained. A
# 5-byte pattern on any port-2018 traffic is thin -- corroborate with the response rule.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 2018 (msg:"OS-MOBILE Android/Nickispy.D sms logging request detection"; flow:to_server,established; content:"|00 00 00 05 80|"; depth:5; offset:4; metadata:impact_flag red; reference:url,www.virustotal.com/#/file/57f771d7809aa35599f81de9ea0120d3/detection; classtype:trojan-activity; sid:21597; rev:5;)
# Nickispy.D initialization reply, server -> device on TCP/2018: first 9 bytes 00 00 00 27 00 80
# 00 09 80 (the 80 at byte 5 appears to mark a response, cf. the request below which has 00 there).
# alert tcp $EXTERNAL_NET 2018 -> $HOME_NET any (msg:"OS-MOBILE Android/Nickispy.D initialization response detection"; flow:to_client,established; content:"|00 00 00 27 00 80 00 09 80|"; depth:9; metadata:impact_flag red; reference:url,www.virustotal.com/#/file/57f771d7809aa35599f81de9ea0120d3/detection; classtype:trojan-activity; sid:21596; rev:5;)
# Nickispy.D initialization request, device -> server on TCP/2018: first 9 bytes 00 00 00 27 00 00
# 00 09 80. Same port-bound, fixed-header caveat as the other Nickispy rules.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 2018 (msg:"OS-MOBILE Android/Nickispy.D initialization request detection"; flow:to_server,established; content:"|00 00 00 27 00 00 00 09 80|"; depth:9; metadata:impact_flag red; reference:url,www.virustotal.com/#/file/57f771d7809aa35599f81de9ea0120d3/detection; classtype:trojan-activity; sid:21595; rev:5;)
# SMSSilence install beacon: URI /Android_SMS/installing.php, Android 2.x UA, body beginning with
# mobile= (depth:7) and a Content-Length header of 18 (7 for "mobile=" plus an 11-character number).
# NOTE(review): "Content-Length: 18" is not anchored, so it also matches 180..189, 1800... and so on;
# append "|0D 0A|" to the content to make it exact.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR.Trojan.SMSSilence device information disclosure attempt"; flow:to_server,established; content:"/Android_SMS/installing.php"; nocase; http_uri; content:"|28|Linux|3B| U|3B| Android 2."; fast_pattern:only; http_header; content:"Content-Length: 18"; nocase; http_header; content:"mobile="; depth:7; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/d36afc56bffe3716565bd9a7a82e3bb80dfd67eb5267ee531d19ba85b37916de/analysis/; classtype:trojan-activity; sid:27099; rev:2;)
# SMSSilence SMS forward: URI /Android_SMS/receiving.php, Android 2.x UA, body starting mobile=.
# NOTE(review): "&revsms=" is 8 bytes and is required within:8 of the end of "mobile=", which only
# satisfies when the two are adjacent -- i.e. the body must be "mobile=&revsms=..." with an EMPTY
# mobile value. If the sample actually sends a number there, this rule never fires; confirm against
# the pcap and, if so, change to something like distance:0; within:40.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR.Trojan.SMSSilence unsolicited sms attempt"; flow:to_server,established; content:"/Android_SMS/receiving.php"; nocase; http_uri; content:"|28|Linux|3B| U|3B| Android 2."; fast_pattern:only; http_header; content:"mobile="; depth:7; nocase; http_client_body; content:"&revsms="; within:8; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/d36afc56bffe3716565bd9a7a82e3bb80dfd67eb5267ee531d19ba85b37916de/analysis/; classtype:trojan-activity; sid:27098; rev:2;)
# ANDR.Trojan.SMSSilence APK download: UTF-16LE "com.vertu." (each character followed by 00) plus
# the asset names "dat.dat" and "dat0.dat" within 200 bytes of each other. The file.apk flowbit is
# set by a file-type identification rule outside this file.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.SMSSilence APK file download attempt"; flow:to_client,established; file_data; flowbits:isset,file.apk; content:"c|00|o|00|m|00|.|00|v|00|e|00|r|00|t|00|u|00|."; fast_pattern:only; content:"dat.dat"; nocase; content:"dat0.dat"; within:200; nocase; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/d36afc56bffe3716565bd9a7a82e3bb80dfd67eb5267ee531d19ba85b37916de/analysis/; classtype:trojan-activity; sid:27097; rev:3;)
# ANDR.Trojan.FakeToken APK download: keys on two XMP metadata GUIDs (an OriginalDocumentID uuid
# and an xmp.iid) from an image embedded in the sample. Sample-specific: stripping or re-saving
# the asset's XMP metadata evades it, and repacked builds with different art will not match.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.FakeToken APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"OriginalDocumentID=|22|uuid:053FFFFBB1EEE0119F83A87C5C1D6A29"; fast_pattern:only; content:"xmp.iid:601E7F76F132E1118DA2D9C4A1B3D877"; nocase; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/f7c36355c706fc9dd8954c096825e0613807e0da4bd7f3de97de0aec0be23b79/analysis/; classtype:trojan-activity; sid:27095; rev:3;)
# ANDR.Trojan.FakeToken exfiltration: POST to /cp/server.php from an "Android 2." UA whose body
# carries "imei", then "sid_1", then "smsResults" in that order (distance:0 chain).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR.Trojan.FakeToken information disclosure attempt"; flow:to_server,established; content:"/cp/server.php"; nocase; http_uri; content:"|28|Linux|3B| U|3B| Android 2."; fast_pattern:only; http_header; content:"imei"; nocase; http_client_body; content:"sid_1"; distance:0; nocase; http_client_body; content:"smsResults"; distance:0; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/f7c36355c706fc9dd8954c096825e0613807e0da4bd7f3de97de0aec0be23b79/analysis/; classtype:trojan-activity; sid:27094; rev:2;)
# Spy2Mobile beacon to TCP/7766: raw payload (no HTTP modifiers) containing the JSON-style keys
# "protocol_ver":, "imei":, "version": and "packet":. No distance/within, so key order is not
# enforced; the port and the four keys together do the discriminating.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 7766 (msg:"OS-MOBILE Android Spy2Mobile device information leakage"; flow:to_server, established; content:"|22|protocol_ver|22|:"; fast_pattern:only; content:"|22|imei|22|:"; nocase; content:"|22|version|22|:"; nocase; content:"|22|packet|22|:"; nocase; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/35f87a74a89a6ef69a68e8387671a36e26afd2df68136feac4be6c381d049005/analysis/; classtype:trojan-activity; sid:27064; rev:2;)
# Vidro / EClips device report: HTTP request body with the JSON keys "messagingqueue_size",
# "sim_msisdn", "device_imei" and "sim_imsi" (order not enforced).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Vidro / EClips device information leakage"; flow:to_server, established; content:"|22|messagingqueue_size|22|"; fast_pattern:only; http_client_body; content:"|22|sim_msisdn|22|"; nocase; http_client_body; content:"|22|device_imei|22|"; nocase; http_client_body; content:"|22|sim_imsi|22|"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/67e5c171463284894e4521fe9d255bd29e16ed4936d972392d180e207f05daba/analysis/; classtype:trojan-activity; sid:27038; rev:2;)
# Vidro / EClips tasking: HTTP response body (file_data) with the keys "messaging_update_interval",
# "short_code", "send_sms" and "messaging_intents" (order not enforced) - the server instructing
# the client which premium short codes to message.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android Vidro / EClips sms send instructions"; flow:to_client, established; file_data; content:"|22|messaging_update_interval|22|"; fast_pattern:only; content:"|22|short_code|22|"; nocase; content:"|22|send_sms|22|"; nocase; content:"|22|messaging_intents|22|"; nocase; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/67e5c171463284894e4521fe9d255bd29e16ed4936d972392d180e207f05daba/analysis/; classtype:trojan-activity; sid:27037; rev:2;)
# Walkinwat / Wandt: POST to a URI containing wat.php with SECOND_TABLE=, imei= and "phone" in the
# body. "phone" alone is generic; SECOND_TABLE= (the fast pattern) and the URI do the discriminating.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Walkinwat / Wandt information leakage generic"; flow:to_server, established; content:"SECOND_TABLE="; fast_pattern:only; http_client_body; content:"imei="; nocase; http_client_body; content:"phone"; nocase; http_client_body; content:"wat.php"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/c6eb43f2b7071bbfe893fc78419286c3cb7c83ce56517bd281db5e7478caf995/analysis/; classtype:trojan-activity; sid:27032; rev:2;)
# Satfi: request URI carrying confabcode=, msisdn=, imsi= and operator= in that order (distance:0).
# NOTE(review): only the first content (confabcode=) lacks nocase while the rest are
# case-insensitive; probably unintended, and harmless unless the client varies parameter case.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Satfi device information leakage"; flow:to_server, established; content:"confabcode="; http_uri; content:"msisdn="; distance:0; nocase; http_uri; content:"imsi="; distance:0; nocase; http_uri; content:"operator="; distance:0; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/C149AC741A3A1336193D355A7F59A4911D9B6FC8F88307F8EC86C85C10C9059A/analysis/; classtype:trojan-activity; sid:27031; rev:2;)
# AnserverBot first contact: URI /jk.action?a= plus &key= and &g1= parameters anywhere in the URI
# (no distance modifiers, so order is not enforced).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android AnserverBot initial contact"; flow:to_server,established; content:"/jk.action?a="; fast_pattern:only; http_uri; content:"&key="; nocase; http_uri; content:"&g1="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.csc.ncsu.edu/faculty/jiang/AnserverBot/; classtype:trojan-activity; sid:27016; rev:3;)
# Androrat contact dump: Java serialization stream - "sr" is TC_OBJECT TC_CLASSDESC, followed by
# the 2-byte class-name length (0x13 = 19 for java.util.ArrayList, 0x0D = 13 for utils.Contact) -
# plus the "times_contacted" field name. Any destination port (raw payload, no HTTP modifiers).
# NOTE(review): the content reads "Arraylist" (lowercase l). It still matches java.util.ArrayList
# only because fast_pattern:only patterns are matched case-insensitively; if this content is ever
# demoted to a normal rule option, correct the case to "ArrayList" or add nocase.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"OS-MOBILE Android Androrat contact list leakage"; flow:to_server, established; content:"sr|00 13|java.util.Arraylist"; fast_pattern:only; content:"sr|00 0D|utils.Contact"; content:"times_contacted"; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/1af93c9fafdd21a33d647a79d1c36f5591432cb005edb3070768ddb1f333345a/analysis/; classtype:trojan-activity; sid:27118; rev:2;)
# Androrat SMS dump: Java serialization stream ("sr" = TC_OBJECT TC_CLASSDESC, then the class-name
# length: 0x13 = 19 for java.util.ArrayList, 0x10 = 16 for Packet.SMSPacket) plus the "person" and
# "thread_id" field names. Any destination port.
# NOTE(review): "Arraylist" (lowercase l) only matches the real class name because fast_pattern:only
# is case-insensitive; correct the case or add nocase if the option is ever made a normal content.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"OS-MOBILE Android Androrat sms message leakage"; flow:to_server, established; content:"sr|00 13|java.util.Arraylist"; fast_pattern:only; content:"sr|00 10|Packet.SMSPacket"; content:"person"; content:"thread_id"; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/1af93c9fafdd21a33d647a79d1c36f5591432cb005edb3070768ddb1f333345a/analysis/; classtype:trojan-activity; sid:27117; rev:2;)
# Androrat device info: serialized java.util.Hashtable (0x13 = 19-byte class name) carrying the
# keys PhoneNumber, SimOperator and IMEI (case-sensitive, no nocase). Any destination port.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"OS-MOBILE Android Androrat device information leakage"; flow:to_server, established; content:"sr|00 13|java.util.Hashtable"; fast_pattern:only; content:"PhoneNumber"; content:"SimOperator"; content:"IMEI"; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/1af93c9fafdd21a33d647a79d1c36f5591432cb005edb3070768ddb1f333345a/analysis/; classtype:trojan-activity; sid:27116; rev:2;)
# Android APK "extra field" signature bypass: a ZIP local file header (PK|03 04|) whose compression
# method at +8 is 00 00 (stored), whose 2-byte little-endian extra-field length at +28 (byte_test
# 18 bytes past the method field) exceeds 0x7FFF - the point where a signed 16-bit read goes
# negative - and whose entry name at +30 is classes.dex.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android Exploit Extra_Field APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"PK|03 04|"; content:"|00 00|"; within:2; distance:4; byte_test:2, >, 0x7FFF, 18, relative, little; content:"classes.dex"; within:11; distance:20; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:27552; rev:6;)
# SMSAgent.C: outbound SMTP body in quoted-printable. =E5=AE=89=E8=A3=85=E6=88=90=E5=8A=9F is the
# UTF-8 for the Chinese phrase "install succeeded", bracketed by the hard-coded number 18765435554.
# Matches only this configuration of the sample; a build with a different number will not match.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"OS-MOBILE Android SMSAgent.C outbound SMTP communication"; flow:to_server,established; content:"18765435554=E5=AE=89=E8=A3=85=E6=88=90=E5=8A=9F----18765435554=E5=AE=89=E8="; fast_pattern:only; metadata:service smtp; reference:url,www.f-secure.com/weblog/archives/00002594.html; reference:url,www.virustotal.com/en/file/fdc4983bdaaf97146caa84fe2c7ffdf8b3eb78bde8b828203a2c757e2506e865/analysis/; classtype:trojan-activity; sid:27725; rev:2;)
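# ANDR.Trojan.FakeAV APK via SMTP: UTF-16LE "com.example.androiddefender2".
# The byte after "com" was |00 00 00| (a NUL character inside the package name) while the
# non-SMTP twin sid 28056 uses |00 2E 00| (the '.'); every other SMTP/file-data pair in this file
# shares identical content, so this appears to have been a transcription error. Aligned with 28056.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android ANDR.Trojan.FakeAV APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00 2E 00|e|00|x|00|a|00|m|00|p|00|l|00|e|00 2E 00|a|00|n|00|d|00|r|00|o|00|i|00|d|00|d|00|e|00|f|00|e|00|n|00|d|00|e|00|r|00|2"; fast_pattern:only; metadata:impact_flag red, service smtp; reference:url,www.virustotal.com/en/file/5f96e12b035ee083f11f0e121352258c2bc86132e13d95811ffc2f4d3304a74e/analysis/1380055877/; classtype:trojan-activity; sid:28057; rev:3;)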
# ANDR.Trojan.FakeAV APK download: UTF-16LE "com.example.androiddefender2" (each character
# followed by 00, '.' encoded as 2E 00) in the decoded file body. Package-name based, so a
# rename of the package evades it.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.FakeAV APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00 2E 00|e|00|x|00|a|00|m|00|p|00|l|00|e|00 2E 00|a|00|n|00|d|00|r|00|o|00|i|00|d|00|d|00|e|00|f|00|e|00|n|00|d|00|e|00|r|00|2"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/5f96e12b035ee083f11f0e121352258c2bc86132e13d95811ffc2f4d3304a74e/analysis/1380055877/; classtype:trojan-activity; sid:28056; rev:2;)
# ANDR.Trojan.FakeAV check-in: User-Agent header that is exactly "android" (the trailing |0D 0A|
# anchors the end of the header line), Content-Type text/plain; charset=utf-8, and &affid= in
# the URI.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android ANDR.Trojan.FakeAV outbound communication attempt"; flow:to_server,established; content:"User-Agent|3A 20|android|0D 0A|"; fast_pattern; http_header; content:"Content-Type|3A| text|2F|plain|3B| charset|3D|utf-8"; http_header; content:"&affid="; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/5f96e12b035ee083f11f0e121352258c2bc86132e13d95811ffc2f4d3304a74e/analysis/1380055877/; classtype:trojan-activity; sid:28055; rev:4;)
# Fake "iMessage for Android": "HuLuWa Team" (nocase) followed within 50 bytes by the
# case-sensitive "Android version of iMessage", gated on the file.apk flowbit and $HTTP_PORTS.
# NOTE(review): there is no file_data, so this is evaluated on the raw packet payload rather than
# the decoded file body; a compressed or chunked transfer of the same APK would not match.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android fake iMessage app download"; flow:to_client,established; flowbits:isset,file.apk; content:"HuLuWa Team"; nocase; content:"Android version of iMessage"; within:50; metadata:service http; reference:url,plus.google.com/u/0/116098411511850876544/posts/UkgaXa1oa6M; reference:url,www.engadget.com/2013/09/24/imessage-for-android-app-risk/; classtype:trojan-activity; sid:28046; rev:2;)
# WebView addJavascriptInterface reflection chain as written in the public PoC: ".getClass().forName("
# then ".getMethod" within 200 bytes then ".invoke(null," within 150 bytes, in the HTTP response body.
# Matches literal source only; bracket notation, string concatenation or minification evades it.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android WebKit Java reflection command execution attempt"; flow:to_client,established; file_data; content:".getClass|28 29|.forName|28|"; nocase; content:".getMethod"; within:200; content:".invoke|28|null|2C|"; within:150; metadata:service http; reference:cve,2014-0514; reference:url,blogs.avg.com/mobile-2/analyzing-android-webview-exploit/; reference:url,helpx.adobe.com/security/products/reader-mobile/apsb14-12.html; reference:url,labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/; classtype:attempted-user; sid:28043; rev:3;)
# ANDR.Trojan.SmsSpy APK download: a fixed byte run lifted from the sample - "com.android", NUL
# padding, the bytes 02 1C 01 04 0A 00 00 7F 00 00 00, then UTF-16LE "com.Copon". Brittle: any
# change in the bytes between the two strings across builds breaks the match.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.SmsSpy APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"com.android|00 00 00 00 00 00 02 1C 01 04 0A 00 00 7F 00 00 00|c|00|o|00|m|00 2E 00|C|00|o|00|p|00|o|00|n"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/0F540A52242E6D97E12AD9D85E8523F9AEE788AC8566284055E91155568DA714/analysis/; classtype:trojan-activity; sid:28087; rev:2;)
# ANDR.Trojan.SmsSpy APK as an SMTP attachment: same fixed byte run as sid 28087 ("com.android",
# NUL padding, 02 1C 01 04 0A 00 00 7F 00 00 00, UTF-16LE "com.Copon") in the decoded message body.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android ANDR.Trojan.SmsSpy APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"com.android|00 00 00 00 00 00 02 1C 01 04 0A 00 00 7F 00 00 00|c|00|o|00|m|00 2E 00|C|00|o|00|p|00|o|00|n"; fast_pattern:only; metadata:impact_flag red, service smtp; reference:url,www.virustotal.com/en/file/0F540A52242E6D97E12AD9D85E8523F9AEE788AC8566284055E91155568DA714/analysis/; classtype:trojan-activity; sid:28086; rev:2;)
# ANDR.Trojan.Malapp APK download: UTF-16LE "com.app.lotte.auth" (package name) in the decoded
# file body. A renamed package evades it.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ANDR.Trojan.Malapp APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00 2E 00|a|00|p|00|p|00 2E 00|l|00|o|00|t|00|t|00|e|00 2E 00|a|00|u|00|t|00|h"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/d95d7d2b6e3f73e83d93ec4df4afb681db93697e100011f6486fdfc44fbead34/analysis/; classtype:trojan-activity; sid:28082; rev:2;)
# ANDR.Trojan.Malapp APK as an SMTP attachment: UTF-16LE "com.app.lotte.auth" in the decoded
# message body (SMTP twin of sid 28082).
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android ANDR.Trojan.Malapp APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"c|00|o|00|m|00 2E 00|a|00|p|00|p|00 2E 00|l|00|o|00|t|00|t|00|e|00 2E 00|a|00|u|00|t|00|h"; fast_pattern:only; metadata:impact_flag red, service smtp; reference:url,www.virustotal.com/en/file/d95d7d2b6e3f73e83d93ec4df4afb681db93697e100011f6486fdfc44fbead34/analysis/; classtype:trojan-activity; sid:28081; rev:2;)
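# Andr.Trojan.MobileTx registration: POST to /client/reg.do from an "Android 2." UA with a 20-byte
# body starting "imsi=" (5 bytes + a 15-digit IMSI).
# Content-Length is now terminated with |0D 0A| so it matches exactly 20; the previous
# "Content-Length|3A| 20" prefix-matched 200, 2048, ... The http_header buffer keeps the line
# terminator (sid 28055 in this file anchors a header the same way).
# The ftp-data/imap/pop3 service entries were dropped: every match here is an http_* buffer, so
# they only caused needless evaluation on non-HTTP flows (they belong to the APK-download
# sibling sid 28402, where they were copied from).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Andr.Trojan.MobileTx information disclosure attempt"; flow:to_server,established; content:"|28|Linux|3B| U|3B| Android 2."; fast_pattern:only; http_header; content:"/client/reg.do"; nocase; http_uri; content:"Content-Length|3A| 20|0D 0A|"; nocase; http_header; content:"imsi="; depth:5; nocase; http_client_body; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a3ffa998c7865f2bf49fd148e7b56547e24eb95c/analysis/; classtype:trojan-activity; sid:28403; rev:3;)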
# Andr.Trojan.MobileTx APK download: the ZIP entry name assets/txconfig/splashimg.json immediately
# followed by "PK" (the start of the next header signature).
# NOTE(review): that adjacency only holds when nothing (extra field, comment or file data) sits
# between the name and the next header, so a build that stores the entry differently will not match.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android Andr.Trojan.MobileTx APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"assets/txconfig/splashimg.jsonPK"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/a3ffa998c7865f2bf49fd148e7b56547e24eb95c/analysis/; classtype:trojan-activity; sid:28402; rev:2;)
# Andr.Trojan.MobileTx APK as an SMTP attachment: SMTP twin of sid 28402, same
# "assets/txconfig/splashimg.jsonPK" anchor and the same caveat about what may follow the name.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android Andr.Trojan.MobileTx APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"assets/txconfig/splashimg.jsonPK"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/a3ffa998c7865f2bf49fd148e7b56547e24eb95c/analysis/; classtype:trojan-activity; sid:28401; rev:2;)
# Goodix gt915 driver: matches the literal C source line create_proc_entry(procname, 0666, NULL) -
# the world-writable procfs registration from the vulnerable driver - in an e-mail body.
# It therefore fires on driver source, patches and advisories that quote the line (the referenced
# codeaurora page likely does), not on an exploit reaching a device; treat it as an indicator that
# the vulnerable code is being shipped, not as attack detection.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android Goodix gt915 touchscreen driver improper bounds-check privileged access attempt"; flow:to_server,established; file_data; content:"create_proc_entry|28|procname|2C| 0666|2C| NULL|29|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,63661; reference:cve,2013-4740; reference:cve,2013-6122; reference:url,www.codeaurora.org/projects/security-advisories/multiple-memory-corruption-issues-and-race-condition-goodix-gt915-touchscreen-driver-procfs-handler; classtype:attempted-user; sid:29438; rev:1;)
# Goodix gt915 driver, file-transfer variant of sid 29438: the literal source line
# create_proc_entry(procname, 0666, NULL) in a downloaded file. Same caveat - this identifies the
# vulnerable driver source or text quoting it, not an exploit on the wire.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android Goodix gt915 touchscreen driver improper bounds-check privileged access attempt"; flow:to_client,established; file_data; content:"create_proc_entry|28|procname|2C| 0666|2C| NULL|29|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,63661; reference:cve,2013-4740; reference:cve,2013-6122; reference:url,www.codeaurora.org/projects/security-advisories/multiple-memory-corruption-issues-and-race-condition-goodix-gt915-touchscreen-driver-procfs-handler; classtype:attempted-user; sid:29437; rev:1;)
# Android APK signature-check bypass (CVE-2013-6792) via SMTP: a ZIP local file header (PK|03 04|)
# whose 2-byte little-endian file-name-length field - 22 bytes after the signature, header offset
# 26 - exceeds 0x500 (1280 bytes).
# NOTE(review): no fast_pattern:only here, so when the byte_test fails Snort retries later
# PK|03 04| hits; any entry in the archive can satisfy the rule.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android signature validation bypass APK file download attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"PK|03 04|"; byte_test:2,>,0x500,22,relative,little; metadata:impact_flag red, service smtp; reference:bugtraq,64529; reference:cve,2013-6792; reference:url,android.googlesource.com/platform/libcore/+/2da1bf57a6631f1cbd47cdd7692ba8743c993ad9%5E!; classtype:trojan-activity; sid:29419; rev:2;)
# Android APK signature-check bypass (CVE-2013-6792), file-transfer variant of sid 29419: a ZIP
# local file header whose file-name-length field (offset 26, little-endian) exceeds 0x500.
# Same retry behaviour as 29419: every PK|03 04| in the archive is a candidate.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android signature validation bypass APK file download attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"PK|03 04|"; byte_test:2,>,0x500,22,relative,little; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:bugtraq,64529; reference:cve,2013-6792; reference:url,android.googlesource.com/platform/libcore/+/2da1bf57a6631f1cbd47cdd7692ba8743c993ad9%5E!; classtype:trojan-activity; sid:29418; rev:2;)
# Andr.Trojan.Waller check-in - ENABLED, and set to drop in the balanced/security/max-detect IPS
# policies. The only condition is the URI substring /farm.php?imei= (effectively case-insensitive,
# because fast_pattern:only patterns are matched that way). Cheap, but confirm no benign
# application in the monitored environment uses that path before leaving it in drop mode.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Andr.Trojan.Waller information disclosure attempt"; flow:to_server,established; content:"/farm.php?imei="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/8ea8ce79404dc6ba06fae16add7bc7859f23c70dbea601cad178dd4180e83299/analysis/; classtype:trojan-activity; sid:30880; rev:2;)
# Pangu iOS 8.x jailbreak tool sent as an e-mail attachment (file.exe flowbit, so the Windows
# build): strings Pangu_Main_Frame, sys.page.jbreak and "iOS 8.x". This is a tool-download /
# policy detection, not an exploit on the wire; the attempted-admin classtype presumably reflects
# the jailbreak's privilege effect on the phone.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Apple iOS 8.x jailbreak download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Pangu_Main_Frame"; fast_pattern:only; content:"sys.page.jbreak"; nocase; content:"iOS 8.x"; nocase; metadata:service smtp; reference:url,pangu.io/; classtype:attempted-admin; sid:32275; rev:1;)
# Pangu iOS 8.x jailbreak tool download (Windows build, file.exe flowbit), file-transfer twin of
# sid 32275: Pangu_Main_Frame, sys.page.jbreak and "iOS 8.x" in the file body. Tool-download /
# policy detection rather than an exploit against the network host.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Apple iOS 8.x jailbreak download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Pangu_Main_Frame"; fast_pattern:only; content:"sys.page.jbreak"; nocase; content:"iOS 8.x"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,pangu.io/; classtype:attempted-admin; sid:32274; rev:1;)
# Android ObjectInputStream privilege escalation (CVE-2014-7911) APK via SMTP: a 36-byte opaque
# sequence with fast_pattern:only in the decoded attachment.
# NOTE(review): nothing in the rule shows what these bytes are (serialized payload data vs. a
# particular PoC build). Verify against the public PoC before relying on it; a re-serialized or
# rebuilt variant will not match.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android ObjectInputStream privilege escalation attempt"; flow:to_server,established; flowbits:isset,file.apk; file_data; content:"|93 68 3F 0F FA 59 D0 0B C0 97 81 C7 81 A5 98 E7 29 D0 B7 80 77 81 5F 03 3A 6C 79 10 C3 7E 20 08 D4 00 38 16|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,71176; reference:cve,2014-7911; classtype:attempted-user; sid:32975; rev:2;)
# Android ObjectInputStream privilege escalation (CVE-2014-7911) APK download, file-transfer twin
# of sid 32975: the same 36-byte opaque sequence.
# NOTE(review): origin of the bytes is not visible in the rule; verify against the public PoC and
# expect rebuilt variants to evade it.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android ObjectInputStream privilege escalation attempt"; flow:to_client,established; flowbits:isset,file.apk; file_data; content:"|93 68 3F 0F FA 59 D0 0B C0 97 81 C7 81 A5 98 E7 29 D0 B7 80 77 81 5F 03 3A 6C 79 10 C3 7E 20 08 D4 00 38 16|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,71176; reference:cve,2014-7911; classtype:attempted-user; sid:32974; rev:2;)
# Fakeinst exfiltration: the User-Agent line "Apache-HttpClient/UNAVAILABLE (java 1.4)" terminated
# by CRLF, plus imei=, imsi= and msisdn= in the POST body (order not enforced).
# NOTE(review): that UA is the stock Android HttpClient string and shows up in benign traffic;
# the three body keys are what discriminate, so do not loosen them.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android Fakeinst device information leakage"; flow:to_server, established; content:"Apache-HttpClient/UNAVAILABLE (java 1.4)|0D 0A|"; fast_pattern:only; http_header; content:"imei="; nocase; http_client_body; content:"imsi="; nocase; http_client_body; content:"msisdn="; nocase; http_client_body; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:url,www.virustotal.com/en/file/0a77e1aac4720037e2946edf84d957616e564bd525e444cf3994f5ae4b9374ab/analysis/; classtype:trojan-activity; sid:26761; rev:7;)
# iOS lockdownd plist overflow, SMTP - ENABLED, drop in balanced/security/max-detect policies.
# The bytes decode to 32-bit x86: mov dword [esp],imm32 ; call rel32 ; mov [ebp-2Ch],eax ;
# mov eax,[ebp-2Ch] ; add [ebp-24h],eax ; mov eax,[ebp-24h] ; mov [esp+4],eax ;
# mov dword [esp],43434343h. I.e. this matches a specific compiled exploit program (with a "CCCC"
# argument), not the malformed plist that actually reaches lockdownd.
# NOTE(review): no reference: option; unlike every other SMTP rule in this file the destination is
# $HOME_NET 25 rather than $SMTP_SERVERS 25, and there is no file-type flowbit. Consider aligning.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"OS-MOBILE iOS lockdownd plist object buffer overflow attempt"; flow:to_server, established; file_data; content:"|C7 04 24 D4 74 0E 33 E8 16 FB FF FF 89 45 D4 8B 45 D4 01 45 DC 8B 45 DC 89 44 24 04 C7 04 24 43 43 43 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-admin; sid:35091; rev:2;)
# iOS lockdownd plist overflow, file-transfer twin of sid 35091 - ENABLED, drop in
# balanced/security/max-detect policies. The bytes decode to 32-bit x86 (the sequence ending in
# mov dword [esp],43434343h), so this catches a particular compiled exploit program being
# downloaded, not the malformed plist reaching the device.
# NOTE(review): no reference: option and no file-type flowbit; add a reference so analysts can
# tell which PoC the bytes come from.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE iOS lockdownd plist object buffer overflow attempt"; flow:to_client, established; file_data; content:"|C7 04 24 D4 74 0E 33 E8 16 FB FF FF 89 45 D4 8B 45 D4 01 45 DC 8B 45 DC 89 44 24 04 C7 04 24 43 43 43 43|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-admin; sid:35090; rev:2;)
# Stagefright MP4 via SMTP: a 'covr' atom whose 4-byte big-endian size field (byte_test reads 4
# bytes at -8 from the end of "covr", i.e. the size immediately preceding the atom type) is below 16.
# NOTE(review): this single size check only covers the covr parsing bug; the other referenced
# Stagefright CVEs live in different atoms/parsers and are not detected by this rule.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android Stagefright MP4 buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.mp4; file_data; content:"covr"; byte_test:4,<,16,-8,relative; metadata:service smtp; reference:cve,2015-1538; reference:cve,2015-1539; reference:cve,2015-3824; reference:cve,2015-3826; reference:cve,2015-3827; reference:cve,2015-3828; reference:cve,2015-3829; classtype:attempted-admin; sid:35435; rev:2;)
# Stagefright MP4 download, file-transfer twin of sid 35435: 'covr' atom whose preceding 4-byte
# big-endian size field is below 16.
# NOTE(review): covers only the covr size bug; the other referenced CVEs need their own rules.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android Stagefright MP4 buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.mp4; file_data; content:"covr"; byte_test:4,<,16,-8,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2015-1538; reference:cve,2015-1539; reference:cve,2015-3824; reference:cve,2015-3826; reference:cve,2015-3827; reference:cve,2015-3828; reference:cve,2015-3829; classtype:attempted-admin; sid:35434; rev:2;)
# WebView reflection exploit, byte-pattern variant: a 32-byte opaque sequence in the HTTP response
# body (companion to the source-text rule sid 28043).
# NOTE(review): the rule does not show where these bytes come from (a packed/encoded sample,
# presumably); expect no coverage of other encodings of the same JavaScript.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-MOBILE Android WebKit Java reflection command execution attempt"; flow:to_client,established; file_data; content:"|38 A6 DA 62 78 91 83 45 A1 C1 C1 42 7F 1F D1 3B 85 FA AF 9B BF 50 A6 DE CE D3 93 CC B9 9E 41 FC|"; fast_pattern:only; metadata:service http; reference:cve,2014-0514; reference:url,blogs.avg.com/mobile-2/analyzing-android-webview-exploit/; reference:url,helpx.adobe.com/security/products/reader-mobile/apsb14-12.html; reference:url,labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/; classtype:attempted-user; sid:36362; rev:1;)
# WebView reflection exploit, byte-pattern variant via SMTP: the same 32-byte opaque sequence as
# sid 36362 in a decoded e-mail body.
# NOTE(review): origin of the bytes is not visible in the rule; treat coverage as sample-specific.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android WebKit Java reflection command execution attempt"; flow:to_server,established; file_data; content:"|38 A6 DA 62 78 91 83 45 A1 C1 C1 42 7F 1F D1 3B 85 FA AF 9B BF 50 A6 DE CE D3 93 CC B9 9E 41 FC|"; fast_pattern:only; metadata:service smtp; reference:cve,2014-0514; reference:url,blogs.avg.com/mobile-2/analyzing-android-webview-exploit/; reference:url,helpx.adobe.com/security/products/reader-mobile/apsb14-12.html; reference:url,labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/; classtype:attempted-user; sid:36361; rev:1;)
# WebView addJavascriptInterface reflection chain via SMTP (twin of sid 28043): ".getClass().forName("
# then ".getMethod" within 200 bytes then ".invoke(null," within 150 bytes in the decoded e-mail
# body. Literal-source match only; obfuscated or minified JavaScript evades it.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-MOBILE Android WebKit Java reflection command execution attempt"; flow:to_server,established; file_data; content:".getClass|28 29|.forName|28|"; nocase; content:".getMethod"; within:200; content:".invoke|28|null|2C|"; within:150; metadata:service smtp; reference:cve,2014-0514; reference:url,blogs.avg.com/mobile-2/analyzing-android-webview-exploit/; reference:url,helpx.adobe.com/security/products/reader-mobile/apsb14-12.html; reference:url,labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/; classtype:attempted-user; sid:36360; rev:1;)