[Emerging-Sigs] FP FIX: ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity

Kevin Ross kevross33 at googlemail.com
Fri Oct 21 07:07:38 EDT 2011


It seems blackberry devices POST an XML with some information about the
device to a URI of preAuth. I propose just simply negating the blackberry
website to make sure it isn't this.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity"; flow:established,to_server; content:"POST"; http_method; content:!"blackberry.com"; nocase; http_header; content:"<IMSI>"; http_client_body; nocase; content:"<|2F|IMSI"; nocase; http_client_body; distance:0; reference:url,www.learntelecom.com/telephony/gsm/international-mobile-subscriber-identity-imsi; classtype:trojan-activity; sid:2013139; rev:3;)

Regards, Kevin
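To see how the header negation changes the verdict, here is an added Python emulation of the rule's match conditions (not part of the original post or of the ET ruleset) run over constructed sample requests; the hostnames, paths and bodies are made up.

```python
# Constructed sample HTTP requests (not real traffic) that exercise the
# match logic of ET sid:2013139 rev:3: a BlackBerry-style preAuth POST
# (the false positive), a non-BlackBerry POST carrying IMSI XML, and a GET.
BLACKBERRY_PREAUTH = (
    b"POST /preAuth HTTP/1.1\r\n"
    b"Host: mds.BlackBerry.com\r\n"
    b"Content-Type: text/xml\r\n\r\n"
    b"<device><IMSI>001010123456789</IMSI></device>"
)
SUSPECT_POST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: text/xml\r\n\r\n"
    b"<info><imsi>001010123456789</imsi></info>"
)
GET_REQUEST = b"GET /IMSI HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


def split_request(raw):
    """Return (method, headers, body). Headers and body are lowercased
    because every content match on those buffers carries nocase."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    return method, headers.lower(), body.lower()


def rule_2013139_matches(raw):
    """Mirror the rule's content checks in the order Snort evaluates them."""
    method, headers, body = split_request(raw)
    if method != b"POST":                 # content:"POST"; http_method
        return False
    if b"blackberry.com" in headers:      # content:!"blackberry.com"; http_header; nocase
        return False
    open_tag = body.find(b"<imsi>")       # content:"<IMSI>"; http_client_body; nocase
    if open_tag < 0:
        return False
    # content:"<|2F|IMSI" (i.e. "</IMSI") with distance:0 -> the closing tag
    # must appear after the opening tag, not anywhere in the body.
    return body.find(b"</imsi", open_tag + len(b"<imsi>")) >= 0


if __name__ == "__main__":
    for name, req in (("blackberry preAuth", BLACKBERRY_PREAUTH),
                      ("suspect POST", SUSPECT_POST),
                      ("GET", GET_REQUEST)):
        print(f"{name}: alert={rule_2013139_matches(req)}")
```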