Et rule 2023501 - Magic-SigExplorer

""ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 2""

SID: 2023501

Revision: 1

Class Type: trojan-activity

Metadata: affected_product iOS, attack_target Mobile_Client, created_at 2016_11_11, deployment Perimeter, updated_at 2016_11_11

Reference:

Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,from_server

Contents:

Value: "URL=tel|3a|"
Value: "itms-apps|3a|"
Value: "setTimeout"
Value: "window"
Value: "for"

Within:

PCRE: "/^\s?(\s?(?P[^\x3d\x3b)\s]+)\s?=\s?0\s?\x3b\s?(?P=var)\s?\<\s?(?:0x)?\d{4,}\s?\x3b\s?(?P=var)++\s?)\s?\x7b\s?(?P[^\x3d\x3b)\s]+)\s?=\s?(?P=var2)\s?+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"

Special Options:

file_data
nocase
fast_pattern
nocase
nocase
nocase
nocase

source