by RSS Axelle Apvrille  |  May 17, 2010  |  Filed in: Security Research

Some time ago, we came across a new Windows Mobile Trojan dialer named WinCE/Terdial!tr.dial. Under the cover of an FPS game (Antiterrorist 3D) or a Windows Mobile codec package (codecpack.cab), this Trojan makes the victim's phone call international premium rate numbers (IPRN), i.e. phone numbers for which a given service is provided and, of course, higher prices are charged ;). More information is available in our Virus Encyclopedia, or just search the web for the numerous alerts on the matter.

On my side, I have been playing Sherlock Holmes, trying to understand how the authors could have made money out of it. I ended up with at least one belief: tracking is so complex that the authors are close to impunity!

Part of the complexity comes from the way IPRNs are handled. As a matter of fact, IPRNs do not exist as such. They are virtually created from special ranges offered by large telecom carriers, who agree to share part of the revenue generated by calls to them. The telecom carriers provide those numbers to big companies, who in turn resell them to medium-sized resellers, who resell them to small resellers, and so on down to people connected with the malware authors. This method of distribution has several consequences:

1- Geographic (dis)location: numbers are no longer attached to a given geographic location. For example, the number +17675033611 is identified as originating from Dominica. This does not mean the authors of the malware live in Dominica or have connections there, but simply that this IPRN is taken from an unused range of Dominican phone numbers managed by Marpin Telecom.

Fig 1. +17675033611 is taken from an unused range of phone numbers in Dominica

2- Unlimited costs: there is no regulation for IPRNs (unlike domestic numbers, which must comply with national rules), so operators can charge customers nearly any ("reasonable") price they wish to access those numbers. For the victim, the cost is all the more obscure as it depends on several parameters, such as his operator, the roaming network he uses and how much profit each reseller makes out of the call. For example, numbers in the +88234 range (used by the malware) have been known to be charged to the victim at up to 5 euros per minute!

3- Accessibility: in theory, IPRNs are accessible from anywhere. In practice, it is difficult to know which IPRN is accessible from where and at which time. Resellers consequently provide a "test number" within each range they offer, so that customers can check for themselves whether the number is accessible in their own case. Accessibility issues happen for several reasons. First, telecom carriers may choose to modify the IPRN ranges they provide at any time. Second, it is up to each operator to decide whether a given range is accessible or not on its network. And finally, resellers may actually re-assign numbers they have already sold to other customers. For example, a reseller manages a given range of numbers, and all numbers in that range are assigned to customers. One day, a new customer asks for a number. As there are none left, the reseller goes through his numbers looking for those that are no longer used, takes them away and re-assigns them to the new customer. The good point about those accessibility issues is that they make it difficult for cyber-criminals to plan which numbers will actually show the highest profits. For example, in the case of WinCE/Terdial, the number +8823460777 (one of the 6 numbers the malware uses) generated a disappointing traffic of only 900 minutes, which would approximately mean a revenue of 180 euros. Had the number been more accessible, even with a lower payout per call, the revenue might have turned out to be more substantial. Note however that 6 times 180 euros (assuming the 5 other numbers ended up with approximately the same revenue) is still a nice salary for 44 lines of code ;).

4- Anonymity: there are so many resellers that the malware authors are close to guaranteed anonymity (and impunity). This is emphasized by the fact that small resellers do not ask their customers for credentials. Sometimes, a bank account isn't even necessary, because the reseller pays the customer via online services such as Western Union.
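As an added example (not part of the original post), here is a small Python check a defender could run over a phone's outbound call log to flag calls into the IPRN ranges named above and estimate the money involved, using the post's own figures: up to 5 euros per minute charged to the victim in the +88234 range, and 180 euros earned for 900 minutes at the author's end. The log format and the prefix table are constructed assumptions, not data from the post.

```python
"""Flag calls to IPRN ranges in a call log and estimate what they cost."""
from collections import defaultdict

# Assumption: prefix table built only from the ranges the post names.
# A real deployment would load an up-to-date list of IPRN/shared-code ranges.
IPRN_PREFIXES = {
    "+88234": "ITU shared-code range (+88234), handled by Global Networks",
    "+1767": "Dominica (Marpin Telecom range)",
}
PAYOUT_PER_MIN = 180 / 900     # euros per minute reaching the author's end (900 min -> 180 EUR)
VICTIM_MAX_PER_MIN = 5.0       # "up to 5 euros per minute" quoted for the +88234 range


def classify(number: str):
    """Return (prefix, label) for the longest matching IPRN prefix, or None."""
    digits = "+" + "".join(ch for ch in number if ch.isdigit())
    best = None
    for prefix, label in IPRN_PREFIXES.items():
        if digits.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, label)
    return best


def analyse(log_lines):
    """Aggregate outbound minutes per IPRN dialled and estimate the money involved.

    Constructed log format: '<timestamp> <OUT|IN> <E.164 number> <seconds>'.
    """
    minutes = defaultdict(float)
    for line in log_lines:
        _, direction, number, seconds = line.split()
        if direction == "OUT" and classify(number) is not None:
            minutes[number] += int(seconds) / 60
    return {
        number: {
            "range": classify(number)[1],
            "minutes": round(m, 2),
            "victim_cost_max_eur": round(m * VICTIM_MAX_PER_MIN, 2),
            "payout_eur": round(m * PAYOUT_PER_MIN, 2),
        }
        for number, m in minutes.items()
    }


# Constructed sample log: one ordinary call, one inbound call, and calls to
# the two numbers quoted in the post.
SAMPLE_LOG = [
    "2010-05-01T10:00:00 OUT +33123456789 120",
    "2010-05-01T10:05:00 OUT +8823460777 300",
    "2010-05-01T10:15:00 IN  +8823460777 60",
    "2010-05-01T10:20:00 OUT +17675033611 180",
    "2010-05-01T10:30:00 OUT +8823460777 300",
]

if __name__ == "__main__":
    for number, info in analyse(SAMPLE_LOG).items():
        print(number, info)
```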

The map below tracks all entities involved in the use of IPRN number +8823460777. The +88234 range is initially assigned by the ITU to a research station in Antarctica, and handled by a Swiss company named Global Networks. This company resells the number to a reseller located in Cyprus, who resells it to a customer in New Zealand, who resells it to an unknown reseller, who finally sells it to the malware author. Our intelligence research on the malware author seems to indicate that he lives in Ukraine and is 34 years old, although this has yet to be confirmed.

[Map: entities involved in the use of IPRN number +8823460777]
