Fortinet Blog | News and Threat Research

The more I analyze the SymbOS/Album malware, the more it scares me.

The main malicious executable, Album.exe, is actually capable of processing incoming commands included in SMS messages sent by the value-added service provider number 106650xxx. Typical commands are: download and install software, get phone information or update software. Now, that starts to look  like a botnet, even though it isn’t (yet?) a very scalable way to communicate with bots because the bot master must send an SMS to each bot it manages.

More in details, the Album executable creates a global message queue (RMsgQueueBase::CreateGlobal), named ‘my_pf_queue_1’. It is notified as soon as a message arrives in the queue (RMsgQueueBase::NotifyDataAvailable), retrieves the message (RMsgQueueBase::Receive) and processes its command.

Figure 1. Disassembly of the function reading a message from the message queue.

The command parser looks for command strings such as !@# or %@# in the service provider’s SMS and triggers the corresponding command. 4 different commands have been identified:

* DoCmdSPOrder: sends a given number of SMS and logs the command in a file (c:\private\2002A22C\init_sp_order.txt)

* DoCmdDlAndInstall: downloads a given software package and installs it. We will discuss that one further.

* DoCmdGetPhoneInfo: gets phone’s model, IMEI and IMSI, and subsequently send 2 SMS.

* StartUpdatePolicy: modifies the update time and interval with the service provider. Information is logged in c:\private\2002A22C\frame_update_date.txt and c:\private\2002A22C\frame_update_interval.txt respectively.

Figure 2. Disassembly of the Base Command Parser DLL. Shows different types of commands.

In the case of the download and install command, the Base Command Parser DLL calls a function of the Frame HTTP DLL (FrameHttpEngine.dll). This module implements a web client with a download manager. The URI is added to a queue of URI to download, and the HTTP engine periodically checks this queue and downloads the requested URIs. The downloaded URI is dumped on the mobile phone in a file named c:\data\1.sisx. Then, as in SymbOS/Yxes, SymbOS/Album uses the SW Installer Launcher API to silently install the package on the mobile phone (RSWInstSilentLauncher::SilentInstall). The end-user sees no popup at all and cannot accept/decline this installation.

Figure 3. Once the URI is successfully downloaded, call the function that installs the package

Finally, for those with doubts, it is true a value-added service provider (VASP) might be expected to implement some kind of communication protocol between their server and the end-user’s mobile phone. But a legitimate VASP would make its activity and induced costs (SMS sending, WAP connections) explicit, and only install with user’s full consent. On the contrary, a Trojan would certainly use unexplicit names such as “Phone Framework” or “MMS Album” and care to hide its SMS and the installation of downloaded software.

– the Crypto Girl