SymbOS/Yxes goes version 2

by Axelle Apvrille
March 4, 2010 at 1:32 am

A few days ago we encountered a new variant of the Symbian worm, Yxes, that we named SymbOS/Yxes.H!worm. This worm contacts malicious remote servers, which host Java Server Pages, and propagates by sending ‘attractive’ SMS messages. For instance, this new variant sends an SMS with a URL promising private information concerning a Chinese actress. Overall, the logic (and much of the code) is the same as in previous variants. Yet there are a few updates, one of the main ones being the use of new remote malicious Java Server Pages.

I guess every analyst who has looked at this variant has noticed that it contacts the following URLs:

http://XXXX/Jump.jsp?Version=2.0&PhoneType=...&PhoneImei=...&PhoneImsi=...&Source=...
http://XXXX/Kernel.jsp?Version=2.0&PhoneType=...&PhoneImei=...&PhoneImsi=...&Source=...
http://XXXX/KernelPara.jsp?Version=2.0&PhoneType=...&PhoneImei=...&PhoneImsi=...&Source=...

The PhoneType argument contains the model of the infected phone (e.g. nokia3250, nokian95…), while the PhoneImei and PhoneImsi arguments respectively contain the phone’s IMEI and IMSI. The Source argument is new to this variant, and its use has not been reversed yet. It could possibly contain the name of the malicious website used to infect the phone.

The first of those JSP pages, Jump.jsp, redirects the user to a Chinese mobile social networking site (3g.kaixin001.com then wap.kaixin001.com). Actually, we had already noticed this behaviour in at least 2 former JSP pages used by previous versions.

The second JSP page, Kernel.jsp, replies with the following string (host name removed):

http://XXXX/download/root/plugucsrv.sisx

And, from this location, we get a new minor variant of Yxes.D. This is a consistent behavior in Yxes: the worm often works in pairs (e.g. variants A, B, D or E download variants C, D or F). In this case, variant H silently downloads and installs a remotely hosted new version of variant D.

Its certificate says:

Serial Number:
 2a:2f:00:01:00:23:37:98:0c:73:b2:c7:69:17
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=GB, O=Symbian Limited, CN=Symbian CA I
Validity
 Not Before: Jan 23 17:55:42 2010 GMT
 Not After : Jan 24 17:55:42 2020 GMT
Subject: C=CN, ST=Fujian, L=XiaMen, O=Xiamen Jindoucheng Tech Co. Ltd.,
OU=plugucsrv  2.1.0, OU=Symbian Signed ContentID,
CN=Xiamen Jindoucheng Tech Co. Ltd.

A notification has been sent to Symbian, who tells us the certificate should soon be revoked. Meanwhile, be cautious if you encounter a file named plugucsrv.sisx that installs as a ‘Setting Wizard’.

That variant D then actually does most of the malicious work: collect data on the phone, report it back to the malicious web servers and send SMS messages. The URLs it contacts are:

http://XXXX/bs.jsp?Version=2.1&PhoneType=...&PhoneImei=...&PhoneImsi=...&PhoneNumber=...&Succeed=...&Fail=...&Source=...&Time=...&Component=...
http://XXXX/index.jsp?Version=2.1&PhoneType=...&PhoneImei=...&PhoneImsi=...&PhoneNumber=...&Succeed=...&Fail=...&Source=...&Time=...&Component=...
http://XXXX/number.jsp?Version=2.1&PhoneType=...&PhoneImei=...&PhoneImsi=...&PhoneNumber=...&Succeed=...&Fail=...&Source=...&Time=...

The PhoneNumber, Succeed, Fail and Time arguments are obviously used to report contacts listed on the phone. The Succeed and Fail arguments are followed by an integer, probably the number of times that phone number has successfully been called or not.

Quite interestingly, here is what we get if we try to fetch http://XXXX/bs.jsp using a credible user agent (the malicious websites are known to check user agents; in particular, if they detect Internet Explorer, they respond “404 Not Found”):

SUCCESS reponse: 200 OK
http://hew1ett-packard.com/bs.jsp?

Notice that the letter L of Hewlett has been replaced by the number 1 (one).

So, the first malicious web server redirects the requests to another malicious web server, whose name is obviously crafted to fool the end-user. The URL does not respond any longer. Note that the Yxes worm is already known to use such misspellings:

  • www.megac1jck.com
  • www.mozi11a.com
  • www.makt00b.com
  • www.mediafir8.com
  • www.megaup10ad.com
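To turn the check-in URLs listed above and the look-alike host names into something a proxy log can be screened against, here is an added Python example (my own, not Fortinet's nor the worm's code). It assumes proxy lines of the form "time client url", a constructed sample log with dummy hosts, clients and IMEI/IMSI values, and the brand list derived from the domains quoted here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# JSP names and query parameters the post lists for the Yxes.H / Yxes.D check-ins.
BEACON_PATHS = ("/Jump.jsp", "/Kernel.jsp", "/KernelPara.jsp",
                "/bs.jsp", "/index.jsp", "/number.jsp")
BEACON_PARAMS = {"Version", "PhoneType", "PhoneImei", "PhoneImsi"}

# Brands imitated by the look-alike domains quoted above, and the digit-for-letter
# swaps those names use (hew1ett, mozi11a, makt00b, megaup10ad, mediafir8).
BRANDS = {"hewlett-packard", "mozilla", "maktoob", "mediafire", "megaupload"}
UNSWAP = str.maketrans("108", "loe")

def is_beacon(url):
    """(True, Version) when the path is a known JSP and the phone-identifying
    parameters are all present; (False, None) otherwise."""
    parts = urlsplit(url)
    if not parts.path.endswith(BEACON_PATHS):
        return False, None
    qs = parse_qs(parts.query)
    if not BEACON_PARAMS.issubset(qs):
        return False, None
    return True, qs["Version"][0]

def lookalike_of(host):
    """Brand a host name imitates once digits are mapped back to letters, or None."""
    label = re.sub(r"^www\.", "", host.lower()).rsplit(".", 1)[0]  # strip www. and TLD
    cleaned = label.translate(UNSWAP)
    return cleaned if cleaned in BRANDS and cleaned != label else None

# Constructed proxy log lines ("time client url"); hosts, clients and IMEI/IMSI are dummies.
SAMPLE_LOG = """\
2010-03-01T10:00:01 10.0.0.7 http://example.invalid/Kernel.jsp?Version=2.0&PhoneType=nokian95&PhoneImei=000000000000000&PhoneImsi=000000000000000&Source=x
2010-03-01T10:00:05 10.0.0.7 http://www.mozi11a.com/download/root/plugucsrv.sisx
2010-03-01T10:00:09 10.0.0.8 http://www.mozilla.org/index.jsp?Version=9
2010-03-01T10:00:12 10.0.0.9 http://hew1ett-packard.com/bs.jsp?Version=2.1&PhoneType=nokia3250&PhoneImei=111111111111111&PhoneImsi=222222222222222&PhoneNumber=0&Succeed=1&Fail=0
"""

def scan(log_text):
    """List (client, reason) for every line that trips either check."""
    hits = []
    for line in log_text.splitlines():
        _, client, url = line.split(" ", 2)
        flagged, version = is_beacon(url)
        if flagged:
            hits.append((client, "yxes-beacon v" + version))
        brand = lookalike_of(urlsplit(url).hostname or "")
        if brand:
            hits.append((client, "lookalike of " + brand))
    return hits
```

The third sample line shows why the parameter check matters: a legitimate index.jsp with a Version argument but no IMEI/IMSI is not flagged, and mozilla.org itself is not reported as a look-alike of mozilla.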

The third JSP, KernelPara.jsp, is still a mystery we have to work on. It returns a file named encrypt_Kernel_Para.txt. If its name is meaningful, it is likely to be an encrypted version of a file named Kernel_Para.txt (the worm already uses files with similar names: Local_Para.txt and Remote_Para.txt). In our case, its content is fixed and 32 bytes long. It is not an XOR-encrypted URL.

Finally, to evaluate the worm authors’ progress, it is interesting to follow the dates and versions of samples. The dates are taken from the first validity date in the X.509 certificate used to sign the sample, and the version numbers are included either in the main executable of the sample or in the certificate.

Yxes-versions

Apart from a sporadic ‘accident’ at the end of June 2009 where a version 1.0 went into the wild (probably an error in versioning), we see the worm authors have been continuously working on Yxes since the end of 2008. So my first prediction for 2010 was nearly bound to be true…

– The Crypto Girl

Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS. She is a senior antivirus analyst and researcher for Fortinet, where she more specifically looks into mobile malware.

Malicious Transfers of IM3 funds: The Return

by Axelle Apvrille
January 26, 2010 at 10:10 am

It had been a while since we’d last seen a malware transferring credits to pre-paid phone cards. Our last encounter dated back to SymbOS/Flocker!tr.python early January 2009. It is happening again, with Java/GameSat.A!tr, a Java ME midlet which is currently in the wild.

Indosat, an Indonesian telecom operator, offers IM3 (Indosat Multimedia 3) customers the ability to transfer (small) funds between two accounts. This is known as ‘pulse transfer’ or ‘M3-Transfer’ and it works by … SMS, without a PIN or registration! The money is transferred from one IM3 account to another IM3 account (a transfer fee is charged to the sender).

This sounds quite handy, but… absolutely anything but secure, so it comes as no surprise cyber-delinquents make use of it.

In Flocker, from 5000 to 10000 Indonesian rupees (0.45 – 0.90 USD) were transferred to IM3 accounts controlled by the malware author.

Now, Java/GameSat.A!tr typically gets onto your mobile phone as a ‘modification to Opera Mini’. Of course, it does not modify Opera Mini at all. Instead, it uses IM3 fund transfer to access non-free on-line divination, chat or dating services. The end-user gets charged up to 20000 Rp (1.8 USD), not to mention the transfer fee, each time he/she opens the application or tries to access the non-free services.

Figure 1. The malware advertises as a modification to Opera Mini

Figure 2. Malware tries to send an SMS

I could make up my own divination service on that matter, and tell end-users they are probably about to lose roughly two dollars, get plenty of SMS spam and absolutely no advice or dates whatsoever.

– The Crypto Girl

Malware seeding campaign leveraging vaccination profiles for the H1N1 virus

by Karine de Ponteves
December 1, 2009 at 10:51 am

AV Lab’s honeypots have just started catching new malware seeding campaigns leveraging vaccination profiles for the H1N1 virus.

The message is sent as a notification from the “Centers for Disease Control and Prevention (CDC)”. Because the sender’s email is spoofed and because the URL leading to the rogue website contains a “gov” subdomain, which can be mistaken for the top-level domain, the message may seem plausible to many people.

Here is what the email looks like:

	From: "Centers for Disease Control and Prevention (CDC)" <info-mess-id:01203428med@cdcmails.gov>
	Sent: Tue, 1 Dec 2009 23:37:46 +0800
	To: [removed]@fortinet.com
	Subject: Creation of your personal Vaccination Profile

	You have received this e-mail because of the launching of State Vaccination H1N1 Program.

	You need to create your personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website.
	The Vaccination is not obligatory, but every person that has reached the age of 18 has to have
	his personal Vaccination Profile on the cdc.gov site. This profile has to be created both for
	the vaccinated people and the not-vaccinated ones. This profile is used for the registering system
	of vaccinated and not-vaccinated people.

	Create your Personal H1N1 Vaccination Profile using the link:

	Create Personal Profile (link to http://online.cdc.gov.yhnbad.[removed])

And here is a screenshot of the rogue site:

(screenshot of the rogue site, with its “Download Archive” link)

Of course, the “Archive” (see “Download Archive” link) is in fact a Trojan horse.

Pay attention to these ongoing social-engineering attempts leveraging news items. Of course, this one is easily defeated by the fact that the “vaccination profile” is an executable file, which is unlikely for an archive (although possible), especially one sent by an official organization.

But when the malicious bits are embedded in actual documents (.pdf, .doc, .xls, etc.), it can sometimes be challenging to separate the wheat from the chaff…

Fortinet detects the downloaded file as W32/Vacc.A!tr.

Author bio: Karine de Ponteves has always been into computer security and its many aspects. Her current responsibilities include preliminary analysis of malware and developing detection for new viruses.

Transmitter.C is not Yxes.E

by Axelle Apvrille
August 26, 2009 at 11:31 pm

There has been a lot of confusion lately concerning the SymbOS/Yxes worm. Among other things, it has now dawned on me that the so-called Transmitter.C reported in numerous articles on the net (for instance, here and here) is not sexySpace.sisx (detected as SymbOS/Yxes.E!worm): those are two different malware.

Why? Several issues startled me (ordered from weakest to strongest point):

1. Transmitter.C is reported to send a massive amount of SMS messages (they are talking about 500 SMS). If Transmitter.C is Yxes.E, this is surprising, because I cannot see any loop in the code indicating that numerous copies of the SMS are sent out; of course, that would depend on the number of contacts and SMS stored in the infected phone. Strange, though. In Yxes.E, I do see the piece of code that sends SMS messages (see picture below), but I haven’t spotted any function calling it yet. The malicious code might be buggy. And, as a matter of fact, on the Nokia N95 I tried it on, Yxes.E did not succeed in sending any SMS at all.

Figure 1. Assembly routine sending an SMS – disassembled with IDA Pro. The routine connects to the SendAs server. Then it creates a message object, sets the recipient (“to”) and finally the message body.

2. The screenshot of the SMS message mentions the string “A very sexy girl, Try it now!” with a link to a website hosting sexySpace.sisx. But, quite strangely, this string is nowhere to be found in the executable inside sexySpace.sisx (AcsServer.exe) nor in other resources. No, it is definitely not in Yxes.E. Of course, it could be dynamically decrypted from data in the executable, but then, why are similar strings in cleartext in Yxes.D (“A very interesting sexy game!try it soon!”)?

3. Last but not least, Transmitter.C is said to spread as a trojaned version of a legitimate application named ‘Advanced Device Locks’, but sexySpace.sisx does not install as ‘Advanced Device Locks’ at all: it installs under the name ‘Sexy Space’ and does not include any part of the Advanced Device Locks application. That does not sound like the right sample at all.

In my opinion, Transmitter.C is not sexySpace.sisx, and thus not SymbOS/Yxes.E!worm. In that case, the SMS screenshot should probably be credited to Transmitter.C (and not SymbOS/Yxes.E!worm), which is interesting, because it includes a link to a website hosting sexySpace.sisx. This means Transmitter.C can be seen as a kind of dropper that tries to spread SymbOS/Yxes.E!worm.

– The Crypto Girl.

PS. By the way, if you encounter a sample of Transmitter.C, please forward it to submitvirus (at) fortinet.com.

Detecting spyware for iPhones

by Axelle Apvrille
July 16, 2009 at 12:18 pm

There are days where I wonder if people really care about privacy (except for these people). Most people don’t see any problem in telling the entire world what they’re doing (Twitter), who they know or see (Facebook) or where they are: the kind of stuff teenagers hate to tell their parents.

Mobile phones are just the perfect platform for spying because they are portable (iPhones are such beauties one hates to leave them behind!) and seen as private devices (would you share your nice iPhone, huh?). Depending on functionalities, mobile spyware record and forward incoming and outgoing SMS, MMS, voice calls, geographic location etc.

Recently, I finally laid my hands on an iPhone spyware sample. Actually, it has probably been out for a while, but I was surprised to discover nobody seemed to detect it yet. The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware’s repository and then install the two spyware packages:

SmsTrapUI: a user interface package to assist the spy in installing the spyware. Once the spyware is configured, the spy can erase this package:

Std: the spyware daemon. It installs in /usr/sbin and does not display any new icon on the iPhone’s springboard. This daemon collects information on SMS (phone number, text, timestamp and incoming/outgoing indicator) and sends it to a SQL database of the spyware’s website.

Okay, so the spyware installs and works. As an antivirus analyst, my next task then consisted in getting original samples onto my work host (the host where I work out detections for malware). I could have connected to the iPhone via SSH (iPhone Tunnel Suite), but then I would have had to parse all the directories the packages had installed files into, and retrieve them. I settled for a simpler solution: Cydia uses Debian-style repositories, so I directly downloaded the samples from there. Debian-style repositories typically include two files: Release and Packages (or Packages.bz2). So, I first downloaded Release:
$ wget http://xxxxx/x/Release
$ cat Release
Origin: ST
Label: ST
Suite: stable
Version: 1.0
Codename: st
Architectures: iphoneos-arm
Components: main
Description: ST Main repository
248bf63c4e179ef82d4fe4ba86a42c03 547 main/binary-iphoneos-arm/Packages
3b6d6f28d5346f9d911a067fccb64f5f 335 main/binary-iphoneos-arm/Packages.bz2

The Release file mentions both Packages and Packages.bz2 exist, so I then downloaded Packages:
$ wget http://xxxxx/x/Packages
$ cat Packages
MD5Sum: 762bf733c5a9b03b787c23ffc64d63a7
Maintainer: ST Team
Description: ST Daemon.
Package: com.st.std
Section: Utilities
Author: ST Team
Filename: ./std-1.1-1_iphoneos-arm.deb
Version: 1.1-1
Architecture: iphoneos-arm
Size: 11634
Name: STD

MD5Sum: bed10acddc436a5dfdb77a35dc6e74ad
Maintainer: ST Team
Description: SmsTrap User Interface
Package: com.st.SmsTrapUI
Section: Utilities
Author: ST Team
Filename: ./SmsTrapUI-1.1-1_iphoneos-arm.deb
Depends: com.st.std, quickload
Version: 1.1-1
Architecture: iphoneos-arm
Size: 26184
Name: SmsTrap

The Packages file provides the names of the two packages:
$ wget http://xxxxx/x/SmsTrapUI-1.1-1_iphoneos-arm.deb
$ wget http://xxxxx/x/std-1.1-1_iphoneos-arm.deb

I can now unpack the .deb packages, and detect the relevant parts of the spyware.
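As an added Python example (my own, not Fortinet's nor the spyware's code) of the repository walk described above: parse the Packages stanzas to list the .deb files to fetch together with their dependencies, then check a fetched package against the Size and MD5Sum its stanza advertises. The sample text is the post's own stanzas trimmed to the fields used; an unknown repository can change a file between the listing and the download, so the check is done before anything is unpacked.

```python
import hashlib

# Constructed sample: the two Packages stanzas quoted above, reduced to the
# fields this example uses (values as printed in the post).
PACKAGES_TEXT = """\
MD5Sum: 762bf733c5a9b03b787c23ffc64d63a7
Package: com.st.std
Filename: ./std-1.1-1_iphoneos-arm.deb
Size: 11634

MD5Sum: bed10acddc436a5dfdb77a35dc6e74ad
Package: com.st.SmsTrapUI
Filename: ./SmsTrapUI-1.1-1_iphoneos-arm.deb
Depends: com.st.std, quickload
Size: 26184
"""

def parse_stanzas(text):
    """Split a Debian-style Packages file into one dict per blank-line-separated
    stanza; a line starting with whitespace continues the previous field."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends a stanza
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last:      # folded continuation line
            cur[last] += "\n" + line.strip()
        else:
            last, _, value = line.partition(":")
            last = last.strip()
            cur[last] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas

def download_plan(stanzas):
    """Package name -> (Filename to fetch, dependencies it pulls in)."""
    plan = {}
    for s in stanzas:
        deps = [d.strip() for d in s.get("Depends", "").split(",") if d.strip()]
        plan[s["Package"]] = (s["Filename"], deps)
    return plan

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def matches_stanza(stanza, data):
    """True when fetched bytes have the Size and MD5Sum the stanza advertises."""
    return len(data) == int(stanza["Size"]) and md5_hex(data) == stanza["MD5Sum"].lower()
```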