There has been a lot of confusion lately concerning the SymbOS/Yxes worm. Among those, it has now dawned on me the so-called Transmitter.C reported in numerous articles on the net (for instance, here and here), is not sexySpace.sisx (detected as SymbOS/Yxes.E!worm): those are two different malware.

Why ? As a matter of fact, several issues startled me (ordered from weakest to strongest point):

1. Transmitter.C is reported to send a massive amount of SMS messages (they are talking about 500 SMS). If Transmitter.C is Yxes.E, it is surprising because I cannot see any loop in the code indicating numerous copies of SMS are sent out, but of course, that would depend on the amount of contacts and SMS stored in the infected phone. Strange though. In Yxes.E, I do see the piece of code that sends SMS messages (see picture below), but I haven’t spotted any function calling it yet. The malicious code might be bugged. And, as a matter of fact, on the Nokia N95 I tried it on, Yxes.E did not succeed to send any SMS at all.

Figure 1. Assembly routine sending an SMS – disassembled with IDA Pro. The routine connects to the SendAs server. Then it creates a message object, sets the recipient (“to”) and finally the message body.

2. The screenshot of the SMS message mentions the string “A very sexy girl, Try it now!” with a link to a website hosting sexySpace.sisx. But, quite strangely, this string is nowhere to be found in the executable inside sexySpace.sisx (AcsServer.exe) nor in other resources. No, it is definetely not in Yxes.E. Of course, it could be dynamically decrypted from data in the executable, but then, why are similar strings in cleartext in Yxes.D (“A very interesting sexy game!try it soon!”) ?

3. Last but not least, Transmitter.C is said to spread as a trojaned version of a legitimate application named ‘Advanced Device Locks’, but sexySpace.sisx does not install as ‘Advanced Device Locks’ at all: it installs under the name ‘Sexy Space’ and does not include any part of the Advanced Device Locks application. That does not sound like the right sample at all.

To my opinion, Transmitter.C is not sexySpace.sisx, and thus not SymbOS/Yxes.E!worm. In that case, the SMS screenshot should probably be credited to Transmitter.C (and not SymbOS/Yxes.E!worm), which is interesting, because it includes a link to a website hosting sexySpace.sisx. This means Transmitter.C can be seen as a kind of dropper that tries to spread SymbOS/Yxes.E!worm.

– The Crypto Girl.

PS. By the way, if you encounter a sample of Transmitter.C please be forward it to submitvirus (at) fortinet.com.

With February’s Threat Landscape Report out, it’s time to highlight some of the most interesting movement happening from late January 2009 to now:

New vulnerabilities (NVC) were up nearly three fold, with 117 posted in comparison to 43 from January’s edition; 25.6% of these new vulnerabilities were detected to be actively exploited. Two new high-profile zero-day exploits (CVE-2009-0238 and CVE-2009-0658) affecting MS Excel (XLS) and Adobe Reader (PDF) have since been disclosed. Given these facts, and Conficker’s success, there is no better time than now to underscore patch management and effective security to battle these threats.

Conficker is still running strong. Our systems showed exploitation of the well known MS08-067 vulnerability displayed the highest recorded activity to date on February 14th, 2009. As of writing, volume levels are still quite high; a new variant has been discovered in the wild that allows malicious payload transfers through a backdoor port opened on an infected machine – without relying on the domain generation algorithm. Since the algorithm that generates the list of domains Conficker contacts to download code has been reversed/put in the spotlight, this latest functionality can be seen as a counter move by Conficker’s authors.

Waledac, a relatively new botnet in town, went on a long run using a Valentine’s Day campaign to dupe users into downloading a malicious executable which was, to no surprise, a copy of the Waledac trojan. The campaign used a variety of domain/sub domain names, safe-haven registrars, and fast flux. As a result, the domains are still resolving to malicious servers hosting the sites and executables. Sadly, this proves how durable and effective such campaigns can still be using not-so-new methodologies such as fast flux. As of writing, the campaign is still alive but is using a different theme dubbed as the ‘Couponizer’. This social engineering hook offers online “coupons” to the victim. One thing we noticed with Waledac is that, aside from coming in the usual shifting variants (server side polymorphic), the served malicious executable’s filename shifted frequently as well. Names such as ‘reader.exe’, ‘start.exe’, and ‘lovekit.exe’ were used.

Movement on the mobile front: After new variants of Flocker surfaced in January, targeting accounts with Indonesian operators, we reported on Yxes.A in February — the latest and greatest SymbianOS threat — aka “Sexy View”. While mobile threats are certainly low profile in terms of prevalence (compared to non-mobile threats), this is an area to keep a close eye on. The biggest threat posed by SymbOS/Yxes.A is its ground-breaking propagation function; with the capability to spread through SMS by providing malicious URLs, a bridge is created from mobile telecommunications to the the Internet as we know it. In turn, this opens up a range of possibilities, effectively allowing the authors more control over their creation. With more control and functionality added, Yxes.A proved that we may not be far away from a mobile botnet.

Spam levels remained consistent after crawling back from a sharp decrease late 2008 thanks, largely in part, to the McColo take-down in November 2008.  Phishing and scam emails are popular as ever in play with the economic crisis, as our spam traps harvested loan and job scams showing up in localized languages to various regions.