Our analyst, Ruchna Nigam, had been analyzing a sample of SymbOS/InSpirit.A!tr. A couple of months ago, this malware received some attention in China (for example see here; use a translation tool if you do not read Chinese) because it was phishing customers of a local bank. The malware simply adds a new SMS to the victim's inbox, apparently coming from the bank's service hotline number, telling the victim he/she had entered a bad password and needed to follow a given (malicious) link to guarantee... [Read More]
Figure: SMS dropped in the victim's inbox by SymbOS/InSpirit.A!tr
by Axelle Apvrille  |  Jan 12, 2011  |  Filed in: Security Research
An Internet Access Point, IAP for short, is "a collection of settings that define how a connection to a particular network is made" [1]. For example, it stores the Access Point Name (APN) for GPRS networks, the SSID for Wi-Fi, etc. On Symbian mobile phones, IAPs are stored in a table of the Communications Database (CommDB). In the SymbOS/Yxes worm (2009 / 2010), we had already seen the worm search through the IAPs available on the phone, select all outgoing WCDMA entries, add them to a list and silently use one of them to connect to the Internet [2]. Since... [Read More]
by Axelle Apvrille  |  Nov 04, 2010  |  Filed in: Security Research
I had already seen mobile malware send SMS messages with a malicious URL inside (e.g. SymbOS/Yxes), or MMS messages (e.g. SymbOS/Album.A!tr, SymbOS/Beselo!worm...) with a malicious attachment. However, I had never noticed a piece of mobile malware sending a WAP Push SMS (special SMS messages typically used to push ringtones, wallpapers, OTA provisioning settings, etc.). The recent SymbOS/NMPlugin.A!tr does all three! It sends: an MMS, whose title is “Hello Skuller” and which contains an attachment named Sunset.jpg; an SMS containing a short message and a malicious... [Read More]
by Axelle Apvrille  |  Aug 03, 2010  |  Filed in: Security Research
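As an added illustration (not code from the post above, nor from SymbOS/NMPlugin.A!tr), the following Python decodes a WAP Push Service Indication (SI) from the user data of a binary SMS, which is what an analyst needs in order to recover the URL such a message pushes to the phone. The byte layout follows the WSP, WBXML and SI 1.0 specifications; the sample message is constructed here, and its host name, path and text are placeholders, not indicators taken from the malware.

```python
"""Decode a WAP Push Service Indication (SI) carried in a binary SMS.
Added example; the SAMPLE message is constructed, not a real capture."""
import struct

WAP_PUSH_PORT = 2948            # destination port carried in the SMS user data header
WSP_PDU_PUSH = 0x06
SI_PUBLIC_ID = 0x05             # -//WAPFORUM//DTD SI 1.0//EN
END, STR_I = 0x01, 0x03         # WBXML global tokens
TAG_SI = 0x05
# SI 1.0 attribute-start tokens that open an href, with the URL prefix they imply
HREF_START = {0x0B: "", 0x0C: "http://", 0x0D: "http://www.",
              0x0E: "https://", 0x0F: "https://www."}
# SI 1.0 attribute-value tokens that may appear inside an href
HREF_VALUE = {0x85: ".com/", 0x86: ".edu/", 0x87: ".net/", 0x88: ".org/"}


def read_uintvar(data, pos):
    """WSP/WBXML variable-length integer: 7 bits per byte, MSB set means more bytes."""
    value = 0
    while True:
        b = data[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos


def read_str_i(data, pos):
    """Inline NUL-terminated UTF-8 string that follows a STR_I token."""
    end = data.index(0x00, pos)
    return data[pos:end].decode("utf-8"), end + 1


def split_user_data(user_data):
    """Return (dest_port, src_port, payload) from SMS user data that carries a UDH."""
    udhl = user_data[0]
    udh, payload = user_data[1:1 + udhl], user_data[1 + udhl:]
    dest = src = None
    i = 0
    while i < len(udh):
        iei, iedl = udh[i], udh[i + 1]
        if iei == 0x05 and iedl == 4:       # application port addressing, 16-bit ports
            dest, src = struct.unpack(">HH", udh[i + 2:i + 6])
        i += 2 + iedl
    return dest, src, payload


def parse_wsp_push(payload):
    """Return (content_type, body) from a connectionless WSP Push PDU."""
    if payload[1] != WSP_PDU_PUSH:
        raise ValueError("not a WSP Push PDU")
    hdr_len, pos = read_uintvar(payload, 2)
    content_type = payload[pos] & 0x7F      # short-integer encoding: high bit set
    return content_type, payload[pos + hdr_len:]


def parse_si(wbxml):
    """Return (href, text) from a WBXML-encoded SI document."""
    if wbxml[1] != SI_PUBLIC_ID:
        raise ValueError("not an SI document")
    strtbl_len, pos = read_uintvar(wbxml, 3)    # skip version, public id, charset
    pos += strtbl_len                           # skip string table
    if (wbxml[pos] & 0x3F) != TAG_SI:
        raise ValueError("root element is not <si>")
    href, text = None, ""
    while pos < len(wbxml):
        tok = wbxml[pos]
        pos += 1
        if tok == END:
            continue
        if tok == STR_I:                        # element text content
            s, pos = read_str_i(wbxml, pos)
            text += s
            continue
        if tok & 0x80:                          # tag with an attribute list
            in_href = False
            while wbxml[pos] != END:
                a = wbxml[pos]
                pos += 1
                if a in HREF_START:
                    in_href, href = True, HREF_START[a]
                elif a == STR_I:
                    s, pos = read_str_i(wbxml, pos)
                    if in_href:
                        href += s
                elif a < 0x80:                  # another attribute (action, si-id, ...)
                    in_href = False
                elif in_href:
                    href += HREF_VALUE.get(a, "")
            pos += 1                            # END of the attribute list
    return href, text


def decode_wap_push(user_data):
    dest, src, payload = split_user_data(user_data)
    if dest != WAP_PUSH_PORT:
        raise ValueError("not addressed to the WAP Push port")
    content_type, body = parse_wsp_push(payload)
    href, text = parse_si(body)
    return {"src_port": src, "content_type": content_type, "href": href, "text": text}


def build_sample(host, path, text):
    """Constructed SI push: UDH (ports 2948/9200), WSP Push with content type
    application/vnd.wap.sic (0xAE) and charset UTF-8 (0x81 0xEA), then WBXML."""
    udh = bytes([0x06, 0x05, 0x04, 0x0B, 0x84, 0x23, 0xF0])
    wsp = bytes([0x01, WSP_PDU_PUSH, 0x03, 0xAE, 0x81, 0xEA])
    body = (bytes([0x02, SI_PUBLIC_ID, 0x6A, 0x00, 0x45, 0xC6, 0x0C, STR_I])
            + host.encode() + b"\x00" + bytes([0x85, STR_I]) + path.encode() + b"\x00"
            + bytes([END, STR_I]) + text.encode() + b"\x00" + bytes([END, END]))
    return udh + wsp + body


SAMPLE = build_sample("example", "update.sis", "Your phone needs an update")
```

decode_wap_push(SAMPLE) returns the href http://example.com/update.sis together with the indication text. The href is split across a prefix token (0x0C = "http://"), inline strings and a value token (0x85 = ".com/"), so grepping a raw PDU dump for "http://" misses URLs encoded this way; decoding the tokens is what recovers the destination a victim is pushed to.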
Lately, I have been analyzing a sample of SymbOS/Album.A!tr, another advanced piece of malware targeting mobile phones running Symbian OS 9 and greater. First of all, once more, like SymbOS/Yxes, this malware was "legitimately" signed through Symbian's Express Signed program. The certificate has since been revoked:
    Serial Number: c8:8e:00:01:00:23:db:45:38:bc:e7:2a:d3:03
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=GB, O=Symbian Limited, CN=Symbian CA I
    Validity
        Not Before: Nov 20 05:00:02 2009 GMT
        Not After : Nov 21 05:00:02 2019 GMT
    Subject: C=CN, ...
[Read More]
by Axelle Apvrille  |  Jul 08, 2010  |  Filed in: Security Research
A few days ago we encountered a new variant of the Symbian worm Yxes, which we named SymbOS/Yxes.H!worm. This worm contacts malicious remote servers hosting Java Server Pages, and propagates by sending 'attractive' SMS messages. For instance, this new variant sends an SMS with a URL promising private information about a Chinese actress. Overall, the logic (and much of the code) is the same as in previous variants. Yet there are a few updates, one of the main ones being the use of new remote malicious Java Server Pages. I guess every... [Read More]
by Axelle Apvrille  |  Mar 04, 2010  |  Filed in: Security Research
Lately, we've been fed with H1N1 flu security measures, with recommendations regarding how to clean our hands, sneeze or cough. I just wonder if we'd be so obedient if the same recommendations were issued for our computers or phones. Have a look at the advice below: on the left are CDC's recommendations against H1N1. On the right... Fortinet's recommendations against SymbOS/Yxes. Convinced? Will you follow them? [Read More]
by Axelle Apvrille  |  Oct 13, 2009  |  Filed in: Security Research
There has been a lot of confusion lately concerning the SymbOS/Yxes worm. In particular, it has now dawned on me that the so-called Transmitter.C reported in numerous articles on the net (for instance, here and here) is not sexySpace.sisx (detected as SymbOS/Yxes.E!worm): they are two different pieces of malware. Why? As a matter of fact, several issues struck me (ordered from weakest to strongest point): Transmitter.C is reported to send a massive number of SMS messages (they talk about 500 SMS). If Transmitter.C were Yxes.E, this would be surprising because... [Read More]
by Axelle Apvrille  |  Aug 26, 2009  |  Filed in: Security Research
In case you are not familiar with the Symbian development process, application development involves two major security features in Symbian OS 9.1 and greater. First, applications must declare their capabilities: if an application uses a Bluetooth connection, for instance, it must have the Symbian LocalServices capability. A few other capabilities of interest for malware are:
- NetworkServices: required to make a call, send HTTP requests, etc.
- ReadUserData/WriteUserData: required to read/write the user's contacts.
- UserEnvironment: required to use the camera.
- Location: particularly... [Read More]
by Axelle Apvrille  |  Aug 04, 2009  |  Filed in: Security Research
Many threat trends have continued as we head into August 2009. I have highlighted notable items below from our July 2009 Threat Landscape report, which can be found on Fortinet's FortiGuard Center. Mobile threat development continues: in July we saw the emergence of SymbOS/Yxes.E and SymbOS/Yxes.F, the latest variants of Yxes, which we first reported on in February. For further details, check out this blog post, which is well worth the read: in particular, Yxes serving up dynamic content via JSP shows the first steps of how cyber... [Read More]
by Derek Manky  |  Jul 27, 2009  |  Filed in: Security Research
The Symbian malware Yxes is (nearly) keeping me awake these days. Among other functionalities, it sends HTTP requests to a remote web server. The URLs it requests are the following:
- Yxes.A: http://[REMOVED]/Kernel?Version=
- Yxes.B or Yxes.E: http://[REMOVED]/Kernel.jsp?Version=&PhoneType=
- Yxes.C: no similar URL
- Yxes.D: this one issues two different requests:
  http://[REMOVED]/bs?Version=&PhoneImei=&PhoneImsi=&PhoneType=
  http://[REMOVED]/number/?PhoneType=
  http://[REMOVED]/index.jsp?PhoneType=
- Yxes.F: http://[REMOVED]/PbkInfo.jsp?PhoneType=&PhoneImei=&PhoneImsi= TYPE... [Read More]
by Axelle Apvrille  |  Jul 21, 2009  |  Filed in: Security Research
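As an added example (not the worm's code, nor Fortinet's detection logic), the URL patterns listed in the post above can be turned into a small proxy-log classifier: it keys on the request path and the exact set of query parameter names to label the Yxes variant, and checks whether PhoneImei/PhoneImsi values look like genuine identifiers (a real IMEI is 15 digits and passes the Luhn check), which tells you whether a beacon actually leaked a device identity. The host name c2.example.invalid, the identifier values and the log lines are constructed for this example; the paths and parameter names are the ones listed in the post.

```python
"""Classify Yxes C&C beacons from proxy log lines and flag IMEI/IMSI leakage.
Added example; host, identifiers and log lines are constructed, not real indicators."""
from urllib.parse import urlsplit, parse_qs

# (request path, exact set of query parameter names) -> variant label, from the post
SIGNATURES = {
    ("/Kernel", frozenset({"Version"})): "Yxes.A",
    ("/Kernel.jsp", frozenset({"Version", "PhoneType"})): "Yxes.B/E",
    ("/bs", frozenset({"Version", "PhoneImei", "PhoneImsi", "PhoneType"})): "Yxes.D",
    ("/number/", frozenset({"PhoneType"})): "Yxes.D",
    ("/index.jsp", frozenset({"PhoneType"})): "Yxes.D",
    ("/PbkInfo.jsp", frozenset({"Version", "PhoneType", "PhoneImei", "PhoneImsi"})): "Yxes.F",
}
IDENTIFIER_PARAMS = {"PhoneImei", "PhoneImsi"}


def luhn_ok(digits):
    """Luhn checksum over a digit string; the IMEI's 15th digit is its check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_url(url):
    """Return (variant, leaked) where leaked lists (param, value, looks_genuine);
    (None, []) when the URL matches no Yxes pattern."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)   # keep "Version=" etc.
    variant = SIGNATURES.get((parts.path, frozenset(params)))
    if variant is None:
        return None, []
    leaked = []
    for name in IDENTIFIER_PARAMS & set(params):
        value = params[name][0]
        if name == "PhoneImei":
            genuine = len(value) == 15 and value.isdigit() and luhn_ok(value)
        else:                   # IMSI: MCC+MNC+MSIN, up to 15 digits, no check digit
            genuine = 6 <= len(value) <= 15 and value.isdigit()
        leaked.append((name, value, genuine))
    return variant, sorted(leaked)


def scan_log(lines):
    """Return (client_ip, variant, leaked) for each log line whose URL matches.
    Expected line layout (constructed): timestamp client method url status."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        variant, leaked = classify_url(url)
        if variant:
            hits.append((client, variant, leaked))
    return hits


# Constructed sample log; 123456789012347 is a Luhn-valid made-up IMEI and
# 001010123456789 uses the test PLMN 001-01.
SAMPLE_LOG = [
    "1248190001.234 192.0.2.10 GET http://c2.example.invalid/Kernel.jsp?Version=1.0&PhoneType=N95 200",
    "1248190002.345 192.0.2.11 GET http://c2.example.invalid/PbkInfo.jsp?Version=2&PhoneType=N73"
    "&PhoneImei=123456789012347&PhoneImsi=001010123456789 200",
    "1248190003.456 192.0.2.12 GET http://c2.example.invalid/bs?Version=1&PhoneImei=12345"
    "&PhoneImsi=001010123456789&PhoneType=E71 200",
    "1248190004.567 192.0.2.13 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for client, variant, leaked in scan_log(SAMPLE_LOG):
        print(client, variant, leaked)
```

Because the post removes the server host, the signatures match on path and parameter set only; in production, pair them with the host or IP indicators you hold, otherwise a generic request such as /index.jsp?PhoneType= will also fire on unrelated sites. The Luhn check separates real device identifiers from the junk or test values some variants send, which matters when you decide whether a hit is a leak worth escalating.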