
Dial/SmsBox!java - Released Feb 10, 2010 - Last Updated Mar 02, 2010

Alias/es

Trojan-SMS.J2ME.Swapi.au (KAV)

Detection Availability

Product        Active Database   Extended Database
FortiGate      low               high
FortiClient
FortiMail      N/A

Visible Symptoms

The phone attempts to send an SMS to a short code such as 1141.

Detailed Analysis

Dial/SmsBox is a Java ME midlet advertised as a way to send anonymous SMS messages or pre-written SMS templates for special occasions.
The end-user writes the SMS he/she wishes to send (or selects a template), sets the recipient's phone number and the name the SMS should appear to come from, so the SMS can be anonymous.
Before delivering it, however, the midlet sends two SMS messages to a premium-rate number (the end-user is charged for these) and only then sends the end-user's own message. In some variants the end-user's message is sent directly as an SMS; in other variants it is submitted to an SMS web service.

This midlet is a borderline application that administrators may wish to block because:
  1. Sending anonymous SMS messages may be prohibited.
  2. The midlet contacts a premium phone number which may result in unwanted costs.
  3. With variants sending the SMS over the web, there is no guarantee the end-user's message will actually make it to the appropriate recipient (for example, the service may be closed). Moreover, there is a risk the web server stores/sells phone numbers for other uses.
It is advertised as an application to send anonymous SMS (the recipient does not know who the sender is) or "ready" SMS, i.e. SMS templates for special occasions that the user selects and sends.
This description lures the end-user into accepting that the application sends SMS to premium-rate numbers, for which he/she is charged.
This malware is a Java ME midlet. It runs on the Java ME platform and therefore on any phone that supports Java ME.
The user interface of this malware is typically in Russian.
Two screenshots of the malware are shown below. Figure 1 shows the main menu of the malware. Figure 2 shows an end-user filling in an anonymous SMS.



Technical Details


The malware consists of the following files:
  • a main class named SmsBox.class
  • Thumb.db: a base64-encoded data file
  • several other classes and icons
The main class decodes the name of the data resource it uses (Thumb.db), then reads the resource, and finally base64-decodes its content. As is typical for the SmsBoxer malware family, the decoded data contains two tags (SMSNum and SMSText) with their corresponding values:
SMSNum-1: 1141
SMSText-1: 85boks

In that case, the malware sends SMS messages to the short number 1141, with the text '85boks'.
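The resource format above is simple enough to extract automatically when triaging a suspected SmsBox JAR. The following script is an added analysis example (not code from the malware or from Fortinet): it opens a JAR, finds resources whose content is valid base64 text, decodes them, pairs up the SMSNum-N / SMSText-N tags by index, and flags destinations that look like short codes. The sample JAR it builds in memory (with a placeholder SmsBox.class and a constructed Thumb.db carrying the two tags shown above) is constructed for the demonstration and is not a real sample; the 3-6 digit short-code heuristic is an assumption, not a rule the malware follows.

```python
"""Triage helper for Dial/SmsBox-style Java ME midlets (added example).

Finds base64-encoded resources inside a JAR, decodes them and extracts the
SMSNum-N / SMSText-N pairs that tell the midlet where to send premium SMS.
"""
from __future__ import annotations

import base64
import binascii
import io
import re
import zipfile

# One tag per line, e.g. "SMSNum-1: 1141" or "SMSText-1: 85boks".
TAG_RE = re.compile(r"^\s*(SMSNum|SMSText)-(\d+)\s*:\s*(.*?)\s*$")


def try_base64(data: bytes) -> str | None:
    """Return decoded UTF-8 text if `data` is strict base64 text, else None."""
    stripped = b"".join(data.split())            # tolerate line-wrapped base64
    if not stripped or len(stripped) % 4:
        return None
    try:
        decoded = base64.b64decode(stripped, validate=True)
        return decoded.decode("utf-8")
    except (binascii.Error, ValueError):         # UnicodeDecodeError is a ValueError
        return None


def parse_sms_tags(text: str) -> list[dict]:
    """Pair up SMSNum-N and SMSText-N tags by their index N, sorted by index."""
    targets: dict[int, dict] = {}
    for line in text.splitlines():
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, idx, value = m.group(1), int(m.group(2)), m.group(3)
        entry = targets.setdefault(idx, {"index": idx, "number": None, "text": None})
        entry["number" if tag == "SMSNum" else "text"] = value
    return [targets[i] for i in sorted(targets)]


def is_short_code(number: str) -> bool:
    """Assumed heuristic: an all-digit 3-6 digit destination is a short code."""
    return number.isdigit() and 3 <= len(number) <= 6


def scan_jar(jar_bytes: bytes) -> list[dict]:
    """Decode every base64 resource in the JAR and report the SMS targets in it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith("/") or name.endswith(".class"):
                continue                          # directories and bytecode: skip
            text = try_base64(jar.read(name))
            if text is None:
                continue                          # not a base64 text resource
            for entry in parse_sms_tags(text):
                number = entry["number"]
                findings.append({
                    "resource": name,
                    "index": entry["index"],
                    "number": number,
                    "text": entry["text"],
                    "short_code": bool(number) and is_short_code(number),
                })
    return findings


def build_sample_jar() -> bytes:
    """Constructed stand-in for a SmsBox JAR; not a real sample."""
    payload = b"SMSNum-1: 1141\nSMSText-1: 85boks\n"      # tags from the analysis above
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "MIDlet-Name: SmsBox\n")
        jar.writestr("SmsBox.class", b"\xca\xfe\xba\xbe")    # placeholder, not real bytecode
        jar.writestr("Thumb.db", base64.b64encode(payload))  # the encoded data resource
        jar.writestr("icon.png", b"\x89PNG\r\n\x1a\n")       # binary, not base64: skipped
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_jar(build_sample_jar()):
        flag = "PREMIUM SHORT CODE?" if f["short_code"] else "long number"
        print(f"{f['resource']}: SMS #{f['index']} -> {f['number']} '{f['text']}' ({flag})")
```

Run against a real JAR by replacing build_sample_jar() with the file's bytes. The strict base64 check (validate=True plus a length multiple of four) is what keeps icons, the manifest and class files from producing false hits; a variant that obfuscates the resource name, as the main class here does, still has to leave the resource itself in the archive, so enumerating all non-class entries rather than looking for "Thumb.db" by name is deliberate.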
Variants we have analyzed target Russian end-users.
Figure 1. Russian main menu of Java/SmsBoxer.AU!tr. Choose between anonymous SMS, ready SMS, information and exit.
Figure 2. Anonymous SMS screen. Set the fields "from", "to" and "message".

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 1522508