
HackerTool/BtTerror!SymbOS - Released Jul 13, 2010 - Last Updated Jul 26, 2010

Alias/es

BtTerror.A (NetQin)

Detection Availability

Active Database / Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

Rapid battery loss due to Bluetooth device scanning and file sending.

Detailed Analysis

HackerTool/BtTerror!SymbOS is a hacking tool.
Installed on an attacker's Symbian phone, it repeatedly sends a file to the nearby Bluetooth devices it discovers (the victim devices).
The file is pushed forcibly: the victim cannot refuse or cancel the transfer, other than by making the device non-discoverable to other Bluetooth devices or by disabling Bluetooth altogether.



Technical Details


HackerTool/BtTerror!SymbOS is written in Python. It is packaged in a SIS file for installation on Symbian phones. It does, however, require the Python environment to be installed on the phone in order to run.
Once installed, the tool lets the attacker select the file to send. It then scans for visible Bluetooth devices, asks the attacker to pick a target and repeatedly pushes that file to the target via OBEX.
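The behaviour described above (one sender pushing the same file over OBEX to a target again and again) is what a defender would look for in Bluetooth push records. The following is an added detection example, not code from the original entry or from the tool itself; the log line format and the sample records are constructed for illustration, and the threshold and window values are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed (hypothetical) record format for an incoming OBEX object push:
# "<ISO time> OBEX PUT from <BD_ADDR> name=<file> size=<bytes> result=<status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) OBEX PUT from (?P<addr>(?:[0-9A-F]{2}:){5}[0-9A-F]{2}) "
    r"name=(?P<name>\S+) size=(?P<size>\d+) result=(?P<result>\w+)$"
)

# Constructed sample: one sender repeats photo.jpg six times in 25 seconds,
# a second sender pushes a single contact card, plus one unrelated line.
SAMPLE_LOG = [
    "2010-07-13T10:00:00 OBEX PUT from 00:11:22:33:44:55 name=photo.jpg size=2048 result=stored",
    "2010-07-13T10:00:05 OBEX PUT from 00:11:22:33:44:55 name=photo.jpg size=2048 result=stored",
    "2010-07-13T10:00:10 OBEX PUT from 00:11:22:33:44:55 name=photo.jpg size=2048 result=stored",
    "2010-07-13T10:00:15 OBEX PUT from 00:11:22:33:44:55 name=photo.jpg size=2048 result=stored",
    "2010-07-13T10:00:20 OBEX PUT from 00:11:22:33:44:55 name=photo.jpg size=2048 result=stored",
    "2010-07-13T10:00:25 OBEX PUT from 00:11:22:33:44:55 name=photo.jpg size=2048 result=stored",
    "2010-07-13T10:02:00 OBEX PUT from AA:BB:CC:DD:EE:FF name=contact.vcf size=300 result=stored",
    "2010-07-13T10:02:01 BT inquiry completed, 3 devices found",
]

def parse(lines):
    """Parse OBEX push records; lines in any other format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "addr": m["addr"], "name": m["name"],
                           "size": int(m["size"]), "result": m["result"]})
    return events

def find_push_floods(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {sender address: total pushes} for every sender that pushed the
    same file name at least `threshold` times inside any `window`."""
    by_key = defaultdict(list)
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        by_key[(ev["addr"], ev["name"])].append(ev["ts"])
    floods = {}
    for (addr, name), times in by_key.items():
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                floods[addr] = max(floods.get(addr, 0), len(times))
                break
    return floods

if __name__ == "__main__":
    print(find_push_floods(SAMPLE_LOG))  # {'00:11:22:33:44:55': 6}
```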

Figure 1. Welcome text of HackerTool/BtTerror!SymbOS
On the attacker's device, installed files are listed below:
  • !:\system\libs\lite_fm.pyc: legitimate lightweight file manager Python library
  • !:\system\libs\bt_teror.pyc: malicious Bluetooth library. Some samples contain the uncompiled version (.py), others the compiled code (.pyc)
  • !:\system\apps\bt_terror\default.py: main malicious entry point that calls the Bluetooth library
  • !:\system\apps\bt_terror\bt_terror.rsc
  • !:\system\apps\bt_terror\bt_terror.app
  • !:\system\apps\bt_terror\bt_terror.aif
  • popup0.txt: installation message

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 1926414