SymbOS/Flocker.AB!tr.python - Released Jan 30, 2009 - Last Updated Feb 13, 2009
Alias(es): Trojan-SMS.Python.Flocker.ab
Visible Symptoms
- Abnormally high phone bill.
- Unexpected sending of SMS messages to the short number 151.
- Keypad locking repeatedly.
- Presence of any of the following files:
- %system%\apps\MyPro\Rizal2.exe
- %system%\apps\MyPro\MyPro.pyc
Detailed Analysis
This Trojan horse is a variant of SymbOS/Flocker.A!tr.python. It poses as an "SMS Bomber IM3" application for an Indonesian mobile phone carrier. After installation by an unsuspecting user, it appears in the menu like any legitimate application (Figure 1 below).
Figure 1: Menu icon as "SMS Bomber IM3"
When run from the menu, it locks the keypad and attempts to send SMS messages to the short number "151". Each such message carries a command that triggers a micro-transfer of funds (typically under $1) between IM3 pre-paid card holders. The funds go to an IM3 pre-paid card, possibly held by the Trojan authors, where they can be used to buy other IM3 services (calls, SMS/MMS, ring tones, etc.).
Figure 2: M3-Transfer functionality
This malware affects phones running Symbian OS versions prior to 9.
Technical details
This piece of malware comes in the form of a SIS archive embedding Python script files and, as such, can only run on phones on which Python is installed.
It drops the following files:
- %system%\apps\MyPro\default.py
- %system%\apps\MyPro\MyPro.aif
- %system%\apps\MyPro\MyPro.app
- %system%\apps\MyPro\MyPro.pyc
- %system%\apps\MyPro\MyPro.rsc
- %system%\apps\MyPro\Rizal2.exe
- %system%\data\autorun.mdl
- %system%\data\mypro.flg
- %system%\libs\appswitch.pyd
- %system%\libs\messaging.py
- %system%\libs\pykeylock.py
- %system%\libs\_messaging.pyd
- %system%\libs\_pykeylock.pyd
- %system%\recogs\mypro.cfg
The files in %system%\apps\MyPro\ are the malware's main components.
The files %system%\data\autorun.mdl, %system%\data\mypro.flg and %system%\recogs\mypro.cfg mainly serve to give the malware autostart capability.
The file appswitch.pyd is a legitimate application library used for switching between, listing, ending and killing running applications.
The file %system%\libs\_messaging.pyd is a native EPOC binary and %system%\libs\messaging.py is a Python script; both provide SMS-sending capability.
The file %system%\libs\_pykeylock.pyd is a native EPOC binary and %system%\libs\pykeylock.py is a Python script; both provide functions for locking and unlocking the handset's keypad.
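As an added example (not part of the original advisory and not Fortinet code), the following Python script checks a copy of a phone's system drive for the drop set listed above. It assumes the drive has been copied or mounted to a local directory that stands in for %system%, compares paths case-insensitively because Symbian file systems are, and treats appswitch.pyd, which the advisory calls legitimate, as no evidence on its own. The verdict rules ("infected" when any apps\MyPro\ file is present, "suspicious" when only support files are) and the planted sample tree are this example's assumptions.

```python
"""Added example (not from the advisory): scan a copied Symbian system drive
for the Flocker.AB drop set.

Assumption: %system% has been copied or mounted to a local directory `root`.
Paths are matched case-insensitively (Symbian file systems are).
"""
import os
import tempfile
from pathlib import Path, PureWindowsPath

# Dropped files as listed in the advisory, relative to %system%.
DROPPED_FILES = [
    r"apps\MyPro\default.py",
    r"apps\MyPro\MyPro.aif",
    r"apps\MyPro\MyPro.app",
    r"apps\MyPro\MyPro.pyc",
    r"apps\MyPro\MyPro.rsc",
    r"apps\MyPro\Rizal2.exe",
    r"data\autorun.mdl",
    r"data\mypro.flg",
    r"libs\appswitch.pyd",
    r"libs\messaging.py",
    r"libs\pykeylock.py",
    r"libs\_messaging.pyd",
    r"libs\_pykeylock.pyd",
    r"recogs\mypro.cfg",
]

# The advisory calls the apps\MyPro\ files the malware's main components ...
MAIN_COMPONENT_DIR = "apps/mypro"
# ... and these three the autostart mechanism.
AUTOSTART_FILES = {"data/autorun.mdl", "data/mypro.flg", "recogs/mypro.cfg"}
# appswitch.pyd is a legitimate library; its presence alone proves nothing.
NOT_EVIDENCE = {"libs/appswitch.pyd"}


def _norm(rel):
    """Normalise an advisory path (backslashes, any case) to a lowercase POSIX key."""
    return PureWindowsPath(rel).as_posix().lower()


def index_tree(root):
    """Map lowercase relative POSIX path -> real path for every file under root."""
    root = Path(root)
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            index[full.relative_to(root).as_posix().lower()] = full
    return index


def scan_system_root(root):
    """Report which dropped files exist under root and a verdict (assumed rules)."""
    index = index_tree(root)
    found = [f for f in DROPPED_FILES if _norm(f) in index]
    main = [f for f in found if _norm(f).startswith(MAIN_COMPONENT_DIR + "/")]
    autostart = [f for f in found if _norm(f) in AUTOSTART_FILES]
    evidence = [f for f in found if _norm(f) not in NOT_EVIDENCE]
    if main:
        verdict = "infected"
    elif evidence:
        verdict = "suspicious"  # support files only; inspect by hand
    else:
        verdict = "clean"
    return {"found": found, "main_components": main,
            "autostart": autostart, "verdict": verdict}


def plant_files(root, rel_paths):
    """Create empty files (constructed test data) at advisory-style paths."""
    for rel in rel_paths:
        p = Path(root).joinpath(*PureWindowsPath(rel).parts)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()


def demo(infected=True):
    """Build a constructed snapshot in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        if infected:
            # Partial drop set with mixed case, as a PC-side copy might store it.
            plant_files(root, [r"Apps\MyPro\MYPRO.PYC", r"apps\MyPro\Rizal2.exe",
                               r"data\autorun.mdl", r"recogs\mypro.cfg",
                               r"libs\appswitch.pyd", r"libs\_pykeylock.pyd"])
        else:
            plant_files(root, [r"libs\appswitch.pyd", r"apps\Calendar\Calendar.app"])
        return scan_system_root(root)


if __name__ == "__main__":
    print(demo())
    print(demo(infected=False))
```

Run it against a real copy with `scan_system_root("/path/to/copied/system")`; `demo()` only exercises the planted tree. Because matching is by path only, a clean phone that legitimately carries appswitch.pyd is reported clean, while any apps\MyPro\ file is treated as a positive.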
When installed, this malicious application displays a splash screen (Figure 3).
Figure 3: Splashscreen
Once the application is launched, its malicious activity consists of silently locking the keypad and sending an SMS. The malware continuously monitors the keypad's lock status: as soon as the victim unlocks the phone, it re-locks it and sends another SMS. Several SMS messages may therefore be sent without the user's consent.
The SMS messages sent to "151" each attempt to transfer Rp 5000 to an IM3 pre-paid card holder. Their content is fixed (hard-coded) for a given variant of the malware, but differs between variants. The fund transfer only succeeds if the victim is also an IM3 card holder and initially has more than Rp 15500 on his or her account.
Note that this Flocker variant shares similar Python mechanisms with SymbOS/Flocker.A!tr.python. The rest is completely different: a different Trojan application, a different SMS payload and destination number, and different goals.
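As an added example (not from the advisory), here is a Python heuristic for the behaviour described above: the lock/unlock loop produces a burst of outgoing SMS to 151, and each message tries to move Rp 5000. The log format, the 10-minute window and the three-message threshold are this example's assumptions; the destination number and the per-message amount are the advisory's. The sample log is constructed, and its message bodies are placeholders because the real command text is hard-coded per variant and not reproduced on this page.

```python
"""Added example (not part of the original advisory): flag the burst of
outgoing SMS to 151 that the keypad lock/unlock loop produces.

Assumption: a plain-text message log with one message per line,
"<ISO timestamp> <IN|OUT> <number> <text>". Window and threshold are this
example's choices, not values from the advisory.
"""
from datetime import datetime, timedelta

SHORT_NUMBER = "151"              # destination named in the advisory
TRANSFER_RP = 5000                # amount each message tries to move (advisory)
WINDOW = timedelta(minutes=10)    # assumption: how close messages must be
BURST_THRESHOLD = 3               # assumption: messages per window that count as a burst

# Constructed sample log, not real data. Bodies are placeholders.
SAMPLE_LOG = """\
2009-02-01T10:00:05 OUT 6281234567890 see you at 7
2009-02-01T10:12:40 IN 151 account notice
2009-02-01T10:13:02 OUT 151 transfer-request
2009-02-01T10:13:31 OUT 151 transfer-request
2009-02-01T10:15:10 OUT 151 transfer-request
2009-02-01T13:40:00 OUT 151 transfer-request
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    msgs = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        msgs.append({"ts": ts, "direction": parts[1], "number": parts[2],
                     "text": parts[3] if len(parts) == 4 else ""})
    return msgs


def outgoing_to(msgs, number=SHORT_NUMBER):
    """Outgoing messages to `number`, oldest first."""
    return sorted((m for m in msgs if m["direction"] == "OUT" and m["number"] == number),
                  key=lambda m: m["ts"])


def find_bursts(msgs, number=SHORT_NUMBER, window=WINDOW, threshold=BURST_THRESHOLD):
    """Group outgoing messages to `number`: a group holds every message within
    `window` of the group's first message. Groups of `threshold` or more are bursts."""
    groups = []
    for m in outgoing_to(msgs, number):
        if groups and m["ts"] - groups[-1][0]["ts"] <= window:
            groups[-1].append(m)
        else:
            groups.append([m])
    return [{"start": g[0]["ts"], "end": g[-1]["ts"], "count": len(g)}
            for g in groups if len(g) >= threshold]


def attempted_transfer_rp(msgs, number=SHORT_NUMBER):
    """Upper bound on what the messages tried to move (Rp 5000 each, per the
    advisory). Whether each succeeded depends on the victim's balance."""
    return len(outgoing_to(msgs, number)) * TRANSFER_RP


def report(text):
    """Parse a log and summarise the 151 traffic in it."""
    msgs = parse_log(text)
    bursts = find_bursts(msgs)
    return {
        "messages_to_151": len(outgoing_to(msgs)),
        "bursts": bursts,
        "attempted_transfer_rp": attempted_transfer_rp(msgs),
        "suspicious": bool(bursts),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the constructed log, the three messages sent within two minutes of each other form one burst and the lone afternoon message does not; the attempted-transfer figure counts all four. A single legitimate message to 151 stays below the threshold, which is why the grouping is done per window rather than on destination alone.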
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.