Trao đổi với tôi

http://www.buidao.com

12/7/10

[Symbian] SymbOS/Album: One Step Closer To Mobile Botnets

by Axelle Apvrille
July 15, 2010 at 1:16 pm

The more I analyze the SymbOS/Album malware, the more it scares me.

The main malicious executable, Album.exe, is actually capable of processing incoming commands included in SMS messages sent by the value-added service provider number 106650xxx. Typical commands are: download and install software, get phone information or update software. Now, that starts to look like a botnet, even though it isn’t (yet?) a very scalable way to communicate with bots because the bot master must send an SMS to each bot it manages.

More in details, the Album executable creates a global message queue (RMsgQueueBase::CreateGlobal), named ‘my_pf_queue_1′. It is notified as soon as a message arrives in the queue (RMsgQueueBase::NotifyDataAvailable), retrieves the message (RMsgQueueBase::Receive) and processes its command.

Album-ReceiveMsg

Figure 1. Disassembly of the function reading a message from the message queue.

The command parser looks for command strings such as [!@#] or [%@#] in the service provider’s SMS and triggers the corresponding command. 4 different commands have been identified:

  • DoCmdSPOrder: sends a given number of SMS and logs the command in a file (c:\private\2002A22C\init_sp_order.txt)
  • DoCmdDlAndInstall: downloads a given software package and installs it. We will discuss that one further.
  • DoCmdGetPhoneInfo: gets phone’s model, IMEI and IMSI, and subsequently send 2 SMS.
  • StartUpdatePolicy: modifies the update time and interval with the service provider. Information is logged in c:\private\2002A22C\frame_update_date.txt and c:\private\2002A22C\frame_update_interval.txt respectively.
Album-Commands-highlight

Figure 2. Disassembly of the Base Command Parser DLL. Shows different types of commands.

In the case of the download and install command, the Base Command Parser DLL calls a function of the Frame HTTP DLL (FrameHttpEngine.dll). This module implements a web client with a download manager. The URI is added to a queue of URI to download, and the HTTP engine periodically checks this queue and downloads the requested URIs. The downloaded URI is dumped on the mobile phone in a file named c:\data\1.sisx. Then, as in SymbOS/Yxes, SymbOS/Album uses the SW Installer Launcher API to silently install the package on the mobile phone (RSWInstSilentLauncher::SilentInstall). The end-user sees no popup at all and cannot accept/decline this installation.

Album-SilentInstall

Figure 3. Once the URI is successfully downloaded, call the function that installs the package

Album-callswinst4-cut

Finally, for those with doubts, it is true a value-added service provider (VASP) might be expected to implement some kind of communication protocol between their server and the end-user’s mobile phone. But a legitimate VASP would make its activity and induced costs (SMS sending, WAP connections) explicit, and only install with user’s full consent. On the contrary, a Trojan would certainly use unexplicit names such as “Phone Framework” or “MMS Album” and care to hide its SMS and the installation of downloaded software.

– the Crypto Girl

reflink: http://blog.fortinet.com/tag/mobile-security/