July 15, 2010 at 1:16 pm
The more I analyze the SymbOS/Album malware, the more it scares me.
The main malicious executable, Album.exe, is actually capable of processing incoming commands included in SMS messages sent by the value-added service provider number 106650xxx. Typical commands are: download and install software, get phone information or update software. Now, that starts to look like a botnet, even though it isn’t (yet?) a very scalable way to communicate with bots because the bot master must send an SMS to each bot it manages.
More in details, the Album executable creates a global message queue (RMsgQueueBase::CreateGlobal), named ‘my_pf_queue_1′. It is notified as soon as a message arrives in the queue (RMsgQueueBase::NotifyDataAvailable), retrieves the message (RMsgQueueBase::Receive) and processes its command.
The command parser looks for command strings such as [!@#] or [%@#] in the service provider’s SMS and triggers the corresponding command. 4 different commands have been identified:
- DoCmdSPOrder: sends a given number of SMS and logs the command in a file (c:\private\2002A22C\init_sp_order.txt)
- DoCmdDlAndInstall: downloads a given software package and installs it. We will discuss that one further.
- DoCmdGetPhoneInfo: gets phone’s model, IMEI and IMSI, and subsequently send 2 SMS.
- StartUpdatePolicy: modifies the update time and interval with the service provider. Information is logged in c:\private\2002A22C\frame_update_date.txt and c:\private\2002A22C\frame_update_interval.txt respectively.
In the case of the download and install command, the Base Command Parser DLL calls a function of the Frame HTTP DLL (FrameHttpEngine.dll). This module implements a web client with a download manager. The URI is added to a queue of URI to download, and the HTTP engine periodically checks this queue and downloads the requested URIs. The downloaded URI is dumped on the mobile phone in a file named c:\data\1.sisx. Then, as in SymbOS/Yxes, SymbOS/Album uses the SW Installer Launcher API to silently install the package on the mobile phone (RSWInstSilentLauncher::SilentInstall). The end-user sees no popup at all and cannot accept/decline this installation.
Finally, for those with doubts, it is true a value-added service provider (VASP) might be expected to implement some kind of communication protocol between their server and the end-user’s mobile phone. But a legitimate VASP would make its activity and induced costs (SMS sending, WAP connections) explicit, and only install with user’s full consent. On the contrary, a Trojan would certainly use unexplicit names such as “Phone Framework” or “MMS Album” and care to hide its SMS and the installation of downloaded software.
– the Crypto Girl