SYMBOS_FLOCK.I – Where Does It Come From?

July 5, 2010 by admin  
Filed under Security News

Yesterday we blogged about a new piece of Symbian malware, which we detected as SYMBOS_FLOCK.I. This malware targets users of older Series 60 devices.


Overall, the malware itself is very simple in its operation. It first prompts the user to install an application called ZvirOK 5.2!. The name suggests that there are previous versions of this malware in existence (that, or it took the malware writer at least five attempts to get it right). Alternatively, the malware author wanted us to think that this is a legitimate application and added the version number to make it appear as such.

Another interesting fact is that the word Zvirok (Зверёк) roughly translates from Russian as “small animal”, which is sometimes used as a nickname, indicating that this malware is of Russian origin. However, the Symbian Installer package (the .SIS file) specifies the language of the application as PRC Chinese, which muddies the question of where this malware really came from.

After installation, the malware executes a very simple Python script which uses some of Nokia’s Python for S60 libraries to send an SMS containing the text mumym xxx joker90 to the number 7205. The number 7205 is what is known as an SMS short code, a special shortened phone number for SMS or MMS messages that is normally used for competitions and marketing; messages to premium-rate short codes are charged to the sender, so they can be quite expensive to use. The malware does not spread itself in any way.

The number of digits in SMS short codes varies from country to country – for example, in the US it is normally 5 or 6 digits, whereas in the UK it is fixed at 5 digits and begins with either a 6 or an 8. Unfortunately, both China and Russia use 4-digit SMS short codes, so there is no further hint here on the origin of this malware.
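What a triage script for this kind of sample might look like, as an added example that is not part of the original post and is neither the malware’s own script nor Trend Micro’s code: it parses a PyS60-style Python script, finds calls to sms_send with a literal recipient (Nokia’s Python for S60 messaging module exposes sms_send(number, message)), flags recipients that look like short codes, and reports which of the countries named above the number’s format fits. The three input scripts are constructed for the example, and the short-code rules are the ones quoted in the text, so they are a triage heuristic, not a complete allocation table.

```python
import ast
import re

# Short-code conventions quoted in the post: US 5 or 6 digits, UK 5 digits
# beginning with 6 or 8, China and Russia 4 digits. Assumed complete enough
# for triage only; real allocations vary by operator.
SHORT_CODE_RULES = {
    "US": re.compile(r"\d{5,6}"),
    "UK": re.compile(r"[68]\d{4}"),
    "CN": re.compile(r"\d{4}"),
    "RU": re.compile(r"\d{4}"),
}

# Regex fallback for scripts the Python 3 parser rejects (PyS60 code is
# Python 2.2, so `print "x"` statements are common). Matches a literal
# recipient and message passed to sms_send(...).
_SMS_SEND_RE = re.compile(
    r"""sms_send\(\s*u?["']([^"']+)["']\s*,\s*u?["']([^"']*)["']"""
)


def is_short_code(number):
    """A bare 4-6 digit recipient with no country prefix is treated as a short code."""
    return re.fullmatch(r"\d{4,6}", number) is not None


def possible_countries(number):
    """Countries whose short-code format the number fits (sorted for stable output)."""
    return sorted(c for c, rx in SHORT_CODE_RULES.items() if rx.fullmatch(number))


class _SmsSendFinder(ast.NodeVisitor):
    """Collect (recipient, message) pairs from sms_send calls with literal arguments."""

    def __init__(self):
        self.hits = []

    def visit_Call(self, node):
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name == "sms_send" and len(node.args) >= 2:
            recipient, message = node.args[0], node.args[1]
            if isinstance(recipient, ast.Constant) and isinstance(recipient.value, str):
                text = message.value if isinstance(message, ast.Constant) else None
                self.hits.append((recipient.value, text))
        self.generic_visit(node)


def find_sms_sends(source):
    """Return literal sms_send(recipient, message) calls found in the script.
    Falls back to the regex when the source is not valid Python 3."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return [(m.group(1), m.group(2)) for m in _SMS_SEND_RE.finditer(source)]
    finder = _SmsSendFinder()
    finder.visit(tree)
    return finder.hits


def scan_script(source):
    """Flag every literal SMS send whose recipient looks like a short code."""
    findings = []
    for number, text in find_sms_sends(source):
        if is_short_code(number):
            findings.append({
                "number": number,
                "text": text,
                "countries": possible_countries(number),
            })
    return findings


# Constructed inputs, not the real malware. The first mimics the behaviour the
# post describes; the second sends an ordinary message to a full number in the
# UK fictional 07700 900xxx range; the third is Python 2 style like real PyS60 code.
SUSPECT_SCRIPT = '''
import messaging
messaging.sms_send("7205", "mumym xxx joker90")
'''

BENIGN_SCRIPT = '''
import messaging
messaging.sms_send("+447700900123", "running late, see you at 8")
'''

LEGACY_SCRIPT = '''
import messaging
print "sending"
messaging.sms_send(u"7205", u"mumym xxx joker90")
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_SCRIPT), ("benign", BENIGN_SCRIPT), ("legacy", LEGACY_SCRIPT)):
        print(label, scan_script(src))
```

The check only sees recipients that appear as string literals; a script that assembles the number at runtime from pieces, or reads it from a file in the package, would need the emulation-based analysis the static scan cannot do, which is why a hit here is a triage signal and a miss is not a clean bill.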


The last clue, perhaps, is in the SMS content itself. It’s highly likely that the phrase Joker90 refers to a particular model of scooter from Honda. Perhaps this SMS short code is used to enter a competition to win one of these scooters. If that is the case, I’m leaning towards China as the source of this malware, as scooters are more popular in China than in Russia, generally speaking.

Regardless of the source, however, this will not be the last of this type of malware that we see. Creating this kind of malware is fairly trivial, and there is also a modest amount of money to be made. It is doubtful that any major cybercriminal will be packing up their botnets and moving to mobile malware anytime soon, but it continues to serve as an introduction to crime for attackers on the first steps of the cybercrime ladder.

Source: http://blog.trendmicro.com

Backdoors in Twitter, Now in Arabic

June 30, 2010 by admin  
Filed under Security News

Twitter is becoming a common medium to spread spam, malware and all kinds of badness. Just a few weeks ago, we wrote about FIFA and the Gaza attacks being used as social engineering leverage by Trojan creators, and there are no signs of them stopping any time soon.


Over the past two weeks, several Twitter accounts were created for the sole purpose of tweeting Poison Ivy or Bifrost download links. Both Poison Ivy and Bifrost are backdoors, malicious programs that allow an unauthorized user access to the infected machine. Interestingly, these backdoor programs are uploaded to either freewebtown.com or leadhoster.com, both free web hosting sites.

For some of our readers, these things aren’t new, but what caught my eye were the tweets written in Arabic.


Cybercrime groups it seems, are broadening the scope of their social engineering by employing localization techniques. Quite clever huh?


Lastly, these rogue Twitter accounts have either very few or no followers and followings, which means the only way for potential victims to see the backdoor URL is to do a Twitter search with the appropriate keywords. Hmmm… blackhat SEO, Twitter style, anyone?


Source: http://blog.trendmicro.com/

Malware Sales Through Social Networks

June 30, 2010 by admin  
Filed under Security News

Social media has affected business organizations in many different ways over the years, and those effects have produced a rather complicated relationship between the two.

Social media has proven to be an effective marketing tool for businesses. Data collected last year from Fortune’s Global 100 revealed that more than 50 percent of the said companies have Twitter, Facebook, and YouTube accounts. On the other hand, social media tools such as social networks have been reported to affect office productivity and also serve as popular media for online threats.


In the same way that businesses use social media, cybercriminals do as well. Just recently, we saw an advertisement for fake point-of-sale (POS) devices in an underground forum where the seller offered a fake POS device for 1,000 EUR.


This time, we found an advertisement for a malicious tool in a more “mainstream” channel.

The YouTube video (embedded in the original post) was actually an advertisement for a distributed denial-of-service (DDoS) tool. A screenshot of the tool is shown in the video, while its features and other details, such as the price and the URL from which to purchase the tool, are listed in the video description. (It has since been taken down by YouTube.)

Notably, the video had more than 600 views. Though the number is relatively small, one can’t help but wonder how many of those viewers were enticed enough to visit the given site and to purchase the tool. After all, it’s only US$15.


The said post is just one of the many malware ads in social networks. If anything, the above-mentioned advertisement only goes to show that cybercriminals are using social networks the same way legitimate businesses do to gain “customers” even if the customers in question are other cybercriminals.


For best practices to follow in managing a social network account, you can check our white paper, “Security Guide to Social Networks.”


Source: http://blog.trendmicro.com/

New Symbian Malware On The Scene

June 30, 2010 by admin  
Filed under Security News

New versions of mobile operating systems like Apple’s iOS and Google’s Android may be in the news of late, but for all the publicity both receive, the older Symbian operating system still made up around half of all smartphones sold in 2009. Advanced Threat Researcher Paul Ferguson came across a new suspicious application running on the S60 platform.

Calling itself ZvirOK, the application has one primary payload: to send a text message to the number 7250, with the text mumym xxx joker90. The intent behind this is unclear; perhaps it is related to the premium-rate pay services frequently provided by mobile operators, in which case it could cost the user money, particularly if the fees are high. Beyond that, however, no one can really say for sure.

Trend Micro products detect this malicious application as SYMBOS_FLOCK.I. The Python script responsible for sending the text message is detected as TROJ_FLOCK.I.


Source: http://blog.trendmicro.com/

Tests Show Problems With AV Detections

February 7, 2010 by admin  
Filed under Security News

Dateline: Moscow.


Here at a security press conference held by Kaspersky Lab, the company demonstrated how some malware detections are easily triggered by innocuous programs.


The problem arises when one vendor detects a threat. Samples are often passed on to other vendors, through multi-scanning services like VirusTotal. The fact that another vendor, particularly a respected one like Kaspersky, detects a threat is enough of a reason to take a serious look at the sample.


After suspecting such problems, Kaspersky created a test which demonstrated the phenomenon. They wrote a series of simple and innocuous programs, compiled them, created false detections for them in their engine, and then submitted the files to Virustotal. Only Kaspersky detected the files at this point.


But standard procedure with VirusTotal is that if at least one of the products detects a submitted sample, it is submitted to the others who didn’t detect it. The idea is that they can then analyze the file and create their own detection.


Instead, what they found was that other companies were creating detections for the false submissions from Kaspersky. The programs create some variables and perform simple mathematical operations on them. They don’t even touch the file system. Kaspersky provided me with the programs and the source code.


The original article included screenshots of some of these detections.

But it turns out that the fact that Kaspersky was detecting the threats was not the only reason the others were. The real problems were the aggressive heuristics in the products and the fact that only a static scan was performed.

And there is something suspicious about a program that appears to do nothing and then exits. Other vendors I communicated with on the matter said that the behavior was not surprising and that a live on-access detection on a system with their product installed would not be the same. For instance, F-Secure said that “[o]n the end users Windows box, these alerts would show up as a prompt, asking the user whether he really trusts the program. In addition, we have massive whitelist databases in our back-ends, so such prompts would only appear from new, unknown applications.”
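As an added example, not from the article, Kaspersky or VirusTotal: a small triage helper that takes a multi-scanner result in a simplified, constructed shape ({vendor: detection name or None}, not the VirusTotal API schema) and separates specific family names from heuristic or generic verdicts, so that a file flagged by many engines with only one named detection is treated as a possible echo of one vendor’s signature rather than as independent confirmation. The marker list, the vendor and detection names, and the weighting are my own assumptions for illustration.

```python
import re

# Substrings that mark a heuristic or generic verdict rather than a signature
# for an analysed family. Constructed for illustration; vendors' naming
# conventions differ and a real list would be tuned per engine.
GENERIC_MARKERS = re.compile(
    r"(heur|generic|suspicious|susp\b|unclassified|packed|malicious\.|gen\b|agent\b)",
    re.IGNORECASE,
)


def classify_detection(name):
    """Return 'clean', 'generic' or 'named' for one engine's verdict."""
    if name is None:
        return "clean"
    if GENERIC_MARKERS.search(name):
        return "generic"
    return "named"


def summarize(report):
    """report: {vendor: detection name or None}. A simplified, constructed
    shape for a multi-scanner result, not the VirusTotal API schema."""
    verdicts = {vendor: classify_detection(name) for vendor, name in report.items()}
    named = sorted(v for v, c in verdicts.items() if c == "named")
    generic = sorted(v for v, c in verdicts.items() if c == "generic")
    total = len(report)
    # Weighting is an assumption: a named detection counts fully, a heuristic
    # or generic one a quarter, so "12 of 40, all heuristic" does not read
    # like twelve independent analyses.
    score = (len(named) + 0.25 * len(generic)) / total if total else 0.0
    return {
        "total": total,
        "flagged": len(named) + len(generic),
        "named": named,
        "generic": generic,
        "score": round(score, 3),
    }


def likely_detection_echo(report, min_flagged=2):
    """True when several engines flag the file but at most one gives a specific
    family name: the pattern the Kaspersky test files produced."""
    summary = summarize(report)
    return summary["flagged"] >= min_flagged and len(summary["named"]) <= 1


# Constructed reports with made-up vendor and detection names.
ECHO_REPORT = {
    "VendorA": "Trojan.Win32.Testfile.a",
    "VendorB": "Heur.Suspicious.Gen",
    "VendorC": "Generic.Malware!ml",
    "VendorD": None,
    "VendorE": "Suspicious.Packed",
}

FAMILY_REPORT = {
    "VendorA": "Trojan-Downloader.Win32.Sample.a",
    "VendorB": "Win32/Sample.B",
    "VendorC": "TrojanDownloader:Win32/Sample",
    "VendorD": None,
}

if __name__ == "__main__":
    for label, rep in (("echo", ECHO_REPORT), ("family", FAMILY_REPORT)):
        print(label, summarize(rep), "echo?", likely_detection_echo(rep))
```

The point of the split is the one the article makes: a raw "4 of 5 engines" count treats a copied or heuristic verdict the same as an analyst's signature, whereas the echo check makes a second look mandatory before the file is escalated on the strength of the count alone.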


I suspected that the compiler used to generate the samples might itself be an issue, so I asked Kaspersky about it. They used the MinGW cross-compiler, a GCC build for Linux that generates Win32 binaries. It’s possible that the same source code compiled with Microsoft Visual Studio would have generated a different reaction in the anti-malware products, not that it should make a difference. But Kaspersky then created a “hello world” program with the same compiler and settings and uploaded it to VirusTotal; hours later, even though there were no Kaspersky detections, two other products called the sample “suspicious”.

This problem is not entirely new; Hispasec Sistemas Lab of Spain, the company that operates VirusTotal, wrote about it a few months ago (original Spanish, Google translation to English). As they point out, the volume of samples coming into company labs is so enormous that the vast majority has to be handled by automated analysis processes, and perhaps they are designed to be a little more paranoid than humans.


Kaspersky Lab has written an Analyst’s Diary entry on the issue as well.


By Larry Seltzer from PCMag.com