
Detecting the Malicious Version of Mosquitoes v2

Cellular phone malware is a relatively new phenomenon. We knew of no clear instructions for dissecting Symbian malware, and we had no prior experience with the platform. But we've developed a successful antivirus scanner for a similar platform (Windows Mobile/Pocket PC), and we've written papers on ARM-based reverse engineering. So, out of curiosity, we downloaded the infected warez to see whether we could take a look under the hood. By reporting our findings here, we hope to inspire others to take the analysis further.

Finding the Suspicious File

Every instance of this Trojan that we've encountered is packaged as a .sis file, the Symbian installation package format. Specific tools are needed to view the contents of a .sis file on a PC; most are freeware and easily available. Here are a couple of favorites:

  • SisView is a freeware plug-in for the shareware file manager Total Commander that lets you view the contents of any .sis file. System admins can use it to look inside .sis files stored on their servers for the .nfo files that often accompany cracker group releases (pirated software). The malicious version of the Mosquito game is a cracked release, so this check can help with initial detection.

  • UnMakeSIS is a freeware tool for unpacking Symbian .sis files, which makes analyzing and extracting their contents relatively easy. When using UnMakeSIS, set your screen resolution to 1024x768; the program doesn't adjust to your screen size, and at other resolutions you may find that the controls needed to extract the .sis file are unreachable.

Opening the Mosquito package in UnMakeSIS shows that it contains a file named Mosquitos.app, the game's application binary (see Figure 2).

Figure 2 Using UnMakeSIS to extract the Mosquitos.app file.

Viewing the Code

Extracting Mosquitos.app to your computer lets you examine its code with two basic techniques.

The first technique is hex editing. A simple hex editor (see Figure 3) shows the raw bytes of the file along with any readable strings embedded in it.

Figure 3 Selected hex dump of Mosquitos.app, showing what appears to be the name of the malware author.

Looking through the embedded strings, we find the following line:

Free Version cracked by SODDOM BIN LOADER

Finding the SMS Call Routine in the Mosquitos.app File

A hex editor gives us some preliminary information about the file, but not enough to prove that it is a malicious dialer. For that we need a disassembler; the tool we highly recommend is IDA Pro.

IDA resolves the following SMS call routines. Each one is an import thunk: it loads the address of an imported function from the import table into R12 and branches to it. The mangled names demangle to CSmsRecipient::NewL and CSmsHeader::NewL, two classes of Symbian's SMS messaging API used to construct an SMS message header and its recipient:

.text:1000B8CC
.text:1000B8CC loc_1000B8CC                            ; CODE XREF: sub_1000049C+11C↑p
.text:1000B8CC                 LDR     R12, =NewL__13CSmsRecipient
.text:1000B8D0                 LDR     R12, [R12]
.text:1000B8D4                 BX      R12
.text:1000B8D4 ; ---------------------------------------------------------------------------
.text:1000B8D8 off_1000B8D8    DCD NewL__13CSmsRecipient ; DATA XREF: .text:1000B8CC↑r
.text:1000B8D8                                         ; CSmsRecipient::NewL(void)
.text:1000B8DC ; ---------------------------------------------------------------------------
.text:1000B8DC
.text:1000B8DC loc_1000B8DC                            ; CODE XREF: sub_1000049C+124↑p
.text:1000B8DC                 LDR     R12, =NewL__10CSmsHeaderQ211CSmsMessage11TSmsMsgTypeR10CPlainText
.text:1000B8E0                 LDR     R12, [R12]
.text:1000B8E4                 BX      R12
.text:1000B8E4 ; ---------------------------------------------------------------------------
.text:1000B8E8 off_1000B8E8    DCD NewL__10CSmsHeaderQ211CSmsMessage11TSmsMsgTypeR10CPlainText
.text:1000B8E8                                         ; DATA XREF: .text:1000B8DC↑r
.text:1000B8E8                                         ; CSmsHeader::NewL(CSmsMessage::TSmsMsgType,CPlainText &)
.text:1000B8EC ; ---------------------------------------------------------------------------

NOTE

These are just a few selected examples; the SMS-related routines run to five pages of listing, too much to reproduce here.

The malicious game imports SMS routines. Note also that both thunks are called from the same function, sub_1000049C (at offsets +11C and +124, two ARM instructions apart), so one routine creates the recipient and then the message header. That makes Mosquitos one of the first documented Trojans written specifically for cellular phones. At the least, it's the first Symbian-based cellular phone dialer Trojan we've found.

Looking further, IDA's string list for the file contains the phone number 87140 (IDA names each string after its contents, so it appears as a87140), along with other short numbers that may also be SMS destinations. String name and address:

a9222          1000BA84
a4636          1000BA90
a87140         1000BA9C
a33333         1000BAA8

There's no legitimate reason for this game to use SMS routines. Combined with multiple user reports of surreptitious, paid text messages, this makes the Trojan a genuine threat.
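The detection steps above (recognize a .sis package, look inside it for the crack banner, then look for the SMS short codes in the unpacked binary) can be automated for triage. The following scanner is an added example written for this article, not code from the original analysis or from any tool mentioned here. It relies on two standard format facts (a Symbian OS 6-8 .sis file carries UID3 = 0x10000419 at byte offset 8, and an E32 image such as an .app file carries the signature "EPOC" at byte offset 16), and its indicator strings are exactly those the article reports; the sample .sis and .app blobs it scans are constructed inline and are not real Mosquitos binaries.

```python
"""Triage scanner for Symbian OS 6-8 .sis packages and the E32 images (.app)
unpacked from them. Added example; indicator strings come from the article."""
import re
import struct
import zlib
from dataclasses import dataclass, field

# Format facts: UID3 of a .sis file is 0x10000419 at byte offset 8; an E32
# image has the ASCII signature "EPOC" at byte offset 16. Both little-endian.
SIS_UID3 = 0x10000419
E32_SIGNATURE = b"EPOC"

# Indicators reported in the article: the crack banner found with a hex editor
# and the short codes IDA named a9222/a4636/a87140/a33333.
CRACK_BANNERS = [b"cracked by", b"SODDOM BIN LOADER"]
SHORT_CODES = [b"9222", b"4636", b"87140", b"33333"]


@dataclass
class Verdict:
    kind: str                          # "sis", "e32" or "unknown"
    hits: list = field(default_factory=list)   # (indicator, encoding, offset)

    @property
    def suspicious(self) -> bool:
        return bool(self.hits)


def identify(data: bytes) -> str:
    """Classify a blob by the two magic values above."""
    if len(data) >= 12 and struct.unpack_from("<I", data, 8)[0] == SIS_UID3:
        return "sis"
    if len(data) >= 20 and data[16:20] == E32_SIGNATURE:
        return "e32"
    return "unknown"


def inflate_embedded_streams(data: bytes) -> bytes:
    """SIS payloads are normally zlib-compressed, so the strings are invisible
    in the raw package. Inflate every candidate zlib stream (0x78 plus a
    common FLG byte) and return the concatenated output; false starts error out."""
    chunks = []
    for m in re.finditer(b"\x78[\x01\x5e\x9c\xda]", data):
        try:
            chunks.append(zlib.decompressobj().decompress(data[m.start():]))
        except zlib.error:
            continue
    return b"".join(chunks)


def find_indicators(data: bytes) -> list:
    """Search for each indicator as 8-bit text and as UTF-16LE, since Symbian
    descriptors are frequently 16-bit. Offsets are into the buffer searched."""
    hits = []
    for ind in CRACK_BANNERS + SHORT_CODES:
        text = ind.decode("ascii")
        for enc, needle in (("ascii", ind), ("utf-16le", text.encode("utf-16-le"))):
            for m in re.finditer(re.escape(needle), data):
                hits.append((text, enc, m.start()))
    return hits


def scan(data: bytes) -> Verdict:
    """Identify the container, then look for indicators in the raw bytes and,
    for a .sis, in whatever inflates out of it (offsets relative to the inflated data)."""
    verdict = Verdict(identify(data))
    verdict.hits = find_indicators(data)
    if verdict.kind == "sis":
        for text, enc, off in find_indicators(inflate_embedded_streams(data)):
            verdict.hits.append((text, enc + "/inflated", off))
    return verdict


def build_sample_app(malicious: bool = True) -> bytes:
    """Constructed E32-shaped blob (zeroed UIDs, "EPOC" at offset 16), not a real
    Mosquitos binary. The malicious variant embeds the article's strings."""
    blob = bytearray(b"\x00" * 16 + E32_SIGNATURE + b"\x00" * 44)
    if malicious:
        blob += b"Free Version cracked by SODDOM BIN LOADER\x00"
        for code in ("9222", "4636", "87140", "33333"):
            blob += code.encode("utf-16-le") + b"\x00\x00"
    return bytes(blob)


def build_sample_sis(malicious: bool = True) -> bytes:
    """Constructed .sis-shaped blob: UID1/UID2 zeroed, UID3 set, checksum field
    zeroed, some header padding, then a zlib-compressed E32 payload."""
    header = struct.pack("<IIII", 0, 0, SIS_UID3, 0) + b"\x00" * 32
    return header + zlib.compress(build_sample_app(malicious))


if __name__ == "__main__":
    for name, blob in (("mosquitos.sis", build_sample_sis()),
                       ("clean.sis", build_sample_sis(malicious=False))):
        v = scan(blob)
        print(f"{name}: {v.kind}, {len(v.hits)} hits, suspicious={v.suspicious}")
        for text, enc, off in v.hits:
            print(f"  {text!r} ({enc}) at offset {off:#x}")
```

Treat a hit on a four- or five-digit short code alone as weak evidence; those digit strings also occur in benign data, so the banner and the SMS API usage confirmed in IDA carry the weight. Run the same scan over the .app file UnMakeSIS extracts to check the inflated-view heuristic against a clean unpack.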
