InformIT

Summer Brings Mosquito-Borne Malware (Part 3 of 3)

Date: Aug 6, 2004


Concluding their discussion of the spread of viruses to handheld devices, Cyrus Peikari, Seth Fogie, Jonathan Read, and David Hettel analyze a brand-new bug: the first Trojan in the wild written specifically to infect cellular phones.

The summer of 2003 brought a new wave of deadly, mosquito-borne viruses. This summer, a new Mosquito-borne infection arrived. But it didn't attack humans. Rather, it infected cellular phones.

The Symbian operating system powers many cellular phones, and also supports a wide range of third-party applications—including games. Unfortunately, one popular game turned out to have a "cracked" version that was secretly infected with a Trojan horse. The Mosquito dialer Trojan infects the popular game Mosquito with code that secretly messages pay-per-call numbers.

What Is a Dialer Trojan?

A dialer Trojan is malware coded to secretly dial phone numbers, leaving the infected victim with a large phone bill. There are two reasons why someone might code and spread a dialer Trojan. The first reason is destructive, perhaps as a tool of revenge. The second reason is financial gain. Simply set up a premium 900 number and charge $5.99 a minute. Then, all the malicious coder needs is a few hundred infected victims to make a decent amount of money.

As a desktop analogy, many free porn web sites use browser-based exploits to infect PC users with dialer Trojans. This is a classic example of dialer Trojans being used for financial gain. Dialer Trojans have been around on PCs for many years. Traditional PC dialer Trojans rely on the infected computer having a working modem, and the modem needs to be connected to a wall socket. It was only a matter of time before someone realized that coding dialer malware for computers that mostly rely on broadband was a waste of time. Such malware coders have now moved to cellular phones.

Symbian-based cellular phones offer the ability to run far more code than earlier cell phones. Cellular phones can now be used to play games, surf the Internet, and perform many other activities traditionally done from a desktop computer. While these features are useful for consumers, it also means that malware coders have an increasing scope in which to apply malicious code. Code that once worked only on desktop computers can now be ported easily to work on handheld devices running the Symbian OS.

Mosquito, the Game That Plays the Player

We first heard of the Mosquito dialer Trojan while researching online. Various web forum users were complaining that they had installed a game and now their phones were sending text messages to the number 87140 (see Figure 1). But some users hadn't noticed this problem, so it was evident that there were at least two discrete versions of this game in circulation—and that at least one of these versions was malware.

Figure 1 Screenshot related to the first known mention of an infected Mosquito game.

The game that the infected users had installed was called Mosquito v2.0. The game is unique in that it uses the phone's built-in camera. The user walks around shooting mosquitoes in a virtual reality–like atmosphere. The infected copy appeared to be a "cracked" version circulating on the many cell phone warez and P2P networks that plague the Internet underground. It appeared that 87140 was a UK number costing a hefty £1.50 per text message.

Detecting the Malicious Version of Mosquitoes v2

Cellular phone malware is a relatively new phenomenon. There were no clear instructions that we knew of for dissecting Symbian malware, and we had no prior experience with this platform. But we've developed a successful antivirus scanner for a similar platform (Windows Mobile/Pocket PC), and we've written some papers on ARM-based reverse engineering. So, out of curiosity, we decided to download the infected warez and see if we could take a look under the hood. Hopefully, by reporting our findings here, we'll inspire others to take the analysis further.

Finding the Suspicious File

For every instance of this Trojan that we've encountered, the file is packed as a .sis file type. Specific tools are needed to view the contents of such a .sis file on a PC. Most of the tools are freeware and are easily available. Here are a couple of favorites:

Using UnMakeSIS on the Mosquito file, we can see that this file contains a reference to Mosquitos.app (see Figure 2).

Figure 2 Using UnMakeSIS to extract the Mosquitos.app file.

Viewing the Code

Extracting the Mosquitos.app file onto your computer allows you to view the code of this file, using the following two basic techniques.

The first technique used to view the file is hex editing. Using a simple hex editor (see Figure 3) allows you to access written comments and hex code contained in the file.

Figure 3 Selected hex dump of Mosquitos.app, showing what appears to be the name of the malware author.

Looking at the code closely, we find the following line:

Free Version cracked by SODDOM BIN LOADER

Finding the SMS Call Routine in the Mosquitos.app File

Using a hex editor gives us some preliminary information on the file, but it doesn't give us enough information to prove that this file is a malicious dialer. What we need is a more complex debugging tool. The tool we highly recommend is IDA Pro.

IDA comes up with the following SMS call routines:

.text:1000B8CC
.text:1000B8CC loc_1000B8CC                            ; CODE XREF: sub_1000049C+11Cp
.text:1000B8CC                 LDR     R12, =NewL__13CSmsRecipient
.text:1000B8D0                 LDR     R12, [R12]
.text:1000B8D4                 BX      R12
.text:1000B8D4 ; ---------------------------------------------------------------------------
.text:1000B8D8 off_1000B8D8    DCD NewL__13CSmsRecipient ; DATA XREF: .text:1000B8CCr
.text:1000B8D8                                         ; CSmsRecipient::NewL(void)
.text:1000B8DC ; ---------------------------------------------------------------------------
.text:1000B8DC
.text:1000B8DC loc_1000B8DC                            ; CODE XREF: sub_1000049C+124p
.text:1000B8DC                 LDR     R12, =NewL__10CSmsHeaderQ211CSmsMessage11TSmsMsgTypeR10CPlainText
.text:1000B8E0                 LDR     R12, [R12]
.text:1000B8E4                 BX      R12
.text:1000B8E4 ; ---------------------------------------------------------------------------
.text:1000B8E8 off_1000B8E8    DCD NewL__10CSmsHeaderQ211CSmsMessage11TSmsMsgTypeR10CPlainText
.text:1000B8E8                                         ; DATA XREF: .text:1000B8DCr
.text:1000B8E8                                         ; CSmsHeader::NewL(CSmsMessage::TSmsMsgType,CPlainText &)
.text:1000B8EC ;

NOTE

These are just a few selected examples; the SMS routines make up five pages of data, which are too large to post here.

The malicious game uses SMS routines. That makes it one of the first documented Trojans written specifically for cellular phones. At the least, it's the first Symbian-based cellular phone dialer Trojan we've found.

Looking further at the following code snippet, the phone number 87140 is clearly visible, along with other numbers that may also be SMS text targets:

a9222     1000BA84
a4636     1000BA90
a87140    1000BA9C
a33333    1000BAA8

There's no need for this game to use SMS routines. When combined with multiple user reports of surreptitious, paid text messages, it appears to be a legitimate threat.

Protection and Prevention

You should never install anything from someone you don't trust. However, following this banal rule isn't always enough; some vulnerabilities are a result of programming errors within the device itself.

The first protection is to be a cautious user. Antivirus products often are there just to protect users from themselves. However, at times new viruses are created that break through traditional protections. For example, many users might forget to suspect a Bluetooth virus, simply because it's not yet a common form of infection. Your best defense is to maintain a high index of suspicion at all times.

In addition, it's best to keep the OS software current on your mobile device. This practice can help eliminate the same kind of risks that Windows XP users face. Unfortunately, updating a mobile device often requires a complete loss of data and can be a technically challenging project (for example, reflashing the ROM). Plus, even if it's easy, as is the case with Windows XP, most users simply ignore or don't know about patches and updates. In other words, if a user can't keep his desktop updated, he probably won't update his mobile phone or PDA.

With Windows-based PCs, patches are more or less homogeneous to the device. Not so in the mobile world. There are many flavors of embedded operating systems. For example, Platform Builder allows any manufacturer to compile its own, custom OEM version of Windows Mobile operating system. There are as many flavors of Windows Mobile as there are OEMs. In this case, a uniform security patch from Microsoft could break millions of devices—even if the patch worked correctly, which hasn't always been the case lately. Thus, there are even more challenges when dealing with mobile device security.

This concludes our brief analysis of the Mosquito Trojan. We welcome input from others who may have more experience in embedded reverse engineering. For those looking to enter research in this field, the References section lists other books and articles that we've written on ARM-based reverse engineering.

Although the Mosquito Trojan is more of an annoyance than a real threat, it demonstrates that cell phone malware is a growing problem. As we've seen, the 911 virus in Tokyo knocked out the city's public emergency services number. With a growing variety of malware attacking a growing number of mobile devices, future attacks could be worse.

References
