Archive for the 'Mobile Security Research' Category

Mobile phone malware launders money through an online game

We have been in contact with one of Germany's criminal investigation authorities (LKA). This is a case in which a malicious program running on mobile phones was making unauthorised calls. All of these calls were connecting to one and the same SMS number, which is used to top up the amount of virtual money in one of the online games. Topping up in-game cash via SMS messages is a scheme frequently offered by online game vendors.

This is a really interesting twist because in the past malware writers simply programmed malware (either on a desktop or on a mobile device) to call a premium phone number (one where the cost of a call is high). Of course, with this old method it is easier to trace the destination of funds because for each such call real money is transferred from a phone company to the owner of the premium number. So the principle “follow the money” to track the perpetrators usually works.

This new and indirect way of laundering money through an online game makes it significantly more difficult to track the destination: several in-game asset transfers can be made before the money is taken out of the game through real-money trading (RMT, a bannable offence in most online games, though some games allow it, for example Second Life).

Our advice is not to use programs for mobile phones that come from untrusted sources (such as game forums, Internet newsgroups, emails, P2P networks, blogs, etc.).

Avert Labs would kindly ask all mobile phone users to be vigilant and submit suspicious programs for our analysis. The easiest way is to use our online WebImmune service, www.webimmune.net.

So, how does one write mobile spyware?

Some helpful soul has decided there isn’t enough Symbian spyware in the world. A Russian malware author has released a prototype of SMS forwarding spyware, SymbOS/Htool-SMSSender.A.intd. He’s included the source code to aid in modification.

The author, let’s call him Scripty, says that SymbOS/Htool-SMSSender.A.intd can:

  • Hide from the user
  • Load on startup
  • Copy the text of the last SMS you received
  • Send that text in a new SMS to the author

SymbOS/Htool-SMSSender.A.intd performs the first three steps well, but it fails to do the last. Looking at the source code, it appears Scripty didn’t write the SMS sending code. Scripty, though apparently unskilled, believes the source code will be useful to other malware authors for constructing their own SMS spyware.

Only last week we saw signs of malware authors integrating commercial spyware into their creations. This week we’ve run across the first evidence that malware writers are actively working on developing their own spyware.

Want spies with that?

We’ve received a sample of a new mobile malware in the MultiDropper family, variant CG. MultiDroppers are like a collection of top 10 hit songs, a ‘hits CD’. They also require about as much creativity. Take a successful hit like SymbOS/Cabir or SymbOS/Commwarrior, mix in a SymbOS/Appdisabler or SymbOS/Skulls.

The trouble with hits CDs is that you probably already own all the albums containing the hits. Maybe you get a bonus song now and then. In the same manner we already detect most of the malware in most mobile MultiDroppers. Every so often we do get the bonus unseen or rare single (malware).

MultiDropper.CG is the first in the series to include spyware, SymbOS/Mobispy.A.

SymbOS/Mobispy.A is based on an early version of commercial call and SMS recording software. SymbOS/Mobispy.A installs on a phone and records incoming and outgoing SMS messages. It also tracks the phone numbers of all dialed and received calls. The purchaser of the software gets an account on a central server. SymbOS/Mobispy.A sends all the data it’s captured to that account.

Considering that data-stealing and other for-profit malware have made their entrance on mobile phones, it is worrisome to see spyware make its debut. Around eight months ago a commercial remote phone monitoring application was released. There was much speculation on how much time it would take for malware authors to integrate it into their own malware. We have seen malware authors create custom prototype code to implement new attacks but it is interesting to see them purchase commercial spyware to do their job for them.

It would appear that the SymbOS/MultiDropper.CG author has made a wise choice in using commercial products, avoiding the hassle and expense of creating a new hit single by using an existing one. There are two things though that complicate the picture:

  • The software is licensed for only one phone ID (IMEI). As soon as the monitoring account on the central server receives logs from an unregistered IMEI, it’s expected to be shut down.
  • It is unlikely that the author of SymbOS/MultiDropper.CG is the original purchaser of this copy of the software. Only the original purchaser would have access to the results of SymbOS/Mobispy.A’s spying.

Although SymbOS/MultiDropper.CG does not appear likely to be a winner, it does signify a probable switch in malware authors’ goals. Rather than destroying your data and information, they’re stealing it for profit.

McAfee Avert Labs 2007 Threat Predictions PodCast

Today, Avert Labs announced the availability of its podcast on the “Top Ten Security Trends in 2007”.

As part of this podcast, McAfee will identify those threats it believes businesses and consumers will face in 2007 as computer criminals become more organized and professional in their approach.

Download the podcast

McAfee and SMiShing on Fox

Recently one of our researchers, David Rayhawk, gave an interview to Fox news on mobile malware and smishing.

Interview

Fox News 35 has the video on their site. There is also a mirror on Google video. The interview covered topics such as data destroying malware and the advent of smishing and for-profit malware. We have covered these topics in earlier posts.

While the current threats are not very widespread, the samples we’re seeing indicate that the capability for greater trouble is approaching.

Texting Trojans

This week we received a sample of a variant of W32/Backdoor-DJC.

W32/Backdoor-DJC is a standard targeted backdoor trojan. It steals information from your computer and sends it back to the attacker. Instead of using email to send back the stolen data, this variant uses SMS.

Using SMS to transfer stolen information shows malware authors branching out in their communication methods. It is not really innovation: system administrators have been able to monitor their machines via SMS for quite a while. This is more an example of malware authors turning legitimate methods and tools to their purposes.

Previously we've seen similar information stealing trojans on mobile phones. SymbOS/Pbsender swipes your phone and contact info and sends it out via Bluetooth.

Bluetooth is not as effective as email or SMS for sending information. Consider some of the difficulties involved:

  • receiving anything requires user interaction; you can't let it sit in your inbox
  • you need to be within range; if you're not there, you don't get the message

On the other hand with SMS:

  • your messages end up in the inbox
  • range is not an issue, you can even be in a different country
  • your phone does not even have to be on

Once a tool or communication method has been proven effective legitimately it is common for us to see them integrated into malware. So it's no surprise that SMS has now reached this stage.

“Small SMiSh, Big Pond”

Just last month we received our first live example of SMiShing. This month we've received evidence that the author of VBS/Eliles.A has taken umbrage at the AV industry's naming conventions. Specifically rule #1: we never name malware after the author's suggested or intended name. This is to discourage people from writing new malware in order to gain notoriety.

The Eliles author, let's call him Eli, is not taking this sitting down. One of our contacts in Asia sent us a sample of Eli's latest attempt at fame, VBS/Eliles.B. Eli left some parts of his worm intact.

Like his first try, VBS/Eliles.B also:

  • Hides drives, disables Registry editing and generally makes removing it a pain
  • Tries to disable your antivirus software
  • Sends itself via email to any address it can find
  • Attempts a SMiShing attack against customers of two mobile phone companies based in Spain

VBS/Eliles.B additionally:

  • Runs a script that types Eli's complaints on our naming and the occasional insult in the current window
  • Tries to disable your firewall software

VBS/Eliles.B really brings nothing new to the table. Aside from the SMiShing routines, Eli hasn't created anything new. All the other routines appear to have been created with various ready-made malware toolkits.

Considering that only the text and the download link have been changed in the SMiShing message, it is also doubtful that Eli had a hand in creating that routine. Eli is very likely a script kiddie, a relatively unskilled malware author. More of a mugger than a criminal mastermind.

VBS/Eliles.A & B are not large threats. The disturbing part is that while the SMiShing routines are targeted locally to a specific country in Europe, VBS/Eliles.B has made it to another country in Asia.

VBS scripts are distributed as plain text. Within 2 minutes, using a text editor, a malware author can cut and paste a few strings to generate a new SMiShing attack. Fortunately, Eli is not following the for-profit trend of his more skilled colleagues. Unfortunately, it looks like SMiShing source code is now available to more malware writers.

Today's minor threat can become a component of tomorrow's devastating attack.

Phone-y Money

For-profit malware has been increasing on the PC side for quite a few years now. Viruses that hold your files hostage, trojans that steal banking information and adware that floods your computer with popup ads. Malware writers have shifted their goals from gaining notoriety or personal satisfaction from the spread of their creations to the goal of filling their wallets.

Recently though, McAfee Avert Labs has begun to see a similar trend in mobile malware. Most of the mobile malware that we’ve run across has been relatively harmless trojan horses. A few files have been replaced, or the phone fails to start when rebooted. A hard reset to clear the phone memory and you’re back to normal, minus your stored phone numbers and calendar information. You might have lost any time spent adding new software or saved documents, but at least none of your private information has been stolen. J2ME/Redbrowser changed the entire situation.

Redbrowser tells the user that it’s a mobile web browser that works over SMS. Instead of browsing to the address that the user wants, Redbrowser actually sends SMS messages to a Premium Rate number. On certain phones, the Java runtime will prevent Redbrowser from sending SMS messages without your permission. Redbrowser’s creator has gone to some length to social engineer you into saying yes when it asks to send the SMSes.

Stealing money in real life ranges from corporate embezzling to the common mugging. Redbrowser falls somewhere in between the two; J2ME/Wesber is closer to a mugging.

Like Redbrowser, Wesber also sends out SMS messages to a premium-rate number. It just doesn’t do it with as much style. Wesber has no user interface, so if the Java runtime doesn’t give a warning you would have no idea that you’ve just been charged roughly $15.

Wesber is found in a file named “pomoshnik.jar”. Pomoshnik is Russian and translates to “assistant”. It certainly assists its author in getting your money.

With the recent SMiShing incidents, the rise in for-profit mobile malware is definitely troubling.

Nightmares of Data Retention on Cell Phones

McAfee Avert Labs has been getting a lot of questions about the dangers of data-retention on cell phones. There’s an article covering the concept here.

Here’s our take on the situation: modern cell phones (“smartphones”) are miniature, portable computers, and they will bring all the same problems along with them as the technology matures: viruses, spam, phishing (or smishing), and people stealing data from lost, stolen, recycled, or resold devices.

“But I deleted those messages?!?! How can someone get it back?!?”
I think this is best explained by an analogy: think of your device (phone, computer, etc.) data as being a textbook: a table of contents in the front, informational pages towards the back. When you write a document, you add pages to the book. The computer, when asked for a document, looks in the table of contents to figure out which pages to read.

Makes sense so far, but when you remove a file, the computer doesn’t erase the pages in the back; it removes the entry from the table of contents, so that it no longer knows or cares where the information is. “Why?!?” you may ask. Well, in a nutshell, computers are lazy (i.e., efficient) and this is the fastest way to “remove” the file from the system. Heck, those pages may be overwritten some day.

But this introduces a problem: someone could manually search for the pages (skim the book, if you will) and then find and reconstruct the documents (until the page is recycled, at least).

This is the problem that many people who have sold their cell phones are finding: those who have purchased them have retrieved (or are at least able to retrieve) their deleted files, files that contain personal messages, email, address books, and worse.

If you are going to dispose of your phone, please contact the manufacturer or your carrier and ask them how to do a “low level” or “zero level” wipe. This is analogous to going through the book with an eraser and scrubbing out each and every letter so that the pages are blank. This makes it quite difficult for the data to ever be retrieved.

This is, of course, exactly what you should do with your computer’s hard drive if you dispose of it.
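To make the textbook analogy concrete, here is an added example (not code from the original post) that models a tiny store with a table of contents and fixed-size pages. It shows that a "lazy" delete leaves the message recoverable by skimming the raw pages, and that scrubbing the pages (the "zero level" wipe the post recommends, or an overwrite before dropping the entry) is what actually removes it. All class and function names, and the sample message, are constructed for this illustration.

```python
# Added illustration of the post's "textbook" analogy; all names here are
# hypothetical and the sample message is constructed, not real data.

PAGE_SIZE = 16   # bytes per "page" at the back of the book
PAGE_COUNT = 8   # pages in the book


class TextbookStore:
    """toc maps a name to the page numbers holding its bytes (the table of
    contents); self.pages are the informational pages at the back."""

    def __init__(self):
        self.pages = [bytearray(PAGE_SIZE) for _ in range(PAGE_COUNT)]
        self.toc = {}

    def _free_pages(self):
        used = {p for pages in self.toc.values() for p in pages}
        return [i for i in range(PAGE_COUNT) if i not in used]

    def write(self, name, data):
        """Spread data over free pages and record them in the toc."""
        chunks = [data[i:i + PAGE_SIZE] for i in range(0, len(data), PAGE_SIZE)]
        free = self._free_pages()
        if len(chunks) > len(free):
            raise OSError("book is full")
        self.toc[name] = free[:len(chunks)]
        for page_no, chunk in zip(self.toc[name], chunks):
            self.pages[page_no][:] = chunk.ljust(PAGE_SIZE, b"\x00")

    def read(self, name):
        """Normal read: follow the toc and ignore everything else."""
        if name not in self.toc:
            raise FileNotFoundError(name)
        return b"".join(bytes(self.pages[p]) for p in self.toc[name]).rstrip(b"\x00")

    def delete(self, name):
        """The lazy delete the post describes: only the toc entry goes away."""
        del self.toc[name]

    def secure_delete(self, name):
        """Scrub the file's own pages before forgetting where they were."""
        for page_no in self.toc[name]:
            self.pages[page_no][:] = bytes(PAGE_SIZE)
        del self.toc[name]

    def wipe(self):
        """'Zero level' wipe: every page is blanked, toc or not."""
        for page in self.pages:
            page[:] = bytes(PAGE_SIZE)
        self.toc.clear()

    def carve(self, pattern):
        """Skim the whole book for readable runs containing pattern, ignoring
        the toc: this is what a buyer of a used phone can do."""
        raw = b"".join(bytes(p) for p in self.pages)
        return [seg for seg in raw.split(b"\x00") if seg and pattern in seg]


def demo():
    """Returns what carving finds after a lazy delete, after a secure delete,
    and after a full wipe, for the same constructed message."""
    msg = b"Door code is 4321, see you at 7"   # 31 bytes, spans two pages
    store = TextbookStore()
    store.write("sms1", msg)
    store.delete("sms1")                     # gone from the toc only
    after_delete = store.carve(b"4321")
    store.write("sms2", msg)
    store.secure_delete("sms2")              # pages scrubbed first
    after_secure = store.carve(b"4321")
    store.write("sms3", msg)
    store.wipe()
    after_wipe = store.carve(b"4321")
    return after_delete, after_secure, after_wipe
```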

I can’t say it enough: your smartphone is a computer; you need to treat it as such and exercise the same level of caution you would give to your traditional PC.

School of Smish

Only a little while ago we were discussing the possibility of someone taking the techniques of phishing by email and porting them to SMS. SMiShing instead of phishing.

While the name is catchy, don’t be misled, it’s actually based on a real event. A number of SMS messages were sent out to users in Iceland and Australia telling them they would be charged $2 a day for membership on a dating website. Victims attempting to “unsubscribe” from the site and daily charge get their computers infected with a backdoor trojan. The South Australia Office of Consumer and Business Affairs (OCBA) even put out a warning to consumers about the scam.

Considering that this Smishing event occurred a few months ago with nothing since, one might reasonably relax. We at McAfee Avert Labs would agree with you, except that we’ve just received a sample of a mass-mailing worm that performs a Smishing attack: VBS/Eliles.A.

This is a standard VBS worm that skips the loading of a backdoor trojan and simply opens a backdoor on the victim's system. Most of the code is in Spanish, with a few comments in German. That incongruity, along with variations in the coding style of the various internal functions, implies that this worm is composed from disparate sources. Very script kiddie.

The interesting part is that it includes a routine to send Smishing messages to users of two Mobile Phone providers in Spain. Rather than calculating random IP addresses to send messages, this worm generates phone numbers within the ranges used by mobile phones. Eliles.A sends its smish message free of charge through the mobile phone providers’ SMS-email gateways.

Unlike the previous smishing episode, Eliles.A does not use the error in billing ploy. Instead this worm tries to be helpful by offering the victim free “antivirus” software for their phone, supposedly from their mobile phone provider. The smishing message specifically targets Nokia Series 60 phones. Users that download and install the software from the link in the SMS find themselves infected with malware. Fortunately, the download link is now dead.

We were startled to see a smishing attack turn up in a simple mass mailing worm. A malware writer who spends time researching a new attack will usually write custom code for it rather than reuse someone else’s code. Over time the attack gets packaged into standard routines and eventually included in the script kiddie’s toolbox. The transition from brand new to script kiddie use can take months. This is the malware equivalent of finding a machine gun in the stone age.

The genie is out of the bottle with regard to smishing. Now that the script kiddies are involved, we’re bound to see a rise in the numbers of smishing attempts in the coming months. So much for relaxation.

SMiShing - an emerging threat vector

Some cell phone users have started receiving SMS messages along these lines: “We’re confirming you’ve signed up for our dating service. You will be charged $2/day unless you cancel your order: www.smishinglink.com”. (This is an example and was not a real URL at the time of writing.)
This phenomenon, which we at McAfee Avert Labs are dubbing “SMiShing” (phishing via SMS), is yet another indicator that cell phones and mobile devices are increasingly being used by perpetrators of malware, viruses and scams.

While some might recognize this as a scam, many unsuspecting users would not. Fearful of incurring premium rates on their cell phone bill, they visit the Web site highlighted in the message. Once they arrive at the URL, they are prompted to download a program which is actually a Trojan horse that turns the computer into a zombie, allowing it to be controlled by hackers. The computer then becomes part of a bot network, which can be used to launch denial of service attacks, install keylogging software, steal personal account information and perform other malicious activities. Because monitoring botnet activity is complex, it is challenging to know the current scope of the problem.

Imagine the threat to enterprise networks once hackers learn how to fully exploit SMiShing techniques. Most large enterprises have thousands of employees, using a variety of devices to access their networks. Despite their best efforts to issue safety guidelines, IT security staff cannot control human behaviour, especially in light of the fact that mobile users have not (yet) learned to treat their phones with the same level of concern that they apply to their laptops. Mobile devices present a serious challenge to data security, with the potential to infect both carrier and enterprise networks.

Enterprises would be wise to keep a close eye on this issue and think about policies for securing their mobile devices ahead of time, rather than playing catch up when it hits them, and begin to educate their employees about the potential risk now.

“200,000!”

Rockets bursting in air, fireworks everywhere! Thank you for helping mark the 200,000th entry into the VirusScan malware (malevolent software) detection database.

But truly, this is not a moment to celebrate. Ever-larger numbers of malware are a plague, not a cause for celebration. Instead, we mark this moment simply as a milestone in our continuing effort to fend off the bad stuff from everyone's machines.

It is alarming that we reach this milestone so soon after September 2004, when the count reached 100,000. Eighteen years to reach 100,000. Less than two years to double. Looking ahead, our researchers expect yet another doubling in a similar timeframe. So, 100,000 new threats in the past two years, 200,000 new threats to come in the next two years!

[Figure: Malware Count and Rate of Growth]

The last two years have marked a tremendous increase in downloaders and bots: malware whose purpose is to commandeer the target machine for use by a command-and-control machine, or rather by the person sitting behind that machine, whose motive is $$$$$$$.

In early 2004, a number of viruses like Netsky, Bagle, and Mydoom would infect multiple millions of machines with each release of a new variant. Many millions of machines would be compromised in a short amount of time, causing great financial strife and immediate reaction from IT personnel as well as law enforcement. Soon, Sven Jaschan was arrested for the creation of the Netsky and Sasser families of viruses. At about the same time, the author of Gaobot/Agobot and Phatbot was also arrested. With these two events, we all hoped the arrests would stem the tide of malware.

Instead, malware distribution changed dramatically. In the first half of 2004, 31 virus outbreaks were rated Medium and above. The second half of 2004 saw 17 more. That number fell to 12 for the whole of 2005. And in 2006, there have been no outbreaks of similar severity! Instead of huge virus events causing ire from all segments including law enforcement, the preferred method of malware distribution now involves the creation of many minor variants sent through controlled spam efforts. Good family detection becomes crucial for a less worrisome experience on the Internet.

Another area of concern is the growth of malware targeting mobile telephony. The numbers are still small, only around 300, so rates of growth are exaggerated. However, it will grow. Our past experience with other forms of malware suggests the growth will follow the shape of the graph above, except that time will be compressed. We are still in the era where malware targeting telephony is not yet purposefully stealing money, and that is the concern. When the phone becomes the standard means to transfer money, malware targeting telephony will truly explode, much as bots and other means of stealing money over the Internet have consumed our energies these past two years.

And so, on this July 4th, our thanks to the men and women who serve, so we can all enjoy our liberties and pursue happiness. And thanks also to the cadre of dedicated anti-malware researchers who on this day added that 200,000th malware detection entry, so we may pursue our enjoyment of the Internet experience with a little less worry.

Symbian ROM Image Leak; Phone Rootkits?

It looks like mobile malware authors may be moving into the kernel. Software that operates in the kernel has access to the entire system. Hidden, undocumented functions can provide untraceable access to the filesystem. Rootkits are generally used to hide the presence of other malicious software or activity.

Recently, an independent security research group released a number of ROM images (colloquially "ROMs") from various Symbian phones. Their goal was to encourage vulnerability research on mobile phones.

The risk is not that these researchers have published the ROMs. Anyone who owns a Symbian phone can, with publicly available tools, extract their own ROM image. The real risk arises from the nearly 600 KB of analysis and research guidelines they have provided.

The current situation is that malware authors are limited to user space. All current mobile malware has been created either with the publicly available SDKs or cobbled together from other malware. Essentially, most of the trouble so far is caused by applications: malicious applications, but still only applications, not system software.

SMIL Exploit - Silently Install Malware on Your Mobile Phone

While the latest CommWarrior variants continue to entice mobile phone users into clicking "Yes" to grant them permission to install, Collin Mulliner has published the first remote exploit for Windows Mobile phones using MMS as the attack vector, at the Defcon 14 conference in Las Vegas.

The vulnerabilities in question require only that a Windows Mobile 2003 (Windows CE 4.2) user open a malformed MMS message, which causes a buffer overflow in the Synchronized Multimedia Integration Language (SMIL) parser. When successful, the exploit can execute code on the targeted mobile phone to silently install malware. The "success rate" of the exploit varies: according to Collin, the return address, which acts like a "key" to execute the malicious code, is random and can vary across mobile phone makes and models. This makes it a less likely worm candidate.