Fortinet Investigates a New SMS Mobile Worm: Yxes.A
The FortiGuard Global Security Research Team has investigated the case of a new mobile worm resorting to a breakthrough propagation strategy, which leverages SMS messages and Internet access.
This new worm, deemed SymbOS/Yxes.A!worm (also known as "Sexy View"), targets mobile devices running SymbianOS S60 3rd Edition (e.g. Nokia 3250), but may run on a wider range of devices, as it has been reported to function on phones running SymbianOS S60 3rd Edition FP1 (e.g. Nokia N73). It bears a valid certificate signed by Symbian, and installs as a valid application on factory mobile devices running S60 3rd Edition.
It gathers phone numbers from the infected device's file system, and repeatedly attempts to send SMS messages to those. The messages feature a malicious Web address (URL); upon "clicking" on the address in the received message, the recipients will download a copy of the worm (provided their phones/subscriptions allow for internet browsing).
Beyond propagating to as many users as possible via the strategy mentioned above, the worm's aim is to gather intelligence on the infected victim (such as serial number of the phone, subscription number) and post it to a remote server likely controlled by cyber criminals. Whatever the latter may do with such information is unknown as of writing.
It must be noted that due to its propagation strategy relying on the worm copy being hosted on a web server, the worm can mutate easily. According to Guillaume Lovet, senior manager of Fortinet's Threat Research Team, "As far as our analysis goes, the worm currently does not take commands from the remote servers it contacts. However, since the copies hosted on the malicious servers are controlled by the cyber criminals, they may update them whenever they want, thereby effectively mutating the worm, adding or removing functionality. We're really at the edge of a mobile botnet here."
The Yxes mobile worm is reported to be currently spreading in the wild. It is recommended for mobile users to have a valid security solution in place, such as Fortinet's FortiClient Mobile, to protect against threats. Caution should always be taken when opening attachments and following URLs received through messages (SMS/MMS). In the case of an infection, please contact your service provider.
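The propagation pattern described above (numbers harvested from the handset, the same link texted to each of them, retried repeatedly) is visible on the carrier side as one subscriber fanning a single URL out to many distinct recipients in a short time. The following is an added example, not Fortinet's or a carrier's code, of that detection logic run over a constructed SMS metadata log; the log layout, the placeholder numbers, the `.invalid` hostnames and the thresholds are all assumptions made for the example.

```python
"""Flag SMS senders that fan one URL out to many recipients in a short window.

Added example (not Fortinet's code).  Log format, numbers, hostnames and
thresholds are assumptions for the example, not a real carrier schema or IoCs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample: "<ISO timestamp> <sender> <recipient> <message text>".
# Sender +15550000001 shows the worm pattern; the other senders are benign.
SAMPLE_LOG = """\
2009-02-08T10:00:01 +15550000001 +15550000101 check this out http://worm-host.invalid/sexy.sisx
2009-02-08T10:00:04 +15550000001 +15550000102 check this out http://worm-host.invalid/sexy.sisx
2009-02-08T10:00:09 +15550000001 +15550000103 check this out http://worm-host.invalid/sexy.sisx
2009-02-08T10:00:15 +15550000001 +15550000104 check this out http://worm-host.invalid/sexy.sisx
2009-02-08T10:00:20 +15550000001 +15550000102 check this out http://worm-host.invalid/sexy.sisx
2009-02-08T10:00:30 +15550000001 +15550000105 check this out http://worm-host.invalid/sexy.sisx
2009-02-08T10:01:00 +15550000002 +15550000101 running late, see you at 7
2009-02-08T10:02:00 +15550000003 +15550000102 photos here http://photos.invalid/album
2009-02-08T11:30:00 +15550000003 +15550000103 photos here http://photos.invalid/album
"""


def parse_sms_log(text):
    """Parse the constructed log into dicts with ts, sender, recipient, urls."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, body = line.split(" ", 3)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "sender": sender,
            "recipient": recipient,
            # strip trailing punctuation so "http://x/y." and "http://x/y" match
            "urls": [u.rstrip(".,;") for u in URL_RE.findall(body)],
        })
    return records


def find_url_fanout(records, window=timedelta(minutes=10), min_recipients=5):
    """Return (sender, url, distinct_recipients) for every sender that texted
    the same URL to at least `min_recipients` distinct numbers within `window`.
    Retries to the same recipient count once, so the worm's repeated sends do
    not inflate the count and a single retry loop does not trigger an alert."""
    by_key = defaultdict(list)
    for r in records:
        for url in r["urls"]:
            by_key[(r["sender"], url)].append((r["ts"], r["recipient"]))

    hits = []
    for (sender, url), events in by_key.items():
        events.sort()
        start = 0
        best = set()
        # sliding window over the time-ordered events for this sender/url pair
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            recipients = {rcpt for _, rcpt in events[start:end + 1]}
            if len(recipients) > len(best):
                best = recipients
        if len(best) >= min_recipients:
            hits.append((sender, url, len(best)))
    return hits


if __name__ == "__main__":
    for sender, url, n in find_url_fanout(parse_sms_log(SAMPLE_LOG)):
        print(f"possible SMS worm: {sender} sent {url} to {n} distinct numbers")
```

The window and recipient threshold are the tuning knobs: a legitimate user sharing a link with a handful of friends stays below the threshold, while the worm's harvested-contact fan-out crosses it within seconds. Counting distinct recipients rather than raw messages is what keeps the worm's retry behaviour from being confused with a burst of messages to one person.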
Update:
Our investigation confirms that the worm functions on Nokia 3250 handsets, but again is likely not limited to this. Once installed, no program icon or related information could be found in the system menu. On launch, the worm executes as the process "EConServer.exe", a name likely chosen to blend in alongside the existing legitimate system process "EComServer.exe". The worm will also automatically run every time the device is rebooted / power cycled. Further, it bears a destructive nature and will kill certain processes such as the application manager (AppMgr). The processes it seeks to kill are: AppMgr, TaskSpy, Y-Tasks, ActiveFile and TaskMan. Fortinet's FortiGuard Global Security Research Team protects against additional variants of SymbOS/Yxes.A, namely B, C, and D. Subscribers to Fortinet's FortiClient Mobile should be protected against these variants.
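Two of the behaviours just described are checkable from a process snapshot: a process whose name is one character away from a legitimate system process (EConServer.exe versus EComServer.exe), and task-management or file tools that should be running but have been killed. The following is an added example, not Fortinet's or Symbian's code, of both checks; the allow-list of system process names other than EComServer.exe and the running-process snapshot are constructed for the example, and a real check would read the device's actual process list and a vetted list of platform binaries.

```python
"""Spot process names that masquerade as system processes, and note killed tools.

Added example (not Fortinet's or Symbian's code).  The allow-list entries
other than EComServer.exe and the process snapshot are constructed.
"""

# Constructed allow-list of legitimate process names (assumption for the example;
# only EComServer.exe comes from the write-up).
KNOWN_SYSTEM_PROCESSES = {"EComServer.exe", "ApsExe.exe", "Phone.exe", "Menu.exe"}

# Tools the write-up says the worm terminates; their absence is a weak signal.
EXPECTED_TOOLS = {"AppMgr", "TaskSpy", "Y-Tasks", "ActiveFile", "TaskMan"}

# Constructed process snapshot from a (hypothetical) infected handset.
SAMPLE_PROCESSES = ["EComServer.exe", "EConServer.exe", "Phone.exe",
                    "Menu.exe", "TaskSpy.exe"]


def edit_distance(a, b):
    """Levenshtein distance, case-insensitive, O(len(a) * len(b))."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def find_lookalikes(running, known=KNOWN_SYSTEM_PROCESSES, max_distance=1):
    """Return (running_name, imitated_name) for every process whose name is
    within `max_distance` edits of an allow-listed name without matching it."""
    known_lower = {k.lower() for k in known}
    hits = []
    for name in running:
        if name.lower() in known_lower:
            continue  # exact match: the genuine system process
        for legit in sorted(known):
            if edit_distance(name, legit) <= max_distance:
                hits.append((name, legit))
    return hits


def _base(name):
    """Process name without a trailing .exe, lower-cased for comparison."""
    n = name.lower()
    return n[:-4] if n.endswith(".exe") else n


def missing_tools(running, expected=EXPECTED_TOOLS):
    """Expected task/security tools that are not running (the worm kills these)."""
    present = {_base(n) for n in running}
    return sorted(t for t in expected if t.lower() not in present)


if __name__ == "__main__":
    for fake, real in find_lookalikes(SAMPLE_PROCESSES):
        print(f"lookalike process: {fake} imitates {real}")
    for tool in missing_tools(SAMPLE_PROCESSES):
        print(f"expected tool not running: {tool}")
```

The lookalike check is the stronger signal of the two: a process name one edit away from a platform binary has no benign explanation on a stock handset. The missing-tool check only means something if those tools were installed and expected to be running, so it is best treated as corroboration rather than an alert on its own.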
Action:
• Fortinet's FortiGuard Antivirus Definitions protecting against Yxes have been available since February 8, 2009
• Fortinet's FortiGuard Global Security Research Team collaborates with carriers to provide additional protection against mobile threats
• Symbian's SDN has been notified
• Registrars of domains hosting copies of the worm have been notified
Disclaimer:
Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.
About Fortinet ( www.fortinet.com ):
Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection, including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam, designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.