
McAfee mobile security: smishing

Only last Friday, McAfee Avert Labs warned of a new mobile security threat called smishing (phishing via SMS). See http://www.avertlabs.com/research/blog/?p=74 for more information.

Within hours of that post, McAfee Avert Labs received a sample of a mass-mailing worm that performs a smishing attack: VBS/Eliles.A.

The key aspects of this new mobile threat are as follows:

* It starts as a simple mass-mailing worm before turning into a smishing attack.
* The threat targets two major mobile phone operators in Spain, sending smish messages free of charge through the operators' e-mail-to-SMS gateways.
* The smishing message specifically targets Nokia Series 60 phones.
* It attempts to trick the victim into downloading free anti-virus software supposedly offered by the operator. Users who download and install the software from the link find themselves infected with malware.
* The evidence suggests that this threat was assembled by script kiddies from existing code taken from a variety of disparate sources. Most of the code is in Spanish, with some German comments.

The interesting/important elements of this threat are:

* This is the first example of a threat moving from the PC environment into the mobile space: a smishing attack delivered by a simple mass-mailing worm.
* It is the first example of a smishing attack created by script kiddies using code assembled from a variety of sources available on the Internet. The ease with which this threat was assembled suggests we'll be seeing a rise in smishing attacks in the coming months.
* Targeting an operator's SMS gateway lets smish messages be sent for free. Information on how to reach an operator's SMS gateway is freely available on the Internet: http://hiptools.net/sms/.
* The threat targets Symbian OS devices (e.g., Nokia Series 60).

Detailed threat description:

A mass mailing worm

VBS/Eliles.A is a standard VBS worm that does not load a separate backdoor Trojan; it simply opens a backdoor on the victim's system itself. It is written in Visual Basic Script and arrives in e-mail messages with the Spanish subject "Curriculum Vitae para posible vacante" ("Curriculum vitae for a possible vacancy") and the following body text (also in Spanish):

"Adjunto Currilum Vitae, por estar interesado en algún puesto vacante en su empresa, me encantaria que lo tuviera en cuenta, ya que estoy buscando trabajo por esa zona. Sin más, reciba un cordial Saludo."

In English: "Please find my curriculum vitae attached, as I am interested in any vacant position at your company. I would be grateful if you would take it into account, since I am looking for work in that area. Kind regards."

Once it runs on the victim's PC, the worm copies itself to the computer under the name C.Vitae.zip and sends itself to every e-mail address it finds on the system. It also disables some anti-virus programs that may be installed on the computer and adds Windows registry entries so that it runs at every system start-up.

The mobile element

Finally, the worm tries to send messages to subscribers of two mobile phone providers in Spain. Rather than generating random IP addresses to send to, as a network worm would, it generates telephone numbers within the ranges allocated to mobile phones. Eliles sends its smish message free of charge through the providers' e-mail-to-SMS gateways: an e-mail addressed to the phone number at the gateway's domain is delivered to the handset as a text message.

Unlike the previous smishing episode, Eliles does not use the billing-error ploy. Instead the worm poses as helpful, offering the victim free "anti-virus" software for their phone, supposedly from their mobile phone provider. The smishing message specifically targets Nokia Series 60 phones. Users who download and install the software from the link in the SMS find themselves infected with malware. Fortunately, the download link is now dead.

The SMS has the following characteristics:

Sender: the e-mail address of the infected user.
Recipient: the target's telephone number followed by one of the following domains (operator names redacted):
@[operatorname].es
@[operatorname].es
Subject: "Msj Operador: Proteja su movil" ("Operator msg: Protect your mobile")
Message: "Descarguese gratis el Antivirus para Nokias Series 60.
(6630,6680,7610,7650,N70,N90), totalmente gratuito.
http://f1.grp.ya<blocked>r8GMzmLAO7taS5yJIVcWx2F_6NWlo_LBonXVhAfgMBbxzzC4LoS8XSwl_-YO7ZMH01Sw/Antivirus.sis"
In English: "Download the free antivirus for Nokia Series 60 (6630, 6680, 7610, 7650, N70, N90), completely free."
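As an added example (not code from the Avert Labs post, nor from the worm itself), the following Python script shows how a mail administrator could spot an Eliles-style run in outbound mail logs. It parses a constructed log format, recognises recipients of the form number@gateway-domain, and alerts on any sender that either fans out to many phone-number recipients at an SMS gateway (the worm's number-range sweep) or sends the fake-antivirus lure subject together with a .sis download link. The gateway domains (sms.operator-a.es, sms.operator-b.es), the log lines and the link host are all constructed; the rule that a Spanish mobile number is nine digits starting with 6 is an assumption stated in the code.

```python
import re
from collections import defaultdict

# Hypothetical e-mail-to-SMS gateway domains (the post redacts the real ones as
# "@[operatorname].es"); substitute the gateway domains seen in your own mail logs.
SMS_GATEWAY_DOMAINS = {"sms.operator-a.es", "sms.operator-b.es"}

# Assumption: a Spanish mobile number is nine digits starting with 6.
MOBILE_LOCALPART = re.compile(r"^6\d{8}$")

# Lure indicators taken from the Eliles SMS text: the subject line and a link to a .sis package.
LURE_SUBJECT = re.compile(r"proteja su m[oó]vil", re.IGNORECASE)
SIS_LINK = re.compile(r"https?://\S+\.sis\b", re.IGNORECASE)

# Constructed log format: one line per outbound message, string fields in double quotes.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> '
    r'subject="(?P<subject>[^"]*)" body="(?P<body>[^"]*)"$'
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def indicators(rec):
    """Return the set of indicator names that a single parsed message trips."""
    hits = set()
    local, _, domain = rec["rcpt"].rpartition("@")
    if domain.lower() in SMS_GATEWAY_DOMAINS and MOBILE_LOCALPART.match(local):
        hits.add("to_sms_gateway")
    if LURE_SUBJECT.search(rec["subject"]):
        hits.add("lure_subject")
    if SIS_LINK.search(rec["body"]):
        hits.add("sis_link")
    return hits


def find_smishing(lines, fanout_threshold=5):
    """Group messages by sender and flag senders that look like an Eliles-style smishing run.

    A sender is flagged when it pushes at least `fanout_threshold` messages to
    phone-number recipients at an SMS gateway, or when any single message carries
    both the lure subject and a .sis download link. Returns
    {sender: {"gateway_msgs": n, "lure_msgs": n, "reasons": [...]}} for flagged senders.
    """
    per_sender = defaultdict(lambda: {"gateway_msgs": 0, "lure_msgs": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the sweep
        hits = indicators(rec)
        stats = per_sender[rec["sender"]]
        if "to_sms_gateway" in hits:
            stats["gateway_msgs"] += 1
        if {"lure_subject", "sis_link"} <= hits:
            stats["lure_msgs"] += 1

    alerts = {}
    for sender, stats in per_sender.items():
        reasons = []
        if stats["gateway_msgs"] >= fanout_threshold:
            reasons.append(f"{stats['gateway_msgs']} messages to SMS-gateway phone numbers")
        if stats["lure_msgs"]:
            reasons.append(f"{stats['lure_msgs']} messages with fake-antivirus lure and .sis link")
        if reasons:
            alerts[sender] = dict(stats, reasons=reasons)
    return alerts


# Constructed sample log: one benign mail, one legitimate person-to-phone text,
# and an infected host sweeping a number range with the Eliles lure.
SAMPLE_LOG = [
    'T0 from=<victim@example.es> to=<alice@example.com> subject="Re: reunion" body="Nos vemos a las 10."',
    'T1 from=<bob@example.es> to=<612345678@sms.operator-a.es> subject="Llego tarde" body="5 min"',
] + [
    f'T{i + 2} from=<victim@example.es> to=<6001000{i:02d}@sms.operator-b.es> '
    'subject="Msj Operador: Proteja su movil" '
    'body="Descarguese gratis el Antivirus para Nokias Series 60. http://example.invalid/x/Antivirus.sis"'
    for i in range(6)
]

if __name__ == "__main__":
    for sender, info in find_smishing(SAMPLE_LOG).items():
        print(sender, "->", "; ".join(info["reasons"]))
```

Run as-is it reports only victim@example.es; bob's single message to a gateway number stays below the fan-out threshold and carries no lure. The gateway domain list is what makes the fan-out rule precise: a host sending dozens of mails to numeric local parts at an operator's gateway is the worm's number sweep, regardless of what the message says, and that rule keeps working after the attacker changes the lure text or link.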

Source details

Most of the code is in Spanish, with a few comments in German. That incongruity, together with the variations in coding style between the internal functions, implies that this worm was stitched together from disparate sources, and therefore by a script kiddie.

It is very unusual to see a smishing attack turn up in a simple mass-mailing worm. A malware writer who spends time researching a new attack usually writes custom code for it rather than reusing someone else's. Over time the attack gets packaged into standard routines and eventually ends up in the script kiddie's toolbox. The transition from brand-new technique to script-kiddie use can take months.

Now that the script kiddies are involved, we're bound to see a rise in the number of smishing attempts in the coming months.
