Video Screencast Help
Security Response

Could Sexy Space be the Birth of the SMS Botnet?

Created: 13 Jul 2009 09:26:37 GMT • Updated: 23 Jan 2014 18:34:08 GMT
Irfan Asrar's picture
+3 3 Votes
Login to vote

Experts predicted that there would be a rise in the number of mobile threats in 2009 and it seems the creators of SymbOS.Exy.A and SymbOS.Exy.B are out to prove the predication right. They have resurfaced again with yet another signed Symbian malware, SymbOS.Exy.C.

New Certificate

imagebrowser image

Previous certificates used with SymbOS.Exy.A/B

imagebrowser image imagebrowser image imagebrowser image

Circulating with the name of “Sexy Space”, SymbOS.Exy.C is very similar to the original SymbOS.Exy.A threat. Not only does it reuse some of the same code that was used in the original threat, it’s even using the same method of propagation.

It appears that the creators of the SymbOS.Exy.A/B threats have found the perfect loop-hole for distribution and have decided to stick to it for SymbOS.Exy.C: good old-fashioned social engineering mixed with SMS spam. Going by names such as “Sexy View” or “Sexy Girl” and now “Sexy Space” the threat propagates through suggestive SMS messages which direct message recipients to download the threat from an external URL.

imagebrowser image imagebrowser image imagebrowser image

Taking advantage of signed secured status, the malware attempts to hide its traces by running under the process name of “AcsServer.exe”, a slight variation on the name of a legitimate application. It also installs itself in the hidden c:\sysbin folder, in addition to dropping another file “kel.sisx” (also Symbian signed) in the path C:\data\. The threat has the ability to access content to which unsigned or self-signed legitimate applications do not have access. The following hex dump shows the logging capabilities of the malware (note the “mr.log” name used in both the threats)

SymbOS.Exy.A

imagebrowser image

SymbOS.Exy.C

imagebrowser image

When active, SymbOS.Exy.C also has a defense mechanism; it looks for any of the following programs:

  • App.Manager
  • Task Spy
  • Y-Tasks
  • ActiveFile

It ends them if they are found, making it difficult for the user to attempt to manually end the threat. Just as the previous versions, it also attempts to make a silent HTTP connection to a malicious server, sending back information on phone type (if it’s unable to establish the model information, it responds back with Nokia 3250), IMEI, and IMSI. We are currently investigating the possible use of this information, such as whether it downloads additional files.

Even though for the most part SymbOS.Exy.A/B was targeting mobile phone users in China,

imagebrowser image

SymbOS.Exy.C is now being circulated in English, and was reported to have been discovered in the Middle East. Thank you globalization.

imagebrowser image

The threat does provide a language selection prompt on installation that offers the option to use UK English as the default language for the application.

imagebrowser image

What this threat currently does – gather information from the phone and send it to predetermined addresses in addition to spamming other phones (SMS) and propagating – is not solely what interests us. A more interesting question to ask is: what could future versions of this threat potentially do using these trusted privileges? Could this be the birth of the SMS Botnet?