NEWS FROM THE LAB - Friday, November 18, 2011

Another Cousin of Spitmo: SymbOS/ConBot Posted by ThreatResearch @ 14:14 GMT

Analysts on our Threat Research team recently discovered OpFake, a premium rate SMS trojan that shares code with Spitmo. And this week, our automation flagged a new sample. The guys have completed their analysis and it appears that we've discovered yet another "cousin" of Spitmo. Only, this trojan doesn't pretend to be an Opera update.

Also: SymbOS/ConBot has bot characteristics.

Analysts' notes follows:

Trojan:SymbOS/ConBot.A is based on the Spitmo source code. The only known instance of ConBot.A was downloaded from [removed].ru/mms.sis.

ConBot.A contains a package called SystemService that, in turn, contains an embedded package called AppBoot.

SystemService package contents:

  •  c:\Private\EE1DCDAA\first
  •  c:\Private\EE1DCDAA\start.xml
  •  c:\sys\bin\SystemService.exe
  •  c:\System\AppBoot\SystemService.boot

Embedded package AppBoot

  •  c:\sys\bin\AppBoot.exe
  •  c:\private\101f875a\import\[2005A60D].rsc

Unlike OpFake, ConBot does not add an icon to the applications menu. Once the installation is finished it does not notify the user of its existence in any way. (Perhaps it is promoted as a "security certificate update" as is Spitmo.)

Just like OpFake.A, ConBot.A is self-signed with a certificate by "JoeBloggs" from "Acme" but the certificate itself is not the same that was used for OpFake.

AppBoot.exe is automatically started every time the phone starts because of the [2005A60D].rsc file. AppBoot.exe then decrypts the SystemService.boot file.

The decryption algorithm is the same that Trojan:SymbOS/OpFake.A uses to decrypt its configuration file (sms.xml). The decrypted content of SystemService.boot turns out to be the path to c:\sys\bin\SystemService.exe. AppBoot.exe runs whatever files the decrypted .boot files point to.

SystemService.exe contains the actual payload of ConBot.

The first time SystemService.exe is run it collects mobile phone numbers from the contacts stored on the phone and saves them temporarily to c:\Private\EE1DCDAA\contacts.xml. The trojan the contacts [removed].ru/connect.php and sends the contacts.xml and IMEI of the phone to the remote server. Periodic connections are made to the same server with the IMEI, time, date, and operating system version (hard-coded to Symbian9). As a reply the trojan should receive an XML-file that contains instructions on where to send SMS-messages. There is also another URL hard-coded into the trojan ([removed].ru/connect.php), but it is overridden by the address from start.xml.

ConBot.A also monitors new incoming SMS messages as well as messages that are moved from the Outbox to the Sent folder. If certain conditions are met, the trojan deletes the SMS messages it intercepts. The function that handles messaging events notifying of new created messages is again largely identical to that of Spitmo.A and OpFake.A. It is not the only identical part in the code of the three families.

Updating the C&C:

An interesting feature in the SMS monitoring is the trojan's ability to update the C&C server URL via a text message. If ConBot.A notices an incoming SMS message that begins with zlhd[removed] it extracts the rest of the message and stores it to settings.dat replacing the old URL. The authors have apparently decided they don't want their mobile botnet crippled simply by taking down the C&C server.

ConBot code

SHA1 for the full installer: 83fc407f77ee56ab7269d8bea4a290714c65bbe1