Archive for 'Trojans'

Trojan SymbOS/MerogoSMS Worms

Known as Trojan SymbOS/MerogoSMS worms are currently attempting to spread on Symbian Series 60 3rd Edition devices. Symbian is the most common smartphone operating system in use.

They spread by sending text messages to other phones. The SMS contains a variable message in Chinese with a link to a web site. If the link is followed, the user is prompted to install an application, thereby infecting the phone and restarting the whole process of propagation via SMS. These worms appear to have the capability of sending messages to expensive premium-rate numbers.

Here’s the Clever Bit

As unsigned software cannot be directly installed on Symbian Series 60 3rd Edition devices by default, the installation package for this worm has indeed gone through the Symbian Signed process. According to sources, the packages were submitted using Symbian's Express Signed mechanism. The signed installation files contain additional unsigned SISX files which the host installer deploys. This type of mechanism makes it hard for certification systems to get a complete understanding of what the program being signed really does.
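To make the nesting problem concrete, here is an added example (not code from the original post and not Symbian's real SIS/SISX format) using a simplified package model: an outer package is signed over its own file list only, so a signature check that looks at the outer package alone passes, while a recursive check that demands a valid signature on every embedded package exposes the unsigned payload. The key, package names and file contents are constructed.

```python
import hashlib
import hmac

# Constructed demo key standing in for the publisher's signing key.
SIGNING_KEY = b"constructed-demo-key"


def manifest_digest(package):
    """Digest of the package's own files (name -> content).

    Deliberately excludes nested packages: this mirrors an outer signature
    that covers the host installer but not the installers it carries.
    """
    h = hashlib.sha256()
    for name in sorted(package["files"]):
        h.update(name.encode() + b"\0")
        h.update(package["files"][name].encode() + b"\0")
    return h.digest()


def sign_package(package, key=SIGNING_KEY):
    """Attach an HMAC over the package manifest (stand-in for a real signature)."""
    package["signature"] = hmac.new(key, manifest_digest(package), "sha256").hexdigest()
    return package


def signature_valid(package, key=SIGNING_KEY):
    sig = package.get("signature")
    if sig is None:
        return False
    expected = hmac.new(key, manifest_digest(package), "sha256").hexdigest()
    return hmac.compare_digest(sig, expected)


def shallow_verify(package):
    """What a check of the submitted package alone sees: only the outer signature."""
    return signature_valid(package)


def deep_verify(package, path=()):
    """Recursive check: every package, nested ones included, must be validly signed.

    Returns the list of paths to packages that fail; empty means everything passed.
    """
    here = path + (package["name"],)
    failures = [] if signature_valid(package) else ["/".join(here)]
    for nested in package.get("nested", []):
        failures.extend(deep_verify(nested, here))
    return failures


def build_sample():
    """Constructed sample: a signed outer installer carrying an unsigned embedded one."""
    hidden = {"name": "payload.sisx", "files": {"sms_sender.app": "constructed"}, "nested": []}
    outer = {"name": "game.sisx", "files": {"game.app": "constructed"}, "nested": [hidden]}
    return sign_package(outer)


if __name__ == "__main__":
    pkg = build_sample()
    print("outer signature valid:", shallow_verify(pkg))      # True
    print("unsigned nested packages:", deep_verify(pkg))      # ['game.sisx/payload.sisx']
```

The point of the two verifiers is that revoking the outer publisher ID only helps once the device actually checks signatures recursively and checks revocation; a shallow check is satisfied by the outer signature alone.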

Does Symbian Revoking the Publisher ID Fix the Problem for Everyone?

Symbian Foundation has revoked the publisher ID that was allocated for these packages. But does that automatically fix the problem? No. Another step is needed.

Usually S60 phones are not configured by default to check for certificate revocation. This is understandable. If hardware vendors configured phones to make data connections by default, it would create customer service nightmares for the carriers. Hardware vendors just can't assume that customers will buy data plans, so the certificate check is off by default.

If you have an S60 phone and a data plan then you should adjust your Application Manager settings as shown below.

[Image: certificate-check]

Analysis of the iKee.B (Duh) iPhone Botnet

An excellent technical report on the Ikee.B botnet that replicates on jailbroken iPhone devices has been put out by SRI International.

The following is an abstract of the report:

We present an analysis of the iKee.B (duh) Apple iPhone bot client, captured on 25 November 2009. The bot client was released throughout several countries in Europe, with the initial purpose of coordinating its infected iPhones via a Lithuanian botnet server. This report details the logic and function of iKee’s scripts, its configuration files, and its two binary executables, which we have reverse engineered to an approximation of their C source code implementation. The iKee bot is one of the latest offerings in smartphone malware, in this case targeting jailbroken iPhones. While its implementation is simple in comparison to the latest generation of PC-based malware, its implications demonstrate the potential extension of crimeware to this valuable new frontier of handheld consumer devices.

Click here to view the full report

InformationWeek Have Posted an Excellent Article Titled “Strong Authentication Not Strong Enough”

I was browsing through my RSS feeds this morning and came across an excellent article from InformationWeek.

The contents of the article give a clear indication that the normal Internet-based channels currently used for Internet banking on PCs, and more commonly on mobile devices, just don’t hack it when it comes to the overall security model. I’m thinking strongly that an implementation that includes SecureSMS as both authentication and content delivery mechanisms might prove to be the best way to go.

Here is a brief excerpt from the article:

Two-factor authentication — used to protect online bank accounts with both a password and a computer-generated one-time passcode — is supposed to be more secure than relying on a single password.

But Gartner Research VP Avivah Litan warns that cyber criminals have had success defeating two-factor authentication systems in Web browsing sessions using Trojan-based man-in-the-middle attacks.

To view the full article as posted by InformationWeek click here.
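The excerpt above says a login one-time code can be defeated by a Trojan sitting in the browser session. The reason is that the code proves the user holds the token but is not tied to what the session then submits. As an added example (not from the article or the original post), the constructed model below contrasts a plain event-based login code with a transaction-bound code: the user's device computes the code over the exact amount and destination, so a rewritten transaction no longer verifies at the bank. The shared secret, counter and transaction values are all invented.

```python
import hashlib
import hmac
import struct

# Constructed shared secret between the bank and the user's token/device.
SHARED_SECRET = b"constructed-shared-secret-between-bank-and-token"


def login_otp(secret, counter):
    """Simplified event-based one-time code (HOTP-like): binds only to the counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)


def transaction_code(secret, counter, amount_cents, destination):
    """Transaction authentication code: binds the counter to the payment details."""
    msg = struct.pack(">Q", counter) + b"%d|%s" % (amount_cents, destination.encode())
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)


def bank_accepts_login_only(counter, amount_cents, destination, otp):
    """Login-style check: the OTP is verified, the transaction is taken as submitted."""
    return hmac.compare_digest(otp, login_otp(SHARED_SECRET, counter))


def bank_accepts_transaction_bound(counter, amount_cents, destination, code):
    """Transaction-bound check: the code must match the submitted amount and destination."""
    expected = transaction_code(SHARED_SECRET, counter, amount_cents, destination)
    return hmac.compare_digest(code, expected)


def rewritten_transaction_accepted(user_amount, user_dest, seen_amount, seen_dest, bound):
    """Model of the scenario in the excerpt.

    The user authorises (user_amount, user_dest) on their own device; the bank
    receives (seen_amount, seen_dest), which a Trojan in the session may have
    rewritten.  Returns True if the bank accepts what it received.
    """
    counter = 42  # constructed token counter
    if bound:
        code = transaction_code(SHARED_SECRET, counter, user_amount, user_dest)
        return bank_accepts_transaction_bound(counter, seen_amount, seen_dest, code)
    otp = login_otp(SHARED_SECRET, counter)
    return bank_accepts_login_only(counter, seen_amount, seen_dest, otp)


if __name__ == "__main__":
    # Untampered transaction passes under both schemes.
    print(rewritten_transaction_accepted(1000, "ACME-UTILITIES", 1000, "ACME-UTILITIES", bound=False))
    print(rewritten_transaction_accepted(1000, "ACME-UTILITIES", 1000, "ACME-UTILITIES", bound=True))
    # Rewritten transaction: accepted with a login-only OTP, rejected when bound.
    print(rewritten_transaction_accepted(1000, "ACME-UTILITIES", 500000, "MULE-ACCOUNT", bound=False))
    print(rewritten_transaction_accepted(1000, "ACME-UTILITIES", 500000, "MULE-ACCOUNT", bound=True))
```

This is also why an out-of-band channel such as the SecureSMS approach the post favours needs to carry the transaction details to the user for confirmation, not just a code: the user must see the amount and destination the bank is about to act on.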

Brand New iPhone Worm – This One Attempts to Steal Information from the Mobile Device

There’s another new worm with botnet functionality hunting for jailbroken iPhones.

This new worm only affects jailbroken iPhones that have SSH installed and whose owners have not yet changed the iPhone default password. This worm connects to a web-based command & control centre at 92.61.38.16, somewhere in deepest darkest Lithuania.

Fortunately at this point in time the worm is not widespread. It is however much more serious than the first iPhone worm. This new iPhone worm attempts to steal information from the mobile devices.

New Symbian trojan that drops Commwarrior.B and disables the phone

Another article from the security pros at F-Secure outlines another Symbian trojan, Doomboot.A. Doomboot.A pretends to be a pirated copy of a Symbian game. People who don’t download and install pirated games or applications are safe from nasty surprises, but lots of people do.

Symbian trojan that locks your mobile phone's MMC card

F-Secure have a post that goes back nearly four years outlining the first known trojan to attack a phone's MMC card. SymbOS/Cardblock.A is a Symbian trojan that used a phone's MMC card in trying to get the user's PC infected with Win32 malware, but Cardblock.A is the first one that actually attacks the MMC card itself.