NEWS FROM THE LAB - Wednesday, October 26, 2011

OpFake: Premium Rate SMS Trojan That Shares Code w/ Spitmo Posted by Sean @ 17:10 GMT

One of the more interesting cases we've analyzed this year is Spitmo, short for SpyEye in the mobile.

When some versions of SpyEye, an infamous banking trojan, encounter mTANs (a mobile-based defense against computer-based man-in-the-browser attacks), they offer a counteroffensive: Spitmo, a mobile trojan that circumvents the authentication process.

It's a rather interesting crossover attack which uses clever techniques and code.

So naturally, when a couple of our analysts recently fired up some new Symbian automation they've developed, one of the first things they did was to feed it Spitmo. And the results were quite surprising!

Our new system discovered 54 samples that share code with Spitmo — but that aren't Spitmo. These "cousins" of Spitmo are premium rate SMS trojans that target Russian mobile phone users (using Russian SMS short codes). We've named these trojans OpFake because the installer claims to be Opera Mini (OperaUpdater.sisx).

But that's just a part of our story.

Our analysis of the OpFake Symbian binaries uncovered an IP address. A search for that IP address found a server online from which Windows Mobile versions of OpFake can also be accessed, via a publicly available folder containing over 5,000 sub-folders. Each sub-folder contains a unique, encrypted configuration file. We suspect these folders are visible because of a configuration error, since the Symbian folders are inaccessible.

OpFake: use of Spitmo components, Symbian, Windows Mobile (perhaps other OSes?), premium rate SMS messages… somebody is running quite a developed operation from their server in Saint Petersburg.

The server's IP address has been reported to CERT-FI.

Technical analysis of the OpFake binaries and details of the server's folder structure will be posted tomorrow.