NEWS FROM THE LAB - Thursday, October 27, 2011

Trojan:SymbOS/OpFake.A Posted by ThreatResearch @ 17:35 GMT

Here's the technical analysis related to yesterday's post on Trojan:SymbOS/OpFake.A.

OpFake.A arrives as a supposed Opera Mini updater using file names such as OperaUpdater.sisx and Update6.1.sisx. The malware installer adds an Opera icon to the application menu. When run, it will show a menu and a fake download progress bar.

[Screenshot: "Opera Updater 56%"] Progress bar displayed… even though this installer was run inside of a Faraday room.

The malware also has a "license" which can be displayed. When the trojan is started, and before the victim advances through any of the menus, the trojan is already sending text messages to Russian premium rate numbers. The numbers and the content of the messages come from an encrypted configuration file (sms.xml).

The Symbian version of OpFake.A will also monitor SMS messages for the short while it is active and deletes incoming messages, as well as messages moved to the sent messages folder, based on the phone numbers and content of the messages. The code that handles the interception of incoming SMS messages is largely identical to that in Trojan:SymbOS/Spitmo.A. That part of OpFake.A clearly shares source code with Spitmo.A.

OpFake.A tracks whether it has been run before and won't do anything except for the first time it is executed.

OpFake trojans have been self-signed using a certificate created by the attackers themselves. The owner of the certificate is JoeBloggs and the company is acme. Because these names were used as an example on a website for creating certificates, there are also non-malicious files signed with certificates that have the same owner name and company.

There are numerous variants of the installer in different paths on OpFake's host server using different file names (OperaUpdater.sisx, Update6.1.sisx, jimm.sisx). One example path is [IP Address]/builder/build/gen48BF.tmp/OperaUpdater.sisx. The varying part of the path is the 4 characters between gen and .tmp.

There is also a Windows Mobile version of the malware on the same server under a different path, for example: [IP Address]/wm/build/gen7E38.tmp/setup.CAB. Again there are numerous versions under different random paths. Currently there are over 5000 folders with random names under wm/build.
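As an added detection example (not part of the original post or of any F-Secure tooling), the following Python scans proxy or web-server log lines for requests matching the hosting layout described above and classifies each hit as the Symbian or Windows Mobile download. It assumes the four varying characters are hexadecimal, as in the two paths quoted; the sample log lines are constructed and use the post's [IP Address] placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hosting layout described in the post:
#   /builder/build/gen48BF.tmp/OperaUpdater.sisx   (Symbian)
#   /wm/build/gen7E38.tmp/setup.CAB                (Windows Mobile)
# Assumption: the 4 varying characters are hex, as in both observed paths.
OPFAKE_PATH = re.compile(
    r"/(?P<tree>builder|wm)/build/gen(?P<build>[0-9A-Fa-f]{4})\.tmp/"
    r"(?P<file>[^/\s?]+)"
)

# Installer file names named in the post.
SYMBIAN_NAMES = {"operaupdater.sisx", "update6.1.sisx", "jimm.sisx"}


@dataclass
class Hit:
    line_no: int
    platform: str    # "symbian" or "windows-mobile"
    build_dir: str   # the 4-character varying part, upper-cased
    filename: str


def classify(tree: str, filename: str) -> Optional[str]:
    """Map the path tree and file name to the platform the post describes."""
    name = filename.lower()
    if tree == "builder" and (name in SYMBIAN_NAMES or name.endswith(".sisx")):
        return "symbian"
    if tree == "wm" and name.endswith(".cab"):
        return "windows-mobile"
    return None


def scan_log(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line whose URL matches the OpFake layout."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = OPFAKE_PATH.search(line)
        if not m:
            continue
        platform = classify(m.group("tree"), m.group("file"))
        if platform:
            hits.append(Hit(n, platform, m.group("build").upper(), m.group("file")))
    return hits


# Constructed sample log lines (not real traffic); line 3 is benign, line 4 fails the hex check.
SAMPLE_LOG = [
    "GET http://[IP Address]/builder/build/gen48BF.tmp/OperaUpdater.sisx 200",
    "GET http://[IP Address]/wm/build/gen7E38.tmp/setup.CAB 200",
    "GET http://[IP Address]/builder/build/index.html 200",
    "GET http://[IP Address]/wm/build/genZZZZ.tmp/setup.CAB 404",
]
```

Run `scan_log(SAMPLE_LOG)` to get the two matching lines; widen the `build` group if your own observations show non-hex directory names.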

Below are two examples of decrypted configuration files; the first is for a Symbian variant and the second for a Windows Mobile variant. The entries with "number" and "text" signify, respectively, the phone number a message is sent to and the content of the message.

[Image: OpFake configuration files]

SHA-1: 2518a8bb0419bd28499b41fad2089dd7555e50c8