Experts predicted that there would be a rise in the number of mobile threats in 2009, and it seems the creators of SymbOS.Exy.A and SymbOS.Exy.B are out to prove the prediction right. They have resurfaced with yet another signed Symbian malware, SymbOS.Exy.C.
Previous certificates used with SymbOS.Exy.A/B
Circulating under the name “Sexy Space”, SymbOS.Exy.C is very similar to the original SymbOS.Exy.A threat. Not only does it reuse some of the code from the original threat, it even uses the same method of propagation.
It appears that the creators of the SymbOS.Exy.A/B threats have found the perfect loophole for distribution and have decided to stick to it for SymbOS.Exy.C: good old-fashioned social engineering mixed with SMS spam. Going by names such as “Sexy View” or “Sexy Girl” and now “Sexy Space”, the threat propagates through suggestive SMS messages which direct recipients to download the threat from an external URL.
Taking advantage of its signed, secured status, the malware attempts to hide its traces by running under the process name “AcsServer.exe”, a slight variation on the name of a legitimate application. It also installs itself in the hidden c:\sysbin folder, in addition to dropping another file, “kel.sisx” (also Symbian signed), in the path C:\data\. Because it is signed, the threat can access content to which unsigned or self-signed legitimate applications do not have access. The following hex dump shows the logging capabilities of the malware (note the “mr.log” name used in both threats).
When active, SymbOS.Exy.C also has a defense mechanism; it looks for any of the following programs: