Symbian worm Yxes: towards mobile botnets?

  • Original Paper
  • Journal in Computer Virology

Abstract

In 2009, a new Symbian malware named SymbOS/Yxes was detected and quickly hit the headlines as one of the first pieces of malware for Symbian OS 9 and, above all, as the foretaste of a mobile botnet. Yet a detailed analysis of the malware was still missing. This paper addresses this issue and details how the malware silently connects to the Internet, installs new malware or spreads to other victims. Each of these points is illustrated with commented assembly code taken from the malware or re-generated Symbian API calls. Besides those implementation aspects, the paper also provides a global overview of Yxes's behaviour. It explains how malicious remote servers participate in the configuration and propagation of the malware, including Yxes's similarities with a botnet. It also tries to shed light on some incomplete or misleading statements in prior press articles. Those statements are corrected, based on the earlier reverse engineering evidence. Finally, the paper concludes on Yxes's importance and the lack of security on mobile phones. It also indicates several aspects future work should focus on, such as communication decryption, tools to analyze embedded malware, or cybercriminals' motivations.

Corresponding author

Correspondence to Axelle Apvrille.

Cite this article

Apvrille, A. Symbian worm Yxes: towards mobile botnets?. J Comput Virol 8, 117–131 (2012). https://doi.org/10.1007/s11416-012-0163-2

  • DOI: https://doi.org/10.1007/s11416-012-0163-2
