Abstract
In 2009, a new Symbian malware named SymbOS/Yxes was detected and quickly hit the headlines as one of the first malware for Symbian OS 9 and, above all, as the foretaste of a mobile botnet. Yet a detailed analysis of the malware was still missing. This paper addresses this issue and details how the malware silently connects to the Internet, installs new malware or spreads to other victims. Each of these points is illustrated with commented assembly code taken from the malware or with re-generated Symbian API calls. Besides those implementation aspects, the paper also provides a global overview of Yxes's behaviour. It explains how malicious remote servers participate in the configuration and propagation of the malware, including Yxes's similarities with a botnet. It also tries to shed light on some incomplete or misleading statements in prior press articles. Those statements are corrected, based on the reverse engineering evidence presented previously. Finally, the paper concludes on Yxes's importance and the lack of security on mobile phones. It also indicates several aspects future work should focus on, such as communication decryption, tools to analyze embedded malware or cybercriminals' motivations.
Cite this article
Apvrille, A. Symbian worm Yxes: towards mobile botnets?. J Comput Virol 8, 117–131 (2012). https://doi.org/10.1007/s11416-012-0163-2