Sunday, September 2, 2012

Investigation behind Malaysian SMS spam with .jar attachment (0195451395).

I have constantly received SMS spam messages carrying a .jar attachment. This has happened several times within 3 months, so I decided to do some digging into who is behind this activity.


The phone number used by the spammer:
+6019-5451395 (several other phone numbers can be used)

The SMS message contains a URL which redirects to another server that provides the download link:
hxxp://bit.ly/RuMmBi ---> hxxp://203.223.148.215/R340.jar

A .jar file looks suspicious, and sending one as an attachment is an inappropriate way to promote anything. Let's try to access IP 203.223.148.215 with a browser.


The IP 203.223.148.215 resolves to the domain name www.smsgateway.cc. It seems to be running IIS on a Windows machine. Now let's Nmap it.

Host is up (0.011s latency).
Not shown: 979 closed ports
PORT      STATE    SERVICE        VERSION
21/tcp    open     ftp            Microsoft ftpd
25/tcp    filtered smtp
80/tcp    open     http           Microsoft IIS httpd 7.5
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: 403 - Forbidden: Access is denied.
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
1026/tcp  filtered LSA-or-nterm
1027/tcp  filtered IIS
1433/tcp  open     ms-sql-s       Microsoft SQL Server 2008
2383/tcp  open     ms-olap4?
3389/tcp  open     microsoft-rdp  Microsoft Terminal Service
4444/tcp  filtered krb524
6129/tcp  filtered unknown
6667/tcp  filtered irc
49152/tcp open     msrpc          Microsoft Windows RPC
49153/tcp open     msrpc          Microsoft Windows RPC
49154/tcp open     msrpc          Microsoft Windows RPC
49155/tcp open     msrpc          Microsoft Windows RPC
49160/tcp open     msrpc          Microsoft Windows RPC
49161/tcp open     msrpc          Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servi
t.cgi :
SF-Port1433-TCP:V=5.51%I=7%D=9/1%Time=50421EB0%P=i686-pc-windows-windows%r
SF:(ms-sql-s,25,"\x04\x01\0%\0\0\x01\0\0\0\x15\0\x06\x01\0\x1b\0\x01\x02\0
SF:\x1c\0\x01\x03\0\x1d\0\0\xff\n2\x06@\0\0\0\0");
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|7|Vista (94%), FreeBSD 6.X (86%)
Aggressive OS guesses: Microsoft Windows Server 2008 SP2 (94%), Microsoft Windows 7 (94%), Microsoft Windows Vista SP0 or SP1, Server 2008 SP1, or Windows 7 (94
oft Windows Server 2008 (94%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows 7 Professional (93%), Microsoft Windows Server 2008 Beta 3 (93%), Micro
ws 7 Ultimate (92%), Microsoft Windows Vista Business SP1 (91%), Microsoft Windows Vista Home Premium SP1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 6 hops
Service Info: OS: Windows

TRACEROUTE (using port 8888/tcp)
HOP RTT      ADDRESS
1   8.00 ms  60.53.173.202
2   5.00 ms  115.132.110.213
3   5.00 ms  115.132.110.213
4   8.00 ms  10.55.36.118
5   12.00 ms ge-0-1.edge-gw-1-kul-sip.my.globaltransit.net (61.11.210.174)
6   11.00 ms 203.223.148.215

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.76 seconds


Well, the following are the only ports that can be accessed from the public Internet (the rest are filtered):
21/tcp    Microsoft ftpd
80/tcp    Microsoft IIS httpd 7.5
1433/tcp  Microsoft SQL Server 2008
2383/tcp  ms-olap4?
3389/tcp  microsoft-rdp  Microsoft Terminal Service
49152/tcp Microsoft Windows RPC
49153/tcp Microsoft Windows RPC
49154/tcp Microsoft Windows RPC
49155/tcp Microsoft Windows RPC
49160/tcp Microsoft Windows RPC
49161/tcp Microsoft Windows RPC

Now we need to take a look at the .jar file. First of all, let's see how it looks when running on a phone. In this case I used the Nokia emulator.


Once the victim runs the spam app, it instantly pops up a prompt to send a message to the short code 33375. If the user clicks/taps the Yes button, it automatically subscribes them to a RM3.00 service that delivers more spam content. RM3.00 of your credit will be 'stolen' every month.


The resulting SMS traffic is shown in detail in the image above. Let's take a look at the .jar source code below:


The variables paramString1 and paramString3 correspond to entries in the manifest file.

If we look at the 'c' class in the source code, there is another shortened link which redirects to their Terms and Conditions web page.


The shortened link redirects as follows:
hxxp://bit.ly/Mubvpe ---> hxxp://progain.smsgateway.cc/tnc.html
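For anyone who wants to triage a .jar like this one without a decompiler, the script below is an added example (my own, not the spammer's code and not the decompiled R340.jar): a J2ME jar is just a zip, so it reads the MIDlet attributes from META-INF/MANIFEST.MF and scans the class files for the things a premium-SMS subscriber app needs: the JSR-120 messaging classes, the sms.send permission, a five-digit short code and any URLs. The jar it builds in memory is a constructed stand-in; the short code 33375 and the bit.ly link are the values from this write-up, while the manifest keys SMS-Number and SMS-Text are assumed names for the entries paramString1 and paramString3 would read.

```python
"""Static triage of a J2ME (MIDP) .jar: manifest attributes plus SMS indicators
from the class files.  Built-in sample jar is constructed, not the real R340.jar."""
import io
import re
import zipfile

# Constructed manifest.  MIDlet-Permissions and javax.wireless.messaging.sms.send
# are the real MIDP 2.0 / JSR-120 names; SMS-Number and SMS-Text are assumed
# application-specific keys standing in for whatever the real jar used.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "MIDlet-Name: R340\r\n"
    "MIDlet-Vendor: Unknown\r\n"
    "MIDlet-Version: 1.0\r\n"
    "MIDlet-1: R340, /icon.png, a\r\n"
    "MIDlet-Permissions: javax.wireless.messaging.sms.send\r\n"
    "MicroEdition-Configuration: CLDC-1.1\r\n"
    "MicroEdition-Profile: MIDP-2.0\r\n"
    "SMS-Number: 33375\r\n"
    "SMS-Text: ON R340\r\n"
)
# Constructed stand-in for class 'c': class-file magic followed by the kind of
# constant-pool strings a premium-SMS MIDlet carries.
SAMPLE_CLASS_C = (
    b"\xca\xfe\xba\xbe\x00\x00\x00\x32\x00\x00"
    b"javax/wireless/messaging/MessageConnection\x00"
    b"sms://33375\x00http://bit.ly/Mubvpe\x00Yes\x00No\x00"
)

SHORT_CODE_RE = re.compile(rb"(?<!\d)\d{5}(?!\d)")
URL_RE = re.compile(rb"(?:https?|sms)://[\x21-\x7e]+")


def build_sample_jar() -> bytes:
    """Assemble the constructed jar in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
        zf.writestr("c.class", SAMPLE_CLASS_C)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Parse a JAR manifest: 'Key: value' lines, continuation lines start with a space."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
            continue
        key, _, value = line.partition(":")
        last = key.strip()
        attrs[last] = value.strip()
    return attrs


def extract_indicators(class_bytes: bytes) -> dict:
    """Printable-string scan of one class file.  A full tool would walk the
    constant pool; a run scan is enough to surface short codes and URLs."""
    strings = re.findall(rb"[\x20-\x7e]{4,}", class_bytes)
    return {
        "uses_wma": any(b"javax/wireless/messaging" in s for s in strings),
        "short_codes": sorted({m.decode() for s in strings for m in SHORT_CODE_RE.findall(s)}),
        "urls": sorted({m.decode() for s in strings for m in URL_RE.findall(s)}),
    }


def triage_jar(jar_bytes: bytes) -> dict:
    """Return manifest, per-class indicators and an overall premium-SMS verdict."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        classes = {n: extract_indicators(zf.read(n)) for n in zf.namelist() if n.endswith(".class")}
    perms = manifest.get("MIDlet-Permissions", "") + "," + manifest.get("MIDlet-Permissions-Opt", "")
    requests_send = "javax.wireless.messaging.sms.send" in perms
    codes = {c for ind in classes.values() for c in ind["short_codes"]}
    # Short codes may also sit in the manifest, which is what getAppProperty() reads.
    codes.update(v for v in manifest.values() if re.fullmatch(r"\d{5}", v))
    return {
        "manifest": manifest,
        "classes": classes,
        "requests_sms_send": requests_send,
        "short_codes": sorted(codes),
        "premium_sms_suspect": requests_send and bool(codes),
    }


if __name__ == "__main__":
    report = triage_jar(build_sample_jar())
    print("MIDlet:", report["manifest"].get("MIDlet-Name"))
    print("requests sms.send:", report["requests_sms_send"])
    print("short codes:", report["short_codes"])
    for name, ind in report["classes"].items():
        print(name, ind)
    print("premium SMS suspect:", report["premium_sms_suspect"])
```

To run it against a real sample, replace build_sample_jar() with the bytes of the downloaded file; the verdict is only a triage hint, and the strings still need to be confirmed in a decompiler, as was done above with class 'c'.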


Based on their TnC, it seems that Million Progain Sdn Bhd (916763-X) is responsible for receiving payment from the user. Several terms and conditions have also been violated by this company. I'll hold back the details about this company for now, because it seems to lead to more abusive services.