Subscriptions | RSS Feeds | Discussions | Polls | Site Map




All Threats

Viruses

Hackers

Spam
Whole site    Viruses
  
Virus Encyclopedia
Riskware
Alerts
Analysis
News
Glossary
Weblog

 
Archive

<< 2010  
Jan Feb  
     
     
     
About Diary's Authors
About Diary's Authors

The Analyst's Diary is a weblog maintained by virus analysts from Kaspersky Lab headed by Eugene Kaspersky. Find out more about the authors of this weblog.
Securelist Polls
How would you prefer to pay for your antivirus solution?
Using a prepay card
Via your mobile (SMS)
Via the Internet using a debit\ credit card
Using cash\ credit\ debit in a shop
Using an e-payment system (e.g. PayPal)
Other
  View responses
 

  Home / Weblog

Analyst's Diary

Viver unveiled


  Aleks       May 17, 2007 | 16:35  GMT

comment  

This week's been an interesting one in the world of mobile malware. We detected three variants of a new Trojan for mobile phones. Trojan-SMS.SymbOS.Viver uses an approach that was pioneered by RedBrowser and Wesber, Trojans which first appeared last year. Once these Trojans are installed, they'll send SMS messages to a premium number.

In contrast to RedBrowser and Wesber, which were the first malicious programs for phones running Java, Viver is coded to run on phones with Symbian, making it the first Trojan of this type for smartphones.

We've managed to establish how the Trojan is being spread, and exactly how the scammers are making money from it. Not surprisingly, the Trojan was uploaded to the file sharing section of a very popular site for mobile users, and presented as being a program users would want - a photo editor, a set of video codecs etc. A tried and tested approach.

Once Viver's on the smartphone, it sends a message to a premium rate short number. 177 roubles (almost $7) will be deducted from the user's account. But how does the money get to the people who put the Trojan up on the mobile site?

Mobile service providers offer short code numbers. They're too expensive for individuals but content providers will sign up for short numbers, and then effectively sublet them to anyone who's interested. Users of shared short numbers will have a prefix, or keyword, assigned to them, ensuring that the content provider can assign payment for SMSs received to the correct user. In the case of Viver, the number the Trojan sends its messages to was managed by Infon, a major Russian content provider.

The 177 roubles that a user gets charged for the Viver SMS gets split up, with between 45% - 49% going to the mobile operator, approximately 10% to Infon, and the remainder to the person renting the number from Infon.

We know that one of the Viver variants was downloaded by around 200 people in less than 24 hours. The Trojan was then deleted by the site adminstration. Simple math tells us that if there are 200 victims, and an SMS costs 177 roubles, then the scammer could have made 14,000 roubles (more than $500) in the space of a single day.

This month alone we've logged three similar incidents. We can only guess how many more of these Trojans are out there, but one thing is for sure - if there's money to be made, virus writers won't be slow to take up the opportunity.

 

Copyright © 1996 - 2010
Kaspersky Lab
Industry-leading Antivirus Software
All rights reserved
 

Email: webmaster@viruslist.com