SMS lures for Trojan bot

Date:06.21.2006

Threat Type: Malicious Code Alert

Websense® Security Labs™ has received reports of users being lured to install malicious code via Short Message Service (SMS) messages (also known as text messages). Victims receive an SMS message on their mobile phone, thanking them for subscribing to a fictitious dating service. The message states that the subscription fee of $2.00 per day will be automatically charged to their cell phone bill until their subscription is cancelled at the online site.

"Thank you for subscribing to <URL Removed> - Dating Service ! Your phone will be charged now $2.00 per day untill you unsubscribe online."

The same message is also spammed to the comments section of numerous message boards.

Users who visit the site to unsubscribe from the service are prompted to download a Trojan bot. The site does not attempt to exploit any vulnerabilities; instead, the attacker provides instructions to bypass the Internet Explorer security warning prompt.

This bot is Dumador variant and is controlled by the web-based HTTP controller, discussed in an alert last year:
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=257

Front Page Screenshot:

Security Warning Screenshot:

Thanks to Sunbelt Software for their research assistance.