GTC Malware Library Search
META-INF/
META-INF/MANIFEST.MF
Registration.cod
Registration.csl
Registration.cso
com/
com/ss8/
com/ss8/interceptor/
com/ss8/interceptor/app/
com/ss8/interceptor/app/Commands.class
com/ss8/interceptor/app/Constants.class
com/ss8/interceptor/app/Log.class
com/ss8/interceptor/app/Main$1.class
com/ss8/interceptor/app/Main.class
com/ss8/interceptor/app/MsgOut.class
com/ss8/interceptor/app/Recv.class
com/ss8/interceptor/app/Send.class
com/ss8/interceptor/app/StatusChange.class
com/ss8/interceptor/app/Transmit.class
com/ss8/interceptor/tcp/
com/ss8/interceptor/tcp/HTTPDeliver.class
com/ss8/interceptor/tcp/smtp/
com/ss8/interceptor/tcp/smtp/SMTPHeader.class
com/ss8/interceptor/tcp/SocketBase.class
Interceptor.class
The included classes allow the application to hook into folder updates, the message store, outbound messages, and radio events:
- The Recv.class allows the application to monitor for inbound messages by implementing net.rim.blackberry.api.mail.event.FolderListener and net.rim.blackberry.api.mail.event.StoreListener.
- The Send.class allows the application to monitor outbound messages, though it is only used to forward messages on later, by implementing net.rim.blackberry.api.mail.event.FolderListener and net.rim.blackberry.api.mail.SendListener.
- The StatusChange.class allows the application to monitor radio events such as a change of network. It removes and re-registers the Recv listener when certain network changes occur.
Upon installation, the spyware application attempts to register the device by sending the following information to the registration server from the responseToCentral method found in Send.java:
version:4.91
Copyright message
Time and Date
Pin no.
Phone No
IMEI
IMSI
Serial No:
Device Name:
Device Manufacturer
Platform Version
Reason: which can be either “Service change” or “Network Started”
State: whether the device is running or stopped
These commands are available in Commands.java, which calls the MsgOut constructor and passes the message to MsgOut.java. An additional message is sent to the registration server with the following information:
version:4.91
Time and Date
After registration has occurred, the application will remain inactive until a “start” command is received from the controlling agent. This command email will be deleted immediately. There are four possible commands (version, bCkp, start, stop), which are encrypted.
Once the application has been activated, it will listen for email messages. When a message is received, the Recv class inspects the message to determine whether it contains one of the four possible embedded commands. If it does not, it UTF-8 encodes the message, GZIP-compresses it, AES encrypts the message using the static key “EtisalatIsAProviderForBlackBerry”, then Base64 encodes the whole thing. The message will then be forwarded via an HTTP POST to http://10.116.3.99:7095/bbupgr. The following information is included in the message being sent to the controlling agent:
Message Subject
Body of the Message
From Address
To Address
It is assumed that the receiving HTTP server will then construct an email and forward the received information to the following email addresses:
regbb@etisalat.ae
etisalat_upgr@etisalat.ae
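For an analyst holding a captured POST body, the pipeline above has to be reversed (Base64 decode, AES decrypt, gunzip, UTF-8 decode) before the forwarded message can be read. The following is an added example in standard Java, not code from this page or from the spyware itself: the class and method names and the sample message are made up here, and the block mode and padding (AES/ECB/PKCS5Padding) are an assumption, since the page names only the algorithm and key.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class InterceptorPayloadDecoder {
    // Static key quoted in the analysis above; 32 ASCII bytes, i.e. AES-256.
    static final byte[] KEY =
        "EtisalatIsAProviderForBlackBerry".getBytes(StandardCharsets.US_ASCII);
    // ASSUMPTION: the page does not state the block mode or padding; ECB with
    // PKCS5 padding (Java's default for plain "AES") is assumed here.
    static final String TRANSFORM = "AES/ECB/PKCS5Padding";

    /** Reverses the described pipeline: Base64 -> AES -> GZIP -> UTF-8. */
    public static String decodeCapturedPayload(String b64) throws Exception {
        byte[] cipherText = Base64.getDecoder().decode(b64);
        Cipher aes = Cipher.getInstance(TRANSFORM);
        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"));
        byte[] gz = aes.doFinal(cipherText);
        try (GZIPInputStream in = new GZIPInputStream(new ByteArrayInputStream(gz));
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
            return new String(out.toByteArray(), StandardCharsets.UTF_8);
        }
    }

    /** Constructed test fixture: applies the same steps forward so the decoder
     *  can be exercised offline without a real capture. */
    static String buildSample(String plain) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(bos)) {
            gz.write(plain.getBytes(StandardCharsets.UTF_8));
        }
        Cipher aes = Cipher.getInstance(TRANSFORM);
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"));
        return Base64.getEncoder().encodeToString(aes.doFinal(bos.toByteArray()));
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample mirroring the four fields the page lists.
        String sample = buildSample(
            "Subject: test\nBody: hello\nFrom: a@example.com\nTo: b@example.com");
        System.out.println(decodeCapturedPayload(sample));
    }
}
```

If a real capture fails to decrypt or gunzip under these settings, the mode or padding assumption is the first thing to revisit.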
to reboot. Upon reboot, the user will be forced to go through the setup wizard process to reconfigure network settings that were lost when the application was removed. This setup wizard process will not affect any custom applications or data.
