The phone number used by the spammer:
+6019-5451395 (other sender numbers are also used)
The SMS message contains a shortened URL that redirects to another server hosting the download:
hxxp://bit.ly/RuMmBi ---> hxxp://203.223.148.215/R340.jar
A .jar attachment looks suspicious; it is not a legitimate way to promote anything. Let's try accessing IP 203.223.148.215 with a browser.
The IP 203.223.148.215 resolves to the domain name www.smsgateway.cc. It seems to be running IIS on a Windows machine. Now let's run Nmap against it.
Host is up (0.011s latency).
Not shown: 979 closed ports
PORT      STATE    SERVICE          VERSION
21/tcp    open     ftp              Microsoft ftpd
25/tcp    filtered smtp
80/tcp    open     http             Microsoft IIS httpd 7.5
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: 403 - Forbidden: Access is denied.
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
593/tcp   filtered http-rpc-epmap
1026/tcp  filtered LSA-or-nterm
1027/tcp  filtered IIS
1433/tcp  open     ms-sql-s         Microsoft SQL Server 2008
2383/tcp  open     ms-olap4?
3389/tcp  open     microsoft-rdp    Microsoft Terminal Service
4444/tcp  filtered krb524
6129/tcp  filtered unknown
6667/tcp  filtered irc
49152/tcp open     msrpc            Microsoft Windows RPC
49153/tcp open     msrpc            Microsoft Windows RPC
49154/tcp open     msrpc            Microsoft Windows RPC
49155/tcp open     msrpc            Microsoft Windows RPC
49160/tcp open     msrpc            Microsoft Windows RPC
49161/tcp open     msrpc            Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servi t.cgi :
SF-Port1433-TCP:V=5.51%I=7%D=9/1%Time=50421EB0%P=i686-pc-windows-windows%r
SF:(ms-sql-s,25,"\x04\x01\0%\0\0\x01\0\0\0\x15\0\x06\x01\0\x1b\0\x01\x02\0
SF:\x1c\0\x01\x03\0\x1d\0\0\xff\n2\x06@\0\0\0\0");
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|7|Vista (94%), FreeBSD 6.X (86%)
Aggressive OS guesses: Microsoft Windows Server 2008 SP2 (94%), Microsoft Windows 7 (94%), Microsoft Windows Vista SP0 or SP1, Server 2008 SP1, or Windows 7 (94%), Microsoft Windows Server 2008 (94%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows 7 Professional (93%), Microsoft Windows Server 2008 Beta 3 (93%), Microsoft Windows 7 Ultimate (92%), Microsoft Windows Vista Business SP1 (91%), Microsoft Windows Vista Home Premium SP1 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 6 hops
Service Info: OS: Windows

TRACEROUTE (using port 8888/tcp)
HOP RTT      ADDRESS
1   8.00 ms  60.53.173.202
2   5.00 ms  115.132.110.213
3   5.00 ms  115.132.110.213
4   8.00 ms  10.55.36.118
5   12.00 ms ge-0-1.edge-gw-1-kul-sip.my.globaltransit.net (61.11.210.174)
6   11.00 ms 203.223.148.215

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.76 seconds
Well, the following are the only ports that can be reached from the public internet:
21/tcp    Microsoft ftpd
80/tcp    Microsoft IIS httpd 7.5
1433/tcp  Microsoft SQL Server 2008
2383/tcp  ms-olap4?
3389/tcp  microsoft-rdp Microsoft Terminal Service
49152/tcp Microsoft Windows RPC
49153/tcp Microsoft Windows RPC
49154/tcp Microsoft Windows RPC
49155/tcp Microsoft Windows RPC
49160/tcp Microsoft Windows RPC
49161/tcp Microsoft Windows RPC
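The list above is the scan output filtered down to ports in the "open" state, which is the practical meaning of "reachable from the public internet" here. As an added example that is not part of the original post, the following Python snippet parses nmap's normal-output port table, separates open from filtered ports, and flags the exposed services an administrator would want to review on a host like this (FTP, SQL Server, RDP, RPC). The sample lines are constructed from the scan above, and the RISKY_EXPOSED table is an assumption made for this example, not a list from the post.

```python
import re

# Constructed sample: a few lines in nmap's normal-output port table format,
# modelled on the scan quoted above (not the complete scan).
SAMPLE_SCAN = """\
PORT      STATE    SERVICE          VERSION
21/tcp    open     ftp              Microsoft ftpd
25/tcp    filtered smtp
80/tcp    open     http             Microsoft IIS httpd 7.5
135/tcp   filtered msrpc
1433/tcp  open     ms-sql-s         Microsoft SQL Server 2008
2383/tcp  open     ms-olap4?
3389/tcp  open     microsoft-rdp    Microsoft Terminal Service
4444/tcp  filtered krb524
49152/tcp open     msrpc            Microsoft Windows RPC
"""

# port/proto  state  service  [version...]
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)(?:\s+(.*))?$"
)

# Services that should not normally be exposed directly to the internet.
# This table is an assumption for the example, not a list from the original post.
RISKY_EXPOSED = {
    "ftp": "clear-text credentials over FTP",
    "ms-sql-s": "database management port reachable from the internet",
    "microsoft-rdp": "remote desktop reachable from the internet",
    "msrpc": "Windows RPC endpoints reachable from the internet",
}


def parse_ports(scan_text):
    """Return one dict per port line found in nmap normal output."""
    results = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # headers, script output and summary lines are skipped
        port, proto, state, service, version = m.groups()
        results.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            "service": service,
            "version": (version or "").strip(),
        })
    return results


def open_ports(scan_text):
    """Only ports in the 'open' state are actually reachable; 'filtered' ones are blocked upstream."""
    return [p for p in parse_ports(scan_text) if p["state"] == "open"]


def exposure_findings(scan_text):
    """(port, service, reason) for each open port whose service is in RISKY_EXPOSED."""
    findings = []
    for p in open_ports(scan_text):
        reason = RISKY_EXPOSED.get(p["service"])
        if reason:
            findings.append((p["port"], p["service"], reason))
    return findings


if __name__ == "__main__":
    for p in open_ports(SAMPLE_SCAN):
        print(f"{p['port']}/{p['proto']} {p['service']} {p['version']}".rstrip())
    for port, service, reason in exposure_findings(SAMPLE_SCAN):
        print(f"REVIEW: {port} ({service}): {reason}")
```

The regex accepts the `open|filtered` state nmap reports for some UDP scans as well as the plain states, so the same function works on a combined TCP/UDP scan.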
Now we need to take a look at the .jar file. First, let's see how it looks when running on a phone; in this case I use the Nokia emulator.
Once the victim runs the spam app, it immediately pops up a prompt to send a message to the number 33375. If the user taps the Yes button, it automatically subscribes them to another spam service for RM3.00. Your credit will be 'stolen' at RM3.00 monthly.
The SMS traffic details are shown in the image above. Let's take a look at the .jar source code below:
The variables paramString1 and paramString3 correspond to values taken from the manifest file.
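The behaviour described above (a MIDlet that prompts for, and then sends, an SMS to a premium short code, with its parameters read from the manifest) can be triaged without running the app in an emulator. As an added example, not code from the original post, the following Python snippet opens a J2ME .jar as a zip, parses META-INF/MANIFEST.MF (including the single-space continuation-line rule of the manifest format), lists the MIDlet entry classes and declared permissions, and scans the class files for sms:// URLs, five-digit short codes and HTTP URLs. The jar it analyses is constructed in memory to imitate the shape of the R340.jar discussed here; its vendor name, class contents and the EXAMPLE short link are placeholders, and the JSR 120 permission name javax.wireless.messaging.sms.send is the only real identifier used.

```python
import io
import re
import zipfile

# JSR 120 permission a MIDlet must declare to send SMS from the handset.
SMS_SEND_PERMISSION = "javax.wireless.messaging.sms.send"

# Byte patterns that, inside compiled classes, point at SMS-subscription behaviour.
SMS_URL_RE = re.compile(rb"sms://\+?\d{4,15}")
SHORTCODE_RE = re.compile(rb"(?<!\d)\d{5}(?!\d)")  # five-digit premium short codes
HTTP_RE = re.compile(rb"https?://[\w./?=&%-]+")


def parse_manifest(text):
    """Parse MANIFEST.MF into a dict; a line starting with one space continues the previous value."""
    attrs = {}
    last = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
        elif ":" in raw:
            key, _, value = raw.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def triage_midlet(jar_bytes):
    """Static summary of a J2ME jar: entry classes, permissions, embedded SMS/HTTP indicators."""
    findings = {"midlets": [], "permissions": [], "sms_urls": [], "shortcodes": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        # MIDlet-1, MIDlet-2, ... hold "Name, icon, class" triples; the class is the entry point.
        for key, value in manifest.items():
            if re.fullmatch(r"MIDlet-\d+", key):
                findings["midlets"].append(value.split(",")[-1].strip())
        perms = manifest.get("MIDlet-Permissions", "")
        findings["permissions"] = [p.strip() for p in perms.split(",") if p.strip()]
        # Constant-pool strings survive compilation, so a raw byte scan of each class is enough here.
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            data = jar.read(name)
            findings["sms_urls"] += [m.decode() for m in SMS_URL_RE.findall(data)]
            findings["shortcodes"] += [m.decode() for m in SHORTCODE_RE.findall(data)]
            findings["urls"] += [m.decode() for m in HTTP_RE.findall(data)]
    findings["sends_sms"] = SMS_SEND_PERMISSION in findings["permissions"] or bool(findings["sms_urls"])
    return findings


def build_sample_jar():
    """Constructed sample jar imitating the layout described on the page (placeholder contents)."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "MIDlet-Name: Sample\r\n"
        "MIDlet-Vendor: Example Vendor\r\n"
        "MIDlet-Version: 1.0\r\n"
        "MIDlet-1: Sample, , a\r\n"
        "MIDlet-Permissions: javax.wireless.messaging.sms.send\r\n"
        "MicroEdition-Configuration: CLDC-1.1\r\n"
        "MicroEdition-Profile: MIDP-2.0\r\n"
    )
    # Fake class files: only the 0xCAFEBABE magic and a few constant-pool-like strings.
    fake_class_a = b"\xca\xfe\xba\xbe" + b"\x00" * 8 + b"sms://33375\x00ON RM3\x00"
    fake_class_c = b"\xca\xfe\xba\xbe" + b"\x00" * 8 + b"http://bit.ly/EXAMPLE-shortlink\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("a.class", fake_class_a)
        jar.writestr("c.class", fake_class_c)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_midlet(build_sample_jar()).items():
        print(f"{key}: {value}")
```

On a real sample, point triage_midlet at the bytes of the downloaded jar; a declared SMS-send permission combined with an sms:// string and a five-digit short code is the pattern that distinguishes a subscription trap like this one from an ordinary MIDlet.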
If we look at the 'c' class in the source code, there is another shortened link that redirects to their Terms and Conditions web page.
The shortened link redirects as follows:
hxxp://bit.ly/Mubvpe ---> hxxp://progain.smsgateway.cc/tnc.html
Based on their TnC, it seems that Million Progain Sdn Bhd (916763-X) is responsible for receiving payment from the user. Several TnC points have also been violated by this company. I'll hold on to the details about this company, as it seems to lead to more abusive services.