Home > Malware, News > Vodafone distributes Mariposa – Part 2

Vodafone distributes Mariposa – Part 2

March 17th, 2010

It seems that my original post Vodafone distributes Mariposa botnet caught a lot of attention. It was very interesting to see the reactions from the different actors. On the one hand Vodafone called it an isolated incident, deleted all posts on their forum from users asking about the incident, and then two days later announced the end of life of the HTC Magic. On the other hand reactions from users all over the blogosphere ranged from applause for uncovering this to accusing us of making it up, along with the inevitable and always amusing Android vs. iPhone fanboy quarrels.

However it also caught the attention of an employee of a different IT security company here in Spain, S21Sec, which specializes in researching banking trojans & vulnerabilities. This guy had also purchased an HTC Magic direct from Vodafone’s official website the same week as my co-worker. He hadn’t connected the phone to his PC yet, but as soon as he saw the news hurried back home, plugged it in via USB and scanned its memory card with both MalwareBytes and AVG Free. Lo and behold, Mariposa emerged again, exactly in the same way as in our original finding.

htc-magic-sd-autorun

He immediately contacted us and was kind enough to send us the microSD card and allowed us to connect to his PC to analyze what had happend. According to the dates of the files, it seems his Vodafone HTC Magic was loaded with the Mariposa bot client on March 1st, 2010 at 19:07, a little over a week before the phone was delivered to him directly from Vodafone.

This Mariposa botnet client is also loaded in the same hidden NADFOLDER directory. It is also named as AUTORUN.EXE and will automatically run when connected into a Windows machine unless you have autorun disabled (download USB Vaccine to disable autorun if you haven’t done so yet).

The Mariposa botnet client itself is exactly the same as reported last week, with the same nickname and same Command & Control servers.

00129953  |.  81F2 736C6E74  |XOR EDX,746E6C73 ; â€tnls”

mx5.nadnadzz2.info
mx5.channeltrb123trb.com
mx5.ka3ek2.com

If these are not enough coincidences, there was also more malware in the SD card in addition to Mariposa. I also found a Win32/AutoRun worm in the following location of the phone’s card:

I:\RECYCLER\S-1-5-21-1254416572-1263425100-317347820-0350\system.exe

And for those conspiracy theorists amongst you (bess you!), the AV that he has installed was not Panda but AVG.

htc-magic-avg

So what conclusions can we draw from all this?

  • Vodafone stated it was an isolated incident, but that theory is losing ground as quick as you can say “p0wn3d”
  • Originally I had thought it was an issue with a specific refurbished phone as well. But having the exact same botnet client with the exact same characteristics, with such little time difference between the malware being loaded and delivered to the client and all happening during the same week, makes me think this might be a bigger problem, either with QA or with a specific batch of phones.
  • If you’re in Europe and you’ve purchased a HTC Magic from Vodafone a few weeks before or after March 1st 2010, I’d double-check my PC and my HTC’s microSD card if I were you.

The lesson to be learned here could be: either stop pre-loading malware into the phones or at least stop selling them to employees of IT security companies ;)

Categories: Malware, News Tags: ,
  1. March 17th, 2010 at 20:30 | #1

    An isolated incident ? the last week we see the same activity, the same signature and the same control servers on a hotel wifi spot at Andorra with the shark sniffer. We found 4 HTC magic from tourists, and their laptops also. One of the HTC from a Diplomatic man on Holidays purchased at spain 2 month ago at the same phone company.

    Best regards.

  2. mikea
    March 21st, 2010 at 11:22 | #2

    What I find disturbing about the report is actually vodafone’s response. Particularly the point that they deleted user threads relating to the issue from their forums. That in itself seems to me to be a significant indication of their approach to security and a reason not to be a vodafone subscriber. In other industries the issue of vendor liability has led to the attempts to destroy “evidence” being regarded by courts as a serious evidence of culpability.

    I wonder how long it will take before the software industry in general is forced to take responsibility for product quality. It also bothers me more than a little that these security issues are placing large amounts of the private sector at risk in the area of data privacy, but the software industry is still managing to escape liability. I do think the tide is turning against them however (for example in the credit-card and financial sector). It is good so !

  3. March 29th, 2010 at 08:36 | #3

    You have posted such a nice article. Thumbs up! Very nice article.

  4. March 30th, 2010 at 20:52 | #4

    You may want to check a comment I just got in my website. The virus also has surfaced in the Sony Ericsson from Vodafone too.

    http://noticiastech.com/wordpress/?p=31112#comments

  5. Damian
    April 10th, 2010 at 22:29 | #5

    Hi Pedro,

    I hope you see this and can email me.

    Can I remove the Panda USB vaccination from my USB drive without formatting or is that the only way?

    Thank you for your help,

    Regards – Damian

  6. Pedro Bustamante
    April 10th, 2010 at 22:42 | #6

    @Damian Yes, if its FAT or FAT32, plugin your USB drive to a linux or mac computer and try removing the autorun.inf file from there.

  7. May 22nd, 2010 at 09:51 | #7

    Deep Rai says……….
    i think that I wonder how long it will take before the software industry in general is forced to take responsibility for product quality.Originally I had thought it was an issue with a specific refurbished phone as well.

Comments are closed.