What's new in Zitmo.B?
Zitmo is a mobile malware Fortinet has particularly been focusing on since the beginning (see our first blog post and my presentation at ShmooCon 2011) as it is one of the first palpable signs organized criminals show interest in infecting mobile phones. As you may know (see F-Secure and Kaspersky's blog posts), it is unfortunately back, with a new version.
So, technically speaking, what's new?
- it now supports Windows Mobile phones too. Not only Symbian (there was rumors concerning a BlackBerry version - never confirmed).
- the default phone number it sends intercepted SMS to has changed, though it is still a mobile phone number, in the UK and probably from the same operator.
- it intercepts both incoming and outgoing SMS. The previous version only intercepted incoming SMS and did not care about outgoing ones. It is possible this feature isn't actually used by the gang, but has just been put back in the executable from "SMS Monitor", the trojan spyware Zitmo is highly inspired from.
- it sends an SMS (to the UK number by default) with the text "app installed ok" each time a SET ADMIN command is processed. In the previous version, this SMS was only sent at the first install of the trojan.
- it features a new command "UNINSTALL"... which actually installs a new package (see Figure below). Zitmo searches on the mobile phone for a file named c:systemappsu.dat (note the file is not downloaded from the web - Zitmo does not connect to Internet). The extension of this file is intentionally misleading, it is actually a Symbian package. Zitmo renames it u.sisx and silently installs it on the phone (no prompt, no warning whatsoever).
So far, this variant has been found in the wild in different European countries, albeit in low volumes. In Poland, in particular, it has been reported to be used by the PC component of ZeuS to target ING Poland and mBank. Note that Zitmo itself (aka the mobile component of the ZeuS toolkit) works for any target: as it simply forward the one-time passwords, it is bank agnostic. Thus, the target is solely determined by the PC component, and is found in an encrypted configuration file, fed to it by the cyber-criminals from the command and control center.
-- the Crypto Girl