This is a short update to our prior post concerning Zitmo on Android.

Is this really Zitmo?

This fake Trusteer malware shows several differences with prior Symbian variants, but, for simplicity (and because it’s easy to remember), we call it Zitmo.

This does not mean this variant was written by the same authors (no proof on that account, one way or another)
nor that it has exactly the same technical functionalities or even, depending on naming policies, the same name among AV vendors, but what we mean is that this sample was propagated by ZeuS PC trojans – which is all that matters from an end-user perspective…

Denis Maslennikov proves it in his blog post where he shows Win32 ZeuS configuration files with modified Trusteer web pages. This is confirmed by our own research too: we decrypted a ZeuS configuration file and found the Trusteer-related injected pages.

Also, note that another Android Zitmo sample was discovered and fakes a Kaspersky anti-virus. We detect that sample as Android/Zitmo.D!tr.spy.

– the Crypto Girl

Kyle Yang and Alexandre Aumoine contributed to this research.

Zitmo is a mobile malware Fortinet has particularly been focusing on since the beginning (see our first blog post and my presentation at ShmooCon 2011) as it is one of the first palpable signs organized criminals show interest in infecting mobile phones. As you may know (see F-Secure and Kaspersky‘s blog posts), it is unfortunately back, with a new version.

So, technically speaking, what’s new?

• it now supports Windows Mobile phones too. Not only Symbian (there was rumors concerning a BlackBerry version – never confirmed).
• the default phone number it sends intercepted SMS to has changed, though it is still a mobile phone number, in the UK and probably from the same operator.
• it intercepts both incoming and outgoing SMS. The previous version only intercepted incoming SMS and did not care about outgoing ones. It is possible this feature isn’t actually used by the gang, but has just been put back in the executable from “SMS Monitor”, the trojan spyware Zitmo is highly inspired from.
• it sends an SMS (to the UK number by default) with the text “app installed ok” each time a SET ADMIN command is processed. In the previous version, this SMS was only sent at the first install of the trojan.
• it features a new command “UNINSTALL”… which actually installs a new package (see Figure below). Zitmo searches on the mobile phone for a file named c:\system\apps\u.dat (note the file is not downloaded from the web – Zitmo does not connect to Internet). The extension of this file is intentionally misleading, it is actually a Symbian package. Zitmo renames it u.sisx and silently installs it on the phone (no prompt, no warning whatsoever).

So far, this variant has been found in the wild in different European countries, albeit in low volumes. In Poland, in particular, it has been reported to be used by the PC component of ZeuS to target ING Poland and mBank. Note that Zitmo itself (aka the mobile component of the ZeuS toolkit) works for any target: as it simply forward the one-time passwords, it is bank agnostic.  Thus, the target is solely determined by the PC component, and is found in an encrypted configuration file, fed to it by the cyber-criminals from the command and control center.

Finally, Fortinet detects those trojans as SymbOS/Zitmo.B!tr and WinCE/Zitmo.B!tr.

– the Crypto Girl

Tomorrow starts the quite famous – and ever sold-out – security conference Shmoocon, held in Washington DC until Sunday. The keynote this year will be filled by Peiter Mudge Zatko, inventor of L0phtcrack and early pioneer of buffer overflows.

Among the talks filling the tri-tracks program (Build it / Break it / Bring it on), we’re glad to find our Crypto Girl, Axelle, who will present a paper she co-wrote with Kyle Yang (another regular poster on this blog) on the infamous mobile phone malware Zitmo, that we discovered (simultaneously with Spanish company S21sec) and named last September.

Zitmo stands for “ZeuS in the Mobile”; this offspring of the gang behind the infamous banking credential theft kit named “ZeuS” has the interesting peculiarity of attacking so-called “mTAN” (mobile Transaction Authentication Number), which are sent as SMS messages by many banks to serve as a second authentication factor, when customers want to initiate a financial transaction online.

Axelle will elaborate on the details during the preso, so if you’re around, make sure you attend!

In prevision of the anticipated merge between the two infamous banking malware ZeuS and SpyEye, our Threat Analyst Kyle Yang spent some time dissecting the most current version of SpyEye we could get our hands on (W32/SpyEye.C!tr.spy).

While SpyEye shares some similarities with ZeuS (encrypted/compressed configuration file, updateable injection scripts, drop zones, update zones for binary and config update, etc …), an extra feature quickly caught our attention: SpyEye connects to a “log server” that is different than the server where it fetches updates from, where fraudulent transactions done by the trojan are logged:

Of course, because most banks today won’t allow transactions initiated online to be transnational, the recipients of such transfers are what we call “mules” (in the money laundering jargon) or “drops” (in the jargon used by cybercriminals themselves) – intermediaries between the victim and the cyber criminals, living in the victim’s country.

Unsurprisingly, the drops are not hardcoded in the trojan’s binary, but simply configured in the log server itself:

Note that the names and account numbers were modified to dumb values for the screenshot. However, the rest of the drop info was untouched, which prompts comments on two items:

• Transfer limits: Those are relatively low, possibly to stay “under the radar.” Transferring a large sum of money “by small chunks” in order to avoid the new anti-laundering legislation (where mandatory records and reports are needed for large sums, etc…) is called “smurfing”. While the chunk limit in the USA is $10,000, thus well above the ~1000  upper limit used by SpyEye, we are not sure these are dollars. They could be British Pounds, and in UK there is no chunk limit: any suspicious transaction must be reported. Or… the SpyEye upper limit may simply reflect the amount of trust the cybercriminals have in each particular drop.

• A percentage: It very likely represents the share taken by each of the two parties (the mule and the cybercriminal) on the transfers. Now, given the unbalance (90% – 10%) it creates, the question is: who gets 10%, and who gets 90%? Some years ago, the question would have been quickly resolved, with the cybercriminals usually taking the bigger piece of cake – which would seem normal, as he/she was the one putting the most effort into the whole operation. But with the large “mule busting” operations conducted in UK and US lately, it is fairly possible that the odds got inverted,which would seem… normal – given the risks now involved for each party. That would at least indicate that while mule busting operations lead by law enforcement do not catch the bigger fishes, warmly sheltered under the complexities of transnational judiciary operations, it does contribute to make them less rich.

Kyle will address some technical points in an upcoming post.