During the weekend, in our monitoring of the Zeus botnet, my colleague Kyle Yang stumbled upon an unexpected payload: a brand new mobile malware piece we named SymbOS/Zitmo.A!tr (Zitmo standing for “Zeus In The MObile”), likely aimed at intercepting confirmation SMS sent by banks to their customers. This also caught the eye of s21sec with a nice analysis you should read.
Basically, the ZeuS network initiated some social engineering operations (via injection of HTML forms in the victims’ browser) to get the phone number and phone model of its infected victims. Based on that info, it sends an SMS with a link to the appropriate version of the malicious package (a Symbian package for Symbian phones, a BlackBerry Jar for BlackBerry phones, etc.).
This malicious package is still under investigation, but given the context, it is logical to believe it is aimed at defeating the SMS-based two-factor authentication that most banks implement today to confirm transfers of funds initiated online by their end users, and which currently impedes the plundering of infected users’ online accounts by Zeus masters (note: although this was possible before, with man-in-the-middle attacks, it required the victim to initiate a financial transfer in the first place).
On the technical side, this malware is not altogether unexpected because, since SymbOS/Yxes, we have always said somebody would use web servers to distribute platform-specific malware to victims. Yet, it is the first time we see the technique used by a real gang.
So far, we have seen that:
- the Symbian version is correctly signed, once more via the Express Signed program. Symbian has been notified, but meanwhile, please be aware that this certificate has not been revoked yet:
Serial Number: 61:f1:00:01:00:23:5b:c2:79:43:80:40:5e:52 C=AZ, ST=Baku, L=Baku, O=Mobil Secway, OU=certificate 1.00, OU=Symbian Signed ContentID, CN=Mobil Secway
- the malware creates its own malicious database on the phone, where it stores all the information it steals (for instance contacts’ first and last names, and phone numbers) and needs. This database is named NumbersDB.db, and contains 3 tables:
  - tbl_contact with 4 columns: index, name, descr, pb_contact_id
  - tbl_phone_number with 2 columns: contact_id, phone_number
  - tbl_history with 6 columns: event_id, pn_id, date, description, contact_info, contact_id
The malware searches those tables using standard SQL queries.
- the malware sends SMS messages. In particular, it sends a message to a phone number located in the United Kingdom to report that the malware has been successfully installed (“App installed ok”).
"27/09/2010","12:09","Short message","Outgoing","App installed ok","+44778xxxxxxx" (NOT SENT - OFFLINE)
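For analysts triaging a suspicious phone image, the NumbersDB.db layout above is a usable indicator. The following is an added example (not Fortinet's or the malware's own code) that compares the schema of a database against the three tables and their columns as described in this post; it assumes the file can be opened as SQLite, which the post does not state (it only says the malware uses standard SQL queries), so the sample database here is constructed in memory from DDL.

```python
import sqlite3
from typing import Dict, List, Set, Tuple

# Table -> column names of NumbersDB.db, as described in the post.
ZITMO_SCHEMA: Dict[str, Set[str]] = {
    "tbl_contact": {"index", "name", "descr", "pb_contact_id"},
    "tbl_phone_number": {"contact_id", "phone_number"},
    "tbl_history": {"event_id", "pn_id", "date", "description",
                    "contact_info", "contact_id"},
}

# Constructed DDL that reproduces that layout for the demonstration.
# "index" is an SQL keyword, so it has to be quoted as a column name.
SAMPLE_DDL = """
CREATE TABLE tbl_contact ("index" INTEGER, name TEXT, descr TEXT, pb_contact_id INTEGER);
CREATE TABLE tbl_phone_number (contact_id INTEGER, phone_number TEXT);
CREATE TABLE tbl_history (event_id INTEGER, pn_id INTEGER, date TEXT,
                          description TEXT, contact_info TEXT, contact_id INTEGER);
"""


def build_sample_db(ddl: str = SAMPLE_DDL) -> sqlite3.Connection:
    """Create an in-memory SQLite database from the given DDL (test data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(ddl)
    return conn


def read_schema(conn: sqlite3.Connection) -> Dict[str, Set[str]]:
    """Return table -> set of column names for every user table (assumes SQLite)."""
    schema: Dict[str, Set[str]] = {}
    tables = conn.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()
    for (table,) in tables:
        if table.startswith("sqlite_"):
            continue  # skip SQLite's internal bookkeeping tables
        cols = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
        schema[table] = {row[1] for row in cols}  # row[1] is the column name
    return schema


def match_zitmo_schema(observed: Dict[str, Set[str]],
                       expected: Dict[str, Set[str]] = ZITMO_SCHEMA
                       ) -> Tuple[List[str], Dict[str, Set[str]]]:
    """Return (fully matched tables, table -> columns that are missing)."""
    matched: List[str] = []
    missing: Dict[str, Set[str]] = {}
    for table, cols in expected.items():
        absent = cols - observed.get(table, set())
        if absent:
            missing[table] = absent
        else:
            matched.append(table)
    return matched, missing
```

A full match of all three tables is a strong hint that the file is Zitmo's database; a partial match is still worth a closer look, since a later variant may have changed a column or two.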
Additionally, as explained by s21sec, the malware seems to be able to respond to a few commands such as ‘set admin’, which might be particularly dangerous: anyone sending a “set admin” SMS to your infected phone may be able to take control of it. We’re of course investigating this, as well as the rest.
Please stay tuned for more information.
– the Crypto Girl



