Fortinet Blog | News and Threat Research

While wearing my eyes off on the assembly code of the Symbian malware Zitmo, I had been quite embarrassed not to find any clear link with stealing online banking credentials as the rest of the ZeuS attack seemed to indicate. This issue is now solved, I know how the cyber-criminals did it or intended to.

The Zitmo malware is actually a light version (or a cracked one) of the Russian SMS Monitor application. This borderline application is officially meant for “parental control” and “security audit”, but it looks like it ended upin the wrong hands…

We already know Zitmo responds to several simple commands such as “set admin”, “set sender”, “add sender” but their use wasn’t clear yet. There it is:

* ADD SENDER, followed by phone numbers, will set those phone numbers to be spied on. Any SMS sent by such a phone number will silently be forwarded to the spy (the “admin” phone number).

* REM SENDER will obviously stop spying a given phone number

* BLOCK ON/OFF will block incoming and outgoing phone calls

* ON/OFF turns the spy engine on or off

In the case of ZeuS and online bank credentials, the cyber criminals merely need to send a “add sender” command specifying the phone number of the bank, and then an “on” command. Any SMS credential sent to an unsuspecting victim will then be forwarded to the cyber-criminals who can use it and successfully log on the bank account. Bingo.

As a side note, we confirmed what we suspected in our previous post: anyone can send a SET ADMIN command to an infected phone, and start to spy on SMS messages it receives. A rather explicit example of  how malware can “lower your defenses” (in addition of  stealing your money).

– the Crypto Girl

PS. By the way, s21sec reports the certificate for Zitmo is now revoked. Be sure to enable OCSP on your phones to retrieve the latest CRL when you install applications.