Warning: New Symbian Worm Circulating In The Wild!

30 September 2010

Sophisticated Mobile Version Of Zeus Trojan
Is Now Spreading On Symbian Powered Phones

Fortinet, a provider of unified threat management (UTM) and network security products, today announced that its Global Security Research Team has detected a new Trojan identified as SymbOS/Zitmo.A!tr (Zitmo standing for 'Zeus In The MObile'), aimed at Symbian and BlackBerry smartphones.

The Zeus operation first ran a social engineering step: HTML forms injected into the infected victims' browser sessions asked them for their phone number and phone model.

Based on that information, the operators send the victim an SMS with a link to the package built for that platform (a Symbian SIS package for Symbian phones, a BlackBerry JAR for BlackBerry phones, and so on).

The malicious package is still under investigation, but given the context it is reasonable to assume it is designed to defeat the SMS-based two-factor authentication that most banks now use to confirm transfers of funds initiated online by their customers. That second factor is currently what stands between Zeus operators and the plundering of infected users' online accounts. (Note: intercepting the confirmation was already possible with man-in-the-middle attacks, but those required the victim to initiate a financial transfer in the first place.)

On the technical side, this malware is not entirely unexpected: since SymbOS/Yxes it was anticipated that somebody would use web servers to distribute platform-specific malware to victims. Yet this is the first time we have seen the technique used by a real gang.

Discovered So Far:

  • the Symbian version is correctly signed, once more using the Express Signed program. Symbian has been notified, but in the meantime be aware that this certificate has not been revoked yet:
    Serial Number: 61:f1:00:01:00:23:5b:c2:79:43:80:40:5e:52
    C=AZ, ST=Baku, L=Baku, O=Mobil Secway, OU=certificate 1.00, OU=Symbian Signed ContentID, CN=Mobil Secwa
  • the malware creates its own database on the phone, where it stores everything it steals (contact first and last names, phone numbers) and everything it needs to operate. The database is named NumbersDB.db and contains three tables:
    • tbl_contact with 4 columns: index, name, descr, pb_contact_id.
    • tbl_phone_number with 2 columns: contact_id, phone_number.
    • tbl_history with 6 columns: event_id, pn_id, date, description, contact_info, contact_id.

    The malware searches those tables using standard SQL queries.

  • the malware sends SMS messages. In particular, it sends a message to a phone number in the United Kingdom to report that the malware has been installed successfully ("App installed ok"):

    "27/09/2010","12:09","Short message","Outgoing","App installed ok","+44778xxxxxxx" (NOT SENT - OFFLINE)
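To make the NumbersDB.db layout concrete, here is an added example (not Fortinet's code and not extracted from the sample) that models the three tables listed above in SQLite and runs the kind of join an analyst would use to pull the harvested contacts and the logged SMS events out of a recovered copy. The column names come from the report; the column types, the choice of SQLite as the engine, and the sample rows are assumptions made here so the script runs offline. The report does not name the on-device database engine, so a real NumbersDB.db may need a different reader.

```python
"""Model of the NumbersDB.db schema attributed to SymbOS/Zitmo.A!tr and a
forensic triage query over it.

Added example: the three tables and their columns are taken from the report
above; the column types, the SQLite engine, and the sample rows are
assumptions made here so the script runs offline.
"""
import sqlite3

SCHEMA = """
CREATE TABLE tbl_contact (
    "index"        INTEGER PRIMARY KEY,
    name           TEXT,
    descr          TEXT,
    pb_contact_id  INTEGER
);
CREATE TABLE tbl_phone_number (
    contact_id     INTEGER,
    phone_number   TEXT
);
CREATE TABLE tbl_history (
    event_id       INTEGER PRIMARY KEY,
    pn_id          INTEGER,
    date           TEXT,
    description    TEXT,
    contact_info   TEXT,
    contact_id     INTEGER
);
"""

# Constructed sample rows standing in for a harvested phonebook.
SAMPLE_CONTACTS = [
    (1, "Alice Example", "phonebook", 101),
    (2, "Bob Example", "phonebook", 102),
]
SAMPLE_NUMBERS = [
    (1, "+441234567890"),
    (2, "+4420123456789"),
    (2, "+4407700900123"),
]
# Constructed history rows: the install beacon and an inbound command.
SAMPLE_HISTORY = [
    (1, 1, "27/09/2010 12:09", "Outgoing", "App installed ok", None),
    (2, 2, "27/09/2010 12:15", "Incoming", "set admin", 2),
]


def build_sample_db() -> sqlite3.Connection:
    """Create the schema in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tbl_contact VALUES (?,?,?,?)", SAMPLE_CONTACTS)
    conn.executemany("INSERT INTO tbl_phone_number VALUES (?,?)", SAMPLE_NUMBERS)
    conn.executemany("INSERT INTO tbl_history VALUES (?,?,?,?,?,?)", SAMPLE_HISTORY)
    conn.commit()
    return conn


def harvested_numbers(conn):
    """Join contacts to their numbers: the list of the victim's contacts the
    malware has staged, which is what an analyst needs to notify people."""
    rows = conn.execute(
        """
        SELECT c.name, p.phone_number
        FROM tbl_contact AS c
        JOIN tbl_phone_number AS p ON p.contact_id = c."index"
        ORDER BY c."index", p.phone_number
        """
    ).fetchall()
    return [(name, number) for name, number in rows]


def history_events(conn):
    """Return logged SMS events with the linked contact name, if any."""
    return conn.execute(
        """
        SELECT h.event_id, h.date, h.description, h.contact_info, c.name
        FROM tbl_history AS h
        LEFT JOIN tbl_contact AS c ON c."index" = h.contact_id
        ORDER BY h.event_id
        """
    ).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for name, number in harvested_numbers(db):
        print(f"contact: {name:15} {number}")
    for event in history_events(db):
        print("history:", event)
```

Because "index" is a reserved word in SQL, the column has to be quoted in every query; a quick dump that forgets this fails on the very table that holds the names.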

Additionally, the malware appears to respond to a few commands such as 'set admin', which could be particularly dangerous: anyone who sends a "set admin" SMS to an infected phone may be able to take control of it. We are of course investigating this, along with the rest.
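The log line quoted above and the 'set admin' command together give enough to write a first triage check over an exported SMS log. The following is an added example, not Fortinet's tooling: it parses lines in the six-field quoted format shown above (with an optional delivery note after the closing quote), flags the outgoing "App installed ok" beacon to a +44 number, and flags incoming messages that look like the 'set admin' command. The sample log lines are constructed, the beacon destination is a placeholder because the report masks the real number, and 'set admin' is the only command matched because it is the only one the report names.

```python
"""Scan an exported SMS log for the Zitmo install beacon and inbound commands.

Added example, not Fortinet's tooling. The line format follows the single
log line quoted in the report: six quoted CSV fields, optionally followed by
a delivery note in parentheses outside the quotes. Sample lines are
constructed; the +44 destination and the 'set admin' command are the only
indicators the report states.
"""
import csv
import io
import re

BEACON_TEXT = "App installed ok"
BEACON_PREFIX = "+44"  # the report says the beacon goes to a UK number
# Only 'set admin' is named in the report; match it with flexible spacing/case.
COMMAND_PATTERNS = [re.compile(r"^\s*set\s+admin\b", re.IGNORECASE)]
# Trailing delivery note such as "(NOT SENT - OFFLINE)" after the last field.
STATUS_SUFFIX = re.compile(r"\s*\((?P<status>[^)]*)\)\s*$")

# Constructed sample log modelled on the line quoted in the report.
SAMPLE_LOG = '''"27/09/2010","12:09","Short message","Outgoing","App installed ok","+44778xxxxxxx" (NOT SENT - OFFLINE)
"27/09/2010","12:11","Short message","Incoming","hi, are we still on for lunch?","+447700900001"
"27/09/2010","12:15","Short message","Incoming","set admin","+447700900999"
"27/09/2010","12:16","Short message","Outgoing","ok","+447700900999"
'''


def parse_line(line):
    """Split one exported line into a dict; return None for blank or malformed lines."""
    line = line.rstrip("\n")
    if not line.strip():
        return None
    status = None
    m = STATUS_SUFFIX.search(line)
    if m:
        status = m.group("status")
        line = line[: m.start()]
    try:
        fields = next(csv.reader(io.StringIO(line)))
    except StopIteration:
        return None
    if len(fields) != 6:
        return None
    date, time, kind, direction, text, number = fields
    return {"date": date, "time": time, "kind": kind, "direction": direction,
            "text": text, "number": number, "status": status}


def scan_log(log_text):
    """Return (tag, record) findings: 'install_beacon' or 'c2_command'."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if (rec["direction"] == "Outgoing" and rec["text"] == BEACON_TEXT
                and rec["number"].startswith(BEACON_PREFIX)):
            findings.append(("install_beacon", rec))
        elif rec["direction"] == "Incoming" and any(
                p.search(rec["text"]) for p in COMMAND_PATTERNS):
            findings.append(("c2_command", rec))
    return findings


if __name__ == "__main__":
    for tag, rec in scan_log(SAMPLE_LOG):
        print(f"{tag}: {rec['date']} {rec['time']} {rec['direction']} "
              f"{rec['number']} {rec['text']!r} status={rec['status']}")
```

Note that the beacon in the quoted line was never delivered (the phone was offline), so a log that only records delivered messages would miss it; the parser keeps the delivery note as a separate field for that reason.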


Source: Fortinet Author: Teo


copyright © Symbian freak 2005, all rights reserved
