FYI....


During the weekend, in our monitoring of the Zeus botnet, my colleague Kyle
Yang stumbled upon an unexpected payload: a brand new mobile malware piece
we named *SymbOS/Zitmo.A!tr* (Zitmo standing for “Zeus In The MObile”),
likely aimed at intercepting confirmation SMS sent by banks to their
customers. This also caught the eye of s21sec
<http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html>, with
a nice analysis you should read.

Basically, the ZeuS network initiated some social engineering operations
(via injection of HTML forms in the victims’ browser) to get the phone
number and phone model of its infected victims. Based on that info, it sends
an SMS with a link to the appropriate version of the malicious package (a
Symbian package for Symbian phones, a BlackBerry Jar for BlackBerry phones,
etc.).

This malicious package is still under investigation, but given the context,
it is logical to believe it is aimed at defeating the SMS-based two-factor
authentication that most banks implement today to confirm transfers of funds
initiated online by their end users, and which currently impedes the
plundering of infected users’ online accounts by Zeus masters. (Note: although
this was possible before, with man-in-the-middle attacks, it required the
victim to initiate a financial transfer in the first place.)

On the technical side, this malware is not altogether that ‘unexpected’
because, ever since SymbOS/Yxes
<http://blog.fortinet.com/symbosyxes-or-downloading-customized-malware/>,
we have said that somebody would use web servers to distribute
platform-specific malware to victims. Yet, this is the first time we
have seen the technique used by a real gang.

So far, we have seen that:

   - the Symbian version is correctly signed, using the Express Signed
   program, once more. Symbian has been notified, but meanwhile, please beware
   this certificate hasn’t been revoked yet:

Serial Number: 61:f1:00:01:00:23:5b:c2:79:43:80:40:5e:52
C=AZ, ST=Baku, L=Baku, O=Mobil Secway, OU=certificate  1.00,
OU=Symbian Signed ContentID, CN=Mobil Secway

   - the malware creates its own database on the phone, where it stores
   the information it steals (for instance contact first and last names and
   phone numbers) and the data it needs. This database is named NumbersDB.db
   and contains 3 tables:
      - tbl_contact with 4 columns: index, name, descr, pb_contact_id
      - tbl_phone_number with 2 columns: contact_id, phone_number
      - tbl_history with 6 columns: event_id, pn_id, date, description,
      contact_info, contact_id

   The malware searches those tables using standard SQL queries.
   - the malware sends SMS messages. In particular, it sends a message to a
   phone number located in the United Kingdom to notify that the malware has
   been successfully installed (“App installed ok”):

   "27/09/2010","12:09","Short message","Outgoing","App installed ok","+44778xxxxxxx"
   (NOT SENT - OFFLINE)

   Additionally, as explained by s21sec, the malware seems to be able to
   respond to a few commands such as ‘set admin’, which might be particularly
   dangerous: anyone sending a “set admin” SMS to your infected phone may be
   able to take control of it. We’re of course investigating this, as well as
   the rest.
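   As an added triage example (not code from the write-up above or from
   Fortinet), the script below checks a SQLite database against the
   NumbersDB.db table layout listed above and flags the “App installed ok”
   notification SMS in a message-log record shaped like the quoted line; the
   sample database it builds is constructed, not data from an infected phone.

```python
import csv
import sqlite3

# Layout of the malware's NumbersDB.db, as listed in the write-up above.
ZITMO_SCHEMA = {
    "tbl_contact": {"index", "name", "descr", "pb_contact_id"},
    "tbl_phone_number": {"contact_id", "phone_number"},
    "tbl_history": {"event_id", "pn_id", "date", "description",
                    "contact_info", "contact_id"},
}

def table_columns(conn):
    """Map every user table in an open SQLite connection to its set of column names."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    return {t: {row[1] for row in conn.execute(f'PRAGMA table_info("{t}")')}
            for t in tables}

def zitmo_schema_match(conn):
    """Return (matched, missing) table names against ZITMO_SCHEMA.
    A table matches when it exists and carries at least the documented columns."""
    found = table_columns(conn)
    matched = [t for t, cols in ZITMO_SCHEMA.items() if cols <= found.get(t, set())]
    missing = [t for t in ZITMO_SCHEMA if t not in matched]
    return matched, missing

def is_install_beacon(record):
    """Flag the 'App installed ok' notification SMS in a message-log record shaped like
    the quoted line above: date,time,type,direction,body,number (UK prefix +44)."""
    fields = next(csv.reader([record]))
    return (len(fields) == 6 and fields[2] == "Short message" and fields[3] == "Outgoing"
            and fields[4].strip() == "App installed ok" and fields[5].startswith("+44"))

def build_sample_db(malicious=True):
    """Constructed in-memory sample database; not data from an infected phone."""
    conn = sqlite3.connect(":memory:")
    if malicious:
        conn.executescript("""
            CREATE TABLE tbl_contact ("index" INTEGER, name TEXT, descr TEXT,
                                      pb_contact_id INTEGER);
            CREATE TABLE tbl_phone_number (contact_id INTEGER, phone_number TEXT);
            CREATE TABLE tbl_history (event_id INTEGER, pn_id INTEGER, date TEXT,
                description TEXT, contact_info TEXT, contact_id INTEGER);
        """)
    else:
        conn.execute("CREATE TABLE notes (id INTEGER, body TEXT)")
    return conn
```

   A partial schema match (some tables present, others missing) still deserves a closer look, since a later variant may add or rename tables.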

   --
   Thanks & Regards:
   Haren Bhatt | Security Analyst
   | MCSA | SCSA | ENSA | CEHv5 | ECSA-LPT

   Blog : http://security-culture.blogspot.com/

   *"We Have A Culture Of Security."*

-- 
You received this message because you are subscribed to the Google Groups 
"nforceit" group.