14 Dec  Carberp-in-the-Mobile (Denis)
07 Aug  New ZitMo for Android and Blackberry (Denis)
18 Jun  Android Security Suite Premium = New ZitMo (Denis)
03 Apr  A gift from ZeuS for passengers of US Airways (Dmitry Tarakanov)
12 Nov  LANDesk Interchange 2011, Poison Ivy, and US Incidents (Kurt Baumgartner)
17 Oct  SpyEye vs. Tracker (Dmitry Tarakanov)
We have previously written several times about Man-in-the-Mobile attacks, which aim to steal mTANs sent via SMS. For a long time only two families of such malware were known: ZeuS-in-the-Mobile (ZitMo) and SpyEye-in-the-Mobile (SpitMo). ZitMo and SpitMo work together with their Windows ‘brothers’; without them they would look like trivial SMS spy Trojans. It should also be mentioned that during the last two years such attacks have been observed only in a handful of European countries such as Spain, Italy, Germany and Poland.
But with the appearance of a mobile version of the Carberp Trojan (which we detect as Trojan-Spy.AndroidOS.Citmo, Carberp-in-the-Mobile) such attacks have become a reality in Russia as well. It is no secret that online banking is becoming more and more popular in Russia, and banks are actively promoting it with various authorization methods.
Carberp for Windows works in a similar way to ZeuS. If a user tries to log in to an online banking account from a machine infected by Carberp, the malware modifies the transaction so that the user’s credentials are sent to a malicious server rather than to the bank.
In addition to the login and password, the cybercriminals still need mTANs in order to confirm any money transfer from the stolen account. That is why one Carberp modification (Trojan-Spy.Win32.Carberp.ugu, for which we added detection on 11 December) alters the online banking web page on the fly, inviting the user to download and install an application that is allegedly necessary for logging into the system. The user can receive the download link via SMS by entering a phone number, or by scanning a QR code:
According to this screenshot, customers of one of the most popular Russian banks, Sberbank, are under attack. Sberbank updated its web page on 12 December with information about the attack. The link in the QR code led to the fake ‘SberSafe’ application (Trojan-Spy.AndroidOS.Citmo), which had been in Google Play since 30 November.
Ten months ago we published an article about ZeuS-in-the-Mobile containing an overview of everything we knew about ZitMo at that time. The paper finishes with the following prediction: ‘they [attacks involving ZitMo] will become more specifically targeted against a smaller number of victims’. This prediction appears to have been correct: it is not often that we hear of or find a new wave of ZeuS-in-the-Mobile (or SpyEye-in-the-Mobile) attacks. So every new piece of information about these types of malware, and about the attacks involving them, is very important and helps us understand the evolution of one of the most interesting threats in the mobile space so far. Just a small reminder: ZeuS-in-the-Mobile is almost two years old. This blog post is about new samples (and probably a new wave of attacks) of ZitMo for Android and Blackberry.
New samples overview
We have obtained five new ZitMo files: four for Blackberry and one for Android. As you may know, the Blackberry platform has never been actively targeted by malware, yet here we have four different samples of ZeuS-in-the-Mobile for Blackberry at once: three .cod files and one .jar file (with one more .cod inside). So we finally have a ZitMo dropper file for Blackberry.
As for Android, there is only one .apk dropper. But this ZeuS-in-the-Mobile for Android has been modified and now looks like a ‘classic’ ZitMo, with the same commands and logic.
Countries and C&C numbers
All the ZitMo samples we have seen so far target users in various European countries (Spain, Poland, Germany, etc.), and this case is no exception. Below is the list of countries whose users are targeted by the new ZeuS-in-the-Mobile, together with the C&C number taken from each sample.
To summarize, there are three countries (Germany, Spain and Italy) and two C&C numbers, both Swedish. We found that these cell phone numbers belong to the Swedish mobile operator Tele2.
On 4 June 2012 we found three APK files, each about 207 KB in size, heuristically detected by our engine as HEUR:Trojan-Spy.AndroidOS.Zitmo.a. All of these applications are malicious and were created to steal incoming SMS messages from infected devices. The SMS messages are uploaded to a remote server whose URL is stored, encrypted, inside the body of the Trojan. We found three more APK files with exactly the same functionality on 8, 13 and 14 June. So there are at least six files which pretend to be ‘Android Security Suite Premium’ but were in fact created only to steal incoming SMS messages.
After infection, a blue shield icon named ‘Android Security Suite Premium’ appears in the menu:
If the application is launched, it shows a generated ‘activation code’:
On 20 March we detected a spam campaign targeting passengers of US Airways. For almost the entire week, cybercriminals sent users the following email, allegedly from US Airways:
It contains a brief description of the check-in procedure and provides a confirmation code for the online reservation.
The criminals are obviously banking on recipients who happen to be flying on the flight mentioned in the email clicking the ‘Online reservation details’ link.
Different emails contained different links; for example, we noticed the following domains: sulichat.hu, prakash.clanteam.com, panvelkarrealtors.com.
Clicking the link triggers a series of redirects that eventually leads to a domain hosting the BlackHole Exploit Kit.
LANDesk Interchange 2011 is winding down in Las Vegas today. The event gathered partners and showcased newer technologies offered by the decade-old systems management company. It was interesting hearing from IT ‘old-timers’ who have worked with the technology describe the company’s impact on the industry: its spinoff from Intel, the original LANDesk AV product that wound up in another vendor’s product, and what they like about the integration of Kaspersky Lab technologies into the security suite. We were happy to present at our partner’s conference with ‘The Dark Side of Unmanaged Desktops’, where I described 2011 incidents that both I and our Global Emergency Response Team have investigated and remediated, some incidents in the news, and some of the IT mismanagement issues that enabled these incidents to occur.
It has become clear that the creator of the banking Trojan SpyEye has added plugin support to the code. In this new design, plugins can be used by third parties to add extra functions to the core bot. The plugins are DLLs stored in the bot’s configuration file. Among the core plugins created for SpyEye is customconnector. As its name implies, it handles the bot’s communications with the botnet C&C or its collector. The collector is a malicious server that receives data harvested from the victim’s computer; it can be distinct from the C&C server. Since the creator of SpyEye has delegated the bot-to-server link to a plugin, different SpyEye operators can create their own protocols governing communications between bot and server. Naturally, such protocols could make it more difficult to track the activity of SpyEye botnets. Despite this, cybercriminals have not so far rushed to take advantage of the opportunity: SpyEye’s old protocol in the basic customconnector.dll is still in use. Even so, we have recently spotted some changes related to this plugin.
Each plugin has a configuration file attached. For customconnector.dll, the configuration file is customconnector.dll.cfg. Cybercriminals can insert plain-text fragments into this config file containing settings for the plugin’s functions. Since customconnector.dll is a communication plugin, its config file has always identified the botnet’s C&C servers. The botnet operator can easily switch to a new C&C server by adding the new URLs to the text file and pushing the updated configuration file to the botnet.
Here is a sample configuration file:
Figure 1. A configuration file for customconnector.dll
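As an added illustration of the point above (example code written for this page, not SpyEye’s code or any tracker’s own tooling), the script below pulls the C&C URLs out of a plugin configuration blob and reports what changed between two versions of it, which is the check an analyst tracking a botnet would run on each pushed config update. The configuration format is not reproduced here, so the two blobs are constructed stand-ins: plain-text url= lines with some surrounding binary bytes, using reserved example domains.

```python
"""Added example: extract and diff C&C URLs from a plugin config blob."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# A URL token that may sit among binary plugin bytes; the character class
# is ASCII-only, so decoding a match can never fail.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
TRAILING_JUNK = ".,;:'\")]"

# Constructed stand-ins for two versions of customconnector.dll.cfg.
# The real format is not reproduced; reserved example domains are used.
CFG_V1 = (b"\x00\x01customconnector\x00[connector]\r\n"
          b"url=http://panel.example.net/gate.php\r\n"
          b"url=http://backup.example.org/gate.php\r\n"
          b"\xff\xfe\x00\x90\x90")
CFG_V2 = (b"\x00\x01customconnector\x00[connector]\r\n"
          b"url=http://panel.example.net/gate.php\r\n"
          b"url=http://cc-new.example.com/gate.php\r\n"
          b"\xff\xfe\x00\x90\x90")


def extract_c2_urls(blob: bytes) -> list[str]:
    """Return unique http(s) URLs found in the blob, in order of appearance."""
    found: list[str] = []
    for m in URL_RE.finditer(blob):
        url = m.group(0).decode("ascii").rstrip(TRAILING_JUNK)
        if urlsplit(url).hostname and url not in found:
            found.append(url)
    return found


def c2_hosts(blob: bytes) -> list[str]:
    """Hostnames only, for feeding to blocklists or passive DNS lookups."""
    return sorted({urlsplit(u).hostname for u in extract_c2_urls(blob)})


def diff_c2(old_blob: bytes, new_blob: bytes) -> tuple[list[str], list[str]]:
    """(added, removed) URLs between two config versions."""
    old, new = set(extract_c2_urls(old_blob)), set(extract_c2_urls(new_blob))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    print("v1 C&C:", extract_c2_urls(CFG_V1))
    added, removed = diff_c2(CFG_V1, CFG_V2)
    print("added:", added, "removed:", removed)
```

Running the diff on each config update a bot downloads is what turns the operator’s easy C&C switch into an easy tracker update: the newly added URL is the one to sinkhole or block next.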
After the rumours of a merger between SpyEye and ZeuS, and the public leak of the latter’s source code, it was only logical that the range of possibilities open to newcomers in the crimeware ecosystem would widen further.
Consistent with this, it was only a matter of time before new packages based on the ZeuS crimeware emerged, and that has now happened. Ice IX is the first of a new generation of web applications, built on the leaked ZeuS source code, developed to manage centralized botnets over HTTP.
The first version of ZeuS-in-the-Mobile (ZitMo), malware which targets mTANs, was discovered at the end of September 2010; at that time it targeted Symbian smartphones. Later on, ZitMo versions for Windows Mobile and Blackberry were found. It comes as no surprise that cybercriminals have created new and sophisticated mobile malware for Symbian and Windows Mobile; more surprising is that Blackberry devices were also targeted; and even more surprising is that until July 2011 there was no evidence that ZitMo for Android existed. Now please ‘welcome’ ZeuS-in-the-Mobile for Android.
The first thing to mention is that ZitMo for Android differs considerably from the Symbian, Windows Mobile and Blackberry versions. The functionality and logic of ZitMo for Symbian, Windows Mobile and Blackberry are the same: a C&C cell phone number, SMS commands, the ability to forward SMS messages from a particular number, and the ability to change the C&C.
The functionality and logic of ZitMo for Android are far more primitive. The APK file itself is only 19 KB. It passes itself off as a security tool from the company Trusteer. If a user installs the malicious application, the following ‘Trusteer Rapport’ icon appears in the main menu:
This is what appears on the screen after the application is launched:
As mentioned above, ZitMo for Android is very primitive. Its functionality consists only of uploading all incoming SMS messages (including those carrying mTANs) to a remote web server, http://******rifty.com/security.jsp, in the following format:
The first attacks with ZeuS-in-the-Mobile for Android probably started in early June. But how does ZitMo for Android actually infect devices? Nothing has changed in this respect.
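The common thread of the two Android samples described above, ‘Android Security Suite Premium’ and the Android ZitMo, is a tiny app that needs nothing more than permission to receive SMS, a receiver for the SMS_RECEIVED broadcast and a way to get the messages off the device. The following triage script, added here as an example and not taken from the posts or from the malware, checks a decoded AndroidManifest.xml (as produced by apktool) for exactly that combination. The two manifests are constructed; the package and class names are invented, and the priority threshold is an assumed heuristic rather than anything the posts state.

```python
"""Added example: manifest-level triage for ZitMo-style SMS stealers."""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
EXFIL_PERMS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}
# Assumed heuristic: a receiver bidding above this is trying to see the SMS
# before the stock messaging app does.
HIGH_PRIORITY = 100

# Constructed manifests: a ZitMo-like lure and a harmless control app.
ZITMO_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sbersafe">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="SberSafe">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name="com.example.sbersafe.SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
            </intent-filter>
        </activity>
    </application>
</manifest>"""


def _a(elem: ET.Element, name: str) -> str | None:
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = {_a(p, "name") for p in root.iter("uses-permission")}

    # Receivers registered for the SMS_RECEIVED broadcast, with their priority.
    sms_receivers: list[tuple[str | None, int]] = []
    for recv in root.iter("receiver"):
        for filt in recv.findall("intent-filter"):
            actions = {_a(act, "name") for act in filt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = _a(filt, "priority")
                try:
                    prio_val = int(prio) if prio else 0
                except ValueError:  # resource reference, cannot resolve here
                    prio_val = 0
                sms_receivers.append((_a(recv, "name"), prio_val))

    exfil = sorted(p for p in perms & EXFIL_PERMS if p)
    indicators = []
    if RECEIVE_SMS in perms:
        indicators.append("requests RECEIVE_SMS")
    if sms_receivers:
        indicators.append("registers receiver for SMS_RECEIVED")
    if any(p > HIGH_PRIORITY for _, p in sms_receivers):
        indicators.append("high-priority SMS receiver")
    if exfil:
        indicators.append("exfiltration channel: " + ", ".join(exfil))

    if RECEIVE_SMS in perms and sms_receivers and exfil:
        verdict = "suspicious"       # intercepts SMS and can send it out
    elif RECEIVE_SMS in perms and sms_receivers:
        verdict = "review"           # intercepts SMS, no obvious exfil path
    else:
        verdict = "clean"
    return {"package": root.get("package"), "verdict": verdict,
            "sms_receivers": sms_receivers, "exfil_channels": exfil,
            "indicators": indicators}


if __name__ == "__main__":
    for manifest in (ZITMO_LIKE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

A manifest check is cheap enough to run over every APK pulled from a market; it will not prove an app is ZitMo, but a 19 KB ‘security tool’ whose only real capabilities are reading SMS and reaching the network deserves a look at its code.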
A little while ago it became clear that the ZeuS code base had been handed over to the creator of a competing Trojan called SpyEye. Now everyone is waiting to see when these two spyware programs will combine to create a monster. The author of SpyEye will most probably extract the most valuable parts of ZeuS and implement them in SpyEye; some researchers have already found a piece of ZeuS code in a SpyEye sample.
We did not expect new modifications of ZeuS to appear after it was transferred to its new owner. Of course, we still see a steady stream of ZeuS samples, but virtually all of them are well-known versions of the malicious program. The new variants are usually the result of rebuilds, which can be carried out with minimum fuss using programs known as ZeuS Builder kits. But from time to time I come across some rather unusual variants of the Trojan, and I now have very good reason to believe that ZeuS is still, to some extent, being maintained and developed.
Two months ago we noted new functionality in ZeuS: it checked whether it was being launched on a test platform, e.g. in a research company’s sandbox. The Trojan aborted its launch if there were signs that it was running in an environment set up to analyze its behavior.
Here is an example of one such check: ZeuS verifies whether it is running on a VMware virtual machine by opening a device specific to that virtual machine:
1st check to see if ZeuS is launched on a VMware virtual machine
2nd check to see if ZeuS is launched on a VMware virtual machine
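The check in the screenshots above boils down to trying to open a device name that only exists inside the virtual machine. The snippet below is an added example, not ZeuS code, of the same probe in Python with the opener made swappable so it can be exercised without a VM. The post does not name the device ZeuS opens; the device names here are an assumption: VMware and VirtualBox guest devices that are commonly probed for this purpose. On Windows, Python’s open() on a \\.\ path ends up in CreateFile, so it is the same probe; on other systems the real opener simply reports the device as absent.

```python
"""Added example: ZeuS-style 'is a VM device present?' probe."""
from __future__ import annotations

import os
from typing import Callable

# Assumed device list: the post does not say which device ZeuS opened.
VM_DEVICES = {
    r"\\.\HGFS": "VMware host-guest file system",
    r"\\.\vmci": "VMware VMCI",
    r"\\.\VBoxMiniRdrDN": "VirtualBox shared folders",
    r"\\.\VBoxGuest": "VirtualBox guest additions",
}

Opener = Callable[[str], bool]


def open_device_real(path: str) -> bool:
    """True if the device can be opened on this host (Windows only)."""
    if os.name != "nt":
        return False
    try:
        with open(path, "rb"):
            return True
    except OSError:  # absent, or present but access denied
        return False


def opener_from_set(present: set[str]) -> Opener:
    """Simulated opener: pretend exactly these device names exist."""
    return lambda path: path in present


def detect_vm_device(opener: Opener = open_device_real) -> tuple[str, str] | None:
    """Return (path, description) of the first VM device that opens, or None."""
    for path, desc in VM_DEVICES.items():
        if opener(path):
            return path, desc
    return None


def should_abort_like_zeus(opener: Opener = open_device_real) -> bool:
    """The decision the post describes: stop launching if a VM device exists."""
    return detect_vm_device(opener) is not None


if __name__ == "__main__":
    hit = detect_vm_device()
    if hit is None:
        print("no VM device found; a ZeuS-style check would carry on")
    else:
        print(f"{hit[0]} present ({hit[1]}); a ZeuS-style check would abort")
```

The injectable opener is also how a sandbox author tests their countermeasures: hide the device node and the probe returns None, which is the result an analysis environment wants the malware to see.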
A few weeks ago a different ZeuS variant appeared that displayed behavior unusual for this family. All the latest ZeuS variants use the same algorithm to decrypt a section of their code containing the Trojan’s initial internal settings (the link used to download the configuration file, the traffic encryption key, etc.). In the new, unusual sample there was double encryption. First, the data was decrypted using the standard algorithm, but the configuration-file address it produced was a decoy. The genuine link to the configuration file, which contains the address of the botnet command center, was only revealed by a second decryption.
Below you can see what this looks like in practice. After the first decryption you can see the initial settings (highlighted in green), but the link at the bottom is a decoy. The real link is hidden in the area highlighted in red, which only appears after the second decryption.
Decryption section of primary data
A few days ago I found a ZeuS sample that also checks whether it is being analyzed, for example by antivirus companies. The functionality is basically the same but with minor modifications: another criterion for detecting a test platform has been added.
This variant of ZeuS also contains modifications to the structure of pieces of code that had remained unchanged for over six months and had been used in thousands of samples of the Trojan.
Modifications to a previously unchanged piece of ZeuS code
The changes to the code show that the sample was created using a new, recompiled version of the ZeuS Builder.
Functionality capable of detecting a test platform is not standard for ZeuS. It looks as though it was added to the standard ZeuS functionality as an optional extra, which suggests that technical support is still available for the last few VIP clients using ZeuS.
So, what exactly do we have here: the death throes of a ‘god’ or a reawakening? Maybe ZeuS will become less widespread, more exclusive, for a chosen few instead of the masses. No doubt, time will tell…