NEWS FROM THE LAB - Monday, September 27, 2010

ZeuS Variants Targeting Mobile Banking Posted by Sean @ 16:42 GMT

There's an interesting Windows+mobile case today involving a ZeuS variant that steals mTANs, using a Symbian (.sis) or Blackberry (.jad) component.

An mTAN is a mobile transaction authentication number, sent via SMS, and is used by some banks as a form of single use one-time password to authorize an online financial transaction. The SMS message may also include transaction data that allows you to ensure that nothing has been modified (via a Man-in-the-Browser attack).

Windows OS based online banking is constantly under attack from phishing, pharming, cross-site scripting, and password stealing trojans. Adding an "outside" device to the process is a useful security countermeasure; one that we thought might be technically challenging enough to dissuade any would-be attackers. However, online security is ever a cat-and-mouse game, and we've often predicted it's only a matter of time before some banking trojan focused on phones.

Enter case Mitmo: S21sec, a digital security services company, posted on their blog on Saturday: ZeuS Mitmo: Man-in-the-mobile. The ZeuS variants they've discovered (which we detect as Trojan-Spy:W32/Zbot.PUA and PUB) ask for mobile phone details and then send an SMS with a download link based on the answers given by the victim.

We've analyzed the Symbian component (which we detect as Trojan:SymbOS/ZeusMitmo.A) and can confirm S21sec's research. The Symbian file, cert.sis, calls itself "Nokia update" and is Symbian Signed for S60 3rd Edition mobile phones.

It is difficult to get the complete picture of this emerging threat vector as the C&C used by the Zbot.PUA is no longer online, but based on the analysis and their configuration files, this attack is not a one-off by some hobbyist. It's been developed by individuals with an excellent understanding of mobile applications and social engineer. We expect that they'll continue its development.

Cat-and-mouse continues.