NEWS FROM THE LAB - Monday, February 21, 2011

ZeuS Mitmo Strikes Again: Polish ING Bank

Posted by Sean @ 13:50 GMT

Breaking news from Poland today: A variant of the ZeuS trojan is targeting the mobile phone based, two-factor authentication used by ING Bank Slaski (Polish ING Bank).

Security consultant and blogger Piotr Konieczny has the details on his blog, Niebezpiecznik (the post is in Polish; a Google Translate version is available).

ZeuS in the Mobile, Zitmo, ING Poland, http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/

From the details that we've gathered so far, this appears to be the same type of ZeuS Man-in-the-mobile attack that took place in Spain last year. Spanish security company, S21sec, first reported on ZeuS Mitmo here.

ZeuS Mitmo is designed to steal mTANs (the one-time codes sent to the customer's phone by SMS). On a computer infected with the ZeuS Mitmo trojan, the malware injects a fake "security notification" into the Web banking session in an attempt to lure the user into entering their mobile phone number. If a number is provided, that phone receives an SMS containing a link to the mobile component, ZeusMitmo, which then intercepts the bank's SMS codes.


Updated to add on February 23rd: SHA1 hashes related to this case (thank you, Piotr).

Trojan-Spy:W32/Zbot.AHSO: f85d51e4f171b2a3c3a42bf306d86c6587069cf0
Trojan-Spy:SymbOS/ZeusMitmo.B: 1045daa75c457aa5d8883531ea29b5c8dcf9cc2d


Updated to add on February 24th: Nokia has revoked the certificate used to sign the Symbian-based ZeusMitmo.B.

For the revocation to have a practical effect, your Symbian phone must be configured to perform an online certificate check (OCSP) by default; it is off by default on many handsets. See our March 26, 2010 post for details.

There's also a Windows Mobile binary associated with this new Mitmo case. Axelle Apvrille has written about it over on Fortinet's blog.

Here's the SHA1 and our detection name:
Trojan-Spy:WinCE/ZeusMitmo.A: e93d8723c23523fc064d331bd97985fe3280ea09