NEWS FROM THE LAB - Thursday, March 17, 2011

New Mitmo: SpyEye Edition Posted by Sean @ 19:12 GMT

Our Threat Research team just completed some interesting analysis of a new Man-in-the-mobile (Mitmo) Symbian trojan (designed to steal mTANs), and what's particularly interesting about this variant is that it appears to be a component of SpyEye.

Previous versions of Mitmo were coupled with the ZeuS trojan. There were publicly disclosed cases of ZeuS Mitmo in September 2010 (Spain) and in February of this year (Poland).

ZeuS and SpyEye recently merged — Krebs on Security has details.

This new version of Mitmo was discovered by a partner a couple of weeks ago (somewhere in Europe…).

The technique SpyEye Mitmo used to circumvent Symbian's signing requirement was a developer certificate issued by OPDA in China.

The fields injected into an online banking session compromised by SpyEye Mitmo include a request for the user's phone IMEI. Once SpyEye had the IMEI, it was added to the list of IMEIs embedded within its developer certificate, and so the phone's user installed "self-signed" software and bypassed the security prompts. Nokia has taken probationary actions against OPDA to prevent further abuse of their services.
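The injected IMEI request is the part of this scheme a bank can observe server-side: a legitimate login or transfer form never asks for a handset IMEI, so a POST that carries an unexpected field, or a value that has the shape of an IMEI, is a useful web-inject signal. The following is an added example written for this post, not code from F-Secure or from the SpyEye analysis; the field allow-list and the sample submissions are constructed, and the IMEI check relies on the public IMEI format (15 digits, the last being a Luhn check digit).

```python
import re
from typing import Dict, List

# Constructed allow-list: the field names the bank's own forms legitimately submit.
# A real deployment would derive this from the site's form definitions.
EXPECTED_FIELDS = {"username", "password", "otp", "amount", "recipient"}

# An IMEI is 15 decimal digits; the 15th digit is a Luhn check digit.
IMEI_RE = re.compile(r"^\d{15}$")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_imei(value: str) -> bool:
    """True if the value, ignoring spaces and dashes, is a Luhn-valid 15-digit IMEI."""
    v = re.sub(r"[\s-]", "", value)
    return bool(IMEI_RE.match(v)) and luhn_valid(v)


def inspect_submission(fields: Dict[str, str]) -> List[str]:
    """Return findings for one POSTed form: unexpected field names and IMEI-shaped values."""
    findings = []
    for name, value in fields.items():
        if name not in EXPECTED_FIELDS:
            findings.append(f"unexpected field {name!r}")
        if looks_like_imei(value):
            findings.append(f"IMEI-like value in field {name!r}")
    return findings


# Constructed sample submissions: one clean, one carrying an injected IMEI field,
# and one where the IMEI was typed into a field that does exist on the form.
SAMPLE_SUBMISSIONS = [
    {"username": "alice", "password": "hunter2", "otp": "482913"},
    {"username": "bob", "password": "pass", "imei": "49-015420-323751-8"},
    {"username": "carol", "password": "pw", "otp": "490154203237518"},
]


def flagged_submissions(submissions: List[Dict[str, str]]) -> List[int]:
    """Indices of submissions that produced at least one finding."""
    return [i for i, s in enumerate(submissions) if inspect_submission(s)]


if __name__ == "__main__":
    for i, s in enumerate(SAMPLE_SUBMISSIONS):
        for finding in inspect_submission(s):
            print(f"submission {i}: {finding}")
```

The Luhn test cuts down false positives from other 15-digit values, but it does not prove that a value is an IMEI; treat a hit as a hunting lead to correlate with the session's other behaviour rather than as a block decision on its own.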

We'll have further analysis available tomorrow.

Researchers can contact us over the usual channels to obtain the sample.