Tuesday, September 28, 2010

Zeus In The Mobile (Zitmo): Online Banking’s Two Factor Authentication Defeated

During the weekend, in our monitoring of the Zeus botnet, my colleague Kyle Yang stumbled upon an unexpected payload: a brand new mobile malware piece we named SymbOS/Zitmo.A!tr (Zitmo standing for “Zeus In The MObile”), likely aimed at intercepting confirmation SMS sent by banks to their customers. This also caught the eye of s21sec with a nice analysis you should read.


Basically, the ZeuS network initiated some social engineering operations (via injection of HTML forms in the victims’ browser) to get the phone number and phone model of its infected victims. Based on that info, it sends an SMS with a link to the appropriate version of the malicious package (a Symbian package for Symbian phones, a BlackBerry Jar for BlackBerry phones etc).

This malicious package is still under investigation, but given the context, it is logical to believe it is aimed at defeating SMS-based two-factor authentication that most banks implement today to confirm transfers of funds initiated online by their end users, and that currently impedes the plunging of infected users’ online accounts by Zeus masters (Note: although it was possible before, with man-in-the-middle attacks, it required the victim to initiate a financial transfer in the first place).

On the technical side, this malware is not altogether that much ‘unexpected’ because, since SymbOS/Yxes, we always said somebody would use web servers to distribute platform-specific malware to victims. Yet, it is the first time we acknowledge the technique to be used by a real gang.

So far, we have seen that:
» the Symbian version is correctly signed, using the Express Signed program, once more. Symbian has been notified, but meanwhile, please beware this certificate hasn’t been revoked yet:

Serial Number: 61:f1:00:01:00:23:5b:c2:79:43:80:40:5e:52

C=AZ, ST=Baku, L=Baku, O=Mobil Secway, OU=certificate 1.00,

OU=Symbian Signed ContentID, CN=Mobil Secway» the malware creates its own malicious database on the phone, where it stores all information it steals (contact first and last names for instance, phone numbers) and needs. This database is named NumbersDB.db, and contains 3 tables:
» tbl_contact with 4 columns: index, name, descr, pb_contact_id.
» tbl_phone_number with 2 columns: contact_id, phone_number
» and tbl_history with 6 columns: event_id, pn_id, date, description, contact_info, contact_id.

The malware searches those tables using standard SQL queries.
» the malware sends SMS messages. In particular, it sends a message to a phone number located in the United Kingdom to notify that the malware has been successfully installed (”App installed ok”).

"27/09/2010","12:09","Short message","Outgoing","App installed ok","+44778xxxxxxx"

(NOT SENT - OFFLINE)Additionally, as explained by s21sec, the malware seems to be able to answer to a few commands such as ’set admin’, which might be particularly dangerous: anyone sending a “set admin” SMS to your infected phone may be able to take control of it. We’re of course investigating this, as well as the rest.

Tuesday, September 7, 2010

Worst U.S. military security breach ever

A malware-laden flash drive inserted in a laptop at a U.S. military base in the Middle East in 2008 led to the "most significant breach of" the nation's military computers ever, according to a new magazine article by a top defense official.

The malware uploaded itself to the U.S. Central Command network and spread undetected on classified and unclassified computers creating a "digital beachhead, from which data could be transferred to servers under foreign control," William J. Lynn III, U.S. deputy secretary of defense, wrote in his essay in the September/October issue of Foreign Affairs.

"It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary," he wrote. This previously classified incident was the most significant breach of U.S. military computers ever, and it served as an important wake-up call. The Pentagon's operation to counter the attack, known as Operation Buckshot Yankee, marked a turning point in U.S. cyberdefense strategy."


Read more: http://news.cnet.com/8301-27080_3-20014732-245.html#ixzz0ypX371xv