SymbOS/Zitmo.A!tr.spy

Analysis

SymbOS/Zitmo.A!tr is a Symbian malware known to be propagated by the infamous ZeuS botnet. It sends SMS messages to a C&C (without the victim's consent).
The malware is known to infect mobile phone by some clever social engineering work. From an infected PC, the ZeuS botnet initially asks for the victim's phone number and phone model, for instance using HTML injection. Then, it sends an apparently genuine SMS to this phone number (for example, claiming to send a new security certificate). When the victim clicks on the link, the malware installs on the phone (the victim is not suspicious and thinks it's a security update).
The ultimate goal of this malware is said to retrieve online banking credentials sent by SMS.

Technical Details

The malware is packaged under the name cert.sis, but other names might be used. Samples we analyzed pose as a "Nokia Update".
Basically, SymbOS/Zitmo.A!tr.spy is a spyware that forwards some of the victim's SMS messages to another phone number (controlled by the spy). The spy can configure remotely which SMS messages to forward or not.
The malware runs as a background task. It does not show any application icon on the phone and is usually invisible to the victim. In particular, the malware sends and receives SMS without the victim noticing anything.
The spyware responds to a few commands (case insensitive). Those commands are sent by SMS by the spy. They are automatically deleted by the spyware, thus not displayed to the victim:

• ON or OFF: this enables or disables the spy engine
• ADD SENDER PHONENUMBER or ADD SENDER ALL: tells the spy engine to forward all SMS messages that originates from or go to the specified phone number. The phone numbers to monitor are added to a table.
  If the ADD SENDER ALL command is specified, all SMS messages will be forwarded whoever they come from.
• SET SENDER PHONENUMBER is like ADD SENDER PHONENUMBER except it first erases all phone numbers in the table of numbers to monitor, and then adds the new number. This is a quick way to monitor a given phone number.
• REM SENDER PHONENUMBER, REM SENDER ALL removes a phone number from the list of numbers to monitor
• BLOCK ON or OFF: blocks incoming calls
• SET ADMIN PHONENUMBER: sets the phone number of the spy (where to forward SMS to). This is the only command that may originate from a phone number different from the number of the spy. So, anybody can become a spy...

SymbOS/Zitmo.A!tr.spy has been known to catch mTANs (authentication codes) sent by online banks: the spy configures the spy engine to monitor incoming SMS messages from a given bank, and has all those SMS forwarded to his own phone number. The cybercriminal can then log onto the victim's bank account.
The malware's package contains:

• C:\resource\apps\NokiaUpdate.rsc
• c:\private\101f875a\import\[20022b8e].rsc: this resource makes sure the malicious executable is automatically launched when the phone reboots
• C:\private\20022B8E\dummy.r01
• C:\private\10003a3f\import\apps\NokiaUpdate_reg.rsc
• C:\sys\bin\NokiaUpdate.exe: this is the main malicious executable. It is a light version of a spyware named 'SMS Monitor': it eavesdrops incoming/outgoing SMS from a configurable list of senders.

Additionally, the malware creates and updates those files:

• C:\private\20022B8E\firststart.dat: this file contains "1" if the malware has been successfully installed. In that case, the malware sends an SMS to a hard coded phone number in the United Kingdom, saying "App installed ok"
• C:\private\20022B8E\NumbersDB.db: this is a database created and used by the malware. It contains 3 tables:
  • tbl_contact with 4 columns: index, name, descr, pb_contact_id
  • tbl_phone_number with 2 columns: contact_id, phone_number
  • and tbl_history with 6 columns: event_id, pn_id, date, description, contact_info, contact_id.
  Those tables are used to store the phone numbers of incoming SMS to monitor.
• C:\private\20022B8E\settings2.dat: contains the phone number of the spy. Incoming or outgoing SMS from the last phone number the malware sent an SMS to

Recommended Action

FortiGate Systems

• Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
  FortiClient Systems
  
• Quarantine/delete files that are detected and replace infected files with clean backup copies.