Cатсн²² (in)sесuяitу / ChrisJohnRiley

Defeating mTANs for profit

Axelle Apvrille and Kyle Yang

Zeus In The MObile –> ZITMO

Malware for Symbian OS > 9.0

Intercepts mTANs (one-time passwords sent over SMS)

Targeting Spanish online banks

Propagated on PC by Zeus botnet

First case seen of organized criminals exploiting mobile TANs

Zeus (AKA Zbot)

It’s a crimeware kit and not a single botnet (there are several)

Designed to steal banking credentials

Zitmo in a nutshell

Once Zeus has infected a pc, and the user initiates a transaction, Zeus detects the mobile number and attempts to propagates to the mobile device by sending the end-user an SMS to prompt the user to download a new certificate. Once this is installed the attacker can transfer the money at any time as the attacker has access to the online login information (stolen by Zeus through keylogging) and the mTAN for the transaction (stolen through Zitmo). The end-user never receives an SMS due to it being intercepted by Zitmo.

This means attackers can do the transfer at any point they wish without any user interaction.

Analysis of the Zitmo malware showed the program shared a lot of similarities with a Russian software called SMS Monitor which offers a lot of the same functions, but marketed as a parent controls and security audit tool.

However some of the code from SMS Monitor was published in Russian magazines. Maybe the code was stolen?

Reverse Engineering Zitmo

Three actors –> Victim, Administrator (bad guy) and Others (e.g. bank, friends, …)

2 separate processes –> INIT and SMS Processing Engine

Daemon listens for incoming SMS requests and checks them to see if they need to be processed (commands, mTANs, etc…) or forwarded to the phone’s inbox.

Due to the way Symbian works it’s not possible to hook directly into the “Listen to all SMS” function (in use by the phone). However it is possible to hook into the “Listen to all SMS containing the following”. By setting this to IfNotNULL, they can bypass the restriction of listening to ALL SMS messages.

Zitmo doesn’t block all SMS messages, but checks all incoming to check for appropriate actions. Blocking all SMS messages would result in the user becoming suspicious.

Zitmo Commands

• ON / OFF (disable Zitmo)
• SET ADMIN xx
• ADD SENDER xx, xx / ALL
• REM SENDER xx, xx / ALL
• SET SENDER xx
• BLOCK ON / OFF (block incoming calls)

Spoof administrator

Protocol flaw: Anybody can claim to be the administrator!

How to 0wn the adm1n :

1. Method 1: Send SET ADMIN command by SMS to the phone
2. Method 2: Craft a new settings file

By using remote debugging on Symbian it’s easy to step through the process used to handle commands as they come in from the lab administrator phone.

Zitmo’s Hidden debug window

Zitmo was secretly writing to a hidden debug window

By putting in a breakpoint on the hide function and altering it to visible, it was possible to view the hidden debug window and watch status information change when receiving commands.

Conclusions

Very difficult to spot due to the lack of symptoms

One possible trigger to detection is that the application was delivered as a .sis/.sisx application and not as a certificate (as advertised)

It also shows in the installed applications list

Zitmo is signed by Symbian, therefore accepted by the phone –> Express Signed

This is not uncommon however as multiple malware has been signed using this abuse

Links:

• Shmoocon Schedule –> HERE
• Talk Synopsis –> HERE
• Zeus In The Mobile (Zitmo): Online Banking’s Two Factor Authentication Defeated – Fortinet Blog
• Fortinet