
Trojan:SymbOS/Zitmo.B


First posted on 26 October 2011.
Source: SecurityHome

Aliases:

Trojan:SymbOS/Zitmo.B is also known as Trojan-Spy.SymbOS.SmsSpy.b (Kaspersky), SYMBOS/ZeusMitmo.A (Avira), Trojan.SymbOS.ZeusMitmo.A (BitDefender), Symbian.Panda (Dr.Web), Trojan-Spy.SymbOS.SmsSpy (Ikarus), SymbOS/Zbot (McAfee), SymbOS/ZeusMitmo.A (Panda), Troj/Zbotmob-A (Sophos), Trojan.SymbOS.Zitmo.a (Sunbelt Software), SymbOS.Zeusmitmo (Symantec), SYMBOS_ZBOT.A (Trend Micro).

Explanation:

Trojan:SymbOS/Zitmo.B is a trojan that targets mobile devices running the Symbian operating system (SymbOS). It is installed when the user opens a malicious Software Installation Script (SIS) file linked to Zbot (also known as the "Zeus botnet"). The trojan could send sensitive data to a remote Command & Control (C&C) number via Short Message Service (SMS) messaging.





Installation

The trojan may lure users into clicking a link that serves the malicious SIS package, or it may be installed through a social engineering technique carried out by the Zbot malware after it has stolen the user's credentials from an infected phone.

The malicious SIS file poses as a "Nokia Update" and may be distributed as "cert.sis".



Payload

Steals user credentials

Trojan:SymbOS/Zitmo.B creates a database on the infected phone in which to save the infected user's information:

  • \private\20039E30\NumbersDB.db - database file
  • \private\20039E30\firststart.dat - configuration data file
  • \private\20039E30\settings2.dat - command and control (C&C) phone number


Sends unauthorized messages

This trojan sends SMS messages containing particular information from the infected user to a specified remote C&C destination number. The trojan can monitor and send SMS messages related to banking transactions from the affected mobile device to the attacker.

It may accept commands from the remote attacker, including the following:

  • Set admin - sets the number of the attacker
  • Set sender/add sender - adds a number to monitor
  • Rem sender - disables monitoring for the particular number
  • Block on/off - blocks incoming calls
  • On/off - turns monitoring on/off
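As an added triage example (not part of the original analysis), the Python below checks a device file listing for the artifacts named under Payload and replays captured command SMS messages through the command set listed above to recover the attacker's configuration (admin number, monitored numbers, call-blocking and monitoring state). The "<verb> <number>" message layout, the keyword spellings, the phone-number format and the sample file listing and inbox are assumptions constructed for the example.

```python
import re

# Persistence artifacts named in the write-up (the app's private data cage on the phone).
ZITMO_B_FILES = {r"\private\20039E30\NumbersDB.db", r"\private\20039E30\firststart.dat",
                 r"\private\20039E30\settings2.dat"}

# Command vocabulary from the write-up. The "<verb> <number>" layout, the keyword
# spellings and the phone-number format are assumptions made for this example.
COMMAND_RE = re.compile(r"^\s*(set admin|set sender|add sender|rem sender|block on|block off|on|off)"
                        r"(?:\s+(\+?\d{5,15}))?\s*$", re.IGNORECASE)

def classify_sms(text):
    """Return (verb, number) when text matches the C&C command grammar, else None."""
    m = COMMAND_RE.match(text)
    return (m.group(1).lower(), m.group(2)) if m else None

def replay_commands(sms_log):
    """Replay captured (sender, text) SMS pairs to recover the attacker's configuration."""
    state = {"admin": None, "monitored": set(), "block_calls": False, "monitoring": False}
    for _sender, text in sms_log:
        parsed = classify_sms(text)
        if parsed is None:
            continue  # ordinary message, not a control command
        verb, number = parsed
        if verb == "set admin" and number:
            state["admin"] = number
        elif verb in ("set sender", "add sender") and number:
            state["monitored"].add(number)
        elif verb == "rem sender" and number:
            state["monitored"].discard(number)
        elif verb in ("block on", "block off"):
            state["block_calls"] = verb == "block on"
        elif verb in ("on", "off"):
            state["monitoring"] = verb == "on"
    return state

def check_files(file_listing):
    """Return the Zitmo.B artifacts present in a device file listing (case-insensitive)."""
    known = {p.lower() for p in ZITMO_B_FILES}
    return sorted(p for p in file_listing if p.lower() in known)

# Constructed sample data: a partial file listing and SMS inbox from an infected handset.
SAMPLE_FILES = [r"\private\20039E30\NumbersDB.db", r"\private\20039E30\settings2.dat",
                r"\private\10003A3F\other.dat"]
SAMPLE_SMS = [("+15550100", "set admin +15550100"), ("+15550100", "add sender 12345"),
              ("+15550100", "block on"), ("+15550100", "on"),
              ("+15550199", "Your balance is 42.00")]
```

Running `replay_commands(SAMPLE_SMS)` on the constructed inbox yields the admin number +15550100, the monitored number 12345, and both call blocking and monitoring enabled; `check_files(SAMPLE_FILES)` returns the two Zitmo.B paths present.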




Analysis by Marianne Mallen

Last update 26 October 2011
