NEWS FROM THE LAB - Monday, April 4, 2011

Trojan:SymbOS/Spitmo.A Posted by Sean @ 17:23 GMT

[Screenshot: SpyEye IMEI]

On March 17th, we noted a new man-in-the-mobile attack, SpyEye edition.

Here are the notes from our Threat Research team:

This variant of SpyEye has been used in an attack against a European bank. The bank uses SMS-based mTANs to authorize transfers. The trojan injects fields into the bank's web page and asks the customer to enter his mobile phone number and the IMEI of the phone. The customer is told that the information is needed so that a "certificate" can be sent to the phone, and is informed that it can take up to three days before the certificate is ready.

Our detection for this (and other SpyEye variants made with the same kit) is Trojan-Spy:W32/Spyeye.AG.

The so-called certificate, the Symbian component of the malware, is detected as Trojan:SymbOS/Spitmo.A.

Spitmo.A contains the malicious executable (sms.exe) and an embedded installer that contains a second executable named SmsControl.exe. SmsControl.exe merely displays the message "Die Seriennummer des Zertifikats: Ü88689-1299F" ("The serial number of the certificate: Ü88689-1299F") to convince the user that the installer really was a certificate.

The name SmsControl.exe is quite a coincidence, as a variant of ZeusMitmo used the same filename for the file containing the actual trojan. Disguising the trojan as a certificate is also a trick that ZeusMitmo has used. However, the code itself looks completely different from ZeusMitmo's. Full details of how the SMS-based mTANs are delivered to the attacker are still under investigation, but it looks as if they are delivered via HTTP and not by SMS as with ZeusMitmo.

The trojan is signed with a developer certificate. Developer certificates are tied to specific IMEIs, and a package signed with one can only be installed on phones whose IMEI is listed in the certificate. This is why the malware author(s) request the IMEI in addition to the phone number on the bank's website. Once they receive new IMEIs, they request an updated certificate listing the IMEIs of all victims and create a new installer signed with the updated certificate. A possible source for the certificate is OPDA (http://cer.opda.cn/en), as searching for the unusually long organization name ("Beijing shi ji yi jia wang dian zi shang wu you xian gong si") returns hits related to OPDA. The delay in obtaining the new certificate explains why the SpyEye-injected message states that it can take up to three days for the certificate to be delivered.
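To make the dependency on the victim's IMEI concrete, here is an added example (not code from the post or from F-Secure) that models the on-device check in simplified form: a developer certificate carries an IMEI allowlist, and an installer signed with it is only accepted on a phone whose IMEI is in that list. The DevCert structure is an assumption used for illustration, not the real Symbian Signed certificate format, and the IMEI values are constructed; the Luhn check digit used to validate IMEIs is the real one, which is why a mistyped IMEI on the injected form is useless to the attacker.

```python
# Added example: simplified model of an IMEI-bound developer certificate.
# DevCert is a stand-in structure, not the real Symbian certificate format.
from dataclasses import dataclass, field


def normalize_imei(raw: str) -> str:
    """Keep only digits; users often type IMEIs with spaces, dashes or slashes."""
    return "".join(ch for ch in raw if ch.isdigit())


def imei_is_valid(raw: str) -> bool:
    """An IMEI is 15 digits; the last is a Luhn check digit over the first 14."""
    imei = normalize_imei(raw)
    if len(imei) != 15:
        return False
    total = 0
    for i, ch in enumerate(imei[:14]):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the left
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10 == int(imei[14])


def usable_imeis(raw_inputs: list) -> set:
    """Of the values a victim typed into the injected form, only well-formed
    IMEIs can ever appear in a certificate, so everything else is discarded."""
    return {normalize_imei(x) for x in raw_inputs if imei_is_valid(x)}


@dataclass
class DevCert:
    organization: str          # e.g. the long organization name quoted above
    imeis: set = field(default_factory=set)   # phones this certificate covers


def cert_allows_install(cert: DevCert, device_imei: str) -> bool:
    """Model of the on-device check: the signing certificate must list this phone.
    A phone whose IMEI was never harvested rejects the signed installer."""
    return normalize_imei(device_imei) in cert.imeis


if __name__ == "__main__":
    # Constructed sample values, not data from the incident.
    cert = DevCert("Example Org", usable_imeis(["49-015420-323751-8", "123"]))
    print(cert_allows_install(cert, "490154203237518"))   # True: listed
    print(cert_allows_install(cert, "490154203237519"))   # False: not listed
```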

Trojan contents:

  •  c:\Private\E13D4ECD\settings.dat — contains two URLs (http://[*].net/input.php and http://[*].net/delete.php) and the path c:\Data\delete.sis; sms.exe contains code to silently install other applications
  •  c:\Private\E13D4ECD\first.dat — an empty file, deleted by sms.exe if present, used as execution check
  •  c:\sys\bin\Sms.exe — payload, executed after installation
  •  c:\private\101f875a\import\[E13D4ECD].rsc — runs sms.exe when the phone is turned on

Embedded installer SmsControl.sis:

  •  c:\resource\apps\SmsControl.r01
  •  c:\private\10003a3f\import\apps\SmsControl_reg.r01
  •  c:\resource\apps\SmsControl_aif.mif
  •  c:\Private\EAF7F915\data.txt — contains the message displayed to the user
  •  c:\sys\bin\SmsControl.exe — executed after installation, displays decoy message

Updated to add SHA-1 hashes:

Spitmo.A: 11d21bb2a63da2a0374a1dbbe21ddb4c5d18b43e
SpyEye trojan: d7d60f4a8ae05aa633c36a10b52464ee3295c18d

And here's a screenshot of the decoy message:

[Screenshot: Spitmo.A decoy message]