Trojan:SymbOS/Zitmo.B
First posted on 26 October 2011.
Source: SecurityHome
Aliases:
Trojan:SymbOS/Zitmo.B is also known as Trojan-Spy.SymbOS.SmsSpy.b (Kaspersky), SYMBOS/ZeusMitmo.A (Avira), Trojan.SymbOS.ZeusMitmo.A (BitDefender), Symbian.Panda (Dr.Web), Trojan-Spy.SymbOS.SmsSpy (Ikarus), SymbOS/Zbot (McAfee), SymbOS/ZeusMitmo.A (Panda), Troj/Zbotmob-A (Sophos), Trojan.SymbOS.Zitmo.a (Sunbelt Software), SymbOS.Zeusmitmo (Symantec), SYMBOS_ZBOT.A (Trend Micro).
Explanation:
Trojan:SymbOS/Zitmo.B is a trojan that targets mobile devices running the Symbian operating system (SymbOS). It is installed when the user opens a malicious Software Installation Script (SIS) file that is linked to Zbot (also known as the "Zeus botnet"). Once installed, the trojan can send sensitive data, in particular incoming SMS messages, to a remote Command & Control (C&C) phone number via Short Message Service (SMS) messaging.
Installation
Users may be lured into clicking a link that serves the malicious SIS package, or the installation may be arranged through social engineering by the Zbot malware, which has already stolen the user's online banking credentials and is therefore in a position to pose as the user's bank.
The malicious SIS file poses as a "Nokia Update" and may be distributed under the file name "cert.sis".
Payload
Steals user credentials
Trojan:SymbOS/Zitmo.B creates the following files in its private data directory on the infected phone to store the victim's information and its own configuration:
- \private\20039E30\NumbersDB.db - database file
- \private\20039E30\firststart.dat - configuration data file
- \private\20039E30\settings2.dat - command and control (C&C) phone number
Sends unauthorized messages
This trojan forwards SMS messages received from selected senders on the infected device to a remote C&C destination number. Because banks deliver one-time transaction codes (mTANs) by SMS, this lets the attacker monitor and capture SMS messages related to banking transactions.
It accepts the following commands from the remote attacker, delivered by SMS:
- Set admin - sets the attacker's (C&C) number
- Set sender/add sender - adds a sender number to monitor
- Rem sender - stops monitoring the given sender number
- Block on/off - enables or disables blocking of incoming calls
- On/off - turns SMS monitoring on or off
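To make the control protocol above concrete, here is an added model of it in Python. It is not F-Secure's code and not the trojan's own. The page names the commands but not their exact wire syntax, so the textual forms parsed here ("set admin <number>", "add sender <number>", "block on", ...) are assumptions, as is the rule that commands are honoured only when they arrive from the current admin number, and the mapping of the state to the three data files listed above. The sample SMS traffic is constructed.

```python
"""Model of the SMS-borne C&C protocol described on this page.

Added illustration only; not F-Secure's code and not the trojan's own.
The command syntax, the admin-only rule and the file mapping below are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

COMMAND = "command"   # inbound SMS consumed as a C&C instruction
FORWARD = "forward"   # inbound SMS relayed to the admin (C&C) number
DROP = "drop"         # inbound SMS left alone


@dataclass
class ZitmoState:
    """Runtime state; assumed to mirror the three data files listed above."""
    admin: str                                 # settings2.dat: C&C number
    senders: set = field(default_factory=set)  # NumbersDB.db: monitored numbers
    monitoring: bool = True                    # toggled by "on" / "off"
    block_calls: bool = False                  # toggled by "block on" / "block off"


def handle_command(state: ZitmoState, sender: str, text: str) -> bool:
    """Try to interpret an SMS as a C&C command; return True if it was one."""
    if sender != state.admin:        # assumption: only the admin may command
        return False
    words = text.strip().lower().split()
    if not words:
        return False
    verb = words[0]
    if verb == "set" and len(words) == 3 and words[1] == "admin":
        state.admin = words[2]                       # "set admin <num>"
    elif verb in ("set", "add") and len(words) == 3 and words[1] == "sender":
        state.senders.add(words[2])                  # "set/add sender <num>"
    elif verb == "rem" and len(words) == 3 and words[1] == "sender":
        state.senders.discard(words[2])              # "rem sender <num>"
    elif verb == "block" and len(words) == 2 and words[1] in ("on", "off"):
        state.block_calls = words[1] == "on"         # "block on/off"
    elif len(words) == 1 and verb in ("on", "off"):
        state.monitoring = verb == "on"              # "on/off"
    else:
        return False                                 # unknown text: not a command
    return True


def process_sms(state: ZitmoState, sender: str, text: str) -> str:
    """Decide what the trojan does with one inbound SMS."""
    if handle_command(state, sender, text):
        return COMMAND
    if state.monitoring and sender in state.senders:
        return FORWARD        # e.g. a bank's mTAN is relayed to the attacker
    return DROP


def incoming_call_blocked(state: ZitmoState) -> bool:
    """Whether an incoming voice call would currently be blocked."""
    return state.block_calls


# Constructed sample traffic (not captured from a real infection).
ADMIN = "+447700900001"   # attacker's C&C number, as if read from settings2.dat
BANK = "+447700900123"    # a bank's mTAN sender
FRIEND = "+447700900999"  # an unrelated third party

SAMPLE: List[Tuple[str, str]] = [
    (ADMIN, "add sender +447700900123"),
    (BANK, "Your mTAN for transfer 1234 is 987654"),
    (ADMIN, "off"),
    (BANK, "Your mTAN for transfer 1235 is 555555"),
    (ADMIN, "on"),
    (ADMIN, "block on"),
    (FRIEND, "set admin +447700900999"),   # not from admin: ignored, not forwarded
    (BANK, "Your mTAN for transfer 1236 is 111111"),
    (ADMIN, "rem sender +447700900123"),
    (BANK, "Your mTAN for transfer 1237 is 222222"),
]


def run_sample(messages=SAMPLE):
    """Replay the sample; return the per-message actions and the final state."""
    state = ZitmoState(admin=ADMIN)
    actions = [process_sms(state, s, t) for s, t in messages]
    return actions, state


if __name__ == "__main__":
    acts, final = run_sample()
    for (s, t), a in zip(SAMPLE, acts):
        print(f"{a:8} {s:15} {t}")
    print("calls blocked:", incoming_call_blocked(final))
```

Replaying the sample shows the pattern an analyst looks for in a device's SMS log: the mTAN is relayed only while monitoring is on and the bank's number is in the monitored set, a "set admin" from a number other than the current admin is ignored, and the "block on" command leaves the phone silently refusing calls, which is what keeps the victim from hearing the bank's fraud-alert call while the attacker uses the captured code.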
Analysis by Marianne Mallen
Last update 26 October 2011