Monday, February 28, 2011

"Write Once, Mobile Malware Anywhere"

From the McAfee blog:
"The Zeus (Zbot) crimeware is sold to criminals as a complete toolkit for building custom Trojans, usually to steal banking logins.  The Trojans are generally quite complex; injecting HTML into banking websites on the Internet Explorer and Firefox web browsers, intercepting keystrokes, and grabbing screenshots.  Until a few months ago the Zeus infrastructure targeted only Windows PCs, but the adoption of certain security measures (mTANs sent via SMS) used by some banks caused the criminals to change their tactics.

SymbOS/Zitmo.A was a mobile spyware application used to intercept and forward the mTAN SMS messages sent from an infected user’s bank to an attacker.  This was implemented by the Zeus Trojan for gathering information from victims about their mobile phones so that it could send a targeted download link to them.  The attacker could then change what numbers were monitored by the spyware to go after specific banks.  This particular group of crooks was using SymbOS/Zitmo.A in a targeted attack against Spanish banks.  It was suspected that a BlackBerry version of the spyware was also being distributed, but no samples have yet been found."
[...]

Mobile Malware Benefiting From Virtual Machines?
The people behind Zeus are now targeting at least two, if not three, of the major smartphone platforms.  Writing for one smartphone platform can be challenging; writing for multiple devices can be a bigger headache.  By writing a malicious app for the .NET Common Language Runtime (CLR) and Compact Framework, the Zeus authors might be trying to take advantage of coding for virtual machines (VMs).

There are a number of benefits of using VMs for the malware author:
  • maintaining compatibility
    • APIs on the VM will remain the same
  • code reuse
    • working parts of the malware (SMS sending, Bluetooth transfers, etc.) don’t need to be rewritten
  • affecting more devices/OS
    • malware can run on vastly different phones or devices
[...]


Alien Dalvik currently runs on a Nokia N900. Apps run at the same speed as on an Android phone with nearly identical specs. Credit: PRNewsFoto/Myriad Group AG

Given the availability of a common smartphone-based virtual machine (Dalvik on Android/Alien Dalvik on other OS) it would not surprise us if the Zeus authors eventually consolidated their mobile malware onto that single platform.  Instead of just “Angry Birds” one could also get the latest spyware or SMS Trojan.
