Analysis by: Karl Dominguez

PLATFORM: Windows Mobile


  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This spyware is a variant of the ZBOT/ZeuS malware family that targets smartphones running Windows Mobile. It intercepts calls and text messages to steal the credentials users rely on for online banking.

To get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown below.

It monitors the SMS messages of an infected Windows Mobile phone and forwards a message if its sender is on the malware's monitored list.

Its primary objective is to steal authentication codes used in online banking. It sends and receives information/commands from a specific phone number.

It is a counterpart of SYMBOS_ZBOT.B and BBOS_ZITMO.B, which are for devices running on Symbian OS and BlackBerry OS, respectively. It is also a counterpart of TSPY_ZBOT.HQ, a Windows system malware.

This spyware may be unknowingly downloaded by a user while visiting malicious websites.

  TECHNICAL DETAILS

File Size: 46,371 bytes
File Type: PE
Memory Resident: Yes
Initial Samples Received Date: 02 Mar 2011
Payload: Compromises system security

Arrival Details

This spyware may be unknowingly downloaded by a user while visiting malicious websites.

Other Details

This spyware does the following:

  • Monitors text messages of an infected Windows Mobile phone then forwards these messages to the cybercriminal if the sender is listed in its monitored list
  • Steals authentication codes used in online banking
  • Sends and receives information/commands from the following phone number:
    • {BLOCKED}1481813
  • Interprets the following messages as its backdoor commands:
    • ON/OFF - sets the malware state
    • SET ADMIN - sets a number as the command and control (C&C)
    • REM SENDER ALL - removes all senders from monitored list
    • ADD SENDER ALL - adds all contacts to the monitored list
    • BLOCK ON - turns blocking of incoming calls on
    • BLOCK OFF - turns blocking of incoming calls off
    • ADD SENDER - adds a number to the monitored list
    • REM SENDER - removes a number from the monitored list
    • SET SENDER - replaces all numbers in the monitored list with a new number
  • Notifies the cybercriminal of this spyware's current status by sending any of the following messages:
    • App installed OK
    • Blocking is on
    • Blocking is off
    • Monitoring all
    • State is On
    • State is Off
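The command and status strings above form a small, fixed SMS grammar, which makes them a usable detection signal for anyone reviewing message logs from a handset suspected of infection. The following is an added example, not code from this description or from Trend Micro: it matches inbound messages against the command set and outbound messages against the status replies. The argument forms (a phone number after SET ADMIN, ADD SENDER, REM SENDER and SET SENDER), the CSV log layout and all phone numbers are assumptions constructed for the example.

```python
import re

# Command grammar as listed in the description. Argument forms (a phone number
# after SET ADMIN / ADD SENDER / REM SENDER / SET SENDER) are an assumption.
COMMAND_PATTERNS = [
    ("state",      re.compile(r"^(ON|OFF)$")),
    ("set_admin",  re.compile(r"^SET ADMIN \+?\d{6,15}$")),
    ("sender_all", re.compile(r"^(ADD|REM) SENDER ALL$")),
    ("block",      re.compile(r"^BLOCK (ON|OFF)$")),
    ("sender",     re.compile(r"^(ADD|REM|SET) SENDER \+?\d{6,15}$")),
]

# Status replies exactly as listed in the description.
STATUS_REPLIES = {"App installed OK", "Blocking is on", "Blocking is off",
                  "Monitoring all", "State is On", "State is Off"}

def classify_sms(direction, body):
    """Return a tag when a message matches the C&C grammar, else None.
    direction is 'in' (received by the handset) or 'out' (sent by it)."""
    text = " ".join(body.strip().split())  # normalise whitespace
    if direction == "in":
        for tag, pattern in COMMAND_PATTERNS:
            if pattern.match(text.upper()):  # commands are case-insensitive here
                return "c2_command:" + tag
    elif direction == "out":
        if text in STATUS_REPLIES:
            return "c2_status_reply"
    return None

# Constructed SMS log: timestamp,direction,peer_number,body (one per line).
SAMPLE_LOG = """\
2011-03-02T10:01:00,in,+10000000001,BLOCK ON
2011-03-02T10:01:05,out,+10000000001,Blocking is on
2011-03-02T10:02:00,in,+10000000002,hey are we still on for lunch?
2011-03-02T10:03:00,in,+10000000001,ADD SENDER +10000000003
2011-03-02T10:04:00,out,+10000000004,your code is 123456
"""

def scan_log(log_text):
    """Return (timestamp, peer, tag) for every line that matches the grammar."""
    hits = []
    for line in log_text.splitlines():
        timestamp, direction, peer, body = line.split(",", 3)
        tag = classify_sms(direction, body)
        if tag:
            hits.append((timestamp, peer, tag))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A single peer number that both issues commands and receives status replies, as in the sample, is the pattern that identifies the C&C number.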

NOTES:
This spyware is a counterpart of SYMBOS_ZBOT.B and BBOS_ZITMO.B, which are for devices running on Symbian OS and BlackBerry OS, respectively. It is also a counterpart of TSPY_ZBOT.HQ, a Windows system malware.

  SOLUTION

Minimum Scan Engine: 8.900
FIRST VSAPI PATTERN FILE: 7.870.07
FIRST VSAPI PATTERN DATE: 03 Mar 2011
VSAPI OPR PATTERN File: 7.873.00
VSAPI OPR PATTERN Date: 04 Mar 2011

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product to delete files detected as WINCE_ZBOT.B. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:
If you recently connected your smartphone to your Windows PC, please do the aforementioned cleanup step.

