The term Man-in-the-middle in a security context refers to an attack where someone or something is inserted between two endpoints and intercepts the communication between them. The intent is usually to obtain information and use it for illegitimate purposes.
Recently, the term Man-in-the-mobile, abbreviated as Mitmo, has emerged.
The Man-in-the-mobile term was cleverly used by the security company S21sec to describe a new functionality in the ZeuS/Zbot family of financial malware.
ZeuS/Zbot has been the focus of much discussion since its arrival, and it is an advanced piece of malware which primarily targets financial systems, typically banks. The malware was also the basis for one of our security articles earlier this year - Cyber crime imitates legitimate business.
The new functionality that ZeuS/Zbot uses exploits the fact that many authentication techniques (also popular in banking systems) use two separate sets of credentials. One of these is sent to, e.g., the bank account owner's mobile phone.
The new scheme is that the account owner's mobile phone is infected by a piece of malware which forwards the authentication code to another device. This code, combined with the account owner's other credentials (obtained through a computer infected by ZeuS/Zbot), is then used to perform illegitimate bank transactions.

The mobile phone is infected by use of social engineering techniques.
The ZeuS/Zbot malware, which has compromised the computer, requests the mobile phone number and the type of phone. After the phone owner has submitted this information, a message is sent to the phone requesting that a security certificate be installed. Instead of a security certificate, however, a malicious program is installed.
The mobile phones that are vulnerable to this ZeuS/Zbot technique are Symbian and Blackberry. Apple's (non-jailbroken) iPhones are not vulnerable due to Apple's restriction that disallows applications not downloaded through the App Store. Malware variants targeting Android-based mobile phones may be expected.
Please see the link in the References section for a more detailed analysis of the mobile phone malware.
There are some interesting general observations to make from this new ZeuS/Zbot variant.
In order for the scheme outlined above to succeed, two different types of devices must be infected (computer and mobile phone). Both must have a malicious program installed. This is unusual for malicious software. In other cases where additional devices are used, their function is to carry the malware rather than to host independent malware components; one typical type of malware carrier is USB sticks with AUTORUN functionality.
Mobile and handheld devices have so far not been seen as particularly vulnerable to malware (see our security article Systems prime for exploitation? for a more in-depth discussion of this).
Users of these devices will therefore "by default" be less inclined to apply their usual skepticism before allowing new software (disguised as a certificate in this case) to be installed.
This problem has been discussed in several of our previous (and most likely also upcoming) security articles. See for example Facebook - an increasingly popular spreading vector for malware.
The technique with two different sets of credentials, one of which expires after a short time, has traditionally been seen as quite safe (although not fool-proof). The new ZeuS/Zbot variant shows that this security measure can be circumvented by a technique that is not very complicated to put into action.
It is interesting to note that this new ZeuS/Zbot variant is released not long after another presumed-safe system was compromised by the advanced Stuxnet malware - see our security article from last week: A new generation of malware.