Android Security Suite Premium

显示全部楼层 · 发表于 2012-6-19 01:00:11

本帖最后由 360Tencent 于 2012-6-19 22:03 编辑

http://www.securelist.com/en/blo ... e_Premium_New_ZitMo

http://blog.webroot.com/2012/06/ ... roid-there-you-are/

好吧，又是个没样本的。根据卡巴斯基的博客，在过去几天至少发现了六个类似的文件（大小都在207 KB 左右），

卡巴斯基的博客里提及了六个C&C 服务器，最后一个的域名最好猜

UpdateAndroid.biz

到whois 上看一下

http://whois.domaintools.com/updateandroid.biz

再到server stats 里瞄一眼

IP Address:195.242.161.166 Reverse-IP | Ping | DNS Lookup | Traceroute ASN: AS47434 IP Location: - Ukraine - Fortune Science And Production Company

接着到clean-mx.de搜一下IP 或者ASN

http://bancomovil.info/cajamar.apk

：( 下载不了

这是VT 的报告

https://www.virustotal.com/file/ ... 552b07114/analysis/

Kaspersky HEUR:Trojan-Spy.AndroidOS.Zitmo.a

另外根据UpdateAndroid.biz 的注册信息，谷歌一下会发现在2011年同样的虚假信息被用于注册ZeuS 的服务器，比如

http://www.malwaredomainlist.com ... com&inactive=on

最后，有哪位看官碰巧有文中提及的样本，欢迎分享

显示全部楼层 · 发表于 2012-6-19 07:12:52

原來 fake AV 類的，都會偷竊信息。

显示全部楼层 · 发表于 2012-6-19 10:18:41

VT上没有看到Dr.Web的报告，倒是SpIDer Gate已经阻止了这两个下载点，现在fakeav都移植到了Android系统上了，真是令人防不胜防啊！

显示全部楼层 · 发表于 2012-6-19 15:31:41

本帖最后由 360Tencent 于 2012-6-19 15:34 编辑

Trojan-Spy.AndroidOS.Zitmo.a

Xylitol 提供

显示全部楼层 · 发表于 2012-6-19 16:07:58

本帖最后由 humanlwj52 于 2012-6-19 16:19 编辑

To ESET.

随便找了一个上传到 Anubis：

Analysis Report for ceb54cba2561f62259204c39a31dc204105d358a1a10cee37de889332fe6aa27.apk

- Activities

com.android.security.MainActivity
intent-filter action: android.intent.action.MAIN
intent-filter category: android.intent.category.LAUNCHER

- Used Permissions

android.permission.SEND_SMS
method call: "Lcom/android/security/SecurityReceiver/sendSMS(Ljava/lang/String; Ljava/lang/String;)V" calls "Landroid/telephony/SmsManager/getDefault()Landroid/telephony/SmsManager;"
method call: "Lcom/android/security/SecurityReceiver/sendSMS(Ljava/lang/String; Ljava/lang/String;)V" calls "Landroid/telephony/SmsManager/sendTextMessage(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V"

android.permission.INTERNET
method call: "Lcom/android/security/WebManager/MakeHttpRequest(Ljava/lang/String;)I" calls "Ljava/net/URL/openConnection()Ljava/net/URLConnection;"

android.permission.READ_PHONE_STATE
method call: "Lcom/android/security/ValueProvider/GetActivationCode()Ljava/lang/String;" calls "Landroid/telephony/TelephonyManager/getDeviceId()Ljava/lang/String;"
method call: "Lcom/android/security/ValueProvider/GetStaticDataString()Ljava/lang/String;" calls "Landroid/telephony/TelephonyManager/getLine1Number()Ljava/lang/String;"
method call: "Lcom/android/security/ValueProvider/GetStaticDataString()Ljava/lang/String;" calls "Landroid/telephony/TelephonyManager/getSubscriberId()Ljava/lang/String;"
method call: "Lcom/android/security/ValueProvider/GetStaticDataString()Ljava/lang/String;" calls "Landroid/telephony/TelephonyManager/getDeviceId()Ljava/lang/String;"

- Screenshots

显示全部楼层 · 发表于 2012-6-19 20:40:08

Dear Depp,

Thank you for your submission.
The detection for this threat will be included in our next signature update.

5e43837a72ff33168df7c877b07a3c89ad64b82a2719be1cd2601be552b07114 - Android/Spy.Zitmo.A trojan

Regards,

ESET Malware Response Team

显示全部楼层 · 发表于 2012-6-21 20:56:12

http://blog.damballa.com/?p=1710

更新C&C 服务器列表

[其他相关] Android Security Suite Premium

本帖子中包含更多资源

本帖子中包含更多资源

评分

本帖子中包含更多资源