An iOS keylogger and crypto-ransomware you shouldn't be afraid of yet

Security vendors are often accused of spreading fear, uncertainty and doubt (FUD) in the name of software sales. But occasionally they also hose down overstated claims by malware authors.

According to Symantec, one such piece of malware that fails to live up to its author’s claims is Zorenium, which gained some attention earlier this year after its author, “Rex”, claimed it could run on iOS, steal banking credentials, support peer-to-peer communications and spread over Skype and Facebook.

While Zorenium is certainly malware, Symantec researchers have debunked most of its claimed features and called into question the malware’s £5000 price tag.

According to Symantec’s analysis of available samples, claims made by Rex in January that Zorenium could run on iOS 5 to iOS 7 — and had similar capabilities to an infamous rootkit with Russian origins known as TDL-4 — are basically a fib. The document reads like a round-up of malware stories in the press.

Features that Zorenium won’t support, according to Symantec, include:

  • Running on iOS 5 to iOS 7
  • Running on most Debian platforms, as well as the latest Android tablets
  • Similar capabilities to the sophisticated TDL-4 rootkit
  • The ability to spread through Skype or Facebook
  • P2P communications
  • The ability to steal banking details.

Had it actually lived up to the iOS claim, the single sample would have become eight percent of all known iOS malware by numbers from security vendor Fortinet.

While the malware’s developers could still build iOS support into their product, Symantec’s write-up for one sample discovered in June notes that it is a Windows worm that opens a back door and steals information from the compromised computer.

Another sample showed however that the developers had managed to build new data stealing capabilities, such as capturing screen shots and keylogging, in addition to worm-like capabilities to spread through email — but not Skype.

Still, as Symantec notes, what’s known about the malware suggests it has a long way to go before it’s worth its price tag.

“While the threat can be used for nefarious purposes, in its current form, it is punching well below its marketed weight. There is the possibility that the marketed Zorenium bot’s features and released samples are nothing but a scam in an effort to trick buyers into paying for a dud.”

Another category of malware that’s been causing problems for consumers and businesses over the past two years is crypto-ransomware and to a lesser extent, police-themed lock screen ransomware.

Following the recent arrest of criminals behind the infamous CryptoLocker ransomware, several copycats have stepped up to the plate. One of them is Cryptowall, which reportedly caused headaches for a police department in New Hampshire in the US — who incidentally told media they refused to pay.

Other copycats have had less success. Security vendor Sophos analysed one piece of crypto-ransomware that’s detected by 23 out of 51 security products. It's botched, according to the company.

Actions the malware author claims its ransomware will do when victims’ machines become infected include:

  • Generate a random AES key.
  • Use this key to scramble the first 42KB of a large list of files on all visible drives, with the AES-CBC cipher plus a randomly created initialisation vector for each file. (That means even two identical files will encrypt differently.)
  • Encrypt the AES key with an RSA public key carried along with the malware.
  • Call home with the RSA-encrypted AES key and a numeric code to identify the victim. Leave behind a file called HOWTODECRYPT.html in every affected directory.

Victims should be aware that not paying the ransom in this case won’t result in a total loss of the files the attacker claims were encrypted, Paul Ducklin, Sophos’ Asia Pacific head of technology, points out.

“The sample we saw was broken, though whether due to the incompetence of the malware author, or due to a bug in some server-side software programmed to generate a customised sample for each potential victim, we shall never know.”
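The behaviour described above (only the first 42KB of each file scrambled, a ransom note named HOWTODECRYPT.html left in every affected directory) leaves a recognisable footprint on disk: an affected file has a near-random head followed by an untouched tail with the file's normal entropy. The following triage helper is an added example, not code from the article or from Sophos; it measures the entropy of the head and tail of each file and flags files that match that pattern. The 7.5 bits-per-byte threshold, the file names and the sample directory contents are assumptions constructed for the example, and the "scrambled" head is random bytes standing in for ciphertext; nothing in it performs encryption.

```python
"""
Added example (not from the article or from Sophos): forensic triage for the
'first 42 KB encrypted' ransomware pattern the article describes.

Because only the head of each file is scrambled, an affected file shows a
near-random head (about 8 bits of entropy per byte) followed by an untouched
tail with the file's normal entropy. Compressed or already-encrypted files are
high entropy throughout, so the head/tail contrast is the useful signal.
"""
import math
import os
from collections import Counter

HEAD_SIZE = 42 * 1024              # 42 KB, the size the article reports
HIGH_ENTROPY = 7.5                 # bits/byte (assumed threshold); random data sits near 8.0
RANSOM_NOTE = "HOWTODECRYPT.html"  # note name reported in the article


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def triage_file(data: bytes) -> dict:
    """Classify a file body against the 'first 42 KB encrypted' pattern.

    Verdicts:
      'head_encrypted'  - random head and structured tail: matches the pattern
      'whole_file_high' - file is at most 42 KB and entirely high entropy
                          (could be encrypted, could be compressed: weaker signal)
      'not_matching'    - anything else
    """
    head, tail = data[:HEAD_SIZE], data[HEAD_SIZE:]
    h_head, h_tail = shannon_entropy(head), shannon_entropy(tail)
    if h_head >= HIGH_ENTROPY and tail and h_tail < HIGH_ENTROPY - 1.0:
        verdict = "head_encrypted"
    elif h_head >= HIGH_ENTROPY and not tail:
        verdict = "whole_file_high"
    else:
        verdict = "not_matching"
    return {"head_entropy": round(h_head, 2),
            "tail_entropy": round(h_tail, 2),
            "verdict": verdict}


def triage_directory(files: dict) -> dict:
    """Triage a mapping of filename -> bytes (an in-memory stand-in for a directory).

    Also reports whether the ransom note is present, which the article says is
    left in every affected directory.
    """
    results = {name: triage_file(body)
               for name, body in files.items() if name != RANSOM_NOTE}
    return {"ransom_note_present": RANSOM_NOTE in files, "files": results}


def build_sample_directory() -> dict:
    """Constructed sample data: a clean text document (about 96 KB), a copy whose
    first 42 KB is replaced by random bytes standing in for ciphertext, and a
    ransom note. Nothing here performs encryption."""
    clean = b"Quarterly report: revenue up 4% on stable costs.\n" * 2000
    scrambled = os.urandom(HEAD_SIZE) + clean[HEAD_SIZE:]
    return {
        "report.txt": clean,
        "report_old.txt": scrambled,
        RANSOM_NOTE: b"<html>Your files have been encrypted (constructed note)</html>",
    }


if __name__ == "__main__":
    report = triage_directory(build_sample_directory())
    print("ransom note present:", report["ransom_note_present"])
    for name, r in report["files"].items():
        print(f"{name}: head={r['head_entropy']} tail={r['tail_entropy']} -> {r['verdict']}")
```

Run against a real directory by reading each file into bytes and passing the mapping to `triage_directory`. Files of 42KB or less give only the weaker `whole_file_high` verdict, since there is no tail to compare against; for those, the presence of the ransom note in the same directory is the corroborating signal.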

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by Liam Tung