An iOS keylogger and crypto-ransomware you shouldn't be afraid of yet

Security vendors are often accused of spreading fear, uncertainty and doubt (FUD) in the name of software sales. But occasionally they also hose down overstated claims by malware authors.

According to Symantec, one such piece of malware that fails to live up to its author’s claims is Zorenium, which gained some attention earlier this year after its author, “Rex”, claimed it could run on iOS, steal banking credentials, support peer-to-peer communications and multiply over Skype and Facebook.

While Zorenium is certainly malware, Symantec researchers have debunked most of its claimed features and called into question the malware’s £5000 price tag.

According to Symantec’s analysis of available samples, claims made by Rex in January that Zorenium could run on iOS 5 to iOS 7 — and had similar capabilities to an infamous rootkit with Russian origins known as TDL-4 — are basically a fib. The document reads like a round-up of malware stories in the press.

Features that Zorenium won’t support, according to Symantec, include:

  • Running on iOS 5 to iOS 7
  • Running on most Debian platforms, as well as the latest Android tablets
  • Similar capabilities to the sophisticated TDL-4 rootkit
  • The ability to spread through Skype or Facebook
  • P2P communications
  • The ability to steal banking details.

Had it actually lived up to the iOS claim, the single sample would have become eight percent of all known iOS malware by numbers from security vendor Fortinet.

While the malware developers could build iOS support into their product, Symantec’s write-up for one sample discovered in June notes that it is a Windows worm that opens a back door and steals information on the compromised computer.

Another sample showed, however, that the developers had managed to build new data-stealing capabilities, such as capturing screenshots and keylogging, in addition to worm-like capabilities to spread through email — but not Skype.

Still, as Symantec notes, what’s known about the malware suggests it has a long way to go before it’s worth its price tag.

“While the threat can be used for nefarious purposes, in its current form, it is punching well below its marketed weight. There is the possibility that the marketed Zorenium bot’s features and released samples are nothing but a scam in an effort to trick buyers into paying for a dud.”

Another category of malware that’s been causing problems for consumers and businesses over the past two years is crypto-ransomware and to a lesser extent, police-themed lock screen ransomware.

Following the recent arrest of criminals behind the infamous CryptoLocker ransomware, several copycats have stepped up to the plate. One of them is Cryptowall, which reportedly caused headaches for a police department in New Hampshire in the US — who incidentally told media they refused to pay.

Other copycats have had less success. Security vendor Sophos analysed one piece of crypto-ransomware that’s detected by 23 out of 51 security products. It's botched, according to the company.

Actions the malware author claims its ransomware will do when victims’ machines become infected include:

  • Generate a random AES key.
  • Use this key to scramble the first 42KB of a large list of files on all visible drives, with the AES-CBC cipher plus a randomly created initialisation vector for each file. (That means even two identical files will encrypt differently.)
  • Encrypt the AES key with an RSA public key carried along with the malware.
  • Call home with the RSA-encrypted AES key and a numeric code to identify the victim.
  • Leave behind a file called HOWTODECRYPT.html in every affected directory.

Victims should be aware that not paying the ransom in this case won’t result in a total loss of the files the attacker claims were encrypted, Paul Ducklin, Sophos’ Asia Pacific head of technology, points out.

“The sample we saw was broken, though whether due to the incompetence of the malware author, or due to a bug in some server-side software programmed to generate a customised sample for each potential victim, we shall never know.”
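The damage pattern Sophos describes (only the first 42KB of each file scrambled, a HOWTODECRYPT.html note in every affected directory) is concrete enough to search for during triage. The following is an added example, not Sophos’ or the article’s code: a Python script that walks a directory tree and flags directories holding the note plus files whose first 42KB reads as ciphertext while the rest of the file does not, which is also the reason a victim’s data is not a total loss. The entropy threshold and the constructed sample files are assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
# From the article's description of the sample: only the first 42 KB of each file is
# scrambled, and a HOWTODECRYPT.html note is dropped in every affected directory.
SCRAMBLED_PREFIX = 42 * 1024
RANSOM_NOTE = "HOWTODECRYPT.html"
HIGH_ENTROPY = 7.5  # assumed threshold: ciphertext nears 8 bits/byte, text sits far below

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_partially_encrypted(path: Path) -> bool:
    """True when the first 42 KB reads as ciphertext but the rest of the file does not."""
    # A file that is high-entropy throughout (archive, JPEG) is not flagged; only the
    # head/tail contrast matches the partial-overwrite pattern described in the article.
    data = path.read_bytes()
    if len(data) <= SCRAMBLED_PREFIX:
        return False  # no untouched tail to compare against
    head, tail = data[:SCRAMBLED_PREFIX], data[SCRAMBLED_PREFIX:]
    return shannon_entropy(head) >= HIGH_ENTROPY and shannon_entropy(tail) < HIGH_ENTROPY

def triage(root: Path) -> dict:
    """Walk a tree; report note directories and files matching the damage pattern."""
    notes, suspects = [], []
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        if RANSOM_NOTE in files:
            notes.append(here.relative_to(root).as_posix())
        for name in files:
            if name != RANSOM_NOTE and looks_partially_encrypted(here / name):
                suspects.append((here / name).relative_to(root).as_posix())
    return {"note_dirs": sorted(notes), "suspect_files": sorted(suspects)}

def build_sample_tree(root: Path) -> None:
    """Constructed fixture: a clean file, a file with its head overwritten, and a note."""
    text = b"The quick brown fox jumps over the lazy dog. " * 3000  # ~135 KB of plain text
    (root / "clean.txt").write_bytes(text)
    (root / "docs").mkdir()
    # Reproduce only the damage pattern: random bytes over the head, original tail intact.
    (root / "docs" / "report.txt").write_bytes(os.urandom(SCRAMBLED_PREFIX) + text[SCRAMBLED_PREFIX:])
    (root / "docs" / RANSOM_NOTE).write_text("<html>constructed placeholder note</html>")

def demo() -> dict:
    """Build the fixture in a temporary directory and return the triage report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return triage(Path(tmp))
```

Running `demo()` on the constructed tree reports `docs` as the only note directory and `docs/report.txt` as the only suspect file; the clean text file and the note itself are not flagged.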

This article is brought to you by Enex TestLab, content directors for CSO Australia.