Zorenium Bot: Heading to an iPhone Near You?

Cross-platform Zorenium Bot: Heading to an iPhone Near You?
Cross-platform Zorenium Bot: Heading to an iPhone Near You?

According to Tanya Koyfman and Assaf Keren of security firm Terrogence, Zorenium has been on sale since January, but it has added an update to include the ability to infect iOS devices (versions 5-7), alongside its existing capabilities to run on Linux- and Windows-based machines. The developers have also updated the rootkit to TDL4 (making it vulnerable to anti-TDSS tools). 

“Zorenium, a relative of Betabot, is a very robust bot which is still undetected by most AV companies,” they explained in a blog. “It has several key abilities, including DDoS, form-grabbing, bot-killing, banking Trojan and Bitcoin mining.”

The cost of a basic Zorenium bot is around $500, but with advanced features (including P2P C&C, i2p C&C and more) it can go up to more than $7,000. According to its developers, it is still in beta mode and more features will be available in time, but the company did an initial analysis on its cross-platform features.

There are a number of notable capabilities, including the “FakeShoutDown” mechanism. The code imitates the entire shutdown sequence once initiated by the user, including displaying the proper images and slowing down the computer fans to eliminate the noise—but in reality the computer doesn’t shut down at all and is left to carry out commands.

“If according to the author indeed it operates as they say it does, then it is definitely a new way of thinking,” Terrogence noted.

Amongst the other various features, the bot will replicate a new disk drive and will drop the core dll’s onto it. Then it will encrypt the hard drive and thus protect it from various AV and anti-malware mechanisms. The bot also has a stenography module and multiple interfaces of management (such as IRC and I2P), and all come with a set of 256-bit AES keys.

Then there’s the iOS module. The analysis suggests that Apple devices must be jail-broken to be vulnerable, which makes sense given Apple’s tight control over the iOS ecosystem—there’s a reason after all that virtually all mobile malware targets Android.

“The cherry on this ice cream would be the iOS module. This is definitely the first bot that I have seen that actually operates on cross-platforms,” the researchers said. “It can infect Android, Windows and iOS systems – a true nightmare to all security specialists. The main question regarding iOS still remains – are only jailbroken phones at risk or is it much, much worse?”

Troy Gill, senior security analyst at AppRiver, in a mail to Infosecurity noted the danger. “Hypothetically Zorenium could run on a current updated version of iOS if it were using an unknown vulnerability (this seems unlikely and is purely speculative at this point). If this proves to be the case then it would be a game-changer since virtually all mobile malware that exists today is designed to target Android devices.”

He added that for jailbreakers, it’s a cautionary turn of events. “Zorenium can allegedly run on a jail-broken device, and it’s important to note that anyone who jailbreaks their IOS device should have no expectations of security since they’re circumventing security measures put in place by Apple,” said Gill.

What’s hot on Infosecurity Magazine?