This document discusses mobile botnets and rootkits. It begins by introducing the author and their work in mobile malware analysis. Various examples of existing mobile malware are provided, including botnets that coordinate infected devices and rootkits that hide on phones. The document outlines characteristics of botnets like command and control and how they are used for attacks. It also defines rootkits and provides examples found in the wild for Symbian and other mobile platforms. Finally, it discusses the potential for future mobile botnets and rootkits as the capabilities of smartphones increase.
Smartphone Ownage: The State of Mobile Botnets and Rootkits
Contents
• Who we are
• Mobile malware
• Definitions
• Mobile Botnets
• Mobile Rootkits
Who we are
• Mobile Antivirus Researchers
• My team and I specialize in mobile malware and threat analysis on existing (J2ME, SymbOS, WM, iPhone OS, Android) and upcoming mobile platforms.
• We work with a number of large mobile network operators.
Mobile malware
In the Wild
Comparison to PC malware
Trends
In the Wild
740+ variants, spanning SymbOS, J2ME, WinCE, Python, MSIL, VBS and Linux
Comparison to PC malware
PC malware category – Mobile examples
Worms
● SymbOS/Commwarrior family
● MSIL/Xrove.A
● SymbOS/Cabir.A
Viruses
● WinCE/Duts.1536
● SymbOS/Lasco.A
Trojan Horses
● J2ME Trojans
● SymbOS Trojans
● WinCE Trojans
Spyware
● Commercial spyware – jailbroken/rooted devices
● txbbspy – Blackberry
● PhoneSpy – iPhone
Trends – Mobile Malware Lifecycle
Definitions
Botnets
Rootkits
Botnets
• Network
– Clients: infected machines, “bots”, “zombies”, “bot clients”, etc.
– Server(s): command & control, “bot master”, “herd master”, etc.
• Uses
– Stealing PII, confidential information, etc.
– Attacks (DDoS, spam, phishing)
Rootkits
• Originally used on UNIX systems to assist in gaining/keeping root access
– Scripts and rigged binaries
• Essentially, rootkits do a few things
– Evasion
– Reduce or maintain reduced security
– Self-Protection
First one on the machine wins.
Mobile Rootkits
Examples in the wild
Precursors
Actual
SymbOS/Commwarrior
Variant   Feature                                       Type
A-B       Delete other malware                          Self-protection
C         Copies itself to the memory card              Evasion/Self-protection
C         Self-repair, protection from being deleted    Self-protection
D         Encrypts internal strings                     Evasion
D         Infects other programs' installation files    Evasion
D         Deletes antivirus programs                    Evasion/Self-protection
WinCE/Infojack.A
• Self-protection
– Installs as an autorun program on the memory card
– Installs itself to the phone when an infected memory card is inserted
– Protects itself from deletion by copying itself back to disk
• Reduce security/bypass protection
– Allows unsigned applications to install without warning
Screenshots: WinCE/InfoJack is installed with a collection of legitimate games; WinCE/InfoJack installs silently along with other applications; WinCE/InfoJack installs as an autorun program on the memory card.
Linux Mobile Phone Rootkits
• Rutgers University researchers Bickford et al. developed a set of mobile rootkits
• Perform attacks
– Dial attacker on alarm
– Dial attacker on SMS
– GPS coordinates sent to attacker via SMS
– Battery drain attack
• Evasion/Self-protection
– Evade user-mode detection
• Port to N900 in the works
Openmoko Neo1973 (Photo Credit: Ryan Baumann)
Mobile Rootkits
Future Research
Android on iPhone/iPhone Linux
• Spinoff/side project from one of the iPhone dev team developers
• Security reduced
– Requires jailbroken phone
– Entirely different OS runs
• Self-protection
– Custom iBoot designed to load Linux
Mobile Botnets
Examples in the wild
Precursors
Actual
OSX/iPHSponey.A
• Network Communication
– Exfiltrate data via email
• Not hardcoded or updated in PoC
• Data gathering (including PII)
– Acquire data from
• interesting apps (Safari, YouTube)
• keyboard cache
OSX/RRoll.C/OSX/iPHDownloader.A - “botnet”
• Reduce Security
– Enable phishing via hosts file entry
– Unlike previous variant does not disable sshd
– Alters password of user 'mobile' (not root)
• Data gathering
– Attempts to send SMS DB to attacker
• C & C
– /etc/hosts changing script downloaded
• Redirects Dutch bank site to attacker's server
• More of an intended botnet
– OSX/RRoll.C propagates OSX/iPHDownloader.A, but neither propagates on its own
– C & C server taken down
SymbOS/XMJTC - “sexy view” worm
• Self-protection/evasion
– Signed installation file
• No warning to user during installation
– Silent install of updates
• Kills processes of 3rd party task managers
• C&C via SMS messages
– Download and install update from supplied URL
– Writes a “serial number” to disk
– Ping the attacker's server/phone via SMS
• Perform attacks
– spamming links to malware via SMS
“Rise of the iBots: 0wning a telco network”
• Security researchers Collin Mulliner and Jean-Pierre Seifert developed a PoC iPhone botnet
– Research concentrated on evading detection
• C&C over SMS and P2P network
– Encrypted commands
• Tested in lab
– “Installed bot(s) on a number of iPhones in the lab.”
• No “spreading functionality”
– Experiments were testing the feasibility of the C&C channels
• Presented at the 5th International Conference on Malicious and Unwanted Software (MALWARE 2010)
“Rise of the iBots: 0wning a telco network”
Command message format (field: length in bytes)
Signature Length: 1
ECDSA Signature: <variable>
Sequence Number: 4
Command Type: 1
Command: <variable>

Command                   Function
Add phone number(s)       Adds numbers to the forwarding list. Commands are forwarded to all bots on the list.
Set sleep interval        Sets how long the client waits before searching the P2P network for a command.
Execute shell sequence    Run a command in the shell (e.g. ls, ping, etc.).
Download URL              Downloads a command file from the botmaster.
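The message layout above, as a decoder an analyst could run over captured iBots C&C traffic to see why the signature and the sequence number matter together. This is an added example, not code from the iBots paper; it assumes big-endian sequence numbers, the command-type codes shown, and a caller-supplied ECDSA check, since the slide does not give the curve or encoding.

```python
# Added example, not the iBots authors' code: decode a captured C&C message in
# the layout tabulated above (1-byte signature length, variable ECDSA signature,
# 4-byte sequence number, 1-byte command type, variable command). Byte order,
# the command-type codes and the signature check itself are assumptions here.
import struct
from typing import Callable, NamedTuple, Optional

# Assumed codes: the slide names the four commands but not their type values.
COMMAND_TYPES = {0: "add_numbers", 1: "set_sleep", 2: "exec_shell", 3: "download_url"}


class Frame(NamedTuple):
    signature: bytes
    sequence: int
    command_type: str
    command: bytes


def parse_frame(data: bytes) -> Frame:
    """Split a raw message into its fields; raise ValueError if it is malformed."""
    if not data:
        raise ValueError("empty message")
    sig_len = data[0]
    signature = data[1:1 + sig_len]
    body = data[1 + sig_len:]                       # sequence + type + command
    if len(signature) != sig_len or len(body) < 5:
        raise ValueError("truncated message")
    (sequence,) = struct.unpack(">I", body[:4])     # big-endian is assumed
    if body[4] not in COMMAND_TYPES:
        raise ValueError("unknown command type %d" % body[4])
    return Frame(signature, sequence, COMMAND_TYPES[body[4]], body[5:])


class BotCommandDecoder:
    """Validate a command stream the way the bot would: signature first, then a
    strictly increasing sequence number, so a validly signed old command cannot
    be replayed. verify(signed_bytes, signature) -> bool is caller-supplied."""

    def __init__(self, verify: Callable[[bytes, bytes], bool]):
        self.verify = verify
        self.last_sequence = -1

    def accept(self, data: bytes) -> Optional[Frame]:
        frame = parse_frame(data)
        signed = data[1 + len(frame.signature):]    # the bytes the signature covers
        if not self.verify(signed, frame.signature):
            return None                             # forged or tampered
        if frame.sequence <= self.last_sequence:
            return None                             # replayed or reordered
        self.last_sequence = frame.sequence
        return frame
```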
WeatherFistBadMonkey – iPhone/Android botnet
• PoC created by Security Researchers
– Derek Brown and Daniel Tijerina (Tipping Point DV Labs)
• Evasion
– Performs nominal function – connects to legitimate weather site
• Bot capability
– Clients available for multiple platforms
– Jailbroken iPhone
– Stock Android
• C & C Server
– Spamming
– provide reverse shell
– perform DDoS
Screenshot: Weather Underground site
Rootstrap & Eclipsetrap
• PoC created by Security Researcher Jon Oberheide of Scio Security
• Evasion
– Pretends to be “Twilight Eclipse Preview” app
• Updates/Commands
– Downloads new native binaries regularly
Despite being only nominally a movie preview app and receiving bad reviews, the PoC garnered over 200 downloads.
SymbOS/Zitmo.A
• Zeus trojan on the PC puts up a dialog asking for the victim's phone model and mobile number
– Uses number to send download link to victim
– Download is a signed installation file pretending to be a “Nokia update”
• Zitmo.A is spyware used to forward incoming SMS to the attacker
– Unlike other more common Symbian spyware, forwarded SMS are not logged to an account on a central server
SymbOS/Zitmo.A, cont.
Command                                  Function
set admin / SET ADMIN                    Sets the C&C phone number (in memory or in the config file) [case-sensitive]
[ON/OFF]                                 Starts/stops the forwarding of SMS messages
BLOCK [ON|OFF]                           Ignore SMS commands
SET SENDER <number>                      Add sender's number to the forwarding list
ADD SENDER <number1>,…,<number n>
ADD SENDER ALL
REM SENDER <number1>,…,<number n>        Remove specific/all senders' numbers
REM SENDER ALL
SymbOS/Zitmo.A, cont.
• Used for stealing mTAN/mTAC (Mobile Transaction Authorization Number/Code)
– mTAN/mTAC are not used by all banks
• Not written from scratch
– Cracked version of commercial spyware “SMS Monitor”
Installation of the commercial spyware
(images from dTarasov.ru documentation)
The original program required payment.
(images from dTarasov.ru documentation)