DRAGON LADY
AN INVESTIGATION OF
RUSSIAN SMS FRAUD
RYAN W SMITH & TIM STRAZZERE
Lookout, Inc.
Read the report
WHO ARE WE - RYAN W SMITH
• Senior Research and Response Engineer @ Lookout
• Contributing member of the Honeynet Project for more than 10 years
• Worked on automated x86/Windows shellcode deobfuscation and malware sandboxing before starting Android reversing
• Previously spoke about scalable Android reversing @ AppSec USA and IEEE HICSS
WHO ARE WE - “DIFF” @TIMSTRAZZ
• Lead Research & Response Engineer @ Lookout
• Reversed the Android Market/Google Play protocol
• Junkie for reversing mobile malware, creating write-ups and teaching others to help raise the bar
• Spoke previously about anti-analysis/decompilation/emulation at BH ’11/’12, EICAR ’12, HiTCON ’13, SySCAN ’13, etc.
WHY DEEP DIVE?
• Stats are extremely misleading; but they get headlines!
• Did it just go from 100 samples to 163? 163 / 100 == 1.63 == 163%
• Different (zip) hash? Different (unique) sample?
• Correlation by SENDS_SMS is not good enough!
WHY DEEP DIVE?
• New hash != new “sample” -- need context!
• Impressive... “server-side polymorphism”: three APKs with three different zip hashes, but the classes.dex inside each one is byte-identical

bebop:alphasms tstrazzere$ shasum *apk
e780f49dd81fec4df1496cb4bc1577aac92ade65  mwlqythh.rwbkulojmti-1.apk
8263d3aa255fe75f4d02d08e928a3113fa2f9e17  mwlqythh.rwbkulojmti-2.apk
521d3734e927f47af62e15e9880017609c018373  mwlqythh.rwbkulojmti-3.apk
bebop:alphasms tstrazzere$ shasum *.dex*
14e46f0330535cb5e8f377a6c2bb2c858de6f414  classes.dex-1
14e46f0330535cb5e8f377a6c2bb2c858de6f414  classes.dex-2
14e46f0330535cb5e8f377a6c2bb2c858de6f414  classes.dex-3
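The check the two shasum runs on this slide do by hand, as an added example (not the authors' tooling): hash each APK as a whole and hash the classes.dex inside it, then count samples by the inner hash so repackaged zips collapse into one. The three APKs and their placeholder dex are constructed in memory so the script runs offline.

```python
import hashlib
import io
import zipfile
from collections import defaultdict


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def apk_fingerprints(apk_bytes: bytes) -> dict:
    """Return the outer (zip) SHA-1 and the SHA-1 of classes.dex inside it.

    dex_sha1 is None when the zip carries no classes.dex at all.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        dex = zf.read("classes.dex") if "classes.dex" in zf.namelist() else None
    return {
        "apk_sha1": sha1_hex(apk_bytes),
        "dex_sha1": sha1_hex(dex) if dex is not None else None,
    }


def cluster_by_dex(apks: dict) -> dict:
    """Group APK file names by the hash of their classes.dex, not of the zip."""
    clusters = defaultdict(list)
    for name, data in apks.items():
        clusters[apk_fingerprints(data)["dex_sha1"]].append(name)
    return dict(clusters)


def unique_sample_count(apks: dict) -> int:
    """Number of distinct code bodies, i.e. what '163 samples' should be counted as."""
    return len(cluster_by_dex(apks))


def build_fake_apk(dex: bytes, pad_name: str, pad: bytes) -> bytes:
    """Constructed sample: one zip with the shared classes.dex plus one varying extra file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr(pad_name, pad)  # this entry is what makes each zip hash differ
    return buf.getvalue()


DEX = b"dex\n035\x00" + b"\x00" * 64  # constructed placeholder, not a real dex file
SAMPLES = {  # file names follow the slide; contents are constructed
    "mwlqythh.rwbkulojmti-1.apk": build_fake_apk(DEX, "assets/r1.bin", b"A" * 32),
    "mwlqythh.rwbkulojmti-2.apk": build_fake_apk(DEX, "assets/r2.bin", b"B" * 32),
    "mwlqythh.rwbkulojmti-3.apk": build_fake_apk(DEX, "assets/r3.bin", b"C" * 32),
}
```

On the constructed set the three outer hashes differ while the inner hash is shared, so `unique_sample_count(SAMPLES)` is 1 rather than 3.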
FAMILY INTEL.
Columns on the slide: Sends SMS | Downloads Apps | Exfiltrates PII | Obfuscation (non-commercial)

Family          Columns marked
ALPHASMS        4 of 4
BADNEWS         3 of 4
CONNECTSMS      4 of 4
DEPOSITMOBI     2 of 4
FAKEBROWS       4 of 4
SMSACTOR        3 of 4
NOTCOMPATIBLE   0 of 4
(Only the number of marks per family is recoverable from the slide; which column each mark sits in is not.)

FakeInst / SMSSend / Other generic name
SAMPLE EVOLUTION IS IMPORTANT
ConnectSMS.a  e6d823...  Packaged: 07-30-12  No obfuscation / crypto; debug information available
ConnectSMS.f  00f35f...  Packaged: 12-13-12  SMS endpoints / URL encrypted; debug info stripped; added contact exfiltration
ConnectSMS.p  355d6f...  Packaged: 01-11-13  SMS endpoints / URL encrypted; debug info stripped; removed contact exfiltration
ConnectSMS.s  383069...  Packaged: 04-03-13  SMS / URL remotely pulled & decrypted; debug info re-added
Same crypto
DECIPHERING OBFUSCATION
AlphaSMS
• Underlying code still similar
• “Polymorphism” easily confused with “omg sky is falling”
• Trends across different distributing organizations
AGILE THREAT RELEASES
BEYOND SMS FRAUD - NOTCOMPATIBLE
• Interesting exercise in malware component commoditization
• Relates directly to PC malware
• Used mass-compromised web sites and compromised swaths of accounts (AOL, Yahoo, etc.) for distribution (likely purchased?)
• Actively used for evading fraud detection
Diagram labels: Attacker in Europe; Purchasing service, inside US; Block by fraud detection; Infected proxy device, inside US
CONCLUSIONS
• Top 10 Russian SMS fraud organizations account for over 30% of worldwide malware detections
• SMS fraud is a diverse threat and requires careful categorization
• SMS fraud has effectively been commoditized in Russia and has a thriving support system
• By taking a “full-stack” approach to tracking these threats we avoid the typical “whack-a-mole” AV strategy
THE GIANTS ON WHICH WE STAND
• Thanks to:
  • The entire R&R and security team at Lookout
  • The Honeynet Project
  • Mila @ Contagio Dump
  • @jduck @pof @osxreverser @thomas_cannon @adesnos @Gunther_AR @TeamAndIRC @cryptax
Keep in touch with
@lookout
/mylookout
blog.lookout.com
contact@lookout.com
http://bit.ly/dragon-lady