Transparent Botnet C&C for Smartphones over SMS

Notes
  • Nearly 62 million smartphones were sold in Q2 2010. Development is similar to standard platforms: Android = Linux, iPhone = OSX, Windows Mobile = Windows. Technical specs are not as good as top-of-the-line desktops, but they are capable and improving rapidly.
  • Battery management: IP runs down the battery quickly. Fault tolerant: if an SMS fails it will queue and retry. Difficult for security researchers to monitor.
  • The bot receives all communication from the modem. If it is an SMS (code CMT), continue analysis; if not, pass it up to user space.
  • Moves through the PDU to the User Data; decodes 7-bit GSM to plaintext.
  • The bot checks for the secret key in the message. If it is a bot message, continue analysis and swallow the message (the user never sees it); if not, the message is passed to user space.
  • The bot reads the functionality request in the message. If found, perform the functionality; if not found, fail silently.
  • Impersonation: use cryptographic keys to authenticate the master bot and sentinel bots. Replay: SMS timestamps, sequence numbers / one-time keys, elliptic curve algorithm.
  • Possibility of detection from phone bills. User Data is limited to 160 characters (instructions and keys must fit in this space). On some platforms only the modem knows the phone number.
  • Regular users: app + local root exploit (sendpage etc.). Example: Jon Oberheide's Twilight Android botnet, Defcon Skytalks 2010. Root-level/jailbroken users: root-level app using a proxy function for AWESOME + bot. Example: flashlight + tether for iPhone. Remote: remote root exploit (rooted and non-rooted). Example: iKee-B "Duh" worm for iPhone.
  • Spam: creating SMS-Send PDUs and passing them to the modem. Example: SMS ads. DDoS: millions of smartphones vs. a server. Loading new functionality: send a URL in the payload; download the module into known payloads. Degrading GSM service: overloading the network with bogus requests.
  • Transparent Botnet C&C for Smartphones over SMS

    1. Transparent Botnet Command and Control for Smartphones over Text Messages. Georgia Weidman
    2. Why Smartphone Botnets • Ubiquitous smartphones • Common development platforms • Strong technical specs
    3. Why Text Messages? • Battery management • Difficult to monitor • Fault tolerant
    4–13. How an SMS is sent and received (diagram slides) © Georgia Weidman 2011
    14. Previous Work: SMS Fuzzing. At Blackhat 2009, Charlie Miller & Collin Mulliner proxied the application layer and modem to crash smartphones with SMS. http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf
    15–17. Previous Work: SMS Fuzzing (diagram slides)
    18–19. My Work: SMS Botnet C&C (diagram slides)
    20–21. SMS-Deliver PDU
        07914140540510F1040B916117345476F100000121037140044A0AE8329BFD4697D9EC37

        Field                           Value
        Length of SMSC                  07
        Type of Address (SMSC)          91
        Service Center Address (SMSC)   41 40 54 05 10 F1
        SMS Deliver Info                04
        Length of Sender Number         0B
        Type of Sender Number           91
        Sender Number                   61 17 34 54 76 F1 (slide 20 lists 51 17 34 45 88 F1; slide 21 matches the PDU above)
        Protocol Identifier             00
        Data Coding Scheme              00
        Time Stamp                      01 21 03 71 40 04 4A
        User Data Length                0A
        User Data                       E8 32 9B FD 46 97 D9 EC 37
        Source: http://www.dreamfabric.com/s
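The steps the notes describe (take the +CMT message from the modem, move through the PDU to the User Data, decode the 7-bit GSM alphabet) applied to the PDU from slides 20–21, as an added example written for this page rather than code from the talk. A defender with access to the modem trace can decode every inbound SMS this way, including ones an application-layer hook would swallow before they reach the inbox. The "+CMT:" modem lines around the PDU are constructed; the PDU itself is the slide's.

```python
# Added example (not from the slides): pull the SMS-DELIVER PDU out of a modem trace
# ("+CMT:" is the unsolicited result code the notes call "code CMT") and walk it field
# by field, decoding the GSM 7-bit user data. PDU from the slide; modem lines constructed.
MODEM_TRACE = (
    "+CREG: 1\r\n"
    "+CMT: ,28\r\n"
    "07914140540510F1040B916117345476F100000121037140044A0AE8329BFD4697D9EC37\r\n"
)
def _swap_nibbles(hexstr):
    # Addresses and timestamps are BCD with swapped nibbles; 'F' pads odd lengths.
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2)).rstrip("F")
def gsm7_unpack(data, septets):
    # GSM 03.38 packing: septets packed LSB-first across octets (10 chars in 9 bytes).
    # Only the ASCII-compatible part of the default alphabet is mapped.
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits |= byte << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(chr(bits & 0x7F))
            bits >>= 7
            nbits -= 7
    return "".join(out)

def parse_sms_deliver(pdu_hex):
    raw, pos = bytes.fromhex(pdu_hex), 0
    smsc_len = raw[pos]; pos += 1                      # SMSC block: type byte + digits
    smsc = _swap_nibbles(raw[pos + 1:pos + smsc_len].hex().upper())
    smsc = ("+" if raw[pos] == 0x91 else "") + smsc    # 0x91 = international number
    pos += smsc_len
    first_octet = raw[pos]; pos += 1                   # 0x04 = SMS-DELIVER
    nd, sender_toa = raw[pos], raw[pos + 1]; pos += 2  # sender length in digits, type
    sender = _swap_nibbles(raw[pos:pos + (nd + 1) // 2].hex().upper())
    sender = ("+" if sender_toa == 0x91 else "") + sender
    pos += (nd + 1) // 2
    pid, dcs = raw[pos], raw[pos + 1]; pos += 2
    ts = _swap_nibbles(raw[pos:pos + 7].hex().upper()); pos += 7
    udl = raw[pos]; pos += 1
    ud = raw[pos:]
    return {"smsc": smsc, "mti": first_octet & 0x03, "sender": sender, "pid": pid, "dcs": dcs,
            "timestamp": "%s-%s-%s %s:%s:%s" % tuple(ts[i:i + 2] for i in range(0, 12, 2)),
            "udl": udl, "user_data": ud.hex().upper(),
            "text": gsm7_unpack(ud, udl) if dcs == 0x00 else None}  # DCS 0 = GSM 7-bit
def decode_cmt_trace(trace):
    # Each "+CMT:" line is followed by one PDU line. A bot that swallows these at the
    # modem layer leaves nothing in the user's inbox, so this is where to look.
    lines = trace.split("\r\n")
    return [parse_sms_deliver(lines[i + 1]) for i, line in enumerate(lines)
            if line.startswith("+CMT:") and i + 1 < len(lines)]
```

Running `decode_cmt_trace(MODEM_TRACE)` yields one message whose User Data decodes to the text "hellohello"; the secret-key check the notes describe would then run on that decoded string.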
    22–26. How the Botnet Works: 1. Bot receives message 2. Bot decodes User Data 3. Bot checks for bot key 4. Bot performs payload functionality
    27. Botnet Structure (diagram slide)
    28. Master Bot (diagram slide)
    29. Sentinel Bots (diagram slide)
    30. Slave Bots (diagram slide)
    31. Security Concerns • Impersonation • Replay • Cryptographic solutions
    32. Limitations • Possible detection methods • User Data length
    33. Getting the Bot Installed • Regular users • Rooted/jailbroken users • Remote
    34. Example Payloads • Spam • Denial of service • Load new functionality • Degrading cell service
    35. What This Really Means • If attackers can get the bot installed, they can remotely control a user's phone without giving any sign of compromise to the user.
    36. Mitigations • Integrity checks • Liability for smartphone applications • User awareness
    37. Demo • Android bot with spam payload
    38. Contact • Georgia Weidman • Company: Neohapsis Inc. • Email: Georgia@grmn00bs.com, Georgia.weidman@neohapsis.com • Website: http://www.grmn00bs.com • Twitter: vincentkadmon
    39. Selected Bibliography • SMS fuzzing: http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf • Cell bots attack GSM core: http://www.patrickmcdaniel.org/pubs/ccs09b.pdf • Twilight botnet: http://jon.oberheide.org/files/summercon10-androidhax-jonoberheide.pdf • SMS/P2P iPhone bots: http://mulliner.org/collin/academic/publications/ibots_malware10_mulliner_seifert.pdf
