Short 11-00 Jart Armin - The Pocket Botnet

  1. UISG Conference #7 – The Pocket Botnet. Jart Armin, HostExploit – CyberDefcon, DeepEnd Research Org. Kiev, Ukraine, UISG, December 2011
  2. About: a specialist international team, via HostExploit and CyberDefcon, that provides cybercrime analysis and quarterly reports on all the world's hosts and Internet servers; quarterly series of Top 50 Bad Hosts & Networks; CSF (Cyber Security Foundation); team member of DeepEnd Research; UNICRI, ENISA, APWG.
  3. 3rd Quarter World Host Report – Oct 2011
  4. Overview: Botnets – Problem? What Problem?; The Market; Mobile Malware; The Pocket Botnet
  5. Botnets in General – A Problem? What Problem?
     • Currently around 5,720 measurably active botnets
       • IRC (still around 30%), Jabber, I2P, P2P, HTTP, mini, Pocket Botnet
     • DDoS, RFI, vulnerability scanning, spam, phishing, malware, data exfiltration… APT
     • Covert channels
     • Bad guys & gray guys?
  6. Smartphone Market, Oct 2011 (a): 468 million units by the end of 2011, a rise of 60% compared to 2010 (296m)
  7. Smartphone Market (a) – O/S 2012
  8. Smartphone Market (b) – O/S 2010 / 2015
  9. Smartphone Shipping – 2010 / 2015. PC reference: est. 500m PCs sold in 2011, and 2 billion PCs in use around the world in 2015
  10. Mobile Security Habits – Oct 2011
     • People choose convenience over security practices
     • Towards 50% use the phone to connect to banks or financial accounts
     • 97% use it to connect to email accounts, either work or personal
     • 87% of phones are not supplied by an employer
     • One third leave apps/accounts constantly logged in
     • Best example – reported as a major hack against the USA – a US contractor for SCADA (Illinois water authority) logging in and maintaining data via his mobile phone while on a trip to Egypt & Russia!!!
  11. Mobile Malware – Pocket Botnet Ready
     • 1,700 versions (NetQin)
     • 113 samples (Contagio / DeepEnd)
     • 1410% increase in mobile malware samples (Trend Micro)
     • Zitmo Android Edition (Zeus for mobile)
     • SpyEye – SMS banking hijacks (mTANs)
     • Premium SMS, rootkits, data stealers, click fraud, spyware, malware
  12. Android.SmsSend family – 6 to 60 in 2011. Primarily the same deception as fake A/V.
  13. ANSERVER.A – Permissions. Using a C&C server.
  14. Pocket Botnet – ThemeInstaller.A (zombie – China)
     • Infected 1 million Symbian smartphones in 1 week, then slower propagation (CNCERT)
     • Concealment – clears logs, self-destructs, acts only when the phone is not in use
     • Defence – attacks security software
     • Transmission – infects other devices via SMS, downloads new malware from C&C
  15. The Pocket Botnet
  16. Pocket Botnet Takedown – US Telco & GG Tracker. GG Tracker (abuse of premium SMS by malware):
     • Signup via website, SMS used to authenticate
     • Subscriber pays $9.99 / call
     • Operator pays the SMS aggregator
     • Aggregator pays the content provider
     • Content provider pays spammers etc.
     • Around 30,000 victims by mid-2011
  17. Pocket Botnet – another method to infect the PC? Note: recent SpyEye banking SMS hijacking (blended threat)
  18. Pocket Botnet – DDoS: DDoS partly smartphone based
  19. The Pocket Botnet – Build Your Own? – Android.Pjapps
  20. The Pocket Botnet – Android.Pjapps Trojan C&C building manifest
  21. The Pocket Botnet – Build Your Own? Hijacking Android or Symbian – example. Establish a dial-in server, based on the modem configuration for mgetty:
     • Existing line: #/AutoPPP/ - a_ppp /usr/sbin/pppd auth -chap +pap login debug
     • Change to: /AutoPPP/ - a_ppp /usr/sbin/pppd auth -chap +pap login debug
     • Set up PPP options, e.g. ms-dns 3.4.5.6 (replace 3.4.5.6 with the DNS address) – Slave
     • Add users (zombies) to pap-secrets
     • Create Linux users
     • Broadcast
  22. Pocket Botnet – warning notice:
  23. The Pocket Botnet – Discussion
     • With market growth the increasing target is Android, but all O/S are vulnerable
     • Different from PC-based botnets: shorter lived, but spreads like wildfire
     • The 'free app' syndrome, similar to 'fake A/V' on PCs
     • Telcos have an advantage to strike down, but in the China Telecom example the only method was to block & take down C&Cs / download servers
  24. Action Perspective
     • The main effort for manufacturers is to prevent smartphones from becoming mini ISPs / re-broadcasting hubs.
     • Avoid the unit becoming a router and using PPP (Point-to-Point Protocol), whether through "mgetty" or similar commands, or through Microsoft Windows RAS (Remote Access Service).
     • Best if the platform reveals the phone number of the device only to the smartphone's modem
     • Issue an IPv6 IP and public encryption for each smartphone
  25. The Pocket Botnet – contact the presenter at jart@cyberdefcon.com if you have further interest. CyberDefcon – Cybercrime Clearing House & Early Warning Coalition; DeepEndResearch.org – fostering collaborative security research and analysis efforts; UNICRI – United Nations Interregional Crime and Justice Research Institute; ENISA – the European Network and Information Security Agency. The opinions hereby expressed are those of the authors and do not necessarily represent the ideas and opinions of the United Nations, the UN agency "UNICRI", ENISA, ENISA PSG, nor others.
  26. Useful Community Sources
     • EICAR 2011 – New type of threat: Mobile botnets on Symbian – Cao Yang, Zou Shihong, Li Wei
     • Niebezpiecznik (PL) http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
     • Collin Mulliner and Jean-Pierre Seifert, IEEE (Fr) http://mulliner.org/collin/academic/publications/ibots_MALWARE2010.pdf
     • Georgia Weidman, ShmooCon http://www.grmn00bs.com/GeorgiaW_Smartphone_Bots_SLIDES_Shmoocon2011.pdf
     • AnserverBot – AnserverBot_Analysis.pdf
     • HostExploit (hosts)
     • DeependResearch.org (botnets+)
     • Contagio.Blogspot (mobile malware samples)
     • Commercial: Trend Micro, Damballa, Lookout Mobile Security, Symantec
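A defender's check for the mgetty setting the deck revolves around: slide 21 shows the /AutoPPP/ line being uncommented so that pppd answers incoming calls, and slide 24 advises against letting a unit run PPP through mgetty at all. This is an added audit script, not part of the presentation; it assumes you point it at your own login.config and pppd options files, and the sample files it runs against are constructed.

```shell
#!/bin/sh
# Added audit helper, not from the slides: flag a host whose mgetty
# login.config hands incoming calls to pppd via an active /AutoPPP/ line
# (the configuration slide 21 quotes and slide 24 says to avoid) and
# produce a hardened copy with that line commented out again.

# autoppp_enabled FILE: 0 when FILE has an uncommented /AutoPPP/ entry
# (dial-in PPP server active), 1 otherwise.
autoppp_enabled() {
    grep -Eq '^[[:space:]]*/AutoPPP/' "$1"
}

# pppd_hands_out_dns FILE: 0 when a pppd options file pushes a DNS
# server to peers (ms-dns), i.e. the host acts as a mini ISP.
pppd_hands_out_dns() {
    grep -Eq '^[[:space:]]*ms-dns[[:space:]]' "$1"
}

# disable_autoppp FILE: print FILE with each active /AutoPPP/ line
# turned back into a comment.
disable_autoppp() {
    sed -E 's|^([[:space:]]*)(/AutoPPP/)|\1#\2|' "$1"
}

# audit LOGIN_CONFIG PPP_OPTIONS: warnings to stderr, finding count to stdout.
audit() {
    n=0
    if [ -r "$1" ] && autoppp_enabled "$1"; then
        echo "WARN: /AutoPPP/ active in $1 (dial-in PPP server)" >&2
        n=$((n + 1))
    fi
    if [ -r "$2" ] && pppd_hands_out_dns "$2"; then
        echo "WARN: ms-dns set in $2 (pppd pushing DNS to peers)" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample files mirroring slide 21 (not taken from a real device).
SAMPLE_LOGIN_CONFIG=$(mktemp)
cat > "$SAMPLE_LOGIN_CONFIG" <<'EOF'
/AutoPPP/ -  a_ppp  /usr/sbin/pppd auth -chap +pap login debug
*         -  -      /bin/login @
EOF
SAMPLE_PPP_OPTIONS=$(mktemp)
printf 'ms-dns 3.4.5.6\nproxyarp\n' > "$SAMPLE_PPP_OPTIONS"
HARDENED=$(mktemp); disable_autoppp "$SAMPLE_LOGIN_CONFIG" > "$HARDENED"
echo "findings before: $(audit "$SAMPLE_LOGIN_CONFIG" "$SAMPLE_PPP_OPTIONS"), after: $(audit "$HARDENED" /dev/null)"
```

On a real host, pass the actual login.config (commonly under /etc/mgetty+sendfax/, an assumed default) and the pppd options file in use; a non-zero count means the unit is configured as a dial-in PPP gateway.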
