Short 11-00 Jart Armin - The Pocket Botnet

Transcript of "Short 11-00 Jart Armin - The Pocket Botnet"

  1. UISG Conference #7 – The Pocket Botnet – Jart Armin – HostExploit – CyberDefcon – DeepEnd Research Org – Kiev – Ukraine – UISG, December 2011
  2. Specialist international team via HostExploit and CyberDefcon that provides cybercrime analysis and quarterly reports on all the world’s hosts and Internet servers. Quarterly series of Top 50 Bad Hosts & Networks. CSF (Cyber Security Foundation) Team member of DeepEnd Research. UNICRI, ENISA, APWG
  3. 3rd Quarter World Host Report – Oct 2011
  4. Overview
     • Botnets - Problem? What Problem?
     • The Market
     • Mobile Malware
     • The Pocket Botnet
  5. Botnets in General - A Problem – What Problem?
     • Currently around 5,720 measurably active botnets
     • IRC (still around 30%), Jabber, I2P, P2P, HTTP, mini, Pocket Botnet
     • DDoS, RFI, vulnerability scanning, spam, phishing, malware, data exfiltration… APT
     • Covert channels
     • Bad guys & gray guys?
  6. Smartphone Market Oct 2011 (a): 468 million units by the end of 2011, a rise of 60% compared to 2010 (296m)
  7. Smartphone Market (a) O/S 2012
  8. Smartphone Market (b) O/S – 2010 / 2015
  9. Smartphone Shipping – 2010 / 2015. PC Ref: Est. 500m PCs sold 2011, and 2 billion PCs in use around the world, in 2015
  10. Mobile Security Habits – Oct 2011
     • People choose convenience over security practices
     • Towards 50% use their phone to connect to banks or financial accounts
     • 97% use it to connect to email accounts, either work or personal
     • 87% of phones are not supplied by an employer
     • One third leave apps/accounts constantly logged in
     • Best example – reported as a major hack against the USA – a US contractor for SCADA (Illinois water authority) logging in and maintaining data while on a trip to Egypt & Russia via his mobile phone!
  11. Mobile Malware – Pocket Botnet Ready
     • 1,700 versions (NetQin)
     • 113 samples (Contagio / Deepend)
     • 1410% increase in mobile malware samples (Trend Micro)
     • Zitmo Android Edition (Zeus for mobile)
     • SpyEye – SMS banking hijacks (mTANs)
     • Premium SMS, root kits, data stealers, click fraud, spyware, malware
  12. Android.SmsSend family – 6 to 60 in 2011. Primarily the same deception as fake A/V
  13. ANSERVER.A
     • Permissions
     • Using a C&C server
  14. Pocket Botnet - ThemeInstaller.A – (zombie – China)
     • Infected 1 million Symbian smartphones in 1 week & slower propagation (CNcert)
     • Concealment – clear logs, self destruction, acts when phone not used
     • Defence – attacks security software
     • Transmission – infects other devices via SMS, downloads new malware from C&C
  15. The Pocket Botnet
  16. Pocket Botnet Takedown – US Telco & GG tracker. GG tracker (abusing premium SMS by malware)
     • Signup via website, SMS used to authenticate
     • Subscriber pays $9.99 / call
     • Operator pays SMS aggregator
     • Aggregator pays to content provider
     • Content provider pays spammers etc.
     • Around 30,000 victims mid 2011
  17. Pocket Botnet, another method to infect the PC? Note: recent SpyEye banking SMS hijacking (blended threat)
  18. Pocket Botnet - DDoS: DDoS – partly smart phone based
  19. The Pocket Botnet – Build your Own? - Android.Pjapps
  20. The Pocket Botnet - Android.Pjapps Trojan C&C building manifest
  21. The Pocket Botnet – Build Your Own? Hijacking Android or Symbian - Example. Establish a dial in server - based on modem configuration for mgetty
     • Establish: #/AutoPPP/ - a_ppp /usr/sbin/pppd auth -chap +pap login debug
     • Change to = /AutoPPP/ - a_ppp /usr/sbin/pppd auth -chap +pap login debug
     • Setup PPP options e.g. ms-dns 3.4.5.6 #replace 3.4.5.6 with DNS address Slave
     • Add users (zombies) to pap-secrets
     • Create Linux users
     • Broadcast
  22. Pocket Botnet – warning notice
  23. The Pocket Botnet - Discussion
     • With market growth, the increasing target is Android, but all O/S are vulnerable
     • Different to PC based botnets: shorter lived, but spreading like a wildfire
     • The ‘free app’ syndrome, similar to the PC’s ‘fake A/V’ syndrome
     • Telcos have an advantage to strike down, but in the example of China Telecom the only method was to block & take down C&Cs / download servers
  24. Action Perspective
     • The main effort for manufacturers is to prevent smartphones from becoming mini ISPs/re-broadcasting hubs.
     • Avoid the unit becoming a router and using PPP (Point-to-Point Protocol); through using “mgetty” or similar commands; or in Microsoft Windows RAS (Remote Access Service).
     • Best if the platform reveals the phone number of the device only to the smartphone’s modem
     • Issue an IPv6 IP and public encryption for each smartphone
  25. The Pocket Botnet. Contact presenter at jart@cyberdefcon.com if you have further interest:
     • CyberDefcon – Cybercrime Clearing House & Early warning Coalition
     • DeepEndResearch.org - fostering collaborative security research and analysis efforts
     • UNICRI - United Nations Interregional Crime and Justice Research Institute
     • ENISA - the European Network and Information Security Agency
     The opinions hereby expressed are those of the Authors and do not necessarily represent the ideas and opinions of the United Nations, the UN agency “UNICRI”, ENISA, ENISA PSG, nor others.
  26. Useful Community Sources
     • Eicar 2011 - New type of threat: Mobile botnets on Symbian - Cao Yang, Zou Shihong, Li Wei
     • Niebezpiecznik (Pl) http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
     • Collin Mulliner and Jean-Pierre Seifert IEEE (Fr) http://mulliner.org/collin/academic/publications/ibots_MALWARE2010.pdf
     • Georgia Weidman ShmooCon http://www.grmn00bs.com/GeorgiaW_Smartphone_Bots_SLIDES_Shmoocon2011.pdf
     • AnserverBot - AnserverBot_Analysis.pdf
     • HostExploit (hosts)
     • DeependResearch.org (botnets+)
     • Contagio.Blogspot (mobile malware samples)
     • Commercial: Trend Micro, Damballa, Lookout Mobile Security, Symantec
