Dragon lady
Published in: Technology, Business
1 Comment
  • I don't know an artisan/artist in his privacy

  1. DRAGON LADY: An investigation of Russian SMS fraud. Ryan W Smith & Tim Strazzere, Lookout, Inc. Read the report
  2. WHO ARE WE - RYAN W SMITH
     • Senior Research and Response Engineer @ Lookout
     • Contributing member of the Honeynet Project for more than 10 years
     • Worked on automated x86/Windows shellcode deobfuscation and malware sandboxing before starting Android reversing
     • Previously spoke about scalable Android reversing @ AppSec USA and IEEE HICSS
  3. WHO ARE WE - “DIFF” @TIMSTRAZZ
     • Lead Research & Response Engineer @ Lookout
     • Reversed the Android Market/Google Play protocol
     • Junkie for reversing mobile malware, creating write-ups and teaching others to help raise the bar
     • Spoke previously about anti-analysis/decompilation/emulation at BH ’11/’12, EICAR ’12, HiTCON ’13, SyScan ’13, etc.
  4. WHY DEEP DIVE?
     • Stats are extremely misleading, but they get headlines!
     • Did it just go from 100 samples to 163? 163 / 100 == 1.63 == 163%
     • Different (zip) hash? Different (unique) sample?
     • Correlation by SENDS_SMS is not good enough!
  5. WHY DEEP DIVE?
     • New hash != new “sample” -- need context!
     • Impressive... “server-side polymorphism” (three APKs with three archive hashes, but one and the same classes.dex):
       bebop:alphasms tstrazzere$ shasum *apk
       e780f49dd81fec4df1496cb4bc1577aac92ade65  mwlqythh.rwbkulojmti-1.apk
       8263d3aa255fe75f4d02d08e928a3113fa2f9e17  mwlqythh.rwbkulojmti-2.apk
       521d3734e927f47af62e15e9880017609c018373  mwlqythh.rwbkulojmti-3.apk
       bebop:alphasms tstrazzere$ shasum *.dex*
       14e46f0330535cb5e8f377a6c2bb2c858de6f414  classes.dex-1
       14e46f0330535cb5e8f377a6c2bb2c858de6f414  classes.dex-2
       14e46f0330535cb5e8f377a6c2bb2c858de6f414  classes.dex-3
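The check behind slides 4 and 5 (count by archive hash, then count by the hash of the code inside the archive) as an added Python example; this is not code from the talk or from Lookout's tooling. It builds three in-memory APK-like zips that share one constructed classes.dex stand-in (not a real dex file) and differ only in one repacked entry, using the file names from the slide, then shows that the headline count (3 archive hashes) collapses to 1 when samples are clustered by classes.dex hash. `build_apk`, `dex_sha1`, `cluster_by_dex` and `count_unique` are helpers defined here, not tools from the page.

```python
import hashlib
import io
import zipfile
from collections import defaultdict

# Constructed stand-in for a classes.dex payload (not a real dex file); the
# point is only that the same bytes are packed into every archive.
FAKE_DEX = b"dex\n035\x00" + bytes(range(64))


def build_apk(dex_bytes, extra_name, extra_bytes):
    """Build a minimal APK-like zip in memory: the shared classes.dex plus one
    per-build entry that a repackaging toolchain would vary (name and content).
    Helper written for this example, used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex_bytes)
        zf.writestr(extra_name, extra_bytes)
    return buf.getvalue()


def sha1(data):
    return hashlib.sha1(data).hexdigest()


def dex_sha1(apk_bytes):
    """SHA-1 of classes.dex inside the archive: the value that survives repacks
    of the same code, unlike the hash of the archive itself."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sha1(zf.read("classes.dex"))


def cluster_by_dex(samples):
    """Group sample names by the hash of their classes.dex."""
    clusters = defaultdict(list)
    for name, apk in samples.items():
        clusters[dex_sha1(apk)].append(name)
    return dict(clusters)


def count_unique(samples):
    """Return (distinct archive hashes, distinct dex hashes): the first is the
    headline number, the second is closer to the number of unique samples."""
    by_apk = {sha1(apk) for apk in samples.values()}
    by_dex = {dex_sha1(apk) for apk in samples.values()}
    return len(by_apk), len(by_dex)


# Constructed sample set using the file names from the slide; the archive
# contents are fabricated here, not the real samples.
SAMPLES = {
    "mwlqythh.rwbkulojmti-1.apk": build_apk(FAKE_DEX, "assets/a.txt", b"build 1"),
    "mwlqythh.rwbkulojmti-2.apk": build_apk(FAKE_DEX, "assets/b.txt", b"build 2"),
    "mwlqythh.rwbkulojmti-3.apk": build_apk(FAKE_DEX, "assets/c.txt", b"build 3"),
}

if __name__ == "__main__":
    # Mirrors the two shasum runs on the slide: archive hashes, then dex hashes.
    for name, apk in SAMPLES.items():
        print(sha1(apk), name)
    for name, apk in SAMPLES.items():
        print(dex_sha1(apk), "classes.dex from", name)
    apk_count, dex_count = count_unique(SAMPLES)
    print("archive hashes:", apk_count, "dex hashes:", dex_count)
    print("clusters:", cluster_by_dex(SAMPLES))
```

Clustering on the dex hash is only a first cut: a single byte changed in the dex (a new C&C string, a re-ordered method) yields a new dex hash too, which is why the talk goes on to variant-level tracking rather than stopping at any one hash.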
  6. FAMILY INTEL.
     Columns: Threat | Sends SMS | Downloads Apps | Exfiltrates PII | Obfuscation (non-commercial)
     Rows: ALPHASMS, BADNEWS, CONNECTSMS, DEPOSITMOBI, FAKEBROWS, SMSACTOR, NOTCOMPATIBLE
     (the per-cell check marks did not survive extraction)
  7. FAMILY INTEL.
     Same table as slide 6, with an added label: FakeInst / SMSSend / Other generic name
  8. SAMPLE EVOLUTION IS IMPORTANT
     • ConnectSMS.a (e6d823...) Packaged: 07-30-12. No obfuscation / crypto. Debug information available.
     • ConnectSMS.f (00f35f...) Packaged: 12-13-12. SMS endpoints / URL encrypted. Debug info stripped. Added contact exfiltration.
     • ConnectSMS.p (355d6f...) Packaged: 01-11-13. SMS endpoints / URL encrypted. Debug info stripped. Removed contact exfiltration.
     • ConnectSMS.s (383069...) Packaged: 04-03-13. SMS / URL remotely pulled & decrypted. Debug info re-added.
     Label on the figure: Same Crypto
  9. DECIPHERING OBFUSCATION
     • Underlying code still similar
     • “Polymorphism” easily confused with “omg sky is falling”
     • Trends across different distributing organizations
     [Figure: AlphaSMS]
  10. AGILE THREAT RELEASES
  11. BEYOND SMS FRAUD - NOTCOMPATIBLE
     • Interesting exercise in malware component commoditization
     • Relates directly to PC malware
     • Used mass-compromised web sites and compromised swaths of accounts (AOL, Yahoo, etc.) for distribution (likely purchased?)
     • Actively used for evading fraud detection
     [Figure labels: Attacker in Europe; Purchasing Service, inside US; Block by fraud detection; Infected proxy device, inside US]
  43. CONCLUSIONS
     • Top 10 Russian SMS fraud organizations account for over 30% of worldwide malware detections
     • SMS fraud is a diverse threat, and requires careful categorization
     • SMS fraud has effectively been commoditized in Russia and has a thriving support system
     • By taking a “full-stack” approach to tracking these threats we avoid the typical “whack-a-mole” AV strategy
  44. THE GIANTS ON WHICH WE STAND
     • Thanks to:
     • The entire R&R and security team at Lookout
     • The Honeynet Project
     • Mila @ Contagio Dump
     • @jduck @pof @osxreverser @thomas_cannon @adesnos @Gunther_AR @TeamAndIRC @cryptax
  45. Keep in touch with @lookout /mylookout blog.lookout.com contact@lookout.com http://bit.ly/dragon-lady
