Transparent Botnet C&C for Smartphones over SMS

Georgia Weidman, Information Security Consultant

Transparent Botnet Command and Control for Smartphones over Text Messages
Georgia Weidman
Why Smartphone Botnets
• Ubiquitous smartphones

• Common development platforms

• Strong technical specs
Why Text Messages?
• Battery management

• Difficult to monitor

• Fault Tolerant
How an SMS is sent and received

© Georgia Weidman 2011
Previous Work: SMS Fuzzing

At Blackhat 2009, Charlie Miller & Collin Mulliner proxied the application layer and modem to crash smartphones with SMS.

http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf
My Work: SMS Botnet C&C
SMS-Deliver PDU
07914140540510F1040B916117345476F100000121037140044A0AE8329BFD4697D9EC37

Field                          Value
Length of SMSC                 07
Type of Address (SMSC)         91
Service Center Address (SMSC)  41 40 54 05 10 F1
SMS Deliver Info               04
Length of Sender Number        0B
Type of Sender Number          91
Sender Number                  61 17 34 54 76 F1
Protocol Identifier            00
Data Coding Scheme             00
Time Stamp                     01 21 03 71 40 04 4A
User Data Length               0A
User Data                      E8 32 9B FD 46 97 D9 EC 37

http://www.dreamfabric.com/s
How the Botnet Works
1. Bot Receives Message

2. Bot Decodes User Data

3. Bot Checks for Bot Key

4. Bot Performs Payload Functionality
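Step 2 above (decoding the user data) is the part of the pipeline an analyst also needs when inspecting what a modem hands up, so here is the decoding applied to the SMS-Deliver PDU from the earlier slide. This is an added example in Python, not the author's bot code: it walks the PDU fields in the order of the slide's table and unpacks the GSM 7-bit user data. Two simplifications are mine: the two-digit year is assumed to be 20YY, and the timezone octet of the timestamp is skipped.

```python
"""Decode the SMS-DELIVER PDU from the slide (GSM 03.40 layout, 03.38 alphabet)."""

# GSM 03.38 default alphabet, indexed by 7-bit septet value 0x00..0x7F.
GSM7_ALPHABET = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿"
    "abcdefghijklmnopqrstuvwxyzäöñüà"
)

# The PDU printed on the slide, used here as the sample input.
SLIDE_PDU = "07914140540510F1040B916117345476F100000121037140044A0AE8329BFD4697D9EC37"


def semi_octets(raw: bytes) -> str:
    """Undo the nibble swap used for addresses and timestamps; drop 0xF filler."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw).rstrip("F")


def unpack_gsm7(user_data: bytes, septets: int) -> str:
    """Unpack 7-bit packed user data (no UDH) into text."""
    bits = int.from_bytes(user_data, "little")   # septet i lives at bits 7i..7i+6
    return "".join(GSM7_ALPHABET[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def parse_sms_deliver(pdu_hex: str) -> dict:
    """Walk the PDU field by field, mirroring the table on the slide."""
    pdu = bytes.fromhex(pdu_hex)
    smsc_len = pdu[0]                          # octets that follow, TOA included
    pos = 1 + smsc_len
    if pdu[pos] & 0x03 != 0x00:                # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    digits, sender_toa = pdu[pos + 1], pdu[pos + 2]
    sender_len = (digits + 1) // 2             # 11 digits -> 6 octets with filler
    sender = semi_octets(pdu[pos + 3:pos + 3 + sender_len])
    pos += 3 + sender_len
    pid, dcs = pdu[pos], pdu[pos + 1]
    if dcs & 0x0C != 0x00:                     # only the 7-bit default alphabet here
        raise ValueError(f"unsupported data coding scheme 0x{dcs:02X}")
    ts = semi_octets(pdu[pos + 2:pos + 8])     # YYMMDDhhmmss; tz octet skipped
    udl = pdu[pos + 9]                         # septet count for 7-bit data
    return {
        "smsc": ("+" if pdu[1] == 0x91 else "") + semi_octets(pdu[2:1 + smsc_len]),
        "sender": ("+" if sender_toa == 0x91 else "") + sender,
        "pid": pid,
        "dcs": dcs,
        # Two-digit year assumed to be 20YY (assumption, not from the spec).
        "timestamp": f"20{ts[:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:]}",
        "text": unpack_gsm7(pdu[pos + 10:], udl),
    }

if __name__ == "__main__":
    for field, value in parse_sms_deliver(SLIDE_PDU).items():
        print(f"{field:10} {value}")
```

Running it against the slide's PDU yields the sender and SMSC numbers as dialled digits and the user data as plaintext; anything with a non-7-bit coding scheme is rejected rather than mis-decoded.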
Botnet Structure

Master Bot

Sentinel Bots

Slave Bots
Security Concerns
• Impersonation

• Replay

• Cryptographic solutions
Limitations
• Possible detection methods

• User data length
Getting the Bot Installed
• Regular Users

• Rooted/Jailbroken Users

• Remote
Example Payloads
• Spam

• Denial of service

• Load new functionality

• Degrading cell service
What This Really Means


• If attackers can get the bot installed they can
  remotely control a user's phone without
  giving any sign of compromise to the user.
Mitigations
• Integrity checks

• Liability for smartphone applications

• User awareness
Demo



• Android Bot with Spam Payload
Contact
• Georgia Weidman
• Company: Neohapsis Inc.
• Email: Georgia@grmn00bs.com, Georgia.weidman@neohapsis.com
• Website: http://www.grmn00bs.com
• Twitter: vincentkadmon
Selected Bibliography
• SMS fuzzing:
  http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf
• Cell bots attack GSM core:
  http://www.patrickmcdaniel.org/pubs/ccs09b.pdf
• Twilight botnet:
  http://jon.oberheide.org/files/summercon10-androidhax-jonoberheide.pdf
• SMS/P2P iPhone bots:
  http://mulliner.org/collin/academic/publications/ibots_malware10_mulliner_seifert.pdf
Editor's Notes

  1. Nearly 62 million smartphones sold in Q2 2010. Development is similar to standard platforms: Android = Linux, iPhone = OSX, Windows Mobile = Windows. Technical specs not as good as top of the line desktops; they are capable and improving rapidly.
  2. Battery management: IP runs down battery quickly. Fault tolerant: if SMS fails it will queue and retry. Difficult for security researchers to monitor.
  3. Bot receives all communication from modem. If SMS (code CMT), continue analysis; if not SMS, pass up to user space.
  4. Moves through PDU to User Data. Decode 7-bit GSM to plaintext.
  5. Bot checks for secret key in message. If bot message, continue analysis and swallow message (user never sees it); if not bot message, passed to user space.
  6. Bot reads functionality request in message. If found, perform functionality; if not found, fail silently.
  7. Impersonation: use cryptographic keys to authenticate master bot and sentinel bots. Replay: SMS timestamps, sequence numbers / one-time keys. Elliptic Curve Algorithm.
  8. Possibility of detection from phone bills. User Data is limited to 160 characters (instructions and keys must fit in this space). On some platforms only the modem knows the phone number.
  9. Regular Users: App + Local Root Exploit (Sendpage etc.). Example: John Oberheide's Twilight Android Botnet, Defcon Skytalks 2010. Root-level/Jailbroken Users: Root level app using proxy function for AWESOME + Bot. Example: flashlight + tether for iPhone. Remote: Remote root exploit (rooted and non-rooted). Example: iKee-B "Duh" Worm for iPhone.
  10. Spam: Creating SMS-Send PDUs and passing them to the modem. Example: SMS ads. DDOS: Millions of smartphones vs. a server. Loading New Functionality: Send URL in payload; download the module into known payloads. Degrading GSM service: Overloading the network with bogus requests.