Transparent Botnet C&C for Smartphones over SMS

Published in: Technology, Business

  1. Transparent Botnet Command and Control for Smartphones over Text Messages
     Georgia Weidman
  2. Why Smartphone Botnets
     • Ubiquitous smartphones
     • Common development platforms
     • Strong technical specs
  3. Why Text Messages?
     • Battery management
     • Difficult to monitor
     • Fault tolerant
  4. How an SMS is sent and received
  5. How an SMS is sent and received © Georgia Weidman 2011
  6. How an SMS is sent and received
  7. How an SMS is sent and received
  8. How an SMS is sent and received
  9. How an SMS is sent and received
  10. How an SMS is sent and received
  11. How an SMS is sent and received
  12. How an SMS is sent and received
  13. How an SMS is sent and received
  14. Previous Work: SMS Fuzzing
      At Blackhat 2009, Charlie Miller & Collin Mulliner proxied the application layer and modem to crash smartphones with SMS.
      http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf
  15. Previous Work: SMS Fuzzing
  16. Previous Work: SMS Fuzzing
  17. Previous Work: SMS Fuzzing
  18. My Work: SMS Botnet C&C
  19. My Work: SMS Botnet C&C
  20. SMS-Deliver PDU
      07914140540510F1040B916117345476F100000121037140044A0AE8329BFD4697D9EC37

      Field                            Value
      Length of SMSC                   07
      Type of Address (SMSC)           91
      Service Center Address (SMSC)    41 40 54 05 10 F1
      SMS Deliver Info                 04
      Length of Sender Number          0B
      Type of Sender Number            91
      Sender Number                    51 17 34 45 88 F1
      Protocol Identifier              00
      Data Coding Scheme               00
      Time Stamp                       01 21 03 71 40 04 4A
      User Data Length                 0A
      User Data                        E8 32 9B FD 46 97 D9 EC 37

      http://www.dreamfabric.com/s
  21. SMS-Deliver PDU
      07914140540510F1040B916117345476F100000121037140044A0AE8329BFD4697D9EC37

      Field                            Value
      Length of SMSC                   07
      Type of Address (SMSC)           91
      Service Center Address (SMSC)    41 40 54 05 10 F1
      SMS Deliver Info                 04
      Length of Sender Number          0B
      Type of Sender Number            91
      Sender Number                    61 17 34 54 76 F1
      Protocol Identifier              00
      Data Coding Scheme               00
      Time Stamp                       01 21 03 71 40 04 4A
      User Data Length                 0A
      User Data                        E8 32 9B FD 46 97 D9 EC 37
  22. How the Botnet Works
      1. Bot Receives Message
      2. Bot Decodes User Data
      3. Bot Checks for Bot Key
      4. Bot Performs Payload Functionality
  23. How the Botnet Works
  24. How the Botnet Works
  25. How the Botnet Works
  26. How the Botnet Works
  27. Botnet Structure
  28. Master Bot
  29. Sentinel Bots
  30. Slave Bots
  31. Security Concerns
      • Impersonation
      • Replay
      • Cryptographic solutions
  32. Limitations
      • Possible detection methods
      • User data length
  33. Getting the Bot Installed
      • Regular Users
      • Rooted/Jailbroken Users
      • Remote
  34. Example Payloads
      • Spam
      • Denial of service
      • Load new functionality
      • Degrading cell service
  35. What This Really Means
      • If attackers can get the bot installed, they can remotely control a user's phone without giving any sign of compromise to the user.
  36. Mitigations
      • Integrity checks
      • Liability for smartphone applications
      • User awareness
  37. Demo
      • Android Bot with Spam Payload
  38. Contact
      • Georgia Weidman
      • Company: Neohapsis Inc.
      • Email: Georgia@grmn00bs.com, Georgia.weidman@neohapsis.com
      • Website: http://www.grmn00bs.com
      • Twitter: vincentkadmon
  39. Selected Bibliography
      • SMS fuzzing: http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf
      • Cell bots attack GSM core: http://www.patrickmcdaniel.org/pubs/ccs09b.pdf
      • Twilight botnet: http://jon.oberheide.org/files/summercon10-androidhax-jonoberheide.pdf
      • SMS/P2P iPhone bots: http://mulliner.org/collin/academic/publications/ibots_malware10_mulliner_seifert.pdf
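
The SMS-Deliver field breakdown on slides 20 and 21 can be checked by decoding the PDU hex string printed there, which is useful when inspecting raw messages captured at the modem layer. This is an added example, not code from the slides or the author; the function names are assumptions, and it handles only unconcatenated GSM 7-bit user data. The sender octets in the hex string match the slide 21 table.

```python
# Constructed sample: the PDU hex string printed on slides 20 and 21.
SAMPLE_PDU = ("07914140540510F1040B916117345476F1"
              "00000121037140044A0AE8329BFD4697D9EC37")

def swap_nibbles(octets):
    """Decode semi-octet (nibble-swapped BCD) digits, dropping the F pad."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets).rstrip("F")

def unpack_septets(data, count):
    """Unpack `count` 7-bit septets from GSM 7-bit packed user data."""
    acc = bits = 0
    out = []
    for b in data:
        acc |= b << bits
        bits += 8
        while bits >= 7 and len(out) < count:
            out.append(acc & 0x7F)
            acc >>= 7
            bits -= 7
    if len(out) != count:
        raise ValueError("user data shorter than User Data Length")
    return out

def septet_to_char(s):
    # GSM 03.38 equals ASCII only in these ranges; other codes need the full table.
    same = (0x20 <= s <= 0x3F and s != 0x24) or 0x41 <= s <= 0x5A or 0x61 <= s <= 0x7A
    return chr(s) if same else "\ufffd"

def parse_sms_deliver(pdu_hex):
    raw = bytes.fromhex(pdu_hex)
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(raw):
            raise ValueError("PDU truncated")
        pos += n
        return raw[pos - n:pos]
    smsc = take(take(1)[0])              # type-of-address octet, then digits
    first_octet = take(1)[0]
    if first_octet & 0x03:               # message type bits must be 00
        raise ValueError("not an SMS-DELIVER")
    sender_digits, _toa = take(2)        # digit count, type-of-address
    sender = swap_nibbles(take((sender_digits + 1) // 2))
    pid, dcs = take(2)
    timestamp = take(7)                  # six date/time octets plus time zone
    udl = take(1)[0]                     # counted in septets for 7-bit data
    if dcs != 0x00 or first_octet & 0x40:
        raise ValueError("only plain GSM 7-bit user data is handled here")
    text = "".join(map(septet_to_char, unpack_septets(raw[pos:], udl)))
    return {"smsc": swap_nibbles(smsc[1:]), "sender": sender, "pid": pid,
            "timestamp": swap_nibbles(timestamp[:6]), "udl": udl, "text": text}
```

The User Data Length of 0A counts ten septets packed into nine octets, which is why the length field and the byte count of the user data differ.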