How to pwn
a Russian Android botnet
by Dima
Odessa, Jul 18, 2015
The story
● Interview in the security lab of a big, world-wide known company
● Technical “homework”: reverse engineering
of Android malware. “Find out everything you
can!”, they said.
Steps
1. Reversing the malware
2. Analyzing the malware’s network protocol
3. Hacking the malware’s command & control
server
4. Identifying the hacker
Reversing the malware
Step number uno :)
Reversing the malware
The malware at first glance
● It can’t install itself without the user’s help: the user has to download and install the APK manually…
● ...that’s why the APK looks like another-very-useful-Google-service application :)
Reversing the malware
The malware at first glance
● It steals the user’s SMS, contacts and accounts (from the Android Account Manager)
● It sends SMS/USSD from infected devices
● It DDoSes websites from infected devices
● It controls infected devices as a device admin
Reversing the malware
IT’S A PART OF A BOTNET AND
IT IS NOT DETECTED
BY MOBILE/DESKTOP AV SOFTWARE
AND VIRUSTOTAL :(
Reversing the malware
The malware code at first glance
● written in Java, obfuscated;
● contains no native methods;
● it is full of mistakes :)
Reversing the malware
The malware permissions
● INTERNET and ACCESS_NETWORK_STATE – Internet access
● READ_CONTACTS and GET_ACCOUNTS – access to user accounts (in Account
Manager) and contacts
● READ_PHONE_STATE – access to internal system information: device ID, IMEI, device vendor name etc.
● SEND_SMS, RECEIVE_SMS, READ_SMS – accessing user's SMS
● CALL_PHONE – making phone calls
● SEND_RESPOND_VIA_MESSAGE – this allows the malware to send a request to other
applications to handle the respond-via-message action during incoming calls
● READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE – R/W access to external storage
● RECEIVE_BOOT_COMPLETED and WAKE_LOCK – start the malware as soon as the OS has booted (autorun) and keep the malware running even if the device goes to sleep
Reversing the malware
The most important malicious components
● Main (Activity) - the main activity. It is started each time a user taps the icon of the malicious APK. It starts the DataRegisterService and OutSms services. Then it shows a fake “Google Service” alert to the user (just because the user probably expects to see something).
● DataRegisterService (Service) - the service is started by the Main activity or the LoaderReceiver receiver. It registers an infected Android device on the malware server. If the device is already registered on the server, the service just does nothing. Also, it sets alarms for the ConnectChecker and AdminBroadcast receivers.
● LoaderReceiver (Receiver) - the receiver is started after an Android reboot. It starts the DataRegisterService and OutSms services. Also, it starts DeviceAdminActivity if j.u (isAdmin) is false.
● OutSmsListner (Receiver) - once a minute the receiver checks the list of SMS sent by the user. If it finds any new SMS (here “new” means “new since the last check”) in the list, it sends them to the server one by one.
Reversing the malware
The most important malicious components
● ConnectChecker (Receiver) - the receiver is started periodically by the repeating 3-hour alarm set by DataRegisterService. Every 30 seconds the receiver requests a command from the malware server.
● AdminBroadcast (Receiver) - the receiver is started periodically by the repeating 3-hour alarm set by DataRegisterService. The receiver starts the DeviceAdminActivity activity if the j.u (isAdmin) flag is not set.
● OutSms (Service) - the service is started by the Main activity and the LoaderReceiver receiver. It creates a one-minute repeating pending intent that calls the OutSmsListner receiver.
● DeviceAdminReceiverS (Receiver) - the receiver is started by the OS after DeviceAdminActivity has tried to cheat the user (asking him to add the malware to the device administrators). The receiver reports the result to the malware server and changes the j.u (isAdmin) flag depending on the result.
Reversing the malware
Malware lifecycle: first start (simplified)
● Main activity shows a fake this-is-Google-service message box
● DataRegisterService service registers the
infected device on the malware’s command
& control center
Reversing the malware
Malware lifecycle: first start (simplified)
● OutSmsListner receiver steals user’s SMS
and does background checks (once a min)
for new SMS to steal them as well
● ConnectChecker receiver does background
checks (every 30 sec) for a new command
from the command & control center
Reversing the malware
Malware lifecycle: first start (simplified)
● AdminBroadcast receiver starts
DeviceAdminActivity, which uses
android.app.action.ADD_DEVICE_ADMIN
intent to ask a user for the Device Admin
permissions (possible for Android > 2.1)
Reversing the malware
The fake dialog text shown to the user (Russian: «В целях безопасности устройства Google Play требуются привелегии администратора.»): “For the security of the device, Google Play requires administrator privileges.”
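The component list above maps onto a few manifest-level signals. As an added example (not tooling from the talk), the script below parses a constructed AndroidManifest.xml whose component names are taken from the slides (package name and label are placeholders) and reports the combination a reviewer would flag: boot autorun, SMS read/send, a device-admin receiver and a label that impersonates Google.

```python
"""Manifest triage for the capability mix described in the slides.

Added example, not from the original talk.  The manifest below is
constructed: component names come from the slides, the package name and
label are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name):
    """Namespaced attribute key for android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Google Service">
    <activity android:name=".Main"/>
    <service android:name=".DataRegisterService"/>
    <service android:name=".OutSms"/>
    <receiver android:name=".LoaderReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".OutSmsListner"/>
    <receiver android:name=".ConnectChecker"/>
    <receiver android:name=".DeviceAdminReceiverS"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage(manifest_xml):
    """Return (findings, verdict); findings maps a signal name to its evidence."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {e.get(attr("name")) for e in root.iter("uses-permission")}
    app = root.find("application")
    label = (app.get(attr("label")) or "") if app is not None else ""

    autorun, device_admin = [], []
    for rcv in root.iter("receiver"):
        name = rcv.get(attr("name"))
        actions = {a.get(attr("name")) for a in rcv.iter("action")}
        # LoaderReceiver in the slides: restarted by the OS after every reboot.
        if "android.intent.action.BOOT_COMPLETED" in actions:
            autorun.append(name)
        # DeviceAdminReceiverS in the slides: a device-admin callback receiver.
        if rcv.get(attr("permission")) == "android.permission.BIND_DEVICE_ADMIN":
            device_admin.append(name)

    findings = {}
    sms_read = perms & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
    if sms_read:
        findings["sms_read"] = sorted(sms_read)
    if "android.permission.SEND_SMS" in perms:
        findings["sms_send"] = ["android.permission.SEND_SMS"]
    if autorun and "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        findings["autorun"] = autorun
    if device_admin:
        findings["device_admin"] = device_admin
    # A "Google" label outside Google's own package namespace is the
    # another-very-useful-Google-service disguise the slides describe.
    if "google" in label.lower() and not package.startswith("com.google."):
        findings["google_impersonation"] = [label]

    # Any three of these together is already the profile of an SMS stealer
    # that survives reboot; the sample from the slides has all five.
    verdict = "high" if len(findings) >= 3 else "low"
    return findings, verdict


if __name__ == "__main__":
    found, verdict = triage(SAMPLE_MANIFEST)
    for signal, evidence in found.items():
        print(signal, evidence)
    print("verdict:", verdict)
```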
Analyzing the malware’s
network protocol
Step number zwei
Analyzing the malware’s protocol
The protocol at first glance
● it is built over HTTPS
● it uses JSON for sending data / receiving commands
● it adds no encryption / signing of its own on top of the transport
Analyzing the malware’s protocol
Posting data to malware C&C center (headers)
● Method: POST
● URL: <domain>/marry4/set/<DeviceID>/
● Custom headers: no
Analyzing the malware’s protocol
Posting data to malware C&C center (body)
type=<request type>
json={ "<key1>": <value1>,
"<key2>": <value2>,
...
"<keyN>": <valueN> }
Analyzing the malware’s protocol
Answer from the C&C center:
● {'registred':'complited'} (this means “got your
request, have no commands for you at the
moment”)...
● ...or a command for the infected device (see next slides)
Analyzing the malware’s protocol
Asking the C&C center for a command
● Method: GET
● URL: <domain>/marry4/get/<DeviceID>/
● Custom headers: no
Analyzing the malware’s protocol
Answer from the C&C center:
● {'registred':'complited'} (this means “got your
request, have no commands for you at the
moment”)...
● ...or a command for the infected device (see next slides)
Analyzing the malware’s protocol
A command from the C&C center (format):
{ 'type':task, 'task':
[
"<Task type>, <DeviceID>,
< ...data for the task (depends on the task) ... >
]
}
Analyzing the malware’s protocol
A command from the C&C center (example):
{'type':task, 'task':
["sms",359930048604909,"900","BALANCE","2014-03-27T15:33:00+04:00","0e205bf823a00ac9e900b116d99f1b561b167b92"]}
Legend (fields in order): "sms" – task type; 359930048604909 – DeviceID; "900" – number to send to; "BALANCE" – SMS text; "2014-03-27T15:33:00+04:00" – date; "0e205bf823a00ac9e900b116d99f1b561b167b92" – unique ID of the task
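The two beacon URLs and the task format above are enough to write a sinkhole-side decoder. As an added example (not from the original talk), the script below flags the bot's polling and upload paths in constructed web-server log lines and decodes the reply format, so an analyst can see which device IDs are checking in and what each one was told to do; the device ID 359930048604909 and the task are the slides' own example, the second device ID and the log lines are made up.

```python
"""Beacon detection and command decoding for the protocol in the slides.

Added example, not from the original talk.  Log lines are constructed;
the SMS task is the slides' example joined back onto one line.
"""
import ast
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Beacon URLs from the slides: POST /marry4/set/<DeviceID>/ uploads data,
# GET /marry4/get/<DeviceID>/ polls for a command.  DeviceID is numeric.
BEACON_RE = re.compile(
    r"^(POST|GET)\s+(?:https?://[^/\s]+)?/marry4/(set|get)/(\d+)/\s+HTTP/1\.[01]$"
)
# Request part of a combined-format access-log line, e.g. "GET /x HTTP/1.1".
LOG_REQUEST_RE = re.compile(r'"([^"]*)"')

# The idle reply, misspelled exactly as the server sends it.
IDLE_REPLY = {"registred": "complited"}


@dataclass
class Beacon:
    method: str
    action: str      # "set" (upload) or "get" (poll)
    device_id: str


@dataclass
class SmsTask:
    device_id: int
    destination: str  # number to send to
    text: str         # SMS text
    date: str
    task_id: str


def match_beacon(request_line: str) -> Optional[Beacon]:
    """Return a Beacon if the request line hits one of the two C&C endpoints."""
    m = BEACON_RE.match(request_line.strip())
    if not m:
        return None
    method, action, device_id = m.groups()
    # The bot pairs POST with set and GET with get; other pairings are not it.
    if (method, action) not in (("POST", "set"), ("GET", "get")):
        return None
    return Beacon(method, action, device_id)


def scan_log(lines) -> Counter:
    """Count beacons per device ID across access-log lines."""
    seen = Counter()
    for line in lines:
        req = LOG_REQUEST_RE.search(line)
        beacon = match_beacon(req.group(1)) if req else None
        if beacon:
            seen[beacon.device_id] += 1
    return seen


def decode_reply(body: str):
    """Decode a C&C reply: None when idle, SmsTask for an SMS job, dict otherwise."""
    # The server writes a bare word after 'type' ({'type':task, ...}); quote it
    # so the body becomes a plain literal.  literal_eval only builds literals
    # and never executes code from the (attacker-controlled) body.
    fixed = re.sub(r"(['\"]type['\"]\s*:\s*)task\b", r"\1'task'", body)
    data = ast.literal_eval(fixed)
    if data == IDLE_REPLY:
        return None
    if not isinstance(data, dict) or data.get("type") != "task":
        raise ValueError("unrecognised reply: %r" % body)
    task = data["task"]
    if task[0] == "sms" and len(task) == 6:
        # Order follows the slide legend: type, DeviceID, number, text, date, task ID.
        _, dev, number, text, date, task_id = task
        return SmsTask(int(dev), number, text, date, task_id)
    return {"type": task[0], "args": task[1:]}


# Constructed log lines; the first device ID is the one shown in the slides,
# the second is made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Mar/2014:15:32:58 +0400] "GET /marry4/get/359930048604909/ HTTP/1.1" 200 155',
    '10.0.0.5 - - [27/Mar/2014:15:33:30 +0400] "POST /marry4/set/359930048604909/ HTTP/1.1" 200 24',
    '10.0.0.9 - - [27/Mar/2014:15:33:31 +0400] "GET /favicon.ico HTTP/1.1" 404 209',
    '10.0.0.7 - - [27/Mar/2014:15:33:35 +0400] "GET /marry4/get/123456789012345/ HTTP/1.1" 200 24',
]

# The command example from the slides, joined back onto one line.
SAMPLE_TASK = (
    "{'type':task, 'task': "
    '["sms",359930048604909,"900","BALANCE",'
    '"2014-03-27T15:33:00+04:00",'
    '"0e205bf823a00ac9e900b116d99f1b561b167b92"]}'
)

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    print(decode_reply("{'registred':'complited'}"))
    print(decode_reply(SAMPLE_TASK))
```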
Hacking the malware’s
command & control
server
Step number 3 ;-)
Hacking the C&C center
Our first move: we feed malformed links and data to the C&C server; after several tries, we crash it
Hacking the C&C center
Now we know two important things:
● The exact script URL is <domain>/ontasks.php
● On the server, the PHP setting display_errors is on, so script errors are shown in the browser
Hacking the C&C center
Our second move: call the script directly
Hacking the C&C center
As a result, we know that the script needs base and imei (probably, they are script parameters).
Hacking the C&C center
Our third move: call the script directly with an arbitrary base parameter
Hacking the C&C center
We crashed the script, again, but this time we
got login/password :)
Well, OK, how to use it?
Hacking the C&C center
Let’s just try the most commonly used
subdomains: mail.*, ftp.* etc.
Are we lucky?
Hacking the C&C center
YES, WE ARE!
:)))))))))))
Hacking the C&C center
With the login/password we enter the C&C control panel...
Hacking the C&C center
...and the C&C center database
Hacking the C&C center
Some facts about the botnet’s frontend:
● The botnet started in Nov 2013
● The botnet is not the first try, but probably the most successful one
● The botnet’s frontend is written in PHP+MySQL
Hacking the C&C center
Some facts from the botnet’s database:
● Over 50 000 active infected devices, mostly from the ex-USSR
● Over 1 000 000 stolen user SMS (including passwords and TFA SMS)
● Traces of at least 3 massive DDoS attacks with the botnet
Hacking the C&C center
SMS examples (passwords):
● Your login: 79123248600\nYour new password: 92pubelu\nYour request to restore access to your page on the VKontakte site has been approved.
● Access to the site mp3poisk.ru: login - fkiwpxgf, password - lRe4XXrj
● To access the web services of the “MegaFon” self-service systems, use login: 9285693647 and password: XOSBHG.
Hacking the C&C center
SMS examples (passwords to porn sites):
● Access to the site blontex.net: login - j26445, password – 10752
● Access to russiangirlsvideo.com: login 160528 and password 11264
● Access to the site mobzoneoo.com: login - upopuamd, password - JL28qOJa
Hacking the C&C center
SMS examples (love letters):
● I love you, you are the best for me, I hope everything will be f...ing great for us, I can’t live without you anymore )*****
● Aaa.:* my darling, my bald happiness, I love you;*)
● I’m not a pervert :-( I love you very much :-*
Hacking the C&C center
SMS examples (Crimea, texts from a contract soldier from Russia):
● Hi. Already in Crimea, but haven’t reached the place yet. Troops are being massed. We’re heading to the border too.
● Simfer[opol] state duma. Airports. Telegraphs. Heading into Crimea, ships at sea .. 160 thousand fighters. Ural trucks, choppers, Cossacks. That’s all... Over in Ukraine (derogatory) it’s Banderites and bandits. They’re asking NATO to intervene
Hacking the C&C center
SMS examples (drugs):
● I wanted to give you some drugs, but now no f***ing way
● Whoever I owe, I forgive you all :-) And stop calling me about drugs
● Misha, I’m still going to talk to you about the weed you brought and smoked!!!! Do you want a fight?
Identifying the hacker
The last step
“Bad boys, bad boys, what you gonna do?
What you gonna do when they come for you?” --
Identifying the hacker
● Male, 29 y.o., not married
● Russian, lives in Siberia
● PhD student in Computer Science
● No crime records
● Full name, phone, email, home address,
photo are KNOWN!
Finally, what was left out?
● Details which could break the privacy of the customer and/or the hacker (thanks for your understanding!)
● Hacking the hacker’s email, his sites in the i2p ‘darknet’, and other related accounts
● The ‘economics’ of the botnet: prices, black cashout etc.
P.S.
AT THE BEGINNING OF APRIL 2014 THE
BOTNET WAS DESTROYED ;)

More Related Content

Similar to «How to pwn Russian Android botnet» by Dmitriy

CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
PROIDEA
 
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level
BSidesSF 2016 - A year in the wild: fighting malware at the corporate levelBSidesSF 2016 - A year in the wild: fighting malware at the corporate level
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level
Jakub "Kuba" Sendor
 
Taming botnets
Taming botnetsTaming botnets
Taming botnets
f00d
 
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisLife Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Positive Hack Days
 
Detecting Windows horizontal password guessing attacks in near real-time
Detecting Windows horizontal password guessing attacks in near real-timeDetecting Windows horizontal password guessing attacks in near real-time
Detecting Windows horizontal password guessing attacks in near real-time
Portcullis Computer Security
 
Famous C&C servers from inside to outside.
Famous C&C servers from inside to outside.Famous C&C servers from inside to outside.
Famous C&C servers from inside to outside.
Senad Aruc
 
Hacking
HackingHacking
Detecting windows horizontal password blog
Detecting windows horizontal password blogDetecting windows horizontal password blog
Detecting windows horizontal password blog
Portcullis Computer Security
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
amiable_indian
 
80133823 backdor-nectcat-through-smb
80133823 backdor-nectcat-through-smb80133823 backdor-nectcat-through-smb
80133823 backdor-nectcat-through-smb
jeweh
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
guest441c58b71
 
How to remove Backdoor.Streamex
How to remove Backdoor.StreamexHow to remove Backdoor.Streamex
How to remove Backdoor.Streamex
deniallorance65
 
Www usenix-org
Www usenix-orgWww usenix-org
Www usenix-org
Ouzza Brahim
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level Malware
CTruncer
 
UNIT 5 (2).pptx
UNIT 5 (2).pptxUNIT 5 (2).pptx
UNIT 5 (2).pptx
janani603976
 
Auditing System Password Using L0phtcrack
Auditing System Password Using L0phtcrackAuditing System Password Using L0phtcrack
Auditing System Password Using L0phtcrack
Vishal Kumar
 
Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101
v_raj
 
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docxCross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
mydrynan
 

Similar to «How to pwn Russian Android botnet» by Dmitriy (20)

CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocolsCONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols
 
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level
BSidesSF 2016 - A year in the wild: fighting malware at the corporate levelBSidesSF 2016 - A year in the wild: fighting malware at the corporate level
BSidesSF 2016 - A year in the wild: fighting malware at the corporate level
 
Taming botnets
Taming botnetsTaming botnets
Taming botnets
 
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisLife Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
 
Detecting Windows horizontal password guessing attacks in near real-time
Detecting Windows horizontal password guessing attacks in near real-timeDetecting Windows horizontal password guessing attacks in near real-time
Detecting Windows horizontal password guessing attacks in near real-time
 
Famous C&C servers from inside to outside.
Famous C&C servers from inside to outside.Famous C&C servers from inside to outside.
Famous C&C servers from inside to outside.
 
Hacking
HackingHacking
Hacking
 
Detecting windows horizontal password blog
Detecting windows horizontal password blogDetecting windows horizontal password blog
Detecting windows horizontal password blog
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
80133823 backdor-nectcat-through-smb
80133823 backdor-nectcat-through-smb80133823 backdor-nectcat-through-smb
80133823 backdor-nectcat-through-smb
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
How to remove Backdoor.Streamex
How to remove Backdoor.StreamexHow to remove Backdoor.Streamex
How to remove Backdoor.Streamex
 
Www usenix-org
Www usenix-orgWww usenix-org
Www usenix-org
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level Malware
 
UNIT 5 (2).pptx
UNIT 5 (2).pptxUNIT 5 (2).pptx
UNIT 5 (2).pptx
 
Auditing System Password Using L0phtcrack
Auditing System Password Using L0phtcrackAuditing System Password Using L0phtcrack
Auditing System Password Using L0phtcrack
 
Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101Cryptojacking - by Vishwaraj101
Cryptojacking - by Vishwaraj101
 
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docxCross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
Cross-site scripting (XSS) AttacksCross-site scripting (XSS) i.docx
 

Recently uploaded

Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
shadow0702a
 
学校原版美国波士顿大学毕业证学历学位证书原版一模一样
学校原版美国波士顿大学毕业证学历学位证书原版一模一样学校原版美国波士顿大学毕业证学历学位证书原版一模一样
学校原版美国波士顿大学毕业证学历学位证书原版一模一样
171ticu
 
AI assisted telemedicine KIOSK for Rural India.pptx
AI assisted telemedicine KIOSK for Rural India.pptxAI assisted telemedicine KIOSK for Rural India.pptx
AI assisted telemedicine KIOSK for Rural India.pptx
architagupta876
 
artificial intelligence and data science contents.pptx
artificial intelligence and data science contents.pptxartificial intelligence and data science contents.pptx
artificial intelligence and data science contents.pptx
GauravCar
 
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
Yasser Mahgoub
 
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
ecqow
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
kandramariana6
 
Software Quality Assurance-se412-v11.ppt
Software Quality Assurance-se412-v11.pptSoftware Quality Assurance-se412-v11.ppt
Software Quality Assurance-se412-v11.ppt
TaghreedAltamimi
 
ISPM 15 Heat Treated Wood Stamps and why your shipping must have one
ISPM 15 Heat Treated Wood Stamps and why your shipping must have oneISPM 15 Heat Treated Wood Stamps and why your shipping must have one
ISPM 15 Heat Treated Wood Stamps and why your shipping must have one
Las Vegas Warehouse
 
International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...
gerogepatton
 
BRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdfBRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdf
LAXMAREDDY22
 
Manufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptxManufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptx
Madan Karki
 
Certificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi AhmedCertificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi Ahmed
Mahmoud Morsy
 
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECTCHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
jpsjournal1
 
Seminar on Distillation study-mafia.pptx
Seminar on Distillation study-mafia.pptxSeminar on Distillation study-mafia.pptx
Seminar on Distillation study-mafia.pptx
Madan Karki
 
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
Gino153088
 
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Sinan KOZAK
 
Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...
bijceesjournal
 
Null Bangalore | Pentesters Approach to AWS IAM
Null Bangalore | Pentesters Approach to AWS IAMNull Bangalore | Pentesters Approach to AWS IAM
Null Bangalore | Pentesters Approach to AWS IAM
Divyanshu
 
CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1
PKavitha10
 

Recently uploaded (20)

Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...
 
学校原版美国波士顿大学毕业证学历学位证书原版一模一样
学校原版美国波士顿大学毕业证学历学位证书原版一模一样学校原版美国波士顿大学毕业证学历学位证书原版一模一样
学校原版美国波士顿大学毕业证学历学位证书原版一模一样
 
AI assisted telemedicine KIOSK for Rural India.pptx
AI assisted telemedicine KIOSK for Rural India.pptxAI assisted telemedicine KIOSK for Rural India.pptx
AI assisted telemedicine KIOSK for Rural India.pptx
 
artificial intelligence and data science contents.pptx
artificial intelligence and data science contents.pptxartificial intelligence and data science contents.pptx
artificial intelligence and data science contents.pptx
 
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
 
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
 
Software Quality Assurance-se412-v11.ppt
Software Quality Assurance-se412-v11.pptSoftware Quality Assurance-se412-v11.ppt
Software Quality Assurance-se412-v11.ppt
 
ISPM 15 Heat Treated Wood Stamps and why your shipping must have one
ISPM 15 Heat Treated Wood Stamps and why your shipping must have oneISPM 15 Heat Treated Wood Stamps and why your shipping must have one
ISPM 15 Heat Treated Wood Stamps and why your shipping must have one
 
International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...
 
BRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdfBRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdf
 
Manufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptxManufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptx
 
Certificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi AhmedCertificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi Ahmed
 
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECTCHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECT
 
Seminar on Distillation study-mafia.pptx
Seminar on Distillation study-mafia.pptxSeminar on Distillation study-mafia.pptx
Seminar on Distillation study-mafia.pptx
 
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
 
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024
 
Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...
 
Null Bangalore | Pentesters Approach to AWS IAM
Null Bangalore | Pentesters Approach to AWS IAMNull Bangalore | Pentesters Approach to AWS IAM
Null Bangalore | Pentesters Approach to AWS IAM
 
CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1
 

«How to pwn Russian Android botnet» by Dmitriy

  • 1. How to pwn a Russian Android botnet by Dima Odessa, Jul 18, 2015
  • 2. The story ● Interview in a security lab of a big world-wide known company ● Technical “homework”: reverse engineering of Android malware. “Find out everything you can!”, they said.
  • 3. Steps 1. Reversing the malware 2. Analyzing the malware’s network protocol 3. Hacking the malware’s command & control server 4. Identifying the hacker
  • 5. Reversing the malware The malware at first glance ● It can’t install itself without user’s help: a user should download and install APK manually… ● ...that’s why the APK looks like another-very- useful-Google-service application :)
  • 6. Reversing the malware The malware at first glance ● It steals user’s SMS, contacts and accounts (from Android Account Manager) ● It sends SMS/USSD from infected devices ● It DDOS websites from infected devices ● It controls infected devices as a device admin
  • 7. Reversing the malware IT’S A PART OF A BOTNET AND IT IS NOT DETECTED BY A MOBILE/DESKTOP AV SOFTWARE AND VIRUSTOTAL :(
  • 8. Reversing the malware The malware code at first glance ● written in Java, obfuscated; ● contains no native methods; ● it is full of mistakes :)
  • 9. Reversing the malware The malware permissions ● INTERNET and ACCESS_NETWORK_STATE – Internet access ● READ_CONTACTS and GET_ACCOUNTS – access to user accounts (in Account Manager) and contacts ● READ_PHONE_STATE – access to internal system information: device ID, IMEI, device vendor name etc ● SEND_SMS, RECEIVE_SMS, READ_SMS – accessing user's SMS ● CALL_PHONE – making phone calls ● SEND_RESPOND_VIA_MESSAGE – this allows the malware to send a request to other applications to handle the respond-via-message action during incoming calls ● READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE – R/W access to external storages ● RECEIVE_BOOT_COMPLETED and WAKE_LOCK – start the malware as soon as OS booted (autorun) and keep the malware running even if the device goes asleep
  • 10. Reversing the malware The most important malicious components ● Main (Activity) - the main activity. It started each time a user tap an icon if the malicious APK. It starts DataRegisterService and OutSms services. Then it shows a fake “Google Service” alert to a user (just because user probably expects to see something). ● DataRegisterService (Service) - the service is started by Main activity or LoaderReceiver receiver. It registers an infected Android device on the malware server. If the device is already registered on the server, the service just does nothing. Also, it set alarms for ConnectChecker and AdminBroadcast receivers. ● LoaderReceiver (Receiver) - the receiver is started after Android reboot. It starts DataRegisterService and OutSms services. Also, it starts DeviceAdminActivity if j.u (isAdmin) is false. ● OutSmsListner (Receiver) -- once a minute the receiver checks a list of SMS sent by a user. If it finds any new SMS (here “new” means “new since last check”) in the list, it sends it to the server one-by-one.
  • 11. Reversing the malware The most important malicious components ● ConnectChecker (Receiver) - the receiver is started periodically by the repeating 3-hours alarm set by DataRegisterService. Every 30 seconds the receiver requests a command from the malware server. ● AdminBroadcast (Receiver) - the receiver is started periodically by the repeating 3-hours alarm set by DataRegisterService. The receiver starts DeviceAdminActivity activity if j.u (isAdmin) flag is not set. ● OutSms (Service) - the service is started by Main activity and LoaderReceiver receiver. It creates one-minute-repeating pending intent to call OutSmsListner receiver. ● DeviceAdminReceiverS (Receiver) - The receiver is started by OS after DeviceAdminActivity has tried to cheat a user (to ask him to add the malware to device administrators). The receiver tells the result to the malware server and change j.u (isAdmin) flag depending on the result.
  • 12. Reversing the malware Malware lifecycle: first start (simplified) ● Main activity shows a fake this-is-Google- service messagebox ● DataRegisterService service registers the infected device on the malware’s command & control center
  • 13. Reversing the malware Malware lifecycle: first start (simplified) ● OutSmsListner receiver steals user’s SMS and does background checks (once a min) for new SMS to steal them as well ● ConnectChecker receiver does background checks (every 30 sec) for a new command from the command & control center
  • 14. Reversing the malware Malware lifecycle: first start (simplified) ● AdminBroadcast receiver starts DeviceAdminActivity, which uses android.app.action.ADD_DEVICE_ADMIN intent to ask a user for the Device Admin permissions (possible for Android > 2.1)
• 15. Reversing the malware: text of the device-admin prompt shown to the user (Russian on the slide): “For the security of the device, Google Play requires administrator privileges.”
• 16. Analyzing the malware’s network protocol: step number zwei
• 17. Analyzing the malware’s protocol: the protocol at first glance
  ● it is built over HTTPS
  ● it uses JSON for sending data / receiving commands
  ● it does not encrypt / sign traffic
• 18. Analyzing the malware’s protocol: posting data to the malware C&C center (headers)
  ● Method: POST
  ● URL: <domain>/marry4/set/<DeviceID>/
  ● Custom headers: no
• 19. Analyzing the malware’s protocol: posting data to the malware C&C center (body)
  type=<request type>
  json={
    "<key1>": <value1>,
    "<key2>": <value2>,
    ...
    "<keyN>": <valueN>
  }
• 20. Analyzing the malware’s protocol: answer from the C&C center
  ● {'registred':'complited'} (this means “got your request, have no commands for you at the moment”)...
  ● ...or a command for the infected device (see next slides)
• 21. Analyzing the malware’s protocol: asking the C&C center for a command
  ● Method: GET
  ● URL: <domain>/marry4/get/<DeviceID>/
  ● Custom headers: no
• 22. Analyzing the malware’s protocol: answer from the C&C center
  ● {'registred':'complited'} (this means “got your request, have no commands for you at the moment”)...
  ● ...or a command for the infected device (see next slides)
• 23. Analyzing the malware’s protocol: a command from the C&C center (format)
  {
    'type': task,
    'task': [
      "<Task type>", <DeviceID>, <...data for the task (depends on the task)...>
    ]
  }
• 24. Analyzing the malware’s protocol: a command from the C&C center (example)
  {'type':task, 'task': ["sms",359930048604909,"900","BALANCE","2014-03-27T15:33:00+04:00","0e205bf823a00ac9e900b116d99f1b561b167b92"]}
  Legend (task fields, in order): task type, DeviceID, number to send the SMS to, SMS text, date, unique ID of the task
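The request and reply shapes from slides 18-24, as an added example that is not code from the talk: a path matcher for the two C&C URL patterns (usable over proxy or TLS-inspection logs; since the protocol runs over HTTPS, the paths are only visible where TLS is terminated or on the device itself), a parser for the `type`/`json` upload body (treated here as form-encoded fields, an assumption), and a tolerant reader for the reply literals exactly as they appear on the slides: single-quoted keys and the bare word `task` are not valid JSON, so they are normalised before parsing. The task string is the one on slide 24; the upload body and its field names are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

# URL shapes from the slides: POST <domain>/marry4/set/<DeviceID>/ and GET <domain>/marry4/get/<DeviceID>/
C2_PATH = re.compile(r"^/marry4/(?P<op>set|get)/(?P<device_id>\d+)/$")

# The command shown on slide 24, verbatim (single quotes and unquoted `task` as on the slide).
EXAMPLE_TASK = ('{\'type\':task, \'task\': ["sms",359930048604909,"900","BALANCE",'
                '"2014-03-27T15:33:00+04:00","0e205bf823a00ac9e900b116d99f1b561b167b92"]}')
IDLE_REPLY = "{'registred':'complited'}"

# Constructed upload body: the request type and the keys inside `json` are assumptions, not from the slides.
EXAMPLE_BODY = urlencode({"type": "sms",
                          "json": json.dumps({"from": "+7000000000", "text": "constructed sample"})})


def match_c2_path(path):
    """Return (op, device_id) when the request path follows the C&C URL scheme, else None."""
    m = C2_PATH.match(path)
    if not m:
        return None
    return m.group("op"), int(m.group("device_id"))


def parse_post_body(body):
    """Split the upload into its request type and the decoded `json` field (assumed form-encoded)."""
    fields = parse_qs(body, keep_blank_values=True)
    req_type = fields.get("type", [""])[0]
    payload = json.loads(fields.get("json", ["{}"])[0])
    return req_type, payload


def normalise_reply(text):
    """Turn the Python-style literal on the slides into real JSON: quote keys, quote the bare word `task`."""
    fixed = re.sub(r"'([^']*)'", r'"\1"', text)
    fixed = re.sub(r":\s*task\b", ':"task"', fixed)
    return json.loads(fixed)


def parse_reply(text):
    """Classify a C&C reply as idle, a task, or something unexpected; decode the sms task layout."""
    data = normalise_reply(text)
    if data == {"registred": "complited"}:
        return {"kind": "idle"}
    if data.get("type") != "task" or not isinstance(data.get("task"), list) or len(data["task"]) < 3:
        return {"kind": "unknown", "raw": data}
    task = data["task"]
    result = {"kind": "task", "task_type": task[0], "device_id": task[1],
              "task_id": task[-1], "warnings": []}
    if not isinstance(task[1], int):
        result["warnings"].append("device id is not numeric")
    # On the slide the task id is a 40-character hex string; anything else is worth a second look.
    if not re.fullmatch(r"[0-9a-f]{40}", str(task[-1])):
        result["warnings"].append("task id is not 40 hex chars")
    if task[0] == "sms" and len(task) == 6:
        # Field order per the slide's legend: number to send to, SMS text, date, task id.
        result.update({"number": task[2], "text": task[3], "date": task[4]})
    else:
        result["args"] = task[2:-1]
    return result


if __name__ == "__main__":
    print(match_c2_path("/marry4/get/359930048604909/"))
    print(parse_post_body(EXAMPLE_BODY))
    print(parse_reply(IDLE_REPLY))
    print(parse_reply(EXAMPLE_TASK))
```

Because the data is neither signed nor encrypted beyond the transport (slide 17), anything that can see or terminate the TLS session can read the stolen SMS in the upload body and every command in the reply; the same fact is what lets a defender build the signatures above.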
• 25. Hacking the malware’s command & control server: step number 3 ;-)
• 26. Hacking the C&C center: our first move. We feed malformed links and data to the C&C server; after several tries, we crash it.
• 27. Hacking the C&C center: now we know two important things
  ● The exact script URL is <domain>/ontasks.php
  ● On the server, the PHP setting display_errors is enabled, so script errors are shown in the browser
• 28. Hacking the C&C center: our second move, call the script directly
• 29. Hacking the C&C center: as a result, we know that the script needs base and imei (probably script parameters).
• 30. Hacking the C&C center: our third move, call the script directly with an arbitrary base parameter
• 31. Hacking the C&C center: we crashed the script again, but this time we got a login/password :) Well, OK, how do we use it?
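The defensive counterpart to slides 27-31: the chain started with display_errors sending script errors, and eventually a login/password, to the browser. The added example below (not code from the talk) audits a php.ini fragment for the error-disclosure directives and shows the weak setting beside the corrected one; both fragments are constructed, and the `EXPECTED` table is this example's own policy, not anything from the C&C server.

```python
# directive -> (required value, why it matters on an Internet-facing PHP host)
EXPECTED = {
    "display_errors": ("off", "error text (file paths, failing queries, values pulled from config) goes to the client"),
    "display_startup_errors": ("off", "same leak for errors raised while PHP starts up"),
    "log_errors": ("on", "errors must still be recorded server-side so the operator sees the crash"),
    "expose_php": ("off", "the X-Powered-By header advertises the exact PHP version"),
}

# Weak configuration of the kind the slides describe (constructed, not the C&C server's php.ini).
WEAK_PHP_INI = """
; production host, but errors still go to the browser
display_errors = On
display_startup_errors = On
log_errors = Off
expose_php = On
"""

# Hardened counterpart (constructed).
HARDENED_PHP_INI = """
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php/error.log
expose_php = Off
"""

_TRUTHY = {"1", "on", "true", "yes"}
_FALSY = {"0", "off", "false", "no", "none", ""}


def parse_ini(text):
    """Minimal php.ini reader: `key = value` lines, `;` comments, quotes stripped, keys lower-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def normalise_bool(value):
    """Map PHP's accepted spellings (1/On/True/Yes, 0/Off/False/No/None) onto on/off; leave others alone."""
    if value in _TRUTHY:
        return "on"
    if value in _FALSY:
        return "off"
    return value  # e.g. display_errors = stderr, which is still not "off"


def audit_php_ini(text):
    """Return one finding per directive that is missing or does not have the required value."""
    settings = parse_ini(text)
    findings = []
    for directive, (want, why) in EXPECTED.items():
        raw = settings.get(directive)
        actual = normalise_bool(raw) if raw is not None else None
        if actual is None:
            findings.append({"directive": directive, "actual": None, "expected": want,
                             "why": why + " (not set explicitly; the compiled-in default applies)"})
        elif actual != want:
            findings.append({"directive": directive, "actual": actual, "expected": want, "why": why})
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_PHP_INI), ("hardened", HARDENED_PHP_INI)):
        print(name, [(f["directive"], f["actual"], f["expected"]) for f in audit_php_ini(ini)])
```

Turning display_errors off closes the channel, not the bug: the script still crashed on an arbitrary `base` value, so the input validation that was missing on slide 30 has to be fixed in the code as well, and the operator then reads the crash from error_log instead of the attacker reading it from the browser.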
• 32. Hacking the C&C center: let’s just try the most commonly used subdomains: mail.*, ftp.*, etc. Are we lucky?
• 33. Hacking the C&C center: YES, WE ARE! :)))))))))))
• 34. Hacking the C&C center: with the login/password we enter the C&C control panel...
• 35. Hacking the C&C center: ...and the C&C center database
• 36. Hacking the C&C center: some facts about the botnet’s frontend
  ● The botnet started in Nov 2013
  ● The botnet is not the first try, but probably the most successful one
  ● The botnet’s frontend is written in PHP+MySQL
• 37. Hacking the C&C center: some facts from the botnet’s database
  ● Over 50,000 active infected devices, mostly from the ex-USSR
  ● Over 1,000,000 stolen user SMS (including passwords and two-factor authentication SMS)
  ● Traces of at least 3 massive DDoS attacks run with the botnet
• 38. Hacking the C&C center: SMS examples (passwords)
  ● Your login: 79123248600 / Your new password: 92pubelu / Your request to restore access to your page on VKontakte has been approved.
  ● Access to the site mp3poisk.ru: login - fkiwpxgf, password - lRe4XXrj
  ● To access the MegaFon self-service web systems use login: 9285693647 and password: XOSBHG.
• 39. Hacking the C&C center: SMS examples (passwords to porn sites)
  ● Access to the site blontex.net: login - j26445, password - 10752
  ● Access to russiangirlsvideo.com: login 160528 and password 11264
  ● Access to the site mobzoneoo.com: login - upopuamd, password - JL28qOJa
• 40. Hacking the C&C center: SMS examples (love letters)
  ● I love you, you are the best for me, I hope everything between us will be f...ing great, I can’t be without you any more )*****
  ● Aaa.:* my darling, my bald happiness, I love you;*)
  ● I’m not a pervert :-( I love you very much :-*
• 41. Hacking the C&C center: SMS examples (Crimea, SMS from a contract soldier from the Russian Federation)
  ● Hi. Already in Crimea, but we haven’t reached the place yet. Troops are being massed. We are also going to the border.
  ● Simferopol, the State Duma, airports, telegraphs. Deployment to Crimea, ships at sea.. 160 thousand fighters. Ural trucks, choppers, Cossacks. That’s all... Over in “Khokhlandia” (a slur for Ukraine) it’s Banderites and bandits. They are asking NATO to intervene
• 42. Hacking the C&C center: SMS examples (drugs)
  ● I wanted to give you some drugs but now you definitely get fuck all
  ● Whoever I owe, I forgive everyone:-) And quit calling me about drugs
  ● Misha, I’m still going to talk to you about the weed you brought and smoked!!!! Do you want a fight?
• 43. Identifying the hacker: the last step. “Bad boys, bad boys, what you gonna do? What you gonna do when they come for you?” --
• 44. Identifying the hacker
  ● Male, 29 y.o., not married
  ● Russian, lives in Siberia
  ● PhD student in Computer Science
  ● No criminal record
  ● Full name, phone, email, home address, photo are KNOWN!
• 45. Finally, what was left out?
  ● Details that could break the privacy of the customer and/or the hacker (thanks for your understanding!)
  ● Hacking the hacker’s email, his sites in the i2p ‘darknet’, and other related accounts
  ● The ‘economics’ of the botnet: prices, black cashout, etc.
• 46. P.S. AT THE BEGINNING OF APRIL 2014 THE BOTNET WAS DESTROYED ;)