Short 1100 Jart Armin - The Pocket Botnet

Конференция UISG #7
The Pocket Botnet

Jart Armin
HostExploit – CyberDefcon
DeepEnd Research Org

Kiev – Ukraine – USIG
December 2011

 Specialist international team via HostExploit and CyberDefcon that
provides cybercrime analysis and quarterly reports on all the world’s
hosts and Internet servers.
 Quarterly series of Top 50 Bad Hosts & Networks.
 CSF (Cyber Security Foundation)
Team member of DeepEnd Research

Конференция UISG #7 - Jart Armin


 UNICRI, ENISA, APWG

3rd Quarter World Host Report – Oct 2011

Overview

Botnets - Problem? What Problem?

The Market

Mobile Malware

The Pocket Botnet

Botnets in General - A Problem – What Problem?
 Currently around 5,720
measurably active botnets

• IRC (still around 30%),
Jabber, I2P, P2P, HTTP,
mini, Pocket Botnet

 DDoS, RFI, vulnerability
scanning, spam, phishing,
malware, data
exfiltration…. APT

 Covert channels

 Bad guys & gray guys?

Smartphone Market Oct 2011 (a)

468 million units by the end of 2011, a rise of 60% compared 2010 (296m)

Smartphone Market (a) O/S 2012


Smartphone Market (b)
O/S – 2010 / 2015


Smartphone Shipping – 2010 /
2015 PC Ref:

Est. 500m
PCs sold
2011, and 2

billion PCs in
use around
the world, in
2015

Mobile Security Habits – Oct 2011
• People choose convenience over security practices
• Towards 50% use to connect to banks or financial
accounts
• 97% use to connect to email accounts either work or

personal
• 87% of phones are not supplied by an employer
• One third leave apps/accounts constantly logged in
• Best example – Reported as a major hack against USA –
A US contractor for SCADA (Illinois water authority) login
and maintaining data while on trip to Egypt & Russia via
his mobile phone !!!

Mobile Malware – Pocket Botnet Ready
• 1,700 versions (NetQin)
• 113 samples (Contagio / Deepend)
• 1410% increase in mobile malware
samples (Trend Micro)

• Zitmo Android Edition (Zeus for
mobile)
• SpyEye – SMS banking hijacks
(mTANs)
• Premium SMS, root kits, data stealers,
click fraud, spyware, malware

Android.SmsSend family – 6 to 60 in 2011

Primarily the same deception as fake A/V

ANSERVER.A

Permissions Using a C&C server

Pocket Botnet - ThemeInstaller.A –
(zombie – China)

• Infected 1 million Symbian smartphones in 1 week &

slower propagation (CNcert)

• Concealment – clear logs, self destruction, acts when
phone not used
• Defence – attacks security software
• Transmission – infects other devices via SMS,
downloads new malware from C&C

The Pocket Botnet


Pocket Botnet Takedown – US Telco & GG tracker

GG tracker (abusing premium SMS by malware)

• Signup via website, SMS used to authenticate

• Subscriber pays $9.99 / call
• Operator pays SMS aggregator
• Aggregator pays to content provider
• Content provider pays spammers etc.
• Around 30,000 victims mid 2011

Pocket Botnet, another method to infect the PC?

Note: recent SpyEye banking SMS hijacking (blended threat)

Pocket Botnet - DDoS
DDoS– partly smart phone based


The Pocket Botnet – Build your Own? -
Android.Pjapps


The Pocket Botnet - Android.Pjapps
Trojan C&C building manifest


The Pocket Botnet – Build Your Own?
Hijacking Android or Symbian - Example
Establish a dial in server - based on modem configuration for mgetty
• Establish: #/AutoPPP/ - a_ppp /usr/sbin/pppd auth -chap +pap
login debug

• Change to = /AutoPPP/ - a_ppp /usr/sbin/pppd auth -chap +pap
login debug
• Setup PPP options e.g. ms-dns 3.4.5.6 #replace 3.4.5.6 with DNS
address Slave
• Add users (zombies) to pap-secrets
• Create Linux users
• Broadcast

Pocket Botnet – warning notice :


The Pocket Botnet - Discussion
• With market growth increasing target is
Android, but all O/S vulnerable
• Different to pc based botnets, shorter
lived but as a wildfire

• The ‘free app’ & similar to PCs‘fake
A/V’ syndrome.
• Telcos’ have an advantage to strike
down, but example of China Telecom
only method was to block & takedown
C&Cs / download servers

Action Perspective
• The main effort for manufacturers is to prevent
smartphones from becoming mini ISPs/re-broadcasting
hubs.
• Avoid the unit becoming a router and using PPP (Point-

to-Point Protocol); through using “mgetty” or similar
commands; or in Microsoft Windows RAS (Remote
Access Service).
• Best if the platform reveals the phone number of the
device only to the smartphone’s modem
• Issue an IPv6 IP and public encryption for each
smartphone

The Pocket Botnet
Contact presenter at jart@cyberdefcon.com if you
have further interest:

CyberDefcon – Cybercrime Clearing House & Early warning
Coalition

DeepEndResearch.org - fostering collaborative security
research and analysis efforts

UNICRI - United Nations Interregional Crime and Justice
Research Institute

ENISA -the European Network and Information Security
Agency

The opinions hereby expressed are those of the Authors and
do not necessarily represent the ideas and opinions of the
United Nations, the UN agency “UNICRI”, ENISA, ENISA PSG,
nor others.

Useful Community Sources
• Eicar 2011 - New type of threat: Mobile botnets on Symbian - Cao Yang, Zou Shihong, Li
Wei
• Niebezpiecznik (Pl) http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
• Collin Mulliner and Jean-Pierre Seifert IEEE (Fr)
http://mulliner.org/collin/academic/publications/ibots_MALWARE2010.pdf

• Georgia Weider ShmooCon
http://www.grmn00bs.com/GeorgiaW_Smartphone_Bots_SLIDES_Shmoocon2011.pdf
• AnserverBot - AnserverBot_Analysis.pdf
• HostExploit (hosts)
• DeependResearch.org (botnets+)
• Contagio.Blogspot (mobile malware samples)

• Commercial: Trend Micro, Damballa, Lookout Mobile Security, Symantec

Short 1100 Jart Armin - The Pocket Botnet

Recommended

Recommended

More Related Content

What's hot

What's hot (15)

Viewers also liked

Viewers also liked (13)

Similar to Short 1100 Jart Armin - The Pocket Botnet

Similar to Short 1100 Jart Armin - The Pocket Botnet (20)

More from UISGCON

More from UISGCON (20)

Recently uploaded

Recently uploaded (20)

Short 1100 Jart Armin - The Pocket Botnet