UISG Conference #7 – The Pocket Botnet
Jart Armin – HostExploit – CyberDefcon – DeepEnd Research Org
Kiev – Ukraine – USIG – December 2011
• Specialist international team via HostExploit and CyberDefcon that provides cybercrime analysis and quarterly reports on all the world’s hosts and Internet servers
• Quarterly series of Top 50 Bad Hosts & Networks
• CSF (Cyber Security Foundation)
• Team member of DeepEnd Research
• UNICRI, ENISA, APWG
3rd Quarter World Host Report – Oct 2011
Overview
• Botnets – Problem? What Problem?
• The Market
• Mobile Malware
• The Pocket Botnet
Botnets in General – A Problem? What Problem?
• Currently around 5,720 measurably active botnets
• IRC (still around 30%), Jabber, I2P, P2P, HTTP, mini, Pocket Botnet
• DDoS, RFI, vulnerability scanning, spam, phishing, malware, data exfiltration…
• APT
• Covert channels
• Bad guys & gray guys?
Smartphone Market Oct 2011 (a)
468 million units by the end of 2011, a rise of 60% compared with 2010 (296m)
Smartphone Shipping – 2010 / 2015
PC Ref: Est. 500m PCs sold in 2011, and 2 billion PCs in use around the world in 2015
Mobile Security Habits – Oct 2011
• People choose convenience over security practices
• Towards 50% use the phone to connect to banks or financial accounts
• 97% use it to connect to email accounts, either work or personal
• 87% of phones are not supplied by an employer
• One third leave apps/accounts constantly logged in
• Best example – reported as a major hack against the USA: a US SCADA contractor (Illinois water authority) logging in and maintaining data via his mobile phone while on a trip to Egypt & Russia !!!
Android.SmsSend family – 6 to 60 in 2011
Primarily the same deception as fake A/V
ANSERVER.A
Permissions
Using a C&C server
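As an added illustration (not part of the original slides), the following Python script shows a defender's triage heuristic for the two families just discussed: it parses the permissions an Android package requests and flags the combinations a premium-SMS sender or a C&C-driven bot needs (SMS send plus receive, network plus boot persistence). The manifest is a constructed sample and the rule names are our own labels; the permission identifiers are real Android permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a "free theme" app asking for SMS plus network access.
# Illustrative only, not the manifest of any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.theme">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Free Theme"/>
</manifest>
"""

# Rule names are our own labels; a rule fires only when every permission in
# its set is requested, since each capability needs the whole combination.
RULES = {
    # send premium-rate SMS and read the confirmation SMS back
    "premium_sms_abuse": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
    # reach a C&C server and come back after reboot
    "cc_channel": {"android.permission.INTERNET", "android.permission.RECEIVE_BOOT_COMPLETED"},
    # read IMEI / phone number and ship it out
    "device_id_exfil": {"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"},
}


def extract_permissions(manifest_xml):
    """Return the set of permission names requested via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    attr = "{%s}name" % ANDROID_NS
    return {el.get(attr) for el in root.iter("uses-permission") if el.get(attr)}


def triage(manifest_xml):
    """Return {rule: sorted permissions} for each rule fully matched."""
    perms = extract_permissions(manifest_xml)
    return {name: sorted(req) for name, req in RULES.items() if req <= perms}


if __name__ == "__main__":
    for rule, perms in triage(SAMPLE_MANIFEST).items():
        print(rule, "->", ", ".join(p.rsplit(".", 1)[1] for p in perms))
```

A hit is a reason to look closer, not a verdict: legitimate messaging apps request the same SMS pair, so the score is only useful against what the app claims to be (a "theme installer" has no business sending SMS).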
Pocket Botnet – ThemeInstaller.A – (zombie – China)
• Infected 1 million Symbian smartphones in 1 week & slower propagation afterwards (CNcert)
• Concealment – clears logs, self-destruction, acts only when the phone is not in use
• Defence – attacks security software
• Transmission – infects other devices via SMS, downloads new malware from C&C
The Pocket Botnet
Pocket Botnet Takedown – US Telco & GG tracker
GG tracker (abusing premium SMS by malware)
• Signup via website, SMS used to authenticate
• Subscriber pays $9.99 / call
• Operator pays SMS aggregator
• Aggregator pays content provider
• Content provider pays spammers etc.
• Around 30,000 victims mid 2011
Pocket Botnet, another method to infect the PC?
Note: recent SpyEye banking SMS hijacking (blended threat)
The Pocket Botnet – Discussion
• With market growth the increasing target is Android, but all O/S are vulnerable
• Different to PC-based botnets: shorter lived, but spreads like wildfire
• The ‘free app’ lure, similar to the PC ‘fake A/V’ syndrome
• Telcos have an advantage to strike down, but in the China Telecom example the only method was to block & take down C&Cs / download servers
Action Perspective
• The main effort for manufacturers is to prevent smartphones from becoming mini ISPs / re-broadcasting hubs.
• Avoid the unit becoming a router and using PPP (Point-to-Point Protocol), whether through “mgetty” or similar commands, or via Microsoft Windows RAS (Remote Access Service).
• Best if the platform reveals the phone number of the device only to the smartphone’s modem
• Issue an IPv6 address and public encryption for each smartphone
The Pocket Botnet
Contact presenter at firstname.lastname@example.org if you have further interest:
CyberDefcon – Cybercrime Clearing House & Early Warning Coalition
DeepEndResearch.org – fostering collaborative security research and analysis efforts
UNICRI – United Nations Interregional Crime and Justice Research Institute
ENISA – the European Network and Information Security Agency
The opinions hereby expressed are those of the Authors and do not necessarily represent the ideas and opinions of the United Nations, the UN agency “UNICRI”, ENISA, ENISA PSG, nor others.
Useful Community Sources
• Eicar 2011 – New type of threat: Mobile botnets on Symbian – Cao Yang, Zou Shihong, Li Wei
• Niebezpiecznik (Pl) http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
• Collin Mulliner and Jean-Pierre Seifert, IEEE (Fr) http://mulliner.org/collin/academic/publications/ibots_MALWARE2010.pdf
• Georgia Weidman, ShmooCon http://www.grmn00bs.com/GeorgiaW_Smartphone_Bots_SLIDES_Shmoocon2011.pdf
• AnserverBot – AnserverBot_Analysis.pdf
• HostExploit (hosts)
• DeependResearch.org (botnets+)
• Contagio.Blogspot (mobile malware samples)
• Commercial: Trend Micro, Damballa, Lookout Mobile Security, Symantec