smartphone ownage: the state of mobile botnets and rootkits
DESCRIPTION
Symbian botnets? Mobile Linux rootkits? iPhone botnets? Millions of phones at risk? Press coverage of smartphone threats is at times accurate, at times distant from the facts, and occasionally (if unintentionally) misleading. It tends to raise questions such as: how close have mobile botnets come to PC scale (100,000+ to millions of nodes)? Have mobile rootkits reached the complexity of those on the PC? This talk covers the state of rootkits and botnets on smartphones from the perspective of anti-malware researchers: demystifying the threat from mobile rootkits and mobile botnets, examining the differences (if any) between mobile rootkits and botnets and their PC counterparts, and looking at how samples seen in the wild and researcher PoCs function.
TRANSCRIPT
Smartphone Ownage: The State of Mobile Botnets and Rootkits
Jimmy Shah, Antivirus Researcher
Smartphone Ownage: The State of Mobile Botnets and Rootkits2
Contents
• Who we are
• Mobile malware
• Definitions
• Mobile Botnets
• Mobile Rootkits
Who we are
• Mobile antivirus researchers
• My team and I specialize in mobile malware and threat analysis on existing (J2ME, SymbOS, WM, iPhone OS, Android) and upcoming mobile platforms.
• We work with a number of large mobile network operators.
Mobile malware
• In the Wild
• Comparison to PC malware
• Trends
In the Wild
(Chart: malware families by platform: SymbOS, J2ME, WinCE, Python, MSIL, VBS, Linux)
740+ variants
Mobile malware
• In the Wild
• Comparison to PC malware
• Trends
Comparison to PC malware
PC category | Mobile examples
Worms | SymbOS/Commwarrior family, MSIL/Xrove.A, SymbOS/Cabir.A
Viruses | WinCE/Duts.1536, SymbOS/Lasco.A
Trojan horses | J2ME Trojans, SymbOS Trojans, WinCE Trojans
Spyware | Commercial spyware (jailbroken/rooted devices), txbbspy (BlackBerry), PhoneSpy (iPhone)
Mobile malware
• In the Wild
• Comparison to PC malware
• Trends
Trends – Mobile Malware Lifecycle
Definitions
• Botnets
• Rootkits
Botnets
• Network
– Clients: infected machines, “bots”, “zombies”, “bot clients”, etc.
– Server(s): command & control, “bot master”, “herd master”, etc.
• Uses
– Stealing PII, confidential information, etc.
– Attacks (DDoS, spam, phishing)
Definitions
• Botnets
• Rootkits
Rootkits
• Originally used on UNIX systems to assist in gaining/keeping root access
– Scripts and rigged binaries
• Essentially, rootkits do a few things
– Evasion
– Reduce security, or keep it reduced
– Self-protection
First one on the machine wins.
Mobile Rootkits
• Examples in the wild
– Precursors
– Actual
SymbOS/Commwarrior
Variant | Feature | Type
A-B | Deletes other malware | Self-protection
C | Copies itself to the memory card | Evasion/Self-protection
C | Self-repair, protection from being deleted | Self-protection
D | Encrypts internal strings | Evasion
D | Infects other programs' installation files | Evasion
D | Deletes antivirus programs | Evasion/Self-protection
WinCE/InfoJack.A
• Self-protection
– Installs as an autorun program on the memory card
– Installs itself to the phone when an infected memory card is inserted
– Protects itself from deletion by copying itself back to disk
• Reduce security/bypass protection
– Allows unsigned applications to install without warning
(Screenshots: WinCE/InfoJack is installed with a collection of legitimate games; WinCE/InfoJack installs silently along with other applications; WinCE/InfoJack installs as an autorun program on the memory card)
Mobile Rootkits
• Examples in the wild
– Precursors
– Actual
Linux Mobile Phone Rootkits
• Rutgers University researchers Bickford et al. developed a set of mobile rootkits
• Perform attacks
– Dial attacker on alarm
– Dial attacker on SMS
– GPS coordinates sent to attacker via SMS
– Battery drain attack
• Evasion/Self-protection
– Evade user-mode detection
• Port to N900 in the works
(Photo: Openmoko Neo1973. Photo credit: Ryan Baumann)
Mobile Rootkits
Future Research
Android on iPhone / iPhone Linux
• Spinoff/side project from one of the iPhone dev team developers
• Security reduced
– Requires a jailbroken phone
– An entirely different OS runs
• Self-protection
– Custom iBoot designed to load Linux
Mobile Botnets
• Examples in the wild
– Precursors
– Actual
OSX/iPHSponey.A
• Network communication
– Exfiltrates data via email
  • Not hardcoded or updated in the PoC
• Data gathering (including PII)
– Acquires data from
  • interesting apps (Safari, YouTube)
  • the keyboard cache
OSX/RRoll.C / OSX/iPHDownloader.A – “botnet”
• Reduce security
– Enables phishing via a hosts file entry
– Unlike the previous variant, does not disable sshd
– Alters the password of user 'mobile' (not root)
• Data gathering
– Attempts to send the SMS DB to the attacker
• C&C
– /etc/hosts-changing script downloaded
  • Redirects a Dutch bank site to the attacker's server
• More of an intended botnet
– OSX/RRoll.C propagates OSX/iPHDownloader.A, but neither propagates on its own
– C&C server taken down
SymbOS/XMJTC – “Sexy View” worm
• Self-protection/evasion
– Signed installation file
  • No warning to the user during installation
– Silent install of updates
  • Kills processes of third-party task managers
• C&C via SMS messages
– Downloads and installs an update from a supplied URL
– Writes a “serial number” to disk
– Pings the attacker's server/phone via SMS
• Perform attacks
– Spamming links to malware via SMS
“Rise of the iBots: 0wning a telco network”
• Security researchers Collin Mulliner and Jean-Pierre Seifert developed a PoC iPhone botnet
– Research concentrated on evading detection
• C&C over SMS and a P2P network
– Encrypted commands
• Tested in the lab
– “Installed bot(s) on a number of iPhones in the lab.”
• No “spreading functionality”
– Experiments tested the feasibility of the C&C channels
• Presented at the 5th International Conference on Malicious and Unwanted Software (MALWARE 2010)
“Rise of the iBots: 0wning a telco network”, cont.
Command message format (field: length in bytes)
Signature Length: 1 | ECDSA Signature: <variable> | Sequence Number: 4 | Command Type: 1 | Command: <variable>

Command | Function
Add phone number(s) | Adds numbers to the forwarding list. Commands are forwarded to all bots on the list.
Set sleep interval | Sets how long the client waits before searching the P2P network for a command
Execute shell sequence | Runs a command in the shell (e.g. ls, ping, etc.)
Download URL | Downloads a command file from the botmaster
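To show how an analyst would decode a captured command in the framing above, here is an added example (not code from the paper or the talk) that splits a message into its five fields, rejects truncated frames, and models the replay check that the sequence number makes possible. The numeric command-type codes, the big-endian byte order and the dummy signature are assumptions; verifying the ECDSA signature against the botmaster's public key is left to a crypto library and is not done here.

```python
import struct
from dataclasses import dataclass

# Command names are from the slide; the numeric codes are an assumption
# made for this example (the slide does not list them).
COMMAND_TYPES = {
    1: "add phone number(s)",
    2: "set sleep interval",
    3: "execute shell sequence",
    4: "download URL",
}
# Sequence number (4 bytes) + command type (1 byte); big-endian is assumed.
HEADER_AFTER_SIG = struct.Struct(">IB")

@dataclass
class BotMessage:
    signature: bytes      # raw ECDSA signature, to be checked with the botmaster's key
    sequence: int
    command_type: str
    command: bytes
    signed_region: bytes  # everything after the signature; the bytes a verifier would check

def parse_message(raw: bytes) -> BotMessage:
    """Decode sig_len(1) | signature(sig_len) | seq(4) | type(1) | command(variable)."""
    if not raw:
        raise ValueError("empty message")
    sig_len = raw[0]
    body_start = 1 + sig_len
    if len(raw) < body_start + HEADER_AFTER_SIG.size:
        raise ValueError("truncated message: signature or header cut off")
    signature = raw[1:body_start]
    signed_region = raw[body_start:]
    sequence, type_code = HEADER_AFTER_SIG.unpack_from(signed_region)
    command = signed_region[HEADER_AFTER_SIG.size:]
    name = COMMAND_TYPES.get(type_code, f"unknown type {type_code}")
    return BotMessage(signature, sequence, name, command, signed_region)

class ReplayFilter:
    """The check a per-message sequence number enables: a command whose
    number is not higher than the last accepted one is treated as a replay."""
    def __init__(self) -> None:
        self.last_sequence = -1
    def accept(self, msg: BotMessage) -> bool:
        if msg.sequence <= self.last_sequence:
            return False
        self.last_sequence = msg.sequence
        return True

def encode_message(signature: bytes, sequence: int, type_code: int, command: bytes) -> bytes:
    """Build a frame in the same layout; used here only to construct test vectors."""
    if len(signature) > 255:
        raise ValueError("signature length must fit in one byte")
    return bytes([len(signature)]) + signature + HEADER_AFTER_SIG.pack(sequence, type_code) + command

# Constructed sample: a dummy (non-cryptographic) 70-byte signature and a sleep-interval command.
SAMPLE = encode_message(b"\x30\x44" + b"\x00" * 68, 7, 2, b"600")
```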
Mobile Botnets
• Examples in the wild
– Precursors
– Actual
WeatherFist / BadMonkey – iPhone/Android botnet
• PoC created by security researchers Derek Brown and Daniel Tijerina (TippingPoint DVLabs)
• Evasion
– Performs a nominal function: connects to a legitimate weather site
• Bot capability
– Clients available for multiple platforms
  • Jailbroken iPhone
  • Stock Android
• C&C server
– Spamming
– Provides a reverse shell
– Performs DDoS
(Screenshot: Weather Underground site)
Rootstrap & Eclipsetrap
• PoC created by security researcher Jon Oberheide of Scio Security
• Evasion
– Pretends to be a “Twilight Eclipse Preview” app
• Updates/Commands
– Downloads new native binaries regularly
Despite being only nominally a movie preview app and receiving bad reviews, the PoC garnered over 200 downloads.
SymbOS/Zitmo.A
• The Zeus trojan on the PC puts up a dialog asking for the victim's phone model and mobile number
– Uses the number to send a download link to the victim
– The download is a signed installation file pretending to be a “Nokia update”
• Zitmo.A is spyware used to forward incoming SMS to the attacker
– Unlike other, more common Symbian spyware, forwarded SMS are not logged to an account on a central server
SymbOS/Zitmo.A, cont.
Command | Function
set admin / SET ADMIN | Sets the C&C phone number (in memory or in the config file) [case-sensitive]
[ON/OFF] | Starts/stops the forwarding of SMS messages
BLOCK [ON|OFF] | Ignore SMS commands
SET SENDER <number>; ADD SENDER <number1>,…,<number n>; ADD SENDER ALL | Adds the sender's number(s) to the forwarding list
REM SENDER <number1>,…,<number n>; REM SENDER ALL | Removes specific/all senders' numbers
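As an added example (not from the talk and not the malware's own code), a detector that matches SMS text against the command grammar in the table above, so that Zitmo-style C&C messages can be flagged in an operator-side SMS log or a device backup. The phone-number shape, the severity labels and the sample log are assumptions constructed for this example; the slide defines none of them.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Phone-number shape is an assumption for this example; the slide does not define it.
NUM = r"\+?\d{3,15}"
LIST = rf"(?:ALL|{NUM}(?:,{NUM})*)"

# One regex per command family from the slide. Matching is case-sensitive, as the
# slide notes for "set admin"/"SET ADMIN". A bare ON/OFF also occurs in ordinary
# texting, so it is only a low-severity signal on its own.
COMMAND_PATTERNS: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("set admin",  "high", re.compile(rf"^(?:set admin|SET ADMIN) ({NUM})$")),
    ("forwarding", "low",  re.compile(r"^(ON|OFF)$")),
    ("block",      "high", re.compile(r"^BLOCK (ON|OFF)$")),
    ("set sender", "high", re.compile(rf"^SET SENDER ({NUM})$")),
    ("add sender", "high", re.compile(rf"^ADD SENDER ({LIST})$")),
    ("rem sender", "high", re.compile(rf"^REM SENDER ({LIST})$")),
]

def classify_sms(body: str) -> Optional[Tuple[str, str, str]]:
    """Return (command, severity, argument) if the text matches Zitmo.A's
    command grammar, else None. Surrounding whitespace is ignored."""
    text = body.strip()
    for name, severity, pattern in COMMAND_PATTERNS:
        m = pattern.match(text)
        if m:
            return name, severity, m.group(1)
    return None

def scan_sms_log(records: Iterable[Tuple[str, str]]) -> List[dict]:
    """Run classify_sms over (sender, body) pairs and collect one alert per hit."""
    alerts = []
    for sender, body in records:
        hit = classify_sms(body)
        if hit:
            command, severity, argument = hit
            alerts.append({"sender": sender, "command": command,
                           "severity": severity, "argument": argument})
    return alerts

# Constructed sample log: two C&C-style messages mixed with ordinary traffic.
SAMPLE_LOG = [
    ("+15550001111", "SET ADMIN +15550009999"),
    ("+15550002222", "running late, see you at 8"),
    ("+15550001111", "ADD SENDER +15550003333,+15550004444"),
    ("+15550002222", "OK"),
    ("+15550001111", "Set Admin +15550009999"),   # wrong case: not a Zitmo.A command
]
```

Correlating the matched messages by sender, as scan_sms_log's output allows, is what turns a single low-severity ON/OFF into a useful signal: the same number issuing SET ADMIN or ADD SENDER earlier is the C&C phone.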
SymbOS/Zitmo.A, cont.
• Used for stealing mTAN/mTAC (Mobile Transaction Authorization Number/Code)
– mTAN/mTAC are not used by all banks
• Not written from scratch
– Cracked version of the commercial spyware “SMS Monitor”
(Screenshots: installation of the commercial spyware; the original program required payment. Images from dTarasov.ru documentation)
Questions/Comments?