smartphone ownage: the state of mobile botnets and rootkits

Smartphone Ownage: The State of Mobile Botnets and Rootkits Jimmy Shah Antivirus Researcher

Upload: jimmy-shah

Post on 18-Nov-2014


DESCRIPTION

Symbian Botnet? Mobile Linux Rootkits? iPhone Botnets? Millions of phones at risk? The press coverage on smart phone threats is at times somewhat accurate, distant, and occasionally (if unintentionally) misleading. They tend to raise questions such as: How close to PC levels (100,000+ to millions of nodes) have mobile botnets reached? Have mobile rootkits reached the complexity of those on the PC? This talk covered the state of rootkits and botnets on smart phones from the perspective of anti-malware researchers, including demystification of the threat from mobile rootkits and mobile botnets, the differences (if any) between mobile rootkits and mobile botnets vs. their PC counterparts, and a look at how samples seen in the wild and researcher PoCs function.

TRANSCRIPT

Page 1: Smartphone Ownage: The state of mobile botnets and rootkits

Smartphone Ownage: The State of Mobile Botnets and Rootkits

Jimmy Shah, Antivirus Researcher


Contents

• Who we are
• Mobile malware
• Definitions
• Mobile Botnets
• Mobile Rootkits


Who we are

• Mobile Antivirus Researchers
• My team and I specialize in mobile malware and threat analysis on existing (J2ME, SymbOS, WM, iPhone OS, Android) and upcoming mobile platforms.
• We work with a number of large mobile network operators.


Mobile malware

• In the Wild
• Comparison to PC malware
• Trends


In the Wild

Chart: variants by platform (SymbOS, J2ME, WinCE, Python, MSIL, VBS, Linux)

740+ variants


Comparison to PC malware

PC category     Mobile examples
Worms           SymbOS/Commwarrior family; MSIL/Xrove.A; SymbOS/Cabir.A
Viruses         WinCE/Duts.1536; SymbOS/Lasco.A
Trojan Horses   J2ME Trojans; SymbOS Trojans; WinCE Trojans
Spyware         Commercial spyware (jailbroken/rooted devices); txbbspy (BlackBerry); PhoneSpy (iPhone)


Trends – Mobile Malware Lifecycle


Definitions

• Botnets
• Rootkits


Botnets

• Network
  – Clients: infected machines, “bots”, “zombies”, “bot clients”, etc.
  – Server(s): command & control, “bot master”, “herd master”, etc.
• Uses
  – Stealing PII, confidential information, etc.
  – Attacks (DDoS, spam, phishing)


Rootkits

• Originally used on UNIX systems to assist in gaining/keeping root access
  – Scripts and rigged binaries
• Essentially, rootkits do a few things
  – Evasion
  – Reduce or maintain reduced security
  – Self-protection

First one on the machine wins.


Mobile Rootkits

• Examples in the wild
  – Precursors
  – Actual


SymbOS/Commwarrior

Variant   Feature                                       Type
A-B       Delete other malware                          Self-protection
C         Copies itself to the memory card              Evasion/Self-protection
C         Self-repair, protection from being deleted    Self-protection
D         Encrypts internal strings                     Evasion
D         Infects other programs' installation files    Evasion
D         Deletes antivirus programs                    Evasion/Self-protection


WinCE/Infojack.A

• Self-protection
  – Installing as an autorun program on the memory card
  – Installing itself to the phone when an infected memory card is inserted
  – Protecting itself from deletion by copying itself back to disk
• Reduce security/bypass protection
  – Allows unsigned applications to install without warning

WinCE/InfoJack is installed with a collection of legitimate games

WinCE/InfoJack installs silently along with other applications

WinCE/InfoJack installs as an autorun program on the memory card


Linux Mobile Phone Rootkits

• Rutgers University researchers Bickford et al. developed a set of mobile rootkits
• Perform attacks
  – Dial attacker on alarm
  – Dial attacker on SMS
  – GPS coordinates sent to attacker via SMS
  – Battery drain attack
• Evasion/self-protection
  – Evade user-mode detection
• Port to N900 in the works

Photo: Openmoko Neo1973 (photo credit: Ryan Baumann)


Mobile Rootkits

Future Research


Android on iPhone/iPhone Linux

• Spinoff/side project from one of the iPhone Dev Team developers
• Security reduced
  – Requires jailbroken phone
  – Entirely different OS runs
• Self-protection
  – Custom iBoot designed to load Linux


Mobile Botnets

• Examples in the wild
  – Precursors
  – Actual


OSX/iPHSponey.A

• Network communication
  – Exfiltrate data via email
  – Not hardcoded or updated in PoC
• Data gathering (including PII)
  – Acquire data from
    • interesting apps (Safari, YouTube)
    • keyboard cache


OSX/RRoll.C/OSX/iPHDownloader.A - “botnet”

• Reduce security
  – Enable phishing via hosts file entry
  – Unlike previous variant, does not disable sshd
  – Alters password of user 'mobile' (not root)
• Data gathering
  – Attempts to send SMS DB to attacker
• C&C
  – /etc/hosts-changing script downloaded
  – Redirects Dutch bank site to attacker's server
• More of an intended botnet
  – OSX/RRoll.C propagates OSX/iPHDownloader.A, but neither propagates on its own
  – C&C server taken down


SymbOS/XMJTC - “sexy view” worm

• Self-protection/evasion
  – Signed installation file
• No warning to user during installation
  – Silent install of updates
• Kills processes of 3rd-party task managers
• C&C via SMS messages
  – Download and install update from supplied URL
  – Writes a “serial number” to disk
  – Ping the attacker's server/phone via SMS
• Perform attacks
  – Spamming links to malware via SMS


“Rise of the iBots: 0wning a telco network”

• Security researchers Collin Mulliner and Jean-Pierre Seifert developed a PoC iPhone botnet
  – Research concentrated on evading detection
• C&C over SMS and P2P network
  – Encrypted commands
• Tested in lab
  – “Installed bot(s) on a number of iPhones in the lab.”
• No “spreading functionality”
  – Experiments were testing the feasibility of the C&C channels
• Presented at the 5th International Conference on Malicious and Unwanted Software (MALWARE 2010)


“Rise of the iBots: 0wning a telco network”, cont.

Command message format (field: size in bytes)

Signature Length    1
ECDSA Signature     <variable>
Sequence Number     4
Command Type        1
Command             <variable>

Command                   Function
Add phone number(s)       Adds numbers to the forwarding list. Commands are forwarded to all bots on the list.
Set sleep interval        Sets how long the client waits before searching the P2P network for a command
Execute shell sequence    Run a command in the shell (e.g. ls, ping, etc.)
Download URL              Downloads a command file from the botmaster
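Added here as an example, not code from Mulliner and Seifert's PoC: a decoder for the message layout above, written from the analyst's side for decoding captured C&C messages. It checks the declared signature length against the message, verifies the signature through a caller-supplied function (where a real ECDSA check would go), and rejects repeated sequence numbers. Assumed, because the slide does not say: big-endian integers, a signature that covers the sequence number, type and command after it, and the numeric command-type codes.

```python
import struct
from typing import Callable, Optional, Tuple

# Layout from the slide: [sig_len:1][ECDSA signature:var][seq:4][type:1][command:var]
# Assumed, not on the slide: big-endian integers, the signature covering the bytes
# after it, and the numeric codes in COMMAND_TYPES.
HEADER = struct.Struct(">B")     # signature length
TRAILER = struct.Struct(">IB")   # sequence number, command type
COMMAND_TYPES = {1: "add_phone_numbers", 2: "set_sleep_interval",
                 3: "execute_shell", 4: "download_url"}

class MessageDecoder:
    """Decodes captured messages, rejecting malformed, unsigned or replayed ones."""

    def __init__(self, verify: Callable[[bytes, bytes], bool]):
        self.verify = verify     # verify(signature, signed_bytes) -> bool, e.g. ECDSA
        self.last_seq = -1       # highest sequence number accepted so far

    def decode(self, raw: bytes) -> Tuple[int, str, bytes]:
        """Returns (sequence number, command name, command bytes) or raises ValueError."""
        if len(raw) < HEADER.size + TRAILER.size:
            raise ValueError("truncated message")
        (sig_len,) = HEADER.unpack_from(raw, 0)
        body_off = HEADER.size + sig_len
        if body_off + TRAILER.size > len(raw):
            raise ValueError("signature length exceeds message")
        signature, signed = raw[HEADER.size:body_off], raw[body_off:]
        if not self.verify(signature, signed):
            raise ValueError("bad signature")
        seq, ctype = TRAILER.unpack_from(signed, 0)
        if seq <= self.last_seq:     # a command seen before must not be accepted twice
            raise ValueError(f"replayed or out-of-order sequence {seq}")
        if ctype not in COMMAND_TYPES:
            raise ValueError(f"unknown command type {ctype}")
        self.last_seq = seq
        return seq, COMMAND_TYPES[ctype], signed[TRAILER.size:]

def encode(signature: bytes, seq: int, ctype: int, payload: bytes) -> bytes:
    """Builds a message in the same layout; used only to construct sample input."""
    return HEADER.pack(len(signature)) + signature + TRAILER.pack(seq, ctype) + payload

def rejected(decoder: MessageDecoder, raw: bytes) -> Optional[str]:
    """Returns the rejection reason, or None when the message is accepted."""
    try:
        decoder.decode(raw)
        return None
    except ValueError as err:
        return str(err)
```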


WeatherFistBadMonkey – iPhone/Android botnet

• PoC created by security researchers Derek Brown and Daniel Tijerina (TippingPoint DVLabs)
• Evasion
  – Performs nominal function: connects to legitimate weather site
• Bot capability
  – Clients available for multiple platforms
  – Jailbroken iPhone
  – Stock Android
• C&C server
  – Spamming
  – Provide reverse shell
  – Perform DDoS

Screenshot: Weather Underground site


Rootstrap & Eclipsetrap

• PoC created by security researcher Jon Oberheide of Scio Security
• Evasion
  – Pretends to be “Twilight Eclipse Preview” app
• Updates/commands
  – Downloads new native binaries regularly

Despite being only nominally a movie preview app and receiving bad reviews, the PoC garnered over 200 downloads.


SymbOS/Zitmo.A

• Zeus trojan on the PC puts up a dialog asking for the victim's phone model and mobile number
  – Uses number to send download link to victim
  – Download is a signed installation file pretending to be a “Nokia update”
• Zitmo.A is spyware used to forward incoming SMS to the attacker
  – Unlike other more common Symbian spyware, forwarded SMS are not logged to an account on a central server


SymbOS/Zitmo.A, cont.

Command                               Function
set admin / SET ADMIN                 Sets the C&C phone number (in memory or in the config file) [case-sensitive]
[ON/OFF]                              Starts/stops the forwarding of SMS messages
BLOCK [ON|OFF]                        Ignore SMS commands
SET SENDER <number>                   Add sender's number to the forwarding list
ADD SENDER <number1>,…,<number n>
ADD SENDER ALL
REM SENDER <number1>,…,<number n>     Remove specific/all senders' numbers
REM SENDER ALL
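An added example, not part of the slides and not the malware's own code: the command table above turned into detection patterns that a phone- or operator-side SMS filter can run over incoming messages, so that a text which is really a Zitmo control command can be flagged before it reaches the spyware. Assumptions not on the slide: SET ADMIN carries the C&C number as its argument, and only “set admin” is accepted in lower case, so “on” or “block on” are not treated as commands.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Approximation of the SymbOS/Zitmo.A SMS command table above, written as detection
# patterns, not taken from the malware. Assumed: SET ADMIN carries the C&C number,
# and only "set admin" is accepted in lower case, so "on" or "block on" are not hits.
_NUMBER = r"\+?\d{3,15}"
_NUMLIST = rf"{_NUMBER}(?:,{_NUMBER})*"
ZITMO_COMMANDS = [
    ("set_admin",  re.compile(rf"^(?:set admin|SET ADMIN)\s+({_NUMBER})$")),
    ("forwarding", re.compile(r"^(ON|OFF)$")),
    ("block",      re.compile(r"^BLOCK (ON|OFF)$")),
    ("set_sender", re.compile(rf"^SET SENDER ({_NUMBER})$")),
    ("add_sender", re.compile(rf"^ADD SENDER ({_NUMLIST}|ALL)$")),
    ("rem_sender", re.compile(rf"^REM SENDER ({_NUMLIST}|ALL)$")),
]

def classify_sms(body: str) -> Optional[Tuple[str, str]]:
    """Returns (command name, argument) when the body is a Zitmo command, else None."""
    text = body.strip()
    for name, pattern in ZITMO_COMMANDS:
        match = pattern.match(text)
        if match:
            return name, match.group(1)
    return None

def scan_sms(messages: Iterable[Tuple[str, str]]) -> List[dict]:
    """Flags every (sender, body) pair that matches the C&C grammar; a phone or
    operator-side filter could raise an alert or drop the message on a hit."""
    alerts = []
    for sender, body in messages:
        hit = classify_sms(body)
        if hit:
            alerts.append({"sender": sender, "command": hit[0], "argument": hit[1]})
    return alerts

# Constructed sample traffic: benign texts, a bank mTAN, and three C&C commands.
SAMPLE_SMS = [
    ("+15551230001", "running late, see you at 8"),
    ("+15551230002", "SET ADMIN +15559990000"),
    ("+15551230003", "your mTAN for transfer 1234 is 558172"),
    ("+15559990000", "ADD SENDER +15551230003,+15551230004"),
    ("+15559990000", "on"),
    ("+15559990000", "BLOCK ON"),
]
```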


SymbOS/Zitmo.A, cont.

• Used for stealing mTAN/mTAC (Mobile Transaction Authorization Number/Code)
  – mTAN/mTAC are not used by all banks
• Not written from scratch
  – Cracked version of commercial spyware “SMS Monitor”

Installation of the commercial spyware (images from dTarasov.ru documentation)

The original program required payment (images from dTarasov.ru documentation).


Questions/Comments?
