![Page 1: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/1.jpg)
Transparent Botnet Command and Control for Smartphones over Text Messages
Georgia Weidman
![Page 2: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/2.jpg)
Why Smartphone Botnets
• Ubiquitous smartphones
• Common development platforms
• Strong technical specs
![Page 3: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/3.jpg)
Why Text Messages?
• Battery managements
• Difficult to monitor
• Fault Tolerant
![Page 4: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/4.jpg)
4
How an SMS is sent and received
![Page 5: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/5.jpg)
© Georgia Weidman 2011 5
How an SMS is sent and received
![Page 6: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/6.jpg)
© Georgia Weidman 2011 6
How an SMS is sent and received
![Page 7: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/7.jpg)
© Georgia Weidman 2011 7
How an SMS is sent and received
![Page 8: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/8.jpg)
© Georgia Weidman 2011 8
How an SMS is sent and received
![Page 9: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/9.jpg)
© Georgia Weidman 2011 9
How an SMS is sent and received
![Page 10: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/10.jpg)
© Georgia Weidman 2011 10
How an SMS is sent and received
![Page 11: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/11.jpg)
© Georgia Weidman 2011 11
How an SMS is sent and received
![Page 12: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/12.jpg)
© Georgia Weidman 2011 12
How an SMS is sent and received
![Page 13: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/13.jpg)
© Georgia Weidman 2011 13
How an SMS is sent and received
![Page 14: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/14.jpg)
© Georgia Weidman 2011 14
Previous Work: SMS Fuzzing
At Blackhat 2009, Charlie Miller & Collin Mulliner proxied the application layer and modem to crash smartphones with SMS.
http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf
![Page 15: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/15.jpg)
© Georgia Weidman 2011 15
Previous Work: SMS Fuzzing
![Page 16: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/16.jpg)
© Georgia Weidman 2011 16
Previous Work: SMS Fuzzing
![Page 17: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/17.jpg)
© Georgia Weidman 2011 17
Previous Work: SMS Fuzzing
![Page 18: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/18.jpg)
© Georgia Weidman 2011 18
My Work: SMS Botnet C&C
![Page 19: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/19.jpg)
© Georgia Weidman 2011 19
My Work: SMS Botnet C&C
![Page 20: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/20.jpg)
© Georgia Weidman 2011 20
SMS-Deliver PDU
Field Value
Length of SMSC 07
Type of Address (SMSC) 91
Service Center Address (SMSC) 41 40 54 05 10 F1
SMS Deliver Info 04
Length of Sender Number 0B
Type of Sender Number 91
Sender Number 51 17 34 45 88 F1
Protocol Identifier 00
Data Coding Scheme 00
Time Stamp 01 21 03 71 40 04 4A
User Data Length 0A
User Data E8 32 9B FD 46 97 D9 EC 37
07914140540510F1040B916117345476F100000121037140044A0AE8329BFD4697D9EC37
http://www.dreamfabric.com/sms/
![Page 21: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/21.jpg)
© Georgia Weidman 2011 21
SMS-Deliver PDU
Field Value
Length of SMSC 07
Type of Address (SMSC) 91
Service Center Address (SMSC) 41 40 54 05 10 F1
SMS Deliver Info 04
Length of Sender Number 0B
Type of Sender Number 91
Sender Number 61 17 34 54 76 F1
Protocol Identifier 00
Data Coding Scheme 00
Time Stamp 01 21 03 71 40 04 4A
User Data Length 0A
User Data E8 32 9B FD 46 97 D9 EC 37
07914140540510F1040B916117345476F100000121037140044A0AE8329BFD4697D9EC37
![Page 22: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/22.jpg)
How the Botnet Works
1. Bot Receives Message
2. Bot Decodes User Data
3. Bot Checks for Bot Key
4. Bot Performs Payload Functionality
![Page 23: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/23.jpg)
How the Botnet Works
1. Bot Receives Message
2. Bot Decodes User Data
3. Bot Checks for Bot Key
4. Bot Performs Payload Functionality
![Page 24: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/24.jpg)
How the Botnet Works
1. Bot Receives Message
2. Bot Decodes User Data
3. Bot Checks for Bot Key
4. Bot Performs Payload Functionality
![Page 25: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/25.jpg)
How the Botnet Works
1. Bot Receives Message
2. Bot Decodes User Data
3. Bot Checks for Bot Key
4. Bot Performs Payload Functionality
![Page 26: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/26.jpg)
How the Botnet Works
1. Bot Receives Message
2. Bot Decodes User Data
3. Bot Checks for Bot Key
4. Bot Performs Payload Functionality
![Page 27: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/27.jpg)
© Georgia Weidman 2011 27
Botnet Structure
![Page 28: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/28.jpg)
© Georgia Weidman 2011 28
Master Bot
![Page 29: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/29.jpg)
© Georgia Weidman 2011 29
Sentinel Bots
![Page 30: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/30.jpg)
© Georgia Weidman 2011 30
Slave Bots
![Page 31: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/31.jpg)
Security Concerns
• Impersonation
• Replay
• Cryptographic solutions
![Page 32: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/32.jpg)
Limitations
• Possible detection methods
• User data length
![Page 33: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/33.jpg)
Getting the Bot Installed
• Regular Users
• Rooted/Jailbroken Users
• Remote
![Page 34: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/34.jpg)
Example Payloads
• Spam
• Denial of service
• Load new functionality
• Degrading cell service
![Page 35: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/35.jpg)
What This Really Means
• If attackers can get the bot installed they can remotely control a user's phone without giving any sign of compromise to the user.
![Page 36: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/36.jpg)
Mitigations
•Integrity checks
•Liability for smartphone applications
•User awareness
![Page 37: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/37.jpg)
Demo
• Android Bot with Spam Payload
![Page 38: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/38.jpg)
Contact
•Georgia Weidman •Company: Neohapsis Inc. •Email: [email protected]
[email protected]•Website: http://www.grmn00bs.com•Twitter: vincentkadmon
![Page 39: Transparent Botnet C&C for Smartphones over SMS](https://reader034.vdocuments.us/reader034/viewer/2022051322/546c2137af79596c298b4e7e/html5/thumbnails/39.jpg)
Selected Bibliography
•SMS fuzzing: http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf•Cell bots attack GSM core: http://www.patrickmcdaniel.org/pubs/ccs09b.pdf•Twilight botnet: http://jon.oberheide.org/files/summercon10-androidhax-jonoberheide.pdf•SMS/P2P iPhone bots: http://mulliner.org/collin/academic/publications/ibots_malware10_mulliner_seifert.pdf