Post on 18-Nov-2014

Page 1: Transparent Botnet C&C for Smartphones over SMS

Transparent Botnet Command and Control for Smartphones over Text Messages

Georgia Weidman

Why Smartphone Botnets

• Ubiquitous smartphones

• Common development platforms

• Strong technical specs

Why Text Messages?

• Battery management

• Difficult to monitor

• Fault Tolerant

How an SMS is sent and received

© Georgia Weidman 2011 5

Previous Work: SMS Fuzzing

At Black Hat 2009, Charlie Miller and Collin Mulliner placed a proxy between the application layer and the modem and used it to crash smartphones with SMS.

http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf

My Work: SMS Botnet C&C

SMS-Deliver PDU

| Field | Value |
| --- | --- |
| Length of SMSC | 07 |
| Type of Address (SMSC) | 91 |
| Service Center Address (SMSC) | 41 40 54 05 10 F1 |
| SMS Deliver Info | 04 |
| Length of Sender Number | 0B |
| Type of Sender Number | 91 |
| Sender Number | 51 17 34 45 88 F1 |
| Protocol Identifier | 00 |
| Data Coding Scheme | 00 |
| Time Stamp | 01 21 03 71 40 04 4A |
| User Data Length | 0A |
| User Data | E8 32 9B FD 46 97 D9 EC 37 |

07914140540510F1040B916117345476F100000121037140044A0AE8329BFD4697D9EC37

http://www.dreamfabric.com/sms/

SMS-Deliver PDU

| Field | Value |
| --- | --- |
| Length of SMSC | 07 |
| Type of Address (SMSC) | 91 |
| Service Center Address (SMSC) | 41 40 54 05 10 F1 |
| SMS Deliver Info | 04 |
| Length of Sender Number | 0B |
| Type of Sender Number | 91 |
| Sender Number | 61 17 34 54 76 F1 |
| Protocol Identifier | 00 |
| Data Coding Scheme | 00 |
| Time Stamp | 01 21 03 71 40 04 4A |
| User Data Length | 0A |
| User Data | E8 32 9B FD 46 97 D9 EC 37 |

07914140540510F1040B916117345476F100000121037140044A0AE8329BFD4697D9EC37
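
The hex string above is the table read octet by octet. The decoder below is an added example, not code from the talk; it follows the SMS-Deliver layout of 3GPP TS 23.040, and all function names are this example's own. It handles only Data Coding Scheme 00 and maps only the GSM default-alphabet characters that coincide with ASCII.

```python
# Added example: field-by-field decode of an SMS-Deliver PDU (layout per 3GPP TS 23.040).
PDU = "07914140540510F1040B916117345476F100000121037140044A0AE8329BFD4697D9EC37"  # slide value
# Septet values where the GSM 7-bit default alphabet coincides with ASCII (simplification).
ASCII_SAME = {0x0A, 0x0D, *range(0x20, 0x24), *range(0x25, 0x40),
              *range(0x41, 0x5B), *range(0x61, 0x7B)}

def swapped_digits(octets):
    """Semi-octets are nibble-swapped BCD; a trailing 0xF nibble is padding."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets).rstrip("F")

def number(toa, octets):
    """Prefix '+' when the type-of-number bits (6..4) mark an international number."""
    return ("+" if (toa >> 4) & 0x07 == 1 else "") + swapped_digits(octets)

def gsm7_text(data, septets):
    """Unpack LSB-first packed septets; unmapped code points become U+FFFD."""
    if len(data) < (septets * 7 + 7) // 8:
        raise ValueError("user data shorter than the User Data Length implies")
    bits = int.from_bytes(data, "little")
    values = ((bits >> (7 * i)) & 0x7F for i in range(septets))
    return "".join(chr(v) if v in ASCII_SAME else "\ufffd" for v in values)

def timestamp(scts):
    """Six swapped-BCD octets (YY MM DD hh mm ss) plus a time-zone octet."""
    d, tz = swapped_digits(scts[:6]), scts[6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)      # offset in quarter-hours
    sign = "-" if tz & 0x08 else "+"             # bit 3 of the octet is the sign
    return (f"{d[0:2]}-{d[2:4]}-{d[4:6]} {d[6:8]}:{d[8:10]}:{d[10:12]} "
            f"{sign}{quarters // 4:02d}:{quarters % 4 * 15:02d}")

def parse_sms_deliver(hex_pdu):
    raw = bytes.fromhex(hex_pdu)
    n = raw[0]                                   # SMSC length in octets, type included
    fields = {"smsc": number(raw[1], raw[2:1 + n])}
    pos = 1 + n
    fields["first_octet"] = raw[pos]
    digits, toa = raw[pos + 1], raw[pos + 2]     # sender length counts digits
    pos, n = pos + 3, (digits + 1) // 2
    fields["sender"] = number(toa, raw[pos:pos + n])
    pos += n
    fields["pid"], fields["dcs"] = raw[pos], raw[pos + 1]
    if fields["dcs"] != 0x00:
        raise ValueError("only DCS 00 (7-bit default alphabet) is handled here")
    fields["timestamp"] = timestamp(raw[pos + 2:pos + 9])
    fields["text"] = gsm7_text(raw[pos + 10:], raw[pos + 9])
    return fields

if __name__ == "__main__":
    print(parse_sms_deliver(PDU))
```

Note the two different length conventions: the SMSC length counts octets, while the sender length counts digits.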

How the Botnet Works

1. Bot Receives Message

2. Bot Decodes User Data

3. Bot Checks for Bot Key

4. Bot Performs Payload Functionality

Botnet Structure

Master Bot

Sentinel Bots

Slave Bots

Security Concerns

• Impersonation

• Replay

• Cryptographic solutions

Limitations

• Possible detection methods

• User data length

Getting the Bot Installed

• Regular Users

• Rooted/Jailbroken Users

• Remote

Example Payloads

• Spam

• Denial of service

• Load new functionality

• Degrading cell service

What This Really Means

• If attackers can get the bot installed, they can remotely control a user's phone without giving the user any sign of compromise.

Mitigations

• Integrity checks

• Liability for smartphone applications

• User awareness

Demo

• Android Bot with Spam Payload

Contact

• Georgia Weidman

• Company: Neohapsis Inc.

• Email: [email protected] [email protected]

• Website: http://www.grmn00bs.com

• Twitter: vincentkadmon

Selected Bibliography

• SMS fuzzing: http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf

• Cell bots attack GSM core: http://www.patrickmcdaniel.org/pubs/ccs09b.pdf

• Twilight botnet: http://jon.oberheide.org/files/summercon10-androidhax-jonoberheide.pdf

• SMS/P2P iPhone bots: http://mulliner.org/collin/academic/publications/ibots_malware10_mulliner_seifert.pdf