Smartphone Ownage:
The State of Mobile Botnets and Rootkits
Jimmy Shah
Antivirus Researcher
Contents
• Who we are
• Mobile malware
• Definitions
• Mobile Botnets
• Mobile Rootkits
Who we are
• Mobile Antivirus Researchers
• My team and I specialize in mobile malware and threat analysis on existing (J2ME, SymbOS, WM, iPhone OS, Android) and upcoming mobile platforms.
• We work with a number of large mobile network operators.
Mobile malware
In the Wild
Comparison to PC malware
Trends
In the Wild
740+ variants in the wild, across SymbOS, J2ME, WinCE, Python, MSIL, VBS and Linux
Comparison to PC malware
PC malware classes and their mobile examples
Worms
● SymbOS/Commwarrior family
● MSIL/Xrove.A
● SymbOS/Cabir.A
Viruses
● WinCE/Duts.1536
● SymbOS/Lasco.A
Trojan Horses
● J2ME Trojans
● SymbOS Trojans
● WinCE Trojans
Spyware
● Commercial spyware – jailbroken/rooted devices
● txbbspy – Blackberry
● PhoneSpy – iPhone
Trends – Mobile Malware Lifecycle
Definitions
Botnets
Rootkits
Botnets
• Network
– Clients - Infected machines, “bots”, “zombies”, “bot clients”, etc.
– Server(s) - Command & control, “bot master”, “herd master”, etc.
• Uses
– Stealing PII, confidential information, etc.
– Attacks (DDoS, spam, phishing)
Rootkits
• Originally used on UNIX systems to assist in gaining/keeping root access
– Scripts and rigged binaries
• Essentially, rootkits do a few things
– Evasion
– Reduce or maintain reduced security
– Self-Protection
First one on the machine wins.
Mobile Rootkits
Examples in the wild
Precursors
Actual
SymbOS/Commwarrior
Variant | Feature | Type
A-B | Delete other malware | Self-protection
C | Copies itself to the memory card | Evasion/Self-protection
C | Self-repair, protection from being deleted | Self-protection
D | Encrypts internal strings | Evasion
D | Infects other programs' installation files | Evasion
D | Deletes antivirus programs | Evasion/Self-protection
WinCE/Infojack.A
• Self-protection
– Installs as an autorun program on the memory card
– Installs itself to the phone when an infected memory card is inserted
– Protects itself from deletion by copying itself back to disk
• Reduce security/bypass protection
– Allows unsigned applications to install without warning
WinCE/InfoJack is installed with a collection of legitimate games
WinCE/InfoJack installs silently along with other applications
WinCE/InfoJack installs as an autorun program on the memory card
Linux Mobile Phone Rootkits
• Rutgers University researchers Bickford et al. developed a set of mobile rootkits
• Perform attacks
– Dial attacker on alarm
– Dial attacker on SMS
– GPS coordinates sent to attacker via SMS
– Battery drain attack
• Evasion/Self-protection
– Evade user-mode detection
• Port to N900 in the works
Openmoko Neo1973 (Photo Credit: Ryan Baumann)
Mobile Rootkits
Future Research
Android on iPhone/iPhone Linux
• Spinoff/side project from one of the iPhone dev team developers
• Security reduced
– Requires a jailbroken phone
– An entirely different OS runs
• Self-protection
– Custom iBoot designed to load Linux
Mobile Botnets
Examples in the wild
Precursors
Actual
OSX/iPHSponey.A
• Network communication
– Exfiltrate data via email
• Not hardcoded or updated in the PoC
• Data gathering (including PII)
– Acquires data from
• interesting apps (Safari, YouTube)
• keyboard cache
OSX/RRoll.C / OSX/iPHDownloader.A - “botnet”
• Reduce security
– Enables phishing via a hosts file entry
– Unlike the previous variant, does not disable sshd
– Alters the password of user 'mobile' (not root)
• Data gathering
– Attempts to send the SMS DB to the attacker
• C & C
– /etc/hosts-changing script downloaded
• Redirects a Dutch bank site to the attacker's server
• More of an intended botnet
– OSX/RRoll.C propagates OSX/iPHDownloader.A, but neither propagates on its own
– C & C server taken down
SymbOS/XMJTC - “sexy view” worm
• Self-protection/evasion
– Signed installation file
• No warning to user during installation
– Silent install of updates
• Kills processes of third-party task managers
• C&C via SMS messages
– Download and install update from supplied URL
– Writes a “serial number” to disk
– Ping the attacker's server/phone via SMS
• Perform attacks
– Spamming links to malware via SMS
“Rise of the iBots: 0wning a telco network”
• Security researchers Collin Mulliner and Jean-Pierre Seifert developed a PoC iPhone botnet
– Research concentrated on evading detection
• C&C over SMS and P2P network
– Encrypted commands
• Tested in lab
– “Installed bot(s) on a number of iPhones in the lab.”
• No “spreading functionality”
– Experiments were testing the feasibility of the C&C channels
• Presented at the 5th International Conference on Malicious and Unwanted Software (MALWARE 2010)
“Rise of the iBots: 0wning a telco network”, cont.
Command message layout (field – size in bytes):
Signature Length – 1
ECDSA Signature – <variable>
Sequence Number – 4
Command Type – 1
Command – <variable>
Command | Function
Add phone number(s) | Adds numbers to the forwarding list. Commands are forwarded to all bots on the list.
Set sleep interval | Sets how long the client waits before searching the P2P network for a command
Execute shell sequence | Run a command in the shell (e.g. ls, ping, etc.)
Download URL | Downloads a command file from the botmaster
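An added example, not code from the paper or its PoC: a decoder for captured messages in the layout above that labels the command type and records, per message, whether the signature verifies and whether the sequence number advanced (a repeat is a replayed command). It assumes big-endian integers, that the signature covers the fields after it, and the numeric command-type codes; an HMAC under a constructed key stands in for the ECDSA signature so the example runs on the standard library alone.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Callable, List

# Command types from the slide's table. The byte values are an assumption;
# the slide gives only the four names.
COMMAND_TYPES = {
    1: "add phone number(s)",
    2: "set sleep interval",
    3: "execute shell sequence",
    4: "download URL",
}


@dataclass
class BotMessage:
    signature: bytes
    sequence: int
    cmd_type: int
    command: bytes

    @property
    def type_name(self) -> str:
        return COMMAND_TYPES.get(self.cmd_type, "unknown")


def signed_bytes(sequence: int, cmd_type: int, command: bytes) -> bytes:
    """Bytes the signature is assumed to cover: every field after it."""
    return struct.pack(">I", sequence) + bytes([cmd_type]) + command


def parse_message(raw: bytes) -> BotMessage:
    """Split a message into the slide's five fields: 1-byte signature length,
    ECDSA signature, 4-byte sequence number, 1-byte command type, and the
    variable-length command. Big-endian integers are an assumption."""
    if not raw:
        raise ValueError("empty message")
    sig_len = raw[0]
    sig_end = 1 + sig_len
    if len(raw) < sig_end + 5:
        raise ValueError("message shorter than its declared layout")
    (sequence,) = struct.unpack(">I", raw[sig_end:sig_end + 4])
    return BotMessage(raw[1:sig_end], sequence, raw[sig_end + 4], raw[sig_end + 5:])


def build_message(signature: bytes, sequence: int, cmd_type: int, command: bytes) -> bytes:
    """Inverse of parse_message; used here only to construct sample captures."""
    if len(signature) > 255:
        raise ValueError("signature length must fit in one byte")
    return bytes([len(signature)]) + signature + signed_bytes(sequence, cmd_type, command)


def triage_capture(messages: List[bytes], verify: Callable[[bytes, bytes], bool]) -> List[dict]:
    """Decode captured messages in order and record the two checks the signed,
    numbered layout allows: does the signature verify under the botmaster's
    key, and did the sequence number advance (a repeat is a replayed command)."""
    findings = []
    last_seq = None
    for raw in messages:
        msg = parse_message(raw)
        sig_ok = verify(msg.signature, signed_bytes(msg.sequence, msg.cmd_type, msg.command))
        replay = last_seq is not None and msg.sequence <= last_seq
        if sig_ok and not replay:
            last_seq = msg.sequence
        findings.append({
            "seq": msg.sequence,
            "type": msg.type_name,
            "command": msg.command.decode("ascii", "replace"),
            "signature_valid": sig_ok,
            "replay": replay,
        })
    return findings


# Constructed stand-in for the PoC's ECDSA check so the example runs on the
# standard library alone: an HMAC under a constructed key plays the signature's
# role. Against real captures this would be an ECDSA verify with the
# botmaster's public key.
_DEMO_KEY = b"constructed-demo-key"


def demo_sign(data: bytes) -> bytes:
    return hmac.new(_DEMO_KEY, data, hashlib.sha256).digest()


def demo_verify(signature: bytes, data: bytes) -> bool:
    return hmac.compare_digest(signature, demo_sign(data))


def demo_capture() -> List[bytes]:
    """Constructed capture: a valid sleep-interval command, the same message
    replayed, and a download command whose payload was altered after signing."""
    good = build_message(demo_sign(signed_bytes(7, 2, b"sleep=600")), 7, 2, b"sleep=600")
    sig = demo_sign(signed_bytes(8, 4, b"http://example.invalid/cmd"))
    tampered = build_message(sig, 8, 4, b"http://example.invalid/cmd-x")
    return [good, good, tampered]


if __name__ == "__main__":
    for finding in triage_capture(demo_capture(), demo_verify):
        print(finding)
```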
WeatherFistBadMonkey – iPhone/Android botnet
• PoC created by security researchers
– Derek Brown and Daniel Tijerina (Tipping Point DV Labs)
• Evasion
– Performs nominal function – connects to legitimate weather site
• Bot capability
– Clients available for multiple platforms
– Jailbroken iPhone
– Stock Android
• C & C server
– Spamming
– Provide reverse shell
– Perform DDoS
Screenshot: Weather Underground site
Rootstrap & Eclipsetrap
• PoC created by Security Researcher Jon Oberheide of Scio Security
• Evasion
– Pretends to be “Twilight Eclipse Preview” app
• Updates/Commands
– Downloads new native binaries regularly
Despite being only nominally a movie preview app and receiving bad reviews, the PoC garnered over 200 downloads.
SymbOS/Zitmo.A
• Zeus trojan on the PC puts up a dialog asking for the victim's phone model and mobile number
– Uses the number to send a download link to the victim
– Download is a signed installation file pretending to be a “Nokia update”
• Zitmo.A is spyware used to forward incoming SMS to the attacker
– Unlike other more common Symbian spyware, forwarded SMS are not logged to an account on a central server
SymbOS/Zitmo.A, cont.
Command | Function
set admin / SET ADMIN | Sets the C&C phone number (in memory or in the config file) [case-sensitive]
[ON/OFF] | Starts/stops the forwarding of SMS messages
BLOCK [ON|OFF] | Ignore SMS commands
SET SENDER <number> / ADD SENDER <number1>,…,<number n> / ADD SENDER ALL | Add sender's number to the forwarding list
REM SENDER <number1>,…,<number n> / REM SENDER ALL | Remove specific/all senders' numbers
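As an added example (not the sample's own parser), a case-sensitive classifier for the SMS command set in the table above, run over constructed operator-side SMS records to surface the numbers issuing commands and the C&C number set via SET ADMIN. The phone-number format and the number argument to set admin are assumptions; ON and OFF are taken as the bare forwarding commands.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed grammar for the SMS commands listed in the Zitmo.A table.
# The table gives the command words and argument shapes; the number format
# the sample accepted is an assumption (optional '+', then digits).
_NUMBER = r"\+?\d{3,15}"
_LIST = rf"(?:ALL|{_NUMBER}(?:,{_NUMBER})*)"
ZITMO_COMMANDS: List[Tuple[str, re.Pattern]] = [
    # set admin / SET ADMIN: set the C&C phone number (both spellings listed)
    ("set_admin",  re.compile(rf"^(?:set admin|SET ADMIN) ({_NUMBER})$")),
    # ON / OFF: start or stop forwarding incoming SMS
    ("forwarding", re.compile(r"^(ON|OFF)$")),
    # BLOCK ON|OFF: ignore further SMS commands
    ("block",      re.compile(r"^BLOCK (ON|OFF)$")),
    ("set_sender", re.compile(rf"^SET SENDER ({_NUMBER})$")),
    ("add_sender", re.compile(rf"^ADD SENDER ({_LIST})$")),
    ("rem_sender", re.compile(rf"^REM SENDER ({_LIST})$")),
]


def classify(body: str) -> Optional[Tuple[str, List[str]]]:
    """Return (command, arguments) if the SMS body is a Zitmo.A control message.
    Matching is case-sensitive, as the slide notes, so ordinary text such as
    'on' or 'block on' does not match."""
    text = body.strip()
    for name, pattern in ZITMO_COMMANDS:
        m = pattern.match(text)
        if m:
            return name, m.group(1).split(",")
    return None


def scan_sms_log(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Walk operator-side SMS records and report C&C activity: every command
    seen, which sender numbers issued commands, and any C&C number set via
    SET ADMIN (a candidate for blocking on the network side)."""
    report = {"commands": [], "controllers": set(), "cnc_numbers": set()}
    for rec in records:
        hit = classify(rec["body"])
        if hit is None:
            continue
        name, args = hit
        report["commands"].append((rec["from"], rec["to"], name, args))
        report["controllers"].add(rec["from"])
        if name == "set_admin":
            report["cnc_numbers"].update(args)
    return report


# Constructed sample records (not from any real capture).
SAMPLE_SMS = [
    {"from": "+15550009999", "to": "+15550001234", "body": "SET ADMIN +15550009999"},
    {"from": "+15550009999", "to": "+15550001234", "body": "ADD SENDER +15550002222,+15550003333"},
    {"from": "+15550007777", "to": "+15550001234", "body": "on my way, call you later"},
    {"from": "+15550009999", "to": "+15550001234", "body": "ON"},
    {"from": "+15550007777", "to": "+15550001234", "body": "block on"},
]


if __name__ == "__main__":
    for line in scan_sms_log(SAMPLE_SMS)["commands"]:
        print(line)
```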
SymbOS/Zitmo.A, cont.
• Used for stealing mTAN/mTAC (Mobile Transaction Authorization Number/Code)
– mTAN/mTAC are not used by all banks
• Not written from scratch
– Cracked version of commercial spyware “SMS Monitor”
Installation of the commercial spyware (images from dTarasov.ru documentation)
The original program required payment. (images from dTarasov.ru documentation)
Questions/Comments?
Mobile Malware Trends

  • 1. Smartphone Ownage: The State of Mobile Botnets and Rootkits Jimmy Shah Antivirus Researcher
  • 2. Smartphone Ownage: The State of Mobile Botnets and Rootkits2 Contents • Who we are • Mobile malware • Definitions • Mobile Botnets • Mobile Rootkits
  • 3. Smartphone Ownage: The State of Mobile Botnets and Rootkits3 Who we are
  • 4. Smartphone Ownage: The State of Mobile Botnets and Rootkits4 Who we are • Mobile Antivirus Researchers • My team and I specialize in mobile malware and threat analysis on existing(J2ME, SymbOS,WM, iPhone OS, Android) and upcoming mobile platforms. • We work with a number of large mobile network operators.
  • 5. Smartphone Ownage: The State of Mobile Botnets and Rootkits5 Mobile malware In the Wild Comparison to PC malware Trends
  • 6. Smartphone Ownage: The State of Mobile Botnets and Rootkits6 In the Wild SymbOS J2ME WinCE Python MSIL VBS Linux 740+ variants
  • 7. Smartphone Ownage: The State of Mobile Botnets and Rootkits7 Mobile malware In the Wild Comparison to PC malware Trends
  • 8. Smartphone Ownage: The State of Mobile Botnets and Rootkits8 Comparison to PC malware PCs Mobile Examples Worms ● SymbOS/Commwarrior family ● MSIL/Xrove.A ● SymbOS/Cabir.A Viruses ● WinCE/Duts.1536 ● SymbOS/Lasco.A Trojan Horses ● J2ME Trojans ● SymbOS Trojans ● WinCE Trojans Spyware ● Commercial spyware – jailbroken/rooted devices ● txbbspy – Blackberry ● PhoneSpy – iPhone
  • 9. Smartphone Ownage: The State of Mobile Botnets and Rootkits9 Mobile malware In the Wild Comparison to PC malware Trends
  • 10. Smartphone Ownage: The State of Mobile Botnets and Rootkits10 Trends – Mobile Malware Lifecycle
  • 11. Smartphone Ownage: The State of Mobile Botnets and Rootkits11 Definitions Botnets Rootkits
  • 12. Smartphone Ownage: The State of Mobile Botnets and Rootkits12 Botnets • Network – Clients - Infected machines, “bots”, “zombies” , “bot clients”, etc. – Server(s) - Command & control, “bot master”, “herd master”, etc. • Uses – Stealing PII, confidential information, etc. – Attacks(DDoS, Spam, phishing)
  • 13. Smartphone Ownage: The State of Mobile Botnets and Rootkits13 Definitions Botnets Rootkits
  • 14. Smartphone Ownage: The State of Mobile Botnets and Rootkits14 Rootkits • Originally used on UNIX systems to assist in gaining/keeping root access – Scripts and rigged binaries • Essentially, rootkits do a few things – Evasion – Reduce or maintain reduced security – Self-Protection First one on the machine wins.
  • 15. Smartphone Ownage: The State of Mobile Botnets and Rootkits15 Mobile Rootkits Examples in the wild Precursors Actual
  • 16. Smartphone Ownage: The State of Mobile Botnets and Rootkits16 SymbOS/Commwarrior Variant Feature Type A-B Delete other malware Self-protection C Copies itself to the memory card Evasion/Self-protection C Self-repair, protection from being deleted Self-protection D Encrypts internal strings Evasion D Infects other programs' installation files Evasion D Deletes Antivirus programs Evasion/Self-protection
  • 17. Smartphone Ownage: The State of Mobile Botnets and Rootkits17 WinCE/Infojack.A • Self-protection – Installing as an autorun program on the memory card – installing itself to the phone when an infected memory card is inserted – protecting itself from deletion, copying itself back to disk • Reduce security/bypass protection – allows unsigned applications to install without warning WinCE/InfoJack is installed with a collection of legitimate games WinCE/InfoJack installs silently along with other applications WinCE/InfoJack installs as an autorun program on the memory card
  • 18. Smartphone Ownage: The State of Mobile Botnets and Rootkits18 Mobile Rootkits Examples in the wild Precursors Actual
  • 19. Smartphone Ownage: The State of Mobile Botnets and Rootkits19 Linux Mobile Phone Rootkits • Rutgers University Researchers Bickford, et al developed a set of mobile rootkits • Perform attacks – Dial attacker on alarm – Dial attacker on SMS – GPS coords. Sent to attacker via SMS – Battery drain attack • Evasion/Self-protection – Evade user-mode detection • Port to N900 in the works Openmoko Neo1973 (Photo Credit: Ryan Baumann)
20. Mobile Rootkits
Future Research
21. Android on iPhone/iPhone Linux
• Spinoff/side project from one of the iPhone dev team developers
• Security reduced
  – Requires jailbroken phone
  – Entirely different OS runs
• Self-protection
  – Custom iBoot designed to load Linux
22. Mobile Botnets
Examples in the wild
Precursors
Actual
23. OSX/iPHSponey.A
• Network communication
  – Exfiltrate data via email
    • Not hardcoded or updated in PoC
• Data gathering (including PII)
  – Acquire data from
    • interesting apps (Safari, YouTube)
    • keyboard cache
24. OSX/RRoll.C / OSX/iPHDownloader.A - “botnet”
• Reduce security
  – Enable phishing via hosts file entry
  – Unlike the previous variant, does not disable sshd
  – Alters password of user 'mobile' (not root)
• Data gathering
  – Attempts to send SMS DB to attacker
• C&C
  – /etc/hosts-changing script downloaded
    • Redirects Dutch bank site to attacker's server
• More of an intended botnet
  – OSX/RRoll.C propagates OSX/iPHDownloader.A, but neither propagates on its own
  – C&C server taken down
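The hosts-file redirection on this slide is easy to audit from the defender's side: a device's hosts file has no legitimate reason to carry an entry for a bank's domain at all. The checker below is an added example written for this page (not code from the presentation or from any vendor tool). The watch-list domain and the hosts-file content are constructed placeholders; the `.invalid` TLD and the 203.0.113.0/24 address are reserved for documentation and never route.

```python
"""Audit an /etc/hosts-style file for entries that override name resolution
for watched (e.g. banking) domains, the tampering described on the slide.
Added example, not the presentation's or any product's code."""
import ipaddress


def parse_hosts(text):
    """Return a list of (ip_address, hostname) pairs.

    Comments (from '#' to end of line) and blank lines are ignored; a line
    whose first token is not an IP address is skipped rather than raising.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a hosts entry
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def matches_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def find_suspicious_entries(text, watch_domains):
    """Return (hostname, ip) pairs for every hosts entry that names a watched
    domain.  Any such entry bypasses DNS for that domain, whether it points
    at an attacker's server (phishing) or at loopback (denial of service),
    so the target address is reported but not used to filter."""
    watched = [d.lower() for d in watch_domains]
    hits = []
    for ip, host in parse_hosts(text):
        if any(matches_domain(host, d) for d in watched):
            hits.append((host, str(ip)))
    return hits


# Constructed sample: a normal hosts file plus two injected entries of the
# kind a hosts-changing script would add.  Placeholder domain and address.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# injected by the constructed sample, not a real bank or server
203.0.113.10   www.example-bank.invalid
203.0.113.10   login.example-bank.invalid
10.0.0.5       printer.lan
"""
WATCH_DOMAINS = ["example-bank.invalid"]  # placeholder watch-list

if __name__ == "__main__":
    for host, ip in find_suspicious_entries(SAMPLE_HOSTS, WATCH_DOMAINS):
        print(f"hosts override for watched domain: {host} -> {ip}")
```

On a real device the watch-list would be the domains of the institutions whose users you protect, and the check would run over `/etc/hosts` (or the platform equivalent) on a schedule, alerting on any hit.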
25. SymbOS/XMJTC - “sexy view” worm
• Self-protection/evasion
  – Signed installation file
    • No warning to user during installation
  – Silent install of updates
    • Kills processes of 3rd-party task managers
• C&C via SMS messages
  – Download and install update from supplied URL
  – Writes a “serial number” to disk
  – Ping the attacker's server/phone via SMS
• Perform attacks
  – Spamming links to malware via SMS
26. “Rise of the iBots: 0wning a telco network”
• Security researchers Collin Mulliner and Jean-Pierre Seifert developed a PoC iPhone botnet
  – Research concentrated on evading detection
• C&C over SMS and P2P network
  – Encrypted commands
• Tested in lab
  – “Installed bot(s) on a number of iPhones in the lab.”
• No “spreading functionality”
  – Experiments were testing the feasibility of the C&C channels
• Presented at the 5th International Conference on Malicious and Unwanted Software (MALWARE 2010)
27. “Rise of the iBots: 0wning a telco network”
Command message layout (field, size in bytes):
Signature Length   ECDSA Signature   Sequence Number   Command Type   Command
1                  <variable>        4                 1              <variable>

Command                  Function
Add phone number(s)      Adds numbers to the forwarding list. Commands are forwarded to all bots on the list.
Set sleep interval       Sets how long the client waits before searching the P2P network for a command
Execute shell sequence   Run a command in the shell (e.g. ls, ping, etc.)
Download URL             Downloads a command file from the botmaster
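An analyst dissecting captured messages in this layout needs a dissector that splits the five fields and rejects truncated frames. The one below is an added example for this page, not code from the iBots paper or the presentation. The slide fixes only the field order and sizes; the byte order of the sequence number (assumed big-endian), the numeric values of the command types (the table in the code is a made-up mapping), and the sample frame are all assumptions. The signature bytes in the sample are filler, so nothing here verifies an ECDSA signature; the dissector only checks that the declared signature length fits inside the frame.

```python
"""Dissector for the iBots command-message layout summarised on the slide:
1 byte signature length, <variable> ECDSA signature, 4 byte sequence
number, 1 byte command type, <variable> command body.
Added example; byte order and type values are assumptions."""
import struct
from dataclasses import dataclass

# Assumed mapping, for illustration only; the slide gives names, not values.
COMMAND_TYPE_NAMES = {
    1: "add phone number(s)",
    2: "set sleep interval",
    3: "execute shell sequence",
    4: "download URL",
}


@dataclass
class CommandFrame:
    signature: bytes
    sequence: int
    command_type: int
    command: bytes

    @property
    def type_name(self):
        return COMMAND_TYPE_NAMES.get(self.command_type, "unknown")


def parse_frame(data):
    """Split a raw message into its fields; raise ValueError if truncated."""
    if len(data) < 1:
        raise ValueError("empty frame")
    sig_len = data[0]
    header_len = 1 + sig_len + 4 + 1  # length byte, signature, seq, type
    if len(data) < header_len:
        raise ValueError("frame shorter than declared signature plus header")
    signature = data[1:1 + sig_len]
    # Assumption: 4-byte unsigned big-endian sequence number.
    (sequence,) = struct.unpack(">I", data[1 + sig_len:1 + sig_len + 4])
    command_type = data[1 + sig_len + 4]
    return CommandFrame(signature, sequence, command_type, data[header_len:])


def is_well_formed(data):
    """True if parse_frame accepts the bytes."""
    try:
        parse_frame(data)
        return True
    except ValueError:
        return False


def build_frame(signature, sequence, command_type, command):
    """Inverse of parse_frame, used only to construct sample input."""
    if len(signature) > 255:
        raise ValueError("signature length must fit in one byte")
    return (bytes([len(signature)]) + signature
            + struct.pack(">I", sequence) + bytes([command_type]) + command)


class ReplayTracker:
    """Flags repeated or out-of-order sequence numbers while walking a
    capture; a duplicate sequence number is a replayed message."""

    def __init__(self):
        self.highest = -1

    def is_fresh(self, frame):
        if frame.sequence <= self.highest:
            return False
        self.highest = frame.sequence
        return True


# Constructed sample frame: filler bytes stand in for a real signature.
SAMPLE_FRAME = build_frame(bytes(70), 7, 4, b"http://example.invalid/cmd")

if __name__ == "__main__":
    f = parse_frame(SAMPLE_FRAME)
    print(f"seq={f.sequence} type={f.type_name} body={f.command!r}")
```

Because the signature precedes the sequence number, a dissector must trust the length byte before it can locate anything else, which is why the bounds check comes first; a malformed length byte is the most likely way a capture gets mis-parsed.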
28. Mobile Botnets
Examples in the wild
Precursors
Actual
29. WeatherFistBadMonkey – iPhone/Android botnet
• PoC created by security researchers
  – Derek Brown and Daniel Tijerina (TippingPoint DVLabs)
• Evasion
  – Performs nominal function – connects to legitimate weather site
• Bot capability
  – Clients available for multiple platforms
    • Jailbroken iPhone
    • Stock Android
• C&C server
  – Spamming
  – Provide reverse shell
  – Perform DDoS
Screenshot: Weather Underground site
30. Rootstrap & Eclipsetrap
• PoC created by security researcher Jon Oberheide of Scio Security
• Evasion
  – Pretends to be “Twilight Eclipse Preview” app
• Updates/Commands
  – Downloads new native binaries regularly
Despite being only nominally a movie preview app and receiving bad reviews, the PoC garnered over 200 downloads.
31. SymbOS/Zitmo.A
• Zeus trojan on the PC puts up a dialog asking for the victim's phone model and mobile number
  – Uses number to send download link to victim
  – Download is a signed installation file pretending to be a “Nokia update”
• Zitmo.A is spyware used to forward incoming SMS to the attacker
  – Unlike other more common Symbian spyware, forwarded SMS are not logged to an account on a central server
32. SymbOS/Zitmo.A, cont.
Command                                    Function
set admin / SET ADMIN                      Setting the C&C phone number (in memory or in the config file) [case-sensitive]
[ON/OFF]                                   Starting/stopping the forwarding of SMS messages
BLOCK [ON|OFF]                             Ignore SMS commands
SET SENDER <number>                        Add sender's number to the forwarding list
ADD SENDER <number1>,…,<number n>
ADD SENDER ALL
REM SENDER <number1>,…,<number n>          Remove specific/all senders' numbers
REM SENDER ALL
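Because Zitmo.A is driven entirely by SMS text, the command grammar in this table doubles as a detection signature: an operator or on-device filter can flag messages that match it. The scanner below is an added example for this page (not the presentation's code and not any AV product's signature); the regular expressions are reconstructed from the table, the phone numbers and message bodies are constructed, and the assumption that each command stands alone in the message body is mine.

```python
"""Flag SMS bodies that match the Zitmo.A control grammar from the slide.
Added example for defenders scanning a message log; constructed samples."""
import re

# One pattern per table row.  The slide marks "set admin"/"SET ADMIN" as
# case-sensitive, so only those two spellings are accepted (an optional
# number may follow).  A "number" here is digits with an optional leading +.
NUMBER = r"\+?\d+"
NUMBER_LIST = rf"(?:ALL|{NUMBER}(?:,{NUMBER})*)"
ZITMO_COMMAND_PATTERNS = [
    ("set_admin", re.compile(rf"^(?:set admin|SET ADMIN)(?: {NUMBER})?$")),
    ("forward_toggle", re.compile(r"^(?:ON|OFF)$")),
    ("block", re.compile(r"^BLOCK (?:ON|OFF)$")),
    ("set_sender", re.compile(rf"^SET SENDER {NUMBER}$")),
    ("add_sender", re.compile(rf"^ADD SENDER {NUMBER_LIST}$")),
    ("rem_sender", re.compile(rf"^REM SENDER {NUMBER_LIST}$")),
]


def classify_sms(body):
    """Return the matching command name, or None for ordinary text."""
    text = body.strip()
    for name, pattern in ZITMO_COMMAND_PATTERNS:
        if pattern.match(text):
            return name
    return None


def scan_log(messages):
    """messages: iterable of (sender, body).  Returns [(sender, command)]
    for every body that parses as a Zitmo.A command; repeated commands
    from one sender are a strong signal that the number is the C&C phone."""
    return [(sender, cmd) for sender, body in messages
            if (cmd := classify_sms(body)) is not None]


def likely_controllers(messages, min_commands=2):
    """Senders that issued at least min_commands commands in the log."""
    counts = {}
    for sender, _cmd in scan_log(messages):
        counts[sender] = counts.get(sender, 0) + 1
    return sorted(s for s, n in counts.items() if n >= min_commands)


# Constructed sample log; numbers are placeholders, not real subscribers.
SAMPLE_SMS = [
    ("+4915100000001", "SET ADMIN +4915100000001"),
    ("+4915100000002", "Dinner tonight?"),
    ("+4915100000001", "ON"),
    ("+4915100000001", "REM SENDER ALL"),
    ("+4915100000003", "Your verification code is 123456"),
    ("+4915100000004", "ADD SENDER +4915100000009,+4915100000010"),
]

if __name__ == "__main__":
    for sender, cmd in scan_log(SAMPLE_SMS):
        print(f"{sender}: {cmd}")
    print("likely C&C numbers:", likely_controllers(SAMPLE_SMS))
```

The bare `ON`/`OFF` row is the noisiest pattern; a real deployment would weight it lower than the multi-token commands and lean on the sender-frequency heuristic to avoid flagging a subscriber who simply texts "OK"-style replies.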
33. SymbOS/Zitmo.A, cont.
• Used for stealing mTAN/mTAC (Mobile Transaction Authorization Number/Code)
  – mTAN/mTAC are not used by all banks
• Not written from scratch
  – Cracked version of commercial spyware “SMS Monitor”
Screenshot captions: Installation of the commercial spyware (images from dTarasov.ru documentation); The original program required payment (images from dTarasov.ru documentation).
34. Questions/Comments?