Smartphone Botnets Ehab Ashary CS691-Summer 2011 University of Colorado, Colorado Springs Dr. C.Edward Chow Ehab Ashary


Page 1: Smartphone Botnets

Ehab Ashary, CS691, Summer 2011, University of Colorado, Colorado Springs. Dr. C. Edward Chow.

Page 2: Introduction

• A botnet (also known as a zombie army) is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions to other computers on the Internet. Any such computer is referred to as a zombie 


Page 3: Introduction

Page 4: Introduction

• Most bot software uses one of three protocols for herder-bot communication, the “Command and Control (C&C)” channel:

– Internet Relay Chat (IRC)

– HTTP

– Peer-to-Peer (P2P): communication between peers without the need for a central server; herders take advantage of these nodal systems by using them to deliver infections or instructions directly to any computer connected to the network


Page 5: Do we need to worry about our phones?

• Cell phones are used for the same functions and have the same capabilities as PCs.

• Smartphones are rapidly replacing feature phones. Analyst predictions state that by 2012, 65% of all cell phone sales will be smartphones.

• Usually they contain lots of sensitive information, like a list of contacts, text messages, a calendar of our schedule, emails, our current position.

• While most PCs have at least some security software in place, smartphones commonly do not have any security software installed.


Page 6: Do we need to worry about our phones?

• “As the smartphone sales is predicted to outdo the PC sales by 2012, mobile devices are expected to become even better cybercrime targets in the near future” (Trend Micro Monthly Report, February 2011)

• “The Google Android Market – the Android equivalent of Apple's iTunes – has been subverted by a range of infected versions of legitimate apps, which have been downloaded by as many as 200,000 smartphone users.” (Android Police portal)


Page 7: The main players

Page 8: Going back in time

Ikee.A: changes the wallpaper to Rick Astley


Page 9: Command and Control (C&C)

• C&C is the most challenging part of botnet design, since it is the control channel for the botmaster. It needs to be:

– Robust against attack

– Stealthy

– Low-cost (i.e., low battery power consumption, low traffic consumption and low monetary cost)

• Major paths for C&C:

– SMS/MMS-based approach

– Peer-to-Peer approach


Page 10: Command and Control (C&C)

• Major paths for C&C:

– Local wireless-based (WiFi/Bluetooth) approach

– Hybrid approach

• Mobile botnet payloads:

– Data / identity theft

– DoS against a single cell or cell area

– DoS against an emergency number

– DoS against a company hotline

– SMS flooding


Page 11: Security Features of Mobile Operating Systems

• Sandboxing

– Sandboxing, or virtualization, implements a computing environment within another computing environment.

– The virtual machine provides resources and acts as if it were running directly on hardware, though it is fully contained by the host system.

– The host prevents the guest from accessing critical files and data on the host system.


Page 12: Security Features of Mobile Operating Systems

• Application Signing

– All installed applications must be digitally signed with a certificate whose private key is held by the application's developer.

– All applications must be signed; the system will not install an application that is not signed.

– Signing ensures the integrity of the code, that is, that it has not been altered.

– Signing identifies the code as coming from a specific source (the developer or signer).

– It can’t guarantee that the code is free of security vulnerabilities.

– It can’t guarantee that a program will not load unsafe or altered code, such as untrusted plug-ins, during execution.


Page 13: Security Features of Mobile Operating Systems

Page 14: Introducing SpyPhone

Page 15: An analysis of the iKee.B (duh)

• In early November 2009, Dutch users of jailbroken iPhones in T-Mobile's 3G IP range began experiencing extortion popup windows.

– Jailbroken iPhones had been configured with a secure shell (SSH) network service with a known default root password of 'alpine'.

• Around the week of 8 November, a second iPhone malware outbreak began in Australia.

– It converted the iPhone into a self-propagating worm.

– It succeeded in infecting an estimated 21,000 victims within about a week.

– Ashley Towns was subsequently offered a job by a leading Australian software company, Mogeneration.


Page 16: An analysis of the iKee.B (duh)

• Two weeks after the iKee.A incident, on 18 November:

– The new malware included command and control (C&C) logic to place all infected iPhones under the control of a botmaster.

– The botmaster was able to upload and execute shell commands on all infected iPhone bot clients.

– Very simple HTTP-based C&C: each bot is programmed to poll a Lithuanian C&C server at 5-minute intervals for new control logic (iPhone shell scripts).

– The main payload was to steal the SMS database.
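The fixed 5-minute polling described above is itself a detection signal: a phone that contacts the same host at almost exactly the same interval, hour after hour, stands out from human browsing. The following added example is not from the slides or from the iKee.B analysis; the log format, the hostnames and the addresses are constructed, and the thresholds are my own choices.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound HTTP connection records (not real iKee.B
# traffic): "<timestamp> <source phone IP> <destination host>". One phone
# contacts the same host every 300 s with small jitter; the other browses
# at irregular times.
SAMPLE_LOG = """\
2009-11-20T10:00:02 10.0.0.5 c2.example.invalid
2009-11-20T10:01:10 10.0.0.7 news.example.invalid
2009-11-20T10:05:01 10.0.0.5 c2.example.invalid
2009-11-20T10:07:45 10.0.0.7 shop.example.invalid
2009-11-20T10:10:03 10.0.0.5 c2.example.invalid
2009-11-20T10:15:02 10.0.0.5 c2.example.invalid
2009-11-20T10:20:00 10.0.0.5 c2.example.invalid
2009-11-20T10:23:30 10.0.0.7 news.example.invalid
2009-11-20T10:25:04 10.0.0.5 c2.example.invalid
2009-11-20T10:41:12 10.0.0.7 news.example.invalid
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, dst = line.split()
        series[(src, dst)].append(datetime.fromisoformat(stamp))
    return series


def find_beacons(text, period=300, tolerance=15, min_hits=5):
    """Return (src, dst, mean_gap_seconds) for every pair whose gaps between
    consecutive connections cluster tightly around `period` seconds.

    A pair must have at least `min_hits` connections, a mean gap within
    `tolerance` of `period`, and a standard deviation no larger than
    `tolerance`; irregular human browsing fails the last two conditions.
    """
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits.append((src, dst, mean(gaps)))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} polls {dst} every {gap:.0f} s")
```

Legitimate mail and push clients also poll on fixed timers, so a hit is a triage lead to be checked against the destination's reputation, not proof of infection on its own.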


Page 17: An analysis of the iKee.B (duh)

• Installation Logic

• Propagation Logic

• Botnet Control Logic


Page 18: Installation Logic

• Generates a random ID for the bot client

• Installs the preference files

• Compresses all SMS messages on the local iPhone into a single archive

• Changes the default SSH password from 'alpine' to a new fixed password value


Page 19: Propagation Logic

Page 20: Botnet Control Logic

It has been reported that iKee.B was used to monitor and redirect Dutch ING Direct customers to a phishing site to steal user account information.


Page 21: iSAM: An iPhone Stealth Airborne Malware

• Jailbreaking allows users to create and execute third-party software without an official SDK from Apple.

• It can also bypass the SIM lock.

• Jailbreaking or unlocking is legal as long as it obeys copyright law. In July 2010, the United States government and the new Digital Millennium Copyright Act (DMCA)

• The jailbreak software installs a version of Cydia and an SSH server.

• JailbreakMe is a remote, browser-based jailbreak that uses two security flaws:

– The first uses a corrupted font embedded in PDF files that allows arbitrary code execution.

– The second uses a vulnerability in the kernel to escalate the code execution to unsandboxed root privileges.

– Once Cydia is installed on the iPhone, any file with the “.deb” extension stored in the folder “/var/root/Media/Cydia/AutoInstall”


Page 22: iSAM: An iPhone Stealth Airborne Malware

• Once the PDF is opened, a dynamic library (dylib) named “installui.dylib” provides the graphical interface and downloads from the corresponding website a file named “wad.bin”.

• After that it proceeds to jailbreak the iOS and install Cydia using a second dylib named “install.dylib”.

• The file “wad.bin” is a binary file that contains any type of data; in this case it contains the “install.dylib” and the Cydia package.


Page 23: iSAM: An iPhone Stealth Airborne Malware

• iSAM consists of a main daemon written in Objective-C

• Six subroutines written as Objective-C functions

• iSAMScanner is activated during the device boot

• iSAMUpdate is activated once per day and only if an Internet connection is available

• The remaining four subroutines are activated once per week, at random times.

Page 24: iSAM: An iPhone Stealth Airborne Malware

• They decided to pack their malware as a Debian package.

• It was necessary to modify the source file “installui.m”, which is used to build the dylib named “installui.dylib”, to deactivate all displayed graphical interfaces, making the exploit behave stealthily.

• They inject their malware into “wad.bin”. This means that once the jailbreaking procedure ends, Cydia and their malware will both be installed on the iPhone.

• iSAM infection methods:

– iSAMScanner

– iSMSBomber


Page 25: iSAM: An iPhone Stealth Airborne Malware

• iSAMScanner: Scan, Connect, Infect

– The infector downloads the iSAM.deb package to the directory “/private/var/root/” of the target device.

– The infector installs the package using the command

dpkg -i --refuse-downgrade --skip-same-version iSAM.deb

• iSAMUpdate: Update, Command, Control

– Every time iSAMUpdate is activated, it retrieves some useful information from the device and sends it as a text message to iSAMS, to be stored in the local database.

– The message consists of the iSAM version, the Unique Device Identifier (UDID), the IP address of the iPhone's WiFi connection and the GPS coordinates, as long as GPS is enabled:

– {version016||3bdf7jc607h1j7te441sc02f5h5j6229db66hh63||62.217.70.167||26.700039||37.794186}
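A defender who sees this beacon layout can recognise it in an outbound SMS queue or in carrier-side message logs. The following is an added example, not part of the slides or of the iSAM paper: the parser, the field names and the sample messages are my own, built from the single sample above, and the 40-character UDID length and the "versionNNN" prefix are assumptions taken from that sample rather than from a published specification.

```python
import ipaddress
import re

# Beacon layout shown on the slide: {version||UDID||IP||coord||coord},
# fields joined by "||". Assumed from the one sample: a "version" prefix
# followed by digits, and a 40-character lowercase alphanumeric UDID.
BEACON_RE = re.compile(
    r"\{(?P<version>version\d+)\|\|(?P<udid>[0-9a-z]{40})\|\|"
    r"(?P<ip>[\d.]+)\|\|(?P<c1>-?\d+\.\d+)\|\|(?P<c2>-?\d+\.\d+)\}"
)


def parse_beacon(text):
    """Parse one iSAMUpdate-style beacon.

    Returns a dict of fields, or None when the text is not a well-formed
    beacon (wrong layout, invalid IP address, or a coordinate outside
    [-180, 180]). The slide does not say which coordinate is latitude,
    so both are kept as a pair in slide order.
    """
    m = BEACON_RE.fullmatch(text.strip())
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    coords = (float(m["c1"]), float(m["c2"]))
    if any(abs(c) > 180 for c in coords):
        return None
    return {"version": m["version"], "udid": m["udid"],
            "ip": str(ip), "coords": coords}


def scan_messages(messages):
    """Return (index, parsed_beacon) for every message that carries a beacon."""
    hits = []
    for i, msg in enumerate(messages):
        beacon = parse_beacon(msg)
        if beacon is not None:
            hits.append((i, beacon))
    return hits


# Constructed sample queue: the slide's beacon between an ordinary text
# and a malformed look-alike whose UDID is too short.
SAMPLE_MESSAGES = [
    "See you at 7?",
    "{version016||3bdf7jc607h1j7te441sc02f5h5j6229db66hh63||62.217.70.167||26.700039||37.794186}",
    "{version016||short||62.217.70.167||26.700039||37.794186}",
]

if __name__ == "__main__":
    for idx, b in scan_messages(SAMPLE_MESSAGES):
        print(f"message {idx}: beacon from UDID {b['udid']} via {b['ip']}")
```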


Page 26: iSAM: An iPhone Stealth Airborne Malware

• iCollector: Gathers Private Information from the Device

– The iPhone stores all the user’s data in SQLite databases and plist files without providing any encryption mechanism to secure their contents.

– iCollector stores them in a new database named iCollection.db.

• iSMSBomber: Sends Malicious SMS Messages in Stealth Mode

– Silently sends 1000 malicious SMS messages.

– iSMSBomber makes an SQL query to the iPhone’s address book database to retrieve telephone numbers from the user's contacts, or uses random numbers beginning with the standard “003069” digit sequence.

– Message text: “Hello, how are you? I have found an interesting website: 195.251.166.50 - Please send it to all!”

Page 27: iSAM: An iPhone Stealth Airborne Malware

• iDoSApp: Denial of Application Service

– One of the main iOS applications is SpringBoard, which manages the iOS home screen by displaying the icons of all available applications, starts the WindowServer, and launches and bootstraps other applications.

– SBApplicationIcon is a system function responsible for the behavior of all icons displayed by SpringBoard.

– Every time the user touches an application icon, a launch message is sent to SBApplicationIcon to load the application.

– In this case, once iDoSApp is activated, it blocks all launch messages that are sent to SBApplicationIcon, causing a DoS.

• iDoSNet: Denial of Network Services

– The aim of the iDoSNet subroutine is to cause a DoS by deactivating all communication services for, say, 30 seconds.


Page 28: How to eat an apple…

• Tools:

– Nmap

– PuTTY / SSH Secure Shell client

– WinSCP


Pages 29-31: How to eat an apple…

Page 32: How to eat an apple…

root: alpine

mobile: alpine

Don’t forget to change both of them.


Pages 33-35: How to eat an apple…

Page 36: Defenses

• Anti-malware

– Pros: Well-known; extensively used on other platforms; low false positives.

– Cons: Detects only known malware; not effective at this time on mobile devices; requires frequent updates.

• Firewall

– Pros: Well-known; extensively used on other platforms; highly effective.

– Cons: Will not protect against attacks via the browser, email, Bluetooth, or SMS/MMS.

• IDS/IPS

– Pros: May detect new and isolated attacks; may be adapted easily to any task.

– Cons: May consume high resources; high miss rate and false positive rate.


Page 37: Defenses

• Permissions management application.

• Data encryption.

• Application certification and trust level.

• No more default root passwords, PLEASE!


Page 38: References

• Rise of the iBots: 0wning a telco network

• iPhone Privacy, Black Hat DC 2010

• iSAM: An iPhone Stealth Airborne Malware

• An Analysis of the iKee.B iPhone Botnet

• Google Android: A State-of-the-Art Review of Security Mechanisms


Page 39: Questions