The document discusses the growing threat of mobile botnets and their potential to infect smartphones on a massive scale. It outlines how existing Android and Symbian botnets have infected over a million devices and describes how future mobile botnets could utilize SMS and hijacked phone functions like tethering to spread. The presentation warns that without security improvements to platforms, smartphones risk becoming "mini ISPs" that amplify botnet attacks. It advocates restricting phone functions and revealing only device IDs to prevent proliferation of these "pocket botnets".
1. UISG Conference #7
The Pocket Botnet
Jart Armin
HostExploit – CyberDefcon
DeepEnd Research Org
Kiev – Ukraine – USIG
December 2011
2. Specialist international team via HostExploit and CyberDefcon that provides cybercrime analysis and quarterly reports on all the world’s hosts and Internet servers.
Quarterly series of Top 50 Bad Hosts & Networks.
CSF (Cyber Security Foundation)
Team member of DeepEnd Research
UISG Conference #7 - Jart Armin
UNICRI, ENISA, APWG
4. Overview
Botnets - Problem? What Problem?
The Market
Mobile Malware
The Pocket Botnet
5. Botnets in General - A Problem – What Problem?
Currently around 5,720 measurably active botnets
• IRC (still around 30%), Jabber, I2P, P2P, HTTP, mini, Pocket Botnet
DDoS, RFI, vulnerability scanning, spam, phishing, malware, data exfiltration…. APT
Covert channels
Bad guys & gray guys?
6. Smartphone Market Oct 2011 (a)
468 million units by the end of 2011, a rise of 60% compared with 2010 (296m)
9. Smartphone Shipping – 2010 / 2015
PC Ref: Est. 500m PCs sold in 2011, and 2 billion PCs in use around the world in 2015
10. Mobile Security Habits – Oct 2011
• People choose convenience over security practices
• Towards 50% use them to connect to banks or financial accounts
• 97% use them to connect to email accounts, either work or personal
• 87% of phones are not supplied by an employer
• One third leave apps/accounts constantly logged in
• Best example – reported as a major hack against the USA – a US SCADA contractor (Illinois water authority) logging in and maintaining data via his mobile phone while on a trip to Egypt & Russia!!!
16. Pocket Botnet Takedown – US Telco & GG tracker
GG tracker (abusing premium SMS by malware)
• Signup via website, SMS used to authenticate
• Subscriber pays $9.99 / call
• Operator pays SMS aggregator
• Aggregator pays to content provider
• Content provider pays spammers etc.
• Around 30,000 victims mid 2011
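The GG Tracker chain above begins with an SMS exchange the victim never sees: the malware texts the premium service and answers its confirmation. As an added example (not from the presentation), this Python heuristic correlates outbound SMS to premium short codes with the confirmation message that follows, over a constructed device log. The log format, the 'ui' origin tag, the 4-6 digit short-code pattern and the 60-second reply window are assumptions, not facts stated in the slides.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the presentation). Each line:
# <epoch-seconds> <IN|OUT> <peer number> <origin> <text>
# origin is 'ui' when the user's messaging app handled the message,
# otherwise the package name of the background app that did.
SAMPLE_LOG = """\
1320000000 OUT 55555 com.example.freewallpaper SUB
1320000005 IN  55555 com.example.freewallpaper Reply YES to confirm your $9.99 subscription
1320000006 OUT 55555 com.example.freewallpaper YES
1320000100 OUT +14155550100 ui see you at 6
1320000200 IN  +14155550100 ui ok
1320000300 OUT 44444 ui STOP
"""

# Assumption: premium-rate services are addressed by 4-6 digit short codes.
SHORT_CODE = re.compile(r"^\d{4,6}$")
REPLY_WINDOW = 60  # seconds: a human rarely answers a confirmation this fast

def parse(log):
    """Turn the log text into (ts, direction, peer, origin, text) tuples."""
    events = []
    for line in log.splitlines():
        ts, direction, peer, origin, text = line.split(None, 4)
        events.append((int(ts), direction, peer, origin, text))
    return sorted(events)

def detect(log, window=REPLY_WINDOW):
    """Return (peer, origin, reason) findings for GG Tracker-style behaviour."""
    findings = []
    by_peer = defaultdict(list)
    for ev in parse(log):
        by_peer[ev[2]].append(ev)
    for peer, evs in by_peer.items():
        if not SHORT_CODE.match(peer):
            continue  # ordinary person-to-person traffic is out of scope
        # 1. A background app, not the user, texted a premium short code.
        for _, direction, _, origin, _ in evs:
            if direction == "OUT" and origin != "ui":
                findings.append((peer, origin, "background app sent SMS to short code"))
                break
        # 2. The short code's confirmation request was answered automatically,
        #    i.e. the app completed the SMS authentication on the user's behalf.
        for prev, cur in zip(evs, evs[1:]):
            if (prev[1] == "IN" and cur[1] == "OUT" and cur[3] != "ui"
                    and cur[0] - prev[0] <= window):
                findings.append((peer, cur[3], "confirmation SMS answered automatically"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

A user sending STOP to a short code from the messaging app produces no finding, so the check keys on who sent the message and how fast the confirmation was answered, not on short codes alone.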
17. Pocket Botnet, another method to infect the PC?
Note: recent SpyEye banking SMS hijacking (blended threat)
23. The Pocket Botnet - Discussion
• With market growth the main target is increasingly Android, but all OSes are vulnerable
• Different from PC-based botnets: shorter-lived, but they spread like wildfire
• The ‘free app’ syndrome, similar to the PC ‘fake A/V’ syndrome
• Telcos have an advantage in striking back, but in the China Telecom example the only method was to block and take down C&Cs / download servers
24. Action Perspective
• The main effort for manufacturers is to prevent smartphones from becoming mini ISPs / re-broadcasting hubs.
• Avoid the unit becoming a router and using PPP (Point-to-Point Protocol), whether through “mgetty” or similar commands, or through Microsoft Windows RAS (Remote Access Service).
• Best if the platform reveals the phone number of the device only to the smartphone’s modem
• Issue an IPv6 address and a public encryption key for each smartphone
25. The Pocket Botnet
Contact presenter at jart@cyberdefcon.com if you have further interest:
CyberDefcon – Cybercrime Clearing House & Early Warning Coalition
DeepEndResearch.org - fostering collaborative security research and analysis efforts
UNICRI - United Nations Interregional Crime and Justice Research Institute
ENISA - the European Network and Information Security Agency
The opinions hereby expressed are those of the Authors and do not necessarily represent the ideas and opinions of the United Nations, the UN agency “UNICRI”, ENISA, ENISA PSG, nor others.
26. Useful Community Sources
• Eicar 2011 - New type of threat: Mobile botnets on Symbian - Cao Yang, Zou Shihong, Li Wei
• Niebezpiecznik (Pl) http://niebezpiecznik.pl/post/zeus-straszy-polskie-banki/
• Collin Mulliner and Jean-Pierre Seifert IEEE (Fr)
http://mulliner.org/collin/academic/publications/ibots_MALWARE2010.pdf
• Georgia Weidman ShmooCon
http://www.grmn00bs.com/GeorgiaW_Smartphone_Bots_SLIDES_Shmoocon2011.pdf
• AnserverBot - AnserverBot_Analysis.pdf
• HostExploit (hosts)
• DeependResearch.org (botnets+)
• Contagio.Blogspot (mobile malware samples)
• Commercial: Trend Micro, Damballa, Lookout Mobile Security, Symantec