How to pwn
a Russian Android botnet
by Dima
Odessa, Jul 18, 2015
The story
● Interview at the security lab of a big, world-famous
company
● Technical “homework”: reverse engineering
of an Android malware sample. “Find out everything you
can!”, they said.
Steps
1. Reversing the malware
2. Analyzing the malware’s network protocol
3. Hacking the malware’s command & control
server
4. Identifying the hacker
Reversing the malware
Step number uno :)
Reversing the malware
The malware at first glance
● It can’t install itself without the user’s help: the
user has to download and install the APK
manually…
● ...that’s why the APK is disguised as another-very-
useful-Google-service application :)
Reversing the malware
The malware at first glance
● It steals the user’s SMS, contacts and accounts
(from the Android Account Manager)
● It sends SMS/USSD from infected devices
● It DDoSes websites from infected devices
● It controls infected devices as a device
admin
Reversing the malware
IT’S PART OF A BOTNET AND
IT IS NOT DETECTED
BY MOBILE/DESKTOP AV SOFTWARE
OR VIRUSTOTAL :(
Reversing the malware
The malware code at first glance
● written in Java, obfuscated;
● contains no native methods;
● it is full of mistakes :)
Reversing the malware
The malware permissions
● INTERNET and ACCESS_NETWORK_STATE – Internet access
● READ_CONTACTS and GET_ACCOUNTS – access to user accounts (in the Account
Manager) and contacts
● READ_PHONE_STATE – access to internal system information: device ID, IMEI, device
vendor name, etc.
● SEND_SMS, RECEIVE_SMS, READ_SMS – access to the user’s SMS
● CALL_PHONE – making phone calls
● SEND_RESPOND_VIA_MESSAGE – allows the malware to ask other
applications to handle the respond-via-message action during incoming calls
● READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE – R/W access to
external storage
● RECEIVE_BOOT_COMPLETED and WAKE_LOCK – start the malware as soon as the OS
has booted (autorun) and keep the malware running even when the device goes to sleep
Reversing the malware
The most important malicious components
● Main (Activity) - the main activity. It is started each time the user taps the malicious
APK’s icon. It starts the DataRegisterService and OutSms services. Then it shows a fake “Google
Service” alert to the user (just because the user probably expects to see something).
● DataRegisterService (Service) - the service is started by the Main activity or the LoaderReceiver
receiver. It registers the infected Android device on the malware server. If the device is
already registered on the server, the service does nothing. Also, it sets alarms for the
ConnectChecker and AdminBroadcast receivers.
● LoaderReceiver (Receiver) - the receiver is started after an Android reboot. It starts the
DataRegisterService and OutSms services. Also, it starts DeviceAdminActivity if j.u
(isAdmin) is false.
● OutSmsListner (Receiver) - once a minute the receiver checks the list of SMS sent by the
user. If it finds any new SMS (here “new” means “new since the last check”) in the list, it
sends them to the server one by one.
Reversing the malware
The most important malicious components
● ConnectChecker (Receiver) - the receiver is started periodically by the repeating 3-hour
alarm set by DataRegisterService. Every 30 seconds the receiver requests a command
from the malware server.
● AdminBroadcast (Receiver) - the receiver is started periodically by the repeating 3-hour
alarm set by DataRegisterService. The receiver starts the DeviceAdminActivity activity if the j.u
(isAdmin) flag is not set.
● OutSms (Service) - the service is started by the Main activity and the LoaderReceiver receiver. It
creates a one-minute-repeating pending intent that calls the OutSmsListner receiver.
● DeviceAdminReceiverS (Receiver) - the receiver is started by the OS after
DeviceAdminActivity has tried to trick the user into adding the malware to the device
administrators. The receiver reports the result to the malware server and changes the j.u
(isAdmin) flag depending on the result.
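The permission list and the component list above are exactly what a first static pass over a sample's manifest gives you. The following Python script is an added example, not code from the talk or from the sample it analyses: it parses a constructed AndroidManifest.xml, extracts the permission set and the registered receivers, and flags the capability combinations the slides describe (SMS theft plus an exfiltration channel, identity harvesting, boot persistence, a device-admin receiver). The manifest is invented for the example; the receiver names mirror the slides' component names, and the BOOT_COMPLETED and DEVICE_ADMIN_ENABLED actions and the BIND_DEVICE_ADMIN permission are standard Android identifiers that the slides do not mention, so their presence in this sample's manifest is an assumption.

```python
"""Static triage of an Android manifest for the capability set the talk describes.

Added example, not code from the talk or from the sample it analyses.
The manifest below is constructed; receiver names follow the slides.
"""
from collections import defaultdict
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed manifest carrying the permission set listed on the slides.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake.googleservice">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.SEND_RESPOND_VIA_MESSAGE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application android:label="Google Service">
        <receiver android:name=".LoaderReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".DeviceAdminReceiverS"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Permission combinations that together yield a capability the slides describe.
RISKY_COMBOS = {
    "sms-theft-with-exfil": {P + "READ_SMS", P + "RECEIVE_SMS", P + "INTERNET"},
    "sms-sending": {P + "SEND_SMS"},
    "identity-harvesting": {P + "GET_ACCOUNTS", P + "READ_CONTACTS", P + "READ_PHONE_STATE"},
    "boot-persistence": {P + "RECEIVE_BOOT_COMPLETED", P + "WAKE_LOCK"},
}


def parse_manifest(xml_text):
    """Return (permissions, receivers); receivers maps class name -> set of
    intent-filter actions, plus the marker 'BIND_DEVICE_ADMIN' when the
    receiver is protected by that permission (how a device-admin receiver is declared)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    receivers = defaultdict(set)
    for rcv in root.iter("receiver"):
        name = rcv.get(ANDROID_NS + "name")
        receivers[name].update(a.get(ANDROID_NS + "name") for a in rcv.iter("action"))
        if rcv.get(ANDROID_NS + "permission") == P + "BIND_DEVICE_ADMIN":
            receivers[name].add("BIND_DEVICE_ADMIN")
    return perms, dict(receivers)


def triage(xml_text):
    """List the capability findings for one manifest, sorted for stable output."""
    perms, receivers = parse_manifest(xml_text)
    findings = [label for label, needed in RISKY_COMBOS.items() if needed <= perms]
    for name, actions in receivers.items():
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings.append("boot-receiver:" + name)          # LoaderReceiver's role
        if "android.app.action.DEVICE_ADMIN_ENABLED" in actions and "BIND_DEVICE_ADMIN" in actions:
            findings.append("device-admin-receiver:" + name)  # DeviceAdminReceiverS's role
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST):
        print(finding)
```

The combinations matter more than any single permission: READ_SMS alone is common in legitimate apps, but READ_SMS plus RECEIVE_SMS plus INTERNET in an app that also registers a boot receiver and a device-admin receiver is the profile of the sample on the slides, and that is what the triage output should make visible at a glance.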
Reversing the malware
Malware lifecycle: first start (simplified)
● The Main activity shows a fake this-is-a-Google-
service message box
● The DataRegisterService service registers the
infected device on the malware’s command
& control center
Reversing the malware
Malware lifecycle: first start (simplified)
● The OutSmsListner receiver steals the user’s SMS
and does background checks (once a minute)
for new SMS to steal them as well
● The ConnectChecker receiver does background
checks (every 30 seconds) for a new command
from the command & control center
Reversing the malware
Malware lifecycle: first start (simplified)
● The AdminBroadcast receiver starts
DeviceAdminActivity, which uses the
android.app.action.ADD_DEVICE_ADMIN
intent to ask the user for Device Admin
permissions (available on Android > 2.1)
Reversing the malware
(Text of the fake prompt, translated from Russian:) For the security of the device, Google Play
requires administrator privileges.
Analyzing the malware’s
network protocol
Step number zwei
Analyzing the malware’s protocol
The protocol at first glance
● it runs over HTTPS
● it uses JSON for sending data / receiving
commands
● it does not encrypt or sign the traffic itself
(it relies on the transport alone)
Analyzing the malware’s protocol
Posting data to the malware C&C center (headers)
● Method: POST
● URL: <domain>/marry4/set/<DeviceID>/
● Custom headers: no
Analyzing the malware’s protocol
Posting data to the malware C&C center (body)
type=<request type>
json={ "<key1>": <value1>,
"<key2>": <value2>,
...
"<keyN>": <valueN> }
Analyzing the malware’s protocol
Answer from the C&C center:
● {'registred':'complited'} (this means “got your
request, have no commands for you at the
moment”)...
● ...or a command for the infected device (see the
next slides)
Analyzing the malware’s protocol
Asking the C&C center for a command
● Method: GET
● URL: <domain>/marry4/get/<DeviceID>/
● Custom headers: no
Analyzing the malware’s protocol
Answer from the C&C center:
● {'registred':'complited'} (this means “got your
request, have no commands for you at the
moment”)...
● ...or a command for the infected device (see the
next slides)
Analyzing the malware’s protocol
A command from the C&C center (format):
{ 'type':task, 'task':
  [ "<Task type>", <DeviceID>,
    < ...data for the task (depends on the task) ... > ]
}
Analyzing the malware’s protocol
A command from the C&C center (example):
{'type':task, 'task': ["sms",359930048604909,"900","BALANCE","2014-03-27T15:33:00+04:00","0e205bf823a00ac9e900b116d99f1b561b167b92"]}
Legend (in array order):
● "sms" - task type
● 359930048604909 - DeviceID
● "900" - number to send the SMS to
● "BALANCE" - SMS text
● "2014-03-27T15:33:00+04:00" - date
● "0e205bf823a00ac9e900b116d99f1b561b167b92" - unique ID of the task
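Everything the protocol slides give away (the fixed /marry4/set/ and /marry4/get/ URL shape with the DeviceID in the path, the 30-second polling of the ConnectChecker receiver, the {'registred':'complited'} idle reply and the task-array layout) is enough to both recognise the traffic on the wire and decode what the C&C is telling a bot. The Python below is an added example, not code from the talk or the malware: it scans constructed proxy log lines for the C&C URL pattern, flags devices whose /get/ polls arrive at a fixed 30-second cadence, and parses a C&C answer into the fields of the legend above. The log lines, the host cnc.example.invalid and the client addresses are invented; full URLs in the log assume a TLS-inspecting proxy, since the real protocol runs over HTTPS. The slides print the server's answer with single quotes and an unquoted task token, so the parser accepts that notation as well as strict JSON; that the server really emits it that way is an assumption.

```python
"""Spotting the bot's C&C traffic and decoding its commands.

Added example, not code from the talk. Uses only what the slides state:
the URL pattern, the 30 s polling, the idle reply and the task layout.
Log lines and hostnames are constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# URL shape from the slides: <domain>/marry4/set/<DeviceID>/ and .../get/<DeviceID>/
C2_URL = re.compile(r"/marry4/(?P<op>set|get)/(?P<device_id>\d+)/")

# Constructed proxy log: time client method url status
SAMPLE_LOG = """\
2014-03-27T15:32:00+04:00 10.0.0.5 GET https://cnc.example.invalid/marry4/get/359930048604909/ 200
2014-03-27T15:32:30+04:00 10.0.0.5 GET https://cnc.example.invalid/marry4/get/359930048604909/ 200
2014-03-27T15:33:00+04:00 10.0.0.5 GET https://cnc.example.invalid/marry4/get/359930048604909/ 200
2014-03-27T15:33:05+04:00 10.0.0.5 POST https://cnc.example.invalid/marry4/set/359930048604909/ 200
2014-03-27T15:33:10+04:00 10.0.0.7 GET https://www.example.invalid/index.html 200
"""

# The idle reply and the command exactly as printed on the slides (lines re-joined).
NO_COMMAND = "{'registred':'complited'}"
EXAMPLE_COMMAND = ("{'type':task, 'task': [\"sms\",359930048604909,\"900\",\"BALANCE\","
                   "\"2014-03-27T15:33:00+04:00\",\"0e205bf823a00ac9e900b116d99f1b561b167b92\"]}")


def find_c2_requests(log_text):
    """One dict per log line whose URL matches the C&C pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, method, url, _status = parts
        m = C2_URL.search(url)
        if m:
            hits.append({"time": datetime.fromisoformat(ts), "client": client,
                         "method": method, "op": m.group("op"),
                         "device_id": m.group("device_id")})
    return hits


def beaconing_devices(hits, period=30.0, tolerance=5.0, min_intervals=2):
    """Device IDs whose /get/ polls repeat at a fixed period (the slides: every 30 s)."""
    polls = defaultdict(list)
    for h in hits:
        if h["op"] == "get":
            polls[h["device_id"]].append(h["time"])
    flagged = []
    for device_id, times in polls.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if sum(abs(g - period) <= tolerance for g in gaps) >= min_intervals:
            flagged.append(device_id)
    return sorted(flagged)


def _load_lenient(raw):
    """Strict JSON first; otherwise the single-quoted, bare-'task' notation the
    slides show (assumption about the server's real output)."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        fixed = raw.replace("'", '"')
        fixed = re.sub(r'"type"\s*:\s*task\b', '"type":"task"', fixed)
        return json.loads(fixed)


def parse_command(raw):
    """None for the idle reply, otherwise a dict keyed like the legend on the slide."""
    obj = _load_lenient(raw)
    if obj.get("type") != "task":
        return None  # {'registred':'complited'} or anything unexpected
    task_type, device_id, *data = obj["task"]
    cmd = {"task_type": task_type, "device_id": device_id, "data": data}
    if task_type == "sms" and len(data) == 4:  # layout from the "sms" example
        cmd["number"], cmd["text"], cmd["date"], cmd["task_id"] = data
    return cmd


if __name__ == "__main__":
    hits = find_c2_requests(SAMPLE_LOG)
    print("beaconing devices:", beaconing_devices(hits))
    print("decoded command:", parse_command(EXAMPLE_COMMAND))
```

The beaconing check is the piece that survives a change of domain: even if the operator moves the C&C and renames the script, a client that fetches the same path every 30 seconds with a 15-digit identifier in it stands out in proxy telemetry, whereas the literal /marry4/ string only catches this one campaign.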
Hacking the malware’s
command & control
server
Step number 3 ;-)
Hacking the C&C center
Our first move: we feed malformed URLs and data to the
C&C server; after several tries, we crash it
Hacking the C&C center
Now we know two important things:
● The exact script URL is
<domain>/ontasks.php
● On the server, the PHP setting
display_errors is enabled, so script errors are
shown in the browser
Hacking the C&C center
Our second move: call the script directly
Hacking the C&C center
As a result, we learn that the script needs base
and imei (probably script parameters).
Hacking the C&C center
Our third move: call the script directly with an arbitrary base
parameter
Hacking the C&C center
We crashed the script again, but this time we
got a login/password :)
Well, OK, how do we use it?
Hacking the C&C center
Let’s just try the most commonly used
subdomains: mail.*, ftp.*, etc.
Are we lucky?
Hacking the C&C center
YES, WE ARE!
:)))))))))))
Hacking the C&C center
With the login/password we enter the C&C control panel...
Hacking the C&C center
...and the C&C center database
Hacking the C&C center
Some facts about the botnet’s frontend:
● The botnet started in Nov 2013
● The botnet is not the first attempt, but probably
the most successful one
● The botnet’s frontend is written in
PHP+MySQL
Hacking the C&C center
Some facts from the botnet’s database:
● Over 50 000 active infected devices, mostly
from the ex-USSR
● Over 1 000 000 stolen user SMS (including
passwords and two-factor authentication (TFA) SMS)
● Traces of at least 3 massive DDoS attacks
carried out with the botnet
Hacking the C&C center
SMS examples (passwords):
● Your login: 79123248600nYour new password:
92pubelunYour request to restore access to your
page on the VKontakte site has been approved.
● Access to the site mp3poisk.ru: login - fkiwpxgf, password -
lRe4XXrj
● To access the "MegaFon" self-service web services,
use login: 9285693647 and password:
XOSBHG.
Hacking the C&C center
SMS examples (passwords to porn sites):
● Access to the site blontex.net: login - j26445, password – 10752
● Access to russiangirlsvideo.com: login 160528 and password
11264
● Access to the site mobzoneoo.com: login - upopuamd, password
- JL28qOJa
Hacking the C&C center
SMS examples (love correspondence):
● I love you, you are the best for me, I hope everything
will be f...ing great for us... I can’t live without you anymore )*****
● Aah.:* my darling, my bald happiness, I love
you;*)
● I’m not a pervert :-( I love you very much :-*
Hacking the C&C center
SMS examples (Crimea, SMS from a contract soldier
from Russia):
● Hi. Already in Crimea, but we haven’t reached the place yet. Troops
are being massed. We’re also heading to the border.
● Simfer[opol] State Duma. Airports. Telegraphs. Heading into Crimea
by sea, ships .. 160k troops. Urals, choppers,
Cossacks. That’s all... In Khokhlandia it’s Banderites and bandits. They’re asking
NATO to intervene
Hacking the C&C center
SMS examples (drugs):
● I wanted to give you some drugs but now you sure as hell won’t get any
● Whoever I owe, I forgive you all :-) And quit calling me
about drugs
● Misha, I still need to talk to you about the weed you
brought and smoked!!!! Do you want a fight?
Identifying the hacker
The last step
“Bad boys, bad boys, what you gonna do?
What you gonna do when they come for
you?” --
Identifying the hacker
● Male, 29 y.o., not married
● Russian, lives in Siberia
● PhD student in Computer Science
● No criminal record
● Full name, phone, email, home address and
photo are KNOWN!
Finally, what was left out?
● Details that could compromise the privacy of the
customer and/or the hacker (thanks for your
understanding!)
● Hacking the hacker’s email, his sites in the i2p
‘darknet’, and other related accounts
● The ‘economics’ of the botnet: prices, black-market
cash-out, etc.
P.S.
AT THE BEGINNING OF APRIL 2014 THE
BOTNET WAS DESTROYED ;)
