Billion Dollar Botnets:

Similar documents
Secure Your Mobile Workplace

How Attackers are Targeting Your Mobile Devices. Wade Williamson

Protecting the Infrastructure: Symantec Web Gateway

BEHIND THE SCENES OF A FAKE TOKEN MOBILE APP OPERATION

Big Data in Action: Behind the Scenes at Symantec with the World s Largest Threat Intelligence Data

Dragonfly: Energy Companies Under Sabotage Threat Symantec Security Response

Streamlining Web and Security

Deciphering and Mitigating Blackhole Spam from -borne Threats

Lessons learned: Sinkholing the Zeroaccess botnet. Ross Gibb. Attack Investigations Team Symantec Security Response.

On and off premises technologies Which is best for you?

Securing Endpoints without a Security Expert

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

End to End Security do Endpoint ao Datacenter

Advanced Online Threat Protection: Defending. Malware and Fraud. Andrew Bagnato Senior Systems Engineer


Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

Trust Digital Best Practices

#ITtrends #ITTRENDS SYMANTEC VISION

Product Roadmap Symantec Endpoint Protection Suzanne Konvicka & Paul Murgatroyd

Trend Micro Incorporated Research Paper Adding Android and Mac OS X Malware to the APT Toolbox

Unified Security, ATP and more

IBM WebSphere Application Server Communications Enabled Applications

introducing The BlackBerry Collaboration Service

G Data Mobile MalwareReport. Half-Year Report July December G Data SecurityLabs

Cloud Security Primer MALICIOUS NETWORK COMMUNICATIONS: WHAT ARE YOU OVERLOOKING?

ISB13 Web security deployment options - which is really best for you? Duncan Mills, Piero DePaoli, Stuart Jones

Security strategies to stay off the Børsen front page

Countering Insider Threats Jeremy Ho

Securing the endpoint and your data

Introducing IBM s Advanced Threat Protection Platform

Monitoring mobile communication network, how does it work? How to prevent such thing about that?

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall

/Endpoint Security and More Rondi Jamison

IT TRENDS AND FUTURE CONSIDERATIONS. Paul Rainbow CPA, CISA, CIA, CISSP, CTGA

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Altiris Client Management Suite

Security A to Z the most important terms

Risk and threats everywhere, all the time

IC L10: Seamless Encryption of Data Sync'ing to Dropbox Using Symantec File Share Encryption

Reversing Android Malware

SR B17. The Threat Landscape Continues to Change: How are You Keeping Pace? Dean Turner

MOBILE MALWARE REPORT

Agenda. John Veldhuis, Sophos The playing field Threats Mobile Device Management. Pagina 2

A Critical Investigation of Botnet

Cyber intelligence in an online world

The Mobile Malware Problem

Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite

Smartphone Pentest Framework v0.1. User Guide

CYBERCRIMINAL IN BRAZIL SHARES MOBILE CREDIT CARD STORE APP

BYOD: Should Convenience Trump Security? Francis Tam, Partner Kevin Villanueva, Senior Manager

How To Get A Cloud Service For A Small Business

Hong Kong Information Security Outlook 2015 香 港 資 訊 保 安 展 望

ENTERPRISE VAULT 9.0 FEATURE BRIEFING

Microsoft Security Intelligence Report volume 7 (January through June 2009)

Direct virtual machine creation from backup with BMR

Integrating MSS, SEP and NGFW to catch targeted APTs

EV Feature Briefing

Symantec Intelligence Report: February 2013

The webinar will begin shortly

Choosing Between Managed Security Services or In-house SIEM? Consider the Benefits of both!

Mobile Malware Network View. Kevin McNamee : Alcatel-Lucent

Instant Recovery for VMware

MTP. MTP AirWatch Integration Guide. Release 1.0

ASEC REPORT VOL AhnLab Monthly Security Report. Malicious Code Trend Security Trend Web Security Trend

IBM Security re-defines enterprise endpoint protection against advanced malware

Abila Nonprofit Online. Connection Guide

Security.cloud Configuring DLP on to your flow and applying security to your hosted deployment

Symantec Managed Security Services The Power To Protect

Web. Paul Pajares and Max Goncharov. Connection. Edition. ios platform are also at risk, as. numbers via browser-based social.

Cisco Protects Internal Infrastructure from Web-Based Threats

Lecture Embedded System Security A. R. Darmstadt, Introduction Mobile Security

Components. Key features

Securing the Mobile App Market

Securing OS Legacy Systems Alexander Rau

Protecting against Mobile Attacks

Security Intelligence Services.

Symantec Mobile Management for Configuration Manager

Android Commercial Spyware Disease and Medication

Symantec Mobile Management 7.2 MR1Quick-start Guide

CITADEL TROJAN OUTGROWING ITS ZEUS ORIGINS

Better Together: Microsoft Office 365 & Symantec Office 365

NUIT Tech Talk. Peeking Behind the Curtain of Security. Jeff Holland Security Vulnerability Analyst Information & Systems Security/Compliance

Junos Pulse for Google Android

CA Service Desk Manager - Mobile Enabler 2.0

Enterprise Mobile Security Survey

BOTNETS. Douwe Leguit, Manager Knowledge Center GOVCERT.NL

Acronis Backup & Recovery 11.5 Quick Start Guide

A number of factors contribute to the diminished regard for security:

Symantec Advanced Threat Protection: Network

Cloud Based Secure Web Gateway

How To Secure An Rsa Authentication Agent

Cisco Advanced Services for Network Security

A number of factors contribute to the diminished regard for security:

Best Practices for a BYOD World

What s New with Enterprise Vault 11? Symantec Enterprise Vault 11 - What's New?

Learn about each tool in parental controls and find out how you can use them to secure you and your family.

Securing Your Software for the Mobile Application Market

Dr. David Turahi Director for IT&IMS - MOICT Uganda

Transcription:

Billion Dollar Botnets: An Examination of the Current Trend in Android Botnets Cathal Mullaney Senior Software Engineer @threatintel Symantec Security Response 1

Presentation agenda 1 2 Android botnets overview Bmaster botnet in-depth 3 4 Bmaster revenue generation Demonstration of C&C infrastructure Symantec Security Response 2

Introduction Android Botnets Trending on devices now MDK Botnet 1 million active infections. Android.Bmaster Botnet with a lot of telemetry! Symantec Security Response 3

Android Malware 3 rd Party markets with lax security. Proliferation of smart phones. Simple to write Trojanized applications. Simple to write powerful malware. Android program model suited to writing low profile Daemon processes. Symantec Security Response 4

Just install my malware already! Screen capture taken from thehuffpost UK Comedy - http://www.huffingtonpost.co.uk Symantec Security Response 5

Android Malware Simple to make revenue from infected devices. Permissions are quickly becoming software EULA. Charging for one or two transactions a day may not be noticed immediately. Mobile banking applications are on the increase. *Looking at you Hesperbot! Symantec Security Response 6

Android.Bmaster Ghost in the (mobile) machine. @threatintel Symantec Security Response 7

2 Trojanised APK downloaded to victim s phone. 1 Smartphone user contacts app store. 4 C&C sends Exploit/RAT 3 Trojanised APK registers with C&C. Symantec Security Response 8

Hosted/Spammed on 3rd party, Chinese, Android market place Legitimate software trojanized with the malware. Infected 3 rd party software Trojanized applications are a common infection vector Trojanized application was a loader/downloader for the larger botnet/exploit program. Symantec Security Response 9

Seems legit... But actually... Bmaster Loader 1 Registers with C&C 2 Exploits Device 3 Installs Malware 4 Tracks Phone 5 Charges user Symantec Security Response 10

1 After decryption malware contacts the remote URL, downloads and executes the GingerBreak exploit. 2 Exploit may fail, but regardless the malware will then attempt to download a RAT (Remote Administration Tool). 3 4 RAT registers with CnC, Depending on configuration Assigned to a channel. Main functionality is for revenue generation. Symantec Security Response 11

Return of the RAT Registered three main services and several intent filters/broadcast receivers. Services used to generate revenue for the Botmaster. Send an SMS to a number. Connect to a URL. Connect to an IVR. Poll the C&C for new commands. Intent filters to capture/block SMS messages received, outgoing calls made and boot of the compromised device. Among many others. Symantec Security Response 12

3 Infected device is charged and attacker gets paid. 1 C&C Issues command to device. 2 Device contacts premium services Symantec Security Response 13

C&C Server Communication between device and server using KSOAP. Poorly secured servers. Server contained a complete C&C infrastructure interface. Maintained data on infected devices. Infection rates. Successful Revenue generation. A complete picture of the Botnet and potential revenue generation emerged. Symantec Security Response 14

Android Botnet Judging by available timestamps we estimated the Botnet operating from September 2011 to present? C&C infrastructure went dark. Infected devices numbered in the hundreds of thousands. All devices that were capable of revenue generation were stored for potential activation. Sleeper cell phones. Symantec Security Response 15

Revenue Generation All infected devices broken up into channels. Channels allowed the Botnet master to control huge amounts of devices by issuing a few commands. Revenue is generated by sending SMS to premium numbers, contacting PPV websites and premium telephony services (voice chat lines). The Botnet master can also configure how many times per day these services are contacted (default to three). Symantec Security Response 16

Botnet management interface demonstration. Symantec Security Response 17

Conclusions Android malware is simple to disseminate to a wide user base. Huge new markets for Malware writers emerging. Potential revenue in the millions of dollars. Entering the age of the billion dollar Botnet. Real question is: Why wouldn t malware writers target aggressively? Symantec Security Response 18

Questions? Symantec Security Response 19

Thank you! Copyright 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Symantec Security Response 20

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information