Smartphones Botnets

Ehab B. Ashary

Univ. of Colorado at Colorado Springs

CS691 Summer 2011

Email: eashary@uccs.edu

Abstract


Botnets are one of the most serious security threats to the Internet and to personal computer users, since they can be used to launch more sophisticated attacks such as sending spam email, carrying out DDoS attacks, and stealing information. Moreover, the popularity of smartphones, which store more personal data and have more capabilities than earlier generations of phones, is growing rapidly. Botnets are therefore expected to move towards the mobile domain, where they would cause privacy leakage, extra charges, and reduced battery life.

This paper provides an overview of botnet attacks on smartphones and outlines some of the defense techniques against this type of attack.


1. Introduction


Mobile phones now hold a number of features that make them both valuable and very vulnerable. A common smartphone security concern is their communication channels: they expose more attack vectors than traditional PCs, including SMS/MMS, Bluetooth, WiFi, web browsers and email. Moreover, they hold sensitive personal information, which can include contacts, the address book, financial information, the current location and more. In addition, they can run third-party code and applications, which expand their capabilities. This unique nature and these vulnerabilities make smartphones a prime target for malware and other attacks.

Cabir, the first malicious code for smartphones, appeared in 2004. It was written as a proof-of-concept virus by a group of virus writers called 29A. Its main goal was to demonstrate that it was possible to infect smartphone operating systems and applications with viruses, in this case Symbian OS.



Later on, more damaging malware and viruses appeared that could spread massively to any phone via Bluetooth and SMS, for example Mosquito [4], Duts [12], Pbstealer [14], and more.

2009 was dominated by new variants of known malware. One of the most notable was Ikee.A, the first worm for jailbroken iPhones. Once it infected a device, it changed the wallpaper to an image of Rick Astley. It infected an estimated 21,000 victims within about a week.

Two weeks after the Ikee.A incident, on 18 November, a new piece of malware appeared that included command and control logic to place all infected iPhones under the control of a botmaster. The botmaster was able to execute shell commands on all infected iPhone bot clients, which were programmed to poll a Lithuanian C&C server at 5-minute intervals for new control logic. This malware, named Ikee.B, was designed to conduct financial fraud and to steal the victim's SMS database.

During the first quarter of 2011, as the popularity of Android phones continued to grow around the world, Android was the second most popular environment for mobile malware after the Symbian platform [8].

This paper highlights the danger that smartphone botnets could bring. Section 2 discusses the various attack vectors for compromising and controlling smartphones. Section 3 provides some guidelines and protection mechanisms, and Section 4 concludes.


2. Smartphone Botnets Design


Botnet design requires two main components: (1) techniques to spread the bot code to smartphones, and (2) a communication channel between the bots and their master through which commands are issued. This section briefly overviews the methods that can be used to propagate malicious code and then focuses on the different command and control approaches that can be used to control the botnet.

2.1. Propagation Methods


The two main methods used to propagate malicious code to smartphones are propagation through user interaction and vulnerability exploits.

Current smartphones have frequent access to the Internet and are therefore a target for social engineering attacks. In other words, spam emails and MMS messages with malicious attachments, or spam emails and SMS messages with embedded links pointing to malicious websites, can easily find their way onto the victim's smartphone. Without enough knowledge, smartphone users are likely to download and execute the malicious code. Bluetooth is another propagation method: attackers can use Bluetooth to search for nearby devices and try to send them malicious files.

Exploiting vulnerabilities is another common method, since numerous vulnerabilities have been discovered by the research community and could be used by attackers to propagate their botnets. For example, Collin Mulliner [9] discovered a method to inject SMS messages into iPhone, Android, and Windows Mobile devices without using the carrier network. Another iPhone vulnerability was discovered in August 2010 by an iPhone exploit developer; it is known as Star or JailbreakMe 2.0. This exploit can jailbreak all Apple products running iOS firmware versions from 3.1.2 to the then-current 4.0.1. JailbreakMe is a remote, browser-based jailbreak that uses two security vulnerabilities [15]: the first uses a corrupted font embedded in a PDF file to gain arbitrary code execution, and the second is a kernel vulnerability that escalates that code execution to root privileges. In other words, any iOS mobile device that opens such a crafted PDF file from a website, email, SMS or Apple's iBooks can be automatically jailbroken [1].

Whatever method is used, the main goal is to infect the victim’s smartphone and take control of it.


2.2. Command and Control


Command and control (C&C) is the most challenging part of botnet design, since it is the botmaster's control channel. The C&C channel has to be stealthy and resilient to the publicly known defense techniques such as DNS sinkholes, IP blacklists and C&C server shutdown. On smartphones the main challenges are connectivity, power consumption, communication cost, and computational power. In addition, smartphones have many ways to communicate, such as WiFi, Bluetooth, SMS, and packet data service, which have to be considered when designing a smartphone botnet.

This section discusses the different command and control approaches.


2.2.1. SMS Based Approach


There are many advantages to using SMS as a C&C channel. First, SMS is the most widely used data application on mobile phones: 74% of all mobile phone users send and receive messages on their phones [16]. Moreover, SMS can easily hold commands for offline bots. For example, if a phone is turned off, its SMS messages are stored in the service center and delivered, with the embedded commands, once the phone is turned back on. On the other hand, telecom operators can easily monitor SMS messages, and messages may cost money. Sending too many messages will get the botnet detected on both the service provider side and the user side. In addition, SMS has a limited payload, which limits the data that can be collected from the victim's smartphone.

Collin Mulliner and Jean-Pierre Seifert [10] proposed several methods to build mobile botnets, among them an SMS-only C&C and an SMS-HTTP hybrid C&C, in which an encrypted and signed command file is uploaded to a website and its URL is distributed via SMS. Jingyu Hua and Kouichi Sakurai [3] proposed another SMS-based mobile botnet using a flooding algorithm. In their design, they show that a command can be covertly propagated to over 90% of the 20,000 bots within 20 minutes, even though each bot sends no more than four SMS messages.


2.2.2. Peer-To-Peer Based Approach


In the P2P approach, communication is between peers without the need for a central server. The botmaster takes advantage of these nodal systems by using them to deliver infections or instructions directly to any smartphone connected to the network via packet data service. In a traditional P2P-based botnet, an infected smartphone regularly initiates an IP connection to the P2P network in order to check for new instructions from its master. However, IP-based communication has the side effect of draining the smartphone battery, which carries a significant risk of detection.

In Collin Mulliner and Jean-Pierre Seifert's [10] P2P botnet, Kademlia [11] was chosen as the protocol and Overnet as the P2P network to join, instead of building their own P2P network. Another piece of research, by Yuanyuan Zeng and others [18], also recommends P2P as the C&C channel, but instead of IP-based P2P they propose using SMS to implement a Kademlia-like P2P network. The drawback is that too many SMS messages have to be sent in order to build such a network.



2.2.3. Bluetooth Based Approach


In this approach, botnet commands are propagated via Bluetooth when infected mobile phones move into each other's radio range.

Kapil Singh and others evaluated the use of Bluetooth as a medium for botnet command and control [13]; according to their simulations, a command can only reach two thirds of the bots even after 24 hours.


2.2.4. WiFi Based Approach


In this approach, the botnet is infected and controlled wirelessly by making use of the built-in wireless driver present in most current smartphones.

Dimitrios Damopoulos and others [2] built their airborne, self-propagating botnet on jailbroken iPhones, using a modified version of the open source Star exploit. Andbot is another HTTP/WiFi-based approach on Android smartphones that is based on the naming convention of Domain Flux. In a Domain Flux scheme, bots must hard-code a public key and a domain generation algorithm. Bots try to connect to the generated domains one by one and download a command file, and then authenticate the downloaded command file using the hard-coded public key.


3. Defense Strategies


This section discusses different protection strategies and detection methods that can protect smartphones from being abused.

3.1. Anti-virus and Anti-Malware


Anti-virus and anti-malware applications are a well-known solution already used on other platforms. Such a signature-based solution provides low false positives. However, it only detects known malware. In addition, it needs continuous updating and consumes power.

3.2. Firewall


Firewalls are another solution that could be used to limit Internet-based attacks to and from other networks. However, a firewall will not protect against attacks via SMS/MMS, Bluetooth, email, or the browser.

3.3. IDS/IPS


Host-based intrusion detection systems include an agent that collects various features from the device and then applies machine learning algorithms to classify the behavior of the system in order to detect anomalies. For example, Kim [6] and Liu [7] examined power anomaly monitoring, which detects malware by observing the extra power consumption caused by malicious behavior. This detection technique is based on the assumption that greedy malware keeps repeating its power-consuming behavior. Another solution is based on a user challenge message whenever a third-party application attempts to send any outgoing communication, e.g. SMS/MMS/Bluetooth [5][17].
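As an added illustration of the power-anomaly idea (this is not code from Kim or Liu), the following Python script scores per-interval battery drain against a clean baseline and flags a device only when the excess consumption repeats, which is exactly the assumption above; the drain figures are constructed.

```python
from statistics import mean, pstdev

# Constructed sample: battery drain per 5-minute idle interval (mW).
# The first 12 intervals are a clean baseline; afterwards a hidden process
# polls the network almost every interval, raising idle consumption.
SAMPLES_CLEAN = [42, 40, 45, 41, 43, 39, 44, 42, 40, 43, 41, 44]
SAMPLES_INFECTED = SAMPLES_CLEAN + [70, 68, 73, 41, 72, 69, 74, 71]


def baseline(samples, n):
    """Mean and population std-dev of the first n intervals (training phase)."""
    window = samples[:n]
    return mean(window), pstdev(window)


def anomalous_intervals(samples, n, k=3.0):
    """Indexes (>= n) of intervals whose drain exceeds mean + k * stddev."""
    mu, sigma = baseline(samples, n)
    return [i for i, s in enumerate(samples[n:], start=n) if s > mu + k * sigma]


def detect_greedy(samples, n, k=3.0, min_run=3, window=4):
    """Flag only when anomalies repeat: at least min_run anomalous intervals
    inside any sliding window of `window` intervals. A single spike (user
    sync, a long call) is tolerated; a process that keeps repeating the
    behaviour is not."""
    flagged = set(anomalous_intervals(samples, n, k))
    for start in range(n, len(samples) - window + 1):
        if len(flagged & set(range(start, start + window))) >= min_run:
            return True
    return False


if __name__ == "__main__":
    print("infected:", detect_greedy(SAMPLES_INFECTED, 12))
    print("one spike:", detect_greedy(SAMPLES_CLEAN + [90, 42, 41, 43], 12))
```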

3.4. Application Protection


Two of the most common application protection techniques, implemented by Android, BlackBerry, iPhone, Symbian, and Windows, are sandboxing and application signing.

Sandboxing implements a computing environment within another computing environment. The virtual machine provides resources and behaves as if it were running directly on the hardware, although it is fully contained by the host system. Moreover, the host prevents the guest from accessing critical files or data on the host system.

In application signing, all installed applications must be digitally signed with a certificate whose private key is held by the application's developer. All applications must be signed, since the system will not install an application that is not signed. The main goal of application signing is to identify the code as coming from a specific source. On the other hand, it cannot guarantee that the code is free of security vulnerabilities or that a program will not load unsafe code or plug-ins during execution. Moreover, the author of the program can sign with a self-generated certificate without involving a Certificate Authority (CA).

I believe application signing should be enhanced by adding an application trust level. Once a programmer finishes his/her program, and before it is posted on the application market, the application should be signed and the number of used services should be checked; based on that, the application is assigned a trust level (e.g., allowed to initiate outgoing network connections, send SMS/MMS/email, or use any other defined services). Whenever the application is installed, its certificate is validated. If the application is not signed, the installation is terminated. If there is a valid certificate, then the trust level is checked. If the trust level is correct, then the software is installed and monitored. Whenever the approved application tries to change its trust level, it should be stopped from running and reported to the application market so that others cannot download it. I believe this mechanism can be used to help protect against botnet attacks. However, it requires each application to be signed by a CA and approved by an authorized application market.
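To make the proposed trust-level scheme concrete, the following Python model (added here, not part of the original paper) walks through market-side trust-level assignment and signing, the device-side installation checks, and the runtime check that stops an application using a service outside its level. The CA signature is stood in for by an HMAC over the manifest with a constructed key, and the service names and level table are assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the CA's signing key. A real market/CA would sign with
# a private key and devices would verify with the matching public key; HMAC is
# used only to keep this example self-contained.
CA_KEY = b"constructed-ca-key"

# Assumed trust levels: each level is the set of sensitive services an app may use.
TRUST_LEVELS = {
    0: set(),
    1: {"network"},
    2: {"network", "sms", "mms", "email"},
}


def assign_trust_level(declared_services):
    """Market side: lowest trust level whose services cover the declared set."""
    for level in sorted(TRUST_LEVELS):
        if set(declared_services) <= TRUST_LEVELS[level]:
            return level
    raise ValueError("declared services exceed every defined trust level")


def _canonical(manifest):
    return json.dumps(manifest, sort_keys=True).encode()


def sign_manifest(app_id, services, key=CA_KEY):
    """Market side: record the services an app uses, assign its level, sign it."""
    manifest = {"app": app_id, "services": sorted(services),
                "trust_level": assign_trust_level(services)}
    return manifest, hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def install(manifest, signature, key=CA_KEY):
    """Device side: unsigned or tampered manifests and inconsistent levels are refused."""
    if signature is None:
        return "rejected: unsigned"
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return "rejected: invalid certificate"
    if manifest["trust_level"] != assign_trust_level(manifest["services"]):
        return "rejected: trust level mismatch"
    return "installed"


def monitor(manifest, used_service):
    """Runtime check: a service outside the app's level stops it and reports it."""
    if used_service in TRUST_LEVELS[manifest["trust_level"]]:
        return "allowed"
    return "stopped and reported to market"
```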




4. Conclusion


Security researchers have shown that attacks against smartphones are feasible. Moreover, security experts are finding a growing number of threats that target smartphones. Even though none of the attacks has yet done extensive damage in the wild, it is only a matter of time before this happens. Therefore, practical solutions should be supported and implemented before it is too late.

5. References

  1. Comex. Star. https://github.com/comex/star
  2. Damopoulos, D.: iSAM: An iPhone Stealth Airborne Malware
  3. Hua, J., Sakurai, K.: A SMS-Based Mobile Botnet Using Flooding Algorithm
  4. informIT website. http://www.informit.com/articles/article.aspx?p=327994
  5. Jeter, L., Mani, M., Reinschmid, T.: Smart Phone Malware: The danger and protective strategies
  6. Kim, H., Smith, J., Shin, K.G.: Detecting energy-greedy anomalies and mobile malware variants
  7. Liu, L., Yan, G., Zhang, X., Chen, S.: VirusMeter: Preventing your cellphone from spies
  8. McAfee Threats Report: First Quarter 2011
  9. Mulliner, C.: Fuzzing the Phone in your Phone
  10. Mulliner, C., Seifert, J.P.: Rise of the iBots: 0wning a telco network
  11. Maymounkov, P., Mazières, D.: Kademlia: A Peer-to-peer Information System Based on the XOR Metric
  12. SearchMobileComputing website. http://searchmobilecomputing.techtarget.com/tip/Is-malware-coming-to-a-smartphone-near-you
  13. Singh, K., Sangal, S., Jain, N., Traynor, P., Lee, W.: Evaluating Bluetooth as a Medium for Botnet Command and Control
  14. Symantec website. http://www.symantec.com/security_response/writeup.jsp?docid=2006-010315-4838-99
  15. Technical analysis on iPhone jailbreaking. http://community.websense.com/blogs/securitylabs/archive/2010/08/06/
  16. Wikipedia: The free encyclopedia. http://en.wikipedia.org/wiki/SMS
  17. Xie, L., and others: Designing System-level Defenses against Cellphone Malware
  18. Zeng, Y., Hu, X., Shin, K.G.: Design of SMS Commanded-and-Controlled and P2P-Structured Mobile Botnets

