

Mobile botnets: an economic and technological assessment

Maarten Van Horenbeeck
maarten@daemon.be


Abstract

In a number of markets, mobiles seem poised to overtake desktop and laptop computers as the preferred way of connecting to the internet. As with all technology, popularity can be a driver for new functionality and business value. When this leads to new technology such as internet banking, there is incentive for criminals to abuse these technologies for monetary gain.

In wired networking, a recent evolution has been the surge in botnets, which are large groups of internet connected hosts under control of a single attacker. This paper reviews the business case for an attacker to start pursuing a mobile computing-enabled botnet. In addition, a vulnerability assessment is completed of current mobile infrastructure, both on the network and on the Mobile Equipment itself, which identifies the vulnerability to this threat. Finally, it reviews which measures need to be taken both 'in the cloud' and on the device to prevent mass mobile botnets from arising.

Keywords: Mobile; Botnet; Malicious code; Virus; Malware


Introduction: Botnets and malicious code distribution

Over the last ten years, a significant evolution has taken place in the appearance of organized computer crime using malicious code. This evolution can be tracked by looking at the intended functionality of code involved, and the effects it attempts to generate within a target population.

During the late 80s and nineties, computer crime dominantly consisted of the distribution of computer viruses and the obvious defacement of websites. Neither action often led to direct monetary gain for the cracker, but they helped him build out an online reputation. It was very much a social event.

Recently, however, there has been a significant increase in the employment of criminal use of information technology with as direct goal to garner funds. This change has become visible across the board:
In addition, major changes regularly take place in what type of information is most valuable to an attacker. Initially, credit card numbers were a popular target, but the recent appearance of specific Trojans for on-line games such as World of Warcraft shows that accounts for these types of applications are also in demand.

In such a volatile environment, a mechanism that would assist in updating the actual malicious code installed on a compromised client was needed. This would allow an attacker to regularly refocus his information theft efforts to obtain maximum gain from his malicious code deployment.

A botnet, defined by the Honeynet project as a 'network of compromised machines that can be remotely controlled by an attacker' (Bacher, Holz et al, 2005), is a solution that allows this type of functionality. In a botnet, machines that are compromised will attempt to get in touch with the attacker, also known as the botherder, and await his commands. The botherder is then able to remotely control which information is being acquired by the malware, or he can use each individual infected host as a drone to assist in infecting additional machines through the transmission of spam or by scanning the network and attacking vulnerable services.

The connection between botnet member and herder can be set up in many ways. Initially, IRC was a popular means of control. Each individual machine would connect to a specific IRC network, join a specific password-protected channel and await commands from the botherder, who is also active on the channel. This way, the botherder could issue a command to download additional features from a server under his control.

Recently, new methods of connection have been utilized. IRC, while a flexible and scalable connection method, has some distinct disadvantages. Competing botnet herders may be able to garner control over the IRC channel, thereby stealing control over the botnet from its original controller. In addition, IRC traffic uses a specific port and protocol which is easy to identify from a network perspective. Two major alternatives under consideration are the use of instant messaging (IM) clients and peer to peer networks. The first has the significant advantage that certain IM protocols can be tunnelled over HTTP, so that the traffic stands out less on the network. The second adds the ability to distribute commands gradually instead of on a one-to-one basis between control server and infected host.

To date, botnets have predominantly consisted of fixed machines, generally on end user, ISP or university networks. Due to the additional filtering taking place in a corporate context, which would have prohibited the use of the IRC ports, these networks are likely to have so far been affected to a more limited degree.

In order to assess to what degree mobile devices, such as mobile phones and PDAs, are likely to be affected by this phenomenon, a number of critical questions need to be answered. These involve establishing a valid business model and assessing the requirements for mobile botnet deployments, as well as establishing whether the technology is in fact equally or perhaps even more vulnerable than wired computer installations.

A valid business model for mobile botnet deployments

Generally, crackers will not be interested in investing time and effort in extending their attack software to support these devices unless these would either endanger their business model or allow significant opportunity to increase profits. Recent industry analysis has indicated that mobile phones are 'poised to overtake the PC as the dominant internet platform in some markets' (IPSOS, 2006). The study specifically makes this prediction for France, the UK and Japan, based on very high mobile phone ownership combined with an active interest in accessing the internet from these devices.

At this point in time, most information stored on mobile devices is still synchronized with desktop PCs. This means that an attacker can still gain access to most confidential information such as e-mail by compromising a desktop machine. However, should this prediction come to fruition, it would be likely that some information is exclusively stored on the mobile devices themselves. As the device is always available, it would make sense to store potentially sensitive calendar or password information purely on this device.

Another evolution of interest is the rise of internet banking on mobile devices. Many banks, such as Nationwide in the UK, now allow mobile internet banking through a WAP website from a PDA or mobile phone (Nationwide, 2007). Many banks have also started an SMS banking program, which allows clients to perform banking transactions through the use of the short message system (BankIslam, 2007).

These latter systems generally work through the deployment of an SMS server at the mobile provider, which exchanges transactions with an SSL enabled web server running at the bank (Shetty, 2005). While the transaction from mobile provider to the bank is as such protected against attacks on confidentiality and integrity, security of the actual short message between the mobile device and the cell phone provider depends on the security features the provider chooses to deploy. Average deployments seem to consist of no more than a cyclic redundancy check in combination with the IA5 encoding format (Nichols, Lekkas, 2002). More importantly, there is no end-to-end encryption between the mobile user and the banking application. Solutions such as Secure SMS have been developed (Chikomo, Chong et al., 2005) but are not yet in widespread use.
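The point that a cyclic redundancy check gives no integrity protection against deliberate change, as opposed to a keyed check, can be shown in a few lines. The following is an added example written for this page, not code from the paper or from any SMS banking product; the message text, the key and the frame layout (IA5 payload followed by a CRC-32 or an HMAC-SHA256 tag) are constructed for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample SMS-banking instruction in the 7-bit IA5 (ASCII) set;
# the account number, amount and PIN are made up for this example.
ORIGINAL_SMS = "TRF 100.00 TO 1234567890 PIN 4321"
SHARED_KEY = b"constructed-demo-key-shared-with-bank"  # hypothetical pre-shared key


def ia5_encode(text: str) -> bytes:
    """Encode as IA5 (7-bit); reject anything outside the character set."""
    data = text.encode("ascii")
    if any(b > 0x7F for b in data):
        raise ValueError("text is not representable in IA5")
    return data


def crc_frame(text: str) -> bytes:
    """Payload + CRC-32: the checksum-only protection the paper describes."""
    payload = ia5_encode(text)
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def crc_frame_valid(frame: bytes) -> bool:
    payload, crc = frame[:-4], int.from_bytes(frame[-4:], "big")
    return zlib.crc32(payload) == crc


def mac_frame(text: str, key: bytes) -> bytes:
    """Payload + HMAC-SHA256: an end-to-end integrity check keyed by a secret."""
    payload = ia5_encode(text)
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def mac_frame_valid(frame: bytes, key: bytes) -> bool:
    payload, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def alter_crc_frame(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Change the payload in transit. The CRC needs no secret, so whoever
    modifies the message simply recomputes it and the receiver's check passes."""
    payload = frame[:-4].replace(old, new)
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def alter_mac_frame(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Same change on the HMAC frame. Without the key no valid tag can be
    produced, so the old tag is carried over and verification fails."""
    return frame[:-32].replace(old, new) + frame[-32:]


def compare_protections() -> dict:
    """Whether the receiver accepts each frame after the amount is changed."""
    crc_ok = crc_frame(ORIGINAL_SMS)
    mac_ok = mac_frame(ORIGINAL_SMS, SHARED_KEY)
    crc_altered = alter_crc_frame(crc_ok, b"100.00", b"900.00")
    mac_altered = alter_mac_frame(mac_ok, b"100.00", b"900.00")
    return {
        "crc_original_accepted": crc_frame_valid(crc_ok),
        "crc_altered_accepted": crc_frame_valid(crc_altered),
        "hmac_original_accepted": mac_frame_valid(mac_ok, SHARED_KEY),
        "hmac_altered_accepted": mac_frame_valid(mac_altered, SHARED_KEY),
    }


if __name__ == "__main__":
    for check, accepted in compare_protections().items():
        print(f"{check}: {accepted}")
```

The HMAC only helps if the key is shared between the handset application and the bank, which is exactly the end-to-end relationship the paper notes is missing from typical SMS banking deployments.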

In cases where additional network encryption applies to SMS, it could still be possible for an attacker to intercept text messages by introducing a malicious base station into a specific area. However, such an attack would only cover a limited area which is likely to contain an even more limited number of SMS banking users. An attack focusing on the mobile end points, in comparison, would be targeted and more difficult to detect and trace. Even where applications would use end-to-end encryption between a Java banking application on the mobile device and the banking provider, a client-side attack could still prove effective.

Vulnerability of mobile technology against these threats

The vulnerability of mobile technologies and protocols against this new threat needs to be understood. Are they more or less protected than wired machines against the different components of these types of botnet-based attacks?

In order to assess vulnerability, one would first need to consider a complete botnet implementation as an end-to-end system. An evaluation of each component of that system against existing hardware would offer better understanding of the threat.

The use of botnets consists of four major components:
  1. Infection of a machine with malicious botnet code;
  2. Connection to the command & control channel set up by the attacker;
  3. Downloading of secondary payload on command of the attacker;
  4. Performing an attack or additional scanning, gathering information.
These events usually happen sequentially, with a loop between the attack execution and the command & control channel. For example, data gathered during a scan initiated by the secondary payload may be transferred back to the attacker through the command & control channel, or a new command may be triggered through the command & control channel to have the host download and execute additional attack payload.



A typical example of this type of botnet-enabled malicious code is SDBot. This family of Trojan horses has been observed dating back to 2002. Its main code does not actively attack other machines, but merely installs on the local system and builds a connection to an Internet Relay Chat (IRC) server where it joins fellow infected machines. Upon connecting, it then listens for commands by the human responsible for the distribution of the malicious code. This user then has the ability to dynamically update the Trojan's code, perform distributed denial of service attacks and have system information delivered (Symantec, 2002).

The modularity of this type of malicious software makes it highly difficult to combat. Initially distributed by e-mail, this type of software is now often installed through use of compromised websites and certain browser vulnerabilities. Once the e-mail vector became more protected, by internet service providers offering malicious code scanning and, perhaps more importantly, by blocking executables attached to e-mail, attackers changed methodology to use a vector more difficult to protect: the web. Whereas e-mail is a relatively mature and well-understood technology, new web application software makes it harder to identify malicious sites.

In April of 2007, security researchers reported that W32/Rinbot, a piece of malicious code exhibiting behaviour very similar to SDBot, was the first worm to incorporate an exploit for a Microsoft RPC/DNS vulnerability (Van Horenbeeck, 2007b). The worm was reported only three days after Microsoft officially acknowledged the vulnerability in their software and merely two days after public exploit code became available.


Malicious code installation

In order for malicious code to infect an end user device, one of two conditions needs to be fulfilled:


Provisioning executable files to end users has long been correlated with e-mail worms. An e-mail is sent to a user containing an attachment. The user is then invited to execute this code. As this attack mechanism is still not well understood by users, it remains surprisingly effective. Corporate information security policies have long included messages to educate users on this threat, and more recently, organizations have started blocking e-mail attachments that might contain executable content. However, the vulnerability remains, as it is inherently linked to how people respond to incoming information. If the message is convincing enough, the attacker will be able to convince the recipient of his message to execute content delivered through loopholes that are not yet considered for scanning.

One such example was the Bagle-KL worm which spread in 2006. It attached a password-encrypted archive file to the e-mails it spammed, requesting the user to decrypt the zip file and execute the information it contained (Sophos, 2006). As the file embedded in the archive was unreadable to any content scanning solution, it could not be stopped by automated security solutions, except by filtering all incoming password encrypted archives.

The first example of the latter code was the so-called Morris worm, a piece of software released by Robert Morris in 1988. It exploited a number of known vulnerabilities in critical internet software such as Sendmail to automatically replicate and install across the network (Page, 1988). More recently, even vulnerabilities in trusted applications such as Symantec anti-virus or intrusion detection software have proven dangerous and usable for worm replication.

In addition, a combination of the above two risks has also become apparent. As users have come to trust certain file formats such as JPG, SCR and DOC, vulnerabilities in the parsing of these file formats have been identified and used in attacks. While these files do not execute code themselves, the standard parsers - often operating system dependent and thus shared by all applications - may not handle unexpected contents correctly, resulting in the execution of arbitrary code. In 2007, Microsoft warned of active attacks using a yet unknown and unpatched vulnerability in the Word file format. Only weeks before, a vulnerability was identified in the parsing of ANI files, so-called animated cursors. As the platform identifies these files based on their 'magic' value - a byte sequence at the beginning of the file - these files could even be renamed to the common JPG file extension and still be used in attacks (Microsoft, 2007).
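Because the parser selects on the magic value rather than the extension, a mail or download gateway that trusts the extension can be bypassed by renaming; the defensive counterpart is to sniff the content and flag files whose extension disagrees with it. The following is an added example for this page, not code from the paper or from any gateway product; the sample files are constructed headers (a JPEG starts with FF D8 FF, an ANI cursor is a RIFF container with form type "ACON") and the extension table is an assumption.

```python
import os


def _riff(form: bytes) -> bytes:
    """Build a minimal RIFF container with the given four-byte form type."""
    body = form + b"\x00" * 20
    return b"RIFF" + len(body).to_bytes(4, "little") + body


# Constructed sample file contents (headers plus padding), built inline.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "cursor.ani": _riff(b"ACON"),
    "clip.wav": _riff(b"WAVE"),
    "holiday.jpg": _riff(b"ACON"),   # an ANI file renamed to .jpg
    "notes.txt": b"just text\n",
}

# Which sniffed type an extension is expected to carry (assumed policy table).
TYPE_BY_EXTENSION = {".jpg": "jpeg", ".jpeg": "jpeg", ".ani": "ani", ".wav": "wave"}


def sniff_type(data: bytes) -> str:
    """Identify the format from its leading bytes, ignoring the file name."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:4] == b"RIFF" and len(data) >= 12:
        # RIFF containers carry the concrete format at offset 8
        return {b"ACON": "ani", b"WAVE": "wave"}.get(data[8:12], "riff-other")
    return "unknown"


def check_file(name: str, data: bytes) -> dict:
    """Compare what the extension claims with what the content actually is."""
    ext = os.path.splitext(name)[1].lower()
    declared = TYPE_BY_EXTENSION.get(ext)
    actual = sniff_type(data)
    # Only flag when the extension maps to a known type and the content disagrees;
    # unknown extensions are left to other controls.
    mismatch = declared is not None and actual != declared
    return {"name": name, "declared": declared, "actual": actual, "mismatch": mismatch}


def find_mismatches(samples: dict) -> list:
    """Names of files whose content does not match their extension."""
    results = (check_file(name, data) for name, data in samples.items())
    return sorted(r["name"] for r in results if r["mismatch"])


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_file(name, data))
```

The check is only as good as the sniffing table: any format the sniffer does not know falls through as "unknown" and must be handled by policy (for example, blocked when the extension claims an image).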

In the wired world, while all platforms have certain security drawbacks, the more dominant platforms in the market have proven to be more likely to be targeted by malicious code writers. On mobile devices, at this point in time there is no 'single' operating system environment. Mobile phones can be running a version of Symbian, Linux, Windows Mobile, or a number of other technologies. As recently as April 12th, 2007, Sun announced its acquisition of SavaJe Technologies, an organization producing the SavaJe XE mobile operating system (SavaJe, 2007).

Should the market move in a way similar to stationary computing, the threat for mobile computing malicious code, and as such botnets, would likely increase. At this point in time however, market research is showing a gradual decrease in the currently dominant Symbian OS's market share, predicting heavy competition from Linux and Windows Mobile (ABI Research, 2007).

Current mobile operating systems have not proven to be significantly more resilient than those deployed on wired devices. In early 2007, stack overflow vulnerabilities were identified in the Windows Mobile operating system that could cause mobile phones to crash when visiting a malicious web page or opening a malicious JPEG file (Trend Micro, 2007). A 2005 vulnerability in Symbian allowed remote Bluetooth users to reboot a telephone (NIST, 2005).

In addition to these operating system specific threats, most of these new Smartphone operating systems allow users to install freeware programs available on the internet. An attacker compromising the distribution point for popular mobile software could also have a significant impact on the mobile population.


Setting up and maintaining a connection to the Command & Control channel

The ability to connect to a command and control channel depends less on vulnerability than it does on means of connectivity. In general, it can be expected that a command and control channel connection will use the internet or wide area network connectivity of the device.

In stationary computing, most command & control connections occurred through the use of Internet Relay Chat (IRC). This however requires the unfettered access of the device to port 6667 on the internet. In addition, as this protocol is rarely used by average users, it is easy to detect through network monitoring.

Two recent trends have emerged: the use of instant messaging and peer to peer protocols to connect to the command & control channel, as well as the use of HTTP. Using these very common protocols avoids detection and simplifies the attack. While AIM and MSN have been the topic of public research (Myers, 2006) but are not yet in common use, some organizations are reporting a shift towards HTTP based botnets (Panda Software, 2007).

This actually places botnets on a convergence path with the evolution of mobile internet access. When mobile internet service initially became available, through the development of the Wireless Application Protocol (WAP), availability of internet services was initially very limited. Internet sites needed to pass through a WAP gateway for conversion from HTML to WML content and to provide content compression (Maxim & Pollino, 2002). With newer, high speed networks such as UMTS and EDGE being deployed, less such filtering needs to take place and mobile devices are gradually moving towards direct IP internet access.

As botnet command & control traffic generally is not malicious in itself, it is difficult to filter on the gateway. While the use of perimeter proxies allows the provider to filter out requests it deems unacceptable, this would be a dominantly reactive measure. New Trojans that establish botnets would need to be analysed first, after which patterns can be deduced that are to be filtered on the provider's proxy appliance.
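The two detection situations described above, the port-based check that makes IRC command & control easy to spot and the HTTP case where the individual request looks legitimate, can be contrasted on flow records. The following is an added example for this page, not code from the paper or from any provider's monitoring system; it goes one step beyond the text by adding a timing heuristic for the HTTP case (connections from one host to one destination recurring at near-constant intervals, which is a common trait of polling-style control channels). The flow records use RFC 5737 documentation addresses and are constructed, and the port set and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (seconds since start, source, destination, dst port).
FLOWS = [
    (0,    "10.0.0.5", "203.0.113.7",   6667),   # IRC to an external server
    (30,   "10.0.0.5", "203.0.113.7",   6667),
    (5,    "10.0.0.8", "198.51.100.20", 80),     # HTTP every ten minutes
    (605,  "10.0.0.8", "198.51.100.20", 80),
    (1205, "10.0.0.8", "198.51.100.20", 80),
    (1805, "10.0.0.8", "198.51.100.20", 80),
    (2406, "10.0.0.8", "198.51.100.20", 80),
    (12,   "10.0.0.9", "198.51.100.30", 80),     # ordinary bursty browsing
    (40,   "10.0.0.9", "198.51.100.30", 80),
    (700,  "10.0.0.9", "198.51.100.30", 80),
    (710,  "10.0.0.9", "198.51.100.30", 80),
    (3000, "10.0.0.9", "198.51.100.30", 80),
]

IRC_PORTS = {6667}        # assumed: the default IRC port the paper names
WEB_PORTS = {80, 8080}    # assumed: ports treated as HTTP


def irc_suspects(flows):
    """Hosts talking to an IRC port: the port-based check the paper calls easy."""
    return sorted({src for _, src, _, port in flows if port in IRC_PORTS})


def beacon_suspects(flows, min_connections=4, max_cv=0.1):
    """(src, dst) pairs whose HTTP connections recur at near-constant intervals.

    Regularity is measured as the coefficient of variation (standard deviation
    divided by mean) of the gaps between successive connections; human browsing
    is bursty and produces a large value, a timer-driven client a small one.
    """
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in WEB_PORTS:
            stamps_by_pair[(src, dst)].append(ts)
    hits = []
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append(pair)
    return sorted(hits)


if __name__ == "__main__":
    print("IRC port users:", irc_suspects(FLOWS))
    print("regular HTTP pairs:", beacon_suspects(FLOWS))
```

Legitimate timer-driven clients (mail synchronisation, software update checks) produce the same regularity, so the interval check yields leads to be confirmed against the destination, not verdicts.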

Instant messaging remains a viable platform on most smartphones. Messaging applications compatible with the Microsoft MSN standard exist for both Windows Mobile and Symbian.


Downloading of secondary payloads

Similar to the above, download of secondary payload occurs predominantly through the WAN connection of the device. The current mechanism employed on the internet is usually the hypertext transfer protocol (HTTP). An additional executable file is downloaded and then executed by the Trojan installed, once it receives a command through the available command and control channel to do so.

While this code is malicious, it can be written for this specific attack and as such will not be known to anti-virus vendors. Application proxies may not be able to block the attack, unless it contains malicious code that can be picked up through heuristics scanning.

From the cloud, such download would not be different from any other download by a legitimate browser on the mobile device. As such, filtering efforts are unlikely to be successful, unless the target download is known. However, performance may be a wireless-specific issue here. Some attack code, especially when it is related to fairly complex attacks such as replacing local drivers (e.g. to facilitate logging of key entries) or brute forcing (where it would require a dictionary) may be relatively large. For other attack code however, this may not matter at all, such as any code instigating relatively simple bandwidth depletion attacks.


Executing an attack

Within a botnet, attack can be a broad concept. Botnets have often been affiliated with large distributed denial of service attacks. In 2006, media reported on a Florida man being arrested for releasing a crafted version of the GaoBot worm which performed a DDoS attack on the servers of Akamai, a global content provider (Lemos, 2006). These types of network based attacks are unlikely to be observed from mobile devices in the near future due to the limited bandwidth available. In addition, continuous traffic from a mobile device would still be relatively easy to pick up using network traffic anomaly detection: mobile devices are usually used for messaging purposes, and still less for high volume activities such as multiple large file transfers or streaming.

Specifically due to the messaging function these devices currently have within our society, attacks are likely to take place in the field of privacy and information theft. In October 2006, the US Department of Homeland Security sponsored a report on crimeware: 'software that performs illegal actions unanticipated by a user running the software, which are intended to yield financial benefits for the distributor of the software' (APWG, 2006). In May 2006, they identified 215 unique keylogging applications being distributed and discovered on the internet. This was up from 154 in the month of June 2005.

The success rate of these types of attacks is highly dependent on the embedded security features of the wireless operating systems and applications. Symbian, for one, in 2005 did not yet have a concept of roles or users, nor did it employ access controls on the file system (De Haas, 2005). In version 9, Symbian did however add segregation between applications' data files. This prevents one application, for example attack code, from accessing files belonging to another application (Shackman, 2005). Additional features added by this version include support for capabilities, which is a significant security improvement. Applications are assigned certain capabilities, or functionalities they can use, which cannot change once the application is started. Well implemented, this could for example prevent a vulnerability in a document editor from spawning malicious code with access to the network.

The current reality of mobile botnets

The concept of mobile botnets was first coined by Job de Haas in his 2005 Black Hat presentation. He described the idea of multiple mobile devices under control of a central attacker. At this point in time, there have not yet been reports of an actual implementation.

However, one of the two primary requirements for a botnet, technical viability, is close to being met. In June of 2004, a first Bluetooth-propagating piece of mobile malware was privately released to anti-virus labs. Kaspersky Lab has published data that shows how, from that point in time to August 2006, a total of 170 mobile viruses were processed, within 31 families. The vast majority of these viruses were released for the Symbian operating system (Gostev, 2006).

This virus, Cabir, made its first major public appearance in Finland during the 2005 World Athletics Championships (Reuters, 2005). Due to the large number of people attending the event, in a relatively small area, the virus got its first chance to really propagate. Due to its benign payload however, the virus merely caused cell phone batteries to be consumed rapidly.

In 2005, a mobile Trojan with malicious payload was identified. While it did not replicate, once installed by a user on a Symbian phone, it installed a corrupted font file. During boot, the phone attempts to load this file, which fails, and halts the boot process. The only way to recover if the phone has already been reloaded is to fully restore factory settings (F-Secure, 2005).

One more propagation vector that has proven highly viable appears to be the MMS service. MMS is an extension to the SMS (or text message) system. MMS allows the transmission of rich data such as images and videos in addition to regular text. CommWarrior, a piece of mobile malware that was released early 2005, uses it as a propagation vector in addition to Bluetooth (Töyssy & Helenius, 2006). It transmits an MMS to a random number in the phone book, and attaches itself to the message. The user is prompted whether he wants to execute CommWarrior. If he accepts this offer, the software then propagates further. Due to the nature of these MMS messages, network operators are able to count the propagation of this threat. In a 2006 presentation by Orange, data was provided which indicated ongoing propagation during the October 2005-2006 timeframe (Waldron, 2006).

Preventive and responsive measures to mobile malicious code

In 2000, Mikko Hyppönen stated that 'the industry is in a unique position to benefit from past experience and proactively prevent the type of weaknesses in infrastructure that caught us unaware with past computer incidents' on malware and mobile computing (Hyppönen, 2005, p.41). His words still hold true, as there are many actions that can be taken to pre-empt the rise of mobile botnets.

Conclusion

This paper reviewed the structure and methodology of botnets, specifically from a wireless context. Botnets are a relatively complex implementation of an information security attack. In order to assess the vulnerability of mobile phone networks, this research broke down this type of attack into its four main components and assessed the current state of the art of each component in overall wired networking, and how the component has already been or is likely to be implemented onto mobile networks.

While some of the underlying technology may be drastically different, the implementation of internet support on mobile networks and the increasingly similar nature of mobile operating systems as compared to desktop operating systems have increased the threat of mobile malicious code. This research has shown that there has been an evolution in such mobile malware, with a wide range of families currently active.

Further evolution of such malicious code is currently being limited due to the wide range of operating systems available for mobile devices. This prevents wide propagation of the code. An exception however has proven to be those events where large amounts of users with very similar mobile phones gather. In such circumstances, viruses are likely to propagate.

As there have not yet been reports of functional mobile botnets in the wild, it would be easy to believe they do not pose a threat. However, as both increasingly potent technology and financial applications converge on these devices, there is a definite increase of the likelihood of mobile malicious code.

References

ABI Research (2007) Nokia Leading Smartphone Market with 56%, while Symbian's Share of OS Market is Set to Fall. ABI Research: London.

APWG (2006) The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond. Anti-Phishing Working Group. URL: http://www.antiphishing.org/reports/APWG_CrimewareReport.pdf [Accessed May 2nd, 2007]

BankIslam (2007) SMS Banking. URL: http://www.bankislam.com.my/includes/check_bimb_scripting.asp?drop_down_menuID=42 [Accessed May 9th, 2007]

Chikomo, Chong, Arnab & Hutchison (2006) Security of Mobile Banking. Technical Report CS06-05-00. University of Cape Town: Cape Town. URL: http://www.cs.uct.ac.za/Research/DNA/microweb/mobilebank/ [Accessed May 10th, 2007]

De Haas (2005) Symbian Phone Security. ITSX: Amsterdam. URL: https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-deHaas.pdf [Accessed May 10th, 2007]

F-Secure (2007) Trojan Information Pages: Blankfont.C. URL: http://www.f-secure.com/v-descs/blankfont_c.shtml [Accessed May 15th, 2007]

Gostev, A. (2006) Mobile Malware Evolution: An Overview. Kaspersky Lab: Moscow, Russia. URL: http://www.viruslist.com/en/analysis?pubid=200119916 [Accessed May 15th, 2007]

Hyppönen, M. (2000) WAP and viruses: can your mobile phone get infected? In Proceedings of the Virus Bulletin Conference, September 2000. Virus Bulletin: Oxfordshire, UK.

IPSOS (2006) Mobile Phones Could Soon Rival the PC As World's Dominant Internet Platform. IPSOS. URL: http://www.ipsos-na.com/news/pressrelease.cfm?id=3049 [Accessed May 2nd, 2007]

Kötter, M. & Wicherski, G. (2005) Know your Enemy: Tracking Botnets - Using honeynets to learn more about Bots. The Honeynet Project & Research Alliance: Naperville, IL.

Lemos, R. (2006) Man arrested for bot net, Akamai attack. SecurityFocus: Calgary, Canada.

Maxim, M. & Pollino, D. (2001) Wireless Security. McGraw Hill-Osborne: Berkeley, California.

Microsoft (2007) Microsoft Security Bulletin: MS07-017. Vulnerabilities in GDI Could Allow Remote Code Execution (925902). Microsoft: Redmond, WA.

Myers, L. (2006) AIM for Bot Coordination. In Proceedings of the 2006 Virus Bulletin Conference (VB2006), October 2006.

Nationwide (2007) Internet Banking Support. URL: http://www.nationwide.co.uk/internet_banking/support/mobilephone.htm [Accessed May 8th, 2007]

Nichols, R. & Lekkas, P. (2002) Wireless Security: Models, Threats and Solutions. McGraw Hill: Berkeley, California.

NIST (2005) Vulnerability Summary CVE-2005-0681. National Institute of Standards and Technology: Gaithersburg, MD. URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-0681 [Accessed May 13th, 2007]

Page, B. (1988) A report on the Internet Worm. University of Massachusetts: Lowell.

Panda Software (2007) Quarterly Report PandaLabs (January-March 2007). Panda Software: Bilbao, Spain.

Reuters (2005) Cabir outbreak in Finland. Reuters: London. URL: http://news.zdnet.co.uk/security/0,1000000189,39213100,00.htm [Accessed May 17th, 2007]

Shackman, M. (2005) Symbian OS v9: Platform Security. URL: http://www.symbian.com/files/rx/file3202.pdf [Accessed May 10th, 2007]

Shetty (2005) SMS Banking. Palisade: Application Security Intelligence. URL: http://palisade.plynt.com/issues/2005Sep/sms-banking/ [Accessed May 10th, 2007]

Sophos (2007) Bagle-KL email worm spreading via encrypted Zip file. URL: http://www.sophos.com/pressoffice/news/articles/2006/06/baglekl.html [Accessed May 15th, 2007]

Sun (2007) Press Release: Sun Microsystems to Acquire Assets from SavaJe Technologies. Sun Microsystems: Santa Clara, USA.

Symantec (2007) Backdoor.SDBot. Symantec Security Response. URL: http://www.symantec.com/security_response/writeup.jsp?docid=2002-051312-3628-99&tabid=2 [Accessed May 14th, 2007]

Töyssy, S. & Helenius, M. (2006) About malicious software in smartphones. Journal in Computer Virology, Volume 2, Number 2, pp. 109-119. Springer: Paris.

Trend Micro (2007) Vulnerability in Internet Explorer for Windows Mobile. Trend Micro: Cupertino, CA. URL: http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+Internet+Explorer+for+Windows+Mobile [Accessed May 15th, 2007]

Van Horenbeeck (2007a) New malware spreading through compromised sites. Internet Storm Center: Bethesda. URL: http://isc.sans.org/diary.html?storyid=2397 [Accessed May 4th, 2007]

Van Horenbeeck (2007b) New Rinbot scanning for port 1025 DNS/RPC. Internet Storm Center: Bethesda. URL: http://isc.sans.org/diary.html?storyid=2643 [Accessed May 12th, 2007]