iBots & Smartphone Slavery: How to Prevent It
As smartphone sales keep climbing (vendors shipped a total of 302.6 million smartphones worldwide in 2010), cyber-criminals are finding the lure of this increasingly lucrative market too much to resist.
First came smartphone-based malware and related abuse, such as click fraud, over the last few months. Now comes a partner in crime: smartphone botnets, or iBots -- anonymous, automated, and effective as a means of distributing malware. Like any botnet, an iBot answers to a single controller; here that controller is itself a smartphone, the “Master Bot.”
This week saw the first notable appearance of a “man-in-the-mobile” attack combining malware with an iBot, in Poland, where ING Bank customers had the one-time authentication codes the bank sends to their smartphones hijacked.
A new strain of the infamous ZeuS banking malware, “Mitmo,” is installed as a rootkit on the victim's smartphone after an SMS message prompts the user to download a bogus app. Once installed, the malware can modify the bank’s mobile Website and steal the client’s login and password, and that is not all: from then on, the infected smartphone monitors all incoming SMS messages and forwards any bank SMS or mTAN (mobile TAN, for Transaction Authentication Number) through the iBot to a ZeuS bot herder. With both the password and the one-time code in hand, the herder can authorize transfers the mTAN was supposed to protect.
The iBots carrying the mobile malware closely match the design Georgia Weidman described at the East Coast hacker conference ShmooCon in January 2011. That design is in turn a variation on the SMS/HTTP botnet demonstrated by security researchers Mulliner and Seifert at an IEEE international conference in France last October in their presentation “Rise of the iBots.” They showed just how easy it is to build an iBot by installing a rootkit on a smartphone via a malicious Webpage or via modified jail-breaking software.
The process begins with an SMS message containing a malicious URL that leads to a file holding a list of phone numbers and a set of commands. The malware extracts the information from the file and carries out the payload instructions, whether DDoS (distributed denial of service), spam, or anything else. The smartphone becomes a slave, or zombie, within the botnet, receiving instructions from the C&C (bot herder) and in turn passing them on to other phones.
The iBot operation is, for all intents and purposes, anonymous and untraceable, because it is based on a three-level cell structure of master bot, sentinels, and slaves. The master bot, i.e., the attacker's or bot herder’s smartphone, would use only prepaid SIM cards and OCR tools such as Kleptomania. The “sentinel” bots receive instructions from the master bot and exchange data with the “slave” bots, so the master never has to contact a slave directly. With this simple structure, many thousands of smartphones could make up the iBot. Of course, once fully controlled, such devices can be used not only for hijacking banking credentials but also for DDoS, spam, and all the other nefarious cybercrime activities.
Using SMS to control the iBots is pretty inspired: it is light on power and battery usage; it is fault tolerant (if a message fails, it is simply queued and retried later); and, most importantly from a security perspective, it is very difficult to monitor on the handset itself. Once infected, the smartphone user would not even know the phone is part of an iBot.
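To make the SMS command channel concrete, here is a small model of it: a command with a sequence number, a target list and a short authentication tag, packed to fit one SMS, verified and replay-checked on the receiving bot. This is an added illustration, not code from the article or from any of the research it cites; the field layout, the tag length and the shared key are assumptions. It also shows the budget arithmetic the channel lives under: 160 characters only if the message stays inside the GSM 7-bit alphabet, 70 if it uses any other character, and two units for each character from the GSM extension table.

```python
"""Model of an SMS-carried bot command and the per-message budget it must fit.
Added illustration only; field layout, tag length and key are assumptions."""
import hashlib
import hmac

# GSM 03.38 basic alphabet: a message using only these characters fits 160 in one SMS.
GSM_BASIC = set(
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
# Extension-table characters are escape-coded and cost two septets each.
GSM_EXT = set("^{}\\[~]|€")
LIMIT_GSM7 = 160   # septets in a single GSM 7-bit SMS
LIMIT_UCS2 = 70    # characters in a single SMS once any non-GSM character forces UCS-2

def sms_cost(text):
    """Return (units, limit): what the text costs and the single-SMS limit it is held to."""
    if all(c in GSM_BASIC or c in GSM_EXT for c in text):
        return sum(2 if c in GSM_EXT else 1 for c in text), LIMIT_GSM7
    return len(text), LIMIT_UCS2

def fits_single_sms(text):
    units, limit = sms_cost(text)
    return units <= limit

SEP = ";"      # in the basic alphabet; '|' is an extension character and would cost double
TAG_HEX = 8    # hex digits of the HMAC carried in the message (assumption)

def build_command(key, seq, command, targets):
    """Master/sentinel side: 'seq;command;target,target,...;tag', required to fit one SMS."""
    body = SEP.join([str(seq), command, ",".join(targets)])
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()[:TAG_HEX]
    msg = body + SEP + tag
    units, limit = sms_cost(msg)
    if units > limit:
        raise ValueError(f"command needs {units} units, limit is {limit}")
    return msg

def parse_command(key, msg, last_seq):
    """Slave side: verify the tag, reject replays (seq must increase), return the fields."""
    body, _, tag = msg.rpartition(SEP)
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()[:TAG_HEX]
    if not hmac.compare_digest(tag, expected):
        return None
    parts = body.split(SEP)
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    seq = int(parts[0])
    if seq <= last_seq:
        return None
    targets = parts[2].split(",") if parts[2] else []
    return {"seq": seq, "command": parts[1], "targets": targets}

def max_targets(key, seq, command, number):
    """How many copies of `number` still fit after seq, command and tag take their share."""
    n = 0
    while True:
        try:
            build_command(key, seq, command, [number] * (n + 1))
        except ValueError:
            return n
        n += 1

if __name__ == "__main__":
    key = b"example-shared-secret"   # assumption; a real bot would carry its own key
    msg = build_command(key, 7, "ddos", ["+48123456789", "+48987654321"])
    print(msg)
    print(parse_command(key, msg, last_seq=6))
    print("12-digit numbers per message:", max_targets(key, 1, "ddos", "+48123456789"))
```

With an 8-hex-digit tag and a one-digit sequence number, eleven 12-character numbers fit in one message; a single character outside the GSM alphabet in the command name would cut the budget to 70 and leave room for four.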
There are, of course, limitations, which also point to ways of mitigating iBot-controlled malware. All command and data traffic in either direction must fit in 160 characters per message (160 of the GSM 7-bit alphabet; only 70 if the message uses Unicode), and that budget must include any keys as well as the instructions. Also, although the SMS messages are hidden from the user, every one of them is recorded by the mobile carrier and appears on the phone bill, so bursts of SMS to numbers the user has never contacted are a tell-tale sign worth checking.
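The billing records are the one place where the traffic is not hidden, so here is a detector over them for the relay pattern the cell structure produces: a handset that, right after receiving one SMS, fans out to several numbers it has never messaged before. This is an added example, not from the article; the record format, the sample records and the thresholds are assumptions, and the records are constructed, not real billing data.

```python
"""Relay-burst detector over SMS billing records (time,sender,recipient).
Added example; record format, sample data and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real data. +48500000001 messages +48500000002,
# which fans out to six numbers within seconds; one of them (+48500000011) then
# relays to six more. The 01:00 line is an earlier, ordinary contact, and the two
# 09:xx lines are a normal exchange between two subscribers.
RECORDS = """\
2011-02-22T01:00:00,+48500000002,+48500000011
2011-02-22T03:00:10,+48500000001,+48500000002
2011-02-22T03:00:41,+48500000002,+48500000011
2011-02-22T03:00:42,+48500000002,+48500000012
2011-02-22T03:00:44,+48500000002,+48500000013
2011-02-22T03:00:45,+48500000002,+48500000014
2011-02-22T03:00:47,+48500000002,+48500000015
2011-02-22T03:00:48,+48500000002,+48500000016
2011-02-22T03:01:30,+48500000011,+48500000101
2011-02-22T03:01:31,+48500000011,+48500000102
2011-02-22T03:01:32,+48500000011,+48500000103
2011-02-22T03:01:33,+48500000011,+48500000104
2011-02-22T03:01:34,+48500000011,+48500000105
2011-02-22T03:01:35,+48500000011,+48500000106
2011-02-22T09:12:00,+48500000099,+48500000098
2011-02-22T09:14:00,+48500000098,+48500000099
"""

FANOUT = 5                     # distinct never-before-contacted recipients that count as a burst
WINDOW = timedelta(minutes=2)  # how soon after the inbound message the burst must start

def parse_records(text):
    """Parse 'ISO-time,sender,recipient' lines into sorted (time, sender, recipient) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst = line.split(",")
        rows.append((datetime.fromisoformat(ts), src, dst))
    rows.sort()
    return rows

def find_relays(rows, fanout=FANOUT, window=WINDOW):
    """Return [(relay, upstream, burst_size)] for handsets that, after one inbound SMS,
    send to at least `fanout` numbers they had never messaged before the trigger."""
    sent = defaultdict(list)
    for ts, src, dst in rows:
        sent[src].append((ts, dst))
    hits, flagged = [], set()
    for ts, src, dst in rows:              # treat every message as a possible trigger for dst
        if dst in flagged:
            continue
        history = {d for t, d in sent[dst] if t < ts}          # dst's contacts before the trigger
        burst = {d for t, d in sent[dst]
                 if ts <= t <= ts + window and d != src and d not in history}
        if len(burst) >= fanout:
            hits.append((dst, src, len(burst)))
            flagged.add(dst)
    return hits

if __name__ == "__main__":
    for relay, upstream, size in find_relays(parse_records(RECORDS)):
        print(f"{relay} fanned out to {size} new numbers right after an SMS from {upstream}")
```

The earlier 01:00 contact keeps +48500000011 out of the first burst count (5 rather than 6), which is the point of the history check: a handset messaging its usual contacts should not trip the rule, while the chain from +48500000001 through +48500000002 to +48500000011 is reported hop by hop.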
To keep smartphones from becoming slaves in the first place, the main task for manufacturers is to keep the handset from turning into a mini ISP or re-broadcasting hub. On Linux this can happen when the device is turned into a router and dials out over PPP (Point-to-Point Protocol), or through “mgetty” or similar tools; on Microsoft Windows, through RAS (Remote Access Service). It also helps if the platform exposes the device’s own phone number only to the smartphone’s modem, because that makes the number hard even for a rootkit to harvest automatically.
Although the malware seen so far targets Android (Linux) and Windows Mobile smartphones, Apple users should not feel left out: there is also an “iKee-B” worm written specifically for jailbroken Apple iPhones that is rapidly gaining ground.
By Jart Armin