Design of SMS Commanded-and-Controlled and P2P-Structured Mobile Botnets Yuanyuan Zeng Kang G. Shin Xin Hu Perimeter E-Security University of Michigan IBM Research Raleigh, North Carolina Ann Arbor, Michigan Hawthorne, New York [email protected] [email protected] [email protected] ABSTRACT A drastic increase in downloading and sharing of third-party Botnets are one of the most serious security threats to the applications and user-generated content makes smartphones Internet and personal computer (PC) users. Although bot- vulnerable to various types of malware. Smartphone-based nets have not yet caused major outbreaks in the mobile banking services have also become popular without protec- world, with the rapidly-growing popularity of smartphones tion features comparable to those on PCs, enticing cyber such as Apple's iPhone and Android-based phones that store crimes. There are already a number of reports on malicious more personal data and gain more capabilities than earlier- applications in the Android Market [1]. Although the An- generation handsets, botnets are expected to become a se- droid platform requires that applications should be certified vere threat to smartphones soon. In this paper, we propose before their installation, its control policy is rather loose| the design of a mobile botnet that makes the most of mobile allowing developers to sign their own applications|so that services and is resilient to disruption. The mobile botnet attackers can easily get their malware into the Android Mar- utilizes SMS messages for C&C and a P2P structure as its ket. The iPhone's application store controls its content more topology. Our simulation results demonstrate that a modi- tightly, but it fails to contain jailbroken iPhones which can fied Kademlia|a structured architecture|is a better choice install any application and even run processes in the back- for the mobile botnet's topology. In addition, we discuss po- ground. As smartphones are increasingly used to handle tential countermeasures to defend against this mobile botnet more private information with more computing power and threat. capabilities, but without adequate security and privacy pro- tection, attacks targeting mobile devices are becoming more sophisticated. Since the appearance of the first, proof-of- Categories and Subject Descriptors concept mobile worm, Cabir, in 2004, we have witnessed C.2.0 [Computer-Communication Networks]: General| a significant evolution of mobile malware. The early mal- Security and Protection; D.4.6 [Operating Systems]: Se- ware performed tasks, such as infecting files, replacing sys- curity and Protection|Invasive Software tem applications and sending out SMS or MMS messages. One malicious program is usually capable of only one or two functions. Although the number of mobile malware families General Terms and their variants has been growing steadily in recent years, Security their functionalities have remained simple until recently. SymbOS.Exy.A trojan [2] was discovered in early 2009 Keywords and its variant SymbOS.Exy.C resurfaced in July 2009. This mobile worm, which is said to have \botnet-esque" behavior Smartphone Security, Malware, Mobile Botnets patterns, differs from other mobile malware, because after infection, it connects back to a malicious HTTP server and 1. INTRODUCTION reports information of the device and its user. The Ikee.B Botnets are one of the most serious security threats to worm [3] that appeared late 2009 targets jailbroken iPhones, the Internet and the personal computer (PC) world, but and has behavior similar to SymbOS.Exy. Ikee.B also con- they are still rare for the mobile world. Recently, with nects to a control server via HTTP, downloads additional the rapidly-growing popularity of smartphones, such as the components and sends back the user's information. With iPhone and Android-based phones, attacks on cellular net- this remote connection, it is possible for attackers to pe- works and devices have grown in number and sophistication. riodically issue commands to and coordinate the infected devices to launch large-scale attacks. In March 2011, over 50 applications found to contain a type of malware called \DroidDream"were removed from the Android Market. This Permission to make digital or hard copies of all or part of this work for malware is able to root the infected device and steal sensi- personal or classroom use is granted without fee provided that copies are tive information. It was speculated that the end goal of not made or distributed for profit or commercial advantage and that copies DroidDream was to create a botnet [4]. In February 2012, bear this notice and the full citation on the first page. To copy otherwise, to RootSmart [5], a malicious application in third party An- republish, to post on servers or to redistribute to lists, requires prior specific droid markets in China, was reported to create a botnet con- permission and/or a fee. WiSec’12, April 16–18, 2012, Tucson, Arizona, USA. taining thousands of Android devices. Once started, RootS- Copyright 2012 ACM 978-1-4503-1265-3/12/04 ...$10.00. mart connects to a remote server to send various informa- structure requirements are different, in view of unique ser- tion of the infected phone and fetches a root exploit from vices and resource constraints on smartphones. Dagon et the server to obtain escalated privilege to the phone. The in- al. [12] proposed key metrics to measure botnets' utility for fected phone is configured to send premium SMS messages conducting malicious activities and considered the ability of and use other premium telephony services without users' different response techniques to disrupt botnets. knowledge, generating profits for the botmaster. Observing There are numerous efforts on mobile malware focusing the trend of recent mobile malware, we expect that mobile on vulnerability analysis and attack measurements. The botnets will become a serious threat to smartphones soon. former investigates ways of exploiting vulnerable mobile ser- In this paper, we propose the design of a mobile botnet vices, such as Bluetooth and MMS [13, 14], while the latter that makes the most of mobile services and is resilient to characterizes the feasibility and impact of large-scale attacks disruption. Within this mobile botnet, all C&C communi- targeting mobile networks, mostly Denial of Service (DoS) cations are done via SMS messages since SMS is available attacks [15]. There are a few recent papers treating the idea to almost every mobile phone. To hide the identity of the of mobile botnets. In [16], the focus is on the attack aspect| botmaster, there are no central servers dedicated to com- whether compromised mobile phones can generate sufficient mand dissemination that is easy to be identified and then traffic to launch a DoS attack. Singh et al. [17] investigated removed. Instead, we adopt a P2P topology that allows using Bluetooth as a C&C to construct mobile botnets with- botmasters and bots to publish and search for commands out any analysis on their network structure. Hua et al. [18] in a P2P fashion, making their detection and disruption proposed a SMS-based mobile botnet using a flooding algo- much harder. Our contributions are three-fold. First, to rithm to propagate commands with the help of an internet the best of our knowledge, we are the first to design mo- server. The use of the central server, however, may lead to bile botnets with focuses on both C&C protocol and topol- single-point-of-failure. Mulliner et al. [19] demonstrated the ogy by integrating the SMS service and the P2P topology. ways to command and control botnets via SMS or IP-based The main purpose of this work is to shed light on potential P2P networks using a tree topology. Under such topology, botnet threats targeting smartphones. Since current tech- when a node fails, all of its subnodes will be isolated from niques against PC botnets may not be applied directly to the botnet, difficult to get commands. Weidman [20] also mobile botnets, our proposed mobile botnet design makes it considered utilizing SMS messages for botnet C&C and pre- possible for security researchers to investigate and develop sented a method to conceal malicious SMS messages from new countermeasures before mobile botnets become a major users on smartphones. It is worth noting that, different threat. Second, we present a method to carefully disguise from all these works, our SMS-based botnet is built upon C&C content in spam-looking SMS messages. Using this a decentralized P2P topology, without assistance from any approach, the botnet can stealthily transmit C&C messages central servers. The integration of SMS and P2P makes our without being noticed by phone users. Third, we test and botnet stealthy and resilient to disruption. compare two P2P architectures that can be used to construct the topology of our mobile botnet on an overlay simulation 3. MOBILE BOTNET DESIGN framework, and finally propose the architecture that best We now present the detailed design of a proof-of-concept suits mobile botnets. mobile botnet. The botnet design requires three main com- The remainder of the paper is organized as follows. Sec- ponents: (1) vectors to spread the bot code to smartphones; tion 2 describes the related work. Section 3 details the proof- (2) a channel to issue commands; (3) a topology to organize of-concept design of our mobile botnet. Section 4 presents the botnet. We will briefly overview approaches that can be our simulation and evaluation results. Section 5 discusses used to propagate malicious code and then focus on C&C potential countermeasures against the mobile botnets. The and topology construction. paper concludes with Section 6. 3.1 Propagation 2. RELATED WORK The main approaches used to propagate malicious code to The research areas most relevant to our work are P2P- smartphones are user-involved propagation and vulnerabil- based botnets and botnet C&C evaluation.