Post on 15-Jan-2015
DRAGON LADY: AN INVESTIGATION OF RUSSIAN SMS FRAUD
RYAN W SMITH & TIM STRAZZERE
Lookout, Inc.
Read the report
WHO ARE WE - RYAN W SMITH
• Senior Research and Response Engineer @ Lookout
• Contributing member of the Honeynet Project for more than 10 years
• Worked on automated x86/Windows shellcode deobfuscation and malware sandboxing before starting Android reversing
• Previously spoke about scalable Android reversing @ AppSec USA and IEEE HICSS
WHO ARE WE - “DIFF” @TIMSTRAZZ
• Lead Research & Response Engineer @ Lookout
• Reversed the Android Market/Google Play Protocol
• Junkie for reversing mobile malware, creating write-ups and teaching others to help raise the bar
• Spoke previously about anti-analysis/decompilation/emulation at BH ’11/’12, EICAR ’12, HITCON ’13, SyScan ’13, etc.
WHY DEEP DIVE?
• Stats are extremely misleading; but get headlines!
• Did it just go from 100 samples to 163?
163 / 100 == 1.63 == 163%
• Different (zip) hash? Different (unique) sample?
• Correlation by SENDS_SMS is not good enough!
WHY DEEP DIVE?
• New hash != new “sample” -- need context!
• Impressive... “server-side polymorphism”
bebop:alphasms tstrazzere$ shasum *.apk
e780f49dd81fec4df1496cb4bc1577aac92ade65  mwlqythh.rwbkulojmti-1.apk
8263d3aa255fe75f4d02d08e928a3113fa2f9e17  mwlqythh.rwbkulojmti-2.apk
521d3734e927f47af62e15e9880017609c018373  mwlqythh.rwbkulojmti-3.apk
bebop:alphasms tstrazzere$ shasum *.dex*
14e46f0330535cb5e8f377a6c2bb2c858de6f414  classes.dex-1
14e46f0330535cb5e8f377a6c2bb2c858de6f414  classes.dex-2
14e46f0330535cb5e8f377a6c2bb2c858de6f414  classes.dex-3
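The listing above is the whole point: three APKs with three archive hashes, all wrapping one identical classes.dex. The Python below is an added example, not code from the deck or from Lookout; it clusters archives by the hash of the dex they carry instead of by whole-file hash, with the APKs constructed in memory as stand-ins (file names, dex bytes and filler are assumptions).

```python
# Added example: collapse repackaged APKs with identical code into one group
# by hashing classes.dex rather than the ZIP container around it.
import hashlib
import io
import zipfile
from collections import defaultdict


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def dex_hash(apk_bytes: bytes) -> str:
    """SHA-1 of classes.dex inside an APK (an APK is a ZIP container)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sha1(zf.read("classes.dex"))


def cluster_by_dex(apks: dict) -> dict:
    """Map dex SHA-1 -> sorted APK names carrying that exact dex."""
    groups = defaultdict(list)
    for name, data in apks.items():
        groups[dex_hash(data)].append(name)
    return {h: sorted(names) for h, names in groups.items()}


def distinct_counts(apks: dict) -> tuple:
    """(distinct archive hashes, distinct dex hashes) for a sample set."""
    return len({sha1(d) for d in apks.values()}), len(cluster_by_dex(apks))


def build_apk(dex: bytes, filler: bytes) -> bytes:
    """Constructed stand-in for an APK: same dex, differing filler resource."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr("res/raw/noise.bin", filler)  # what the repacker varies
    return buf.getvalue()


# Constructed sample set (assumption): three repacks of one dex, one other dex.
SHARED_DEX = b"dex\n035\x00" + b"A" * 64
OTHER_DEX = b"dex\n035\x00" + b"B" * 64
SAMPLES = {
    "sample-1.apk": build_apk(SHARED_DEX, b"\x01"),
    "sample-2.apk": build_apk(SHARED_DEX, b"\x02"),
    "sample-3.apk": build_apk(SHARED_DEX, b"\x03"),
    "sample-4.apk": build_apk(OTHER_DEX, b"\x04"),
}

if __name__ == "__main__":
    for h, names in cluster_by_dex(SAMPLES).items():
        print(h, names)
    print("archives vs. distinct code:", distinct_counts(SAMPLES))  # (4, 2)
```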
FAMILY INTEL.
Threat attributes compared: Sends SMS | Downloads Apps | Exfiltrates PII | Obfuscation (non-commercial)
Families: ALPHASMS, BADNEWS, CONNECTSMS, DEPOSITMOBI, FAKEBROWS, SMSACTOR, NOTCOMPATIBLE
FakeInst / SMSSend / Other generic name
SAMPLE EVOLUTION IS IMPORTANT
ConnectSMS.a - e6d823... - Packaged: 07-30-12
  No obfuscation / crypto
  Debug information available
ConnectSMS.f - 00f35f... - Packaged: 12-13-12
  SMS endpoints / URL encrypted
  Debug info stripped
  Added contact exfiltration
ConnectSMS.p - 355d6f... - Packaged: 01-11-13
  SMS endpoints / URL encrypted
  Debug info stripped
  Removed contact exfiltration
ConnectSMS.s - 383069... - Packaged: 04-03-13
  SMS / URL remotely pulled & decrypted
  Debug info re-added
Same crypto
• Underlying code still similar
• “Polymorphism” easily confused with “omg sky is falling”
• Trends across different distributing organizations
DECIPHERING OBFUSCATION
AlphaSMS
AGILE THREAT RELEASES
BEYOND SMS FRAUD - NOTCOMPATIBLE
• Interesting exercise in malware component commoditization
• Relates directly to PC malware
• Used mass compromised web sites, compromised swaths of accounts (AOL, Yahoo, etc.) for distribution (likely purchased?)
• Actively used for evading fraud detection
[Diagram: Attacker in Europe; Purchasing service inside US; blocked by fraud detection; Infected proxy device inside US]
CONCLUSIONS
• Top 10 Russian SMS fraud organizations account for over 30% of worldwide malware detections
• SMS Fraud is a diverse threat, and requires careful categorization
• SMS Fraud has effectively been commoditized in Russia and has a thriving support system
• By taking a “full-stack” approach to tracking these threats we avoid the typical “whack-a-mole” AV strategy
THE GIANTS ON WHICH WE STAND
• Thanks to:
• The entire R&R and security team at Lookout
• The Honeynet Project
• Mila @ Contagio Dump
• @jduck @pof @osxreverser @thomas_cannon @adesnos @Gunther_AR @TeamAndIRC @cryptax
Keep in touch with
@lookout
/mylookout
blog.lookout.com
contact@lookout.com
http://bit.ly/dragon-lady