USCC
Quarterly Review & Executive Update
• April 2016
Malware Activity in Mobile Networks Kevin McNamee (Nokia Threat Intelligence Lab)
Agenda
• How the data is collected
• Threat Intelligence Report
• Android Malware
• Examples of malware
• How to avoid being a victim
• Conclusion
Monitoring the Mobile Network
• Monitor Mobile Network Traffic
Malware C&C
Exploits
DDOS
Hacking
[Diagram: Mobile Network Security Analytics. A Malware Detection Sensor on a recommended tap (Gn and S5/8, 10GE or GE) on the core links between the RAN side (NodeB, RNC, SGSN; eNodeB, SGW) and the GGSN/PGW Internet gateway feeds Alert Aggregation & Analysis and Forensic Analysis.]
Monitoring the Mobile Network
• Analytics Provides
Raw security alerts
Trigger packets
Infection history by device
Infection history by malware
• Reports
Most active malware
Network impact
Infection rates
Detection Rules Development Process
[Flowchart of the stages: Malware Samples and Third Party Feeds feed the Virus Vault (120K+ analyzed per day, 30M+ active samples); Sandbox; Malware Traffic Library; Rules Development; Rules Library; Quality Testing; Rules Repository; Deployment-Specific Rule Sets; Rule Activation; Field Testing in Live Networks; Feedback from Field Tests back into development.]
Nokia Threat Intelligence Report
Threat Intelligence Report
• Published by Nokia Threat Intelligence Lab
• Latest edition available on September 1st
• Data aggregated from mobile networks covering close to 100M devices in:
• North America
• Asia/Pacific
• Europe
• Middle East
https://pages.nokia.com/1937.ThreatIntelligenceReport.html
Mobile Device Infection Rate
• Smart phone infections up 96% in 1H2016
• Monthly infection rate averaged 0.66%
• Hit new high of 1.06% in April.
• In April 0.82% of smart phone devices exhibited signs of malware infection.
Mobile Infections by Device Type
• 74% are Android devices
• 22% are actually Windows PCs & Laptops
• 4% are iPhone, Blackberry, Symbian, etc.
Mobile Malware Continues to Grow
• An indicator of Android malware growth is the increase in the number of samples in our malware database.
• The chart shows numbers since July 2012.
• The number of Android malware samples in our malware database increased by 75% in the first half of 2016.
Top Mobile Malware
• Table shows the top mobile malware in the first half of 2016.
• More than half are new
• Malware includes:
Malware that roots phone
Ransomware
Spyphone Apps
SMS Trojans
Personal information theft
Aggressive adware.
Why Android?
• Open Platform
• Side Loading
• Proliferation of 3rd Party Android Stores
• App Hijacking is trivial
• Market Share
Android vs Apple app security
• Android
Signed with self-signed certificates that are created by the developer.
Available from a large number of third-party app stores.
• Apple
Signed with certificates issued by Apple and linked to the developer registration information.
Most consumer apps are only available from Apple.
Enterprise development program allows developers to bypass the Apple store security provisions.
Android vs Apple OS Software Updates
• Apple
Only one version
Distributed by Apple
Installed by phone owner
• Android
Patches created by Google
Integrated by phone manufacturers
Custom builds for individual operators
Variety of distribution mechanisms
Examples of Mobile Malware
SMS Trojans
SMS Trojans
• Sends premium SMS message
Trojan.SMS.FakeInst
Trojan.SMS.Agent
Trojan.SMS.Rufraud
Trojan.SMS.Opfake
Trojan.SMS.Boxer
• SMS Banking Trojans
Intercept SMS messages
Look for one-time banking access codes
Send the codes to the attacker, who is also monitoring banking transactions
Malware that roots the phone
Viking Horde
• This malware family gets its name from the Viking Jump game that was distributed through Google Play.
• Infected apps include:
Viking Jump
Wifi Plus
Memory Booster
Parrot Copter
• Turns the phone into a transparent web proxy used in Ad-Click Fraud.
• Roots the phone to establish a persistent hold on the device.
Installs components in the root directory so they are hard to uninstall.
Sets up a watchdog service that reinstalls the malware, if it is removed.
Malware Survives Factory Reset
• An Android factory reset operation does not reset the /system partition.
• So any apps stored in the /system/app directory will survive a factory reset.
• Malware can take advantage of this by rooting the phone and installing apps in the /system directory.
• This happened to one of our lab phones...
Malware Survives Factory Reset
1. Malware from a Chinese app store was run on one of our test phones.
2. It had almost every permission possible.
3. It included a library with known root exploits.
4. Over time a number of additional “system” apps appeared in the /system/app directory.
5. We noticed the problem after we did a factory reset and the phone started reloading apps from China.
6. The only solution was to root the phone and delete the apps manually.
Spyphone Apps
Mobile Spyware
• Tracks
the phone’s location
incoming and outgoing calls
text messages & email
the victim’s web browsing.
• Used by
individuals
private investigators
cyber espionage
http://www.top10spysoftware.com/
Ransomware
Ransomware & Lockers
• This malware claims to have locked your phone and/or encrypted your data.
• It demands a ransom to restore it.
• Often the data is not really encrypted.
Permissions used by Lockers
• SYSTEM_ALERT_WINDOW
Allows app to display a window on top of everything else
You can’t interact with the phone
Usually combined with auto start on BOOT
Effectively locks the phone
• Device Administration
Provides additional permissions
Must be activated by user
Can block “Settings” app until user OKs the activation
Can’t uninstall an app with the permission
Also combined with auto start on BOOT
Solution: Start Phone in “safe mode” and delete the app.
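The permission combination described on this slide can be screened for in a decoded AndroidManifest.xml. The following Python is an added example, not part of the Nokia deck; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and both sample manifests are constructed.

```python
"""Screen a decoded AndroidManifest.xml for the locker permission pattern.

Added example, not from the Nokia deck. Assumes the manifest was decoded to
plain XML beforehand (e.g. with apktool); sample manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERM = f"{{{ANDROID_NS}}}permission"

# The three ingredients named on the slide.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"       # window on top of everything
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"  # auto start on BOOT
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"    # device administration receiver


def locker_indicators(manifest_xml: str) -> dict:
    """Return which of the locker ingredients the manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A_NAME) for p in root.iter("uses-permission")}
    receivers = list(root.iter("receiver"))
    # Auto start needs both the permission and a receiver for BOOT_COMPLETED.
    boot_receiver = any(a.get(A_NAME) == BOOT_ACTION
                        for r in receivers for a in r.iter("action"))
    # A device-admin component is a receiver protected by BIND_DEVICE_ADMIN.
    admin_receiver = any(r.get(A_PERM) == DEVICE_ADMIN for r in receivers)
    return {
        "overlay": OVERLAY in perms,
        "boot_autostart": BOOT_PERM in perms and boot_receiver,
        "device_admin": admin_receiver,
    }


def triage(manifest_xml: str) -> str:
    """Classify as the slide does: overlay + boot autostart locks the phone,
    device admin on top also blocks uninstall. Legitimate apps (screen
    filters, launchers) can match, so this is a triage hint, not a verdict."""
    ind = locker_indicators(manifest_xml)
    if ind["overlay"] and ind["boot_autostart"]:
        return "locker+admin" if ind["device_admin"] else "locker"
    return "none"


# Constructed sample: a fake anti-virus style locker.
LOCKER_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakeav">
  <uses-permission android:name="{OVERLAY}"/>
  <uses-permission android:name="{BOOT_PERM}"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="{BOOT_ACTION}"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="{DEVICE_ADMIN}">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only uses the network.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("fakeav", LOCKER_MANIFEST), ("notes", BENIGN_MANIFEST)):
        print(name, triage(m), locker_indicators(m))
```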
Android.Locker.B
• This looks like a Norton AntiVirus app
• Finds problems with your phone
• Asks to activate “device admin”
• Gives you the bad news
• Tells you how to fix it
Android.SLocker.A
• Looks like the Adobe Flash Player
• Immediately asks for Device Admin
• Disappears from APPS screen
• Can’t be stopped or uninstalled
• Has all sorts of permissions
• Communicates with C&C
• Uses “alert window” to:
Lock phone
Ask for Google Wallet credentials
Ask for credit card credentials
• Goal is to get your credit card info
Infected Games
Pokemon Go Infected
• Originally released in only the US, Australia and New Zealand markets.
• Gaming web sites provided instructions on how users in other locations could side load bootleg copies.
• This provided an unprecedented opportunity for hackers.
• Within hours, Nokia Threat Intelligence Lab found copies of the game that had been injected with malware and made available for download from third-party sites.
Pokemon Go Infected
• One sample was infected with a Remote Access Trojan called DroidJack.
• This allows the attacker to:
track the phone’s location
record calls
take pictures
steal information and files from the phone.
• To the user, it is identical to the Pokemon Go game except that the first time you run it, it asks for permissions.
Remote Access Trojans (RATs)
DroidJack
• Inject DroidJack into Pokemon
• Fill in name of C&C
• Select Pokemon APK
• Select “Bind”
• APK built…
DroidJack Operation
• Trick user into installing the infected game…
• Device pops up in GUI
• Right click for features
Browse files
Browser History
Location
Contacts
Audio
Video
iPhone Malware
iPhone not immune
• KeyRaider steals over 225,000 Apple accounts
• XcodeGhost infiltrates Chinese app development
• AceDeceiver exploits iOS DRM to install malware on iPhones
• YiSpector malware exploits Apple sandboxing on non-jailbroken phones.
Installs other malware
Conceals its presence
[Screenshots: KeyRaider apps on Cydia; YiSpector]
iPhone – Pegasus Spyware
• Professional spyware from NSO Group costing $25000 per target.
• Uses three (Trident) exploits to get into the phone
Phishing leads to exploit web link
CVE-2016-4655 exploit against Safari WebKit gets remote execution
CVE-2016-4656 & CVE-2016-4657 jailbreak the device
Spyware has complete control of the device
• Spies on social media and communication apps
Gmail, Facetime, Facebook, Skype, WhatsApp, etc.
• Monitors
Phone calls, SMS messages, call logs
• Allows remote audio and video recording
• Has stealth protection and a built-in self-destruct mechanism
DDOS
DNS-DDOS
• Attacks impact any carrier network where public Internet IP addresses are used.
• Attacks typically leverage mobile WiFi devices that act as DNS resolvers.
• Spark’s network (major carrier in New Zealand) was crippled for two days in 2014 by this.
• Attacks have Internet wide impact (see following slide)
1. Attacker tells Internet based botnet to launch attack.
2. Bots send spoofed DNS requests to mobile devices.
3. Mobile devices forward DNS requests to the carrier’s DNS servers for resolution.
4. DNS servers respond with amplified response traffic.
5. Mobile devices flood the victim server with this response traffic.
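The five-step reflection described above leaves a recognisable pattern at the carrier's tap: a handset receiving DNS queries on port 53 from many Internet sources and returning far larger responses. The Python below is an added example, not from the deck; the subscriber address pool, the thresholds and the flow records are all constructed assumptions.

```python
"""Spot handsets acting as DNS amplification reflectors in carrier flow records.

Added example, not from the Nokia deck. Flow records (src, sport, dst, dport,
bytes) are assumed to come from a tap such as Gn or S5/8; the subscriber pool,
thresholds and sample records below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SUBSCRIBER_POOL = ip_network("203.0.113.0/24")  # constructed public handset pool
MIN_QUERY_SOURCES = 20    # distinct Internet sources querying one handset on UDP/53
MIN_AMPLIFICATION = 10.0  # response bytes leaving / query bytes arriving


def is_subscriber(ip: str) -> bool:
    return ip_address(ip) in SUBSCRIBER_POOL


def find_reflectors(flows) -> dict:
    """Return {handset: report} for handsets that match the reflection pattern."""
    query_bytes = defaultdict(int)
    query_sources = defaultdict(set)
    resp_bytes = defaultdict(lambda: defaultdict(int))  # handset -> dst -> bytes
    for f in flows:
        inbound = f["dport"] == 53 and is_subscriber(f["dst"]) and not is_subscriber(f["src"])
        outbound = f["sport"] == 53 and is_subscriber(f["src"]) and not is_subscriber(f["dst"])
        if inbound:     # step 2: spoofed queries from the Internet reach the handset
            query_bytes[f["dst"]] += f["bytes"]
            query_sources[f["dst"]].add(f["src"])
        elif outbound:  # step 5: the handset answers towards the spoofed addresses
            resp_bytes[f["src"]][f["dst"]] += f["bytes"]
    # A handset's own lookups (handset -> carrier resolver, reply from the
    # resolver's port 53) match neither branch, so they are never counted.
    reports = {}
    for handset, sources in query_sources.items():
        if len(sources) < MIN_QUERY_SOURCES:
            continue
        out_total = sum(resp_bytes[handset].values())
        amplification = out_total / max(query_bytes[handset], 1)
        if amplification < MIN_AMPLIFICATION:
            continue
        # Group the flooded addresses by /24: the deck's case was one spoofed subnet.
        by_net = defaultdict(int)
        for dst, b in resp_bytes[handset].items():
            by_net[str(ip_network(f"{dst}/24", strict=False))] += b
        reports[handset] = {
            "query_sources": len(sources),
            "amplification": round(amplification, 1),
            "top_destination_net": max(by_net, key=by_net.get),
        }
    return reports


def sample_flows() -> list:
    """Constructed records: one reflecting handset plus one benign DNS client."""
    flows = []
    reflector = "203.0.113.7"
    for i in range(1, 65):
        spoofed = f"198.51.100.{i}"  # constructed spoofed source block
        flows.append(dict(src=spoofed, sport=40000 + i, dst=reflector, dport=53, bytes=60))
        flows.append(dict(src=reflector, sport=53, dst=spoofed, dport=40000 + i, bytes=3000))
    # Benign handset resolving a name through the carrier resolver (constructed).
    flows.append(dict(src="203.0.113.8", sport=41000, dst="192.0.2.53", dport=53, bytes=60))
    flows.append(dict(src="192.0.2.53", sport=53, dst="203.0.113.8", dport=41000, bytes=120))
    return flows


if __name__ == "__main__":
    print(find_reflectors(sample_flows()))
```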
Coordinated Attack Impacts the Internet
[Map: customer in Asia, customer in North America.]
65K spoofed IP addresses from a Russian subnet send DNS requests to 3000 mobile devices in the carrier’s network, generating over 100 million security events per day.
Mirai Botnet (IoT devices)
• Responsible for 600Gbps attack against Brian Krebs web site (Sept 2016)
• Responsible for 1.5Tbps attack against French web hosting provider (Oct 2016)
• Responsible for Friday Oct 21st attack on DYNDNS that impacted Spotify, Twitter & Netflix.
• Operation Phase 1:
Bot scans for vulnerable devices (Mifi & IoT)
Brute force login against open Telnet & SSH ports
• Operation Phase 2:
Infected device joins botnet and scans for other victims
Reported to have created a 130K device botnet in one day
• Operation Phase 3:
Botnet attacks victim
Remote exploits
StageFright
• Vulnerabilities in Android’s media display software announced July 2015 with a proof of concept exploit via MMS message preview.
• Forced a serious look at how to improve getting Android patches deployed in the field.
• No known exploits seen in the wild (July 2016)
• New exploit available for Metasploit can exploit the vulnerability through the phone’s browser on 29 different device/firmware versions (Aug 2016)
Conclusion
• Android and iPhone malware focuses on things that work well in the mobile environment.
Spyphone Apps & Trojans
SMS Trojans
Scareware
Adware
• However we are starting to see:
Systematic rooting of the device
Hooking into privileged apps
Advanced persistence
Stealth
Sophisticated C&C
Remote exploits
Questions ?