SlideShare ist ein Scribd-Unternehmen logo

Dragon lady

Lookout
Lookout
TechnologieBusiness
1 von 52
Downloaden Sie, um offline zu lesen
DRAGON LADY AN INVESTIGATION OF RUSSIAN SMS FRAUD RYAN W SMITH & TIM STRAZZERE Lookout, Inc. Read the report
WHO ARE WE - RYAN W SMITH • Senior Research and Response Engineer @ Lookout • Contributing member of the Honeynet Project for more than 10 years • Worked on automated x86/Windows shellcode deobfuscation and malware sandboxing and before starting Android reversing • Previously spoke about scalable Android reversing @ AppSec USA and IEEE HICSS Read the report
WHO ARE WE - “DIFF” @TIMSTRAZZ • Lead Research & Response Engineer @ Lookout • Reversed the Android Market/Google Play Protocol • Junkie for reversing mobile malware, creating write ups and teaching other to help raise the bar • Spoke previously about anti-/analysis/ decompilation/emulation at BH’11/12, EICAR’12, HiTCON13, SySCAN ’13 etc. Read the report
WHY DEEP DIVE? • Stats are extremely misleading; but get headlines! • Did it just go from 100 samples to 163? 163 / 100 == 1.63 == 163% • Different (zip) hash? Different (unique) sample? • Correlation by SENDS_SMS is not good enough! Read the report
WHY DEEP DIVE? • New hash != new “sample” -- need context! • Impressive... “server-side polymorphism” bebop:alphasms tstrazzere$ shasum *apk e780f49dd81fec4df1496cb4bc1577aac92ade65 mwlqythh.rwbkulojmti-1.apk 8263d3aa255fe75f4d02d08e928a3113fa2f9e17 mwlqythh.rwbkulojmti-2.apk 521d3734e927f47af62e15e9880017609c018373 mwlqythh.rwbkulojmti-3.apk bebop:alphasms tstrazzere$ shasum *.dex* 14e46f0330535cb5e8f377a6c2bb2c858de6f414 classes.dex-1 14e46f0330535cb5e8f377a6c2bb2c858de6f414 classes.dex-2 14e46f0330535cb5e8f377a6c2bb2c858de6f414 classes.dex-3 Read the report
FAMILY INTEL. Threat Sends SMS Downloads Apps Exfiltrates PII Obfuscation (non-commercial) ALPHASMS     BADNEWS   CONNECTSMS    DEPOSITMOBI  FAKEBROWS    SMSACTOR   NOTCOMPATIBLE Read the report
FAMILY INTEL. Threat Sends SMS Downloads Apps Exfiltrates PII Obfuscation (non-commercial) ALPHASMS     BADNEWS   CONNECTSMS    DEPOSITMOBI  FAKEBROWS    SMSACTOR   NOTCOMPATIBLE FakeInst / SMSSend / Other generic name Read the report
SAMPLE EVOLUTION IS IMPORTANT e6d823... Packaged: 07-30-12 No obfuscation / crypto Debug information available ConnectSMS.a 00f35f... Packaged: 12-13-12 SMS Endpoints / URL crypted Debug info stripped Added contact exfiltration ConnectSMS.f 355d6f... Packaged: 01-11-13 SMS Endpoints / URL crypted Debug info stripped Removed contact exfiltration ConnectSMS.p 383069... Packaged: 04-03-13 SMS / URL remotely pull & decrypted Debug info re-added ConnectSMS.s Same Crypto Read the report
• Underlying code still similar • “Polymorphism” easily confused with “omg sky is falling” • Trends across different distributing organizations DECIPHERING OBFUSCATION AlphaSMS Read the report
AGILE THREAT RELEASES Read the report
BEYOND SMS FRAUD - NOTCOMPATIBLE • Interesting exercise in malware component commoditization • Relates directly to PC malware • Used mass compromised web sites, compromised swaths of accounts (AOL, Yahoo, etc.) for distribution (likely purchased?) • Actively used for evading fraud detection   DRAG + DROP IMAGE HERE   Attacker in Europe Purchasing Service, inside US Block by fraud detection Infected proxy device, inside US Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
Read the report
CONCLUSIONS • Top 10 Russian SMS fraud organizations account for over 30% of worldwide malware detections • SMS Fraud is a diverse threat, and requires careful categorization • SMS Fraud has effectively been commoditized in Russia and has a thriving support system • By taking a “full-stack” approach to tracking these threats we avoid the typical “whack-a- mole” AV strategy Read the report
THE GIANTS ON WHICH WE STAND • Thanks to: • The entire R&R and security team at Lookout • The Honeynet Project • Mila @ Contagio Dump • @jduck @pof @osxreverser @thomas_cannon @adesnos @Gunther_AR @TeamAndIRC @cryptax Read the report
Keep in touch with @lookout /mylookout blog.lookout.com contact@lookout.com http://bit.ly/dragon-lady

Empfohlen

3 Perspectives Around Data Breaches
3 Perspectives Around Data Breaches3 Perspectives Around Data Breaches
3 Perspectives Around Data Breaches
Symantec
 
TLS 1.2 Internet Security Protocol: What it Means & Why You Should Give a ¢®@ϸ
TLS 1.2 Internet Security Protocol: What it Means & Why You Should Give a ¢®@ϸTLS 1.2 Internet Security Protocol: What it Means & Why You Should Give a ¢®@ϸ
TLS 1.2 Internet Security Protocol: What it Means & Why You Should Give a ¢®@ϸ
AppointmentPlus
 
Dragon Lady
Dragon LadyDragon Lady
Dragon Lady
Lookout
 
5 Types of Shady Apps
5 Types of Shady Apps5 Types of Shady Apps
5 Types of Shady Apps
Lookout
 
Trial by Fire: Security @ DEF CON 21
Trial by Fire: Security @ DEF CON 21Trial by Fire: Security @ DEF CON 21
Trial by Fire: Security @ DEF CON 21
Lookout
 
03 estrategia-ddos
03 estrategia-ddos03 estrategia-ddos
03 estrategia-ddos
Pavel Odintsov
 
DDoS detection at small ISP by Wardner Maia
DDoS detection at small ISP by Wardner MaiaDDoS detection at small ISP by Wardner Maia
DDoS detection at small ISP by Wardner Maia
Pavel Odintsov
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_voss
Pavel Odintsov
 

Empfohlen

3 Perspectives Around Data Breaches
3 Perspectives Around Data Breaches3 Perspectives Around Data Breaches
3 Perspectives Around Data Breaches
Symantec
 
TLS 1.2 Internet Security Protocol: What it Means & Why You Should Give a ¢®@ϸ
TLS 1.2 Internet Security Protocol: What it Means & Why You Should Give a ¢®@ϸTLS 1.2 Internet Security Protocol: What it Means & Why You Should Give a ¢®@ϸ
TLS 1.2 Internet Security Protocol: What it Means & Why You Should Give a ¢®@ϸ
AppointmentPlus
 
Dragon Lady
Dragon LadyDragon Lady
Dragon Lady
Lookout
 
5 Types of Shady Apps
5 Types of Shady Apps5 Types of Shady Apps
5 Types of Shady Apps
Lookout
 
Trial by Fire: Security @ DEF CON 21
Trial by Fire: Security @ DEF CON 21Trial by Fire: Security @ DEF CON 21
Trial by Fire: Security @ DEF CON 21
Lookout
 
03 estrategia-ddos
03 estrategia-ddos03 estrategia-ddos
03 estrategia-ddos
Pavel Odintsov
 
DDoS detection at small ISP by Wardner Maia
DDoS detection at small ISP by Wardner MaiaDDoS detection at small ISP by Wardner Maia
DDoS detection at small ISP by Wardner Maia
Pavel Odintsov
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_voss
Pavel Odintsov
 
GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPd
Pavel Odintsov
 
Nanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonNanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmon
Pavel Odintsov
 
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaDetecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Pavel Odintsov
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigation
Pavel Odintsov
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Pavel Odintsov
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
Pavel Odintsov
 
9534715
95347159534715
9534715
Pavel Odintsov
 
Jon Nield FastNetMon
Jon Nield FastNetMonJon Nield FastNetMon
Jon Nield FastNetMon
Pavel Odintsov
 
Netflix security monkey overview
Netflix security monkey overviewNetflix security monkey overview
Netflix security monkey overview
Ryan Hodgin
 
Distributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationDistributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And Mitigation
Pavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
Pavel Odintsov
 
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...
Ontico
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simple
Pavel Odintsov
 
pegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdfpegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdf
064ChetanWani
 
Pegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowPegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to Know
Skycure
 
Stop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by designStop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by design
Patrick Walsh
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM Domino
Jared Roberts
 
Cisco connect winnipeg 2018 anatomy of an attack
Cisco connect winnipeg 2018 anatomy of an attackCisco connect winnipeg 2018 anatomy of an attack
Cisco connect winnipeg 2018 anatomy of an attack
Cisco Canada
 
Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.
Advanced monitoring
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
NormShield, Inc.
 
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Canada
 
Cisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of AttackCisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Canada
 

Weitere ähnliche Inhalte

Andere mochten auch

Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...
Ontico
 

Andere mochten auch (13)

GoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPdGoBGP : yet another OSS BGPd
GoBGP : yet another OSS BGPd
 
Nanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonNanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmon
 
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaDetecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigation
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
 
9534715
95347159534715
9534715
 
Jon Nield FastNetMon
Jon Nield FastNetMonJon Nield FastNetMon
Jon Nield FastNetMon
 
Netflix security monkey overview
Netflix security monkey overviewNetflix security monkey overview
Netflix security monkey overview
 
Distributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationDistributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And Mitigation
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
 
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...
Борьба с DDoS в хостинге - по обе стороны баррикад / Константин Новаковский (...
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simple
 

Ähnlich wie Dragon lady

CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
NowSecure
 
Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018
Steve Poole
 
Amphion Forum 2013: What to Do About Attacks Against MDMs
Amphion Forum 2013: What to Do About Attacks Against MDMsAmphion Forum 2013: What to Do About Attacks Against MDMs
Amphion Forum 2013: What to Do About Attacks Against MDMs
Lacoon Mobile Security
 

Ähnlich wie Dragon lady (20)

pegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdfpegasus-whatyouneedtoknow-160916194631 (1).pdf
pegasus-whatyouneedtoknow-160916194631 (1).pdf
 
Pegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to KnowPegasus Spyware - What You Need to Know
Pegasus Spyware - What You Need to Know
 
Stop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by designStop expecting magic fairy dust: Make apps secure by design
Stop expecting magic fairy dust: Make apps secure by design
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM Domino
 
Cisco connect winnipeg 2018 anatomy of an attack
Cisco connect winnipeg 2018 anatomy of an attackCisco connect winnipeg 2018 anatomy of an attack
Cisco connect winnipeg 2018 anatomy of an attack
 
Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.Безопасность данных мобильных приложений. Мифы и реальность.
Безопасность данных мобильных приложений. Мифы и реальность.
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
 
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attack
 
Cisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of AttackCisco Connect Vancouver 2017 - Anatomy of Attack
Cisco Connect Vancouver 2017 - Anatomy of Attack
 
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of AlertsA Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts
A Vision for Shared, Central Intelligence to Ebb a Growing Flood of Alerts
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
Blueprint for Security Architecture & Strategy.pdf
Blueprint for Security Architecture & Strategy.pdfBlueprint for Security Architecture & Strategy.pdf
Blueprint for Security Architecture & Strategy.pdf
 
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated IndustriesCASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries
 
Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018
 
Hands-On Security Breakout Session- Disrupting the Kill Chain
Hands-On Security Breakout Session- Disrupting the Kill ChainHands-On Security Breakout Session- Disrupting the Kill Chain
Hands-On Security Breakout Session- Disrupting the Kill Chain
 
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
 
Can You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security RisksCan You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security Risks
 
Amphion Forum 2013: What to Do About Attacks Against MDMs
Amphion Forum 2013: What to Do About Attacks Against MDMsAmphion Forum 2013: What to Do About Attacks Against MDMs
Amphion Forum 2013: What to Do About Attacks Against MDMs
 
Anatomy of an Attack
Anatomy of an AttackAnatomy of an Attack
Anatomy of an Attack
 

Mehr von Lookout

2015 Cybersecurity Predictions
2015 Cybersecurity Predictions2015 Cybersecurity Predictions
2015 Cybersecurity Predictions
Lookout
 

Mehr von Lookout (20)

The New Assembly Line: 3 Best Practices for Building (Secure) Connected Cars
The New Assembly Line: 3 Best Practices for Building (Secure) Connected CarsThe New Assembly Line: 3 Best Practices for Building (Secure) Connected Cars
The New Assembly Line: 3 Best Practices for Building (Secure) Connected Cars
 
Looking Forward and Looking Back: Lookout's Cybersecurity Predictions
Looking Forward and Looking Back: Lookout's Cybersecurity PredictionsLooking Forward and Looking Back: Lookout's Cybersecurity Predictions
Looking Forward and Looking Back: Lookout's Cybersecurity Predictions
 
5 Ways to Protect your Mobile Security
5 Ways to Protect your Mobile Security5 Ways to Protect your Mobile Security
5 Ways to Protect your Mobile Security
 
Feds: You have a BYOD program whether you like it or not
Feds: You have a BYOD program whether you like it or notFeds: You have a BYOD program whether you like it or not
Feds: You have a BYOD program whether you like it or not
 
What Is Spyware?
What Is Spyware?What Is Spyware?
What Is Spyware?
 
Mobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingMobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are Asking
 
2015 Cybersecurity Predictions
2015 Cybersecurity Predictions2015 Cybersecurity Predictions
2015 Cybersecurity Predictions
 
The New NotCompatible
The New NotCompatibleThe New NotCompatible
The New NotCompatible
 
Relentless Mobile Threats to Avoid
Relentless Mobile Threats to AvoidRelentless Mobile Threats to Avoid
Relentless Mobile Threats to Avoid
 
When Android Apps Go Evil
When Android Apps Go EvilWhen Android Apps Go Evil
When Android Apps Go Evil
 
Scaling Mobile Development
Scaling Mobile DevelopmentScaling Mobile Development
Scaling Mobile Development
 
Visualizing Privacy
Visualizing PrivacyVisualizing Privacy
Visualizing Privacy
 
Hiring Hackers
Hiring HackersHiring Hackers
Hiring Hackers
 
How to (Safely) Cut the Cord With Your Old iPhone
How to (Safely) Cut the Cord With Your Old iPhoneHow to (Safely) Cut the Cord With Your Old iPhone
How to (Safely) Cut the Cord With Your Old iPhone
 
3 Ways to Protect the Data in Your Google Account
3 Ways to Protect the Data in Your Google Account3 Ways to Protect the Data in Your Google Account
3 Ways to Protect the Data in Your Google Account
 
3 Ways to Protect the Data in Your Apple Account
3 Ways to Protect the Data in Your Apple Account3 Ways to Protect the Data in Your Apple Account
3 Ways to Protect the Data in Your Apple Account
 
The Back to School Smartphone Guide
The Back to School Smartphone GuideThe Back to School Smartphone Guide
The Back to School Smartphone Guide
 
Mobile Security at the World Cup
Mobile Security at the World CupMobile Security at the World Cup
Mobile Security at the World Cup
 
Spring Cleaning for Your Smartphone
Spring Cleaning for Your SmartphoneSpring Cleaning for Your Smartphone
Spring Cleaning for Your Smartphone
 
Mobile Threats, Made to Measure
Mobile Threats, Made to MeasureMobile Threats, Made to Measure
Mobile Threats, Made to Measure
 

Kürzlich hochgeladen

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Kürzlich hochgeladen (20)

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Dragon lady

  • 1. DRAGON LADY AN INVESTIGATION OF RUSSIAN SMS FRAUD RYAN W SMITH & TIM STRAZZERE Lookout, Inc. Read the report
  • 2. WHO ARE WE - RYAN W SMITH • Senior Research and Response Engineer @ Lookout • Contributing member of the Honeynet Project for more than 10 years • Worked on automated x86/Windows shellcode deobfuscation and malware sandboxing and before starting Android reversing • Previously spoke about scalable Android reversing @ AppSec USA and IEEE HICSS Read the report
  • 3. WHO ARE WE - “DIFF” @TIMSTRAZZ • Lead Research & Response Engineer @ Lookout • Reversed the Android Market/Google Play Protocol • Junkie for reversing mobile malware, creating write ups and teaching other to help raise the bar • Spoke previously about anti-/analysis/ decompilation/emulation at BH’11/12, EICAR’12, HiTCON13, SySCAN ’13 etc. Read the report
  • 4. WHY DEEP DIVE? • Stats are extremely misleading; but get headlines! • Did it just go from 100 samples to 163? 163 / 100 == 1.63 == 163% • Different (zip) hash? Different (unique) sample? • Correlation by SENDS_SMS is not good enough! Read the report
  • 5. WHY DEEP DIVE? • New hash != new “sample” -- need context! • Impressive... “server-side polymorphism” bebop:alphasms tstrazzere$ shasum *apk e780f49dd81fec4df1496cb4bc1577aac92ade65 mwlqythh.rwbkulojmti-1.apk 8263d3aa255fe75f4d02d08e928a3113fa2f9e17 mwlqythh.rwbkulojmti-2.apk 521d3734e927f47af62e15e9880017609c018373 mwlqythh.rwbkulojmti-3.apk bebop:alphasms tstrazzere$ shasum *.dex* 14e46f0330535cb5e8f377a6c2bb2c858de6f414 classes.dex-1 14e46f0330535cb5e8f377a6c2bb2c858de6f414 classes.dex-2 14e46f0330535cb5e8f377a6c2bb2c858de6f414 classes.dex-3 Read the report
  • 6. FAMILY INTEL. Threat Sends SMS Downloads Apps Exfiltrates PII Obfuscation (non-commercial) ALPHASMS     BADNEWS   CONNECTSMS    DEPOSITMOBI  FAKEBROWS    SMSACTOR   NOTCOMPATIBLE Read the report
  • 7. FAMILY INTEL. Threat Sends SMS Downloads Apps Exfiltrates PII Obfuscation (non-commercial) ALPHASMS     BADNEWS   CONNECTSMS    DEPOSITMOBI  FAKEBROWS    SMSACTOR   NOTCOMPATIBLE FakeInst / SMSSend / Other generic name Read the report
  • 8. SAMPLE EVOLUTION IS IMPORTANT e6d823... Packaged: 07-30-12 No obfuscation / crypto Debug information available ConnectSMS.a 00f35f... Packaged: 12-13-12 SMS Endpoints / URL crypted Debug info stripped Added contact exfiltration ConnectSMS.f 355d6f... Packaged: 01-11-13 SMS Endpoints / URL crypted Debug info stripped Removed contact exfiltration ConnectSMS.p 383069... Packaged: 04-03-13 SMS / URL remotely pull & decrypted Debug info re-added ConnectSMS.s Same Crypto Read the report
  • 9. • Underlying code still similar • “Polymorphism” easily confused with “omg sky is falling” • Trends across different distributing organizations DECIPHERING OBFUSCATION AlphaSMS Read the report
  • 11. BEYOND SMS FRAUD - NOTCOMPATIBLE • Interesting exercise in malware component commoditization • Relates directly to PC malware • Used mass compromised web sites, compromised swaths of accounts (AOL, Yahoo, etc.) for distribution (likely purchased?) • Actively used for evading fraud detection   DRAG + DROP IMAGE HERE   Attacker in Europe Purchasing Service, inside US Block by fraud detection Infected proxy device, inside US Read the report
  • 41.
  • 42.
  • 43.
  • 44.
  • 45.
  • 46.
  • 49.
  • 50. CONCLUSIONS • Top 10 Russian SMS fraud organizations account for over 30% of worldwide malware detections • SMS Fraud is a diverse threat, and requires careful categorization • SMS Fraud has effectively been commoditized in Russia and has a thriving support system • By taking a “full-stack” approach to tracking these threats we avoid the typical “whack-a- mole” AV strategy Read the report
  • 51. THE GIANTS ON WHICH WE STAND • Thanks to: • The entire R&R and security team at Lookout • The Honeynet Project • Mila @ Contagio Dump • @jduck @pof @osxreverser @thomas_cannon @adesnos @Gunther_AR @TeamAndIRC @cryptax Read the report
  • 52. Keep in touch with @lookout /mylookout blog.lookout.com contact@lookout.com http://bit.ly/dragon-lady