Billion dollar botnets

Cathal Mullaney Symantec

  download slides (PDF)

At the start of February 2012, we came across an interesting example of a fully functional Android botnet. When we first began analysing the malware, it seemed like a relatively pedestrian Android remote administration tool (RAT). After further analysis, we noticed some unusual functionality written into the RAT and began to investigate the command-and-control (C&C) server used to control compromised devices. We found a very large, revenue-generating botnet targeting users in mainland China. Upon analysis of the revenue data, we estimated the potential turnover of the botnet was millions of dollars, annually.

More recently, we have investigated a variant of Android.Backscript (MDK Botnet). This appears to be an even bigger botnet infrastructure operating out of mainland China.

In this paper I will provide the following:

• An overview of revenue-generating Android botnets, focusing on Android.Bmaster and Android.Backscript.
• An analysis of the revenue-generation functionality and the infection vector used by these botnets.
• An in-depth technical analysis of the Android.Bmaster botnet and associated C&C server functionality.
• An analysis of the revenue generated by Android.Bmaster over its full lifecycle.

In addition, I will show and demonstrate features of the C&C server, which will be shown for the first time, including snapshots of activity from compromised devices.

The number of end-users that currently own Android smartphones makes this an attractive attack vector for malware authors. When coupled with targeted infections, like Android users in mainland China, this type of botnet can be extremely lucrative.

VB2013 takes place 2-4 October 2013 in Berlin, Germany.

The full programme for VB2013, including abstracts for each paper, can be viewed here.

Click here for more details about the conference.