A botnet is a set of compromised computers, or bot clients, running malicious software that enables a “botherder” or “botmaster” to control these computers remotely. A botherder or botmaster can design a botnet to perform certain actions, such as information stealing or launching a denial of service, and issues commands to the bot clients from a command and control (C2) server. Since mobile networks are now well integrated with the Internet, botnets are beginning to migrate to mobile devices, as seen with Ikee.B.
Zeus (also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber) is a Trojan horse that steals banking information by keystroke logging. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon, and BusinessWeek.
Rich content exploit
Due to their ability to support rich content, MMS messages have a body field where Extensible Markup Language (XML) messages can be hidden.[13] Waledac, a web-based Internet botnet, uses XML messages to communicate. Unlike with Internet communication, Internet Protocol (IP) addresses are not used when exchanging SMS or MMS messages. Instead, mobile devices have an International Mobile Subscriber Identity (IMSI) and Mobile Subscriber Integrated Services Digital Network Number (MSISDN).
These numbers are used to authenticate, register, and identify mobile network subscriptions by mapping the device to a phone number. The IMSI is embedded in the device hardware or contained on a removable card such as a Removable-User Identity Module (R-UIM) card in Code Division Multiple Access (CDMA) networks or a Subscriber Identity Module (SIM) card in Global System for Mobile Communications (GSM) networks.
The MSISDN represents a phone number and is used to route communication to the subscriber. Domain Name System (DNS) also does not exist on mobile networks, making the use of advanced networking techniques such as fast flux and multi-homing impossible in mobile networks.[14] However, since mobile devices can have constant connections to the Internet, they can potentially be utilized like any other computer while maintaining all of their functionality within a mobile network. Mobile devices using the Internet may be assigned dynamic private IP addresses that are inaccessible from the Internet, preventing a botmaster from communicating directly with a compromised host. Web-based botnets circumvent this obstacle by having bot clients poll web servers for further instructions. Any additional obstacles presented by using SMS or MMS messages to communicate could also be circumvented by adapting a web server to accommodate SMS and MMS functionality by creating a proxy that understands this type of communication and has a connection to the Internet.
Capability of a botnet
The capability to run a web server on the iPhone has existed since at least mid-2007.[15] Compromised text messaging services could have severe consequences. In the aftermath of the recent earthquakes in Haiti, reputable charity organizations experienced a massive surge in text message donations. For example, a mobile device user could donate $10 to the American Red Cross by texting HAITI to 90999. In less than 48 hours, donations reached $5 million and accumulated at a rate of $200,000 per hour.
A mobile botnet could be configured to send text messages to a donation number set up for nefarious purposes. The donations could be small enough that a victim may not recognize the extra charge on his or her bill.
The same concept could potentially be exploited in voting scenarios that leverage mobile devices or to carry out distributed denial of service attacks.
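Two of the signals a carrier or MDM operator could watch for follow from the text above: XML fragments hidden in text-type MMS bodies (the Waledac-style channel) and a single handset repeatedly texting the same premium short code (the donation-fraud scenario). The script below is an added example, not from the original article; the message records, the short code counts, and the `c2.example` URL inside the sample MMS body are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (timestamp, sender MSISDN, destination, type, body).
# These are made-up log lines for illustration, not real carrier traffic.
RECORDS = [
    ("2010-01-14T10:00:00", "15551230001", "90999", "SMS", "HAITI"),
    ("2010-01-14T10:00:05", "15551230001", "90999", "SMS", "HAITI"),
    ("2010-01-14T10:00:09", "15551230001", "90999", "SMS", "HAITI"),
    ("2010-01-14T10:00:15", "15551230001", "90999", "SMS", "HAITI"),
    ("2010-01-14T11:30:00", "15551230002", "90999", "SMS", "HAITI"),
    ("2010-01-14T11:31:00", "15551230003", "15551230002", "MMS", "photo from the trip"),
    ("2010-01-14T11:32:00", "15551230004", "15551230002", "MMS",
     "lol <cmd><task>update</task><url>http://c2.example/bot.bin</url></cmd>"),
]

# A well-formed element pair <name ...>...</name>; plain text bodies have none.
XML_FRAGMENT = re.compile(r"<([A-Za-z_][\w:.-]*)(\s[^<>]*)?>.*?</\1\s*>", re.S)
SHORT_CODE = re.compile(r"^\d{4,6}$")  # short codes are 4 to 6 digits (assumption)

def hidden_xml(body):
    """Return the names of top-level XML elements embedded in an MMS text body."""
    return [m.group(1) for m in XML_FRAGMENT.finditer(body)]

def short_code_bursts(records, window_sec=60, threshold=3):
    """Flag (sender, short code) pairs that exceed `threshold` SMS messages
    inside any sliding window of `window_sec` seconds. A single donation is
    one message, so a legitimate donor never trips this."""
    per_key = defaultdict(list)
    for ts, sender, dest, kind, _ in records:
        if kind == "SMS" and SHORT_CODE.match(dest):
            per_key[(sender, dest)].append(datetime.fromisoformat(ts))
    flagged = {}
    for key, times in per_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_sec:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged

def scan(records):
    """Return (MMS senders with hidden XML, short-code burst offenders)."""
    xml_hits = [(sender, hidden_xml(body)) for _, sender, _, kind, body in records
                if kind == "MMS" and hidden_xml(body)]
    return xml_hits, short_code_bursts(records)

if __name__ == "__main__":
    print(scan(RECORDS))
```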