1 00:00:00,000 --> 00:00:02,918 RYAN SMITH: For those of you that don't know me, my name 2 00:00:02,918 --> 00:00:05,542 is Ryan Smith, and this is Tim Strazzere. 3 00:00:05,751 --> 00:00:08,042 We are both security engineers at Lookout. 4 00:00:08,042 --> 00:00:12,834 (Cheers and applause.) Lookout provides mobile security 5 00:00:12,834 --> 00:00:16,667 for both iPhone and Android. 6 00:00:16,667 --> 00:00:18,876 We have about 45 million users around the world, which we get 7 00:00:18,876 --> 00:00:22,000 to see security events and help protect them. 8 00:00:22,417 --> 00:00:24,459 So with this, we see a lot of trends. 9 00:00:24,459 --> 00:00:26,999 We also have another acquisition system where we're able 10 00:00:26,999 --> 00:00:30,584 to acquire essentially all the Android applications that are 11 00:00:30,584 --> 00:00:34,542 in propagation in distribution around the world. 12 00:00:34,834 --> 00:00:36,999 So with this, we see a couple of trends. 13 00:00:44,334 --> 00:00:48,083 One of the trends we've seen is Russian SMS fraud. 14 00:00:48,125 --> 00:00:50,626 SMS fraud is something that's not new. 15 00:00:50,626 --> 00:00:53,417 We've been tracking it for about three years. 16 00:00:53,626 --> 00:00:56,375 But over the last three years we've seen two trends. 17 00:00:56,375 --> 00:00:58,959 One is a rise in sophistication of the code. 18 00:01:07,501 --> 00:01:12,167 So those trends have led us to this talk called Dragonlady. 19 00:01:12,167 --> 00:01:15,083 The title of Dragonlady comes from the code name 20 00:01:15,083 --> 00:01:20,083 for the U-2 aerial vehicle that was used to observe Soviet activities 21 00:01:20,083 --> 00:01:23,542 during the Cold War through adverse conditions, 22 00:01:23,542 --> 00:01:27,542 through weather, and their motto was, "In God we trust, 23 00:01:27,542 --> 00:01:30,125 all others we monitor." 24 00:01:34,375 --> 00:01:37,250 So who are we? 
25 00:01:37,250 --> 00:01:40,999 Ryan Smith, I'm a senior security researcher at Lookout. 26 00:01:41,459 --> 00:01:43,250 I've been a member of the Honeynet Project 27 00:01:43,250 --> 00:01:46,417 for the past ten years where I've learned a lot of skills and I stand 28 00:01:46,417 --> 00:01:49,999 on the shoulders of many giants within the organization. 29 00:01:49,999 --> 00:01:54,999 And I previously worked on automated shellcode unpacking 30 00:01:54,999 --> 00:01:57,999 and malware sandboxing. 31 00:01:58,334 --> 00:02:01,292 Previously I spoke at APSIC and IEEE HIX and this 32 00:02:01,292 --> 00:02:04,250 is my first time at DEF CON. 33 00:02:04,834 --> 00:02:09,459 So, Tim, I'm going to hand the talk off to him for now, but another note, 34 00:02:09,459 --> 00:02:12,250 this is Tim's birthday today. 35 00:02:12,250 --> 00:02:15,167 So if you see this guy around, (( )) (Cheers and applause). 36 00:02:15,167 --> 00:02:24,626 (( )) feel free to give him as many shots as you like. 37 00:02:27,417 --> 00:02:31,167 TIM STRAZZERE: Thanks for throwing me under the bus, Ryan. 38 00:02:31,501 --> 00:02:32,709 So I'm Tim. 39 00:02:32,999 --> 00:02:35,417 Just call me diff, whatever, when we're going to drink at the bar, 40 00:02:35,417 --> 00:02:38,501 I'll buy you guys a shot if you buy me a shot. 41 00:02:38,501 --> 00:02:40,334 Everyone, that goes out to everyone. 42 00:02:40,667 --> 00:02:43,999 So I'm the lead research and response engineer at Lookout. 43 00:02:43,999 --> 00:02:46,751 Basically we get to take apart malware all the time. 44 00:02:46,751 --> 00:02:47,999 It's basically a dream job. 45 00:02:47,999 --> 00:02:50,999 If you guys are interested, come talk to me afterwards. 46 00:02:50,999 --> 00:02:52,584 We'll hook you up with a dream job. 47 00:02:52,584 --> 00:02:54,083 I'm kind of known for the Android market and bashing my 48 00:02:54,083 --> 00:02:58,751 head against the wall and trying to figure that out for a very long time. 
49 00:02:58,918 --> 00:03:00,209 I'm also probably the jerk who's responded to you 50 00:03:00,209 --> 00:03:03,375 on mailing lists if you ever ask questions about this. 51 00:03:03,918 --> 00:03:06,999 I'm the big junkie for reversing mobile malware. 52 00:03:06,999 --> 00:03:10,459 If you guys haven't looked into it, I suggest this to everyone I meet. 53 00:03:10,459 --> 00:03:11,667 It's really interesting because not only 54 00:03:11,667 --> 00:03:15,334 like when people are engineering applications for mobile, they have 55 00:03:15,334 --> 00:03:19,292 to worry about battery, is the connectivity dropping. 56 00:03:19,292 --> 00:03:21,417 It's really interesting from a mobile malware perspective of, 57 00:03:21,417 --> 00:03:24,083 you know, you're trying to create (( )) someone out there 58 00:03:24,083 --> 00:03:26,209 is trying to create a botnet and also trying 59 00:03:26,209 --> 00:03:29,250 to like work through those ebbs and flows of is the network down, 60 00:03:29,250 --> 00:03:31,709 where is this person that I've infected, and it ends 61 00:03:31,709 --> 00:03:35,584 up being really interesting twists to the problem of malware. 62 00:03:35,584 --> 00:03:38,542 And I've spoken at previous places, mainly about anti-analysis, 63 00:03:38,542 --> 00:03:41,125 decompilation, and emulation. 64 00:03:41,999 --> 00:03:46,083 So why are you here and why do you care about what we're talking about? 65 00:03:46,334 --> 00:03:48,999 The deep dive, we really wanted to go do this case study 66 00:03:48,999 --> 00:03:51,999 about Russian malware because you see lots of headlines 67 00:03:51,999 --> 00:03:55,292 out there and they're really misleading, or they're interesting 68 00:03:55,292 --> 00:03:59,709 because there's numbers and percentages, but percentages lie. 
69 00:03:59,709 --> 00:04:01,709 You know, if there's an increase of things, like just giving 70 00:04:01,709 --> 00:04:04,083 a percentage of saying like it increased a thousand percent, 71 00:04:04,083 --> 00:04:06,167 what does that even mean? 72 00:04:06,167 --> 00:04:07,292 Does that mean you went from like 0 samples 73 00:04:07,292 --> 00:04:10,375 to having 10 samples or something like that? 74 00:04:10,959 --> 00:04:12,125 So we wanted to quantify and actually dig 75 00:04:12,125 --> 00:04:14,999 down and say like what is the difference. 76 00:04:14,999 --> 00:04:18,417 We're not just basing this off of total numbers of files that we see. 77 00:04:18,417 --> 00:04:20,959 Another thing is when you look at samples in the wild, 78 00:04:20,959 --> 00:04:25,209 AV companies usually distinguish samples by their hash. 79 00:04:25,209 --> 00:04:26,999 So when a unique file comes across the table, 80 00:04:26,999 --> 00:04:30,209 they say we have a new sample, but when you look into the code 81 00:04:30,209 --> 00:04:35,083 of those, sometimes there's absolutely no difference in the actual file. 82 00:04:35,083 --> 00:04:36,751 So, you know, if you're just gonna go out there 83 00:04:36,751 --> 00:04:39,709 and grab 10,000 samples, but they do exactly the same thing, 84 00:04:39,709 --> 00:04:42,999 there's really no differences except for maybe a few modified flags, 85 00:04:42,999 --> 00:04:46,626 it kind of makes you (( )) lets you boost up your number if you want to, 86 00:04:46,626 --> 00:04:48,999 but it doesn't really help you solve the problem 87 00:04:48,999 --> 00:04:52,083 at hand or actually understand the problem. 
88 00:04:52,334 --> 00:04:55,125 And then another reason was we see a lot of things coming out of Russia 89 00:04:55,125 --> 00:04:58,792 and everyone just says it's Russian toll fraud and it's called FakeInstaller 90 00:04:58,792 --> 00:05:01,667 and throw everything into it, and it's like, well, it sends us 91 00:05:01,667 --> 00:05:04,083 a mess and it's the same thing. 92 00:05:04,083 --> 00:05:06,999 It's not true once you dig into the technicality of it. 93 00:05:07,209 --> 00:05:11,125 So as I said, a new hash is not always a new sample. 94 00:05:11,125 --> 00:05:15,125 This was an example I just pulled up from what we call AlphaSMS. 95 00:05:15,125 --> 00:05:19,667 And I had three APK files, which are essentially zip files, and you get 96 00:05:19,667 --> 00:05:23,999 the (( )) it ends up being something different. 97 00:05:23,999 --> 00:05:26,125 So a lot of people at this point might say I have three 98 00:05:26,125 --> 00:05:29,999 different samples and these are three different infections and now I have 99 00:05:29,999 --> 00:05:32,584 three things instead of one. 100 00:05:32,584 --> 00:05:36,083 But once you start pulling these apart, you end up seeing the classes.dex, 101 00:05:36,083 --> 00:05:38,626 which is essentially where all that code lies 102 00:05:38,626 --> 00:05:42,792 for an Android application, they're all exactly the same. 103 00:05:42,792 --> 00:05:45,751 And Ryan will go into depth on this, but basically if I pull this open 104 00:05:45,751 --> 00:05:48,999 in a hex editor and I'm looking at a zip template, as you can see, 105 00:05:48,999 --> 00:05:51,209 the actual times of when these were packaged 106 00:05:51,209 --> 00:05:52,999 are different. 107 00:05:52,999 --> 00:05:54,999 And that's the only difference in here. 108 00:05:54,999 --> 00:05:55,751 There's also a configuration file for when 109 00:05:55,751 --> 00:05:58,209 the affiliates were going through. 
110 00:05:58,459 --> 00:06:01,626 So different affiliates have different affiliate configurations, but the code 111 00:06:01,626 --> 00:06:03,709 is actually identical. 112 00:06:03,709 --> 00:06:06,626 So these samples are exactly identical. 113 00:06:06,751 --> 00:06:08,959 They just belong to different affiliates. 114 00:06:08,959 --> 00:06:10,167 So that's interesting in its own case, but you need 115 00:06:10,167 --> 00:06:13,250 to understand this difference instead of just saying I have three 116 00:06:13,250 --> 00:06:15,959 different pieces of malware here. 117 00:06:16,999 --> 00:06:21,292 The basic families that we went through were we ended up breaking 118 00:06:21,292 --> 00:06:24,918 up the Russian malware into AlphaSMS. 119 00:06:24,918 --> 00:06:28,083 BadNews, which is actually a recent one we just blogged about. 120 00:06:28,083 --> 00:06:31,626 This one was specifically interesting because it was basically 121 00:06:31,626 --> 00:06:35,626 around the (( )) it was an ad SDK that these malware authors 122 00:06:35,626 --> 00:06:41,083 were attempting to get developers to use inside their applications. 123 00:06:41,083 --> 00:06:45,459 Then we also have ConnectSMS, DepositMobi, FakeBrowse, SMS actor. 124 00:06:45,459 --> 00:06:47,876 We also have at the bottom, this is not a toll fraud, but it is 125 00:06:47,876 --> 00:06:52,334 a Russian malware, NotCompatible, which I'll touch upon a little bit later. 126 00:06:52,334 --> 00:06:53,584 As you can see, they all send SMS 127 00:06:53,584 --> 00:06:56,501 except for the bottom, but they do have other features 128 00:06:56,501 --> 00:06:59,626 sometimes in there, like downloading applications, trying 129 00:06:59,626 --> 00:07:02,125 to install those applications or suggesting that 130 00:07:02,125 --> 00:07:04,999 a user install that application. 
131 00:07:04,999 --> 00:07:08,375 A lot of them exfiltrate personally identifiable information, 132 00:07:08,375 --> 00:07:11,876 so that's stealing your contacts or attempting to look 133 00:07:11,876 --> 00:07:14,626 at your web browser history. 134 00:07:14,709 --> 00:07:15,999 And then it was also interesting to notice that some 135 00:07:15,999 --> 00:07:18,417 of these people were using obfuscation. 136 00:07:18,417 --> 00:07:21,999 It was all not off-the-shelf obfuscation, so it was all this custom-made stuff that 137 00:07:21,999 --> 00:07:25,709 we're seeing and you can actually see that between the different groups 138 00:07:25,709 --> 00:07:28,999 they started sharing obfuscation techniques. 139 00:07:29,167 --> 00:07:32,334 And we thought this was important because as you see, lots 140 00:07:32,334 --> 00:07:35,459 of people just say all those different families that have 141 00:07:35,459 --> 00:07:38,501 different feature sets and they also have different ways 142 00:07:38,501 --> 00:07:42,999 of infecting people and different feature sets, basically a lot of people just say, 143 00:07:42,999 --> 00:07:46,999 well, it's Russian SMS, who cares, like let's just group it all into one, 144 00:07:46,999 --> 00:07:50,999 and you kind of miss the big picture of who's doing this and what they're 145 00:07:50,999 --> 00:07:53,626 actually attempting to go for. 146 00:07:54,999 --> 00:07:58,250 So as we were going through, just specifically I was looking 147 00:07:58,250 --> 00:08:01,584 at ConnectSMS, and I went through our archives of samples 148 00:08:01,584 --> 00:08:04,999 and I pulled randomly I pulled a sample from A, F, P, and S. 149 00:08:04,999 --> 00:08:09,250 And so these are all different variants of the same family. 150 00:08:09,417 --> 00:08:11,751 And it ended up looking pretty interesting. 151 00:08:11,751 --> 00:08:12,999 You can see the package-by date when these were actually 152 00:08:12,999 --> 00:08:15,626 created by the malware author. 
153 00:08:15,918 --> 00:08:19,417 And then the first instance actually just had no obfuscation in there. 154 00:08:19,417 --> 00:08:19,999 It was really simple, basically you open 155 00:08:19,999 --> 00:08:24,083 up this application and it just sends an SMS and that's all. 156 00:08:24,209 --> 00:08:26,918 There's debug information in there which ended up being kind 157 00:08:26,918 --> 00:08:29,250 of interesting because this means they didn't run ProGuard, 158 00:08:29,250 --> 00:08:32,083 they didn't run DexGuard and they had all this extra metadata sitting 159 00:08:32,083 --> 00:08:34,250 there in their application. 160 00:08:34,334 --> 00:08:36,626 Later on in F, we actually saw (( )) this 161 00:08:36,626 --> 00:08:39,417 is it was packaged a few months afterwards, 162 00:08:39,417 --> 00:08:42,999 they started adding more SMS endpoints. 163 00:08:42,999 --> 00:08:45,999 They actually extracted that into a configuration file. 164 00:08:45,999 --> 00:08:48,834 So it wasn't just sending hard-coded SMS and it actually had 165 00:08:48,834 --> 00:08:52,667 all the SMS endpoints and the URLs started becoming encrypted 166 00:08:52,667 --> 00:08:54,999 in that external file. 167 00:08:55,292 --> 00:08:57,751 They also added contact exfiltration, which was interesting 168 00:08:57,751 --> 00:09:00,999 because they aren't actually spamming your contacts but sending that 169 00:09:00,999 --> 00:09:03,292 off to a third-party server. 170 00:09:03,292 --> 00:09:06,999 It was an interesting way to see this sample evolve. 171 00:09:07,083 --> 00:09:09,709 Later, down the road, we still see the SMS endpoints and 172 00:09:09,709 --> 00:09:12,250 the URLs encrypted, which is actually being used, 173 00:09:12,250 --> 00:09:15,250 the same cryptography was being used. 
174 00:09:15,250 --> 00:09:17,999 They added more obfuscation at this time, so if you just looked 175 00:09:17,999 --> 00:09:19,999 at the two samples next to each other 176 00:09:19,999 --> 00:09:24,292 without digging down deep, you might say this is brand new code. 177 00:09:24,292 --> 00:09:26,918 But you say, wait, they're using the same cryptography, wait, 178 00:09:26,918 --> 00:09:29,209 they're using the same keys, that ends up being 179 00:09:29,209 --> 00:09:32,083 an interesting correlation to draw. 180 00:09:32,542 --> 00:09:37,876 In the actual P sample, they removed the contact exfiltration. 181 00:09:37,876 --> 00:09:39,626 So it was interesting to see that these guys are attempting 182 00:09:39,626 --> 00:09:41,334 to evolve, maybe they decided we're going 183 00:09:41,334 --> 00:09:43,999 to steal everyone's contacts, maybe we're going to spam it, 184 00:09:43,999 --> 00:09:46,959 maybe they tried that technique and it didn't actually work out, so 185 00:09:46,959 --> 00:09:48,999 they ended up removing it. 186 00:09:48,999 --> 00:09:51,125 Maybe they saw like a correlation of people are downloading less things 187 00:09:51,125 --> 00:09:53,834 because they added more permissions. 188 00:09:54,083 --> 00:09:55,876 And then in the last sample that we saw, 189 00:09:55,876 --> 00:09:59,584 and this one is actually pretty recent, they've actually moved the SMS 190 00:09:59,584 --> 00:10:01,542 and URL endpoints. 191 00:10:01,542 --> 00:10:02,999 They're still encrypted, but they're not actually kept 192 00:10:02,999 --> 00:10:04,959 inside the package. 193 00:10:04,959 --> 00:10:06,459 So what they're doing is they're actually contacting 194 00:10:06,459 --> 00:10:09,876 the URL and dynamically retrieving that information. 195 00:10:09,876 --> 00:10:14,542 So now you no longer have actual static configurations in the application. 
196 00:10:15,999 --> 00:10:17,999 So another interesting point when we were going 197 00:10:17,999 --> 00:10:20,626 through that obfuscation and here's a little example, this 198 00:10:20,626 --> 00:10:22,876 is actually from AlphaSMS. 199 00:10:22,999 --> 00:10:27,334 These people were building custom obfuscation tools. 200 00:10:27,334 --> 00:10:30,999 And if you know what Java code looks like, this is smali, which 201 00:10:30,999 --> 00:10:35,042 is a reverse engineer's basically taking the code and putting it 202 00:10:35,042 --> 00:10:37,999 into human-readable format. 203 00:10:37,999 --> 00:10:39,626 This is basically a Java reflection call 204 00:10:39,626 --> 00:10:42,125 and they're decrypting the string, which just looks 205 00:10:42,125 --> 00:10:44,459 like garbage essentially. 206 00:10:44,959 --> 00:10:48,834 And then they're using that decrypted string to reflectively instantiate some 207 00:10:48,834 --> 00:10:50,792 function methods. 208 00:10:50,792 --> 00:10:55,999 So I believe this is actually the start of a send message function. 209 00:10:56,501 --> 00:10:57,999 It ends up being really interesting 210 00:10:57,999 --> 00:11:01,083 because when they're running these tools against all their samples, 211 00:11:01,083 --> 00:11:02,918 almost weekly they were changing their 212 00:11:02,918 --> 00:11:04,792 obfuscation methods. 213 00:11:04,792 --> 00:11:08,999 The patterns were essentially the same, but you couldn't actually look 214 00:11:08,999 --> 00:11:14,083 for the same encrypted sequences or the same exact pattern. 215 00:11:14,083 --> 00:11:15,999 It was very similar, but once you start de-obfuscating 216 00:11:15,999 --> 00:11:19,334 all these, the samples end up aligning again and you see that code 217 00:11:19,334 --> 00:11:21,792 similarity coming back out. 
218 00:11:21,999 --> 00:11:24,417 A lot of people have looked at this and said that, okay, it's polymorphism, 219 00:11:24,417 --> 00:11:27,125 they're just trying to change it all the time. 220 00:11:27,167 --> 00:11:29,459 It ends up not being as scary once you understand what's 221 00:11:29,459 --> 00:11:31,292 actually going on. 222 00:11:31,459 --> 00:11:34,417 But it is interesting to see that different organizations tend 223 00:11:34,417 --> 00:11:38,250 to start sharing this obfuscation technique and you actually see them 224 00:11:38,250 --> 00:11:41,250 distributing malware that's using the same techniques, 225 00:11:41,250 --> 00:11:45,250 but then different seeds into that actual obfuscation. 226 00:11:45,709 --> 00:11:48,167 One of the really interesting trends, we sat down with our data team 227 00:11:48,167 --> 00:11:50,584 and were looking at detection data. 228 00:11:50,584 --> 00:11:55,417 And this is just a quick cross section of one specific family. 229 00:11:55,417 --> 00:12:01,584 This one I believe was ConnectSMS and this is a little old for the data. 230 00:12:01,584 --> 00:12:05,751 But it does illustrate the point that each different color 231 00:12:05,751 --> 00:12:10,959 is a specific variant that was getting pushed out. 232 00:12:11,167 --> 00:12:13,334 So essentially what we saw is that there were different package 233 00:12:13,334 --> 00:12:16,083 names getting pushed out every single week. 234 00:12:16,083 --> 00:12:19,375 And once you read through the noise, what was actually happening 235 00:12:19,375 --> 00:12:22,834 is these guys were essentially operating as like a start-up 236 00:12:22,834 --> 00:12:26,250 with like an agile type of methodology. 237 00:12:26,250 --> 00:12:31,999 So as you can see, this ends up mapping out to be seven days. 
238 00:12:31,999 --> 00:12:34,667 So for seven days they're going to be pushing the same exact piece 239 00:12:34,667 --> 00:12:38,334 of malware to thousands of devices, and they keep just trying to jam it 240 00:12:38,334 --> 00:12:41,751 down the throat using spam techniques or getting infected hosts 241 00:12:41,751 --> 00:12:44,876 to serve this up like infected websites. 242 00:12:44,876 --> 00:12:48,999 And what happens is almost right on midnight in Russian standard time, 243 00:12:48,999 --> 00:12:53,626 which that's not actual standard time, but Russian time. 244 00:12:53,626 --> 00:12:55,083 (Laughter.) So basically at midnight they switch over and 245 00:12:55,083 --> 00:12:57,209 they just stop pushing that old piece of malware and 246 00:12:57,209 --> 00:12:59,417 they start pushing a new one. 247 00:12:59,417 --> 00:13:02,501 So they're incrementally pushing updates. 248 00:13:02,501 --> 00:13:04,584 So this is basically, you know, Russian malware start-up 101, 249 00:13:04,584 --> 00:13:07,501 which ends up being really interesting. 250 00:13:08,083 --> 00:13:10,542 So while we're going through this, we actually came 251 00:13:10,542 --> 00:13:12,626 across NotCompatible. 252 00:13:12,626 --> 00:13:14,792 This isn't actually SMS fraud. 253 00:13:14,792 --> 00:13:17,999 But it is another interesting way to see how this mobile malware 254 00:13:17,999 --> 00:13:20,999 in Russia specifically is being compartmentalized 255 00:13:20,999 --> 00:13:23,459 and actually monetized. 256 00:13:23,459 --> 00:13:27,083 This is an interesting one essentially because if you look at the diagram 257 00:13:27,083 --> 00:13:29,999 at the bottom, they're infecting devices and essentially 258 00:13:29,999 --> 00:13:33,584 using, you know, people inside the U.S., people in different countries 259 00:13:33,584 --> 00:13:36,167 as proxies to hide their traffic. 
260 00:13:36,417 --> 00:13:37,918 And then you might think, well, who cares, like what are 261 00:13:37,918 --> 00:13:39,876 they actually using this for. 262 00:13:40,083 --> 00:13:42,876 It looked like what they were doing was they seemed 263 00:13:42,876 --> 00:13:45,709 to be buying up swaths of compromised accounts 264 00:13:45,709 --> 00:13:49,167 or compromised websites, luring victims in through there, 265 00:13:49,167 --> 00:13:52,667 actually getting the devices infected. 266 00:13:52,667 --> 00:13:55,125 And now once you have someone in the U.S., maybe they're starting 267 00:13:55,125 --> 00:14:00,167 to sell these services and actually let other people use that proxy connection. 268 00:14:00,167 --> 00:14:01,918 So what this looks like it's going to be doing, 269 00:14:01,918 --> 00:14:05,417 and we've actually observed traffic of them purchasing tickets online, 270 00:14:05,417 --> 00:14:08,125 so this most likely is to evade actual fraud detection 271 00:14:08,125 --> 00:14:10,626 systems so that, you know, when you see someone 272 00:14:10,626 --> 00:14:13,167 from Romania buying Justin Bieber tickets for L.A., 273 00:14:13,167 --> 00:14:16,250 that probably triggers a flag and you're like, well, I mean, 274 00:14:16,250 --> 00:14:20,125 everyone loves Justin Bieber, but Romania, I don't know. 275 00:14:20,626 --> 00:14:22,083 It's a pretty long flight. 276 00:14:22,083 --> 00:14:24,083 So they're actually going to go through and they're going 277 00:14:24,083 --> 00:14:26,999 to take a device that's infected in L.A. 278 00:14:26,999 --> 00:14:30,417 and then they're going to just proxy their traffic through there. 279 00:14:30,417 --> 00:14:31,542 They buy that ticket, most likely with a stolen credit card, 280 00:14:31,542 --> 00:14:34,999 they then have a mule pick it up, maybe they sell that. 
281 00:14:34,999 --> 00:14:36,999 They do something with that ticket, but basically they're allowed 282 00:14:36,999 --> 00:14:38,667 to get around that fraud detection system 283 00:14:38,667 --> 00:14:40,999 because they look like they're actually an endpoint that 284 00:14:40,999 --> 00:14:44,209 is a viable endpoint for purchasing that type of ware. 285 00:14:44,542 --> 00:14:46,999 And I'm going to hand it back over to Ryan, which, 286 00:14:46,999 --> 00:14:49,999 please buy him some drinks, too. 287 00:14:49,999 --> 00:14:52,876 (Laughter.) RYAN SMITH: Thanks, Tim. 288 00:14:52,876 --> 00:14:54,542 So I'll step back for a second. 289 00:14:54,542 --> 00:14:58,083 So just to summarize, when we had this large amount (( )) so 290 00:14:58,083 --> 00:15:03,626 these Russian SMS fraud organizations we noticed were accounting for 30% 291 00:15:03,626 --> 00:15:07,292 of our overall detections worldwide. 292 00:15:07,334 --> 00:15:09,083 So that's a huge number. 293 00:15:09,250 --> 00:15:12,792 And it's a huge number of samples of malware to look at. 294 00:15:12,792 --> 00:15:14,167 So when we look at classifying them and doing 295 00:15:14,167 --> 00:15:18,292 the deep analysis, like Tim said, it's important to not just call them all, 296 00:15:18,292 --> 00:15:21,918 oh, this ends in SMS so I'll call it SMS send. 297 00:15:21,999 --> 00:15:23,209 But really categorize it by individuals 298 00:15:23,209 --> 00:15:25,792 because they evolve differently. 299 00:15:25,999 --> 00:15:27,999 Different actors act differently. 300 00:15:27,999 --> 00:15:30,542 And once we started dividing them differently, we noticed certain particular 301 00:15:30,542 --> 00:15:33,501 actors evolving differently than the others. 302 00:15:33,542 --> 00:15:36,918 And they appeared to be distributing at higher and higher rates. 
303 00:15:37,125 --> 00:15:39,999 And so this led us to find these SMS fraud basically 304 00:15:39,999 --> 00:15:43,459 cottage industries where there's an entire industry built 305 00:15:43,459 --> 00:15:47,209 around SMS fraud and the entire distribution channel has been 306 00:15:47,209 --> 00:15:51,501 commoditized where everybody's getting paid to do their little piece 307 00:15:51,501 --> 00:15:54,959 of the pie and they specialize in that specific thing, 308 00:15:54,959 --> 00:15:59,375 maybe distributing or creating fake websites with realistic looking skins 309 00:15:59,375 --> 00:16:01,834 or themes, or some people specializing 310 00:16:01,834 --> 00:16:05,209 in social media distribution through Twitter or Facebook 311 00:16:05,209 --> 00:16:08,250 or things like that, but each person specializing 312 00:16:08,250 --> 00:16:10,959 in one thing or another, and that has led 313 00:16:10,959 --> 00:16:14,876 to these top ten organizations that we've identified accounting 314 00:16:14,876 --> 00:16:18,125 for over 30% of the overall detections. 315 00:16:18,542 --> 00:16:21,876 And that's quite significant. 316 00:16:21,876 --> 00:16:24,417 So this is DEF CON after all, so this is an investigation 317 00:16:24,417 --> 00:16:27,125 of Russian SMS fraud, but it could also be called 318 00:16:27,125 --> 00:16:30,999 if you happen to find yourself in the Moscow international transit 319 00:16:30,999 --> 00:16:33,125 area, saving up for a permanent vacation 320 00:16:33,125 --> 00:16:36,999 in a South American country, which we all know there's other outs, 321 00:16:36,999 --> 00:16:40,250 here's how you might find some extra cash. 322 00:16:41,584 --> 00:16:43,584 (Laughter.) But please don't. 323 00:16:43,667 --> 00:16:45,125 I'm not advocating that. 324 00:16:45,792 --> 00:16:48,083 So you might go to a chat room like this. 
325 00:16:48,083 --> 00:16:50,584 There's plenty of chat rooms, or forums, rather, 326 00:16:50,584 --> 00:16:54,626 in Russia that are specialized in what they call Black SEO 327 00:16:54,626 --> 00:16:58,999 or web monetization, some more gray than others. 328 00:16:59,083 --> 00:17:01,167 There's lots of ways to monetize in Russia, 329 00:17:01,167 --> 00:17:03,999 as I'm sure you guys are well aware. 330 00:17:03,999 --> 00:17:06,250 And so this one you might be searching for Android WAP, 331 00:17:06,250 --> 00:17:10,292 the wireless application protocol, and that's basically what Russians call 332 00:17:10,292 --> 00:17:13,584 the data channel over a cellular network. 333 00:17:13,584 --> 00:17:16,918 So anything that has to deal with mobile data they call WAP. 334 00:17:16,918 --> 00:17:20,751 So these systems are typically called WAP click or WAP this WAP that. 335 00:17:20,834 --> 00:17:25,292 So you find one and it says that it has unique landing pages and it's 336 00:17:25,292 --> 00:17:27,792 the best of the best. 337 00:17:27,918 --> 00:17:30,250 You click on it and it tells you a few things. 338 00:17:30,250 --> 00:17:32,709 It tells you they pay out every Thursday. 339 00:17:32,834 --> 00:17:35,125 It says they will help you. 340 00:17:35,125 --> 00:17:37,667 They have the best successful landing pages. 341 00:17:37,999 --> 00:17:39,999 They'll help you distribute. 342 00:17:40,083 --> 00:17:42,959 And essentially what this is, this is an advertisement 343 00:17:42,959 --> 00:17:47,584 for an affiliate system where you can sign up and if you have mobile traffic, 344 00:17:47,584 --> 00:17:50,999 you can sign up and they will help you distribute these 345 00:17:50,999 --> 00:17:54,834 Android malware that they'll custom package for you and deliver 346 00:17:54,834 --> 00:17:57,999 to your victims transparent to you. 347 00:17:57,999 --> 00:18:00,999 So you just set up websites, you drive traffic, you get money. 
348 00:18:00,999 --> 00:18:02,792 And to see how easy that is. 349 00:18:02,792 --> 00:18:05,459 I don't know if this video will play, but yeah. 350 00:18:05,459 --> 00:18:07,751 So they make it seem like child's play. 351 00:18:07,751 --> 00:18:09,459 Like you, sitting out on the beach riding on top 352 00:18:09,459 --> 00:18:12,999 of mobile phones, coins dropping out of the sky. 353 00:18:13,834 --> 00:18:17,626 (Laughter.) You have to do a little work, but we'll take care of the rest. 354 00:18:17,626 --> 00:18:20,375 And that's essentially what these organizations are. 355 00:18:20,375 --> 00:18:22,292 They take care of the technical parts. 356 00:18:22,292 --> 00:18:22,751 They take care of the campaign running and things 357 00:18:22,751 --> 00:18:25,250 like that, and you just have to deal with building out websites 358 00:18:25,250 --> 00:18:27,083 and making money. 359 00:18:28,375 --> 00:18:30,999 So we have a life cycle. 360 00:18:30,999 --> 00:18:32,959 I'll go around it piece by piece. 361 00:18:32,959 --> 00:18:35,375 So individually I'll talk about the HQ organizations, 362 00:18:35,375 --> 00:18:37,999 is what we're calling them. 363 00:18:37,999 --> 00:18:41,292 But they're basically these affiliate marketing headquarters. 364 00:18:41,292 --> 00:18:43,584 These are the guys that say we'll take care of building Android malware 365 00:18:43,584 --> 00:18:45,626 for you, we'll take care of helping you run 366 00:18:45,626 --> 00:18:48,250 a successful campaign, we'll tell you which campaigns are 367 00:18:48,250 --> 00:18:49,999 more successful. 368 00:18:50,209 --> 00:18:53,584 So some of the themes that they'll look like, and I'll show you this later, 369 00:18:53,584 --> 00:18:58,125 they look like Opera, they look like Skype, they look like ICQ or Flash. 370 00:18:58,125 --> 00:19:00,083 So they'll tell you which ones work and in which countries and 371 00:19:00,083 --> 00:19:01,959 in which markets. 
372 00:19:02,292 --> 00:19:04,501 And they'll take care of all that for you. 373 00:19:04,501 --> 00:19:06,959 They also take care of one of the things that that post said 374 00:19:06,959 --> 00:19:09,999 in the forum, is that they also have good relationships 375 00:19:09,999 --> 00:19:12,584 with the billing companies, with these SMS fraud 376 00:19:12,584 --> 00:19:14,626 billing companies. 377 00:19:14,626 --> 00:19:17,250 So for those of you that don't know, I'm not sure if there's people 378 00:19:17,250 --> 00:19:19,375 in the room that don't know, but SMS fraud 379 00:19:19,375 --> 00:19:22,584 is essentially you download an Android application and as soon 380 00:19:22,584 --> 00:19:25,792 as it fires up, as soon as you launch the application, it sends 381 00:19:25,792 --> 00:19:27,999 off three text messages. 382 00:19:27,999 --> 00:19:29,459 It can send off any number of text messages, 383 00:19:29,459 --> 00:19:31,999 but in most cases it's three individual text messages, 384 00:19:31,999 --> 00:19:35,417 usually distributed among different numbers so that if one doesn't succeed, 385 00:19:35,417 --> 00:19:37,125 the others might. 386 00:19:37,250 --> 00:19:39,918 And then they get a response back and say I've sent the messages, 387 00:19:39,918 --> 00:19:42,792 and typically it will either close down or maybe they give you 388 00:19:42,792 --> 00:19:45,959 a coupon or a link or something, but not what you were anticipating 389 00:19:45,959 --> 00:19:47,584 on downloading. 390 00:19:48,083 --> 00:19:51,083 So these organizations, they have the business relationships 391 00:19:51,083 --> 00:19:53,334 with the SMS registrars. 392 00:19:53,334 --> 00:19:55,334 And that's what they provide. 
393 00:19:55,334 --> 00:19:57,542 So they handle the business on the back end and technical side 394 00:19:57,542 --> 00:20:00,999 of building out the Android applications and I'll walk through what some 395 00:20:00,999 --> 00:20:03,709 of that looks like in just a second. 396 00:20:03,709 --> 00:20:05,999 So what these organizations look like if you went to their sites, some 397 00:20:05,999 --> 00:20:08,999 of them look like fairly legitimate businesses. 398 00:20:08,999 --> 00:20:10,542 Now, this one looks like it's maybe from the 1980s, so you'd be 399 00:20:10,542 --> 00:20:12,459 a little bit skeptical. 400 00:20:12,584 --> 00:20:14,918 But some of them are a little bit flashier, they're more HTML5, 401 00:20:14,918 --> 00:20:17,667 something you'd be more comfortable with. 402 00:20:17,999 --> 00:20:20,667 Some have a nice milkman look to them. 403 00:20:21,667 --> 00:20:23,334 But some of them don't. 404 00:20:23,334 --> 00:20:24,459 Not all of them do. 405 00:20:24,918 --> 00:20:27,792 (Laughter.) So some guys don't try to hide what they're doing, 406 00:20:27,792 --> 00:20:30,709 but because of that, so these other organizations that 407 00:20:30,709 --> 00:20:33,167 I showed you that appear to look squeaky clean, 408 00:20:33,167 --> 00:20:35,792 they had open registration. 409 00:20:35,792 --> 00:20:38,292 So anybody can sign up with a WebMoney account and 410 00:20:38,292 --> 00:20:41,667 an ICQ number and e-mail address. 411 00:20:41,667 --> 00:20:44,000 Now, these guys are a little bit more skeptical. 412 00:20:44,000 --> 00:20:45,626 They want to talk to you on ICQ. 413 00:20:45,626 --> 00:20:46,626 They want to know how much traffic you have, 414 00:20:46,626 --> 00:20:49,999 because they do (( )) so what Dif was talking about earlier, not 415 00:20:49,999 --> 00:20:52,584 all SMS malware is made equal.
416 00:20:52,584 --> 00:20:54,999 These guys actually do a lot of PII theft and they'll run botnet 417 00:20:54,999 --> 00:20:58,459 commands through your (( )) through the infection. 418 00:20:58,459 --> 00:21:00,584 So they do a lot more than what the other guys do, 419 00:21:00,584 --> 00:21:03,584 and their look should show that. 420 00:21:04,459 --> 00:21:09,167 So what they also do is they try to promote affiliate distribution. 421 00:21:09,167 --> 00:21:11,834 So they promote whoever is the top affiliate, they try 422 00:21:11,834 --> 00:21:14,999 to encourage you to distribute more. 423 00:21:14,999 --> 00:21:17,334 And they have (( )) all of them have top 20. 424 00:21:17,542 --> 00:21:20,542 So they'll have like a listing of who their top affiliates are. 425 00:21:20,542 --> 00:21:22,501 These have badges of honor of your top affiliates and 426 00:21:22,501 --> 00:21:25,375 they show you rankings like how many places you've moved 427 00:21:25,375 --> 00:21:26,999 up and down. 428 00:21:27,542 --> 00:21:30,459 And here's another one that looks quite similar. 429 00:21:30,459 --> 00:21:33,709 Here you get the big chair, if you won it's a little classier. 430 00:21:33,751 --> 00:21:37,626 And this is one of the top, those two are the top distributors 431 00:21:37,626 --> 00:21:41,167 as far as the HQ organizations as a whole. 432 00:21:41,626 --> 00:21:44,751 And some of the other things that they do, we saw that 433 00:21:44,751 --> 00:21:49,417 they run quarterly competitions also on top of the regular rates. 434 00:21:49,417 --> 00:21:53,417 And, again, if you're a top affiliate, most times you get additional payout. 435 00:21:53,417 --> 00:21:55,125 So the percentage will increase as you bump up to the top, 436 00:21:55,125 --> 00:21:59,334 once you become a top affiliate, because they don't want to lose you. 437 00:22:00,292 --> 00:22:04,959 And so some of the other things they do is run quarterly competitions.
438 00:22:04,959 --> 00:22:06,459 So they have a summer competition that we just saw 439 00:22:06,459 --> 00:22:10,501 an announcement for that they were advertising 300,000 U.S. 440 00:22:10,501 --> 00:22:13,876 dollars in cash and prizes. 441 00:22:13,999 --> 00:22:16,999 So it's significant amounts of money. 442 00:22:17,334 --> 00:22:20,626 And individual affiliates we've seen have made 443 00:22:20,626 --> 00:22:25,999 up to $12,000 per month sustained over multiple months. 444 00:22:26,542 --> 00:22:29,999 So this is a fairly significant industry for both the affiliates 445 00:22:29,999 --> 00:22:32,626 and these HQ organizations. 446 00:22:32,709 --> 00:22:36,999 And so I mentioned before, affiliates can leave if they want to. 447 00:22:36,999 --> 00:22:41,375 They're not tied to one of these distributor HQ organizations. 448 00:22:41,375 --> 00:22:43,667 So they also provide news feeds. 449 00:22:43,667 --> 00:22:45,501 They also provide customer service. 450 00:22:45,501 --> 00:22:50,083 And some of the top affiliates actually go out and force rank these websites 451 00:22:50,083 --> 00:22:56,209 in like customer service, payout, timeliness, and things like that. 452 00:22:56,250 --> 00:22:58,959 So they operate like Dif said, as a startup, and they're pushing 453 00:22:58,959 --> 00:23:01,918 out new code and new features every two weeks because they want 454 00:23:01,918 --> 00:23:04,959 to keep their affiliates happy and engaged. 455 00:23:05,083 --> 00:23:06,834 So as an affiliate, you would come 456 00:23:06,834 --> 00:23:09,626 along and you could use these tools that they've built and 457 00:23:09,626 --> 00:23:12,751 with almost no technical knowledge, no knowledge of how to build 458 00:23:12,751 --> 00:23:15,125 an Android application, you could go through a step 459 00:23:15,125 --> 00:23:18,542 by step process of building one of them for you. 460 00:23:18,999 --> 00:23:22,083 And I'll go through that step by step process with you right now.
461 00:23:22,083 --> 00:23:23,542 You name your campaign. 462 00:23:23,542 --> 00:23:25,834 So you can set up campaign A and campaign B and you can test one 463 00:23:25,834 --> 00:23:28,918 on one set of websites and another on another set of websites 464 00:23:28,918 --> 00:23:31,999 and see which one does better because these guys take it seriously 465 00:23:31,999 --> 00:23:34,083 like a business and they want to see which 466 00:23:34,083 --> 00:23:37,083 of their investments are doing the best. 467 00:23:37,292 --> 00:23:40,083 So, second, you choose your targets. 468 00:23:40,083 --> 00:23:43,709 So this site provides Android, iOS and Symbian support. 469 00:23:43,709 --> 00:23:47,918 So Symbian and iOS are very basic, whereas Android is very clearly 470 00:23:47,918 --> 00:23:49,999 the key target. 471 00:23:50,667 --> 00:23:52,999 So then you pick a theme. 472 00:23:52,999 --> 00:23:55,292 So here these guys have maybe 50 different themes that you can 473 00:23:55,292 --> 00:23:56,999 choose from. 474 00:23:56,999 --> 00:24:00,292 You have your typical porn and porn videos and then you have 475 00:24:00,292 --> 00:24:03,999 MP3s, free MP3s, those always do well. 476 00:24:03,999 --> 00:24:06,501 But lately there's been a rise in things like Adobe Flash, 477 00:24:06,501 --> 00:24:10,375 the pop-ups that say update your Flash or download the newest version 478 00:24:10,375 --> 00:24:12,999 of Skype or download Opera. 479 00:24:13,292 --> 00:24:15,999 So you can choose the theme, and here, this site even gives you 480 00:24:15,999 --> 00:24:20,626 a pop-up that will tell you what the effectiveness of that theme is.
481 00:24:20,626 --> 00:24:22,125 So they'll tell you what the payout has been, what 482 00:24:22,125 --> 00:24:24,209 the success of the conversion ratio has been, 483 00:24:24,209 --> 00:24:27,542 in what countries is it most successful, how is it best distributed, and 484 00:24:27,542 --> 00:24:29,709 they give you all sorts of tips so you can pick 485 00:24:29,709 --> 00:24:32,209 out the best theme for your market. 486 00:24:32,626 --> 00:24:34,584 Once you have that, they essentially give you copy 487 00:24:34,584 --> 00:24:36,083 and paste code. 488 00:24:36,083 --> 00:24:38,542 You take some JavaScript, put it into your landing page, build 489 00:24:38,542 --> 00:24:40,542 out some websites, and the JavaScript 490 00:24:40,542 --> 00:24:44,876 will automatically redirect your users to their download page. 491 00:24:44,999 --> 00:24:47,250 Because these are custom built Android applications, 492 00:24:47,250 --> 00:24:51,999 they don't just build them and give the code out, give the APKs out. 493 00:24:52,083 --> 00:24:54,501 They build everything dynamically. 494 00:24:54,501 --> 00:24:55,999 So they redirect all the traffic back to them, 495 00:24:55,999 --> 00:24:59,083 to these headquarters organizations, and when the users or 496 00:24:59,083 --> 00:25:01,292 the victims come along, they download and 497 00:25:01,292 --> 00:25:05,167 they custom compile things, and like Dif said, that's what leads to a lot 498 00:25:05,167 --> 00:25:07,667 of these individual hashes.
499 00:25:07,667 --> 00:25:08,501 So you see different hashes, but that's 500 00:25:08,501 --> 00:25:11,667 because every victim that comes along is getting a unique version, 501 00:25:11,667 --> 00:25:13,999 even though the entire (( )) the code is the same, 502 00:25:13,999 --> 00:25:16,999 the timestamps are going to be different and maybe the theme 503 00:25:16,999 --> 00:25:18,999 is going to be different because everything 504 00:25:18,999 --> 00:25:22,167 is extremely customizable in these applications. 505 00:25:22,167 --> 00:25:26,792 These guys don't waste any time hard-coding the information in there. 506 00:25:26,792 --> 00:25:29,167 So all the SMS registration information, all the themes, everything 507 00:25:29,167 --> 00:25:32,083 is custom configurable and templated. 508 00:25:35,999 --> 00:25:38,709 So once you have these sites, once you have 509 00:25:38,709 --> 00:25:43,292 the Android campaign built out, you need to distribute it. 510 00:25:43,292 --> 00:25:44,999 And so you need to build convincing sites, you need 511 00:25:44,999 --> 00:25:49,626 to register convincing domain names, and you need to lure in some traffic. 512 00:25:49,626 --> 00:25:52,083 And this is where the affiliates really go to work. 513 00:25:52,125 --> 00:25:53,292 These are sort of the foot soldiers 514 00:25:53,292 --> 00:25:55,417 of these HQ organizations. 515 00:25:55,417 --> 00:25:56,083 So they put them out, put them to work going 516 00:25:56,083 --> 00:25:58,918 out and registering these little accounts. 517 00:25:58,918 --> 00:26:00,626 That way, if they use any bad tactics that happen 518 00:26:00,626 --> 00:26:03,501 to work like spamming, they can say, well, we told them not 519 00:26:03,501 --> 00:26:05,999 to spam and you can just shut down those domains, 520 00:26:05,999 --> 00:26:09,792 but the big domain and all the other affiliates are safe.
521 00:26:10,999 --> 00:26:13,292 So the individual affiliates will build out pages, some 522 00:26:13,292 --> 00:26:15,999 of the pages we've seen look like this. 523 00:26:15,999 --> 00:26:19,292 So this one is SEO-optimized to look like a search query for Opera. 524 00:26:19,292 --> 00:26:22,334 So you might search in Google and then be redirected to a page 525 00:26:22,334 --> 00:26:24,999 like this to download Opera. 526 00:26:24,999 --> 00:26:27,375 Then when you click anywhere on here, you would be redirected 527 00:26:27,375 --> 00:26:30,751 to what looks like an Opera download page. 528 00:26:30,792 --> 00:26:32,918 And once you download that, that would install on your phone 529 00:26:32,918 --> 00:26:34,834 and you'd be charged money. 530 00:26:34,834 --> 00:26:38,125 One of the other popular scams is Google Play. 531 00:26:38,876 --> 00:26:41,999 Obviously this doesn't look exactly like Google Play. 532 00:26:41,999 --> 00:26:43,250 It's called Android Play. 533 00:26:43,250 --> 00:26:48,292 But it's fairly convincing and generates a lot of revenue for these guys, also. 534 00:26:48,375 --> 00:26:51,375 And then if you want to download the Google Play market, 535 00:26:51,375 --> 00:26:55,501 you can do that and, again, this looks convincing. 536 00:26:55,501 --> 00:26:58,501 The domain is even convincing and that's how these guys generate 537 00:26:58,501 --> 00:27:03,083 the traffic to then push people to download these applications. 538 00:27:03,083 --> 00:27:05,876 And then they're getting anywhere between $3 and $18 per download 539 00:27:05,876 --> 00:27:07,501 and install. 540 00:27:08,999 --> 00:27:11,999 So once you've built out your websites as an affiliate, 541 00:27:11,999 --> 00:27:14,999 you need to drive traffic to those sites. 542 00:27:14,999 --> 00:27:18,417 So some of the ways that we've seen is through social media.
543 00:27:18,417 --> 00:27:20,334 Twitter happens to be a common theme that's used 544 00:27:20,334 --> 00:27:22,083 by these guys. 545 00:27:22,334 --> 00:27:23,834 Another common theme that we've seen 546 00:27:23,834 --> 00:27:26,876 is in the Russian network specifically. 547 00:27:26,876 --> 00:27:29,417 They've started building rogue ad networks. 548 00:27:29,417 --> 00:27:31,459 So Dif mentioned BadNews. 549 00:27:31,459 --> 00:27:34,999 This was an ad network that was built expressed (( )) 550 00:27:34,999 --> 00:27:38,876 with the express intent of pushing malicious links 551 00:27:38,876 --> 00:27:42,209 to these SMS fraud applications. 552 00:27:42,250 --> 00:27:43,751 And so when a user would buy some sort 553 00:27:43,751 --> 00:27:45,834 of game application, they would see a pop-up 554 00:27:45,834 --> 00:27:49,375 ad and it would say, you know, urgent, you need to update your Skype, 555 00:27:49,375 --> 00:27:51,918 it's out of date, and when they would click on it 556 00:27:51,918 --> 00:27:55,083 they would download one of these, they would be redirected to one 557 00:27:55,083 --> 00:27:58,334 of these pages and download an application that would charge them 558 00:27:58,334 --> 00:28:02,083 anywhere between $3 and $18 and then not give them Skype. 559 00:28:02,999 --> 00:28:04,292 So what are some of these Twitter (( )) what do some 560 00:28:04,292 --> 00:28:06,167 of these Twitter accounts look like? 561 00:28:06,167 --> 00:28:10,918 We found over 50,000 Twitter accounts that were distributing spam-type 562 00:28:10,918 --> 00:28:16,250 messages linking back to these Russian advertising networks. 563 00:28:16,250 --> 00:28:18,459 Some of them were more obvious than others. 564 00:28:18,501 --> 00:28:21,876 This guy was (( )) I think he was tweeting out links to only 565 00:28:21,876 --> 00:28:25,918 the same domain and then just changing the page. 566 00:28:25,918 --> 00:28:27,375 So that was a bit obvious.
567 00:28:27,375 --> 00:28:29,999 Also, he was sending out tweets, three in one minute, so 568 00:28:29,999 --> 00:28:32,999 he was very bursty and he was very greedy and you can see 569 00:28:32,999 --> 00:28:36,083 he sent out 3600 tweets in a very short amount of time, 570 00:28:36,083 --> 00:28:38,834 and it maybe like six months, but you can notice 571 00:28:38,834 --> 00:28:42,918 he doesn't have very many followers, he's not following that many people, 572 00:28:42,918 --> 00:28:46,751 so that's a lot of tweets for a guy with no friends. 573 00:28:48,083 --> 00:28:52,083 (Laughter.) So some, like I said, are not as obvious. 574 00:28:52,083 --> 00:28:53,876 The only thing obvious here is that this guy has 575 00:28:53,876 --> 00:28:56,209 the default profile picture. 576 00:28:56,209 --> 00:28:59,417 So a lot of the Twitter accounts, because they're being bought 577 00:28:59,417 --> 00:29:02,083 up in blocks of like 10,000 Twitter accounts, 578 00:29:02,083 --> 00:29:05,999 they won't bother to customize the (( )) sorry (( )) to customize 579 00:29:05,999 --> 00:29:10,501 the profile picture, so they'll leave the default profile picture up there, 580 00:29:10,501 --> 00:29:13,292 and that's usually a fairly good indicator that 581 00:29:13,292 --> 00:29:18,250 they may be up to no good, but not necessarily the only indicator. 582 00:29:18,834 --> 00:29:20,999 So this guy you can see is more distributed. 583 00:29:20,999 --> 00:29:24,334 He's even retweeting, he's talking about lawyersonline.rue, 584 00:29:24,334 --> 00:29:26,709 legitimate traffic. 585 00:29:26,709 --> 00:29:29,751 So he's interspersing normal conversations with his malware, 586 00:29:29,751 --> 00:29:33,876 so he's trying to evade a little bit more cleverly, but (( )) 587 00:29:33,876 --> 00:29:38,584 and he's only sending 130 tweets with only one follower.
588 00:29:38,751 --> 00:29:40,751 So he was caught because he was related 589 00:29:40,751 --> 00:29:44,083 to somebody else who was not so quiet. 590 00:29:45,459 --> 00:29:50,209 So, next, again, once you've built out this traffic, 591 00:29:50,209 --> 00:29:53,918 you've sent people through Twitter back 592 00:29:53,918 --> 00:29:56,999 to these landing pages. 593 00:29:57,626 --> 00:30:00,501 From the victim's perspective, you know, they would go click one 594 00:30:00,501 --> 00:30:02,626 of the advertisements, they would click on one 595 00:30:02,626 --> 00:30:05,083 of the Twitter links, then they would go to the web page, 596 00:30:05,083 --> 00:30:06,918 the landing page, they would download 597 00:30:06,918 --> 00:30:09,918 the application and it would look like this. 598 00:30:09,999 --> 00:30:12,334 So you see Google Play in the bottom left. 599 00:30:12,375 --> 00:30:14,667 That doesn't really stand out as suspicious, 600 00:30:14,667 --> 00:30:17,542 and that's basically the only thing that's real 601 00:30:17,542 --> 00:30:19,959 about the application. 602 00:30:19,999 --> 00:30:22,876 So you open it up and at the top (( )) so I'll do some quasi-translation 603 00:30:22,876 --> 00:30:24,999 for you. 604 00:30:24,999 --> 00:30:27,459 At the top it's saying that this is an important update and then it says 605 00:30:27,459 --> 00:30:30,459 that it's the new version of Android Market. 606 00:30:30,667 --> 00:30:33,999 And then down at the second, it says that it's installing. 607 00:30:34,083 --> 00:30:37,999 And then here it says that it's installed and please click run. 608 00:30:37,999 --> 00:30:40,000 And then the bottom button says "run." 609 00:30:40,459 --> 00:30:43,792 If you notice, there is some fine print on the bottom.
610 00:30:43,792 --> 00:30:45,709 I don't know how many people actually read it, but in this case it's kind 611 00:30:45,709 --> 00:30:47,501 of important because it tells you how much they're 612 00:30:47,501 --> 00:30:49,167 going to charge you. 613 00:30:49,250 --> 00:30:51,584 (Laughter.) But, again, when you downloaded it, 614 00:30:51,584 --> 00:30:56,334 there was nothing telling you that they were going to charge you. 615 00:30:56,334 --> 00:30:58,459 So if you notice from these landing pages, in order 616 00:30:58,459 --> 00:31:01,626 to comply with what these affiliate HQ organizations say, 617 00:31:01,626 --> 00:31:05,083 they say their policy is you can't tell somebody that it's free, 618 00:31:05,083 --> 00:31:08,083 but you also don't have to tell them that they're going 619 00:31:08,083 --> 00:31:10,250 to be charged for it. 620 00:31:10,250 --> 00:31:12,709 Just putting this terms of service somewhere 621 00:31:12,709 --> 00:31:15,999 in the application is good enough. 622 00:31:16,083 --> 00:31:18,792 And so in this case, there was a link at the bottom, 623 00:31:18,792 --> 00:31:22,209 maybe that's caveat emptor, you should have known. 624 00:31:22,209 --> 00:31:24,876 But in other cases it's not as obvious. 625 00:31:24,876 --> 00:31:28,334 So in this, I don't know if you can tell, but there's no links and all it says 626 00:31:28,334 --> 00:31:32,584 is if you're ready, click here to go to the next screen. 627 00:31:32,959 --> 00:31:36,083 And if you look in the code, you would see that there's a lot 628 00:31:36,083 --> 00:31:39,083 of breaks, there's a lot of new lines. 629 00:31:39,375 --> 00:31:42,542 And they've essentially pushed the terms of service so far down, 630 00:31:42,542 --> 00:31:45,999 it's down there at the bottom, that you would have to scroll 631 00:31:45,999 --> 00:31:48,501 down for about two minutes before you ever get 632 00:31:48,501 --> 00:31:50,959 to the terms of service. 633 00:31:50,959 --> 00:31:52,999 (Laughter.) 
But technically it's there. 634 00:31:55,083 --> 00:31:57,792 So again, instantly, once you've downloaded these 635 00:31:57,792 --> 00:32:01,751 applications, the only reason that install bar is up there, which by the way 636 00:32:01,751 --> 00:32:06,083 is just a JavaScript loop, it's not actually tied to any progress. 637 00:32:06,334 --> 00:32:09,250 The only progress it may be tied to is ensuring they have enough time 638 00:32:09,250 --> 00:32:10,999 to send out the three text messages 639 00:32:10,999 --> 00:32:13,542 before the application closes. 640 00:32:13,918 --> 00:32:16,375 So the money goes directly out to the carriers. 641 00:32:16,626 --> 00:32:20,125 In some cases you have some time to negotiate with the carriers and say, 642 00:32:20,125 --> 00:32:23,918 hey, that's not (( )) that wasn't a charge that I was expecting, 643 00:32:23,918 --> 00:32:26,167 and depending on the carrier and depending 644 00:32:26,167 --> 00:32:29,876 on which country you're in, these windows of time that you have 645 00:32:29,876 --> 00:32:31,751 to dispute vary. 646 00:32:31,751 --> 00:32:32,876 So in the U.S. 647 00:32:32,876 --> 00:32:36,626 it's 60 days, up to 60 days, but in other countries it's very slim 648 00:32:36,626 --> 00:32:40,999 and maybe potentially none, in some cases it may go directly 649 00:32:40,999 --> 00:32:43,459 into their accounts. 650 00:32:43,959 --> 00:32:45,792 And so once the money goes into the accounts 651 00:32:45,792 --> 00:32:48,083 of the SMS registration, the HQ organizations 652 00:32:48,083 --> 00:32:50,417 will take that money out and distribute it 653 00:32:50,417 --> 00:32:53,083 to the individual affiliates that were responsible 654 00:32:53,083 --> 00:32:55,918 for generating those downloads. 655 00:32:56,083 --> 00:32:57,999 And they have ways of tracking individual downloads 656 00:32:57,999 --> 00:33:00,876 if they're rewarding the right people.
657 00:33:01,417 --> 00:33:05,125 And so, again, here's evidence of how much one person can make 658 00:33:05,125 --> 00:33:06,959 in a month. 659 00:33:06,959 --> 00:33:10,459 And in this one case, this is just a one month, could be a one-off, 660 00:33:10,459 --> 00:33:15,834 but he made 600,000 rubles, which is roughly equivalent to 20,000 U.S. 661 00:33:15,834 --> 00:33:17,083 dollars in one month. 662 00:33:18,083 --> 00:33:20,876 So you could save up for a pretty good vacation. 663 00:33:21,501 --> 00:33:23,709 So some conclusions. 664 00:33:23,709 --> 00:33:27,167 So we found ten Russian SMS fraud sites that accounted for over 30% 665 00:33:27,167 --> 00:33:30,417 of the worldwide malware detections. 666 00:33:30,417 --> 00:33:32,999 As Dif pointed out and I think I've kind of pointed out, 667 00:33:32,999 --> 00:33:35,501 also, the number of these detections can be 668 00:33:35,501 --> 00:33:37,334 often inflated. 669 00:33:37,584 --> 00:33:40,167 So in some cases we see over 100,000 unique samples, 670 00:33:40,167 --> 00:33:42,999 but when we classify them the way that we do, 671 00:33:42,999 --> 00:33:45,918 we can condense them down into only 100 variants 672 00:33:45,918 --> 00:33:47,999 of the same malware. 673 00:33:47,999 --> 00:33:50,876 So reduce it, you know, significantly and track exactly what 674 00:33:50,876 --> 00:33:52,709 they're doing. 675 00:33:52,709 --> 00:33:53,999 And by classifying it this way, we've been able 676 00:33:53,999 --> 00:33:56,959 to follow these individual malware that's being distributed 677 00:33:56,959 --> 00:34:00,584 up through the distribution channels through the affiliates and some people 678 00:34:00,584 --> 00:34:02,709 may have stopped there. 679 00:34:02,709 --> 00:34:04,792 So sometimes you might say, hey, we know where these download links 680 00:34:04,792 --> 00:34:07,083 are coming from, we can just shut down those domains 681 00:34:07,083 --> 00:34:09,083 for these landing pages.
682 00:34:09,083 --> 00:34:11,375 But then you'd be spending your time in the Whac-A-Mole game 683 00:34:11,375 --> 00:34:14,167 because you'd be knocking down one affiliate and another one 684 00:34:14,167 --> 00:34:15,918 would pop up. 685 00:34:15,918 --> 00:34:16,999 And then you'd knock down another affiliate and another one 686 00:34:16,999 --> 00:34:18,417 would pop up. 687 00:34:18,417 --> 00:34:21,999 But by seeing all the way back to the headquarters organizations, 688 00:34:21,999 --> 00:34:24,542 you can see the entire picture and step 689 00:34:24,542 --> 00:34:27,584 out of the Whac-A-Mole game a bit and see where 690 00:34:27,584 --> 00:34:30,334 the key linchpin pieces are. 691 00:34:31,334 --> 00:34:33,999 And so SMS fraud is a very diverse threat, 692 00:34:33,999 --> 00:34:36,959 requires careful categorization. 693 00:34:36,959 --> 00:34:40,334 Just because it sends an SMS does not make it the same. 694 00:34:40,334 --> 00:34:42,918 As Dif pointed out, some applications will try 695 00:34:42,918 --> 00:34:48,292 to steal more data and try to do more harm than just SMS fraud. 696 00:34:49,083 --> 00:34:51,334 And we've seen commoditization. 697 00:34:51,334 --> 00:34:53,083 So here we're seeing commoditization, similar 698 00:34:53,083 --> 00:34:57,125 to how we've seen PC crimeware happening in Russia.
699 00:34:57,125 --> 00:34:59,459 And this is the first big instance of commoditization 700 00:34:59,459 --> 00:35:01,751 in actual industry around mobile malware, 701 00:35:01,751 --> 00:35:04,792 and so that's a significant development that this isn't 702 00:35:04,792 --> 00:35:08,626 just one guy developing software, but it's one guy developing software, 703 00:35:08,626 --> 00:35:12,626 selling it to a larger organization who has connections to SMS registrars 704 00:35:12,626 --> 00:35:15,999 and have maybe thousands of affiliates distributing the malware 705 00:35:15,999 --> 00:35:20,083 for them, and then those affiliates have people building websites for them 706 00:35:20,083 --> 00:35:23,584 and generating social media traffic for them. 707 00:35:23,584 --> 00:35:26,083 And so there's a fairly large and broad industry involved 708 00:35:26,083 --> 00:35:28,250 in the distribution of these very few 709 00:35:28,250 --> 00:35:30,626 organizations' malware. 710 00:35:33,334 --> 00:35:36,667 And so I'll let Dif come up and thank a few people, but I'd 711 00:35:36,667 --> 00:35:40,918 like to thank the entire R&R and security team at Lookout. 712 00:35:40,918 --> 00:35:42,918 There's a lot of people in the background that did a lot 713 00:35:42,918 --> 00:35:44,417 of work here. 714 00:35:44,417 --> 00:35:45,417 Dif and I are just the people lucky enough 715 00:35:45,417 --> 00:35:48,209 to be standing up in front of you, but certainly there's a lot 716 00:35:48,209 --> 00:35:51,999 of others doing a lot of hard work on our team at Lookout. 717 00:35:51,999 --> 00:35:54,083 I'd like to also thank the Honeynet Project. 718 00:35:54,083 --> 00:35:55,751 There's a lot of people in that organization that I've stood 719 00:35:55,751 --> 00:35:57,459 on the shoulders of and certainly learned 720 00:35:57,459 --> 00:36:00,501 a lot especially in this type of investigation. 721 00:36:00,709 --> 00:36:01,709 And then Dif.
722 00:36:01,959 --> 00:36:04,459 TIM STRAZZERE: A lot of the samples that we actually went 723 00:36:04,459 --> 00:36:07,834 through and we submit a lot of samples to Mila, which thank you 724 00:36:07,834 --> 00:36:10,999 to Mila for running the mini Contagio dump. 725 00:36:14,459 --> 00:36:18,292 She also has lots of crimeware kits up there, but there's lots 726 00:36:18,292 --> 00:36:20,999 of actual mobile malware. 727 00:36:21,083 --> 00:36:23,626 If there's any other specific samples that aren't up there, feel free 728 00:36:23,626 --> 00:36:26,626 to reach out to us, we're always in the mood for sharing and trying to, 729 00:36:26,626 --> 00:36:30,083 you know, make new friends and share techniques and whatnot. 730 00:36:30,334 --> 00:36:32,999 Also, just for Android reversing in general, you should follow a lot 731 00:36:32,999 --> 00:36:36,459 of these guys, these are all their Twitter handles. 732 00:36:36,501 --> 00:36:42,417 jduck did interesting stuff, and viaForensics, really smart guys. 733 00:36:42,542 --> 00:36:45,501 Anthony Desnos, the creator of Androguard. 734 00:36:45,501 --> 00:36:47,459 A really interesting guy. 735 00:36:48,501 --> 00:36:52,792 This is a guy based out of Portugal, you should follow him, 736 00:36:52,792 --> 00:36:56,334 he did interesting stuff based around the economics 737 00:36:56,334 --> 00:37:02,209 of (( )) he's always making fun of Hacking Team for Crisis and whatnot. 738 00:37:02,209 --> 00:37:05,167 So he's showing people how to make better rootkits and he's done 739 00:37:05,167 --> 00:37:07,999 some really interesting stuff. 740 00:37:07,999 --> 00:37:09,834 And, like I said, it's a really interesting perspective looking 741 00:37:09,834 --> 00:37:12,375 at the economics of malware and what the return on investment 742 00:37:12,375 --> 00:37:14,083 is for all that.
743 00:37:14,083 --> 00:37:17,292 Other than that, Justin Case and Gunther and cryptogirl from Fortinet, 744 00:37:17,292 --> 00:37:20,501 really great people to follow and you'll be able to stay 745 00:37:20,501 --> 00:37:24,167 up to date on the most really interesting Android malware and just 746 00:37:24,167 --> 00:37:26,959 the rooting scene in general. 747 00:37:27,292 --> 00:37:28,709 Then if you'd like to see more information, 748 00:37:28,709 --> 00:37:31,999 we actually post it on our blog, so blog.lookout.com. 749 00:37:32,375 --> 00:37:34,999 There is a (( )) it's about like a ten page almost 750 00:37:34,999 --> 00:37:38,292 like a white paper and has a lot more technical details that we kind 751 00:37:38,292 --> 00:37:40,334 of tried to skim over to prevent you guys 752 00:37:40,334 --> 00:37:43,375 from getting pre-lunch, post-lunch coma. 753 00:37:43,876 --> 00:37:44,876 Thank you.