
SOCELLBOT: A New Botnet Design to Infect Smartphones via Online Social Networking

2012 25th IEEE Canadian Conference on Electrical and Computer Engineering (CCECE)

Speaker: 呂映萱, 102/10/24

Mohammad Reza Faghani and Uyen Trang Nguyen

Outline
• Abstract
• Introduction
• The proposed SoCellBot
• Simulation
• Results
• Conclusion

Abstract
• Smartphone
• Online social network (OSN)
• A new cellular botnet named SoCellBot
  o Harder to detect
  o More resilient to bot failures
  o More cost-effective to cellular bots
• Raising awareness of new mobile botnets
• Preventive measures to deter SoCellBot

Introduction
• Why OSNs?
  1. Most cellular network providers offer OSN access to their clients free of charge.
  2. Messages exchanged in OSNs are usually encrypted.
  3. The topology of an OSN-based botnet is more resilient to bot failures or unavailability thanks to the highly clustered structure of the social network graph.

The proposed SoCellBot
• SoCellBot infects smartphones with malware
• The medium to recruit bots is the OSN
  o Unlike SMS-based botnets, SoCellBot incurs small monetary costs.
• Architecture
  o Propagation mechanism
  o Command and control channel
  o Botnet topology maintenance

The proposed SoCellBot
• Propagation mechanism
  o Using social engineering techniques
• Eye-catching web link
• Infiltration

The proposed SoCellBot
• Command and control channel
  o Online social network messaging system (OSNMS)
  o Using an algorithm to disguise the commands so that they look normal
  o Sending a message to a random user in Facebook is possible
• Infected users then infect their friends

The proposed SoCellBot
• SoCellBot botnet topology
  o Ensured to be connected
  o Resilient to bot failures and unavailability

Simulation
• OSN model and graphs
• Characteristics of OSNs
  o Degree
  o Clustering coefficient
  o High clustering
  o Low average network distance

Simulation parameters
• Original OSN
  o 3 OSNs of size 5000, 10000, 15000
  o Generated using the algorithm by Holme and Beom
• Equivalent random graphs (ERG)
  o ERGs are created using an algorithm by Viger and Latapy
• Why ERG?
  o An ERG helps malware propagate faster than the original OSN graph
  o An attacker may be able to obtain the graph of an OSN using a tool such as R[12] or Pajek[2]

Simulation
• Malware propagation model
  1. Randomly choose a node (user) for infiltration
  2. If the user executes the command:
     • The user’s smartphone sends out a message to his/her friends (adjacent vertices in the social network graph), directing them to the malicious content
     • Upon receiving the message, each friend will execute the malware with a probability p
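The propagation model on this slide, as an added simulation that is not from the slides or the paper: each newly infected node messages its friends once, and each recipient executes with probability p. The graph generator is a simplified preferential-attachment model with triad closure, an assumption standing in for the generator the slides cite; `clustered_graph`, `simulate` and `rounds_to` are hypothetical names.

```python
import random

def clustered_graph(n, m, p_triad, rng):
    """Grow a connected graph: preferential attachment plus triad closure."""
    adj = {i: set() for i in range(n)}
    ends = []                                  # one entry per edge endpoint
    for i in range(m):                         # seed clique on m nodes (m >= 2)
        for j in range(i):
            adj[i].add(j); adj[j].add(i); ends += [i, j]
    for v in range(m, n):
        last = None
        while len(adj[v]) < m:
            pick = None
            if last is not None and rng.random() < p_triad:
                # Close a triangle: befriend a friend of the last pick.
                near = sorted(u for u in adj[last] if u != v and u not in adj[v])
                pick = rng.choice(near) if near else None
            if pick is None:                   # degree-proportional choice
                pick = rng.choice(ends)
                if pick in adj[v]:
                    continue
            adj[v].add(pick); adj[pick].add(v)
            last = pick
        ends += [v] * m + sorted(adj[v])
    return adj

def simulate(adj, p, start, rng):
    """Cumulative infected count per round for execution probability p."""
    infected, frontier, curve = {start}, [start], [1]
    while frontier:
        nxt = []
        for u in frontier:                     # each new node messages friends once
            for v in sorted(adj[u]):
                if v not in infected and rng.random() < p:
                    infected.add(v); nxt.append(v)
        frontier = nxt
        curve.append(len(infected))
    return curve

def rounds_to(curve, n, frac):
    """First round with at least frac of n nodes infected, else None."""
    return next((t for t, c in enumerate(curve) if c >= frac * n), None)

if __name__ == "__main__":
    g = clustered_graph(2000, 3, 0.8, random.Random(1))   # constructed graph
    for p in (0.25, 0.5, 0.75, 1.0):
        curve = simulate(g, p, 0, random.Random(2))
        print(p, curve[-1], rounds_to(curve, len(g), 0.9))
```

In this model p is the only per-user parameter, so anything that lowers the chance a recipient runs the linked content flattens the curve.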


Simulation
• Fields set in each command
  o A unique sequence number (SN)
    • SNs help to minimize the number of duplicate messages
  o Time-to-live (TTL)
    • A good estimate for the TTL is the diameter of the OSN graph
• How to avoid detection?
  o After receiving a command, a node checks the SN to see if it has seen the message before.
    • If the message is new:
      o Decrement the TTL (TTL-1)
      o Forward the message to its one-hop neighbors (adjacent vertices)
    • Else, if the message is a duplicate:
      o The node simply discards it
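The SN and TTL handling from this slide as an added simulation on a constructed 8-node graph (not code from the slides or the paper). It assumes relaying stops once the decremented TTL reaches 0, which the slide does not state; `GRAPH`, `hops_from`, `diameter` and `flood` are hypothetical names.

```python
from collections import deque

# Constructed friendship graph: two 4-node clusters joined by the 3-4 edge.
GRAPH = {
    0: [1, 2, 3], 1: [0, 2, 3], 2: [0, 1, 3], 3: [0, 1, 2, 4],
    4: [3, 5, 6, 7], 5: [4, 6, 7], 6: [4, 5, 7], 7: [4, 5, 6],
}

def hops_from(adj, src):
    """BFS hop distance from src to every reachable node."""
    dist, queue = {src: 0}, deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def diameter(adj):
    """Longest shortest path in the graph (the slide's TTL estimate)."""
    return max(max(hops_from(adj, s).values()) for s in adj)

def flood(adj, origin, ttl, dedup=True):
    """Relay one message (one SN); return (nodes reached, messages sent)."""
    seen, sent = {origin}, 0
    queue = deque((nbr, ttl) for nbr in adj[origin])
    while queue:
        node, t = queue.popleft()
        sent += 1                          # one message delivered to `node`
        if dedup and node in seen:
            continue                       # SN already seen: discard
        seen.add(node)
        if t - 1 > 0:                      # TTL-1, relay while it is positive
            queue.extend((nbr, t - 1) for nbr in adj[node])
    return len(seen), sent

if __name__ == "__main__":
    d = diameter(GRAPH)
    print("diameter", d)
    print("TTL=d, SN check   ", flood(GRAPH, 0, d))
    print("TTL=d-1, SN check ", flood(GRAPH, 0, d - 1))
    print("TTL=d, no SN check", flood(GRAPH, 0, d, dedup=False))
```

With the SN check, every node that accepts the message sends at most one copy per friend, so total traffic is bounded by the sum of node degrees; without it the same TTL produces far more messages for the same reach.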


Results
• The first set of experiments - Scenario 1
• As p increases from 0.5 to 1, the malware propagates faster

Results
• The first set of experiments - Scenario 2 and 3

Results
• The second set of experiments

Conclusion
• OSNs are more suitable for mobile botnet communications than the traditional SMS
• The highly clustered structure of OSNs makes the botnet immune from random node failures
• Disadvantage
  o It doesn’t show us the preventive measure
• Caution is the parent of safety