Mobile malware criminal command-and-control activity

Criminal operators continue to hone their craft in 2011 using crimeware that can be repurposed for multiple fraud opportunities, sold or leased to other criminals, and that is now successfully infiltrating the mobile space, according to Gunter Ollmann, VP of research for Damballa.

As the arms race rages on between the criminals, their increasingly federated crime-as-a-service ecosystem, and the security professionals tasked with combating them, it has become increasingly important that the defenders obtain advanced knowledge of the existence and behavior of new criminal operators and their network of infected assets.

Over the first six months of 2011, the number of infected devices engaging in “live” communications with criminal operators grew to nearly 40,000. In weeks 10 and 11 of the year, an outbreak peaked at over 20,000 devices, but infections seemed to be quickly eradicated.

We should expect to see these types of trends in the mobile space, as devices and applications can be “remotely” wiped by providers and app stores should malicious applications be identified. It is our belief that this is likely what occurred in this case.

The numbers here are compelling for several reasons:

  • As predicted, 2011 is shaping up to be the year that mobile malware will begin to be an issue for consumers and enterprises alike in North America. Other countries (China being a great case in point) have already had to deal with significant outbreaks of mobile device infections.
  • Many of these devices connect to the corporate WiFi when brought to work. They come into the network infected, and traditional security systems designed to protect traditional computing assets will not detect these infected mobile devices.
  • Until recently, mobile malware abuse has been limited, to some extent, to premium SMS service fraud or other tactics that did not make use of a command-and-control architecture now common in botnet and crimeware attacks. Having mobile malware contact the criminal operator and establish two-way internet communication now opens the mobile device up to all the same campaigns and crime as their deskbound brethren.
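The third point above is the one a network defender can act on: once mobile malware holds a two-way channel to its operator, it behaves like any other bot, and the steadiest signal it leaves on a corporate network is a regular check-in cadence. The example below is added here and is not code from the report or from Damballa; it runs over a constructed DNS-resolver log (the format, client addresses and domain names are all invented for illustration) and flags any client/domain pair whose query intervals are nearly constant, which is how a periodic beacon looks next to ordinary browsing.

```python
"""Flag periodic beaconing in constructed DNS-resolver log lines.

Added example, not from the report. The log format below
("<ISO timestamp> <client-ip> <queried-domain>"), the client addresses
and the domain names are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one client polls the same name every ~5 minutes,
# the other performs irregular, user-driven lookups.
SAMPLE_LOG = """\
2011-03-14T09:00:00 10.20.0.41 updates.example.net
2011-03-14T09:00:02 10.20.0.41 cdn.example.com
2011-03-14T09:05:00 10.20.0.41 updates.example.net
2011-03-14T09:10:01 10.20.0.41 updates.example.net
2011-03-14T09:14:59 10.20.0.41 updates.example.net
2011-03-14T09:20:00 10.20.0.41 updates.example.net
2011-03-14T09:00:10 10.20.0.77 mail.example.org
2011-03-14T09:03:44 10.20.0.77 news.example.org
2011-03-14T09:31:02 10.20.0.77 mail.example.org
2011-03-14T09:42:19 10.20.0.77 cdn.example.com
"""


def parse_log(text):
    """Yield (timestamp, client, domain) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2].lower().rstrip(".")


def find_beacons(text, min_queries=4, max_jitter=0.1):
    """Return {(client, domain): mean_gap_seconds} for query streams whose
    inter-query gaps are nearly constant (coefficient of variation
    <= max_jitter). Machine-driven regularity is the signal; a single
    lookup of an unfamiliar domain is not."""
    times = defaultdict(list)
    for ts, client, domain in parse_log(text):
        times[(client, domain)].append(ts)

    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            hits[key] = avg
    return hits


if __name__ == "__main__":
    for (client, domain), gap in sorted(find_beacons(SAMPLE_LOG).items()):
        print(f"{client} -> {domain}: beacon every {gap:.0f}s")
```

On the constructed log, only the client polling `updates.example.net` every five minutes is reported; the thresholds (`min_queries`, `max_jitter`) are assumptions to tune against a real resolver's volume, and a hit is a lead for investigation of the device, not proof of infection on its own.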

The prevalence of improved DIY crimeware construction kits and associated exploit packs is visible in the makeup of the results for the first half of 2011, with 8 out of the top 10 largest botnets utilizing popular “off-the-shelf” construction kits.

Not surprisingly, the most popular TLDs (.com, .info, .net, .org and .biz) are among the top 10 most abused by criminals.

The TLD “.in” (India) ranked as the fifth most popular TLD for C&C use. This country code TLD has not historically been considered to be heavily abused.