SOCELLBOT: A New Botnet Design to Infect Smartphones via Online Social Networking
2012 25th IEEE Canadian Conference on Electrical and Computer Engineering (CCECE)
Speaker: 呂映萱, 102/10/24
Mohammad Reza Faghani and Uyen Trang Nguyen

Abstract
• Smartphones
• Online social networks (OSNs)
• A new cellular botnet named SoCellBot
  o Harder to detect
  o More resilient to bot failures
  o More cost-effective for cellular bots
• Raising awareness of new mobile botnets
• Preventive measures to deter SoCellBot
Introduction

OSNs
• Why OSNs?
  1. Most cellular network providers offer OSN access to their clients free of charge.
  2. Messages exchanged in OSNs are usually encrypted.
  3. The topology of an OSN-based botnet is more resilient to bot failures or unavailability thanks to the highly clustered structure of the social network graph.

The proposed SoCellBot
• SoCellBot infects smartphones with malware
• The medium used to recruit bots is the OSN
  o Unlike SMS-based botnets, SoCellBot incurs small monetary costs.
• Architecture
  o Propagation mechanism
  o Command and control channel
  o Botnet topology maintenance
The proposed SoCellBot
• Propagation mechanism
  o Uses social engineering techniques
    • Eye-catching web link
    • Infiltration

The proposed SoCellBot
• Command and control channel
  o Online social network messaging system (OSNMS)
  o Uses an algorithm to disguise commands so that they look like normal messages
  o Sending a message to a random user on Facebook is possible
• Infected users then infect their friends

The proposed SoCellBot
• SoCellBot botnet topology
  o Guaranteed to be connected
  o Resilient to bot failures and unavailability
Simulation
• OSN model and graphs
• Characteristics of an OSN
  o Degree
  o Clustering coefficient
  o High clustering
  o Low average network distance

Simulation parameters
• Original OSN
  o 3 OSNs of size 5000, 10000 and 15000
  o Generated using the algorithm by Holme and Beom
• Equivalent random graphs (ERGs)
  o Created using an algorithm by Viger and Latapy
• Why ERGs?
  o An ERG helps a malware propagate faster than the original OSN graph
  o An attacker may be able to obtain the graph of an OSN using a tool such as R [12] or Pajek [2]
Simulation
• Malware propagation model
  1. Randomly choose a node (user) for infiltration
  2. If the user executes the command:
     • The user's smartphone sends a message to his/her friends (adjacent vertices in the social network graph), directing them to the malicious content
     • Upon receiving the message, each friend executes the malware with probability p

Simulation
• Fields set in each command
  o A unique sequence number (SN)
    • SNs help to minimize the number of duplicate messages
  o Time-to-live (TTL)
    • A good estimate for the TTL is the diameter of the OSN graph
• How to avoid detection?
  o After receiving a command, a node checks the SN to see whether it has seen the message before.
    • If the message is new:
      o Decrement the TTL by 1
      o Forward the message to its one-hop neighbors (adjacent vertices)
    • Else, if the message is a duplicate:
      o The node simply discards it
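The propagation model and the SN/TTL forwarding rules above, as an added Python example that is not part of the slides or of the paper's simulator: it builds a constructed toy OSN (cliques chained by bridge edges, so clustering is high), uses the graph diameter as the TTL as the slides suggest, and counts how many bots and messages one command produces for a given p. The treatment of a user who declines to execute the malware (marked as having seen the SN, so the same command does not re-prompt them) is an assumption of this example.

```python
import random
from collections import deque
from itertools import combinations

def make_toy_osn(n_clusters=4, size=6):
    """Constructed toy OSN: cliques (high clustering) chained by single bridge edges."""
    adj = {v: set() for v in range(n_clusters * size)}
    for c in range(n_clusters):
        for u, v in combinations(range(c * size, (c + 1) * size), 2):
            adj[u].add(v); adj[v].add(u)
        if c + 1 < n_clusters:          # bridge: last node of cluster c to first of c + 1
            a, b = (c + 1) * size - 1, (c + 1) * size
            adj[a].add(b); adj[b].add(a)
    return adj

def diameter(adj):
    """Longest shortest path (BFS from every node): the slides' suggested TTL value."""
    longest = 0
    for s in adj:
        dist, q = {s: 0}, deque([s])
        while q:
            u = q.popleft()
            for v in adj[u]:
                if v not in dist:
                    dist[v] = dist[u] + 1; q.append(v)
        longest = max(longest, max(dist.values()))
    return longest

def simulate(adj, p, ttl, start=0, seed=7):
    """One command (one SN) spreading from an infiltrated node `start`.
    A bot forwards to all friends while its TTL > 0; a friend who has not seen the SN
    executes with probability p and becomes a bot holding TTL - 1; a friend who has seen
    the SN discards it. Assumption: a friend who declines is also marked as having seen
    the SN, so the same command does not re-prompt them. Returns (bots, messages_sent)."""
    rng, sn = random.Random(seed), 0  # one command, one sequence number
    seen, bots, sent = {(start, sn)}, {start}, 0
    q = deque([(start, ttl)])
    while q:
        u, t = q.popleft()
        if t <= 0:
            continue                    # TTL exhausted: this bot stops forwarding
        for v in adj[u]:
            sent += 1
            if (v, sn) in seen:
                continue                # duplicate SN: silently discarded
            seen.add((v, sn))
            if rng.random() < p:
                bots.add(v); q.append((v, t - 1))
    return len(bots), sent
```

Calling `simulate(g, p, diameter(g))` on `g = make_toy_osn()` for p in 0.5, 0.75 and 1.0 lets you watch the bot count and message volume change with p; averaging over several seeds gives the kind of curve the slides report for Scenario 1.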
Results
• ….

The first set of experiments: Scenario 1
As p increases from 0.5 to 1, the malware propagates faster