Aims and Objectives of Project Understand and analyse current malware strategies Analyse in detail...
-
Upload
colleen-chambers -
Category
Documents
-
view
215 -
download
2
Transcript of Aims and Objectives of Project Understand and analyse current malware strategies Analyse in detail...
CROSS-PLATFORM MALWARE
CONTAMINATION
MSc Information Security Project 2013/2014Author: Nicholas Aquilina
Supervisor: Dr Konstantinos Markantonakis
Aims and Objectives of Project Understand and analyse current malware strategies Analyse in detail various malware infection vectors and
new revenue channels being exploited Review malware concealment and detection strategies Carry out an infection between Android device and
Windows, analysing in detail what is happening Propose an efficient and practical way in which cross-
contamination across platforms can be restricted Challenges and barriers to the implementation of our
proposal
Agenda Malware history Mobile malware timeline, attack vectors
and new revenue channels created Malware concealment and detection
strategies Analysis of cross-platform malware Limiting cross-platform malware Challenges and barriers to implementation Concluding remarks
Malware history Definition of malware - A general term used
to refer to any software that is installed on a machine and performs unwanted (malicious) tasks (Christodorescu et al, 2007)
Different classifications have been attempted, mostly based upon the payload type, vulnerabilities exploited and propagation mechanisms used
Malware history Became known to many computer users
through the Melissa virus in 1999 and the LoveLetter worm in 2000 (Dunham et al, 2009)
Mobile malware timeline2000
• Timofonica (targeted at Movistar mobile operator)
2004
• Cabir (first worm to target mobile phones)• Duts (malware targeted at Windows Mobile)
2010
• FakePlayer (first SMS trojan for Android devices)
2013
• Obad (spread via alien botnets)
2014
• FakeBank (Windows trojan attacks Android devices)
Mobile malware attack vectors
Attack Vectors
SMS/MMS
Bluetooth
WiFi
Limited Resources
Processing power
Storage capacity
Battery autonomy
Network
Mobility issues
Network coverage
User Interface Limitation
Screen size
Screen resolution
Visual indicators
Mobile malware revenue channels
New revenue channels exploited by mobile malware:
Billed events○ Premium-rate numbers still being used to target
mobile devices – malicious users can force mobile devices to send premium-rate SMS messages
Payment systems○ Mobile devices being used as physical payment
devices○ Proximity payments (such as NFC) has opened up
new possibilities for malicious attackers e.g. inject malicious URL through NFC tags
Cross-platform contamination First example of cross-platform malware
contamination was the Morris Worm (Orman, 2003)
Released in 1988In less than 24 hours, caused great damageSlowed thousands of systemsExploited vulnerabilities on VAX and SUN
Microsystems platforms; and the Sendmail email delivery software
Cross-platform contamination Following the Morris worm, other multi-
platform malware emerged:
1999 – W32/W97M Coke2000 – W32/HLP Dream and Pluma2001 – W32/Linux Peelf2010 – StuxNet2011 – Duqu2014 – FakeBank
Cross-platform contamination Proof-of-concept by Wang and Stavrou using
USB in 2010 (Z. Wang and A. Stavrou, 2010)
USB commonly used as a means to charge, communicate and synchronise
Malware exploits this connection to propagate itself
In 2010, Wang and Stavrou demonstrated how a PC can use USB connection to unlock and flash software of a mobile device
Cross-platform contamination Proof-of-concept breaking Mobile Transaction
Authentication Numbers (Dmitrienko et al, 2012)
Attack was divided into three phasesFirst phase, malware installed on the terminal
steals the user’s credentialsSecond phase involves cross-platform infectionThird phase, the malicious attacker performs
transaction with the user’s bank, mimicking the user
Malware concealment strategies
Malware concealment strategies serve one purpose, namely survival of the code
The longer malware can protect itself from detection, the more time it has available for replication and infection
Malware concealment strategies
Aim to increase the span of time between infection and detection phases
Phase 1 Infect
Phase 2 Detect
Phase 3 Analyse
Phase 4 Eradicate
Malware concealment strategies
Passive strategies to evade detection:Malware which implements a set of
techniques to hide itself from detection, such as bypassing anti‐virus or anti‐malware signature detection
Active strategies to evade detection:Malware that, apart from concealing their
presence, actively tries to hinder the detection and analysis of the code
Malware detection strategies
Using static techniques:
Signature analysis and hashingExtracting system callsStatic taint analysis
Using dynamic techniques:
Dynamic taint analysisBehavioural analysis
Malware detection strategies Using heuristics:
Monitoring API and system callsOpCode analysisUsing N-GramsControl flow graphs
Using hybrid techniques
Analysis of cross-platform malware
Practical implementation of cross-platform infection for detailed analysis
Used a physical Android 4.1.1 tablet connected via USB Device Filter to a host running a virtual machine with Windows XP SP3
Malware sample used was DroidCleaner, served via another virtual machine running Kali Linux and Apache
Analysis of cross-platform malware
Tablet device connected to our web server, downloaded and installed the malicious application
Analysis of cross-platform malware Shark for Root was launched and kept in
listening mode DroidCleaner application launched and
‘Default Cleanup’ was selected
Analysis of cross-platform malware Following the hypothetical clean-up,
DroidCleaner was closed Shark Reader was then used to review the
logs generated by Shark for Root Two IPs were noted:
54.235.185.74 – host located on the Amazon Cluster
173.194.70.95 – reported by virustotal.com as serving a number of known malware files
Analysis of cross-platform malware
All latest Windows XP updates were installed but the default installation settings were left enabled
Autorun feature was kept enabled for the purpose of our analysis
Launched two applications on our Windows XP machine, Process Hacker and Wire Shark
Analysis of cross-platform malware Upon connecting the tablet to the Windows
XP machine, Process Hacker detected two unknown applications namely ‘pwd.exe’ and ‘Start.exe’
A short while afterwards, the application ‘Start.exe’ generated an application error message
Analysis of cross-platform malware
Analysis of cross-platform malware Wire Shark was stopped and proceeded
to analyse the logs generated We noted that our XP machine was
trying to connect to IP 190.93.253.132 using SSLv3
This IP address was checked again using virustotal.com
Reported to resolve to minecraft.org
Analysis of cross-platform malware
Analysis of cross-platform malware
ILSpy was launched and file ‘svchosts.exe’ analysed
File contains the NAudio library, launched upon program execution
NAudio is an open source .NET audio and MIDI library
Confirmed our initial thoughts that this malware will record, and upload, voice recordings to the attacker
Analysis of cross-platform malware
To further the analysis, the function ‘XControl’ was opened and the following details were noted:
the attacker’s server (hostname) the FTP user name and password the destination port number to use
Analysis of cross-platform malware
Analysis of cross-platform malware The file was then uploaded to an online
sandbox analysis facility Two anti-debugging techniques were found
namely:
Guard pages – used to protect against reverse engineering and debugging, returning an exception
SystemKernelDebuggerInformation – a feature used to check for kernel debuggers attached to the system
Analysis of cross-platform malware
We then analysed the Android application using various tools found within the Kali Linux distribution
Of particular interest are the various commands which the attacker can use once the mobile device is infected
Analysis of cross-platform malware
Analysis of cross-platform malware Registration of the Android device was
made using config file ConnectorService The device was instructed to send the
command string:
‘|NEW_HELLOW|’ followed by ‘ACCT + PORT’
On successful connection, the device would then download three files ‘svchost.exe’, ‘Kst.exe’ and ‘Controller.exe’
Analysis of cross-platform malware Summary
The unsuspecting user downloads a rogue application
When the user launches the application, it communicates with a remote command‐and‐control server
The user then proceeds to connect his Android device to the computer
The malware on the Android device propagates to the victim’s computer
Limiting cross-platform malware
Malware creators are being craftier in evading anti-malware engines
Through our research, it was noted that detection through anti-malware engines is carried out from within the operating system
The actual anti-malware engine is running as a process in itself which can be easily subverted and inherits weaknesses in the operating system
Zero-day exploits and other advanced persistent threats are a daily occurrence
Limiting cross-platform malware
Proposal of adding a new layer between the hardware layer and the operating system/kernel layers
Security layer denoted as hypervisor Can be used to monitor and protect the
whole system Must be lightweight in resources
consumed, transparent to the operating system and compatible across multiple platforms
Limiting cross-platform malware
We still need some sort of malware detection technique in order to detect the presence of malicious intentions during programme execution
Malware using polymorphism or metamorphism can easily evade static malware detection
Limiting cross-platform malware
In addition, static detection is largely based on signatures
These systems are equipped with a database of known signatures or instructions that are considered malicious
Such a setup imposes a restriction on the frequency when this signature database is updated e.g. out of (3G) data reception
Limiting cross-platform malware
During our malware analysis, we showed how DroidCleaner attacked both Android and Windows
Through registration of our Android device to the attacker’s server, access to the various hardware components was made available.
On Windows, the attacker could install an open source audio library that controlled microphone activation and the local storage
Limiting cross-platform malware
Limiting cross-platform malware
We propose two configuration sets
One set, S1, will contain hardware features to be monitored e.g. GPS sensor, WiFi, microphone, camera
The other set, S2, will contain the permissions requested for S1 e.g. take a picture, enable WiFi, access microphone
Limiting cross-platform malware
By way of example:
If hypervisor detects a request to access camera (S1) for taking a snapshot (S2), the request will be allowed if a previous user activity took place within a configured timeout in seconds
Limiting cross-platform malware
Start Device
Launch Hypervisor
Monitor Requests
Check User Activity
Load Dataset
If timeout is > than limit set
If timeout is < than limit set
Allow Access, Update Dataset
Deny Access, Update Dataset
Challenges to implementation
Access to hardware drivers and source code due to diversification of the Android platform (ARM, Intel to name a few)
Power management and battery life are a critical factor – possible use of ‘wakelocks’ in Android to avoid constant polling (allow apps to notify the kernel that they are doing something, and that the kernel should not put the device to sleep)
Challenges to implementation
Functionality is a critical factor – added benefits of security are seen as extra burden, limiting use of their device
Security review – cannot be software with an unknown internal structure; opening the system to the security community allows independent assessment of its exposure to risk
Concluding remarks Significance of our research
Gain a better understanding of the way cross‐platform malware contamination occurs in practice
An attempt was made to come up with a new framework that can assist us in limiting such contamination, moving away from traditional detection
Future research
The weaknesses affecting current malware detection strategies lie at the basis of our departure from the traditional view of how we can protect devices in favour of new methods designed to amplify the effectiveness of existing detection techniques
Practical hints for your project
Liaise with your personal adviser to discuss your interests and direct you to relevant tutor sharing your interests
Make early contact and try to come up with two to three areas of interest
Prepare a solid timetable, defining the chapters, amount of pages to write and set deadlines
Adjust your timetable schedule where necessary but try not to diverge too much
References M. Christodorescu, S. Jha, D. Maughan, D. Song and C. Wang,
"Introduction to Malware Detection," in Malware Detection, New York, USA, Springer Science and Business Media, 2007, p. IX
K. Dunham, S. Abu‐Nimeh, S. Fogie, B. Hernacki, J. A. Morales and C. Wright, Mobile
Malware Attacks and Defense, Syngress Publishing Inc, 2009
H. Orman, "The Morris Worm: A Fifteen‐Year Perpective," Security & Privacy, IEEE, vol. 1, no. 5, pp. 35‐43, November 2003
Z. Wang and A. Stavrou, "Exploiting Smart‐Phone USB Connectivity for Fun and Profit," in Preceedings of the 26th Annual Computer Security Applications Conference (ACSAC), 6‐10 December pp. 357‐366, Austin, Texas, USA, 2010
A. Dmitrienko, L. Davi, A.‐R. Sadeghi and C. Liebchen, "Over‐the‐Air Cross‐platform Infection for Breaking mTAN‐based Online Banking Authentication," in Black Hat 2012, Abu Dhabi, UAE, 2012
Thank you
http://mt.linkedin.com/[email protected]