8/14/2019 Mobile Worms and Viruses
Seminar on
Mobile viruses & worms
by Viven Rajendra
Guide: Prof. Bernard Menezes
CONTENT
Introduction
Survey of current mobile malware
Malware propagation in mobile phone networks (Experiments)
Futuristic threats
Conclusions
Brief case studies
Why is this study important?
Private photos MMSed. Message outbox empty.
Image courtesy Hypponen [1].
Unknown calls made.
Unknown MMS sent.
Background picture is a skull :X
Brief Malware Primer
Trojan - Designed to appear innocent, causes malicious activity or provides a backdoor. Cannot replicate itself or spread on its own.
Virus - When run, has the ability to self-replicate by infecting other executables. Does not have the ability to spread to another computer on its own.
Worm - Ability to spread to other computers on its own using either mass-mailing to email addresses on your computer or by using the Internet.
Comparing PC and mobile malware
Software patches
Mobility
Ignorance and security concerns.
Device characteristics.
Vulnerabilities
1) Social engineering based attacks.
Congratulations! You Are The Millionth Visitor. I Have A Free Gift For You
Secret admirer ?? :)
2) Attacks exploiting software vulnerabilities.
2 a) Protocol complexity
2 b) Cryptographic vulnerability
Image courtesy Su et al. [2]
2 c) OS vulnerability (buffer overflow).
Current threats
Cause financial loss to user.
- Unknown calls made, SMS sent.
Losing confidentiality of data stored on the phone.
Excessive Bluetooth usage.
- Continuous scanning, spreading via Bluetooth.
Make phone unusable.
- Devices crash frequently or work miserably slow.
- Infect system files. Hence, some applications do not work.
Data loss
- Delete address book entries.
Miscellaneous
- Replace icons.
- Install malicious application on device (trojan).
Experiments: Studying propagation of mobile malware
Rather than wait to react to widespread outbreaks, it is important to investigate their characteristics and propagation as a basis for proactively defending against them.
Goals
To explore the range of malware propagation on mobile phone networks, we need to:
Characterize its speed and severity
Understand how network provisioning impacts propagation
Understand how malware propagation impacts the network
Highlight the implications of network-based defenses against malware
Investigations by Su et al. [3]
Collected three different traces of Bluetooth activity.
Two of the traces were gathered inside Pacific Mall and Eaton Centre, two malls in Toronto, Canada.
The third trace was gathered while riding the Toronto subway system.
These three locations provide broad coverage of the different density and mobility characteristics one might find in various urban destinations.
Image courtesy Bluebag Project [5]
Feasibility of a Bluetooth worm infection
Their results suggest an outbreak is viable today:
1) Discoverable Bluetooth-enabled devices are prevalent today.
2) The device population is relatively homogeneous.
3) Most devices remain within scanners' Bluetooth range long enough for an infection to occur.
Simulating Bluetooth worm propagation by Su et al.
Their simulator takes four inputs:
device population size,
fraction of vulnerable devices,
number of infection seeds,
input trace of Bluetooth events.
Important limitations of their simulator:
1) Does not capture physical proximity and geographical distribution of devices.
2) It assumes that an infection occurs immediately when any two devices are in contact.
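A trace-driven outbreak model with the four inputs listed above, written here as an added example; it is not the simulator of Su et al. The trace is constructed, and the contact duration field, the `min_contact_s` parameter and the choice to draw seeds from the vulnerable devices are assumptions, added to show how much the "infection occurs immediately" simplification can overstate spread.

```python
import random

# Constructed trace of Bluetooth sightings: (time_s, device_a, device_b, duration_s).
# Five devices meet along a chain, first in one direction and then back again.
TRACE = [
    (10, 0, 1, 60), (20, 1, 2, 5), (30, 2, 3, 60), (40, 3, 4, 60),
    (50, 3, 4, 60), (60, 2, 3, 60), (70, 1, 2, 5), (80, 0, 1, 60),
]


def simulate(population, vulnerable_fraction, n_seeds, trace,
             min_contact_s=0, rng_seed=0):
    """Replay a contact trace; return [(time_s, infected_count), ...]."""
    rng = random.Random(rng_seed)
    n_vulnerable = round(vulnerable_fraction * population)
    vulnerable = set(rng.sample(range(population), n_vulnerable))
    # Assumption: the initial infections are drawn from the vulnerable devices.
    infected = set(rng.sample(sorted(vulnerable), min(n_seeds, n_vulnerable)))
    timeline = [(0, len(infected))]
    for time_s, a, b, duration_s in sorted(trace):
        # min_contact_s=0 is the simplification listed above: any contact
        # infects at once. A larger value drops contacts too short to transfer.
        if duration_s < min_contact_s:
            continue
        for src, dst in ((a, b), (b, a)):
            if src in infected and dst in vulnerable and dst not in infected:
                infected.add(dst)
                timeline.append((time_s, len(infected)))
    return timeline


def final_infected(timeline):
    """Number of infected devices once the whole trace has been replayed."""
    return timeline[-1][1]


if __name__ == "__main__":
    for min_contact in (0, 30):
        run = simulate(5, 1.0, 1, TRACE, min_contact_s=min_contact)
        print(f"min_contact_s={min_contact}: {run}")
```

With immediate infection every device in the constructed trace ends up infected; requiring 30 seconds of contact splits the chain at the two 5-second sightings and the outbreak stays inside one group.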
Conclusions by Su et al.
I augment my opinions along with their conclusions:
1) Human-mediated counter response solutions ?
2) Outbreak is viable once a vulnerability is
exploited.
3) Placing monitoring systems at public locations
like malls.
Investigations by Fleizach et al
Methodology
To accomplish these goals:
Created a realistic network topology generator.
Modeled address books of cell phone users.
Created an event-driven simulator:
- Model two attack vectors: Voice over IP and MMS
- Investigate ways to speed up the spread of malware
- Examine network-based defenses
Modeling social networks
Existing viruses in cell phones (e.g. Commwarrior) use the entries in the address book to spread
The implication is that there is an underlying social network topology
How are nodes connected?
Used various degree distribution models for the address book (Erlang).
Node Attachment
The probability that one person was connected to another was inversely proportional to the number of people between them:
$$p(x,y) \propto \frac{1}{d(x,y)}$$
p(x,y) = probability that person x is a friend of person y
d(x,y) = number of people between person x and person y
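An address-book generator that applies the attachment rule above, added here as an illustration; it is not the topology generator of Fleizach et al. Placing people on a line, fixing the book size, and taking d(x,y) as the positional gap (people between x and y plus one, so that neighbours get d = 1) are assumptions of this sketch.

```python
import random


def build_address_books(n_people, book_size, rng_seed=0):
    """Give each person `book_size` distinct contacts, drawn with p ~ 1/d."""
    rng = random.Random(rng_seed)
    books = {}
    for x in range(n_people):
        others = [y for y in range(n_people) if y != x]
        # Assumption: d(x, y) = |x - y| on a line, i.e. the number of
        # people between x and y plus one, which avoids dividing by zero.
        weights = [1.0 / abs(x - y) for y in others]
        book = set()
        while len(book) < book_size:
            # Weighted draw; duplicates are discarded by the set.
            book.add(rng.choices(others, weights=weights)[0])
        books[x] = sorted(book)
    return books


def mean_contact_distance(books):
    """Average positional gap between a person and their contacts."""
    gaps = [abs(x - y) for x, book in books.items() for y in book]
    return sum(gaps) / len(gaps)


if __name__ == "__main__":
    books = build_address_books(200, 10)
    print("address book of person 100:", books[100])
    print("mean contact distance:", round(mean_contact_distance(books), 1))
```

Contacts cluster near each person while a few long-range entries remain, which is the property that lets address-book malware jump between otherwise distant parts of the population.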
Congestion in VoIP scenario
Major bottleneck is at the RNC -> SGSN link.
Congestion also decreases over time
- Phones finish enumerating their contacts, start randomly dialing
Image courtesy [2]
Image courtesy [2]
Combining Strategies
Transferring contacts and avoiding congestion can be very effective
Infection reaches 90% rate 4x faster than the standard scenario
Image courtesy [2]
Speeding up MMS
Use an out-of-band channel (Internet) to coordinate. Malware can quickly build a global address book
The infection rate using an Internet server reaches 48 infections/s (nearly optimal)
Standard
malware only
Network based Defenses
Since the infrastructure is centrally managed and owned, defenses can be inserted at critical points to affect the spread
However, the fact that the end nodes (phones) can be hard to disinfect introduces challenges
A few defensive scenarios:
Blacklisting
Rate limiting
Filtering
Removing the infected reduces congestion!
Removing the infected reduces congestion!
Can be effective for MMS, but difficult for VoIP
Futuristic threats
1) Location tracking.
2) Espionage bug.
3) Loss of security.
4) DDoS attack.
Common protection against mobile malware
1) Non-discoverable mode.
2) Install antivirus/IDS.
3) Firmware Updates.
4) Untrusted sites & software.
5) Filtering out malware at MSP.
6) Infection scanners at public locations.
Image courtesy F-Secure Corp.
Thank You
Questions and Answers
References
[1] Hypponen, M. Malware goes mobile. Scientific American 295, 5 (Nov 2006).
[2] Su, J., Chan, K. K. W., Miklas, A. G., Po, K., Akhavan, A., Saroiu, S., de Lara, E., and Goel, A. A preliminary investigation of worm infections in a Bluetooth environment. In Proc. of ACM WORM06 (Nov. 2006).
[3] C. Fleizach, M. Liljenstam, Per J., G. M. Voelker. Can you infect me now? Malware propagation in mobile phone networks. In Proc. of WORM, 2 (Nov 2007).
[4] F-Secure. F-Secure Virus Information Pages: Cabir. http://www.f-secure.com/v-descs/cabir.shtml
[5] F-Secure. F-Secure Virus Information Pages: Commwarrior. http://www.f-secure.com/v-descs/commwarrior.shtml
[6] A. Gostev, Kaspersky Labs (Oct 2006). Mobile Malware Evolution: An overview Part 1 & 2. http://www.viruslist/en/analysis
Future work
There is a need to redesign the technology. The protection mechanisms can be broadly classified on the basis of the requirements of the protection systems.
1) System Level Security: MOSES Architecture. System level security aims to make the system more secure by restricting the execution of unauthorised applications.
2) Network Level Security: Proactive Approach. Network level security aims to provide a basis for filtering out malware transitioning over the network between various devices.
Case Studies
Cabir (Bluetooth: worm)
CommWarrior (MMS: worm)
Skuller (most numerous family, OS vulnerability: Trojans)
Mobile Virus Families
Image Courtesy: http://www.viruslist.com?pubid=204791922
Cabir
Detected June 2004.
First network worm capable of spreading through Bluetooth.
Intended to demonstrate how to exploit Bluetooth.
caribe.sis: worm as a system file.
Continuous scanning for mobile devices using Bluetooth. Causes battery drainage.
No real harm; however, the code is freely available and well documented. Hence, it has 15 variants.
CommWarrior
First network worm capable of propagating via MMS, also Bluetooth.
Worm searches for active Bluetooth devices.
When found, sends an infected .sis file when the receiver agrees.
Also sends infected file to all contacts in address book.
Financial harm to the user and battery drainage.
Currently we know of 7 modifications. Four of them have the author's signature.
CommWarrior v1.0b 2005 by e10d0r. CommWarrior is freeware
product. You may freely distribute it in its original unmodified form.
Image courtesy M.Hypponen [1]
Skuller
Most primitive malicious programs for Symbian OS; trojan.
Overwrites any files including system files; system becomes unstable.
The .aif files are malicious; these create skull icons and block access to the application for which the skulls act as an icon.
Once a mobile has been infected it can only be used to make calls; SMS, MMS, camera, organiser functions etc. will no longer work.
Is the most numerous family of mobile trojans to date (31 variants).