Mobile Worms and Viruses


  • 8/14/2019 Mobile Worms and Viruses


    Seminar on

    Mobile viruses & worms

    by Viven Rajendra

    Guide: Prof. Bernard Menezes


    CONTENT

    Introduction

    Survey of current mobile malware

    Malware propagation in mobile phone networks (Experiments)

    Futuristic threats

    Conclusions

    Brief case studies


    Why is this study important?

    Private photos MMSed.

    Message outbox empty.

    Image courtesy Hypponen [1].

    Unknown calls made.

    Unknown MMS sent.

    Background picture is a skull :X


    Brief Malware Primer

    Trojan - Designed to appear innocent, causes malicious activity or provides a backdoor. Cannot replicate itself or spread on its own.

    Virus - When run, has the ability to self-replicate by infecting other executables. Does not have the ability to spread to another computer on its own.

    Worm - Ability to spread to other computers on its own using either mass-mailing to email addresses on your computer or by using the Internet.


    Comparing PC and mobile malware

    Software patches

    Mobility

    Ignorance and security concerns.

    Device characteristics.


    Vulnerabilities


    1) Social engineering based attacks.

    Congratulations! You Are The Millionth Visitor. I Have A Free Gift For You

    Secret admirer ?? :)


    2) Attacks exploiting software vulnerabilities.

    2 a) Protocol complexity

    2 b) Cryptographic vulnerability

    Image courtesy Su et al. [2]

    2 c) OS vulnerability (buffer overflow).


    Current threats

    Cause financial loss to user.

    Unknown calls made, SMS sent.

    Losing confidentiality of data stored on the phone.

    Excessive Bluetooth usage.

    Continuous scanning, spreading via Bluetooth.

    Make phone unusable.

    Devices crash frequently or work miserably slow.

    Infect system files. Hence, some applications do not work.

    Data loss

    Delete address book entries.

    Miscellaneous

    Replace icons.

    Install malicious application on device (trojan).


    Experiments: Studying propagation of mobile malware

    Rather than wait to react to widespread outbreaks, it is important to investigate their characteristics and propagation as a basis for proactively defending against them.


    Goals

    To explore the range of malware propagation on mobile phone networks, we need to:

    Characterize its speed and severity

    Understand how network provisioning impacts propagation

    Understand how malware propagation impacts the network

    Highlight the implications of network-based defenses against malware


    Investigations by Su et al. [3]

    Collected three different traces of Bluetooth activity.

    Two of the traces were gathered inside Pacific Mall and Eaton Centre, two malls in Toronto, Canada.

    The third trace was gathered while riding the Toronto subway system.

    These three locations provide a broad coverage of the different density and mobility characteristics one might find in various urban destinations.

    Image courtesy BluebagProject [5]


    Feasibility of a Bluetooth worm infection

    Their results suggest an outbreak is viable today:

    1) Discoverable Bluetooth-enabled devices are prevalent today.

    2) The device population is relatively homogeneous.

    3) Most devices remain within scanners' Bluetooth range long enough for an infection to occur.


    Simulating Bluetooth worm propagation by Su et al.

    Their simulator takes four inputs:

    device population size,

    fraction of vulnerable devices,

    number of infection seeds,

    input trace of Bluetooth events.

    Important limitations of their simulator:

    1) Does not capture physical proximity and geographical distribution of devices.

    2) It assumes that an infection occurs immediately when any two devices are in contact.
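
A small trace-driven simulator with the same four inputs, added here as an illustration (it is not Su et al.'s simulator or the presenter's code). The constructed trace, its `(time, a, b, duration)` layout, `rng_seed` and the `min_contact_s` knob are assumptions; the default `min_contact_s=0` reproduces limitation 2, and raising it goes beyond the original design to show what that assumption hides.

```python
import random

# Constructed trace: (time_s, device_a, device_b, contact_duration_s).
# Six devices meet in a ring twice; the second pass has only brief contacts.
TRACE = [(n + 1, n % 6, (n + 1) % 6, 30 if n < 6 else 5) for n in range(12)]

def simulate(population, frac_vulnerable, n_seeds, trace,
             min_contact_s=0, rng_seed=0):
    """Replay a Bluetooth contact trace and return [(time, infected), ...]."""
    rng = random.Random(rng_seed)
    # Seeds are always vulnerable, so never pick fewer vulnerable devices.
    n_vuln = max(n_seeds, round(population * frac_vulnerable))
    vulnerable = set(rng.sample(range(population), n_vuln))
    infected = set(rng.sample(sorted(vulnerable), n_seeds))
    curve = [(0, len(infected))]
    for t, a, b, duration in sorted(trace):
        if duration < min_contact_s:
            continue  # contact too short to transfer the payload
        # A contact is symmetric: either side may be the infected one.
        for src, dst in ((a, b), (b, a)):
            if src in infected and dst in vulnerable and dst not in infected:
                infected.add(dst)
                curve.append((t, len(infected)))
    return curve

def final_infected(curve):
    """Number of infected devices at the end of the trace."""
    return curve[-1][1]

if __name__ == "__main__":
    for label, kwargs in (("immediate infection", {}),
                          ("needs >= 10 s contact", {"min_contact_s": 10})):
        print(label, simulate(6, 1.0, 1, TRACE, **kwargs))
```

Comparing the two curves shows how much of the predicted outbreak depends on contacts that may be too brief for a real transfer.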


    Conclusions by Su et al.

    I augment my opinions along with their conclusions:

    1) Human-mediated counter response solutions ?

    2) Outbreak is viable once a vulnerability is exploited.

    3) Placing monitoring systems at public locations like malls.


    Investigations by Fleizach et al


    Methodology

    To accomplish these goals:

    Created a realistic network topology generator.

    Modeled address books of cell phone users.

    Created an event-driven simulator:

    Model two attack vectors: Voice-over-IP and MMS

    Investigate ways to speed up the spread of malware

    Examine network-based defenses


    Modeling social networks

    Existing viruses in cell phones (e.g. Commwarrior) use the entries in the address book to spread

    The implication is that there is an underlying social network topology

    How are nodes connected?

    Used various degree distribution models for the address book. (Erlang)


    Node Attachment

    The probability that one person was connected to another was inversely proportional to the number of people between them

    $p(x,y) \propto \frac{1}{d(x,y)}$

    p(x,y) = probability person x is a friend with person y

    d(x,y) = number of people between person x and person y


    Congestion in VoIP scenario

    Major bottleneck is at the RNC -> SGSN link.

    Congestion also decreases over time

    - Phones finish enumerating their contacts, start randomly dialing

    Image courtesy [2]


    Image courtesy [2]

    Combining Strategies

    Transferring contacts and avoiding congestion can be very effective

    Infection reaches 90% rate 4x faster than the standard scenario


    Image courtesy [2]

    Speeding up MMS

    Use an out-of-band channel (Internet) to coordinate. Malware can quickly build a global address book

    The infection rate using an Internet server reaches 48 infections/s (nearly optimal)

    Standard malware only


    Network based Defenses

    Since the infrastructure is centrally managed and owned, defenses can be inserted at critical points to affect the spread

    However, the fact that the end nodes (phones) can be hard to disinfect introduces challenges

    A few defensive scenarios:

    Blacklisting

    Rate limiting

    Filtering

    Removing the infected reduces congestion!

    Can be effective for MMS, but difficult for VoIP
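
The node-attachment rule and the blacklisting defense from the slides above, combined in one event-driven sketch. This is an added example, not Fleizach et al.'s simulator or the presenter's code; placing people on a line with d(x, y) = |x - y|, the fixed address-book size, the count-based blacklist policy and all function names are assumptions.

```python
import heapq
import random

def build_address_books(n, book_size, rng):
    """Give each phone `book_size` contacts, chosen with p(x, y) ~ 1/d(x, y).

    Assumption: people stand on a line and d(x, y) = |x - y|.
    """
    books = {}
    for x in range(n):
        others = [y for y in range(n) if y != x]
        weights = [1.0 / abs(x - y) for y in others]
        picked = set()
        while len(picked) < book_size:
            picked.add(rng.choices(others, weights)[0])
        books[x] = sorted(picked, key=lambda y: abs(x - y))
    return books

def mms_outbreak(books, seed_phone, blacklist_after=None, interval_s=1.0):
    """Event-driven spread: each infected phone messages its whole address book.

    Defense (assumed policy): the network drops every message from a sender
    once it has submitted more than `blacklist_after` messages.
    """
    infected, submitted = {seed_phone}, {}
    events = [(interval_s * (i + 1), seed_phone, dst)
              for i, dst in enumerate(books[seed_phone])]
    heapq.heapify(events)
    while events:
        t, src, dst = heapq.heappop(events)
        submitted[src] = submitted.get(src, 0) + 1
        if blacklist_after is not None and submitted[src] > blacklist_after:
            continue  # sender is blacklisted; message never delivered
        if dst not in infected:
            infected.add(dst)
            for i, nxt in enumerate(books[dst]):
                heapq.heappush(events, (t + interval_s * (i + 1), dst, nxt))
    return len(infected)

def compare(n=200, book_size=8, thresholds=(None, 4, 2, 0), rng_seed=1):
    """Final outbreak size per blacklist threshold on one generated topology."""
    books = build_address_books(n, book_size, random.Random(rng_seed))
    return {k: mms_outbreak(books, n // 2, blacklist_after=k) for k in thresholds}

if __name__ == "__main__":
    print(compare())
```

Lower thresholds can only shrink the final outbreak, because each infected phone delivers a prefix of the same address book.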


    Futuristic threats

    1) Location tracking.

    2) Espionage bug.

    3) Loss of security.

    4) DDoS attack.


    Common protection against mobile malware

    1) Non-discoverable mode.

    2) Install antivirus/IDS.

    3) Firmware Updates.

    4) Untrusted sites & software.

    5) Filtering out malware at MSP.

    6) Infection Scanners at public locations.

    Image courtesy F-Secure Corp.


    Thank You


    Questions and Answers


    References

    [1] Hypponen, M. Malware goes mobile. Scientific American 295, 5 (Nov 2006).

    [2] Su, J., Chan, K. K. W., Miklas, A. G., Po, K., Akhavan, A., Saroiu, S., de Lara, E., and Goel, A. A preliminary investigation of worm infections in a Bluetooth environment. In Proc. of ACM WORM06 (Nov. 2006).

    [3] C. Fleizach, M. Liljenstam, Per J., G. M. Voelker. Can you infect me now? Malware propagation in mobile phone networks. In Proc. of WORM, 2 (Nov 2007).

    [4] F-Secure. F-Secure Virus Information Pages: Cabir. http://www.f-secure.com/v-descs/cabir.shtml

    [5] F-Secure. F-Secure Virus Information Pages: Commwarrior. http://www.f-secure.com/v-descs/commwarrior.shtml

    [6] A. Gostev, Kaspersky Labs (Oct 2006). Mobile Malware Evolution: An overview, Part 1 & 2. http://www.viruslist/en/analysis

    Future work

    There is a need to redesign the technology. The protection mechanisms can be broadly classified on the basis of the requirements of the protection systems.

    1) System Level Security: MOSES Architecture. System level security aims to make the system more secure by restricting the execution of unauthorised applications.

    2) Network Level Security: Proactive Approach. Network level security aims to provide a basis for filtering out malware transitioning over the network between various devices.


    Case Studies

    Cabir (Bluetooth : worm)

    CommWarrior (MMS : worm)

    Skuller (Most numerous family, OS vulnerability : Trojans)


    Mobile Virus Families

    Image Courtesy: http://www.viruslist.com?pubid=204791922


    Cabir

    Detected June 2004.

    First network worm capable of spreading through Bluetooth.

    Intended to demonstrate how to exploit Bluetooth.

    caribe.sis : worm as a system file.

    Continuous scanning for mobile devices using Bluetooth. Causes battery drainage.

    No real harm, however code freely available and well documented. Hence, has 15 variants.


    CommWarrior

    First network worm capable of propagating via MMS, also Bluetooth.

    Worm searches for active Bluetooth devices.

    When found, sends infected .sis file when the receiver agrees.

    Also sends infected file to all contacts in address book.

    Financial harm to the user and battery drainage.

    Currently we know of 7 modifications. Four of them have the author's signature.

    CommWarrior v1.0b 2005 by e10d0r. CommWarrior is freeware product. You may freely distribute it in its original unmodified form.


    Image courtesy M.Hypponen [1]


    Skuller

    Most primitive malicious programs for Symbian OS, trojan.

    Overwrite any files including system files, system becomes unstable.

    The .aif files are malicious; these create skull icons and block access to the application for which the skulls act as an icon.

    Once a mobile has been infected it can only be used to make calls; SMS, MMS, camera, organiser functions etc. will no longer work.

    Is the most numerous family of mobile trojans till date. (31 variants)