
Seminar on

Mobile viruses & worms

• by Viven Rajendra
• Guide: Prof. Bernard Menezes
CONTENT
• Introduction
• Survey of current mobile malware
• Malware propagation in mobile phone networks (experiments)
• Futuristic threats
• Conclusions
• Brief case studies
Why is this study important?
• Private photos MMSed.
• Message outbox empty.
• Background picture is a skull.
• Unknown calls made.
• Unknown MMS sent.
Image courtesy Hypponen [1].


Brief Malware Primer
Trojan - Designed to appear innocent; causes malicious activity or provides a backdoor. Cannot replicate itself or spread on its own.

Virus - When run, has the ability to self-replicate by infecting other executables. Does not have the ability to spread to another computer on its own.

Worm - Has the ability to spread to other computers on its own, e.g. by mass-mailing itself to the e-mail addresses found on your computer or by using the Internet directly.
Comparing PC and mobile malware
• Software patches
• Mobility
• Ignorance and security concerns
• Device characteristics
Vulnerabilities
1) Social engineering based attacks, using lures such as:
"Congratulations! You Are The Millionth Visitor."
"I Have A Free Gift For You"
"Secret admirer??"

2) Attacks exploiting software vulnerabilities.
2 a) Protocol complexity
Image courtesy Su et al. [2]
2 b) Cryptographic vulnerability
2 c) OS vulnerability (buffer overflow)

Current threats
• Cause financial loss to the user.
– Unknown calls made, SMS sent.
– Loss of confidentiality of data stored on the phone.
• Excessive Bluetooth usage.
– Continuous scanning, spreading via Bluetooth.
• Make the phone unusable.
– Devices crash frequently or run very slowly.
– Infect system files, hence some applications do not work.
• Data loss
– Delete address book entries.
• Miscellaneous
– Replace icons.
– Install a malicious application on the device (trojan).
Experiments: Studying propagation of mobile malware

Rather than wait to react to widespread outbreaks, it is important to investigate their characteristics and propagation as a basis for proactively defending against them.
Goals
• To explore the range of malware
propagation on mobile phone networks, we
need to :
—Characterize its speed and severity
—Understand how network provisioning
impacts propagation
—Understand how malware propagation
impacts the network
—Highlight the implications of network-
based defenses against malware
Investigations by Su et al. [2]
Collected three different traces of Bluetooth activity. Two of the traces were gathered inside Pacific Mall and Eaton Centre, two malls in Toronto, Canada. The third trace was collected while riding the Toronto subway system.

These three locations provide broad coverage of the different density and mobility characteristics one might find in various urban destinations.

Image courtesy BlueBag Project [5]


Feasibility of a Bluetooth worm infection
Their results suggest an outbreak is viable today:

1) Discoverable Bluetooth-enabled devices are prevalent today.
2) The device population is relatively homogeneous.
3) Most devices remain within the scanners' Bluetooth range long enough for an infection to occur.
Simulating Bluetooth worm propagation by Su et al.
Their simulator takes four inputs:
device population size,
fraction of vulnerable devices,
number of infection seeds,
input trace of Bluetooth events.

Important limitations of their simulator:

1) Does not capture physical proximity and geographical distribution of devices.
2) It assumes that an infection occurs immediately when any two devices are in contact.
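The following is an added example, not code from Su et al. or from this seminar, showing a trace-driven simulator built around the same four inputs. The contact trace is constructed (it is not one of the Toronto traces), and each record carries an assumed contact duration so that limitation 2 can be relaxed: with min_contact=0 the simulator infects on first contact exactly as Su et al. assume, and with a positive min_contact an infection needs the pair to stay in range long enough for the transfer.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Result:
    infected: set
    # (time, number infected) recorded after every new infection
    timeline: list = field(default_factory=list)

    def time_to_fraction(self, frac, population):
        """First trace time at which at least frac of the population is infected."""
        for t, n in self.timeline:
            if n >= frac * population:
                return t
        return None


# Constructed Bluetooth contact trace (not one of the Toronto traces):
# (time in seconds, device A, device B, seconds the two stayed in range).
# The duration field is an assumption added so that limitation 2 can be relaxed.
TRACE = [
    (0, 0, 1, 30),
    (10, 1, 2, 5),    # brief contact: too short for a real .sis transfer
    (20, 1, 3, 60),
    (30, 2, 4, 45),
    (40, 3, 5, 20),
    (50, 5, 6, 3),    # brief contact
    (60, 4, 7, 50),
    (70, 6, 7, 30),
]


def sample_population(population, vuln_fraction, n_seeds, rng):
    """Inputs 1-3 of the simulator: which device ids run the vulnerable
    software and which of them start out infected."""
    n_vuln = round(population * vuln_fraction)
    vulnerable = set(rng.sample(range(population), n_vuln))
    seeds = set(rng.sample(sorted(vulnerable), min(n_seeds, n_vuln)))
    return vulnerable, seeds


def simulate(trace, vulnerable, seeds, min_contact=0):
    """Replay the trace (input 4). With min_contact=0 this is Su et al.'s
    assumption that infection is instantaneous on contact; a positive
    min_contact requires the pair to stay in range at least that long."""
    infected = set(seeds)
    result = Result(infected=infected, timeline=[(0, len(infected))])
    for t, a, b, duration in sorted(trace):
        if duration < min_contact:
            continue
        # contact is symmetric: whichever side is infected scans the other
        for src, dst in ((a, b), (b, a)):
            if src in infected and dst in vulnerable and dst not in infected:
                infected.add(dst)
                result.timeline.append((t, len(infected)))
    return result


if __name__ == "__main__":
    population = 8
    rng = random.Random(7)
    everyone = set(range(population))
    print("instant infection, all vulnerable:",
          simulate(TRACE, everyone, {0}).timeline)
    print("needs 10 s of contact:",
          simulate(TRACE, everyone, {0}, min_contact=10).timeline)
    vulnerable, seeds = sample_population(population, 0.75, 1, rng)
    print("75% vulnerable, seeds", seeds, "->",
          sorted(simulate(TRACE, vulnerable, seeds).infected))
```

On the constructed trace the instant-infection assumption reaches the whole population by t=60, while requiring 10 s of contact stops the outbreak at four devices because the two brief contacts are the only links to the rest of the population; patching devices 2 and 4 likewise cuts off a branch. That sensitivity to contact duration and to the vulnerable fraction is exactly why the two limitations matter when reading the paper's numbers.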
Conclusions by Su et al.
I augment my opinions along with their conclusions:

1) Human-mediated counter-response solutions?

2) An outbreak is viable once a vulnerability is exploited.

3) Placing monitoring systems at public locations like malls.
Investigations by Fleizach et al. [3]
Methodology
• To accomplish these goals:
—Created a realistic network topology generator.
—Modeled address books of cell phone users.
—Created an event-driven simulator:
– Model two attack vectors: Voice over IP (VoIP) and MMS
– Investigate ways to speed up the spread of malware
– Examine network-based defenses
Modeling social networks
• Existing viruses in cell phones (e.g. Commwarrior) use the entries in the address book to spread.
• The implication is that there is an underlying social network topology.
– How are nodes connected?
– Used various degree-distribution models for address-book size (e.g. Erlang).
Node Attachment
• The probability that one person was connected to another was inversely proportional to the number of people between them:

$P(x, y) \propto \frac{1}{d(x, y)}$

where $P(x, y)$ is the probability that person x is a friend of person y, and $d(x, y)$ is the number of people between person x and person y.
Congestion in the VoIP scenario
The major bottleneck is at the RNC -> SGSN link.

Congestion also decreases over time: phones finish enumerating their contacts and start randomly dialing.
Image courtesy [3]
Combining Strategies
• Transferring contacts and avoiding congestion can be very effective.

• Infection reaches the 90% rate 4x faster than in the standard scenario.

Image courtesy [3]


Speeding up MMS
Use an out-of-band channel (the Internet) to coordinate: the malware can quickly build a global address book.
The infection rate using an Internet server reaches 48 infections/s (nearly optimal). The figure compares this with standard malware, which only has the local address books to work from.
Image courtesy [3]
Network-based defenses
• Since the infrastructure is centrally managed and owned, defenses can be inserted at critical points to affect the spread.
• However, the fact that the end nodes (phones) can be hard to disinfect introduces challenges.
• A few defensive scenarios:
– Blacklisting: removing the infected reduces congestion!
– Rate limiting: can be effective for MMS, but difficult for VoIP.
– Filtering
Futuristic threats

1) Location tracking.

2) Espionage bug.

3) Loss of security.

4) DDoS attack.
Common protection against mobile malware

1) Non-discoverable mode.

2) Install antivirus/IDS.

3) Firmware updates.

4) Avoid untrusted sites and software.

5) Filtering out malware at the MSP.

6) Infection scanners at public locations.

Image courtesy F-Secure Corp.
Thank You
Questions and Answers
References
[1] Hypponen, M. Malware goes mobile. Scientific American 295, 5 (Nov 2006).
[2] Su, J., Chan, K. K. W., Miklas, A. G., Po, K., Akhavan, A., Saroiu, S., de Lara, E., and Goel, A. A preliminary investigation of worm infections in a Bluetooth environment. In Proc. of ACM WORM '06 (Nov. 2006).
[3] Fleizach, C., Liljenstam, M., Johansson, P., and Voelker, G. M. Can you infect me now? Malware propagation in mobile phone networks. In Proc. of ACM WORM '07 (Nov. 2007).
[4] F-Secure. F-Secure Virus Information Pages: Cabir. http://www.f-secure.com/v-descs/cabir.shtml
[5] F-Secure. F-Secure Virus Information Pages: Commwarrior. http://www.f-secure.com/v-descs/commwarrior.shtml
[6] Gostev, A., Kaspersky Lab (Oct 2006). Mobile Malware Evolution: An Overview, Parts 1 & 2. http://www.viruslist/en/analysis
Future work
There is a need to redesign the technology. The protection mechanisms can be broadly classified on the basis of the requirements of the protection systems.

1) System-level security (MOSES architecture): aims to make the system more secure by restricting the execution of unauthorised applications.

2) Network-level security (proactive approach): aims to provide a basis for filtering out malware in transit over the network between devices.
Case Studies
Cabir (Bluetooth worm)

CommWarrior (MMS worm)

Skuller (most numerous family; OS vulnerability; trojans)

Increase in number of mobile virus variants in 2006. Image courtesy http://www.viruslist.com/?pubid=204791922

Mobile virus families. Image courtesy http://www.viruslist.com?pubid=204791922

Cabir
• Detected June 2004.
• First network worm capable of spreading through Bluetooth.
• Intended to demonstrate how Bluetooth could be exploited to spread.
• caribe.sis: the worm arrives as a Symbian installation (.sis) file.
• Continuously scans for mobile devices using Bluetooth, which drains the battery.
• No real harm; however, the code is freely available and well documented, hence it has 15 variants.
CommWarrior
— First network worm capable of propagating via MMS, and also via Bluetooth.
— The worm searches for "active" Bluetooth devices.
— When one is found it sends the infected .sis file, which installs if the receiver agrees.
— Also sends the infected file to all contacts in the address book.
— Financial harm to the user and battery drainage.
— Currently we know of 7 modifications. Four of them carry the author's signature:
"CommWarrior v1.0b © 2005 by e10d0r. CommWarrior is freeware product. You may freely distribute it in its original unmodified form."
Image courtesy M. Hypponen [1]
Skuller
— Among the most primitive malicious programs for Symbian OS; a trojan.
— Overwrites files, including system files, so the system becomes unstable.
— The .aif files are malicious: they replace application icons with skull icons and block access to the applications whose icons they replace.
— Once a phone has been infected it can only be used to make calls; SMS, MMS, camera, organiser functions etc. no longer work.
— The most numerous family of mobile trojans to date (31 variants).
