Can You Infect Me Now? Malware Propagation in Mobile Phone Networks • Authors: • Presented by: Michael Annichiarico
Mobile Malware • Like normal malware, but on mobile phones • (smart phones and dumb ones too) • Why worry about mobile malware? • “combination of vulnerable platforms (symbian), unsuspecting users, and explosive growth in potential victims will inevitably attract propagating malware”
What Makes This Paper Different? • Previous malware propagation research: • Proximity propagation • Bluetooth, etc. • This research: • Focuses on propagation via the telecommunications network
Why Mobile Malware? (from the bad guy's perspective) • Smart phones are a lot like PCs: • market share per OS (72% Symbian) • software vulnerabilities exist • Exploited smart phones could provide an attacker with the means to: • steal private data / users' identities • send spam • make free calls • execute (D)DoS
Main Paper Goal(s) • Simulate the effects of mobile malware propagation via the telecommunications network • Simulated both VoIP malware and MMS malware • Draw some conclusions for defending
Simulator • Event-driven, custom code (so the authors could adapt it to their needs) • 1-second step size, simulating 12 hours • Infection begins at a single phone • Telecom network: UMTS • Topology: Boston metro area
Network: UMTS • UMTS is the 3G successor to GSM • (2.5G/GPRS, 2.75G/EDGE) • Network side is very similar to GSM, air interface side changed to support higher data rates. • Signaling and control are negligible (ignored in the model)
Topology: Boston Metro Area • 100 sq. miles, divided into 1 sq. mile cells • Mobile station distribution • from US Census data • scaled by 78% (cell phone penetration rate) • Mobility is not modeled • Authors speculate the bottleneck will be in the network, not at the air interface
Simulation Construction • Assume normal MMS usage is based on a charge per message • MMS server capacity • Server handles 100 msg/sec, although higher rates were simulated with “a qualitatively similar result” • Authors' explanation: an MMS server will not be dimensioned to handle users behaving like an aggressive worm (i.e., sending large numbers of messages as quickly as possible). • Bottom-up design of the UMTS network
Simulation Parameters • 1 Gbps links between SGSNs • 1 single (MMS) server serving 100 msg/sec • 49 servers serving 10k users each, 100 Mbps • 49 servers, 2 Mbps • 9616 Node Bs
Simulation Notes • “The granularity of our Node B placement was a limiting factor of our initial population data. A finer granularity would, no doubt, offer a more detailed and accurate picture of malware propagation.”
Spreading via Phone books/Contact Lists • No published studies of address book characteristics found, so: • 1-1000 contacts (upper limit from empirical data on phone book maximums) • Phone book/contact degree distributions based on statistical analysis
Phonebook/contact degree distributions (for contact list size) • Power-law: from Yahoo email groups and other authors' research. • Log-normal: from social networking websites' statistics. • Erlang distribution: from the authors' own experiment (but a very small sample size of 73)
Node Attachment ... you don't call everybody in your address book • Randomly assign each address book size according to the chosen distribution, then... • 70% - “The probability that two users were friends was proportional to the inverse of the number of people between them.” (from a LiveJournal.com study) • 30% uniformly randomly assigned
Attack Vector: VoIP • Assumes vulnerable service on the mobile phone which does not require user interaction • Assume all phones are vulnerable. • (Authors note that in reality a fraction would be vulnerable, and they state a qualitatively similar result)
Simulated Propagation of VoIP Malware • “...constrained bandwidth should also be considered; but doing so requires estimating typical traffic characteristics, and we lacked meaningful data on which to base such estimates.” --- ?????
Techniques for Faster Propagation of VoIP Malware (and Simulation Results) • Congestion backoff (wait) 10s • Divide and distribute (transfer) contacts from address book
Attack Vector: MMS • Handled by a central MMS server • Requires user interaction • only a percentage “F” act on the message • Delivery can happen while the phone is off • So there is a wait time before messages are answered: a mixture of two Gaussian distributions centered at 20s & 45m
Techniques for Faster Propagation of MMS Malware • Congestion backoff (10s) • Not very much advantage, due to MMS central server constraint. • Divide and distribute contacts from address book • Same as above • Global contact book method • Infected half the population in 12 hrs. (what F value?)
Defending Against Mobile Malware Propagation in Telecom. Networks • (This section is way too small in the paper, would have liked to see more on this.) • Rate Limiting • ACCELERATES infection! (same as congestion avoidance) • Blacklisting Containment • a large number still get infected, more slowly (no details given on %). • removing phones leads to a less congested network for those infected but non-blacklisted phones • Content Filtering • “Seems promising due to centralized topology.” "Investigating whether it's practical remains future work." (and they didn't provide any information on how promising or why)
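The slides describe the simulator only in outline (the contact-graph construction under "Node Attachment", the MMS model with the user-response delay and the central server bottleneck, and the blacklisting containment defence). The following is an added toy model written for this page; it is not the authors' simulator and none of its parameters are the paper's. It builds a contact graph with a heavy-tailed address-book size (Pareto with alpha 1.2, clipped to 1..1000, an assumption), attaches 70% of each book's entries with probability proportional to 1/distance in a simple 1-D ordering of users (standing in for "the number of people between them") and 30% uniformly, then runs an event-driven MMS propagation through a FIFO server whose capacity is scaled down to 20 msg/s for a 2000-user population (the paper's 100 msg/s per 10k users). The user-response delay is a two-Gaussian mixture centred at 20 s and 45 min with assumed spreads and a 50/50 mixing weight, F is assumed to be 0.5, and the blacklisting defence is modelled as the server dropping a phone's queued messages 300 s (assumed detection delay) after that phone was infected. Per-user behaviour is drawn once so that the uncontained and contained runs face the same population, which lets a defender compare how many phones a containment policy actually spares within the 12-hour horizon:

```python
"""Toy event-driven model of MMS worm propagation through a capacity-limited
central MMS server, used to compare an uncontained run against blacklisting
containment. All population sizes, rates and distribution parameters are
scaled-down assumptions made for this example, not the paper's values."""
import heapq
import random
from collections import deque
from itertools import count

HORIZON = 12 * 3600  # the paper simulates 12 hours of wall-clock time


def build_contact_graph(n, rng, max_contacts=1000, local_fraction=0.7):
    """Contact graph in the style of the slides: address-book size from a
    heavy-tailed Pareto(alpha=1.2, assumed) distribution clipped to
    1..max_contacts; 70% of entries attached with probability proportional
    to 1/distance in a 1-D ordering of users, the remaining 30% uniformly."""
    distances = list(range(1, n))
    cum, total = [], 0.0
    for d in distances:                      # P(d) ~ 1/d as cumulative weights
        total += 1.0 / d
        cum.append(total)
    contacts = [set() for _ in range(n)]
    for u in range(n):
        size = min(max_contacts, n - 1, int(rng.paretovariate(1.2)))
        n_local = round(size * local_fraction)
        while len(contacts[u]) < n_local:    # distance-biased entries
            d = rng.choices(distances, cum_weights=cum)[0]
            v = u + d if rng.random() < 0.5 else u - d
            if 0 <= v < n:
                contacts[u].add(v)
        while len(contacts[u]) < size:       # uniformly random entries
            v = rng.randrange(n)
            if v != u:
                contacts[u].add(v)
    return contacts


def response_delay(rng, p_fast=0.5):
    """Time until the user opens the MMS: mixture of two Gaussians centred at
    20 s and 45 min (spreads and mixing weight are assumptions)."""
    if rng.random() < p_fast:
        return max(0.0, rng.gauss(20.0, 5.0))
    return max(0.0, rng.gauss(45.0 * 60, 10.0 * 60))


def simulate(contacts, rng, server_rate=20.0, act_fraction=0.5,
             containment=False, detect_delay=300.0, horizon=HORIZON):
    """Run the worm from phone 0. Each newly infected phone queues one MMS per
    contact at the central server, which delivers FIFO at server_rate msg/s.
    A recipient acts with probability act_fraction (the slides' F) after a
    response delay. With containment, a phone is blacklisted detect_delay
    seconds after infection and the server drops its still-queued messages.
    Per-user behaviour is drawn up front so runs with and without containment
    see identical users."""
    n = len(contacts)
    acts = [rng.random() < act_fraction for _ in range(n)]
    delays = [response_delay(rng) for _ in range(n)]
    events, seq = [], count()

    def push(t, kind, arg):
        heapq.heappush(events, (t, next(seq), kind, arg))

    queue, server_busy, service = deque(), False, 1.0 / server_rate
    infected, pending, blacklisted, timeline = set(), set(), set(), []
    push(0.0, "infect", 0)                   # patient zero
    while events and events[0][0] <= horizon:
        t, _, kind, arg = heapq.heappop(events)
        if kind == "infect":
            infected.add(arg)
            timeline.append((t, len(infected)))
            if containment:
                push(t + detect_delay, "blacklist", arg)
            queue.extend((arg, w) for w in contacts[arg])
            if not server_busy:
                server_busy = True
                push(t, "serve", None)
        elif kind == "serve":
            while queue and queue[0][0] in blacklisted:   # server drops these
                queue.popleft()
            if not queue:
                server_busy = False
                continue
            push(t + service, "deliver", queue.popleft())
            push(t + service, "serve", None)
        elif kind == "deliver":
            _, rcpt = arg
            if rcpt in infected or rcpt in pending or not acts[rcpt]:
                continue
            pending.add(rcpt)
            push(t + delays[rcpt], "infect", rcpt)
        else:                                # "blacklist"
            blacklisted.add(arg)
    return {"infected": len(infected), "blacklisted": len(blacklisted),
            "timeline": timeline}


def compare(n=2000, seed=1):
    """Same graph and same per-user draws, with and without containment."""
    graph = build_contact_graph(n, random.Random(seed))
    base = simulate(graph, random.Random(seed + 1))
    cont = simulate(graph, random.Random(seed + 1), containment=True)
    return graph, base, cont


if __name__ == "__main__":
    _, base, cont = compare()
    print(f"no containment: {base['infected']} infected after 12 h")
    print(f"blacklisting:   {cont['infected']} infected, "
          f"{cont['blacklisted']} blacklisted after 12 h")
```

The `timeline` list (time, cumulative infections) is what you would plot to reproduce the slides' propagation curves; varying `server_rate` shows the central-server bottleneck the paper stresses, and varying `detect_delay` shows how much blacklisting depends on detecting an infected phone before its queued messages have been served.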