CROSS-PLATFORM MALWARE CONTAMINATION
MSc Information Security Project 2013/2014
Author: Nicholas Aquilina
Supervisor: Dr Konstantinos Markantonakis
Aims and Objectives of Project
• Understand and analyse current malware strategies
• Analyse in detail various malware infection vectors and new revenue channels being exploited
• Review malware concealment and detection strategies
• Carry out an infection between an Android device and Windows, analysing in detail what is happening
• Propose an efficient and practical way in which cross-contamination across platforms can be restricted
• Challenges and barriers to the implementation of our proposal
Agenda
• Malware history
• Mobile malware timeline, attack vectors and new revenue channels created
• Malware concealment and detection strategies
• Analysis of cross-platform malware
• Limiting cross-platform malware
• Challenges and barriers to implementation
• Concluding remarks
Malware history
• Definition of malware: a general term used to refer to any software that is installed on a machine and performs unwanted (malicious) tasks (Christodorescu et al, 2007)
• Different classifications have been attempted, mostly based upon the payload type, vulnerabilities exploited and propagation mechanisms used
Malware history
• Became known to many computer users through the Melissa virus in 1999 and the LoveLetter worm in 2000 (Dunham et al, 2009)
Mobile malware timeline
2000
• Timofonica (targeted at Movistar mobile operator)
2004
• Cabir (first worm to target mobile phones)
• Duts (malware targeted at Windows Mobile)
2010
• FakePlayer (first SMS trojan for Android devices)
2013
• Obad (spread via alien botnets)
2014
• FakeBank (Windows trojan attacks Android devices)
Mobile malware attack vectors
• Attack vectors
  ○ SMS/MMS
  ○ Bluetooth
  ○ WiFi
• Limited resources
  ○ Processing power
  ○ Storage capacity
  ○ Battery autonomy
• Network
  ○ Mobility issues
  ○ Network coverage
• User interface limitation
  ○ Screen size
  ○ Screen resolution
  ○ Visual indicators
Mobile malware revenue channels
New revenue channels exploited by mobile malware:
• Billed events
  ○ Premium-rate numbers are still being used to target mobile devices; malicious users can force mobile devices to send premium-rate SMS messages
• Payment systems
  ○ Mobile devices are being used as physical payment devices
  ○ Proximity payments (such as NFC) have opened up new possibilities for malicious attackers, e.g. injecting a malicious URL through NFC tags
Cross-platform contamination
• First example of cross-platform malware contamination was the Morris Worm (Orman, 2003)
  ○ Released in 1988
  ○ In less than 24 hours, caused great damage
  ○ Slowed thousands of systems
  ○ Exploited vulnerabilities on VAX and SUN Microsystems platforms, and in the Sendmail email delivery software
Cross-platform contamination
• Following the Morris worm, other multi-platform malware emerged:
  ○ 1999 – W32/W97M Coke
  ○ 2000 – W32/HLP Dream and Pluma
  ○ 2001 – W32/Linux Peelf
  ○ 2010 – StuxNet
  ○ 2011 – Duqu
  ○ 2014 – FakeBank
Cross-platform contamination
• Proof-of-concept by Wang and Stavrou using USB in 2010 (Z. Wang and A. Stavrou, 2010)
  ○ USB is commonly used as a means to charge, communicate and synchronise
  ○ Malware exploits this connection to propagate itself
  ○ In 2010, Wang and Stavrou demonstrated how a PC can use the USB connection to unlock and flash the software of a mobile device
Cross-platform contamination
• Proof-of-concept breaking Mobile Transaction Authentication Numbers (Dmitrienko et al, 2012)
  ○ The attack was divided into three phases
  ○ First phase: malware installed on the terminal steals the user's credentials
  ○ Second phase: cross-platform infection
  ○ Third phase: the malicious attacker performs a transaction with the user's bank, mimicking the user
Malware concealment strategies
• Malware concealment strategies serve one purpose, namely survival of the code
• The longer malware can protect itself from detection, the more time it has available for replication and infection
Malware concealment strategies
• Aim to increase the span of time between the infection and detection phases
  ○ Phase 1: Infect
  ○ Phase 2: Detect
  ○ Phase 3: Analyse
  ○ Phase 4: Eradicate
Malware concealment strategies
• Passive strategies to evade detection: malware which implements a set of techniques to hide itself from detection, such as bypassing anti-virus or anti-malware signature detection
• Active strategies to evade detection: malware that, apart from concealing its presence, actively tries to hinder the detection and analysis of the code
Malware detection strategies
• Using static techniques:
  ○ Signature analysis and hashing
  ○ Extracting system calls
  ○ Static taint analysis
• Using dynamic techniques:
  ○ Dynamic taint analysis
  ○ Behavioural analysis
Malware detection strategies
• Using heuristics:
  ○ Monitoring API and system calls
  ○ OpCode analysis
  ○ Using N-grams
  ○ Control flow graphs
• Using hybrid techniques
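As an added illustration of three of the strategies listed above (signature hashing, opcode n-gram analysis and behavioural analysis), the following Python example is not code from the project or the slides. The opcode sequences, the "known bad" hash and the API-call traces are all constructed for the example; it shows why a byte-exact hash misses a slightly altered copy while n-gram similarity and a behavioural rule still catch it, and it combines the three into a simple hybrid verdict.

```python
"""Added illustration of three detection strategies named on the slides:
signature hashing, opcode n-gram analysis and behavioural analysis.
Everything below is constructed for the example (opcode lists, API-call
traces, the 'known bad' hash); none of it comes from a real sample."""
import hashlib
from collections import Counter
from typing import Dict, List, Sequence

Opcodes = Sequence[str]


def encode(opcodes: Opcodes) -> bytes:
    """Stand-in for a file's bytes: the opcode mnemonics joined by spaces."""
    return " ".join(opcodes).encode()


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples. VARIANT is ORIGINAL with one junk instruction inserted,
# the kind of trivial change a polymorphic engine makes on every copy.
ORIGINAL: List[str] = ["push", "mov", "call", "test", "jz", "mov", "call", "ret"]
VARIANT: List[str] = ["push", "mov", "call", "nop", "test", "jz", "mov", "call", "ret"]
BENIGN: List[str] = ["push", "mov", "add", "sub", "ret"]
KNOWN_OPCODES: List[List[str]] = [ORIGINAL]

# 1. Signature analysis and hashing: a database of exact file hashes.
KNOWN_BAD_HASHES = {sha256_of(encode(ORIGINAL))}


def hash_match(data: bytes) -> bool:
    """Exact-match detection; fails as soon as a single byte changes."""
    return sha256_of(data) in KNOWN_BAD_HASHES


# 2. Opcode n-gram analysis: compare instruction n-gram multisets, not bytes.
def ngrams(opcodes: Opcodes, n: int = 2) -> Counter:
    return Counter(tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1))


def ngram_similarity(a: Opcodes, b: Opcodes, n: int = 2) -> float:
    """Jaccard similarity over n-gram multisets: 1.0 identical, 0.0 disjoint."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    union = sum((ga | gb).values())
    return sum((ga & gb).values()) / union if union else 0.0


# 3. Behavioural analysis: a rule over an observed API-call trace. The call
# names are a constructed trace format, not a real sandbox's output.
def behaviour_flags(trace: Sequence[str]) -> List[str]:
    """Flag a process that opens audio capture and later sends data out."""
    flags: List[str] = []
    capturing = False
    for call in trace:
        if call.startswith("audio_capture_open"):
            capturing = True
        elif capturing and call.startswith("net_send"):
            flags.append("captures audio and uploads it")
            break
    return flags


def classify(opcodes: Opcodes, trace: Sequence[str], threshold: float = 0.5) -> Dict[str, object]:
    """Combine the three strategies into one verdict (a simple hybrid)."""
    best = max(ngram_similarity(opcodes, known) for known in KNOWN_OPCODES)
    flags = behaviour_flags(trace)
    exact = hash_match(encode(opcodes))
    return {
        "hash_match": exact,
        "ngram_similarity": round(best, 3),
        "behaviour": flags,
        "malicious": exact or best >= threshold or bool(flags),
    }


MALICIOUS_TRACE = ["file_open(config.dat)", "audio_capture_open(mic)", "net_send(ftp)"]
BENIGN_TRACE = ["audio_capture_open(mic)", "file_write(memo.wav)"]

if __name__ == "__main__":
    for name, ops, trace in [("original", ORIGINAL, MALICIOUS_TRACE),
                             ("variant", VARIANT, BENIGN_TRACE),
                             ("benign", BENIGN, BENIGN_TRACE)]:
        print(name, classify(ops, trace))
```

Running it shows the variant evading the hash database (one inserted instruction changes every byte of the digest) while its bigram similarity to the known sample stays at about 0.67, above the 0.5 threshold; the benign sequence scores 0.1 and carries no behavioural flag. The threshold is an arbitrary choice for the example; in practice it is tuned against a corpus of known clean and known malicious samples.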
Analysis of cross-platform malware
• Practical implementation of a cross-platform infection for detailed analysis
• Used a physical Android 4.1.1 tablet connected via USB Device Filter to a host running a virtual machine with Windows XP SP3
• Malware sample used was DroidCleaner, served via another virtual machine running Kali Linux and Apache
Analysis of cross-platform malware
• The tablet device connected to our web server, then downloaded and installed the malicious application
Analysis of cross-platform malware
• Shark for Root was launched and kept in listening mode
• The DroidCleaner application was launched and 'Default Cleanup' was selected
Analysis of cross-platform malware
• Following the hypothetical clean-up, DroidCleaner was closed
• Shark Reader was then used to review the logs generated by Shark for Root
• Two IPs were noted:
  ○ 54.235.185.74 – host located on the Amazon cluster
  ○ 173.194.70.95 – reported by virustotal.com as serving a number of known malware files
Analysis of cross-platform malware
• All the latest Windows XP updates were installed, but the default installation settings were left enabled
• The Autorun feature was kept enabled for the purpose of our analysis
• Launched two applications on our Windows XP machine: Process Hacker and Wireshark
Analysis of cross-platform malware
• Upon connecting the tablet to the Windows XP machine, Process Hacker detected two unknown applications, namely 'pwd.exe' and 'Start.exe'
• A short while afterwards, the application 'Start.exe' generated an application error message
Analysis of cross-platform malware (image-only slide)
Analysis of cross-platform malware
• Wireshark was stopped and we proceeded to analyse the logs generated
• We noted that our XP machine was trying to connect to IP 190.93.253.132 using SSLv3
• This IP address was checked again using virustotal.com
• Reported to resolve to minecraft.org
Analysis of cross-platform malware (image-only slide)
Analysis of cross-platform malware
• ILSpy was launched and the file 'svchosts.exe' analysed
• The file contains the NAudio library, launched upon program execution
• NAudio is an open source .NET audio and MIDI library
• Confirmed our initial thoughts that this malware will record, and upload, voice recordings to the attacker
Analysis of cross-platform malware
• To further the analysis, the function 'XControl' was opened and the following details were noted:
  ○ the attacker's server (hostname)
  ○ the FTP user name and password
  ○ the destination port number to use
Analysis of cross-platform malware (image-only slide)
Analysis of cross-platform malware
• The file was then uploaded to an online sandbox analysis facility
• Two anti-debugging techniques were found, namely:
  ○ Guard pages – used to protect against reverse engineering and debugging, returning an exception
  ○ SystemKernelDebuggerInformation – a feature used to check for kernel debuggers attached to the system
Analysis of cross-platform malware
• We then analysed the Android application using various tools found within the Kali Linux distribution
• Of particular interest are the various commands which the attacker can use once the mobile device is infected
Analysis of cross-platform malware (image-only slide)
Analysis of cross-platform malware
• Registration of the Android device was made using the config file ConnectorService
• The device was instructed to send the command string '|NEW_HELLOW|' followed by 'ACCT + PORT'
• On successful connection, the device would then download three files: 'svchost.exe', 'Kst.exe' and 'Controller.exe'
Analysis of cross-platform malware: Summary
• The unsuspecting user downloads a rogue application
• When the user launches the application, it communicates with a remote command-and-control server
• The user then proceeds to connect his Android device to the computer
• The malware on the Android device propagates to the victim's computer
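The observations recorded across the analysis slides (the two IPs seen from the tablet, the SSLv3 connection from the XP host, the '|NEW_HELLOW|' registration string and the dropped executables) can be turned into a small indicator matcher a defender would run over captured events. The Python below is an added example, not code from the project; the one-line-per-event log format and the sample lines are constructed for the example and are not the output of Shark for Root, Wireshark or Process Hacker.

```python
"""Added indicator matcher based on the observations recorded on the slides
(the two IPs seen from the tablet, the SSLv3 connection from the XP host,
the '|NEW_HELLOW|' registration string and the dropped executables). The log
lines and their one-line-per-event format are constructed for the example;
they are not output of Shark for Root, Wireshark or Process Hacker."""
import re
from typing import Dict, List, Tuple

# Indicators taken from the slides, with the reason each one was noted.
SUSPECT_IPS: Dict[str, str] = {
    "54.235.185.74": "host on the Amazon cluster, contacted after 'Default Cleanup'",
    "173.194.70.95": "reported by virustotal.com as serving known malware files",
    "190.93.253.132": "SSLv3 destination of the infected XP host (reported to resolve to minecraft.org)",
}
REGISTRATION_STRING = "|NEW_HELLOW|"
DROPPED_NAMES = {"pwd.exe", "start.exe", "kst.exe", "controller.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed event format (an assumption for this example):
#   <time> net <src> -> <dst>:<port> <proto> [payload="..."]
#   <time> proc name=<image> path=<full path>
NET_RE = re.compile(
    r'^(?P<ts>\S+) net (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\S+)'
    r'(?: payload="(?P<payload>.*)")?$'
)
PROC_RE = re.compile(r"^(?P<ts>\S+) proc name=(?P<name>\S+) path=(?P<path>\S+)$")


def check_line(line: str) -> List[str]:
    """Return the list of findings for one event line (empty if clean)."""
    findings: List[str] = []
    m = NET_RE.match(line)
    if m:
        dst = m.group("dst")
        if dst in SUSPECT_IPS:
            findings.append(f"connection to {dst}: {SUSPECT_IPS[dst]}")
        if m.group("proto").upper() == "SSLV3":
            findings.append(f"SSLv3 session to {dst} (obsolete protocol, worth a closer look)")
        if REGISTRATION_STRING in (m.group("payload") or ""):
            findings.append("C2 registration string seen in payload")
        return findings
    m = PROC_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        if name.lower() in DROPPED_NAMES:
            findings.append(f"process {name} matches a file dropped by the malware")
        # A Windows service host image is legitimate only under System32.
        if name.lower() in ("svchost.exe", "svchosts.exe") and not path.lower().startswith(SYSTEM32):
            findings.append(f"{name} running from outside System32: {path}")
    return findings


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, findings) for every line that produced at least one finding."""
    results: List[Tuple[str, List[str]]] = []
    for line in lines:
        findings = check_line(line)
        if findings:
            results.append((line, findings))
    return results


# Constructed sample events imitating the tablet capture and the XP host.
SAMPLE_LOG = [
    "10:01:02 net 192.168.1.50 -> 54.235.185.74:80 HTTP",
    "10:01:05 net 192.168.1.50 -> 173.194.70.95:80 HTTP",
    '10:01:09 net 192.168.1.50 -> 54.235.185.74:80 HTTP payload="|NEW_HELLOW|ACCT+PORT"',
    "10:02:30 proc name=pwd.exe path=E:\\pwd.exe",
    "10:02:31 proc name=Start.exe path=E:\\Start.exe",
    "10:02:40 proc name=svchost.exe path=C:\\Temp\\svchost.exe",
    "10:02:45 net 192.168.1.60 -> 190.93.253.132:443 SSLv3",
    "10:03:00 net 192.168.1.60 -> 192.168.1.1:53 DNS",
    "10:03:01 proc name=svchost.exe path=C:\\WINDOWS\\system32\\svchost.exe",
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG):
        print(line)
        for f in findings:
            print("   ->", f)
```

Two of the checks deliberately do not rely on the page's specific indicators: an SSLv3 session is flagged on protocol alone, and a process named svchost.exe is flagged whenever its image is not under System32, because the legitimate service host never runs from anywhere else. Those two rules keep working after the attacker changes IP addresses or file names.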
Limiting cross-platform malware
• Malware creators are becoming craftier at evading anti-malware engines
• Through our research, it was noted that detection by anti-malware engines is carried out from within the operating system
• The anti-malware engine itself runs as a process, which can be subverted and which inherits the weaknesses of the operating system
• Zero-day exploits and other advanced persistent threats are a daily occurrence
Limiting cross-platform malware
• Proposal of adding a new layer between the hardware layer and the operating system/kernel layers
• Security layer denoted as hypervisor
• Can be used to monitor and protect the whole system
• Must be lightweight in resources consumed, transparent to the operating system and compatible across multiple platforms
Limiting cross-platform malware
• We still need some sort of malware detection technique in order to detect malicious intent during programme execution
• Malware using polymorphism or metamorphism can easily evade static malware detection
Limiting cross-platform malware
• In addition, static detection is largely based on signatures
• These systems are equipped with a database of known signatures or instructions that are considered malicious
• Such a setup imposes a restriction on how frequently the signature database can be updated, e.g. when the device is out of (3G) data reception
Limiting cross-platform malware
• During our malware analysis, we showed how DroidCleaner attacked both Android and Windows
• Through registration of our Android device with the attacker's server, access to the various hardware components was made available
• On Windows, the attacker could install an open source audio library that controlled microphone activation and the local storage
Limiting cross-platform malware (image-only slide)
Limiting cross-platform malware
• We propose two configuration sets
• One set, S1, will contain the hardware features to be monitored, e.g. GPS sensor, WiFi, microphone, camera
• The other set, S2, will contain the permissions requested for S1, e.g. take a picture, enable WiFi, access microphone
Limiting cross-platform malware
• By way of example: if the hypervisor detects a request to access the camera (S1) for taking a snapshot (S2), the request will be allowed if a previous user activity took place within a configured timeout in seconds
Limiting cross-platform malware
Flowchart of the proposed check:
• Start device
• Launch hypervisor
• Load dataset
• Monitor requests
• Check user activity
  ○ If the time since the last user activity is below the limit set: allow access, update dataset
  ○ If the time since the last user activity is above the limit set: deny access, update dataset
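To make the S1/S2 proposal and the flowchart concrete, here is an added Python model of the decision logic (not code from the project): requests for hardware in S1 carrying a permission in S2 are allowed only if user activity happened within the configured timeout, every monitored decision is appended to the dataset, and hardware outside S1 passes through untouched. The request shape, the clock (seconds supplied by the caller), the 'read_location' permission for GPS and the dataset format are assumptions of the example.

```python
"""Added model of the decision logic the slides propose for the hypervisor
layer: requests for hardware in S1 carrying a permission in S2 are allowed
only if user activity happened within a configured timeout, and every
decision is appended to a dataset. This is an illustration of the flow, not
code from the project; the request shape, the clock (seconds supplied by
the caller) and the dataset format are assumptions of the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# S1: hardware features to be monitored (the slides' examples).
S1: Set[str] = {"gps", "wifi", "microphone", "camera"}
# S2: permissions that may be requested on each S1 feature. The slides list
# the first three examples; 'read_location' for gps is a constructed addition.
S2: Dict[str, Set[str]] = {
    "camera": {"take_picture"},
    "wifi": {"enable_wifi"},
    "microphone": {"access_microphone"},
    "gps": {"read_location"},
}


@dataclass
class Hypervisor:
    timeout_s: float                          # configured timeout in seconds
    last_user_activity: Optional[float] = None
    dataset: List[Dict[str, object]] = field(default_factory=list)

    def record_user_activity(self, now: float) -> None:
        """Called on a touch, key press or similar direct user interaction."""
        self.last_user_activity = now

    def decide(self, app: str, feature: str, permission: str, now: float) -> str:
        """Return 'allow', 'deny' or 'not_monitored' for one hardware request."""
        if feature not in S1:
            return "not_monitored"        # transparent for hardware outside S1
        if permission not in S2.get(feature, set()):
            verdict, reason = "deny", "permission not in S2 for this feature"
        elif self.last_user_activity is None:
            verdict, reason = "deny", "no user activity recorded yet"
        else:
            elapsed = now - self.last_user_activity
            if elapsed <= self.timeout_s:
                verdict, reason = "allow", f"user active {elapsed:.0f}s ago"
            else:
                verdict, reason = "deny", f"last user activity {elapsed:.0f}s ago exceeds timeout"
        # Update dataset: every monitored decision is recorded for later review.
        self.dataset.append({"t": now, "app": app, "feature": feature,
                             "permission": permission, "verdict": verdict, "reason": reason})
        return verdict


def run_scenario() -> Tuple[List[str], Hypervisor]:
    """Constructed sequence of events with a 30 s timeout."""
    hv = Hypervisor(timeout_s=30)
    verdicts: List[str] = []
    hv.record_user_activity(now=100)                                            # user taps the screen
    verdicts.append(hv.decide("camera_app", "camera", "take_picture", now=105))       # allow: 5 s idle
    verdicts.append(hv.decide("cleaner_app", "camera", "take_picture", now=200))      # deny: 100 s idle
    verdicts.append(hv.decide("cleaner_app", "vibration", "vibrate", now=201))        # not in S1
    verdicts.append(hv.decide("cleaner_app", "microphone", "enable_wifi", now=202))   # deny: not in S2
    hv.record_user_activity(now=300)
    verdicts.append(hv.decide("voice_memo", "microphone", "access_microphone", now=305))  # allow
    return verdicts, hv


if __name__ == "__main__":
    verdicts, hv = run_scenario()
    print(verdicts)
    for entry in hv.dataset:
        print(entry)
```

The scenario mirrors the slides' worry about a background app: the same camera request is allowed five seconds after a tap and denied when no user interaction has happened for 100 seconds. The dataset keeps only monitored decisions, so an analyst reviewing it sees every S1 access attempt together with the reason for the verdict.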
Challenges to implementation
• Access to hardware drivers and source code, due to the diversification of the Android platform (ARM, Intel, to name a few)
• Power management and battery life are a critical factor – possible use of 'wakelocks' in Android to avoid constant polling (wakelocks allow apps to notify the kernel that they are doing something and that the kernel should not put the device to sleep)
Challenges to implementation
• Functionality is a critical factor – users see the added security as an extra burden that limits the use of their device
• Security review – the layer cannot be software with an unknown internal structure; opening the system to the security community allows independent assessment of its exposure to risk
Concluding remarks
• Significance of our research
  ○ Gain a better understanding of the way cross-platform malware contamination occurs in practice
  ○ An attempt was made to come up with a new framework that can assist us in limiting such contamination, moving away from traditional detection
• Future research
  ○ The weaknesses affecting current malware detection strategies lie at the basis of our departure from the traditional view of how we can protect devices, in favour of new methods designed to amplify the effectiveness of existing detection techniques
Practical hints for your project
• Liaise with your personal adviser to discuss your interests and be directed to a relevant tutor sharing your interests
• Make early contact and try to come up with two to three areas of interest
• Prepare a solid timetable, defining the chapters and the number of pages to write, and set deadlines
• Adjust your timetable where necessary, but try not to diverge too much
References
• M. Christodorescu, S. Jha, D. Maughan, D. Song and C. Wang, "Introduction to Malware Detection," in Malware Detection, New York, USA: Springer Science and Business Media, 2007, p. IX
• K. Dunham, S. Abu-Nimeh, S. Fogie, B. Hernacki, J. A. Morales and C. Wright, Mobile Malware Attacks and Defense, Syngress Publishing Inc, 2009
• H. Orman, "The Morris Worm: A Fifteen-Year Perspective," IEEE Security & Privacy, vol. 1, no. 5, pp. 35-43, November 2003
• Z. Wang and A. Stavrou, "Exploiting Smart-Phone USB Connectivity for Fun and Profit," in Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), Austin, Texas, USA, 6-10 December 2010, pp. 357-366
• A. Dmitrienko, L. Davi, A.-R. Sadeghi and C. Liebchen, "Over-the-Air Cross-platform Infection for Breaking mTAN-based Online Banking Authentication," in Black Hat 2012, Abu Dhabi, UAE, 2012