An OpenBTS GSM Replication Jail for Mobile Malware - Virus Bulletin
An OpenBTS GSM Replication Jail for Mobile Malware
Axelle Apvrille
Virus Bulletin Conference, October 2011
Malware Jail
Thou Shalt Not Spread (Nor Leak)
VirusBulletin Conference 2011 - A. Apvrille 2/11
Jail 1. Remove SIM / Offline / Flight mode
- Secure... probably
- Behaviour: changed!

Malware Name                Online           Offline
SymbOS/Album                Sends 2 SMS      -
SymbOS/Acallno              Trojan spyware   Can't be activated
SymbOS/Feixiang             Sends 2 SMS      Sends 1 SMS
Java/Konov, SymbOS/ZoomSms  Sends SMS        System lag
Jail 2. Use an emulator
- Good Android emulator, but other OS?
- Same behaviour change problem
- Hardware exploits / VM detection
Jail 3. Faraday cage
Courtesy of J. Daniels, http://www.jeddaniels.com/2007/faraday-cage-part-1/
Not that easy to build...
- How to see the screen?
- Access to keyboard?
Large Faraday cages
- Expensive + Weight
Build your own operator network!
What's OpenBTS?
OpenBTS
- Open source project
- Local GSM operator = USRP + accurate clock + host running OpenBTS / Asterisk
- No GPRS, EDGE, UMTS...
OpenBTS is a registered trademark of Range Networks, Inc.
And nanoBTS-OpenBSC?
Good (perhaps better?)... but 6 times more expensive
Jail Architecture
Video: Using an OpenBTS Jail for Malware Analysis
What the analyst sees...
Part 1. ... when the phone is offline
Part 2. ... with an OpenBTS-based jail
Results
Blue: offline, Red: with GSM jail, Yellow: +GPRS jail.
Full results: see paper.
Main Advantages
- Behaviour similar to real conditions
- See SMS contents and details
- No leak to real networks
- Low cost
Limitations
- Sample requires a WCDMA bearer
- MMS not handled
- Dynamic analysis limitations
Thank You!
Follow us on http://blog.fortinet.com
or twitter: @FortiGuardLabs
Axelle Apvrille
aka Crypto Girl
/mobile malware reverse engineering/
[email protected]
Slides edited with LOBSTER