Presentation is loading. Please wait.

Presentation is loading. Please wait.

SESSION ID: #RSAC Chaz Lever Characterizing Malicious Traffic on Cellular Networks A Retrospective MBS-W01 Researcher Damballa,

Published byMaria Malone Modified over 8 years ago

Similar presentations

Presentation on theme: "SESSION ID: #RSAC Chaz Lever Characterizing Malicious Traffic on Cellular Networks A Retrospective MBS-W01 Researcher Damballa,"— Presentation transcript:

1 SESSION ID: #RSAC Chaz Lever Characterizing Malicious Traffic on Cellular Networks A Retrospective MBS-W01 Researcher Damballa, Inc @chazlever

2 #RSAC Mobile Malware

3 #RSAC Malware Going Nuclear

4 #RSAC Mobile Malware Research  Significant effort has been spent by researchers to characterize mobile applications and markets.  Market operators have invested significant resources in preventing malicious applications from being installed.  Extent to which mobile ecosystem is actually infected is still not well understood. Use network level analysis to better understand the threat.

5 #RSAC Data Collection  Use passive DNS (pDNS) data collected at the recursive DNS (RDNS) level.  Data collected from a major US cellular provider and a large traditional, non-cellular ISP. Cell Wired

6 #RSAC Characterizing Cellular Traffic Non- Mobile Mix Mobile Labeling of Devices Malicious Unknown Benign Classification of RR

7 #RSAC Cellular pDNS Data Summary Week (2012)HoursRRsDomainsHostsDevices (Avg) 4/15 - 4/211688,553,1558,040,1412,070,18922,469,561 5/13 – 5/191689,240,3728,711,7042,168,26624,223,108 6/17 – 6/231688,660,5558,109,5362,050,16821,932,245 Total (Unique) 50416,298,11414,828,1493,053,70422,874,971 Week (2014)HoursRRsDomainsHostsDevices (Avg) 11/01 – 11/07168178,752,268158,214,78818,673,671132,152,348 11/08 – 11/14168185,125,832163,740,91021,179,148152,832,654 11/15 – 11/21168188,458,108166,929,11118,617,397159,200,303 11/22 – 11/28168183,678,777162,213,5218,963,386160,788,608 11/29 – 11/304860,706,04553,244,3545,768,628137,285,304 Total (Unique) 720684,641,271613,350,81928,799,008151,858,362

8 #RSAC Cellular pDNS Data Summary Week (2012)HoursRRsDomainsHostsDevices (Avg) 4/15 - 4/211688,553,1558,040,1412,070,18922,469,561 5/13 – 5/191689,240,3728,711,7042,168,26624,223,108 6/17 – 6/231688,660,5558,109,5362,050,16821,932,245 Total (Unique) 50416,298,11414,828,1493,053,70422,874,971 Week (2014)HoursRRsDomainsHostsDevices (Avg) 11/01 – 11/07168178,752,268158,214,78818,673,671132,152,348 11/08 – 11/14168185,125,832163,740,91021,179,148152,832,654 11/15 – 11/21168188,458,108166,929,11118,617,397159,200,303 11/22 – 11/28168183,678,777162,213,5218,963,386160,788,608 11/29 – 11/304860,706,04553,244,3545,768,628137,285,304 Total (Unique) 720684,641,271613,350,81928,799,008151,858,362

9 #RSAC Hosting Infrastructure Observed 2,762,453 unique hosts contacted by mobile devices. Only 1.3% (35,522) of “mobile” hosts were not in the set of hosts contained by historical non-cellular pDNS data. The mobile Internet is really just the Internet. Mobile Hosts Mobile Hosts Wired Hosts Wired Hosts 1.3%

10 #RSAC Evidence of Malware  Public Blacklist (PBL)  Phishing and Drive-by-Downloads (URL)  Desktop Malware Association (MAL)  Mobile Blacklist (MBL)

11 #RSAC Observed Historical Evidence Mobile Specific Evidence

12 #RSAC Observed Historical Evidence Desktop Related Evidence

13 #RSAC Observed Historical Evidence (Redux) Mobile Specific Evidence

14 #RSAC Observed Historical Evidence (Redux) Desktop Related Evidence

15 #RSAC Platform % Population requesting tainted hosts (2012) % Population requesting tainted hosts (2014) iOS All other mobile (Android, etc.) Tainted Hosts and Platforms

16 #RSAC Platform % Population requesting tainted hosts (2012) % Population requesting tainted hosts (2014) iOS31.6% All other mobile (Android, etc.)68.4% Tainted Hosts and Platforms

17 #RSAC Platform % Population requesting tainted hosts (2012) % Population requesting tainted hosts (2014) iOS31.6% 38.9 % All other mobile (Android, etc.)68.4%61.1% Tainted Hosts and Platforms

18 #RSAC Platform % Population requesting tainted hosts (2012) % Population requesting tainted hosts (2014) iOS31.6% 38.9 % All other mobile (Android, etc.)68.4%61.1% Tainted Hosts and Platforms

19 #RSAC Mobile Malware in Numbers  Only 0.015% (3,492) out of a total of 23M mobile devices contacted MBL domains (observation period 2012).  Only 0.0064% (9,688) out of a total of 151M mobile devices contacted MBL domains (observation period 2014).  According to National Weather Service, odds of an individual being struck by lightning in a lifetime is 0.01% (1/10,000)! Mobile malware is currently a real but small threat.

20 #RSAC Market and Malware (M&A) Dataset Market NameMarket CountryDate of Snapshot# Unique Apps# Unique Domains# Unique IPs Google Play*US09/20/11, 01/20/1226,33227,58147,144 SoftAndroidRU02/07/123,6263,0288,868 ProAndroidCN02/02/12, 03/11/122,4072,7128,458 AnzhiCN01/31/1228,76011,71924,032 NdooCN10/25/12, 02/03/12, 03/06/12 7,9145,93914,174 Malware Dataset Name Date of Snapshot # Unique Apps# Unique Domains # Unique IPs Contagio03/27/123382462,324 Zhou et al02/20125962812,413 M103/26/20121,4858395,540 * Top 500 free applications per category only

21 #RSAC M&A Overlap with Wired pDNS  At most 10% of M&A hosts are outside our non-cellular pDNS dataset.  More than 50% of M&A hosts are associated with at least seven domain names. Mobile applications reusing same hosting infrastructure as desktop applications. M&A Hosts M&A Hosts Wired Hosts Wired Hosts 10%

22 #RSAC Lifecycle of a Threat  Threat publicly disclosed by security community in October.  Associated domain no longer resolved at time of disclosure. Point of Disclosure October Threat ε

23 #RSAC Network Behavior  Mobile threats show high degree of network agility similar to traditional botnets. Use of network based countermeasures may help better detect and mitigate threats. Threat β

24 #RSAC Summary of Observations  Mobile Internet is really just the Internet.  Mobile malware is still a real but small threat.  Mobile applications reusing same infrastructure as desktop applications.  Analysis of mobile malware slow to identify threats.  Network based countermeasures can and should be used.

25 #RSAC Apply What You Have Learned Today  What you can do today:  When downloading applications for your mobile device, try and stick to first-party application markets.  Be mindful that certain threats like phishing can be more effective against mobile users due to limited screen real estate.  What you should be doing in the future:  Leverage your existing network infrastructure to help identify mobile devices.  Analyzing the network infrastructure mobile devices are contacting by using new or existing tools to evaluate the reputation of that infrastructure.

26 #RSAC Questions?

27 #RSAC References  The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers, Network & Distributed System Security Symposium (NDSS), 2013 The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers  Mobile Malware Sources (Public)  Contagio Mobile Malware (http://contagiominidump.blogspot.com)http://contagiominidump.blogspot.com  Android Malware Genome (http://www.malgenomeproject.org)http://www.malgenomeproject.org  VirusTotal (https://www.virustotal.com)https://www.virustotal.com

Download ppt "SESSION ID: #RSAC Chaz Lever Characterizing Malicious Traffic on Cellular Networks A Retrospective MBS-W01 Researcher Damballa,"

Similar presentations

Analyzing and Exploiting Network Behaviors of Malware Jose Andre Morales Areej Al-Bataineh Shouhuai XuRavi Sandhu SecureComm Singapore, 2010 ©2010 Institute.

Analyzing and Exploiting Network Behaviors of Malware Jose Andre Morales Areej Al-Bataineh Shouhuai XuRavi Sandhu SecureComm Singapore, 2010 ©2010 Institute.
Dynamics of Online Scam Hosting Infrastructure

Dynamics of Online Scam Hosting Infrastructure
Network Operations Research Nick Feamster

Network Operations Research Nick Feamster
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
The Threat Landscape Jan 2013. 2013 Threat Report 2.

The Threat Landscape Jan Threat Report 2.
Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
Taking Control of Cloud Security Travis Abrams. Consulting and Professional Services Health checks Deployment services Strategic Partner VAR Board Leadership.

Taking Control of Cloud Security Travis Abrams. Consulting and Professional Services Health checks Deployment services Strategic Partner VAR Board Leadership.
Making Contact With Your Customers. Who are Klick2Contact? Highly experienced telecommunications professionals Backed by major European investment group.

Making Contact With Your Customers. Who are Klick2Contact? Highly experienced telecommunications professionals Backed by major European investment group.
LittleOrange Internet Security an Endpoint Security Appliance.

LittleOrange Internet Security an Endpoint Security Appliance.
On the Feasibility of Large-Scale Infections of iOS Devices

On the Feasibility of Large-Scale Infections of iOS Devices
Department Of Computer Engineering

Department Of Computer Engineering
© Blue Coat Systems, Inc. 2012. John Yun Director, Product Marketing.

© Blue Coat Systems, Inc John Yun Director, Product Marketing.
Mobile App Monetization: Understanding the Advertising Ecosystem Vaibhav Rastogi.

Mobile App Monetization: Understanding the Advertising Ecosystem Vaibhav Rastogi.
Trend Micro Deployment Kelvin Hwang IT Services University of Windsor.

Trend Micro Deployment Kelvin Hwang IT Services University of Windsor.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
2010.11.22 資安新聞簡報 報告者:劉旭哲、曾家雄. Spam down, but malware up 報告者:劉旭哲.

資安新聞簡報 報告者:劉旭哲、曾家雄. Spam down, but malware up 報告者:劉旭哲.

Similar presentations

Ads by Google