
Chapter 3: Instances and Theory of Malicious Code
Malicious code defense in mobile networks
Funded by Intel Corp.

Outline
– Bind-type mobile phone viruses and their realization
– Mobile worms and their basic theory
– Mobile Trojans and their principles
– Mobile rootkits

3.1 Bind-type mobile phone viruses and their realization

What is file binding?
– It grew out of file compression tools (such as WinRAR): a self-extracting archive unpacks its contents automatically.
– Malware can be placed inside the compressed package and is unpacked automatically along with the legitimate content.
– The malicious code can run and infect the device in this way.
Introduction to the SIS file
– It is the installation package format of the Symbian system (just as .ipa is for the iPhone).

Because a mobile phone virus can use a SIS file to run and spread itself, the virus is packaged into a SIS file together with other ordinary files in order to deceive the user.

Here is an example of how to make a SIS file. First, we create a text file temp.pkg:

    &ZH
    #{"filename"},(0xUID),1,00,0,TYPE=SISAPP
    (0x101000F1),0,0,0,{"Series60ProductID"}
    "C:\text.txt"-"",FT,TC

– 0xUID is the UID of this file; it can be looked up with UnMakeSIS.
– 1,00,0 is the version number; it can also be looked up with UnMakeSIS.
– "C:\text.txt"-"",FT,TC is the installation entry (the source file, its destination and the install options).

Clicking the "create SIS file" button makes MakeSIS pack the files into "test.sis" and write a log file. The package file used:

    &ZH
    #{"test"},(0x102F68010),1,00,0,TYPE=SISAPP
    (0x101000F1),0,0,0,{"Series60ProductID"}
    "C:\1\system\test\test.app"-"C:\1\system\test\test.app"

Save this file as test.pkg, open a command prompt (CMD) and type "makesis test.pkg". This produces the SIS file "test.sis".

With MakeSIS, arbitrary files can be packaged into a SIS file. If an MDL file is installed into the phone's Recogs directory, the system loads it automatically at startup. In this way a virus program achieves its goal of running by itself and infecting the device.

Characteristics and consequences of bind-type mobile phone viruses
– No additional conditions are needed for it to run.
– It depends on the phone's system supporting a self-extracting (SFX) file format.
– It is difficult for the user to discover.
– It is well camouflaged and easily deceives users.
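As an added example (not part of the original slides), the following Python script parses the .pkg package-definition format shown above and lists what a package would install, flagging entries that land in \system\recogs (where an MDL file is loaded at startup, as the slides describe) or in other system directories. It goes beyond the slides by handling several file entries per package; the sample package text, its UID and its file names are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Destination directories that give a file control at boot or place it in a
# system-privileged area; compared case-insensitively against the install path.
SUSPICIOUS_DEST_DIRS = (
    "\\system\\recogs\\",             # .mdl recognizers here are loaded at startup
    "\\system\\symbiansecuredata\\",  # the directory Cabir copied its payload into
)


@dataclass
class PkgEntry:
    source: str          # path on the build machine
    dest: str            # install path on the phone ("" for display-only text files)
    options: List[str] = field(default_factory=list)   # e.g. FT, TC


@dataclass
class PkgFile:
    name: str = ""
    uid: Optional[int] = None
    version: str = ""
    entries: List[PkgEntry] = field(default_factory=list)


# #{"name"},(0xUID),major,minor,build,TYPE=...
_HEADER_RE = re.compile(
    r'^#\{"(?P<name>[^"]*)"\},\((?P<uid>0x[0-9A-Fa-f]+)\),'
    r'(?P<major>\d+),(?P<minor>\d+),(?P<build>\d+)'
)
# "source"-"destination"[,OPTION,...]
_FILE_RE = re.compile(r'^"(?P<src>[^"]*)"\s*-\s*"(?P<dst>[^"]*)"(?:,(?P<opts>.*))?$')


def normalise_quotes(text: str) -> str:
    """Slides and word processors turn ASCII quotes into curly ones; undo that."""
    return text.replace("\u201c", '"').replace("\u201d", '"')


def parse_pkg(text: str) -> PkgFile:
    """Parse the subset of pkg syntax used on the slides into a PkgFile."""
    pkg = PkgFile()
    for raw in normalise_quotes(text).splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "&")):
            continue  # blank line, comment, or language header such as &ZH
        m = _HEADER_RE.match(line)
        if m:
            pkg.name = m.group("name")
            pkg.uid = int(m.group("uid"), 16)
            pkg.version = "%s.%s.%s" % (m.group("major"), m.group("minor"), m.group("build"))
            continue
        m = _FILE_RE.match(line)
        if m:
            opts = [o.strip().upper() for o in (m.group("opts") or "").split(",") if o.strip()]
            pkg.entries.append(PkgEntry(m.group("src"), m.group("dst"), opts))
        # anything else (platform UID line, options) is ignored by this parser
    return pkg


def suspicious_entries(pkg: PkgFile) -> List[str]:
    """Install paths that land in an auto-start or system-data directory, or are .mdl files."""
    hits = []
    for e in pkg.entries:
        dest = e.dest.lower()
        if dest.endswith(".mdl") or any(d in dest for d in SUSPICIOUS_DEST_DIRS):
            hits.append(e.dest)
    return hits


# Constructed sample: an ordinary-looking application package that also drops a recognizer.
SAMPLE_PKG = r'''
&EN
#{"test"},(0x102F6801),1,00,0,TYPE=SISAPP
(0x101000F1),0,0,0,{"Series60ProductID"}
"C:\1\system\test\test.app"-"!:\system\apps\test\test.app"
"C:\text.txt"-"",FT,TC
"C:\1\flo.mdl"-"!:\system\recogs\flo.mdl"
'''

if __name__ == "__main__":
    pkg = parse_pkg(SAMPLE_PKG)
    print("package %s uid=%#x version=%s, %d file(s)" % (pkg.name, pkg.uid, pkg.version, len(pkg.entries)))
    for dest in suspicious_entries(pkg):
        print("auto-start or system location:", dest)
```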

3.2 Mobile worms and their basic theory

Definition of worms
– In the DOS era, a worm-like creature appeared on the screen of an infected computer and ate the letters displayed there.
– The biggest difference between a worm and an ordinary virus is that a worm is an independent, self-contained program, unlike earlier viruses, which needed a host file to carry them. Being a complete program is the defining characteristic of a worm, even though a worm itself can still be infected by an ordinary virus.

(Figure: differences between worms and ordinary viruses – worm, program, virus)

An instance of a mobile worm: Cabir
Cabir is the virus that ignited the mobile malware (MM) revolution. The first sample of the family was released in June 2004. Its source code was published in the 29A ezine and quickly gave rise to 35 known variants.

Viva España! The original Cabir.A sample was e-mailed to Kaspersky Labs by a well-known virus collector from Spain named VirusBuster.

The worm spread as a SIS archive file named caribe.sis, which arrived in the inbox of the target device. The user had to give permission to install the file on the device. Once installed, the worm immediately started seeking other Bluetooth-enabled devices within range. When a device was located, Cabir locked on to it and sent the SIS file repeatedly in the hope of a successful infection.

The following files are included in the SIS file, with the locations they are copied to when the worm infects a new device:
– caribe.app to \system\symbiansecuredata\caribesecuritymanager\
– caribe.rsc to \system\symbiansecuredata\caribesecuritymanager\
– flo.mdl to \system\recogs

The source code for this virus was released to the public in issue #8 of the ezine published by the malware group 29A. The author's handle is Vallez. The malware was written in C/C++ specifically for the Symbian Series 60 platform.

Cabir.C through Cabir.G are identical in functionality to Cabir.B; the only differences are the name of the SIS archive file and the text displayed on the device when the MM is installed.
(Figure: screenshots of Cabir.C, .D and .E)

Bluetooth openness
Most Bluetooth MM infects mobile devices only when the device is set to discoverable mode. Switching this option to hidden spares you several headaches. Is your Bluetooth-enabled phone in discoverable mode?

This new incarnation of Cabir had the capability to propagate via Bluetooth to several devices. When Cabir found a Bluetooth-enabled device, it sent a SIS file named velasco.sis to that device repeatedly until the device accepted it or went out of range.

Once the device went out of range, Cabir immediately started searching for another Bluetooth-enabled device. This gave Cabir the ability to infect more than one device per execution. Luckily, no reports of it in the wild ever emerged.
(Figure: display of Cabir.H after completed installation)

3.3 Mobile Trojans and their principles

3.3.1 Overview of mobile Trojans
From the earlier chapters we already have a preliminary understanding of Trojans. For a mobile phone system, the phone itself is like the city of Troy: if a user unknowingly installs a program of a malicious nature, that program is without doubt a Trojan horse. It can cause harm from inside the phone's system.

The basic architecture of mobile Trojans
The basic structure of a mobile Trojan can be broadly divided into three parts:
1 Infection section
– The role of this part is similar to that of an ordinary virus: it mainly ensures that the Trojan runs smoothly on the mobile system. To this end the Trojan uses some basic features of the phone's system to copy its own files or to start running. The process by which a Trojan infects the phone is often called "Trojan implantation".

2 Data transmission section
– This part is mainly used to receive commands and to return the results of program execution. To receive information from its maker, or to respond to him, a mobile Trojan must call on some of the phone's communication methods, including Bluetooth, infrared, short messages, MMS and Internet access.
– To reduce the chance of being noticed by the user, mobile Trojans receive several commands at once and then return the results piecemeal.

3 Task execution section
– For a Trojan, performance shows in another aspect: the task execution section.
– When the task the Trojan receives is relatively simple and does not consume many of the phone's resources, the Trojan can use a one-to-one execution mode. In the one-to-one mode, the Trojan executes a command as soon as it receives the control command and accepts no further commands until that command has finished.

3 Task execution section (continued)
For some high-performance phones, attackers equip the Trojan with a one-to-many execution mode, in which the Trojan receives many commands at once and runs them simultaneously, or breaks a task into subtasks and executes them. The benefit of this mode is that, with multiple commands in flight, the Trojan's productivity improves greatly: the attacker at the receiving end suddenly obtains a great deal of information about the phone's user, which helps further attacks in his favour.

3.3.2 Harm done by mobile Trojans
The harm done by mobile Trojans includes the following:
1 Remote snooping
2 Communication monitoring
3 Information interception
4 Forgery and deception

Remote snooping
Once a Trojan has been implanted successfully into the phone's system, it first checks the phone's model and basic information to decide its next step. Then it starts to collect basic information about the phone's user. The Trojan can search the phone book for entries such as "my number" and, once found, send them quickly to the attacker. The user's private information on the phone is not limited to the phone book and short messages: files on the phone's memory card, such as photos or videos, are also likely to contain the user's personal information.

Communication monitoring
Communication monitoring is the most important hazard of a mobile Trojan. A Trojan can connect to outside mobile devices, and voice data is the most common form of information exchanged in mobile communication. At the same time, because the phone is usually carried by the user, it can also record the voices around it. The usual monitoring method is that, after infecting the phone's system, the Trojan automatically dials a preset number at a given moment. At that point the phone is in a voice call, so any sound within a certain range of the phone is transmitted by the phone to the monitoring party at the other end.

Windows Mobile, for example: a concrete implementation of this technique

    using System;
    using System.Runtime.InteropServices;

    class PhoneDialing
    {
        // Creating a call is a basic operation under Windows Mobile; it mainly uses the
        // PhoneMakeCall function. We pass it a string parameter to indicate the target
        // address and whether to confirm the operation before the call is placed.
        private static long PMCF_DEFAULT = 0x00000001;
        private static long PMCF_PROMPTBEFORECALLING = 0x00000002;

        // Then we define a small structure: the parameters passed to PhoneMakeCall.
        private struct PhoneMakeCallInfo
        {
            public IntPtr cbSize;
            public IntPtr dwFlags;
            public IntPtr pszDestAddress;
            public IntPtr pszAppName;
            public IntPtr pszCalledParty;
            public IntPtr pszComment;
        }

        // cbSize is the size of PhoneMakeCallInfo. dwFlags is an option that specifies
        // whether to prompt the user before calling. pszDestAddress is a pointer to the
        // phone number to be dialed. pszAppName is currently not supported. pszCalledParty
        // is optional and gives the called party's name. pszComment is currently not
        // supported. Now we use P/Invoke (DllImport) to access the PhoneMakeCall API.
        [DllImport("")] // the library file in which the call is implemented
        private static extern IntPtr PhoneMakeCall(ref PhoneMakeCallInfo ppmci);

        // For convenience, an auxiliary function omits the confirmation before dialing.
        // A real mobile Trojan needs no such confirmation and dials directly.

        public static void MakeCall(string phoneNumber)
        {
            MakeCall(phoneNumber, false);
        }

        // To implement MakeCall, the phoneNumber parameter (a string) is split into a
        // character array, copied into unmanaged memory, and its address is placed in
        // the structure that is passed to PhoneMakeCall.
        private static void MakeCall(string phoneNumber, bool promptBeforeCall)
        {
            …
            // each char is two bytes, so the buffer is sized in bytes, not characters
            IntPtr iPhoneNumber = Marshal.AllocHGlobal(cPhoneNumber.Length * sizeof(char));
            Marshal.Copy(cPhoneNumber, 0, iPhoneNumber, cPhoneNumber.Length);
            info.pszDestAddress = iPhoneNumber;
            PhoneMakeCall(ref info); // begin to dial
        }

        // To deceive users, Trojans often read information from the SIM card, such as the
        // phone book and messages. A brief description follows.
        [StructLayout(LayoutKind.Sequential)]
        private struct SimRecord
        {
            public IntPtr cbSize;
            public IntPtr dwParams;
            public IntPtr dwRecordType;
            public IntPtr dwItemCount;
            public IntPtr dwSize;
        }

        // Only sequentially laid out structures can be marshalled automatically between
        // managed and native code, so the structure is marked with the sequential layout
        // attribute. cbSize is the size of the structure being passed. dwParams holds the
        // parameter values; we need not worry about it here. dwRecordType indicates the
        // record format.
        ...
    }

With the code above, the program can dial automatically and establish a voice connection. At that point the phone is in a listening state, and everything the phone's user says can be monitored remotely in full.

Information interception
Our mobile phones are often the means by which we obtain information in a timely manner. There is a special kind of mobile Trojan that intercepts information (whether short messages or MMS) as soon as the user receives a new message from outside. After interception, the Trojan may delete the message or forward it to the attacker receiving from the Trojan, causing the user to miss many important things. Information-interception Trojans are a very malicious kind of Trojan; they often make it hard for users to know what is happening around them.

Forgery and deception
Besides intercepting the user's information, a mobile Trojan can also forge phone messages to deceive the user. When the Trojan provides the attacker with the user's address book, the attacker can pick out one important number and then send the user a deceptive text message in its name. Its content may involve financial fraud or even more serious crime.

3.3.3 Implementation of mobile Trojans
– Self-starting activation method
– Hiding technology
– Implementation of running in the background
– Receiving of control commands
– The process of command execution
– Result feedback

Self-starting activation method
If a mobile Trojan could be stopped simply by powering the phone off, there would be no need to fear it. In fact, a mobile Trojan stays in the phone's system for as long as it is not removed. The method by which it starts itself again after the device is powered off and on is called "self-starting" technology. Self-starting uses a special facility that the phone's system provides to run specified program files when the system starts up.

Self-starting on mobile systems
1 Symbian
For Symbian, the system provides several methods. One of them mainly uses the facility provided by the "Recognizer". With it, developers can create an MDL file, which is similar to a DLL library file; it is loaded by the kernel after the Symbian system starts.
2 Linux
When a Linux system boots, the init program is executed after the kernel starts. Generally init reads its configuration from files under /etc/, so a statement can be added to that file directly to make the program start with the system. In addition, the rcS script calls /usr/etc/, so the application can also add its statement there.

3 Windows Mobile
In Windows Mobile there is a folder named "StartUp", inside the Windows directory, that can be used for self-starting: adding a shortcut to the program in that folder makes it start with the system. There is another method as well. Like desktop Windows, Windows Mobile supports "system services": programs that work in the background and receive and handle events from the foreground at any time, usually starting together with the operating system. Because system services combine self-starting with background running, they are often preferred by mobile virus programs.

Hiding technology
In order to lurk in the mobile system, a Trojan program must wipe away its "traces". For example, if the Trojan has recorded the user's voice communication, the related files should be deleted immediately. At the same time, some users install software on their phones that can monitor or query system information. To avoid being found, mobile Trojans use hiding technologies; the simplest of these is hooking.

The principle of a hook is to replace certain system functions and procedures by some means.
– In this way, whenever the system or a program calls those functions, the hook procedure is executed first and gains control over the call.
– The author of the hook procedure can add code that changes how the original system function behaves.
– So if security software uses thread-enumeration functions to monitor running threads, the Trojan author can hook those functions, alter the thread list, delete the entries belonging to the Trojan, and return the edited results to the software.

Besides hooking, the system callback function is another option.
– When the system notices that system files or running threads have changed, it uses callback functions to notify the phone's user interface or to update a log accordingly. The existence of these callbacks affects the concealment of a mobile Trojan.
– Mobile Trojans hide themselves by changing the information returned by the callback functions.

Implementation of running in the background
Some key programs of the phone system run in the background.
– The screen saver, for example, runs in the background while the phone is in use, that is, while the user is making a call or sending a short message; it comes to the foreground automatically when the phone enters standby mode.
– This is a typical background program.

A mobile Trojan is illegitimate, so it must run in the background. Among smartphones the methods for running a program in the background differ considerably. On Symbian, a program that is to run in the background must be an exe file: an exe can run without a user interface under Symbian, much like a command-line program on Windows. The exe is then made self-starting so that it stays hidden in the background and executes secretly.

Receiving control commands
A Trojan is more dangerous than an ordinary virus because it can receive instructions from the attacker and act on them. To obtain information from outside, it uses the phone's basic functions, such as short messages, and accessory functions, such as Bluetooth. In theory, as long as the phone has power, a mobile Trojan can receive any instruction from the attacker at any time.

The process of command execution
For a mobile Trojan, command execution must be efficient and compact. The performance of a mobile platform cannot be compared with that of an ordinary PC. If the Trojan's execution is too complex, the phone may crash or even shut down by itself, and the Trojan achieves nothing.

The attacker must consider the size and amount of subscriber data stolen. Otherwise the Trojan consumes a lot of resources processing that data, and the user notices that the phone is behaving abnormally. For a Trojan running on a smartphone, multithreading and background execution are the best options: the Trojan's operation then does not stress the phone's system, and the Trojan still runs efficiently.

Result feedback
As with receiving control commands, the way results are returned is determined by the way commands are received. Sometimes, however, a Trojan uses several available channels to return the result, in order to raise the probability of success and speed up the return of execution results.

3.3.4 Instance analysis: identification and elimination of mobile Trojans
– Flocker mobile Trojan
– Pbstealer mobile Trojan
– Commwarrior mobile Trojan
– Cardtrap mobile Trojan

Flocker
Flocker is designated "Trojan-SMS.Python.Flocker.a".
– Its body is a Python script.
– It runs only on mobile platforms that support Python.
– The Flocker script is embedded in a SIS installation package. The SIS installer lures users into installing it under the disguise of "Icq_Python". Like a normal installation, it generates the following files:

(Figure: files generated by the Flocker installation package)

The three .pyd files are the modules imported by the Trojan script. When the user clicks the program icon, the script is executed and behaves as follows:
– (1) it continuously sends text messages to a specified number;
– (2) it removes the reply messages from that number from the inbox.
The user's phone credit is thus drained without the user suspecting anything, and the corresponding service provider makes exorbitant profits.

Pbstealer
Pbstealer, commonly known as the address book thief, is a typical mobile Trojan. It mainly infects Nokia phones running Symbian OS. Shortly after infection, Pbstealer steals the contact information stored on the phone, then sends the user's contacts, notepad and calendar entries to anyone nearby who has a Bluetooth device.

The general characteristics of the Trojan are as follows. Pbstealer is disguised as an application that compacts the contacts database. It does not spread by itself; a user who downloads the Pbstealer SIS installation package becomes infected. The SIS file contains program files and string resources. Pbstealer starts automatically during installation of the SIS file and displays text such as "Compacting your contact (s), the step2, both Please wait again, until done".

Commwarrior
Commwarrior, also known as the MMS virus, belongs to the mobile Trojans. It mainly infects Nokia phones running the Symbian operating system. Once a phone is infected, it starts looking for other phones reachable via Bluetooth and sends them the infected SIS file. The SIS file is given a random name, which makes it hard for the user to guard against. In addition to spreading over Bluetooth, Commwarrior reads the user's local address book and sends MMS messages containing the Commwarrior SIS file to the numbers in it.

(Figure: Commwarrior)

The general characteristic of the Trojan is that, when spreading by MMS, Commwarrior lures the user into opening the message with alluring or fraudulent words, such as "NortonAntiVirus Released now for mobile, install it!" and "bad! Free *SEX* software for you!". If the user tries to delete the Commwarrior executables or their bootstrap components, they are recreated on the phone.

Cardtrap
Cardtrap belongs to the mobile Trojans and mainly infects Nokia phones running the Symbian operating system. It is a SIS-file Trojan that damages the Symbian system: it attempts to corrupt some third-party applications and installs computer worms onto the memory card. Its distinguishing feature is that Cardtrap installs a W32/!p2p virus on the MMC; after installation the virus has its own file name, icon and shortcut links, intended to lure users into clicking on them.

3.3.5 Basic means of identifying mobile Trojans
The crucial point about a mobile Trojan is that it needs to communicate with a malicious attacker outside the phone. So when you notice that your phone receives strange short messages or MMS, or connects to the Internet for no apparent reason, pay attention: a Trojan may have been implanted.

For a Trojan that communicates over Bluetooth, its presence is harder to detect. However, most people do not use Bluetooth that often. So when you do use the phone's Bluetooth to send data, and the data received does not match what was sent, the presence of a Trojan can also be discovered.
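The following is an added example, not from the slides, that applies two of the observations above to a message log: Flocker's pattern of repeatedly texting one number and deleting that number's replies (section 3.3.4), and this section's rule that unexpected outgoing messages signal an implanted Trojan. The log format, the phone numbers and the address book are constructed for the example; a real phone exposes this history through its own call and message logs.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class SmsEvent(NamedTuple):
    ts: datetime
    kind: str      # "SEND", "RECV" or "DELETE"
    number: str


def parse_log(lines: List[str]) -> List[SmsEvent]:
    """Parse constructed 'YYYY-MM-DD HH:MM:SS <KIND> <number>' lines; skip malformed ones."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        events.append(SmsEvent(ts, parts[2].upper(), parts[3]))
    return events


def flocker_like_numbers(events: List[SmsEvent], contacts: Set[str],
                         window: timedelta = timedelta(hours=1),
                         min_sends: int = 3) -> List[str]:
    """
    Numbers that (a) received at least `min_sends` outgoing texts within `window`,
    (b) are not in the user's address book, and (c) had at least one incoming
    message deleted within minutes of arriving: the Flocker behaviour.
    """
    sends: Dict[str, List[datetime]] = defaultdict(list)
    last_recv: Dict[str, datetime] = {}
    quick_deletes: Counter = Counter()
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "SEND":
            sends[e.number].append(e.ts)
        elif e.kind == "RECV":
            last_recv[e.number] = e.ts
        elif e.kind == "DELETE":
            # a reply removed seconds after it arrived is what the script, not the user, does
            if e.number in last_recv and e.ts - last_recv[e.number] <= timedelta(minutes=5):
                quick_deletes[e.number] += 1
    hits = []
    for number, times in sends.items():
        if number in contacts:
            continue
        burst = any(times[i + min_sends - 1] - times[i] <= window
                    for i in range(len(times) - min_sends + 1))
        if burst and quick_deletes[number] > 0:
            hits.append(number)
    return sorted(hits)


def texts_to_unknown_numbers(events: List[SmsEvent], contacts: Set[str]) -> List[str]:
    """Section 3.3.5 rule: any outgoing text to a number that is not in the address book."""
    return sorted({e.number for e in events if e.kind == "SEND" and e.number not in contacts})


# Constructed sample address book and message log.
CONTACTS = {"+15551000001", "+15551000002"}
SAMPLE_LOG = [
    "2009-03-01 09:00:00 SEND +15551000001",   # normal text to a friend
    "2009-03-01 09:05:00 RECV +15551000001",
    "2009-03-01 10:00:00 SEND 1234",           # premium short code, not a contact
    "2009-03-01 10:00:20 RECV 1234",
    "2009-03-01 10:00:25 DELETE 1234",         # reply removed within seconds
    "2009-03-01 10:10:00 SEND 1234",
    "2009-03-01 10:20:00 SEND 1234",
    "2009-03-01 10:20:30 RECV 1234",
    "2009-03-01 10:20:31 DELETE 1234",
    "2009-03-01 11:00:00 SEND +15559990000",   # a single text to an unknown number
    "not a log line",
]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Flocker-like numbers:", flocker_like_numbers(evs, CONTACTS))
    print("Texts to unknown numbers:", texts_to_unknown_numbers(evs, CONTACTS))
```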

3.4 Mobile rootkits

3.4.1 Rootkit technology
The rootkit comes from the computer world. In 1994, a security advisory used the word "rootkit" for the first time.
– In the paper entitled "Ongoing Network Monitoring Attacks", the author describes a stealthy program that runs quietly in the system and monitors user behaviour at any time. The emergence of such programs attracted the attention of security personnel.

Because a rootkit must hide inside the operating system, it must be tightly integrated with it. A rootkit uses a few core techniques to achieve hiding, and using them usually requires the highest system privileges. That is what the "root" in the name refers to.

3.4.2 File hiding
A rootkit must consider how it is stored in the phone's memory or on the memory card.
– The infected target system is usually equipped with anti-virus or security software, which often monitors the file system.
– When malicious code copies itself to the phone's memory card, the scanner checks the new file, and the malicious code is likely to be found and deleted.

But there is often a time gap in file-system monitoring.
– Some of the system functions and methods the phone's vendor publishes do not expose the underlying core technology, for reasons of commercial interest and security restrictions.
– When software developers build on these "incomplete" functions and methods, the resulting functionality is unlikely to be responsive enough and has some drawbacks.
– Moreover, malicious code varies in many ways; it is impossible to keep a signature for every kind.

A rootkit differs from ordinary malicious code in that its core purpose is to use the phone system's underlying technology to achieve certain "advanced" goals, of which hiding its own existence is one. Typically the user checks the state of the phone, and anti-virus and security software scan regularly and delete junk files. Malicious code that uses some technique to hide itself escapes this fate; a rootkit is such a program.

(Figure: security software)

Means of file hiding
In designing a phone system, developers are likely to adopt undisclosed mechanisms for special purposes. The author of mobile malware analyses the internal implementation of the phone system in depth to find these undisclosed methods, which involve some of the underlying technology of the file system. Using that technology, a rootkit makes itself disappear from the system.

Another way: when a rootkit runs successfully on the phone for the first time, it deletes its files from the memory card and at the same time monitors changes in the system state.
– On the one hand, it monitors whether anti-virus or security software is running.
– On the other hand, it monitors whether the phone is about to be switched off. If so, it writes itself back into the file system so that it can run again when the phone is next switched on.
This is hard to implement, because every operation by the phone's user has to be monitored.

Implementation of global keyboard monitoring in the Symbian system

    void CClockSSAppUi::SetCaptureKey()
    {
        CancelCaptureKey();
        // Begin to capture key presses
        iHandleCaptureKey = CCoeEnv::Static()->RootWin().CaptureKeyUpAndDowns(
            KOkKeyScanCode, EModifierShift, EModifierShift, PRIORITYCAPTUREKEY);
        iHandleCaptureKey2 = CCoeEnv::Static()->RootWin().CaptureKey(
            KOkKeyCode, EModifierShift, EModifierShift, PRIORITYCAPTUREKEY);
    }

    TKeyResponse CClockSSAppUi::HandleKeyEventL(const TKeyEvent& aKeyEvent, TEventCode aType)
    {
        if ((KOkKeyScanCode == (TUint)aKeyEvent.iScanCode) && (EEventKeyDown == aType)
            && ((aKeyEvent.iModifiers & EModifierShift) == EModifierShift))
        {
            CAknGlobalNote* globalNote = CAknGlobalNote::NewLC();
            globalNote->ShowNoteL(EAknGlobalInformationNote, _L("CaptureKey!"));
            CleanupStack::PopAndDestroy();
        }
        return EKeyWasNotConsumed;
    }

File hiding by a rootkit is also reflected in the use of certain system settings, such as the phone system's registry (mainly on Windows Mobile) or the system property files (Symbian).

3.4.3 Job/thread hiding
Job/thread hiding makes the rootkit disappear from the phone's list of running tasks. Mobile anti-virus and security software can not only traverse the files in the phone's file system but also monitor the tasks running on the phone. For malicious code, file hiding alone is not enough.

There are differences between smartphone systems and desktop operating systems. Hooking as practised on desktop operating systems is hard to implement on a mobile system. Job/thread information is closely tied to the normal operation of the phone's system; if it is changed carelessly, the system collapses, for example by crashing or shutting down automatically.

Means of job/thread hiding
Temporarily changing the phone system's cache is a very effective method. By modifying key data in the system cache, some of the key information in the phone's system is changed. If that influence extends to job/thread information, the attacker finds an opportunity.

The phone's system stores data in certain key locations so that it can be used and modified at any time, much as Windows stores task information in the registry after creating a new task. Rootkit authors must analyse each system cache file in detail and understand its access format. Sometimes the system stores some core data in encrypted form; the attacker then has to break the encryption mechanism before modifying the data to hide the rootkit in the system.

Finding system vulnerabilities is a method attackers often use.
– The security design of phone systems is weaker than that of desktop operating systems, mainly because phones are used in less complex ways: the user may only make calls, send text messages and so on.
– As a result, the design of some phone systems contains serious hidden security weaknesses.
– Once discovered by rootkit designers, these weaknesses can have unimaginable consequences.

In the design of a general-purpose operating system, the operating system's code lives at high memory addresses that user programs may not access. If an access falls outside the legal range, it is refused and a warning is raised. In some phone systems, however, the designers omitted this part of the implementation for the sake of simplicity. When all job/thread information is stored at high memory addresses, a rootkit application can access those addresses directly and modify their contents, and neither the system itself nor other information-query software detects the change.

3.4.4 Rootkits at the driver level
Malicious code developed in an ordinary development environment is a simple application program. To hide its behaviour it must get inside the system. The essential job of a phone's system is to make all of its hardware available for convenient use, and that requires drivers. A driver is a program that lets software and hardware communicate; it is the software interface of the hardware, and the operating system controls the hardware only through this interface.

(Figure: the basic structure of driver and operating system – operating system, driver, hardware)

Rootkits at the driver level
Because of the importance of drivers, phone system makers design and implement some basic drivers themselves. But as phone functionality grows more complex, writing all of them becomes too cumbersome, so they commission other manufacturers to develop the drivers. This is a basic mode of modern phone system development. Because the technical level of these manufacturers varies, the drivers may carry many potential security hazards.

If a rootkit author is familiar with phone hardware and also knows how to develop hardware drivers for the phone's system, he may well write a driver with malicious qualities. Once adopted by the phone's system, the rootkit can modify core system data through the driver, including process information and file information, and can also change the system's running state, for example by formatting the memory card.

3.4.6 The development trend of mobile rootkits
With the widespread popularity of smartphones, mobile rootkits have quickly come into view of security personnel. Thanks to the concealment that rootkit technology provides, a rootkit is far more effective than the average mobile virus, and its anti-removal techniques sit at a lower level than mobile anti-virus software can reach. These advantages have shifted attackers' attention to the development of mobile rootkits.

The development trend of mobile rootkits
– Hardware rootkits for mobile phones will proliferate.
– File hiding technology (such as hooking) will become increasingly mature.
– Job/thread hiding technology is maturing at the same time.
– Low-level techniques against anti-virus software will appear.
– Rootkits will focus on security holes in mobile systems.
– Driver-level rootkits will become the mainstream.
