Automated Remote Repair for Mobile Malware Yacin Nadji, Jonathon Giffin, Patrick Traynor Georgia Institute of Technology ACSAC’ 11.

Outline Introduction Related Work Mobile Malware Airmid Architecture Implementation Discussion Conclusion

Introduction 70000 new mobile malware samples per day

Introduction Cellular providers will not be able to rely solely upon the rapid identification and removal of malware by mobile market operators

Introduction A system for automated detection of and response to malicious software infections on handheld mobile devices – Airmid Airmid: the goddess of healing

Introduction We developed laboratory samples of mobile malware that ▫Leak private data ▫Dial premium numbers ▫Participate in botnet activity And… ▫Detect the presence of an emulated environment ▫Change their behavior, create a hidden background process, scrub logs, and restart on reboot

Introduction Contribution ▫Identification of current remediation shortcomings ▫Design and implementation of advanced prototype malware ▫Cooperatively neutralize malware on infected mobile phones

Related Work Traynor et al. On Cellular Botnets: Measuring the Impact of Malicious Devices on a Cellular Network Core Xu et al. Stealthy Video Capturer: A New Video-based Spyware in 3G Smartphones TaintDroid PiOS

Mobile Malware In the wild… ▫Privilege escalation to root (DroidDream) ▫Bots (Drad.A) ▫Data exfiltration (DroidKungFu, StreamyScr.A) ▫Backdoor triggered via SMS (Bgyoulu.A) Jailbroken iPhone ▫iKee.B Bot

Mobile Malware Deficiencies of marketplaces: ▫Malware authors can write their apps with logic that evades detection by marketplace analysis ▫The Android platform allows users to install apps from third-party marketplaces, which bypass the official marketplace's review entirely

Mobile Malware Enhanced prototype malware ▫Loudmouth  a Twitter client that leaks private data ▫2Faced  A Facebook client sync app that dials premium numbers ▫Thor  A mobile bot

Mobile Malware Loudmouth ▫Malicious mobile functionality  Data exfiltration ▫Evasive functionality  Malware analysis environment detection ▫Benign host app  Twitter client

Mobile Malware 2Faced ▫Malicious mobile functionality  Premium number dialer ▫Evasive functionality  Log sanitization and a hidden native process ▫Benign host app  Facebook sync

Mobile Malware Thor ▫Malicious mobile functionality  Bot client ▫Evasive functionality  Persistence across reboot ▫Benign host app  Weather display

Mobile Malware Permissions use:

Architecture Threat model ▫Install malware via a variety of usual mechanisms  Drive-by downloads or automated propagation  Distribution on marketplaces ▫Attackers can subvert the correct execution of a benign app  Exploiting a security defect in the app’s design

Architecture Assume… ▫A protected software layer on the device lower than the level at which the malware executes  Kernel (if kernel-level malware can be prevented)  Hypervisor (if virtualized environments can be created on a mobile device) ▫A communication channel between the network and each device ▫Detectable malicious behavior in the network

Architecture Remote repair

Architecture Side-effects: ▫Process termination ▫On-device traffic filtering ▫App update ▫Device update ▫File removal ▫Factory reset

Architecture Authenticated communication ▫[UMTS Security Wiki] ▫[REF] ▫[SPEC] ▫[AKA Mechanism RFC]

Implementation Hardware ▫HTC Dream with Android 1.6

Implementation Network component ▫Snort ▫Airmid Server built with the Python packet creation library Scapy
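The two slides above (authenticated communication, and a Snort-fed Airmid server) describe the network half of the design but give no message format. The following is an added example, not the authors' code: it parses a Snort "fast"-format alert line into a flow tuple and wraps a repair command in an integrity tag with a sequence number, which is what the device needs to reject forged or replayed commands. The paper relies on the cellular network's own authentication (UMTS/AKA); the pre-shared HMAC key, the JSON command layout and the alert text here are assumptions made for the example.

```python
import hashlib
import hmac
import json
import re

# Constructed Snort fast-alert line (rule id, message and addresses are made up
# for this example; the line layout is Snort's real "fast" output format).
SAMPLE_ALERT = (
    "10/05-14:21:07.123456  [**] [1:1000001:0] Premium SMS pattern [**] "
    "[Priority: 1] {TCP} 10.20.30.40:43122 -> 203.0.113.7:8080"
)

# Fields of a fast alert: "[**] [gid:sid:rev] msg [**] ... {proto} src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_fast_alert(line):
    """Return the flow tuple and rule metadata from one Snort fast-alert line."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError("not a Snort fast alert: %r" % line)
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k])
    return d


class AirmidServer:
    """Network side: turns an IDS alert into an authenticated repair command."""

    def __init__(self, key):
        self.key = key      # assumption: pre-shared key standing in for AKA-derived keys
        self.seq = 0        # monotonically increasing so the device can detect replays

    def build_command(self, alert, action):
        self.seq += 1
        body = {
            "seq": self.seq,
            "action": action,                      # e.g. "block_flow", "terminate_uid"
            "flow": {k: alert[k] for k in ("proto", "src", "sport", "dst", "dport")},
            "rule": [alert["gid"], alert["sid"], alert["rev"]],
        }
        # Canonical encoding so both sides MAC exactly the same bytes.
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        return payload + b"." + tag   # tag is hex, so the last "." always splits it off


class DeviceAgent:
    """Device side: accepts a command only if its MAC verifies and it is not a replay."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0

    def verify_command(self, msg):
        payload, sep, tag = msg.rpartition(b".")
        if not sep:
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return None
        try:
            body = json.loads(payload)
        except ValueError:
            return None
        if body.get("seq", 0) <= self.last_seq:     # replayed or reordered command
            return None
        self.last_seq = body["seq"]
        return body


if __name__ == "__main__":
    key = b"example-shared-key"                     # constructed for the demo
    server, device = AirmidServer(key), DeviceAgent(key)
    cmd = server.build_command(parse_fast_alert(SAMPLE_ALERT), "block_flow")
    print(device.verify_command(cmd))               # accepted once
    print(device.verify_command(cmd))               # None: replay rejected
```

The sequence number is what makes the channel safe against a captured command being resent later (for example to re-trigger a factory reset); without it a valid MAC alone would not help.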

Implementation Device component ▫A modified Linux kernel ▫Loadable kernel modules disabled, so malware cannot load code beneath the protected layer ▫1200 lines of C

Implementation Infection provenance

Implementation Remediation strategies ▫Block the malicious traffic ▫Termination of the process ▫Removal of the apk owned by the UID ▫Removal of all files owned by the UID Decision rule: ▫UID below the app range (a system user)  only block the malicious traffic ▫UID in the app range  terminate the process and remove the apk and files ▫Any native ARM processes?  If yes  full scan
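The infection-provenance slide and the remediation rule above describe the device-side chain: a flow reported by the network is mapped to a socket, the socket to a process, the process to a UID, and the UID decides how aggressive the repair may be. This added example (not the paper's kernel code, which is C inside a modified kernel) walks that chain in user space over constructed inputs: a hand-written `/proc/net/tcp` snapshot and a hand-written process table with package names invented for the example. The app-UID boundary of 10000 is Android's real `AID_APP`; treating "UID owns a native process" as the trigger for a full scan is this example's reading of the slide.

```python
import socket

AID_APP = 10000   # first application UID on Android; lower UIDs are system users

# Constructed /proc/net/tcp snapshot. Addresses are hex and little-endian, so
# 281E140A:A872 is 10.20.30.40:43122 and 077100CB:1F90 is 203.0.113.7:8080.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11203 1 00000000 100 0 0 10 0
   1: 281E140A:A872 077100CB:1F90 01 00000000:00000000 00:00000000 00000000 10052        0 22841 1 00000000 20 4 30 10 -1
   2: 281E140A:B1C4 0A0A0A0A:01BB 01 00000000:00000000 00:00000000 00000000 10033        0 22900 1 00000000 20 4 30 10 -1
"""

# Constructed process table (what the kernel would collect from task structs and
# open file descriptors). "native" marks an ARM binary rather than a Dalvik app process.
PROCESSES = [
    {"pid": 1,    "uid": 0,     "cmdline": "/init",                 "native": True,  "inodes": {11203}},
    {"pid": 1432, "uid": 10052, "cmdline": "com.example.facesync",  "native": False, "inodes": {22841}},
    {"pid": 1440, "uid": 10052, "cmdline": "/data/data/com.example.facesync/files/dialer",
                                                                   "native": True,  "inodes": set()},
    {"pid": 1501, "uid": 10033, "cmdline": "com.example.weather",   "native": False, "inodes": {22900}},
]


def _decode_endpoint(hex_ep):
    """'281E140A:A872' -> ('10.20.30.40', 43122); assumes a little-endian host (ARM Android)."""
    ip_hex, port_hex = hex_ep.split(":")
    return socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)


def find_socket_inode(proc_net_tcp, local, remote):
    """Step 1: the reported flow -> the socket inode that carries it."""
    for line in proc_net_tcp.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        if _decode_endpoint(f[1]) == local and _decode_endpoint(f[2]) == remote:
            return int(f[9])
    return None


def find_owner(processes, inode):
    """Step 2: the socket inode -> the process holding it open."""
    for p in processes:
        if inode in p["inodes"]:
            return p
    return None


def choose_remediation(uid, processes):
    """Step 3: the owning UID -> the remediation actions the slide allows for it."""
    if uid < AID_APP:
        # A system user: removing its files or killing it could brick the device,
        # so only the malicious traffic is filtered on the device.
        return ["block_traffic"]
    actions = ["block_traffic", "kill_processes", "remove_apk", "remove_uid_files"]
    if any(p["native"] for p in processes if p["uid"] == uid):
        actions.append("full_scan")   # hidden native helper may have dropped more files
    return actions


def remediate_flow(proc_net_tcp, processes, local, remote):
    """Full provenance chain for one flow; None if it cannot be attributed."""
    inode = find_socket_inode(proc_net_tcp, local, remote)
    if inode is None:
        return None
    owner = find_owner(processes, inode)
    if owner is None:
        return None
    return {"uid": owner["uid"], "pid": owner["pid"],
            "actions": choose_remediation(owner["uid"], processes)}


if __name__ == "__main__":
    print(remediate_flow(PROC_NET_TCP, PROCESSES, ("10.20.30.40", 43122), ("203.0.113.7", 8080)))
```

The flow that cannot be attributed (no matching socket, or a socket nobody holds) is returned as `None` rather than guessed, since the wrong UID here means deleting the wrong app's data.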

Implementation Performance evaluation

Discussion Airmid control ▫Some users may not trust a cellular network provider ▫Airmid is not a "one size fits all" solution ▫Traffic proxied via VPN is not visible to the provider's IDS ▫Roaming? ▫Detection relies on the network IDS

Discussion Device hardening ▫Disable LKM ▫Virtualization?  L4Android