SESSION ID: #RSAC Chaz Lever Characterizing Malicious Traffic on Cellular Networks A Retrospective MBS-W01 Researcher Damballa,

Slides:

Advertisements

Similar presentations

Analyzing and Exploiting Network Behaviors of Malware Jose Andre Morales Areej Al-Bataineh Shouhuai XuRavi Sandhu SecureComm Singapore, 2010 ©2010 Institute.

Advertisements

Dynamics of Online Scam Hosting Infrastructure

Network Operations Research Nick Feamster

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

The Threat Landscape Jan Threat Report 2.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Taking Control of Cloud Security Travis Abrams. Consulting and Professional Services Health checks Deployment services Strategic Partner VAR Board Leadership.

Making Contact With Your Customers. Who are Klick2Contact? Highly experienced telecommunications professionals Backed by major European investment group.

LittleOrange Internet Security an Endpoint Security Appliance.

On the Feasibility of Large-Scale Infections of iOS Devices

Department Of Computer Engineering

© Blue Coat Systems, Inc John Yun Director, Product Marketing.

Mobile App Monetization: Understanding the Advertising Ecosystem Vaibhav Rastogi.

Trend Micro Deployment Kelvin Hwang IT Services University of Windsor.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

Norman SecureSurf Protect your users when surfing the Internet.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.

Introduction to Honeypot, Botnet, and Security Measurement

資安新聞簡報報告者：劉旭哲、曾家雄. Spam down, but malware up 報告者：劉旭哲.

A Comprehensive Guide to Mobile Targeted Attacks (and What Can You Do About It) Ohad Bobrov, CTO twitter.com/LacoonSecurity.

Mobile Device Security Challenges  Mustaque Ahamad, Director, Georgia Tech Information Security Center  Patricia Titus, VP and Global Chief Information.

BotNet Detection Techniques By Shreyas Sali

All Your Droid Are Belong To Us: A Survey of Current Android Attacks 단국대학교 컴퓨터 보안 및 OS 연구실 김낙영

Niels Provos and Panayiotis Mavrommatis Google Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium.

Trend Micro Confidential 9/23/2015 Threat Rules Sharing Advanced Threats Research.

©2015 Check Point Software Technologies Ltd. 1 Rich Comber SME, Threat Prevention Check Point Software Technologies Moving to a Prevent Based Security.

Smart Protection Network Kelvin Liu AVP, Core Tech Development.

Technology Platforms: Applying Systems Thinking MIS5801: Cali, Colombia Richard Flanagan Adapted fronm material by Schuff, Mandviwalla,

Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.

A CRAWLER BASED STUDY OF SPYWARE ON THE WEB Vijay Savanth The University of Auckland Computer Science Department A. Moshchuk, T.

Spamscatter: Characterizing Internet Scam Hosting Infrastructure By D. Anderson, C. Fleizach, S. Savage, and G. Voelker Presented by Mishari Almishari.

Examining the Landscape and Impact of Android App Plagiarism Clint Gibler Ryan Stevens Jonathan Crussell Hao Chen Hui Zang Heesook Choi 1.

Developer TECH REFRESH 15 Junho 2015 #pttechrefres h Understand your end-users and your app with Application Insights.

© 2009 WatchGuard Technologies WatchGuard ReputationAuthority Rejecting Unwanted & Web Traffic at the Perimeter.

Security Analytics Thrust Anthony D. Joseph (UCB) Rachel Greenstadt (Drexel), Ling Huang (Intel), Dawn Song (UCB), Doug Tygar (UCB)

Basics of testing mobile apps

Android System Security Xinming Ou. Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base.

Mohammad Taha Khan *, Xiang Huo *, Zhou Li † & Chris Kanich * University of Illinois at Chicago * & RSA Labs † Every Second Counts: Quantifying the Negative.

MobileSecurity Vulnerability Assessment Tools for the Enterprise Mobile Security Vulnerability Assessment Tools for the Enterprise Integrating Mobile/BYOD.

FFIEC Cyber Security Assessment Tool

CERT cooperation with ISP’s on Cybersecurity C ă t ă lin P ă trașcu CERT-RO 29 October 2015 RONOG 2 Meeting1.

A Framework for Detection and Measurement of Phishing Attacks Reporter: Li, Fong Ruei National Taiwan University of Science and Technology 2/25/2016 Slide.

1 #UPAugusta Today’s Topics What are Deadly IT Sins? Know them. Fear them. Fix them. #UPAugusta201 6.

©2015 Check Point Software Technologies Ltd. 1 Website Watering Holes Endpoints are at risk in numerous ways, especially when social engineering is applied.

Mobile Device Security Threats Christina Blakley Host Computer Security.

©2015 Check Point Software Technologies Ltd. 1 [Restricted] ONLY for designated groups and individuals CHECK POINT MOBILE THREAT PREVENTION.

Enterprise’ Ever-Evolving Challenge & Constraints Dealing with BYOD Challenges Enable Compliance to Regulations Stay Current with New Consumption Models.

Blue Coat Confidential Web and Mobile Application Controls Timothy Chiu Director of Product Marketing, Security July 2012.

Fast Flux Hosting and DNS ICANN SSAC What is Fast Flux Hosting? An evasion technique Goal of all fast flux variants –Avoid detection and take down of.

Spike DDoS Toolkit A Multiplatform Botnet Threat.

MEDIA KIT. WHO WE ARE? YOUR TEXT HERE 6:58 min AVG. SESSION DURATION 13.6M+ UNIQUE USERS 2.8M+ FACEBOOK LIKES 189M+ MONTHLY PAGE VIEWS 71.3M+ RETURNING.

No boundaries with Unified Web Security Solutions Steven Vlastra Sr. Systems Engineer - Benelux.

CloudAV: N-Version Antivirus in the Network Cloud Jon Oberheide, Evan Cooke, Farnam Jahanian Electrical Engineering and Computer Science Department, University.

WHAT THE APP IS THAT? DECEPTION AND COUNTERMEASURES IN THE ANDROID USER INTERFACE.

I2Coalition: How To Build Relationships And Save Money With Better Abuse Reporting Moderator: Michele Neylon CEO, Blacknight.

GST Helpline - A Complete GST App TO RESOLVE GST INDIA QUERIES

Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks Sumayah Alrwais, Xiaojing Liao, Xianghang.

Under the Shadow of sunshine

A lustrum of malware network communication: Evolution & insights

A Lustrum of Malware Network Communication: Evolution and Insights

Android System Security

Mobile Application Development

On the road: Test automation in practice for a BMW map update service

BotCatch: A Behavior and Signature Correlated Bot Detection Approach

Dieudo Mulamba November 2017

CERT-GIB IN 2018 DNS FORUM 2018 Alexander Kalinin Head of CERT-GIB.

Mobile Security Evangelos Markatos FORTH-ICS and University of Crete

Mobile Security What is mobile secuirty & Identifying smartphone security holes& Sayed Hashimi Proposal Project.

When Machine Learning Meets Security – Secure ML or Use ML to Secure sth.? ECE 693.

Presentation transcript:

SESSION ID: #RSAC Chaz Lever Characterizing Malicious Traffic on Cellular Networks A Retrospective MBS-W01 Researcher Damballa,

#RSAC Mobile Malware

#RSAC Malware Going Nuclear

#RSAC Mobile Malware Research  Significant effort has been spent by researchers to characterize mobile applications and markets.  Market operators have invested significant resources in preventing malicious applications from being installed.  Extent to which mobile ecosystem is actually infected is still not well understood. Use network level analysis to better understand the threat.

#RSAC Data Collection  Use passive DNS (pDNS) data collected at the recursive DNS (RDNS) level.  Data collected from a major US cellular provider and a large traditional, non-cellular ISP. Cell Wired

#RSAC Characterizing Cellular Traffic Non- Mobile Mix Mobile Labeling of Devices Malicious Unknown Benign Classification of RR

#RSAC Cellular pDNS Data Summary Week (2012)HoursRRsDomainsHostsDevices (Avg) 4/15 - 4/211688,553,1558,040,1412,070,18922,469,561 5/13 – 5/191689,240,3728,711,7042,168,26624,223,108 6/17 – 6/231688,660,5558,109,5362,050,16821,932,245 Total (Unique) 50416,298,11414,828,1493,053,70422,874,971 Week (2014)HoursRRsDomainsHostsDevices (Avg) 11/01 – 11/ ,752,268158,214,78818,673,671132,152,348 11/08 – 11/ ,125,832163,740,91021,179,148152,832,654 11/15 – 11/ ,458,108166,929,11118,617,397159,200,303 11/22 – 11/ ,678,777162,213,5218,963,386160,788,608 11/29 – 11/304860,706,04553,244,3545,768,628137,285,304 Total (Unique) ,641,271613,350,81928,799,008151,858,362

#RSAC Cellular pDNS Data Summary Week (2012)HoursRRsDomainsHostsDevices (Avg) 4/15 - 4/211688,553,1558,040,1412,070,18922,469,561 5/13 – 5/191689,240,3728,711,7042,168,26624,223,108 6/17 – 6/231688,660,5558,109,5362,050,16821,932,245 Total (Unique) 50416,298,11414,828,1493,053,70422,874,971 Week (2014)HoursRRsDomainsHostsDevices (Avg) 11/01 – 11/ ,752,268158,214,78818,673,671132,152,348 11/08 – 11/ ,125,832163,740,91021,179,148152,832,654 11/15 – 11/ ,458,108166,929,11118,617,397159,200,303 11/22 – 11/ ,678,777162,213,5218,963,386160,788,608 11/29 – 11/304860,706,04553,244,3545,768,628137,285,304 Total (Unique) ,641,271613,350,81928,799,008151,858,362

#RSAC Hosting Infrastructure Observed 2,762,453 unique hosts contacted by mobile devices. Only 1.3% (35,522) of “mobile” hosts were not in the set of hosts contained by historical non-cellular pDNS data. The mobile Internet is really just the Internet. Mobile Hosts Mobile Hosts Wired Hosts Wired Hosts 1.3%

#RSAC Evidence of Malware  Public Blacklist (PBL)  Phishing and Drive-by-Downloads (URL)  Desktop Malware Association (MAL)  Mobile Blacklist (MBL)

#RSAC Observed Historical Evidence Mobile Specific Evidence

#RSAC Observed Historical Evidence Desktop Related Evidence

#RSAC Observed Historical Evidence (Redux) Mobile Specific Evidence

#RSAC Observed Historical Evidence (Redux) Desktop Related Evidence

#RSAC Platform % Population requesting tainted hosts (2012) % Population requesting tainted hosts (2014) iOS All other mobile (Android, etc.) Tainted Hosts and Platforms

#RSAC Platform % Population requesting tainted hosts (2012) % Population requesting tainted hosts (2014) iOS31.6% All other mobile (Android, etc.)68.4% Tainted Hosts and Platforms

#RSAC Platform % Population requesting tainted hosts (2012) % Population requesting tainted hosts (2014) iOS31.6% 38.9 % All other mobile (Android, etc.)68.4%61.1% Tainted Hosts and Platforms

#RSAC Platform % Population requesting tainted hosts (2012) % Population requesting tainted hosts (2014) iOS31.6% 38.9 % All other mobile (Android, etc.)68.4%61.1% Tainted Hosts and Platforms

#RSAC Mobile Malware in Numbers  Only 0.015% (3,492) out of a total of 23M mobile devices contacted MBL domains (observation period 2012).  Only % (9,688) out of a total of 151M mobile devices contacted MBL domains (observation period 2014).  According to National Weather Service, odds of an individual being struck by lightning in a lifetime is 0.01% (1/10,000)! Mobile malware is currently a real but small threat.

#RSAC Market and Malware (M&A) Dataset Market NameMarket CountryDate of Snapshot# Unique Apps# Unique Domains# Unique IPs Google Play*US09/20/11, 01/20/1226,33227,58147,144 SoftAndroidRU02/07/123,6263,0288,868 ProAndroidCN02/02/12, 03/11/122,4072,7128,458 AnzhiCN01/31/1228,76011,71924,032 NdooCN10/25/12, 02/03/12, 03/06/12 7,9145,93914,174 Malware Dataset Name Date of Snapshot # Unique Apps# Unique Domains # Unique IPs Contagio03/27/ ,324 Zhou et al02/ ,413 M103/26/20121, ,540 * Top 500 free applications per category only

#RSAC M&A Overlap with Wired pDNS  At most 10% of M&A hosts are outside our non-cellular pDNS dataset.  More than 50% of M&A hosts are associated with at least seven domain names. Mobile applications reusing same hosting infrastructure as desktop applications. M&A Hosts M&A Hosts Wired Hosts Wired Hosts 10%

#RSAC Lifecycle of a Threat  Threat publicly disclosed by security community in October.  Associated domain no longer resolved at time of disclosure. Point of Disclosure October Threat ε

#RSAC Network Behavior  Mobile threats show high degree of network agility similar to traditional botnets. Use of network based countermeasures may help better detect and mitigate threats. Threat β

#RSAC Summary of Observations  Mobile Internet is really just the Internet.  Mobile malware is still a real but small threat.  Mobile applications reusing same infrastructure as desktop applications.  Analysis of mobile malware slow to identify threats.  Network based countermeasures can and should be used.

#RSAC Apply What You Have Learned Today  What you can do today:  When downloading applications for your mobile device, try and stick to first-party application markets.  Be mindful that certain threats like phishing can be more effective against mobile users due to limited screen real estate.  What you should be doing in the future:  Leverage your existing network infrastructure to help identify mobile devices.  Analyzing the network infrastructure mobile devices are contacting by using new or existing tools to evaluate the reputation of that infrastructure.

#RSAC Questions?

#RSAC References  The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers, Network & Distributed System Security Symposium (NDSS), 2013 The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers  Mobile Malware Sources (Public)  Contagio Mobile Malware (  Android Malware Genome (  VirusTotal (