Can You Infect Me Now? Malware Propagation in Mobile Phone Networks Authors: Presented by: Michael Annichiarico

Mobile Malware Like normal malware, but on mobile phones  (smart phones and dumb ones too)‏ Why worry about mobile malware?  “combination of vulnerable platforms (symbian), unsuspecting users, and explosive growth in potential victims will inevitably attract propagating malware”

What Makes This Paper Different? Previous malware propagation research:  Proximity Propagation Bluetooth, etc This research:  Focuses on propagation via the telecommunications network

Why Moble Malware? (from the bad guy's perspective)‏ Smart phones are a lot like PCs:  market share per OS (72% symbian)‏  software vulnerabilities exist Exploited smart phones could provide an attacker with means to:  steal private data / users' identities  spam  make free calls  execute (D)DoS

Main Paper Goal(s)‏ Simulate the effects of mobile malware propagation via the telecommunications network  Simulated both VoIP malware and MMS malware Draw some conclusions for defending

Simulator Event Driven, Custom Code. (so they could better adapt for their needs)‏ 1 second step size, stepping 12 hours Infection beginning at a single phone Telecom Network  UMTS Topology  Boston Metro Area

Network: UMTS UMTS is the 3G successor to GSM  (2.5G/GPRS, 2.75G/EDGE)‏  Network side is very similar to GSM, air interface side changed to support higher data rates. Signaling and control are negligible (ignored in the model)‏

Topology: Boston Metro Area 100sq miles, divided into 1sq mile cells Mobile Station Distribution  from US Census data  scaled by 78% (by cell phone penetration)‏ Mobility is not modeled  Authors speculate the bottleneck will be in the network, not at the air interface

Simplified UTMS Network

Simulation Construction Assume normal MMS usage is based on a charge per message MMS Server Capacity  Server handles 100 msg/sec, although higher rates were simulated with “a qualitatively similar result” Authors explanation: MMS server will not be dimensioned to handle users behaving like an aggressive worm (i.e., sending large numbers of messages as quickly as possible). Bottom-up design of the UMTS Network

Simplified UTMS Network

Modeled UTMS Network

Simulation Parameters 1 single server serving 100 msg/sec 49 servers serving 10k users each 49 servers 9616 Node B's 2Mbps 100Mbps 1Gbps links between SGSNs

Simulation Notes “The granularity of our Node B placement was a limiting factor of our initial population data. A finer granularity would, no doubt, offer a more detailed and accurate picture of malware propagation.”

Spreading via Phone books/Contact Lists No published studies of address book characteristics found, so:  contacts (upper limit from empirical data on phone book maximums)‏  Phone book/contact degree distributions based on statistical analysis

Phonebook/contact degree distributions (for contact list size)‏ Power-Law: from yahoo groups, and other authors' research. Log-Normal: from social networking websites' statistics. Erlang Dist: from authors' experiment (but very small sample size of 73)‏

Node Attachment... you dont call everybody in your address book Probabilistically randomly assign address book size based on distribution, then...  70% - “The probability that two users were friends was proportional to the inverse of the number of people between them.”(from LiveJournal.com study)‏  30% uniformly randomly assigned

Attack Vector: VoIP Assumes vulnerable service on the mobile phone which does not require user interaction Assume all phones are vulnerable.  (Authors note that in reality a fraction would be vulnerable, and they state a qualitatively similar result)‏

Simulated Propagation of VoIP Malware  “...constrained bandwidth should also be considered; but doing so requires estimating typical traffic characteristics, and we lacked meaningful data on which to base such estimates.” --- ?????

Techniques for Faster Propagation of VoIP Malware (and Simulation Results)‏ Divide and distribute (transfer) contacts from address book Congestion backoff (wait) 10s

Attack Vector: MMS Handled by central MMS server Requires user interaction  only a percentage “F” act on message Can be done while phone is off  So there is a wait time to answer messages. Mixture of two Gaussian distributions centered at 20s & 45m

Simulated Propagation of MMS Malware

Techniques for Faster Propagation of MMS Malware Congestion backoff (10s)‏  Not very much advantage, due to MMS central server constraint. Divide and distribute contacts from address book  Same as above Global contact book method  Infected half the population in 12 hrs. (what F value?)‏

Faster MMS Malware Propagation

Defending Against Mobile Malware Propagation in Telecom. Networks (This section is way too small in the paper, would have liked to see more on this.)‏ Rate Limiting  ACCELLERATES infection! (same as congestion avoidance)‏ Blacklisting Containment  large number still get infected more slowly (no details given on %).  removing phones leads to a less congested network for those infected but non-blacklisted phones Content Filtering  “Seems promising due to centralized topology.” "Investigating whether it's practical remains future work." (and they didnt provide any information on how promising or why)‏

Questions?