Monitoring Malware at Runtime

From Last Lecture
- Malware authors use advanced coding to avoid detection
- AnserverBot is a very sophisticated piece of software
- AV software is lagging behind: low detection rate on new malware, and a large exposure window before the signature DB is updated
- Main issue: AVs rely only on the app signature
- What we need is a tool to detect runtime behaviour

FireDroid
- Our group is developing a new Android security framework
- FireDroid is capable of monitoring app execution and enforcing security policies
- No need to modify the Android OS code! The only modification is to insert a line of text in the init.rc file
- FireDroid enables us to monitor the system calls executed by apps (and malware)

System Call Interposition
- System calls are used by apps to interact with the kernel
- By intercepting sensitive system calls we can enforce security policies to better protect Android
- We can also use FireDroid to obtain information about the system calls executed by apps

Malware Genome Project
- Collection of 2GB of malware samples
- We have executed some of these samples within the FireDroid sandbox
- In the following, we are going to see some more details
- After the semester break, Daniel will provide a live demo

Plankton
- Communicates with a C&C server
- Sends some info when the installation is complete, together with some settings of the phone

Opening a socket
[1743] syscall=socket(281) domain:PF_INET6 type:SOCK_STREAM protocol:IPPROTO_IP
******************************
[1743] syscall=bind(282) socket: socket:[26088] sa_family = AF_INET6 port = 0 address = ::
******************************
[1743] syscall=connect(283) socket: socket:[26088] sa_family = AF_INET6 port = 80 address =
******************************

Establishing a connection
******************************
[1743] syscall=sendto(290) socket: socket:[26088] Connected Socket! data len: 168
data: POST /ProtocolGW/installation HTTP/1.1
Content-Length: 1426
Content-Type: application/x-www-form-urlencoded
Host:
Connection: Keep-Alive
******************************
[1743] syscall=sendto(290) socket: socket:[26088] Connected Socket! data len: 1024
data: action=get&applicationId= &developerId= & deviceId= &currentVersion=-1&permissions=android…..

FakePlayer
- Its main activity is to send SMS
- It gets the handle for the SMS service from the Service Manager
- Then it sends SMS to a premium number (7132) with different subscription codes

Sending SMS
[*1905]ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION: target name = android.os.IServiceManager target = 0x0 code = SVC_MGR_GET_SERVICE service name = isms data size = 80
******************************
[*1905]ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION: target name = com.android.internal.telephony.ISms target = 0x9 code = 5 (sendText) data size = 128
Destination: 7132
SMS Body:

AnserverBot
- Retrieves information from the Telephony services: telephone number, International Mobile Station Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI)
- This info is quite sensitive because it specifically points at YOU!

Getting the PhoneSubInfo Service
[*2071]ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION: target name = android.os.IServiceManager target = 0x0 code = SVC_MGR_GET_SERVICE service name = iphonesubinfo
******************************
[*2071]ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION: target name = com.android.internal.telephony.IPhoneSubInfo target = 0xe code = 5 data size = 100
data in text format: code 5: getLineNumber: Retrieves the phone number string for line 1

Getting More Info
******************************
… code 1: getDeviceId: Retrieves the unique device ID, e.g., IMEI for GSM phones.
******************************
… code 4: getIccSerialNumber: Retrieves the serial number of the ICC, if applicable.
******************************
… code 2: getDeviceSvn: Retrieves the software version number for the device, e.g., IMEI/SV for GSM phones.
******************************
… code 3: getSubscriberId: Retrieves the unique subscriber ID, e.g., IMSI for GSM phones.

AnserverBot Fetching from Baidu
******************************
[1639] syscall=connect(283) socket: socket:[57270] sa_family = AF_INET6 port = 80 address =
******************************
[1639] syscall=sendto(290) socket: socket:[57270] Connected Socket! data len: 153
data: GET / HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.0.4; sdk Build/MR1)^M
Host:
Connection: Keep-Alive
Accept-Encoding: gzip

AnserverBot Fetching from Baidu
[1639] syscall=recvfrom(292) socket: socket:[57270] Connected Socket! data len: 128
data: HTTP/ OK^M
Set-Cookie: BAIDUID=127C8FA29422CAB3BA61707A4969F5DB:FG=1; max-age= ; expires=Tue, 29-Oct-13 01:17:10 GM
******************************
[1639] syscall=recvfrom(292) :00:00 GMT; path=/; domain=.baidu.com^M
P3P: CP='' OTI DSP COR IVA OUR IND COM ``^M
Cache-Control: no-cache^M
Content-type: text/html
******************************
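The traces on the Plankton, FakePlayer and AnserverBot slides share one shape: socket syscall records carrying the peer and payload, and Binder ioctl records carrying the target interface and transaction code. The following is an added example, not FireDroid's own code, that parses constructed records in that format and flags the behaviours the slides walk through (network connections and HTTP requests, the ISms sendText transaction with its destination number, and IPhoneSubInfo identifier reads). The sample address, payloads and SMS body are constructed placeholders.

```python
import re

# Constructed sample trace modelled on the slide output; the address, payload
# and body values are placeholders, not values captured from the real samples.
SAMPLE_TRACE = """\
[1743] syscall=connect(283) socket: socket:[26088] sa_family = AF_INET6 port = 80 address = ::ffff:192.0.2.10
[1743] syscall=sendto(290) socket: socket:[26088] Connected Socket! data len: 168 data: POST /ProtocolGW/installation HTTP/1.1
[*1905]ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION: target name = android.os.IServiceManager target = 0x0 code = SVC_MGR_GET_SERVICE service name = isms data size = 80
[*1905]ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION: target name = com.android.internal.telephony.ISms target = 0x9 code = 5 (sendText) data size = 128 Destination: 7132 SMS Body: placeholder
[*2071]ioctl on /dev/binder with BINDER_WRITE_READ cmd:BC_TRANSACTION: target name = com.android.internal.telephony.IPhoneSubInfo target = 0xe code = 1 data size = 100
"""

SYSCALL_RE = re.compile(r"^\[(?P<pid>\*?\d+)\] syscall=(?P<name>\w+)\(\d+\)(?P<rest>.*)$")
BINDER_RE = re.compile(r"^\[(?P<pid>\*?\d+)\]ioctl on /dev/binder .*?target name = (?P<iface>\S+)"
                       r" .*?code = (?P<code>\w+)(?P<rest>.*)$")
# IPhoneSubInfo transaction codes as listed on the "Getting More Info" slide
PHONESUBINFO_CODES = {1: "getDeviceId", 2: "getDeviceSvn", 3: "getSubscriberId",
                      4: "getIccSerialNumber", 5: "getLineNumber"}

def parse_record(line):
    """Turn one trace line into a dict; separators and unknown lines give None."""
    m = SYSCALL_RE.match(line)
    if m:
        fields = dict(re.findall(r"(\w+) = (\S+)", m["rest"]))   # sa_family, port, address
        payload = m["rest"].split("data: ", 1)[1] if "data: " in m["rest"] else ""
        return {"kind": "syscall", "pid": m["pid"].lstrip("*"), "name": m["name"],
                "port": int(fields.get("port", 0)), "address": fields.get("address", ""),
                "data": payload}
    m = BINDER_RE.match(line)
    if m:
        svc = re.search(r"service name = (\S+)", m["rest"])       # only on SVC_MGR_GET_SERVICE
        dest = re.search(r"Destination: (\S+)", m["rest"])        # only on ISms sendText
        return {"kind": "binder", "pid": m["pid"].lstrip("*"), "iface": m["iface"],
                "code": m["code"], "service": svc and svc.group(1), "dest": dest and dest.group(1)}
    return None

def analyse(trace):
    """Return (finding, pid, detail) tuples for the sensitive actions seen in a trace."""
    findings = []
    for rec in filter(None, map(parse_record, trace.splitlines())):
        if rec["kind"] == "syscall" and rec["name"] == "connect":
            findings.append(("network-connect", rec["pid"], f"{rec['address']}:{rec['port']}"))
        elif rec["kind"] == "syscall" and rec["name"] == "sendto" and rec["data"].startswith(("GET ", "POST ")):
            findings.append(("http-request", rec["pid"], rec["data"].split(" HTTP/")[0]))
        elif rec["kind"] == "binder" and rec["code"] == "SVC_MGR_GET_SERVICE":
            findings.append(("service-lookup", rec["pid"], rec["service"]))
        elif rec["kind"] == "binder" and rec["iface"].endswith(".ISms") and rec["code"] == "5":
            findings.append(("sms-send", rec["pid"], rec["dest"]))   # sendText, as in FakePlayer
        elif rec["kind"] == "binder" and rec["iface"].endswith(".IPhoneSubInfo"):
            findings.append(("identifier-read", rec["pid"], PHONESUBINFO_CODES.get(int(rec["code"]), rec["code"])))
    return findings
```

Running `analyse(SAMPLE_TRACE)` yields one finding per record; a policy engine in the style of FireDroid would act on the same decision points (the connect, the ISms code 5 transaction, the IPhoneSubInfo reads) instead of only reporting them.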

Questions?