Cross-Platform Malware contamination

Aims and Objectives of Project
Understand and analyse current malware strategies
 Analyse in detail various malware infection vectors and
new revenue channels being exploited
 Review malware concealment and detection strategies
 Carry out an infection between Android device and
Windows, analysing in detail what is happening
 Propose an efficient and practical way in which crosscontamination across platforms can be restricted
 Challenges and barriers to the implementation of our
Malware history
Mobile malware timeline, attack vectors
and new revenue channels created
Malware concealment and detection
Analysis of cross-platform malware
Limiting cross-platform malware
Challenges and barriers to implementation
Concluding remarks
Malware history
Definition of malware - A general term used
to refer to any software that is installed on
a machine and performs unwanted
(malicious) tasks (Christodorescu et al,
Different classifications have been
attempted, mostly based upon the payload
type, vulnerabilities exploited and
propagation mechanisms used
Malware history
Became known to many computer users
through the Melissa virus in 1999 and the
LoveLetter worm in 2000 (Dunham et al,
Mobile malware timeline
• Timofonica (targeted at Movistar mobile operator)
• Cabir (first worm to target mobile phones)
2004 • Duts (malware targeted at Windows Mobile)
• FakePlayer (first SMS trojan for Android devices)
• Obad (spread via alien botnets)
• FakeBank (Windows trojan attacks Android devices)
Mobile malware attack vectors
Attack Vectors
User Interface
Screen size
Mobility issues
Mobile malware revenue channels
New revenue channels exploited by mobile
 Billed events
○ Premium-rate numbers still being used to target
mobile devices – malicious users can force mobile
devices to send premium-rate SMS messages
 Payment systems
○ Mobile devices being used as physical payment
○ Proximity payments (such as NFC) has opened up
new possibilities for malicious attackers e.g. inject
malicious URL through NFC tags
Cross-platform contamination
First example of cross-platform malware
contamination was the Morris Worm
(Orman, 2003)
Released in 1988
In less than 24 hours, caused great damage
Slowed thousands of systems
Exploited vulnerabilities on VAX and SUN
Microsystems platforms; and the Sendmail
email delivery software
Cross-platform contamination
Following the Morris worm, other multiplatform malware emerged:
1999 – W32/W97M Coke
2000 – W32/HLP Dream and Pluma
2001 – W32/Linux Peelf
2010 – StuxNet
2011 – Duqu
2014 – FakeBank
Cross-platform contamination
Proof-of-concept by Wang and Stavrou
using USB in 2010 (Z. Wang and A.
Stavrou, 2010)
 USB commonly used as a means to charge,
communicate and synchronise
 Malware exploits this connection to
propagate itself
 In 2010, Wang and Stavrou demonstrated
how a PC can use USB connection to
unlock and flash software of a mobile device
Cross-platform contamination
Proof-of-concept breaking Mobile Transaction
Authentication Numbers (Dmitrienko et al,
 Attack was divided into three phases
 First phase, malware installed on the terminal
steals the user’s credentials
 Second phase involves cross-platform infection
 Third phase, the malicious attacker performs
transaction with the user’s bank, mimicking the
Malware concealment strategies
Malware concealment strategies serve one
purpose, namely survival of the code
The longer malware can protect itself from
detection, the more time it has available for
replication and infection
Malware concealment strategies
Aim to increase the span of time between
infection and detection phases
Phase 1
Phase 4
Phase 2
Phase 3
Malware concealment strategies
Passive strategies to evade detection:
 Malware which implements a set of
techniques to hide itself from detection, such
as bypassing anti‐virus or anti‐malware
signature detection
Active strategies to evade detection:
 Malware that, apart from concealing their
presence, actively tries to hinder the
detection and analysis of the code
Malware detection strategies
Using static techniques:
 Signature analysis and hashing
 Extracting system calls
 Static taint analysis
Using dynamic techniques:
 Dynamic taint analysis
 Behavioural analysis
Malware detection strategies
Using heuristics:
 Monitoring API and system calls
 OpCode analysis
 Using N-Grams
 Control flow graphs
Using hybrid techniques
Analysis of cross-platform malware
Practical implementation of cross-platform
infection for detailed analysis
 Used a physical Android 4.1.1 tablet
connected via USB Device Filter to a host
running a virtual machine with Windows XP
 Malware sample used was DroidCleaner,
served via another virtual machine running
Kali Linux and Apache
Analysis of cross-platform malware
Tablet device connected to our web server,
downloaded and installed the malicious
Analysis of cross-platform malware
Shark for Root was launched and kept in
listening mode
 DroidCleaner application launched and
‘Default Cleanup’ was selected
Analysis of cross-platform malware
Following the hypothetical clean-up,
DroidCleaner was closed
 Shark Reader was then used to review the
logs generated by Shark for Root
 Two IPs were noted:
 – host located on the
Amazon Cluster
 – reported by
as serving a number of known malware files
Analysis of cross-platform malware
All latest Windows XP updates were
installed but the default installation settings
were left enabled
 Autorun feature was kept enabled for the
purpose of our analysis
 Launched two applications on our Windows
XP machine, Process Hacker and Wire
Analysis of cross-platform malware
Upon connecting the tablet to the Windows
XP machine, Process Hacker detected two
unknown applications namely ‘pwd.exe’
and ‘Start.exe’
A short while afterwards, the application
‘Start.exe’ generated an application error
Analysis of cross-platform malware
Analysis of cross-platform malware
Wire Shark was stopped and proceeded
to analyse the logs generated
 We noted that our XP machine was
trying to connect to IP
using SSLv3
 This IP address was checked again
 Reported to resolve to
Analysis of cross-platform malware
Analysis of cross-platform malware
ILSpy was launched and file ‘svchosts.exe’
 File contains the NAudio library, launched
upon program execution
 NAudio is an open source .NET audio and
MIDI library
 Confirmed our initial thoughts that this
malware will record, and upload, voice
recordings to the attacker
Analysis of cross-platform malware
To further the analysis, the function
‘XControl’ was opened and the following
details were noted:
 the attacker’s server (hostname)
 the FTP user name and password
 the destination port number to use
Analysis of cross-platform malware
Analysis of cross-platform malware
The file was then uploaded to an online
sandbox analysis facility
 Two anti-debugging techniques were found
 Guard pages – used to protect against
reverse engineering and debugging,
returning an exception
 SystemKernelDebuggerInformation – a
feature used to check for kernel debuggers
attached to the system
Analysis of cross-platform malware
We then analysed the Android application
using various tools found within the Kali
Linux distribution
Of particular interest are the various
commands which the attacker can use
once the mobile device is infected
Analysis of cross-platform malware
Analysis of cross-platform malware
Registration of the Android device was
made using config file ConnectorService
 The device was instructed to send the
command string:
‘|NEW_HELLOW|’ followed by ‘ACCT +
 On successful connection, the device
would then download three files
‘svchost.exe’, ‘Kst.exe’ and ‘Controller.exe’
Analysis of cross-platform malware
 The unsuspecting user downloads a rogue
 When the user launches the application, it
communicates with a remote
command‐and‐control server
 The user then proceeds to connect his
Android device to the computer
 The malware on the Android device
propagates to the victim’s computer
Limiting cross-platform malware
Malware creators are being craftier in
evading anti-malware engines
 Through our research, it was noted that
detection through anti-malware engines is
carried out from within the operating
 The actual anti-malware engine is running
as a process in itself which can be easily
subverted and inherits weaknesses in the
operating system
 Zero-day exploits and other advanced
persistent threats are a daily occurrence
Limiting cross-platform malware
Proposal of adding a new layer between
the hardware layer and the operating
system/kernel layers
 Security layer denoted as hypervisor
 Can be used to monitor and protect the
whole system
 Must be lightweight in resources
consumed, transparent to the operating
system and compatible across multiple
Limiting cross-platform malware
We still need some sort of malware
detection technique in order to detect the
presence of malicious intentions during
programme execution
Malware using polymorphism or
metamorphism can easily evade static
malware detection
Limiting cross-platform malware
In addition, static detection is largely based
on signatures
 These systems are equipped with a
database of known signatures or
instructions that are considered malicious
 Such a setup imposes a restriction on the
frequency when this signature database is
updated e.g. out of (3G) data reception
Limiting cross-platform malware
During our malware analysis, we showed
how DroidCleaner attacked both Android
and Windows
 Through registration of our Android device
to the attacker’s server, access to the
various hardware components was made
 On Windows, the attacker could install an
open source audio library that controlled
microphone activation and the local
Limiting cross-platform malware
User applications
Protected operating system
Hypervisor level
Hardware components
Limiting cross-platform malware
We propose two configuration sets
One set, S1, will contain hardware features
to be monitored e.g. GPS sensor, WiFi,
microphone, camera
The other set, S2, will contain the
permissions requested for S1 e.g. take a
picture, enable WiFi, access microphone
Limiting cross-platform malware
By way of example:
If hypervisor detects a request to access
camera (S1) for taking a snapshot (S2), the
request will be allowed if a previous user
activity took place within a configured
timeout in seconds
Limiting cross-platform malware
Start Device
Load Dataset
Deny Access,
Allow Access,
If timeout is <
than limit set
Check User
If timeout is >
than limit set
Challenges to implementation
Access to hardware drivers and source code
due to diversification of the Android platform
(ARM, Intel to name a few)
Power management and battery life are a
critical factor – possible use of ‘wakelocks’ in
Android to avoid constant polling (allow apps
to notify the kernel that they are doing
something, and that the kernel should not put
the device to sleep)
Challenges to implementation
Functionality is a critical factor – added
benefits of security are seen as extra
burden, limiting use of their device
Security review – cannot be software with
an unknown internal structure; opening the
system to the security community allows
independent assessment of its exposure to
Concluding remarks
Significance of our research
Gain a better understanding of the way cross‐platform
malware contamination occurs in practice
An attempt was made to come up with a new
framework that can assist us in limiting such
contamination, moving away from traditional detection
Future research
The weaknesses affecting current malware detection
strategies lie at the basis of our departure from the
traditional view of how we can protect devices in
favour of new methods designed to amplify the
effectiveness of existing detection techniques
Practical hints for your project
Liaise with your personal adviser to discuss
your interests and direct you to relevant
tutor sharing your interests
 Make early contact and try to come up with
two to three areas of interest
 Prepare a solid timetable, defining the
chapters, amount of pages to write and set
 Adjust your timetable schedule where
necessary but try not to diverge too much
M. Christodorescu, S. Jha, D. Maughan, D. Song and C. Wang,
"Introduction to Malware Detection," in Malware Detection, New York, USA,
Springer Science and Business Media, 2007, p. IX
K. Dunham, S. Abu‐Nimeh, S. Fogie, B. Hernacki, J. A. Morales and
C. Wright, Mobile
Malware Attacks and Defense, Syngress Publishing Inc, 2009
H. Orman, "The Morris Worm: A Fifteen‐Year Perpective," Security &
Privacy, IEEE, vol. 1, no. 5, pp. 35‐43, November 2003
Z. Wang and A. Stavrou, "Exploiting Smart‐Phone USB Connectivity for Fun
and Profit," in Preceedings of the 26th Annual Computer Security
Applications Conference (ACSAC), 6‐10 December pp. 357‐366, Austin,
Texas, USA, 2010
A. Dmitrienko, L. Davi, A.‐R. Sadeghi and C. Liebchen, "Over‐the‐Air
Cross‐platform Infection for Breaking mTAN‐based Online Banking
Authentication," in Black Hat 2012, Abu Dhabi, UAE, 2012
Thank you
[email protected]

similar documents