Computer Virology and Mobile Malware Detection
Francesco Mercaldo
IIT-CNR
Outline
• Introduction
• Computer Virology
  • Malware taxonomy
  • Encrypted malware
• Malware Detection
• Mobile Security
  • Composition Malware
  • An Hybrid Tool for Accurate Detection of Android Malware
• Conclusion
Threat Landscape 2017
Malware Statistics
Malware
• Software intended to intercept or take partial control of a computer's operation without the user's informed consent
• It subverts the computer's operation for the benefit of a third party
The purpose of malware
• To partially control the user's computer, for reasons such as:
  • to subject the user to advertising
  • to launch a DDoS against another service
  • to spread spam
  • to track the user's activity ("spyware")
  • to commit fraud, such as identity theft and affiliate fraud
  • to spread FUD (fear, uncertainty, doubt)
Taxonomy of Malicious Software
One form of categorisation:
• Host dependent
  • Program fragments dependent on an
    • Application
    • Utility
    • System program
• Host independent
  • Self-contained programs
  • Can be scheduled and run by the OS
Taxonomy of Malicious Software
Another form of categorisation:
• Those that do not replicate
  • Fragments of programs activated when the host program is invoked to perform a specific function
• Those that replicate
  • Program fragment
    • Virus
  • Independent program
    • Worm
    • Zombie
Malicious Software
Trap Door (aka backdoor)
• Any mechanism that bypasses a normal security check
• Code that recognises special input
  • e.g. a particular user ID or a sequence of events
• Secret entry point into a program
  • Allows entry without going through the normal security access procedures
• Used originally as
  • An aid to programmers to gain access without going through lengthy access procedures (legitimate use for debugging and testing)
  • A method of activating the program should something go wrong with the authentication procedure
• Threat
  • When used by malicious parties for unauthorised access
Logic Bomb
• Code embedded in a legitimate program
  • Primed to activate under key conditions
• Examples
  • Presence or absence of files
  • Day of week
  • Date
  • Particular user
• Once triggered:
  • Can alter/delete data/files
  • Cause the machine to halt
  • Other damage …
• One of the oldest types of malicious software
Trojan Horse
• Useful, or apparently useful, program / command procedure
  • Contains hidden code
  • Upon activation, performs an unwanted/harmful function
• Example: gaining access to another user's files on a shared system
  • Create a Trojan horse that, when executed, changes the invoking user's file permissions so that everyone can read them
  • The author induces users to run the program by placing the file in a common directory and naming it as an apparently useful utility
  • E.g. a program that produces a listing of the user's files in a desirable format; after the user runs it, the author can access the user's files
• Common motivation for a Trojan horse: data destruction
  • The Trojan appears to perform a useful function but also deletes the user's programs
Zombie
• Program that secretly takes over another computer (over the Internet)
• Motive: to use that computer to launch attacks
  • Makes it difficult to trace the attack back to the author
• Example: denial of service attacks against a particular web site
  • Zombies planted on hundreds of unsuspecting nodes
  • Used to launch an overwhelming onslaught of Internet traffic on the target
Worm
• Doesn't require a human as part of the propagation process
• Actively seeks machines to infect
• Infected machines become a launch pad for attacks on other machines
Viruses
• Virus: a program that can "infect" other programs by modifying them
  • The modification includes embedding a copy of the virus program within the host program
  • That copy is then used to "infect" other programs
  • The virus carries instruction code for making copies of itself (like its biological counterpart)
• Once loaded in the host computer
  • The typical virus takes temporary control of the disk operating system
  • Whenever the infected computer comes into contact with an uninfected program, a copy of the virus is passed into the new program
• The "infection" spreads from computer to computer through disk swapping and the sending of programs/files over a network
  • The network is seen as the perfect medium for the proliferation of a virus
The Nature of Viruses
• Viruses
  • Attach themselves to host programs
  • Execute secretly when the host program is run
  • Once invoked they can perform any function
    • Erasing files, programs, …
• Major components
  • Infection mechanism: the code that enables replication
  • Trigger: the event that makes the payload activate
  • Payload: what it does, malicious or benign
The Nature of Viruses
• 4 phases
• Dormant
  • Virus idle
  • Activated by an event (e.g. date, presence of a program/file, disc capacity exceeding a particular value)
  • Not all viruses have a dormant stage
• Propagation
  • Virus places a copy of itself in another program or in a system area of the disc
  • The infected program will contain a clone of the virus
• Triggering
  • Virus activated for its intended function
  • Activated by an event, e.g. date, presence of a program/file, disc capacity exceeding a particular value, number of times a clone has been created, …
• Execution
  • The function is performed, ranging from harmless (messages on screen, letters dropping to the bottom of the screen, ambulances racing across the screen) to catastrophic (destruction of programs / data files, …)
Encrypted malware
• Start from the malicious bytecode (shown on the slide; not reproduced here)
• A polymorphic variant is created by encrypting the bytecode with an encryption function and a key chosen for that copy
• The resulting malicious bytecode is the encrypted form: it no longer matches a signature taken from the original, and a small decryptor restores the original at run time
Morphic Virus
• Polymorphic virus
  • Mutates with every infection, so a fixed byte signature of the encrypted body no longer identifies it
  • Has a specially designed mutation engine (the decryptor also mutates), so the decryptor cannot serve as a stable signature either
• Metamorphic virus
  • Mutates with every infection, rewriting itself completely at each iteration
  • Changes behaviour and/or appearance, increasing the difficulty of detection
Figure (Replication): how a basic virus, a polymorphic virus and a metamorphic virus replicate, with the resulting metamorphic variants.
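The two slides above describe encryption-based polymorphism without a runnable artefact (the bytecode images did not survive extraction). The following is an added example, not from the slides or their author: a toy packer in which a constant payload is XOR-encrypted under a fresh key at every "infection" and prefixed with a decryptor stub. The payload, the stub marker `DECR` and the variant layout are all constructed for illustration. Unlike the mutation engine described on the slide, this toy keeps the decryptor stub fixed on purpose, so the reader can see exactly which bytes a signature scanner can still match.

```python
"""Added example (not from the slides): a toy polymorphic packer.

Layout of one variant:  STUB_MAGIC || key_len (1 byte) || key || XOR(payload, key)
The encrypted body differs per variant; the stub does not (a deliberate
simplification; a real polymorphic engine mutates the decryptor too).
"""
import hashlib
import os
from typing import Optional

# Constructed stand-in for the malicious bytecode shown on the slide.
PAYLOAD = b"MALICIOUS-PAYLOAD: drop files, then phone home"

# Constructed marker for the (here constant) decryptor stub.
STUB_MAGIC = b"DECR"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with the repeating key; XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_variant(payload: bytes = PAYLOAD, key: Optional[bytes] = None, key_len: int = 8) -> bytes:
    """Emit one polymorphic variant; a fresh random key is drawn per infection unless one is given."""
    if key is None:
        key = os.urandom(key_len)
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return STUB_MAGIC + bytes([len(key)]) + key + xor_bytes(payload, key)


def run_variant(variant: bytes) -> bytes:
    """What the stub does at run time: read the key and recover the plaintext payload."""
    if not variant.startswith(STUB_MAGIC):
        raise ValueError("not a variant produced by this packer")
    key_len = variant[len(STUB_MAGIC)]
    key_start = len(STUB_MAGIC) + 1
    key = variant[key_start:key_start + key_len]
    return xor_bytes(variant[key_start + key_len:], key)


def signature_hits(variants, signature: bytes) -> int:
    """Count variants containing the byte signature (what a pattern scanner would do)."""
    return sum(1 for v in variants if signature in v)


def demo(n: int = 5) -> dict:
    """Generate n variants and summarise what a scanner sees versus what actually runs."""
    variants = [make_variant() for _ in range(n)]
    return {
        # every variant hashes differently: a whole-file hash signature is useless
        "distinct_file_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        # ...yet every variant decrypts to the very same payload
        "all_run_same_payload": all(run_variant(v) == PAYLOAD for v in variants),
        # a signature taken from the plaintext body matches none of the encrypted bodies
        "plaintext_signature_hits": signature_hits(variants, PAYLOAD[:8]),
        # the unchanged decryptor stub is the only thing left to match
        "stub_signature_hits": signature_hits(variants, STUB_MAGIC),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports `n` distinct file hashes, zero hits for the plaintext signature and `n` hits for the stub marker, which is why the slide's point about the decryptor mutating matters: once the stub changes too, even that residual signature disappears and detection has to move to behaviour or emulation.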
Vx Heaven
• http://83.133.184.251/virensimulation.org/
Malware Detection State of the Art
• Commercial side: anti-virus code base, signature based
  • Much the same as standard desktop AVs
  • The same brands also ship a mobile edition
• Pro: ease of use and a very low false-positive rate
• Cons: ineffective against new threats (zero day) and against variants whose signature is not yet in the database
Signature-Based Approach
• Blacklist of known signatures to identify known threats
  • Binary-based
Figure: the application under analysis (…01100010010010010…) is hashed into h1, h2, h3…; the hashes are looked up in the signature DB of known binary patterns (…01100010010010010…, …00100010011010010…, …11100010010011010…); a match on h2 produces the result.
Signature-Based AV Software
• Requires a virus signature to identify a virus
• Virus signature
  • Early viruses had essentially the same bit pattern in all copies
  • A small piece of the virus code is used as the means of identification
  • A good signature is one that is found in every object infected by the virus, but is unlikely to be found if the virus is not present
    • Not too short (false positives), not too long (false negatives)
Signature-Based AV Example
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
• The EICAR standard anti-virus test file: a harmless 68-byte string that AV engines detect by agreement, used to check that a scanner is working
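As an added example (not from the slides), the following minimal scanner implements the two signature kinds the slides describe, a whole-file hash and a byte pattern from inside the sample, and runs them over the EICAR string shown above plus a few constructed samples. The signature names, the one-byte variant and the "clean" file are all constructed here; the scan makes the length trade-off concrete: a pattern that is too short fires on a benign file (false positive), while a whole-file hash misses a variant that differs by a single byte (false negative).

```python
"""Added example (not from the slides): a minimal signature-based scanner."""
import hashlib

# The EICAR standard anti-virus test file (68 bytes). The backslash is escaped for Python.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature DB. "hash" matches the entire file; "pattern" matches a
# byte substring anywhere in the file. The third entry is deliberately too short.
SIGNATURE_DB = {
    "EICAR-Test-File.hash": ("hash", hashlib.sha256(EICAR).hexdigest()),
    "EICAR-Test-File.pattern": ("pattern", b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"),
    "TooShort.pattern": ("pattern", b"H+H*"),
}


def scan(sample: bytes, db=SIGNATURE_DB) -> list:
    """Return the names of all signatures in db that match the sample."""
    digest = hashlib.sha256(sample).hexdigest()
    hits = []
    for name, (kind, value) in db.items():
        if kind == "hash" and digest == value:
            hits.append(name)
        elif kind == "pattern" and value in sample:
            hits.append(name)
    return hits


# Constructed samples.
VARIANT = b"Y" + EICAR[1:]                                 # one byte changed: the hash no longer matches
CLEAN = b"Release notes: build H+H* ships today."          # benign text containing the too-short pattern


def evaluate() -> dict:
    """Run the scanner over the samples; the comments state the expected outcome."""
    return {
        "eicar": scan(EICAR),        # all three signatures fire
        "variant": scan(VARIANT),    # hash misses (false negative), both patterns still fire
        "clean": scan(CLEAN),        # only the too-short pattern fires (false positive)
        "unrelated": scan(b"nothing to see here"),  # no hits
    }


if __name__ == "__main__":
    for sample, hits in evaluate().items():
        print(f"{sample:9s} -> {hits or 'clean'}")
```

The "variant" row is the whole argument of the next slides in miniature: a hash signature is exact but brittle, a pattern survives small edits but must be long enough to be specific to the malware, and neither helps once the body is re-encrypted per copy.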
Design of anti-malware software
• Collection of large sets of malware samples
• Malware analysis
  • reverse engineering
  • sandboxing
• Selection of the identifying malware elements, to produce the malware signature
• Identification of the malware components to be removed after detection of the infection
Malware detection is a difficult task
• Malware is a rare event compared to the production of legitimate software
• ...but for each malware, a large number of variants are produced
  • the same effect attained through different obfuscated code
  • malware families
The reason why
Target of mobile attack
Mobile Malicious Behaviors
• Steal privacy-sensitive data
  • Contacts
  • Text messages
• Steal the user's money
  • Send text messages
  • Register to premium services
  • Try to intercept bank transactions
• Show undesired advertisements (spam)
• Take control of the mobile device
Behind the scenes
Kind of attacks
• To infect mobile users, malicious apps typically lure users into downloading and installing them
• Repackaging: downloading popular benign apps, repackaging them with additional malicious payloads, and then uploading the repackaged ones to various Android marketplaces
• Update attack: the malicious payloads are disguised as the "updated" version of legitimate apps
• Drive-by download: redirecting users to download malware, e.g. through aggressive in-app advertisements or a malicious QR code
Google Bouncer
• Virtual environment used to check whether an app is malicious
• Runs the app in a phone-like environment for around 5 minutes before publishing
• Detects most of the known malware…
• Can be bypassed easily (an app that recognises the analysis environment can simply stay benign while under observation)
DroidJack
• http://droidjack.net/
A novel model of malware
• It consists of composing, at run time, fragments of code hosted on different and scattered locations
  • The complete payload does not reside in the app, but is dynamically built
• The complete payload is the result of the run-time composition of different invocations of methods residing on different servers
• The model exploits two well-known mechanisms
  • Reflection and dynamic loading
The Composition-malware
Advantages of the model
• The complete payload is never entirely available in any single source
  • It is dynamically composed by the driver application
• The malicious behaviour can also change for the same set of driver application and payload providers
  • This morphs both the structure and the behaviour of the payload
file.config
• IP and port of the server
• .jar file to transfer
• Class for dynamic loading
• Target method executed by reflection
Figure (Composition Malware Models): simplified model vs. distributed model. The Driver App (the (tr)app component, with payload parts Pa, Pb, …) runs in its own JVM/DVM and pulls code fragments (SC) from Codebase Servers and Host Servers, each running its own JVM/DVM.
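The slides above describe the model at the architecture level. The following is an added example, not the authors' Android code: a Python simulation of composition malware in which the two Android mechanisms are replaced by their nearest Python equivalents, dynamic loading by `exec()` of downloaded source into a fresh module (standing in for `DexClassLoader`) and reflection by `getattr()` on a method name (standing in for `Method.invoke`). The codebase servers, the `file.config` entries, the fragment names `addr.jar`/`util.jar`, the classes `Pa`/`Pb` and the `Mail` class are all constructed for illustration; the behaviour being composed is Payload 1 of the case studies (two addresses added to the BCC of a Mail object). The `static_view` function is the check a defender would want: it shows that no single artefact contains both halves of the payload.

```python
"""Added example (not the authors' code): Python simulation of composition malware."""
import hashlib
import types

# Constructed codebase servers keyed by (IP, port) -> {file: source}.
# Each fragment is harmless on its own: one only returns two addresses,
# the other only appends a list to whatever attribute it is handed.
CODEBASE_SERVERS = {
    ("10.0.0.1", 8080): {
        "addr.jar": "def provide():\n    return ['a@example.invalid', 'b@example.invalid']\n",
    },
    ("10.0.0.2", 8080): {
        "util.jar": "def apply(target, field, items):\n    getattr(target, field).extend(items)\n    return target\n",
    },
}

# Constructed file.config: server, file to transfer, class to load, target method.
FILE_CONFIG = [
    {"ip": "10.0.0.1", "port": 8080, "file": "addr.jar", "cls": "Pa", "method": "provide"},
    {"ip": "10.0.0.2", "port": 8080, "file": "util.jar", "cls": "Pb", "method": "apply"},
]


class Mail:
    """Minimal stand-in for the Mail object of the case study."""
    def __init__(self, to):
        self.to = list(to)
        self.bcc = []


def fetch(entry: dict) -> str:
    """Download a fragment from its codebase server (here: a dict lookup)."""
    return CODEBASE_SERVERS[(entry["ip"], entry["port"])][entry["file"]]


def dynamic_load(name: str, source: str) -> types.ModuleType:
    """DexClassLoader stand-in: turn fetched source into a live module."""
    module = types.ModuleType(name)
    exec(source, module.__dict__)
    return module


def reflect_call(module: types.ModuleType, method: str, *args):
    """Method.invoke stand-in: the target is resolved by name only at run time."""
    return getattr(module, method)(*args)


def driver(mail: Mail, config=FILE_CONFIG) -> Mail:
    """The driver app. The literal 'bcc' below is the only static trace of the payload,
    and it says nothing about which addresses end up there."""
    pa, pb = (dynamic_load(e["cls"], fetch(e)) for e in config)
    hidden_recipients = reflect_call(pa, config[0]["method"])
    return reflect_call(pb, config[1]["method"], mail, "bcc", hidden_recipients)


def static_view(config=FILE_CONFIG) -> dict:
    """What a per-artefact scanner sees: each fragment's hash and whether it alone
    carries both halves of Payload 1 (the addresses and the BCC field)."""
    view = {}
    for entry in config:
        src = fetch(entry)
        view[entry["file"]] = {
            "sha256": hashlib.sha256(src.encode()).hexdigest(),
            "has_addresses": "@example.invalid" in src,
            "mentions_bcc": "bcc" in src,
        }
    return view


def complete_payload_visible_anywhere(view: dict) -> bool:
    """True only if some single artefact contains both halves of the payload."""
    return any(p["has_addresses"] and p["mentions_bcc"] for p in view.values())


if __name__ == "__main__":
    mail = driver(Mail(["victim@example.invalid"]))
    print("BCC after composition:", mail.bcc)
    print("complete payload in one place:", complete_payload_visible_anywhere(static_view()))
```

Swapping the source behind `addr.jar` on its server changes which addresses are leaked without touching the driver or `util.jar`, which is the "morphing both structure and behaviour" point of the slide; a signature on any one artefact, or on the driver, never sees the composed behaviour.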
The case studies
• ARS (Android Remote Status)
  • It produces some reports (e.g. installed and running applications) and sends them via mail to the e-mail address of the smartphone administrator
• FindMe
  • It finds the current position of the device and notifies the position to a list of recipients
• The composition malware works on official Android releases
Payload 1: adding two addresses to the BCC of a Mail object
Payload 2: altering a Location object
Payload 3: adding a malicious link to a Mail object
Detections by anti-virus engines for the two case-study apps: 0 / 47 and 0 / 23 (engines included Kaspersky, Sophos, Eset, Norton, AVG, TrendMicro, Antivir, Avast, …)
First Evaluation
(columns C, P, U and T as labelled on the slide; T equals P + U in every row)
 #  Antivirus                                           C   P    U    T
 1  Qihoo: 360 Mobile Security 1.4.5                    Y   6.0  6.0  12.0
 2  AhnLab: V3 Mobile 2.1                               Y   5.5  6.0  11.5
 3  Antiy: AVL 2.2.29                                   Y   5.5  5.5  11.0
 4  Armor for Android: Armor for Android 2.1.6.2        Y   5.5  6.0  11.5
 5  Avast: Mobile Security & Antivirus 3.0.6572         Y   5.5  6.0  11.5
 6  Avira: Free Android Security 2.1                    Y   5.5  6.0  11.5
 7  Bitdefender: Antivirus Free 1.1.214                 Y   5.5  6.0  11.5
 8  ESET: Mobile Security & Antivirus 2.0.815.0         Y   5.5  6.0  11.5
 9  F-Secure: Mobile Security 8.3.13441                 Y   5.5  6.0  11.5
10  Ikarus: Mobile Security 1.7.16                      Y   5.5  6.0  11.5
11  Kaspersky: Mobile Security 9.10.141                 Y   5.5  6.0  11.5
12  KingSoft: Mobile Security 3.2.2.1                   Y   5.5  6.0  11.5
13  Lookout: Security & Antivirus 8.21                  Y   5.5  6.0  11.5
14  Symantec: Norton Mobile Security 3.7.0.1106         Y   5.5  5.0  10.5
15  Trend Micro: Mobile Security 3.5                    Y   5.5  6.0  11.5
16  Comodo: Mobile Security & Antivirus 2.3.293084.125  Y   5.0  5.5  10.5
17  Webroot: SecureAnywhere Mobile 3.5.0.6043           Y   5.0  6.0  11.0
18  Anguanjia: Security Manager 4.2.1                   Y   4.5  3.0  7.5
19  Tencent: Mobile Security Manager 4.3.1              Y   4.0  5.0  9.0
Detections across the install, download, activation and run stages: 0 / 19
Best anti-malware products (scores in the range [4.0, 6.0])
Second Evaluation
Android Ransomware Detector
R-PackDroid
BRIDEMAID: An Hybrid Tool for Accurate Detection of Android Malware
Detection Results
Conclusion
• Malware taxonomy
  • Virus, worm, encrypted malware
• Current anti-malware detection technologies exhibit several weaknesses
• Mobile Security
  • Composition Malware
  • R-PackDroid
  • BRIDEMAID
References
• Ferrante, A., Medvet, E., Mercaldo, F., Milosevic, J., Visaggio, C. A.: Spotting the malicious moment: Characterizing malware behavior using dynamic features. In: Availability, Reliability and Security (ARES), 2016.
• Maiorca, D., Mercaldo, F., Giacinto, G., Visaggio, C. A.: R-PackDroid: API package-based characterization and detection of mobile ransomware. In: Symposium on Applied Computing (SAC), 2017.
• Ferrante, A., Malek, M., Martinelli, F., Mercaldo, F., Milosevic, J.: Extinguishing Ransomware: A Hybrid Approach to Android Ransomware Detection. In: 10th International Symposium on Foundations and Practice of Security (FPS), 2017.
• Canfora, G., Mercaldo, F., Moriano, G., Visaggio, C. A.: Composition-malware: building Android malware at run time. In: Availability, Reliability and Security (ARES), 2015.
• Martinelli, F., Mercaldo, F., Saracino, A.: BRIDEMAID: An Hybrid Tool for Accurate Detection of Android Malware. In: Asia Conference on Computer and Communications Security (ASIACCS), 2017.
• Mercaldo, F., Nardone, V., Santone, A.: Ransomware inside out. In: Availability, Reliability and Security (ARES), 2016.