Aims and Objectives of Project Understand and analyse current malware strategies Analyse in detail various malware infection vectors and new revenue

CROSS-PLATFORM MALWARE

CONTAMINATION

MSc Information Security Project 2013/2014Author: Nicholas Aquilina

Supervisor: Dr Konstantinos Markantonakis

Aims and Objectives of Project Understand and analyse current malware strategies Analyse in detail various malware infection vectors and

new revenue channels being exploited Review malware concealment and detection strategies Carry out an infection between Android device and

Windows, analysing in detail what is happening Propose an efficient and practical way in which cross-

contamination across platforms can be restricted Challenges and barriers to the implementation of our

proposal

Agenda Malware history Mobile malware timeline, attack vectors

and new revenue channels created Malware concealment and detection

strategies Analysis of cross-platform malware Limiting cross-platform malware Challenges and barriers to implementation Concluding remarks

Malware history Definition of malware - A general term used

to refer to any software that is installed on a machine and performs unwanted (malicious) tasks (Christodorescu et al, 2007)

Different classifications have been attempted, mostly based upon the payload type, vulnerabilities exploited and propagation mechanisms used

Malware history Became known to many computer users

through the Melissa virus in 1999 and the LoveLetter worm in 2000 (Dunham et al, 2009)

Mobile malware timeline2000

• Timofonica (targeted at Movistar mobile operator)

2004

• Cabir (first worm to target mobile phones)• Duts (malware targeted at Windows Mobile)

2010

• FakePlayer (first SMS trojan for Android devices)

2013

• Obad (spread via alien botnets)

2014

• FakeBank (Windows trojan attacks Android devices)

Mobile malware attack vectors

Attack Vectors

SMS/MMS

Bluetooth

WiFi

Limited Resources

Processing power

Storage capacity

Battery autonomy

Network

Mobility issues

Network coverage

User Interface Limitation

Screen size

Screen resolution

Visual indicators

Mobile malware revenue channels

New revenue channels exploited by mobile malware:

Billed events○ Premium-rate numbers still being used to target

mobile devices – malicious users can force mobile devices to send premium-rate SMS messages

Payment systems○ Mobile devices being used as physical payment

devices○ Proximity payments (such as NFC) has opened up

new possibilities for malicious attackers e.g. inject malicious URL through NFC tags

Cross-platform contamination First example of cross-platform malware

contamination was the Morris Worm (Orman, 2003)

Released in 1988In less than 24 hours, caused great damageSlowed thousands of systemsExploited vulnerabilities on VAX and SUN

Microsystems platforms; and the Sendmail email delivery software

Cross-platform contamination Following the Morris worm, other multi-

platform malware emerged:

1999 – W32/W97M Coke2000 – W32/HLP Dream and Pluma2001 – W32/Linux Peelf2010 – StuxNet2011 – Duqu2014 – FakeBank

Cross-platform contamination Proof-of-concept by Wang and Stavrou using

USB in 2010 (Z. Wang and A. Stavrou, 2010)

USB commonly used as a means to charge, communicate and synchronise

Malware exploits this connection to propagate itself

In 2010, Wang and Stavrou demonstrated how a PC can use USB connection to unlock and flash software of a mobile device

Cross-platform contamination Proof-of-concept breaking Mobile Transaction

Authentication Numbers (Dmitrienko et al, 2012)

Attack was divided into three phasesFirst phase, malware installed on the terminal

steals the user’s credentialsSecond phase involves cross-platform infectionThird phase, the malicious attacker performs

transaction with the user’s bank, mimicking the user

Malware concealment strategies

Malware concealment strategies serve one purpose, namely survival of the code

The longer malware can protect itself from detection, the more time it has available for replication and infection


Aim to increase the span of time between infection and detection phases

Phase 1 Infect

Phase 2 Detect

Phase 3 Analyse

Phase 4 Eradicate


Passive strategies to evade detection:Malware which implements a set of

techniques to hide itself from detection, such as bypassing anti‐virus or anti‐malware signature detection

Active strategies to evade detection:Malware that, apart from concealing their

presence, actively tries to hinder the detection and analysis of the code

Malware detection strategies

Using static techniques:

Signature analysis and hashingExtracting system callsStatic taint analysis

Using dynamic techniques:

Dynamic taint analysisBehavioural analysis

Malware detection strategies Using heuristics:

Monitoring API and system callsOpCode analysisUsing N-GramsControl flow graphs

Using hybrid techniques

Analysis of cross-platform malware

Practical implementation of cross-platform infection for detailed analysis

Used a physical Android 4.1.1 tablet connected via USB Device Filter to a host running a virtual machine with Windows XP SP3

Malware sample used was DroidCleaner, served via another virtual machine running Kali Linux and Apache


Tablet device connected to our web server, downloaded and installed the malicious application

Analysis of cross-platform malware Shark for Root was launched and kept in

listening mode DroidCleaner application launched and

‘Default Cleanup’ was selected

Analysis of cross-platform malware Following the hypothetical clean-up,

DroidCleaner was closed Shark Reader was then used to review the

logs generated by Shark for Root Two IPs were noted:

54.235.185.74 – host located on the Amazon Cluster

173.194.70.95 – reported by virustotal.com as serving a number of known malware files


All latest Windows XP updates were installed but the default installation settings were left enabled

Autorun feature was kept enabled for the purpose of our analysis

Launched two applications on our Windows XP machine, Process Hacker and Wire Shark

Analysis of cross-platform malware Upon connecting the tablet to the Windows

XP machine, Process Hacker detected two unknown applications namely ‘pwd.exe’ and ‘Start.exe’

A short while afterwards, the application ‘Start.exe’ generated an application error message


Analysis of cross-platform malware Wire Shark was stopped and proceeded

to analyse the logs generated We noted that our XP machine was

trying to connect to IP 190.93.253.132 using SSLv3

This IP address was checked again using virustotal.com

Reported to resolve to minecraft.org



ILSpy was launched and file ‘svchosts.exe’ analysed

File contains the NAudio library, launched upon program execution

NAudio is an open source .NET audio and MIDI library

Confirmed our initial thoughts that this malware will record, and upload, voice recordings to the attacker


To further the analysis, the function ‘XControl’ was opened and the following details were noted:

the attacker’s server (hostname) the FTP user name and password the destination port number to use


Analysis of cross-platform malware The file was then uploaded to an online

sandbox analysis facility Two anti-debugging techniques were found

namely:

Guard pages – used to protect against reverse engineering and debugging, returning an exception

SystemKernelDebuggerInformation – a feature used to check for kernel debuggers attached to the system


We then analysed the Android application using various tools found within the Kali Linux distribution

Of particular interest are the various commands which the attacker can use once the mobile device is infected


Analysis of cross-platform malware Registration of the Android device was

made using config file ConnectorService The device was instructed to send the

command string:

‘|NEW_HELLOW|’ followed by ‘ACCT + PORT’

On successful connection, the device would then download three files ‘svchost.exe’, ‘Kst.exe’ and ‘Controller.exe’

Analysis of cross-platform malware Summary

The unsuspecting user downloads a rogue application

When the user launches the application, it communicates with a remote command‐and‐control server

The user then proceeds to connect his Android device to the computer

The malware on the Android device propagates to the victim’s computer

Limiting cross-platform malware

Malware creators are being craftier in evading anti-malware engines

Through our research, it was noted that detection through anti-malware engines is carried out from within the operating system

The actual anti-malware engine is running as a process in itself which can be easily subverted and inherits weaknesses in the operating system

Zero-day exploits and other advanced persistent threats are a daily occurrence


Proposal of adding a new layer between the hardware layer and the operating system/kernel layers

Security layer denoted as hypervisor Can be used to monitor and protect the

whole system Must be lightweight in resources

consumed, transparent to the operating system and compatible across multiple platforms


We still need some sort of malware detection technique in order to detect the presence of malicious intentions during programme execution

Malware using polymorphism or metamorphism can easily evade static malware detection


In addition, static detection is largely based on signatures

These systems are equipped with a database of known signatures or instructions that are considered malicious

Such a setup imposes a restriction on the frequency when this signature database is updated e.g. out of (3G) data reception


During our malware analysis, we showed how DroidCleaner attacked both Android and Windows

Through registration of our Android device to the attacker’s server, access to the various hardware components was made available.

On Windows, the attacker could install an open source audio library that controlled microphone activation and the local storage



We propose two configuration sets

One set, S1, will contain hardware features to be monitored e.g. GPS sensor, WiFi, microphone, camera

The other set, S2, will contain the permissions requested for S1 e.g. take a picture, enable WiFi, access microphone


By way of example:

If hypervisor detects a request to access camera (S1) for taking a snapshot (S2), the request will be allowed if a previous user activity took place within a configured timeout in seconds


Start Device

Launch Hypervisor

Monitor Requests

Check User Activity

Load Dataset

If timeout is > than limit set

If timeout is < than limit set

Allow Access, Update Dataset

Deny Access, Update Dataset

Challenges to implementation

Access to hardware drivers and source code due to diversification of the Android platform (ARM, Intel to name a few)

Power management and battery life are a critical factor – possible use of ‘wakelocks’ in Android to avoid constant polling (allow apps to notify the kernel that they are doing something, and that the kernel should not put the device to sleep)

Challenges to implementation

Functionality is a critical factor – added benefits of security are seen as extra burden, limiting use of their device

Security review – cannot be software with an unknown internal structure; opening the system to the security community allows independent assessment of its exposure to risk

Concluding remarks Significance of our research

Gain a better understanding of the way cross‐platform malware contamination occurs in practice

An attempt was made to come up with a new framework that can assist us in limiting such contamination, moving away from traditional detection

Future research

The weaknesses affecting current malware detection strategies lie at the basis of our departure from the traditional view of how we can protect devices in favour of new methods designed to amplify the effectiveness of existing detection techniques

Practical hints for your project

Liaise with your personal adviser to discuss your interests and direct you to relevant tutor sharing your interests

Make early contact and try to come up with two to three areas of interest

Prepare a solid timetable, defining the chapters, amount of pages to write and set deadlines

Adjust your timetable schedule where necessary but try not to diverge too much

References M. Christodorescu, S. Jha, D. Maughan, D. Song and C. Wang,

"Introduction to Malware Detection," in Malware Detection, New York, USA, Springer Science and Business Media, 2007, p. IX

K. Dunham, S. Abu‐Nimeh, S. Fogie, B. Hernacki, J. A. Morales and C. Wright, Mobile

Malware Attacks and Defense, Syngress Publishing Inc, 2009

H. Orman, "The Morris Worm: A Fifteen‐Year Perpective," Security & Privacy, IEEE, vol. 1, no. 5, pp. 35‐43, November 2003

Z. Wang and A. Stavrou, "Exploiting Smart‐Phone USB Connectivity for Fun and Profit," in Preceedings of the 26th Annual Computer Security Applications Conference (ACSAC), 6‐10 December pp. 357‐366, Austin, Texas, USA, 2010

A. Dmitrienko, L. Davi, A.‐R. Sadeghi and C. Liebchen, "Over‐the‐Air Cross‐platform Infection for Breaking mTAN‐based Online Banking Authentication," in Black Hat 2012, Abu Dhabi, UAE, 2012

Thank you

http://mt.linkedin.com/[email protected]

Documents

Aims and Objectives of Project Understand and analyse current malware strategies Analyse in detail various malware infection vectors and new revenue