
Page 1: Computer Virology and Mobile Malware Detection · 2019-03-14 · Outline •Introduction •Computer Virology • Malware taxonomy • Encrypted malware •Malware Detection •Mobile

Computer Virology and Mobile Malware Detection

Francesco Mercaldo

IIT-CNR

Page 2

Outline

• Introduction
• Computer Virology
  • Malware taxonomy
  • Encrypted malware
  • Malware Detection
• Mobile Security
  • Composition Malware
  • An Hybrid Tool for Accurate Detection of Android Malware
• Conclusion

Page 3

Outline

• Introduction
• Computer Virology
  • Malware taxonomy
  • Encrypted malware
  • Malware Detection
• Mobile Security
  • Composition Malware
  • An Hybrid Tool for Accurate Detection of Android Malware
• Conclusion

Page 4

Threat Landscape 2017

Page 5

Malware Statistics

Page 6

Malware

• Software intended to intercept or take partial control of a computer's operation without the user's informed consent.
• It subverts the computer's operation for the benefit of a third party.

Page 7

The purpose of malware

• To partially control the user's computer, for reasons such as:
  • to subject the user to advertising
  • to launch DDoS on another service
  • to spread spam
  • to track the user's activity ("spyware")
  • to commit fraud, such as identity theft and affiliate fraud
  • to spread FUD (fear, uncertainty, doubt)

Page 8

Outline

• Introduction
• Computer Virology
  • Malware taxonomy
  • Encrypted malware
  • Malware Detection
• Mobile Security
  • Composition Malware
  • An Hybrid Tool for Accurate Detection of Android Malware
• Conclusion

Page 9

Taxonomy of Malicious Software

One form of categorisation:

• Host Dependent
  • Program fragments dependent on an
    • Application
    • Utility
    • System program
• Host Independent
  • Self-contained programs
  • Can be scheduled and run by the OS

Page 10

Taxonomy of Malicious Software

Another form of categorisation:

• Those that do not Replicate
  • Fragments of programs to be activated when the host program is invoked to perform a specific function
• Those that Replicate
  • Program fragment
    • Virus
  • Independent program
    • Worm
    • Zombie

Page 11

Malicious Software

Page 12

Trap Door

• Code
  • Recognises special input
    • E.g. a user ID or sequence of events
  • Secret entry point into program
    • Allows entry without going through normal security access procedures
• Used originally as
  • Aid to programmers to gain access without going through lengthy access procedures
  • Method of activating program should something go wrong with the authentication procedure
• Threat
  • When used by malicious parties for unauthorised access
• Any mechanism that bypasses a normal security check.
• It is code that recognizes, for example, a special input sequence; programmers can use backdoors legitimately to debug and test programs.
• aka backdoor

Page 13

Logic Bomb

• Code embedded in legitimate program
  • Primed to activate under key conditions
• Examples
  • Presence or absence of files
  • Day of week
  • Date
  • Particular user
• Once triggered:
  • Can alter/delete data/files
  • Cause machine to halt
  • Other damage …
• One of the oldest types of malicious software

Page 14

Trojan Horse

• Useful or apparently useful programs / command procedure
  • Contains hidden code
  • Upon activation, performs unwanted/harmful function
• Examples
  • To gain access to another user's files on a shared system
    • Create a Trojan Horse that, when executed, changes the invoking user's file permissions so that all can read
    • Author can induce users to run the program by
      • Placing the file in a common directory
      • Renaming the file as an apparently useful utility
  • Example
    • A program that produces a listing of the user's files in a desirable format
    • After the user runs the program, the author can access information in the user's files
• Common Motivation for Trojan Horse
  • Data destruction
    • Trojan appears to perform a useful function but also deletes the user's programs

Page 15

Zombie

• Program that secretly takes over another computer (via internet)
• Motive:
  • To use the computer to launch attacks
  • Make it difficult to trace the attack back to the author
• Example:
  • Denial of Service Attacks against a particular web site
    • Zombies planted on hundreds of unsuspecting nodes
    • Used to launch an overwhelming onslaught of internet traffic on the target

Page 16

Worm

• Doesn't require a human as part of the propagation process
• Actively seeks machines to infect
• Infected machines become a launch pad for attacks on other machines

Page 17

Viruses

• Virus: a program that can "infect" other programs through modification
  • Modification includes embedding a copy of the virus program within the host program
  • Copy used to 'infect' other programs
  • Virus carries instructional code for making copies of itself (like its biological counterpart)
• Once loaded in the host computer
  • Typical virus takes temporary control of the disk operating system
  • Whenever the infected computer comes into contact with an uninfected program, a copy of the virus is passed into the new program
• 'Infection' spreads from computer to computer through disk swapping and sending of programs/files through the network
• Network seen as the perfect medium for the proliferation of a virus

Page 18

The Nature of Viruses

• Viruses
  • Attach themselves to host programs
  • Execute secretly when the host program is run
  • Once invoked can perform any function
    • Erasing files, programs, …
• Major Components
  • Infection mechanism: the code that enables replication
  • Trigger: the event that makes the payload activate
  • Payload: what it does, malicious or benign

Page 19

The Nature of Viruses

• 4 Phases
• Dormant
  • Virus idle
  • Activated by event (e.g. date, presence of program/file, disc capacity exceeding a particular value)
  • Not all viruses have a dormant stage
• Propagation
  • Virus places a copy of itself in another program or in a system area of the disc
  • Infected program will contain a clone of the virus

Page 20

The Nature of Viruses

• Triggering
  • Virus activated for its intended function
  • Activated by event
    • e.g. date, presence of program/file, disc capacity exceeding a particular value, number of times a clone has been created, …
• Execution
  • Function is performed (ranging from harmless, to messages on screen, to letters dropping to the bottom of the screen, ambulances racing across the screen, to catastrophic results with the destruction of programs / data files, …)

Page 21

Encrypted malware

• This is the malicious bytecode
• We can create a polymorphic variant by encrypting the bytecode according to the following function
• The resulting malicious bytecode will be the following

Page 22

Morphic Virus

• Polymorphic virus
  • Mutates with every infection, making detection by the signature of the virus impossible
  • Has a specially designed mutation engine (the decryption routine also mutates)
• Metamorphic virus
  • Mutates with every infection, rewriting itself completely at each iteration, changing behavior and/or appearance and increasing the difficulty of detection

Page 23

Replication

(figure: replication of a basic virus, a polymorphic virus and a metamorphic virus)

Page 24

Metamorphic variants

Page 25

Vx Heaven

• http://83.133.184.251/virensimulation.org/

Page 26

Outline

• Introduction
• Computer Virology
  • Malware taxonomy
  • Encrypted malware
  • Malware Detection
• Mobile Security
  • Composition Malware
  • An Hybrid Tool for Accurate Detection of Android Malware
• Conclusion

Page 27

Malware Detection State of the Art

• Commercial Side:
  • Anti-Virus code base – signature based.
  • Pretty much the same as standard computer AVs.
  • Also the same brands in Mobile edition
• Pro:
  • Ease of use and no false positives
• Cons:
  • Ineffective against new threats (zero day)

Page 28

Signature-Based Approach

• Blacklist of known signatures to identify known threats.
  • Binary-based

(figure: the application under analysis (…01100010010010010…) is hashed; the hash (h2) is looked up in the signature DB of known hashes h1, h2, h3, …; a match produces the result)

Page 29

Signature-Based AV Software

• Requires a virus signature to identify a virus
• Virus signature
  • Early viruses had essentially the same bit pattern in all copies
  • A small piece of the virus code as a means for identification
• A good signature is one that is found in every object infected by the virus, but is unlikely to be found if the virus is not present
  • Not too short (false positives), not too long (false negatives)

Page 30

Signature-Based AV Example

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
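The three slides above (hash lookup in a signature DB, the "not too short, not too long" rule, and the EICAR test string) and the earlier "Encrypted malware" slide can be exercised in one small scanner. The following is an added example, not code from the slides; the "malware" is a constructed byte string, the XOR step stands in for whatever encryption function the slide applied to the bytecode, and the benign file is constructed as well.

```python
"""Signature-based scanning and its two failure modes.

Added example (not from the slides). KNOWN_MALWARE, BENIGN and the XOR key are
constructed; the XOR cipher is a stand-in for the slide's encryption function.
"""
import hashlib

# Constructed stand-in for "the malicious bytecode": some filler bytes around a
# distinctive marker that a signature writer would pick out.
KNOWN_MALWARE = (bytes(range(0x60, 0x90))
                 + b"CONSTRUCTED-PAYLOAD-MARKER"
                 + bytes(range(0x20, 0x40)))

# A benign file that happens to contain the two bytes 0x20 0x21 (" !").
BENIGN = b"Hello ! This is a harmless text file.\n"


def build_hash_db(samples):
    """Slide's 'Signature DB': one SHA-256 per known-bad sample -> family name."""
    return {hashlib.sha256(blob).hexdigest(): name for name, blob in samples.items()}


def scan_by_hash(blob, hash_db):
    """Whole-file lookup: 'Application under analysis -> Hash -> Match'."""
    return hash_db.get(hashlib.sha256(blob).hexdigest())


def scan_by_pattern(blob, patterns):
    """Byte-pattern signature: 'a small piece of the virus code'.

    patterns is {family: bytes}; returns the first family whose pattern occurs.
    """
    for name, pattern in patterns.items():
        if pattern in blob:
            return name
    return None


def xor_encrypt(blob, key):
    """Stand-in for the slide's encryption step (constructed, symmetric)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


HASH_DB = build_hash_db({"Constructed.Sample": KNOWN_MALWARE})
GOOD_PATTERN = {"Constructed.Sample": b"CONSTRUCTED-PAYLOAD-MARKER"}  # 26 bytes
SHORT_PATTERN = {"Constructed.Sample": b" !"}                          # 2 bytes
KEY = b"\x5a\xa5\x3c"                                                  # constructed
APPENDED = KNOWN_MALWARE + b"\r\n"        # same malware, one trailing CRLF
ENCRYPTED = xor_encrypt(KNOWN_MALWARE, KEY)  # the "polymorphic variant"


def demo():
    """Run every scan the text describes and return the verdicts by name."""
    return {
        # Exact known sample: both kinds of signature fire.
        "hash_known": scan_by_hash(KNOWN_MALWARE, HASH_DB),
        "pattern_known": scan_by_pattern(KNOWN_MALWARE, GOOD_PATTERN),
        # 'Too long' (whole-file hash): a single appended byte is a false negative.
        "hash_appended": scan_by_hash(APPENDED, HASH_DB),
        "pattern_appended": scan_by_pattern(APPENDED, GOOD_PATTERN),
        # 'Too short': a 2-byte pattern fires on a harmless file (false positive).
        "short_on_benign": scan_by_pattern(BENIGN, SHORT_PATTERN),
        "good_on_benign": scan_by_pattern(BENIGN, GOOD_PATTERN),
        # Encrypted variant: neither the hash nor the plaintext pattern survives.
        "hash_encrypted": scan_by_hash(ENCRYPTED, HASH_DB),
        "pattern_encrypted": scan_by_pattern(ENCRYPTED, GOOD_PATTERN),
    }
```

The encrypted case is why the next slide's polymorphic virus "makes detection by the signature impossible": the only constant part of such a sample is the decryption routine, and the slide notes that the mutation engine changes that too, which is what pushes detection toward behaviour rather than bytes.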

Page 31

Design of anti-malware software

• Collection of large sets of malware samples
• Malware analysis
  • reverse engineering
  • sandboxing
• Selection of the identifying malware elements
  • to produce the malware signature
• Identification of the malware components to be removed after the detection of the infection

Page 32

Malware detection is a difficult task

• Malware is a rare event compared to the production of legitimate software
• ...but for each malware, a large number of variants are produced
  • the same effect attained through different obfuscated code
  • malware families

Page 33

Outline

• Introduction
• Computer Virology
  • Malware taxonomy
  • Encrypted malware
  • Malware Detection
• Mobile Security
  • Composition Malware
  • An Hybrid Tool for Accurate Detection of Android Malware
• Conclusion

Page 34

The reason why

Page 35

Target of mobile attack

Page 36

Mobile Malicious Behaviors

• Steal privacy-sensitive data
  • Contacts
  • Text messages
• Steal the user's money
  • Send text messages
  • Register to premium services
  • Try to intercept bank transactions
• Show undesired advertisements (spam)
• Take control of the mobile device
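The behaviours listed above are what a dynamic (runtime) detector looks for, as opposed to the byte signatures of the previous section. The following is an added example, not code from the slides or from the BRIDEMAID tool: it runs two behaviour rules over a constructed event log. The log format (timestamp, package, event, detail), the event names and the time windows are all assumptions made for this example.

```python
"""Behaviour rules over a constructed Android event log (added example).

Assumed log format: "<seconds> <package> <EVENT> <detail>", one event per line.
Rule 1: an SMS sent with no user touch in the preceding touch_window seconds.
Rule 2: a network upload within exfil_window seconds of reading the contacts.
"""
from collections import defaultdict

# Constructed log. com.example.notes sends one SMS right after a tap and uploads
# long after reading contacts; com.example.flashlight reads contacts, uploads
# immediately, then sends two SMS with no user interaction at all.
LOG = """\
0.0  com.example.notes      USER_TOUCH     MainActivity
0.5  com.example.notes      SMS_SEND       to=+15551234567
12.0 com.example.flashlight READ_CONTACTS  count=312
13.5 com.example.flashlight NET_SEND       host=203.0.113.10 bytes=48211
40.0 com.example.flashlight SMS_SEND       to=80808
41.0 com.example.flashlight SMS_SEND       to=80808
55.0 com.example.notes      READ_CONTACTS  count=312
95.0 com.example.notes      NET_SEND       host=203.0.113.44 bytes=900
"""


def parse_log(text):
    """Return a list of (timestamp, package, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pkg, event, detail = line.split(None, 3)
        events.append((float(ts), pkg, event, detail))
    return events


def detect(events, touch_window=10.0, exfil_window=30.0):
    """Apply both rules per package; return (package, rule, timestamp) alerts."""
    alerts = []
    by_pkg = defaultdict(list)
    for ev in events:
        by_pkg[ev[1]].append(ev)
    for pkg, evs in by_pkg.items():
        evs.sort(key=lambda e: e[0])
        for i, (ts, _, kind, _detail) in enumerate(evs):
            earlier = evs[:i]  # only events that precede this one
            if kind == "SMS_SEND" and not any(
                    e[2] == "USER_TOUCH" and ts - e[0] <= touch_window
                    for e in earlier):
                alerts.append((pkg, "sms_without_user_interaction", ts))
            if kind == "NET_SEND" and any(
                    e[2] == "READ_CONTACTS" and ts - e[0] <= exfil_window
                    for e in earlier):
                alerts.append((pkg, "contacts_read_then_upload", ts))
    return alerts


def run():
    """Parse the constructed log and return its alerts."""
    return detect(parse_log(LOG))
```

The rules are deliberately windowed: the notes app also reads contacts and uploads, but 40 seconds apart, so it is not flagged. Whether such a gap is benign is exactly the kind of threshold that needs tuning against real usage data.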

Page 37

Behind the scenes

Page 38

Kind of attacks

• To infect mobile users, malicious apps typically lure users into downloading and installing them.
• Repackaging: downloading popular benign apps, repackaging them with additional malicious payloads, and then uploading the repackaged ones to various Android marketplaces.
• Update attack: the malicious payloads are disguised as the "updated" version of legitimate apps.
• Drive-by download: redirecting users to download malware, e.g. by using aggressive in-app advertisements or malicious QR codes.

Page 39

Google Bouncer

• Virtual environment to check if an app is malicious
• Runs the app in a phone-like environment for around 5 mins before publishing
• Detects most of the known malware…
• Can be bypassed easily

Page 40

DroidJack

• http://droidjack.net/

Page 41

A novel model of malware

• It consists of composing fragments of code hosted on different and scattered locations at run time
  • The complete payload does not reside in the app, but is dynamically built
• The complete payload is the result of the runtime composition of different invocations of methods residing on different servers
• The model exploits two well-known mechanisms
  • Reflection and dynamic loading

Page 42

The Composition-malware

Page 43

Advantages of the model

• The complete payload is never entirely available in any source
  • It is dynamically composed by the driver application
• The malicious behaviour could also change, for the same set of driver application and payload providers
  • This results in morphing both the structure and the behavior of the payload

Page 44

Composition Malware Models

(figure: simplified model and distributed model)

• file.config
  • IP and port of the server
  • .jar file to transfer
  • Class for dynamic loading
  • Target method executed by reflection
• Components shown: Driver App with a (tr)app component and payloads Pa, Pb; Codebase Servers and Host Servers, each with a JVM/DVM and SC
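Because the payload never sits in the APK, a static analyst can only look for the machinery the model relies on: network code, dynamic class loading, reflective invocation, and a configuration naming the server, jar, class and method (the four file.config fields above). The following is an added example, not code from the slides or from the composition-malware paper: a triage score over lists of API references such as a disassembler would print for an app. The class and method descriptors are real Android/Java APIs written in Dalvik descriptor form; the per-app reference lists, the config texts and the grouping into three indicator families are constructed for this example.

```python
"""Static triage for composition-style loaders (added example).

Input: for each app, the list of API references found in its code (constructed
here; in practice produced by a disassembler) and, optionally, the text of a
bundled config asset. Output: a score 0..4 = number of indicator groups present
plus one if a loader-style config (jar + class + method + host/port) is shipped.
"""

# Three ingredients of the model. Descriptors are real APIs in Dalvik form;
# the grouping itself is an assumption of this example.
INDICATORS = {
    "network": {
        "Ljava/net/Socket;",
        "Ljava/net/HttpURLConnection;",
        "Ljava/net/URL;->openConnection",
    },
    "dynamic_loading": {
        "Ldalvik/system/DexClassLoader;",
        "Ldalvik/system/PathClassLoader;",
        "Ljava/lang/ClassLoader;->loadClass",
    },
    "reflection": {
        "Ljava/lang/Class;->forName",
        "Ljava/lang/Class;->getMethod",
        "Ljava/lang/reflect/Method;->invoke",
    },
}

# Constructed apps. The bank app uses reflection and the network (common in
# legitimate code); the plugin host legitimately has the full chain; the driver
# app has the full chain plus a config mirroring the slide's file.config.
SAMPLE_APPS = {
    "com.example.weather": [
        "Ljava/net/HttpURLConnection;",
        "Landroid/location/LocationManager;->getLastKnownLocation",
    ],
    "com.example.bank": [
        "Ljava/net/HttpURLConnection;",
        "Ljava/lang/Class;->forName",
        "Ljava/lang/reflect/Method;->invoke",
    ],
    "com.example.pluginhost": [
        "Ljava/net/URL;->openConnection",
        "Ldalvik/system/DexClassLoader;",
        "Ljava/lang/Class;->getMethod",
        "Ljava/lang/reflect/Method;->invoke",
    ],
    "com.example.driver": [
        "Ljava/net/Socket;",
        "Ljava/io/FileOutputStream;",
        "Ldalvik/system/DexClassLoader;",
        "Ljava/lang/Class;->forName",
        "Ljava/lang/reflect/Method;->invoke",
    ],
}

# Constructed config assets (key=value lines; format is an assumption).
CONFIG_ASSETS = {
    "com.example.driver": (
        "host=203.0.113.7\nport=4444\njar=payload.jar\n"
        "class=com.example.Payload\nmethod=run\n"
    ),
    "com.example.pluginhost": "plugin_repo=https://plugins.example.net/index.json\n",
}


def indicator_groups(api_refs):
    """Set of indicator group names hit by the given API references."""
    refs = set(api_refs)
    return {group for group, needles in INDICATORS.items() if needles & refs}


def has_loader_config(text):
    """True if the config names a jar, class and method plus a host or port."""
    keys = {line.split("=", 1)[0].strip() for line in text.splitlines() if "=" in line}
    return {"jar", "class", "method"} <= keys and bool(keys & {"host", "port"})


def composition_score(api_refs, config_text=""):
    """0..4: indicator groups present, plus 1 for a loader-style config."""
    return len(indicator_groups(api_refs)) + (1 if has_loader_config(config_text) else 0)


def triage(apps, configs, threshold=3):
    """Apps at or above threshold as (name, score), highest score first."""
    scored = [(name, composition_score(refs, configs.get(name, "")))
              for name, refs in apps.items()]
    return sorted(((n, s) for n, s in scored if s >= threshold),
                  key=lambda pair: (-pair[1], pair[0]))
```

The plugin host scoring 3 is the point to take away: reflection and dynamic loading are, as the slide says, well-known legitimate mechanisms, so this score ranks apps for analyst attention rather than convicting them, and the bundled config is what separates the constructed driver app from a legitimate plugin framework.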

Page 45

The case studies

• ARS (Android Remote Status)
  • It produces some reports (e.g. installed and run applications) and sends the report via mail to the e-mail address of the smartphone administrator
• FindMe
  • It finds the current position of the device and notifies the position to a list of recipients
• The composition malware works on Android official releases

Page 46

Payload 1: adding two addresses in the BCC to a Mail object

Page 47

Payload 2: altering a Location object

Page 48

Payload 3: adding a malicious link to a Mail object

Page 49

First Evaluation

(figure: results shown as 0 / 47 and 0 / 23; products shown: Kaspersky, Sophos, Eset, Norton, AVG, TrendMicro, Antivir, Avast)

Page 50

Second Evaluation

 #  Antivirus                               Version         C  P    U    T
 1  Qihoo: 360 Mobile Security              1.4.5           Y  6.0  6.0  12.0
 2  AhnLab: V3 Mobile                       2.1             Y  5.5  6.0  11.5
 3  Antiy: AVL                              2.2.29          Y  5.5  5.5  11.0
 4  Armor for Android: Armor for Android    2.1.6.2         Y  5.5  6.0  11.5
 5  Avast: Mobile Security & Antivirus      3.0.6572        Y  5.5  6.0  11.5
 6  Avira: Free Android Security            2.1             Y  5.5  6.0  11.5
 7  Bitdefender: Antivirus Free             1.1.214         Y  5.5  6.0  11.5
 8  ESET: Mobile Security & Antivirus       2.0.815.0       Y  5.5  6.0  11.5
 9  F-Secure: Mobile Security               8.3.13441       Y  5.5  6.0  11.5
10  Ikarus: Mobile Security                 1.7.16          Y  5.5  6.0  11.5
11  Kaspersky: Mobile Security              9.10.141        Y  5.5  6.0  11.5
12  KingSoft: Mobile Security               3.2.2.1         Y  5.5  6.0  11.5
13  Lookout: Security & Antivirus           8.21            Y  5.5  6.0  11.5
14  Symantec: Norton Mobile Security        3.7.0.1106      Y  5.5  5.0  10.5
15  Trend Micro: Mobile Security            3.5             Y  5.5  6.0  11.5
16  Comodo: Mobile Security & Antivirus     2.3.293084.125  Y  5.0  5.5  10.5
17  Webroot: SecureAnywhere Mobile          3.5.0.6043      Y  5.0  6.0  11.0
18  Anguanjia: Security Manager             4.2.1           Y  4.5  3.0  7.5
19  Tencent: Mobile Security Manager        4.3.1           Y  4.0  5.0  9.0

(figure: "Best AntiMalware [4.0, 6.0]", tested across the Install, Download, Activation and Run phases; result shown: 0 / 19)

Page 51

Android Ransomware Detector

Page 52

R-PackDroid

Page 53

BRIDEMAID: An Hybrid Tool for Accurate Detection of Android Malware

Page 54

Detection Results

Page 55

Conclusion

• Malware Taxonomy
  • Virus, Worm, Encrypted malware
• Current antimalware detection technologies exhibit several weaknesses
• Mobile Security
  • Composition Malware
  • R-PackDroid
  • BRIDEMAID

Page 56

References

• Ferrante, A., Medvet, E., Mercaldo, F., Milosevic, J., Visaggio, C. A.: Spotting the malicious moment: Characterizing malware behavior using dynamic features. In: Availability, Reliability and Security (ARES), 2016
• Maiorca, D., Mercaldo, F., Giacinto, G., Visaggio, C. A.: R-PackDroid: API package-based characterization and detection of mobile ransomware. In: Symposium on Applied Computing (SAC), 2017
• Ferrante, A., Malek, M., Martinelli, F., Mercaldo, F., Milosevic, J.: Extinguishing Ransomware: a Hybrid Approach to Android Ransomware Detection. In: 10th International Symposium on Foundations and Practice of Security (FPS), 2017
• Canfora, G., Mercaldo, F., Moriano, G., Visaggio, C. A.: Composition-malware: building Android malware at run time. In: Availability, Reliability and Security (ARES), 2015
• Martinelli, F., Mercaldo, F., Saracino, A.: BRIDEMAID: An Hybrid Tool for Accurate Detection of Android Malware. In: Asia Conference on Computer and Communications Security (ASIACCS), 2017
• Mercaldo, F., Nardone, V., Santone, A.: Ransomware inside out. In: Availability, Reliability and Security (ARES), 2016