Malware in Mobile Platform from Panoramic Industrial View

Published in: Technology


  1. Malware in Mobile Platform from Panoramic Industrial View. Antiy Labs.
  2. Contents. Introduction: a piece of "news" + a mobile phone. Phenomenon: new threat. Solution: is everything under control? Analysis: the history of confrontation. Conclusion.
  3. INTRODUCTION: A PIECE OF "NEWS" + A MOBILE PHONE
  4. Talking From A Piece of "News"
  5. Analysis
  6. Talking from a Grey Mobile Phone. Malicious behaviour: customize, extra expenses, extra services, download other software, network flows, website hits, steal messages, privacy, contacts list.
  7. Information Analysis on Malware
     Name: com.google.android.providers.enhancedgooglesearch
     Chinese Name:
     Original Name: a.apk
     URL Source:
     Collection Source:
     System Platform: Android
     Format: apk
     MD5 Value: BFBB58D0F8B487869393A0244AE71AFC
     CRC32 Value: C1C12A99
     SHA1 Value: 59EE114166CDBCDDB88B38299934021080053D86
     Bytes:
     Malware Information
     Name: Trojan/Android.droiddg.a[rmt,sys]
     CNCERT Name: a.remote.droiddg.a
     Chinese Name:
     Other Names: None
     Original/Tied: Firmware embedding
     Threat type: remote system
  8. A Truly Funny Story: a sexy E-market, a grey Android mobile, a genuine mobile, a real E-market.
  9. Diverted Industrial Chain
  10. INTERPRETATIONS OF NEW THREATS
  11. Crossing the System Platform (Zitmo). Platforms: Android, RIM OS, Windows, Symbian, WinCE. Diagram elements: Zeus, Zitmo, account / random password / identifying code, attacker, Net Bank.
  12. Steal Message and Contacts List (SW.Spyware). Propagation means: disguised as a tax amount calculating software package. Procedure: installation; mimics the QQ login form to lure users; gets the QQ account and password and sends them to a specific mobile phone. Target system: Android. Harm: steals message contents; the SW.Spyware.B variant can even monitor the user's communication record. Damage range: first version of Android virus. Propagation time: July 2010.
  13. Spycall (Nickispy). Spycall and send back. Disguised as Google+ at first. 2011/09/17
  14. Form Control System (Adrd). Trojan/Android.Adrd.a[exp]. The control side issues the control command and the malware trigger command, provides the data-accessing address (URL) needed by the malware behaviour, provides the parameter data needed by the malware behaviour, and provides an updating service for malware files.
  15. The combined use of vulnerabilities and social engineering. 1. Replace a normal application by means of a Google application download bug. 2. Consumers download bootleg applications which are actually malware, with 200 thousand victims. 3. Google clears out the malware by remote upgrade interplay and provides security software. 4. The malware attacker disguises as the Google security software.
  16. SOLUTION: IS EVERYTHING UNDER CONTROL?
  17. Traditional view. Host malware: format PE ……; spreading media: various media; entrance: Windows system. Mobile malware: format SIS, APK; spreading media: mobile media; entrance: Android, SymbOS systems.
  18. Major Spreading Approaches: official market/network; third-party market; message/multimedia message; flash memory share; USB communication; GPRS/3G; Wi-Fi; PC shared network; vendor pre-setting up. Diagram nodes: Internet, user, message, installation, download, PC, inserting, penetration, ROM, user flash.
  19. Dalvik Disassembling: IDA Pro
  20. Static Analysis: ARM Disassembling
  21. Static Analysis: Java Decompilation. 2011/09/20
  22. Dynamic Analysis: SDK Simulator
  23. Dynamic Analysis: Behavior Monitor
  24. Network Analysis
  25. Automatic Analysis
  26. Disassembling Dalvik Code
  27. Disassembling Dalvik Code
  28. Disassembling ARM Code
  29. Decompilation as Java
  30. System Simulation
  31. Network Data Analysis
  32. Dynamic Behavior Monitor
  33. Automatic Comprehensive Analysis
  34. Visualized Comprehensive Analysis
  35. ANALYSIS: THE HISTORY OF CONFRONTATION
  36. Those Forgotten Grey Faces? CIH (1998), Melissa (1999), Sasser (2004).
  37. Those Forgotten Red Alerts?
  38. A Cross-Platform Contrast: 2001 and 2010
  39. Winux (2001)
  40. Cross Platform: Mobile + PC Bimorphism. Files: SymbianUpdateSrv.exe, 912812352001_3rd.sisx, 0xe61caca0.dat (jar), symbianDL.exe, dlinstall.dat (sisx), install.dat20 (sisx), symbianStarter.exe, symbianSrv.exe, symbianChkServer.exe. Functions: start and update new module, disguising class files, download module, install module, clearing module, service-monitoring module, heartbeat module, telecontrol module.
  41. The Confrontation History Since 1988: normalized confrontation, systematical confrontation, industrial confrontation.
  42. Notable Events and Typical Methods of Normalized Confrontation. Notable events: bouncing ball virus, encrypted virus, metamorphic virus, script virus, macro virus. Typical methods: pattern matching penetrated, difficulty promoted, direct attack mechanism, disrupting the wording chain, interfering mechanism, normalized confrontation.
  43. Normalized Confrontation. Pipeline from virus to solution: object obtaining, preprocessor, matching box (current database, framework, diverter), assessor, disposer.
  44. Systematical Confrontation (2000~2005)
  45. Systematical Confrontation (notable events): the emergence of P2P zombie networks; the application of PKI systems in zombie networks; attack on VirusTotal by distributed DDoS; shift from client to cloud port.
  46. Industrial Confrontation (2005 to now): underground industrial system versus information industrial system.
  47. An Integral Whole Seen from the Underground Economy Chain. Links in the chain: invade enterprise servers and steal secrets for sale; invade servers and steal the virtual property and accounts of network game players; steal bank account money; launder currency and obtain money; invade websites massively; steal network and e-mail accounts; send rubbish e-mail; compile malware; reject-service (denial-of-service) attacks; spreading through forums and charging for spread; compile zombie networks; tying and spreading mobile malware; mobile SP expense-deducting malware code.
  48. Industrial Chain: Complex and Interminable. Participants: app store, software supplier, personal content supplier, enterprise application, security software vendors, sale service, private service, official after-sale service. Baseband chip: Qualcomm, TI, ……; solution: TechFaith, DaTang; spare parts: ARM, Memory, Battery; manufacturing; OS: Symbian, WM, MacOS, Android, Palm, ……; sale approach: genuine product, grey product, custom and tie.
  49. Summary. Malware has developed and broken through the traditional single concept of program code. It has penetrated into the whole system of society, politics, economy and life. It is impossible to resist malware effectively relying only on anti-virus vendors. The battle against malware requires the management and resistance of the whole social system. Anti-virus men of all countries, unite! Thank you! seak@antiy.com
