Mobile Malware defense and possibly Anti-forensics
Mobile Malware defense and possibly Anti-forensics - Sheran Gunasekera


  1. Mobile Malware Defense and possibly Anti-Forensics. Sheran A. Gunasekera. IDSECCONF 2013, Surabaya, Indonesia.
  2. Definitions
     • Digital forensics - analyzing and gathering evidence of incidents occurring on a digital device.
     • Malware - malicious software designed to disrupt or collect sensitive information from digital devices.
  3. Malware
     "In 2011, we saw unprecedented growth of mobile malware attacks with a 155 percent increase across all platforms." -- Daniel Hoffman (Juniper)
  4. Detection
     • Signature based?
     • Unique characteristics
     • No signature, no detection
  5. "In 2012, 45 percent of the AV signatures failed to detect malware that used such basic transformation techniques." -- DarkReading article [April 2013]
     (Diagram: ACME Malware Detector, Malware, Signatures)
  6. PWN3D
     • Assume you've been infected
     • Helps you stay paranoid
  7. Actors
     • You
     • Your mobile device
     • The guy spying on you
  8. How does it work?
     • Inbound & outbound email
     • Inbound & outbound SMS/MMS
     • Phone call logs
     • BBM messages
     • Contact information
  9. Crippling malware
     • Relies on exfiltrated data
     • Expects data to be accurate
     • But what if the data wasn't accurate...?
  10. Techniques
     • DDTS - Don't Drop The Soap *
     • POEPFlood - Phony Object Escalation Process
     • FML - Flush My Log *
     * Can be used for anti-forensics
  11. DDTS
     • Possible use for anti-forensics
     • Works on USB trigger
     • Use IOPortListener or USBPortListener
     • Trigger on event connectionRequested()
  12. USB connection triggers:
     • Flood Email
     • Flood SMS
     • Flood Contact
     • Flush Log
  13. Hooking email
     • Email messages
     • Package: net.rim.blackberry.api.mail.event
     • Interface: FolderListener
     • Methods: messagesAdded()
     • Intercept and forward all emails on the BlackBerry handheld
  14. Listener (diagram)
  15. Listener / Flooder (diagram)
  16. (diagram only)
  17. Hooking Call Logs (diagram)
  18. Hooking Call Logs (diagram)
  19. ContactFlooder (diagram: Contact 1, Contact 2, Contact 3, Contact 4)
  20. A note about keywords
     • Fake email only as good as keywords
     • Build an algorithm to mine existing keywords
     • Think like the person that spies on you
     • If they search for "bank", "password", "pin"...
  21. Log files
     Event log (16Kb log size): Log Entry 1, Log Entry 2, Log Entry 3, ..., Log Entry n-2, Log Entry n-1, Log Entry n.
     New entries are written to the bottom; old entries are ejected.
  22. FML
     Event log (16Kb log size): Log Entry 1, Crap, Crap, Crap, Crap, Crap, ...
     The FML attack writes fake data; valid entries are deleted.
  23. FML
     • BlackBerry log size - 16Kb
     • Android LogCat size - 64Kb
  24. Why?
  25. Why?
     • Unorthodox
     • Good wing-man for conventional
     • Frustrates the guy spying on you
  26. Recap
     • Assume you're pwn3d
     • Introduce controlled "noise" in your data
     • Make it harder for the guy spying on us
     • Sit back and laugh
  27. Thanks. sheran@zenconsult.net
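Slides 21 to 23 describe the fixed-size event log (16Kb on BlackBerry, 64Kb for Android LogCat) in which new entries go at the bottom and the oldest are ejected, and the "Flush My Log" idea of filling it with fake data so that the valid entries are pushed out. The following Python model is an added example and is not code from the talk: it reproduces that ejection behaviour, computes how many filler entries are enough to displace everything older, and shows the check a forensic examiner can run on a recovered log to tell that it has been flooded. The byte budgets come from the slides; the log lines, the filler string "Crap" (the slide's own placeholder) and the distinct-ratio threshold are constructed for the example.

```python
"""Model of a fixed-size, append-at-bottom event log and an examiner-side
flood check. Added example; sizes taken from the slides, entries constructed."""
from collections import deque

# Byte budgets quoted on slide 23 (Kb read as kilobytes here).
LOG_SIZES = {"blackberry": 16 * 1024, "android_logcat": 64 * 1024}


class BoundedLog:
    """Append-only log with a fixed byte budget: newest entry at the bottom,
    oldest entries ejected first as soon as the budget is exceeded."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = deque()
        self.used = 0

    def append(self, entry):
        self.entries.append(entry)
        self.used += len(entry.encode())
        # Eject from the top (oldest) until we fit again.
        while self.used > self.capacity:
            old = self.entries.popleft()
            self.used -= len(old.encode())

    def dump(self):
        return list(self.entries)


def entries_to_evict_all(capacity, filler):
    """Smallest number of filler entries whose bytes alone exceed the budget.
    Because ejection is oldest-first, once that many have been written no
    entry that predates the flood can still be in the log."""
    return capacity // len(filler.encode()) + 1


def sample_valid_entries(n):
    """Constructed stand-in for genuine event-log lines (23 bytes each)."""
    return [f"event {i:03d}: app{i % 7} started" for i in range(n)]


def simulate(capacity, valid_entries, filler, n_filler=None):
    """Write the valid entries, then n_filler copies of the filler (default:
    just enough to evict everything), and report what survives."""
    log = BoundedLog(capacity)
    for entry in valid_entries:
        log.append(entry)
    if n_filler is None:
        n_filler = entries_to_evict_all(capacity, filler)
    for _ in range(n_filler):
        log.append(filler)
    retained = log.dump()
    survivors = [e for e in retained if e != filler]
    return {
        "filler_entries_written": n_filler,
        "retained": len(retained),
        "valid_survivors": len(survivors),
    }


def flood_suspected(entries, distinct_threshold=0.1):
    """Examiner-side heuristic: a genuine event log is made of many distinct
    lines, while a flooded one is dominated by a few repeated filler lines.
    Flags the log when fewer than distinct_threshold of its lines are unique."""
    if not entries:
        return False
    distinct_ratio = len(set(entries)) / len(entries)
    return distinct_ratio < distinct_threshold


if __name__ == "__main__":
    for platform, capacity in LOG_SIZES.items():
        result = simulate(capacity, sample_valid_entries(100), "Crap")
        print(platform, result)
    partial = simulate(LOG_SIZES["blackberry"], sample_valid_entries(100), "Crap", 3600)
    print("partial flood:", partial)
```

Two things the model makes concrete. First, the cost of the attack is only the byte budget: 4097 four-byte filler lines clear a 16Kb log and 16385 clear a 64Kb one, so a flood finishes in a fraction of a second on either platform. Second, the flood is not silent: the recovered log is almost entirely one repeated line, so a distinct-line ratio (or any similar entropy check) over a dump tells an examiner that what is missing was removed deliberately, even though the removed entries themselves cannot be recovered from the device log alone.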