Aims and Objectives of Project
Understand and analyse current malware strategies
 Analyse in detail various malware infection vectors and
new revenue channels being exploited
 Review malware concealment and detection strategies
 Carry out an infection between Android device and
Windows, analysing in detail what is happening
 Propose an efficient and practical way in which crosscontamination across platforms can be restricted
 Challenges and barriers to the implementation of our
proposal

Agenda







Malware history
Mobile malware timeline, attack vectors
and new revenue channels created
Malware concealment and detection
strategies
Analysis of cross-platform malware
Limiting cross-platform malware
Challenges and barriers to implementation
Concluding remarks
Malware history

Definition of malware - A general term used
to refer to any software that is installed on
a machine and performs unwanted
(malicious) tasks (Christodorescu et al,
2007)

Different classifications have been
attempted, mostly based upon the payload
type, vulnerabilities exploited and
propagation mechanisms used
Malware history

Became known to many computer users
through the Melissa virus in 1999 and the
LoveLetter worm in 2000 (Dunham et al,
2009)
Mobile malware timeline
2000
• Timofonica (targeted at Movistar mobile operator)
• Cabir (first worm to target mobile phones)
2004 • Duts (malware targeted at Windows Mobile)
2010
2013
2014
• FakePlayer (first SMS trojan for Android devices)
• Obad (spread via alien botnets)
• FakeBank (Windows trojan attacks Android devices)
Mobile malware attack vectors
Attack Vectors
Limited
Resources
SMS/MMS
Processing
power
Network
User Interface
Limitation
Screen size
Mobility issues
Bluetooth
WiFi
Storage
capacity
Battery
autonomy
Screen
resolution
Network
coverage
Visual
indicators
Mobile malware revenue channels

New revenue channels exploited by mobile
malware:
 Billed events
○ Premium-rate numbers still being used to target
mobile devices – malicious users can force mobile
devices to send premium-rate SMS messages
 Payment systems
○ Mobile devices being used as physical payment
devices
○ Proximity payments (such as NFC) has opened up
new possibilities for malicious attackers e.g. inject
malicious URL through NFC tags
Cross-platform contamination

First example of cross-platform malware
contamination was the Morris Worm
(Orman, 2003)




Released in 1988
In less than 24 hours, caused great damage
Slowed thousands of systems
Exploited vulnerabilities on VAX and SUN
Microsystems platforms; and the Sendmail
email delivery software
Cross-platform contamination

Following the Morris worm, other multiplatform malware emerged:






1999 – W32/W97M Coke
2000 – W32/HLP Dream and Pluma
2001 – W32/Linux Peelf
2010 – StuxNet
2011 – Duqu
2014 – FakeBank
Cross-platform contamination

Proof-of-concept by Wang and Stavrou
using USB in 2010 (Z. Wang and A.
Stavrou, 2010)
 USB commonly used as a means to charge,
communicate and synchronise
 Malware exploits this connection to
propagate itself
 In 2010, Wang and Stavrou demonstrated
how a PC can use USB connection to
unlock and flash software of a mobile device
Cross-platform contamination

Proof-of-concept breaking Mobile Transaction
Authentication Numbers (Dmitrienko et al,
2012)
 Attack was divided into three phases
 First phase, malware installed on the terminal
steals the user’s credentials
 Second phase involves cross-platform infection
 Third phase, the malicious attacker performs
transaction with the user’s bank, mimicking the
user
Malware concealment strategies

Malware concealment strategies serve one
purpose, namely survival of the code

The longer malware can protect itself from
detection, the more time it has available for
replication and infection
Malware concealment strategies

Aim to increase the span of time between
infection and detection phases
Phase 1
Infect
Phase 4
Eradicate
Phase 2
Detect
Phase 3
Analyse
Malware concealment strategies

Passive strategies to evade detection:
 Malware which implements a set of
techniques to hide itself from detection, such
as bypassing anti‐virus or anti‐malware
signature detection

Active strategies to evade detection:
 Malware that, apart from concealing their
presence, actively tries to hinder the
detection and analysis of the code
Malware detection strategies

Using static techniques:
 Signature analysis and hashing
 Extracting system calls
 Static taint analysis

Using dynamic techniques:
 Dynamic taint analysis
 Behavioural analysis
Malware detection strategies

Using heuristics:
 Monitoring API and system calls
 OpCode analysis
 Using N-Grams
 Control flow graphs

Using hybrid techniques
Analysis of cross-platform malware
Practical implementation of cross-platform
infection for detailed analysis
 Used a physical Android 4.1.1 tablet
connected via USB Device Filter to a host
running a virtual machine with Windows XP
SP3
 Malware sample used was DroidCleaner,
served via another virtual machine running
Kali Linux and Apache

Analysis of cross-platform malware

Tablet device connected to our web server,
downloaded and installed the malicious
application
Analysis of cross-platform malware
Shark for Root was launched and kept in
listening mode
 DroidCleaner application launched and
‘Default Cleanup’ was selected

Analysis of cross-platform malware
Following the hypothetical clean-up,
DroidCleaner was closed
 Shark Reader was then used to review the
logs generated by Shark for Root
 Two IPs were noted:

 54.235.185.74 – host located on the
Amazon Cluster
 173.194.70.95 – reported by virustotal.com
as serving a number of known malware files
Analysis of cross-platform malware
All latest Windows XP updates were
installed but the default installation settings
were left enabled
 Autorun feature was kept enabled for the
purpose of our analysis
 Launched two applications on our Windows
XP machine, Process Hacker and Wire
Shark

Analysis of cross-platform malware

Upon connecting the tablet to the Windows
XP machine, Process Hacker detected two
unknown applications namely ‘pwd.exe’
and ‘Start.exe’

A short while afterwards, the application
‘Start.exe’ generated an application error
message
Analysis of cross-platform malware
Analysis of cross-platform malware
Wire Shark was stopped and proceeded
to analyse the logs generated
 We noted that our XP machine was
trying to connect to IP 190.93.253.132
using SSLv3
 This IP address was checked again
using virustotal.com
 Reported to resolve to minecraft.org

Analysis of cross-platform malware
Analysis of cross-platform malware
ILSpy was launched and file ‘svchosts.exe’
analysed
 File contains the NAudio library, launched
upon program execution
 NAudio is an open source .NET audio and
MIDI library
 Confirmed our initial thoughts that this
malware will record, and upload, voice
recordings to the attacker

Analysis of cross-platform malware

To further the analysis, the function
‘XControl’ was opened and the following
details were noted:
 the attacker’s server (hostname)
 the FTP user name and password
 the destination port number to use
Analysis of cross-platform malware
Analysis of cross-platform malware
The file was then uploaded to an online
sandbox analysis facility
 Two anti-debugging techniques were found
namely:

 Guard pages – used to protect against
reverse engineering and debugging,
returning an exception
 SystemKernelDebuggerInformation – a
feature used to check for kernel debuggers
attached to the system
Analysis of cross-platform malware

We then analysed the Android application
using various tools found within the Kali
Linux distribution

Of particular interest are the various
commands which the attacker can use
once the mobile device is infected
Analysis of cross-platform malware
Analysis of cross-platform malware
Registration of the Android device was
made using config file ConnectorService
 The device was instructed to send the
command string:
‘|NEW_HELLOW|’ followed by ‘ACCT +
PORT’
 On successful connection, the device
would then download three files
‘svchost.exe’, ‘Kst.exe’ and ‘Controller.exe’

Analysis of cross-platform malware

Summary
 The unsuspecting user downloads a rogue
application
 When the user launches the application, it
communicates with a remote
command‐and‐control server
 The user then proceeds to connect his
Android device to the computer
 The malware on the Android device
propagates to the victim’s computer
Limiting cross-platform malware
Malware creators are being craftier in
evading anti-malware engines
 Through our research, it was noted that
detection through anti-malware engines is
carried out from within the operating
system
 The actual anti-malware engine is running
as a process in itself which can be easily
subverted and inherits weaknesses in the
operating system
 Zero-day exploits and other advanced
persistent threats are a daily occurrence

Limiting cross-platform malware
Proposal of adding a new layer between
the hardware layer and the operating
system/kernel layers
 Security layer denoted as hypervisor
 Can be used to monitor and protect the
whole system
 Must be lightweight in resources
consumed, transparent to the operating
system and compatible across multiple
platforms

Limiting cross-platform malware

We still need some sort of malware
detection technique in order to detect the
presence of malicious intentions during
programme execution

Malware using polymorphism or
metamorphism can easily evade static
malware detection
Limiting cross-platform malware
In addition, static detection is largely based
on signatures
 These systems are equipped with a
database of known signatures or
instructions that are considered malicious
 Such a setup imposes a restriction on the
frequency when this signature database is
updated e.g. out of (3G) data reception

Limiting cross-platform malware
During our malware analysis, we showed
how DroidCleaner attacked both Android
and Windows
 Through registration of our Android device
to the attacker’s server, access to the
various hardware components was made
available.
 On Windows, the attacker could install an
open source audio library that controlled
microphone activation and the local
storage

Limiting cross-platform malware
User applications
Protected operating system
Hypervisor level
Hardware components
Limiting cross-platform malware

We propose two configuration sets

One set, S1, will contain hardware features
to be monitored e.g. GPS sensor, WiFi,
microphone, camera

The other set, S2, will contain the
permissions requested for S1 e.g. take a
picture, enable WiFi, access microphone
Limiting cross-platform malware

By way of example:

If hypervisor detects a request to access
camera (S1) for taking a snapshot (S2), the
request will be allowed if a previous user
activity took place within a configured
timeout in seconds
Limiting cross-platform malware
Start Device
Load Dataset
Launch
Hypervisor
Deny Access,
Update
Dataset
Monitor
Requests
Allow Access,
Update
Dataset
If timeout is <
than limit set
Check User
Activity
If timeout is >
than limit set
Challenges to implementation

Access to hardware drivers and source code
due to diversification of the Android platform
(ARM, Intel to name a few)

Power management and battery life are a
critical factor – possible use of ‘wakelocks’ in
Android to avoid constant polling (allow apps
to notify the kernel that they are doing
something, and that the kernel should not put
the device to sleep)
Challenges to implementation

Functionality is a critical factor – added
benefits of security are seen as extra
burden, limiting use of their device

Security review – cannot be software with
an unknown internal structure; opening the
system to the security community allows
independent assessment of its exposure to
risk
Concluding remarks

Significance of our research
Gain a better understanding of the way cross‐platform
malware contamination occurs in practice
An attempt was made to come up with a new
framework that can assist us in limiting such
contamination, moving away from traditional detection

Future research
The weaknesses affecting current malware detection
strategies lie at the basis of our departure from the
traditional view of how we can protect devices in
favour of new methods designed to amplify the
effectiveness of existing detection techniques
Practical hints for your project
Liaise with your personal adviser to discuss
your interests and direct you to relevant
tutor sharing your interests
 Make early contact and try to come up with
two to three areas of interest
 Prepare a solid timetable, defining the
chapters, amount of pages to write and set
deadlines
 Adjust your timetable schedule where
necessary but try not to diverge too much

References

M. Christodorescu, S. Jha, D. Maughan, D. Song and C. Wang,
"Introduction to Malware Detection," in Malware Detection, New York, USA,
Springer Science and Business Media, 2007, p. IX

K. Dunham, S. Abu‐Nimeh, S. Fogie, B. Hernacki, J. A. Morales and
C. Wright, Mobile
Malware Attacks and Defense, Syngress Publishing Inc, 2009


H. Orman, "The Morris Worm: A Fifteen‐Year Perpective," Security &
Privacy, IEEE, vol. 1, no. 5, pp. 35‐43, November 2003

Z. Wang and A. Stavrou, "Exploiting Smart‐Phone USB Connectivity for Fun
and Profit," in Preceedings of the 26th Annual Computer Security
Applications Conference (ACSAC), 6‐10 December pp. 357‐366, Austin,
Texas, USA, 2010

A. Dmitrienko, L. Davi, A.‐R. Sadeghi and C. Liebchen, "Over‐the‐Air
Cross‐platform Infection for Breaking mTAN‐based Online Banking
Authentication," in Black Hat 2012, Abu Dhabi, UAE, 2012
Thank you
http://mt.linkedin.com/naquilina
info@nicholasaquilina.com