EVENT-BASED METHOD FOR DETECTING
TROJAN HORSES IN MOBILE DEVICES
Daniel Fuentes Brenes, J. Antonio Álvarez, J. A. Ortega Ramírez, Jesús Torres
Universidad de Sevilla
MOBISEC 2010
Index
Introduction
Trojan horse detection
Experimentation
Conclusions
Event-based method for detecting Trojan horses in mobile devices
Introduction
Definition
We consider a Trojan horse to be an infection that gives an attacker remote access to the target system.
Other typical features:
Information theft
Propagation
Introduction
Motivation
Importance and volume of the data stored in mobile phones.
Entry points for a possible infection.
Processing capacity of mobile phones.
Trojan horse detection
Generic Structure
Graphical User interface
Monitoring module based on event tracing, with two submodules:
Connection submodule
File submodule
Trojan horse detection
Connection submodule
It controls protocols where a connection must be established before a file or a message can be sent or received.
File submodule
It controls the messages and files that can be sent or received.
Trojan horse detection
Implementation
Graphical User Interface
Shows the details of connection requests and of received/sent files.
Asks the user for confirmation.
Monitoring Module
Connection submodule: examines connection requests using their protocol and port details.
File submodule: controls the number of messages and the time between them.
Trojan horse detection
Symbian Client
Symbian C++ for S60 3rd Edition, built with the Nokia Carbide IDE.
The GUI shows the active connections and the last 10 sent/received messages.
Event capture is implemented through sockets.
Windows Mobile Client
Windows Mobile 6 Professional Software Development Kit and Microsoft Visual Studio 2008.
Event capture uses event-handling functions.
Trojan horse detection
iPhone and Android drafts
[Figure: draft architectures for the iPhone and Android clients. Android: GUI module, Connection submodule and File submodule on top of the Java layer over Linux. iPhone OS: GUI module, File submodule and Connection submodule over the Cocoa Touch, Media Services, Core Services and Core OS layers.]
Experimentation
Trojan-SMS.WinCE.Sejweek trojan (WM)
Real behaviour
This infection downloads an XML file from a website that contains premium-rate SMS numbers and the frequency at which the expensive SMS messages are sent.
Adaptation
The phone numbers are sent by formatted SMS from a malicious user's phone. The trojan sends contact information to the attacker through other formatted SMS messages.
The trojan propagates through MMS to all of the user's contacts.
Experimentation
Trojan-SMS.WinCE.Sejweek trojan
Implementation
Symbian and Windows Mobile simulations.
Every time the attacker sends an SMS to the trojan, it produces a high cost (≈102.62€ for a user with 100 contacts).
WM: AirScanner 3.0 and BullGuard 2.0 do not detect it.
Symbian: the Net60 library enables the code adaptation from WM (C++ to C#).
Detection: the Monitoring Module detected the Trojan horse in every single test and, after user confirmation, the infection was deleted.
Experimentation
Neo-Call Spy Software (Symbian)
Behaviour
Similar to FlexiSPY or SpyPhone.
It conducts eavesdropping, call interception, GPS tracking, etc., and monitors phone calls and SMS text messages.
A malicious user receives the spy information through SMS to a phone and can control spy actions by sending SMS to the attacked phone.
http://www.neo-call.com
Experimentation
Neo-Call Spy Software (Symbian)
Symbian Test
SMS and Bluetooth misbehaviours have been tested using Nokia phones.
In both situations, the connections to send and receive information through SMS are established through sockets.
Detection: the Monitoring Module controls the port range for the SMS and Bluetooth protocols and, using the User Interface Module, the user was informed when Neo-Call tried to send/receive an SMS to/from the malicious user.
Experimentation
Cabir Worm (Symbian)
Behaviour
First network worm capable of spreading via Bluetooth.
Cabir searches for Bluetooth devices and, once one is found, transfers a file to it.
Cabir uses a socket over the Bluetooth RFCOMM protocol on port 0x00000009.
Detection: the Connection Submodule covers the RFCOMM protocol and a wide port range, so the attacked device is informed of the connection attempts through a message on the screen.
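As an added illustration (not code from the paper or its clients), the following Python sketch models the two checks of the Monitoring Module described earlier: the Connection Submodule matching a connection request against watched protocol/port ranges (the Cabir case, RFCOMM port 0x09) and the File Submodule counting messages and the time between them (the Sejweek premium-SMS burst). The watched port ranges, the thresholds and the event trace are assumptions constructed for the example; the paper gives only the RFCOMM port.

```python
from collections import deque
from dataclasses import dataclass

# Watched protocol/port ranges (assumed): the paper names RFCOMM port 0x09 for Cabir
# and a "port range for SMS and Bluetooth protocols" without listing the numbers.
WATCHED = {
    "rfcomm": (0x01, 0x1E),   # Bluetooth RFCOMM server channels 1..30
    "sms": (0x0000, 0xFFFF),  # every SMS socket port is inspected
}

@dataclass
class Event:
    t: float        # seconds since the trace started
    kind: str       # "connect" (Connection Submodule) or "message" (File Submodule)
    protocol: str
    port: int
    peer: str

class MonitoringModule:
    def __init__(self, max_msgs=5, window=60.0):
        self.max_msgs, self.window = max_msgs, window  # assumed thresholds
        self.recent = deque()   # timestamps of messages inside the sliding window
        self.alerts = []        # what the GUI would show and ask the user to confirm

    def connection_submodule(self, ev):
        """Flag a connection request whose protocol/port falls in a watched range."""
        rng = WATCHED.get(ev.protocol)
        if rng and rng[0] <= ev.port <= rng[1]:
            self.alerts.append(f"{ev.t:.0f}s connect {ev.protocol}:{ev.port:#x} from {ev.peer}: ask user")
            return True
        return False

    def file_submodule(self, ev):
        """Flag a burst: more than max_msgs messages inside the time window."""
        self.recent.append(ev.t)
        while self.recent and ev.t - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) > self.max_msgs:
            self.alerts.append(f"{ev.t:.0f}s {len(self.recent)} messages in {self.window:.0f}s, last to {ev.peer}: ask user")
            return True
        return False

    def process(self, events):
        for ev in events:
            (self.connection_submodule if ev.kind == "connect" else self.file_submodule)(ev)
        return self.alerts

def sample_events():
    """Constructed trace: a Cabir-style RFCOMM connection on port 9, a normal web
    connection, one ordinary SMS, then a Sejweek-style burst of eight SMS in eight seconds."""
    evs = [Event(5, "connect", "rfcomm", 0x09, "00:11:22:33:44:55"),
           Event(8, "connect", "tcp", 80, "example.com"),
           Event(20, "message", "sms", 0, "+34600000001")]
    evs += [Event(100 + i, "message", "sms", 0, f"+34600000{i:03d}") for i in range(8)]
    return evs
```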
Conclusion
Limitations
The user needs additional or advanced knowledge to decide whether a suspicious connection request or file should be accepted.
Only a few Trojan horse samples are publicly available for research.
Concluding remarks
All malicious applications produce events in order to carry out their actions.
Using these events, the proposed Trojan detection method controls the connection requests and examines the sent/received files.
Questions?
Thanks!