EVENT-BASED METHOD FOR DETECTING TROJAN HORSES IN MOBILE DEVICES. Daniel Fuentes Brenes, J. Antonio Álvarez, J. A. Ortega Ramírez, Jesús Torres. Universidad de Sevilla, MOBISEC 2010 (slide transcript, 21 pages)

Page 1

EVENT-BASED METHOD FOR DETECTING

TROJAN HORSES IN MOBILE DEVICES

Daniel Fuentes Brenes, J. Antonio Álvarez, J. A. Ortega Ramírez, Jesús Torres

Universidad de Sevilla

MOBISEC 2010

Page 2

Index

Introduction

Trojan horse detection

Experimentation

Conclusions

Event-based method for detecting Trojan horses in mobile devices

Page 4

Introduction

Definition

We consider a Trojan horse to be an infection that gives an attacker remote access to the target computer system.

Other features:

Information theft

Propagation


Page 5

Introduction

Motivation

Importance and volume of the data stored in mobile phones.

Entry points for a possible infection.

Processing capacity of mobile phones.


Page 7

Trojan horse detection

Generic structure

Graphical user interface

Monitoring module based on event tracing, with two submodules:

Connection submodule

File submodule


Page 8

Trojan horse detection

Connection submodule

It controls the protocols that require a connection to be established before a file or a message can be sent or received.

File submodule

It controls the messages and files that can be sent or received.


Page 9

Trojan horse detection

Implementation

Graphical User Interface

Shows the details of connection requests and of received/sent files.

Asks the user for confirmation.

Monitoring Module

Connection submodule: examines connection requests using their protocol and port details.

File submodule: controls the number of messages and the time between them.


Page 10

Trojan horse detection

Symbian Client

Symbian C++, S60 3rd Edition, built with the Nokia Carbide IDE.

The GUI shows the active connections and the last 10 sent/received messages.

Event capture implemented with sockets.

Windows Mobile Client

Windows Mobile 6 Professional Software Development Kit and Microsoft Visual Studio 2008.

Event capture using event-handling functions.


Page 11

Trojan horse detection

iPhone and Android drafts

Figure (architecture diagrams of the two draft clients): Android, on top of Linux, with a Java User Interface Module, a Connection Submodule and a File Submodule; iPhone, on top of the iPhone OS layers Core OS, Core Services, Media Services and Cocoa Touch, with a GUI module, a File submodule and a Connection submodule.

Page 13

Experimentation

Trojan-SMS.WinCE.Sejweek trojan (WM)

Real behaviour

This infection downloads an XML file from a website; the file contains the premium-rate SMS numbers and the frequency at which the expensive SMS messages are sent.

Adaptation

The phone numbers are sent by formatted SMS from the malicious user's phone. The trojan sends contact information to the hacker through other formatted SMS messages.

The trojan propagates through MMS to all of the user's contacts.


Page 14

Experimentation

Trojan-SMS.WinCE.Sejweek trojan

Implementation

Symbian and Windows Mobile simulations.

Every time the hacker sends an SMS to the trojan, it produces a high cost (≈102.62 € for a user with 100 contacts).

WM: AirScanner 3.0 and BullGuard 2.0 do not detect it.

Symbian: the Net60 library enables the adaptation of the WM code (C++ to C#).

Detection: the Monitoring Module detected the Trojan horse in every single test and, after user confirmation, the infection was deleted.


Page 15

Experimentation

Neo-Call Spy Software (Symbian)

Behaviour

Similar to FlexiSPY or SpyPhone.

It conducts eavesdropping, call interception, GPS tracking, etc., and monitors phone calls and SMS text messages.

A malicious user receives the spy information through SMS on a phone and can control the spy actions by sending SMS to the attacked phone.

http://www.neo-call.com


Page 16

Experimentation

Neo-Call Spy Software (Symbian)

Symbian Test

SMS and Bluetooth misbehaviours have been tested using Nokia phones.

In both situations, the connections used to send and receive information through SMS are established through sockets.

Detection: the Monitoring Module controls the port range for the SMS and Bluetooth protocols and, through the User Interface Module, the user was informed whenever Neo-Call tried to send/receive an SMS to/from the malicious user.


Page 17

Experimentation

Cabir Worm (Symbian)

Behaviour

First network worm capable of spreading via Bluetooth.

Cabir searches for Bluetooth devices and, once one is found, transfers a file to it.

Cabir uses a socket with the Bluetooth RFCOMM protocol on port 0x00000009 (the port of a Symbian Bluetooth socket address is the RFCOMM channel).

Detection: the Connection Submodule includes the RFCOMM protocol and a wide port range, so the attacked device is informed of the connection attempts through a message on the screen.
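The detection logic of the Monitoring Module (slides 7 to 9), replayed against events shaped like the three experiments (the Sejweek SMS burst of slides 13 and 14, the Neo-Call SMS socket of slide 16 and the Cabir RFCOMM connection attempts above), as an added Python example. This is not the authors' Symbian C++ or Windows Mobile code. The Event layout, the watch-list entries (an RFCOMM port range and the whole SMS port range), the threshold of the file submodule (more than 5 messages from one application within 60 s), and every process name, phone number and address in the constructed trace are assumptions made for the illustration; the GUI confirmation dialog is replaced by an injected callback that answers "No" by default.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Confirm = Callable[[str], bool]  # stands in for the GUI confirmation dialog


@dataclass(frozen=True)
class Event:
    t: float      # seconds since the trace started
    kind: str     # "connect" (connection request) or "message" (SMS/MMS sent)
    proto: str    # "rfcomm", "sms", "mms", "tcp", ...
    port: int     # socket port; for RFCOMM this is the channel (Cabir: 0x9)
    peer: str     # remote Bluetooth address or phone number
    app: str      # application that raised the event


# Connection watch-list: (protocol, lowest port, highest port) -> label.
# Assumed entries mirroring the slides: RFCOMM with a wide port range (Cabir)
# and the whole SMS port range (Neo-Call's SMS control/report channel).
WATCHED: Dict[Tuple[str, int, int], str] = {
    ("rfcomm", 1, 30): "Bluetooth RFCOMM",
    ("sms", 0, 65535): "SMS socket",
}


class ConnectionSubmodule:
    """Examines each connection request by protocol and port, then asks."""

    def __init__(self, watched: Dict[Tuple[str, int, int], str], confirm: Confirm):
        self.watched, self.confirm = watched, confirm

    def on_event(self, ev: Event) -> Optional[str]:
        if ev.kind != "connect":
            return None
        for (proto, lo, hi), label in self.watched.items():
            if ev.proto == proto and lo <= ev.port <= hi:
                detail = f"{ev.app} -> {ev.proto}:{ev.port} ({ev.peer}) [{label}]"
                verdict = "allowed" if self.confirm(detail) else "blocked"
                return f"CONNECT {detail}: {verdict}"
        return None  # protocol/port not watched: no prompt


class FileSubmodule:
    """Counts messages per application and the time between them."""

    def __init__(self, max_msgs: int, window: float, confirm: Confirm):
        self.max_msgs, self.window, self.confirm = max_msgs, window, confirm
        self.sent: Dict[str, List[float]] = {}  # app -> send timestamps

    def on_event(self, ev: Event) -> Optional[str]:
        if ev.kind != "message":
            return None
        ts = self.sent.setdefault(ev.app, [])
        ts.append(ev.t)
        while ev.t - ts[0] > self.window:  # keep only the sliding window
            ts.pop(0)
        if len(ts) <= self.max_msgs:
            return None
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        detail = (f"{ev.app} sent {len(ts)} {ev.proto.upper()} messages in "
                  f"{self.window:.0f}s (mean gap {sum(gaps) / len(gaps):.1f}s) "
                  f"to {ev.peer}")
        verdict = "allowed" if self.confirm(detail) else "blocked"
        ts.clear()  # one prompt per burst: restart counting after the decision
        return f"MESSAGE {detail}: {verdict}"


def run_monitor(events: List[Event], confirm: Confirm) -> List[str]:
    """Replays the trace in time order through both submodules."""
    subs = [ConnectionSubmodule(WATCHED, confirm),
            FileSubmodule(max_msgs=5, window=60.0, confirm=confirm)]
    alerts: List[str] = []
    for ev in sorted(events, key=lambda e: e.t):
        alerts += [a for a in (s.on_event(ev) for s in subs) if a]
    return alerts


def sample_trace() -> List[Event]:
    """Constructed trace (hypothetical names and numbers): normal use plus
    Sejweek-, Cabir- and Neo-Call-like activity."""
    ev = [Event(0.0, "message", "sms", 0, "+15550100", "Messaging"),
          Event(45.0, "message", "sms", 0, "+15550101", "Messaging"),
          Event(210.0, "connect", "tcp", 80, "192.0.2.10", "Browser")]
    # Sejweek-like: 10 premium-rate SMS, one every 5 s, from a hidden process.
    ev += [Event(100.0 + 5.0 * i, "message", "sms", 0, "7979", "sejweek.exe")
           for i in range(10)]
    # Cabir-like: connection attempts to RFCOMM channel 9 of nearby devices.
    ev += [Event(200.0, "connect", "rfcomm", 0x9, "00:11:22:33:44:55", "caribe"),
           Event(203.0, "connect", "rfcomm", 0x9, "66:77:88:99:AA:BB", "caribe")]
    # Neo-Call-like: spy tool opens an SMS socket to report to its controller.
    ev.append(Event(300.0, "connect", "sms", 1234, "+15550199", "neocall"))
    return ev


def run_demo(confirm: Confirm = lambda detail: False) -> List[str]:
    """Default callback answers 'No' to every prompt (auto-block)."""
    return run_monitor(sample_trace(), confirm)
```

Calling `run_demo()` returns four alerts: the sixth premium SMS from the hidden process within one minute, the two RFCOMM channel 9 connection attempts, and the SMS socket opened by the spy tool; the two user SMS and the browser's TCP connection raise nothing. The sliding-window count is one reading of "controls the number of messages and the time between them"; the history is cleared after each decision so that a burst produces one prompt rather than one per message, which matters on a phone where every prompt costs the user's attention and, as the conclusions note, the user may lack the information needed to answer it.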


Page 19

Conclusion

Limitations

The user needs additional or advanced information to decide whether a suspicious connection request or file should be accepted.

Only a few Trojan horse samples are publicly available for research.

Concluding remarks

All malicious applications produce events to carry out their actions.

Using these events, the proposed Trojan detection method controls the connection requests and examines the sent/received files.


Page 20

Questions?


Page 21


Thanks!