DroidKungFu and AnserverBot

Presentation transcript:

DroidKungFu and AnserverBot
Android Malware Characterisation, part II

Analysis of Two Malware Families
- DroidKungFu and AnserverBot represent the most recent incarnation of malware engineering
- Since their first appearance, several improvements have been coded to increase their stealthiness

DroidKungFu
- There are 6 different known variants of DroidKungFu
- They appeared within a period of 6 months
- Probably many more now
- They contain:
  - Root-kit exploits
  - C&C server comm
  - Shadow payloads
  - Code obfuscation

DroidKungFu – Root Exploits
- 4 variants contain root exploits
- DroidKungFu is the first to use encrypted root-kits
- Root-kits are stored as assets to look like normal data files
- Initially the asset name was ratc (RageAgainstTheCage)
- Then it was changed to myicon

DroidKungFu – C&C Comm
- All the variants communicate with C&C servers
- To evade detection, the C&C servers’ addresses keep changing
- DroidKungFu1 uses a plaintext string in one of its Java classes
- In DroidKungFu2 the address is moved to plain text in native code
- DroidKungFu3 and DroidKungFu4 use encrypted names (stored in a Java class and in native code)

DroidKungFu – Shadow Payload
- If the root-kit is successful, then a shadow app will be installed
- The user will not be aware of this app
- This app contains the same code as the malicious payload included in the repackaged app
- This means that in the event the user removes the host app, the shadow app will remain
- Variants encrypt the shadow app to evade detection, and no icon is shown

DroidKungFu – Code Obfuscation
- Extensive use of encryption for constant strings, C&C servers’ addresses, the native payload and the shadow app
- Keys are changed very often
- Extensive use of code obfuscation
- Use of native code and JNI to make code analysis more difficult
- DroidKungFuUpdate uses the update attack to download the actual payload and evade static code analysis

AnserverBot
- One of the most advanced malware families
- It uses evasion techniques not used before by any other Android malware
- It has been discovered in repackaged apps available in Chinese app markets
- It seems to be an evolution of the BaseBridge malware family

AnserverBot – Anti Analysis
- It uses the repackaging attack
- However, when installed it checks whether the hosting app has been tampered with
- It checks the signature and then unfolds its payload
- It extensively uses code obfuscation to make it unreadable to humans
- The payload is split into three different apps: the host app plus two shadow apps

AnserverBot – Anti Analysis
- The shadow apps share the same package name: com.sec.android.touchScreen.server
- One shadow app is loaded through the update attack
- The other shadow app is dynamically loaded through the JVM dynamic class load method
- However, it is not installed!
- AnserverBot is able to load any code retrieved from the C&C server

AnserverBot – AV Detection
- This malware is very aggressive
- It tries to detect if AV software is installed on the device
- It contains the encrypted names of security apps such as LBE and 360 MobileSafe
- If one is installed, the malware uses the restartPackage method to stop the AV and then displays an error message
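The indicators on the DroidKungFu root-exploit, code-obfuscation and AnserverBot slides above (encrypted payloads stored as ordinary-looking assets, the ratc/myicon asset names, the shared shadow-app package name, the restartPackage call, dynamic class loading) can all be checked statically, before the app is ever run. The script below is an added example, not code from the presentation or from any malware analysis project: it builds a constructed APK-like archive in memory and triages it. The asset names and strings come from the slides; the choice of DexClassLoader as the "dynamic class load method" and the 7.5 bits/byte entropy threshold are assumptions of this example.

```python
"""Static triage of an APK for the DroidKungFu / AnserverBot indicators on these slides.

Added example, not code from the presentation. It looks for three things a
defender can check without running the app:
  * assets whose byte entropy is close to 8 bits/byte: encrypted payloads stored
    as "normal data files", like DroidKungFu's ratc / myicon assets;
  * asset names the slides tie to DroidKungFu (ratc, myicon);
  * plain strings in classes.dex tied to AnserverBot's shadow apps and AV killing
    (the shared package name, restartPackage) and to dynamic code loading
    (DexClassLoader: an assumption about which loader the slide means).
The APK is built in memory (constructed sample) so the script runs offline.
"""
import io
import math
import os
import random
import zipfile
from collections import Counter

SUSPICIOUS_ASSET_NAMES = {"ratc", "myicon"}

# Label -> byte string as it appears in a dex string table (descriptors use '/').
SUSPICIOUS_DEX_STRINGS = {
    "AnserverBot shadow-app package": b"Lcom/sec/android/touchScreen/server/",
    "restartPackage (used to stop the AV process)": b"restartPackage",
    "DexClassLoader (dynamic code loading; assumed API)": b"Ldalvik/system/DexClassLoader;",
}

ENTROPY_THRESHOLD = 7.5   # bits per byte (assumed); text and most resources sit far below
MIN_ASSET_SIZE = 256      # tiny files give unreliable entropy estimates

# Already-compressed media also scores near 8 bits/byte; skip it by magic bytes.
COMPRESSED_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"PK\x03\x04", b"\x1f\x8b")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Return the indicators found in an APK (a zip archive) given as bytes."""
    findings = {"high_entropy_assets": [], "suspicious_asset_names": [], "dex_indicators": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name, data = info.filename, zf.read(info)
            if name.startswith("assets/"):
                if os.path.basename(name) in SUSPICIOUS_ASSET_NAMES:
                    findings["suspicious_asset_names"].append(name)
                if (len(data) >= MIN_ASSET_SIZE
                        and not data.startswith(COMPRESSED_MAGIC)
                        and shannon_entropy(data) >= ENTROPY_THRESHOLD):
                    findings["high_entropy_assets"].append(name)
            elif name == "classes.dex":
                for label, needle in SUSPICIOUS_DEX_STRINGS.items():
                    if needle in data:
                        findings["dex_indicators"].append(label)
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample, not a real malware file: a plausible APK layout with an
    encrypted-looking asset named myicon and tell-tale strings in classes.dex."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    ciphertext_like = bytes(rng.getrandbits(8) for _ in range(4096))
    png_like = b"\x89PNG\r\n\x1a\n" + bytes(rng.getrandbits(8) for _ in range(1024))
    dex = (b"dex\n035\x00" + b"\x00" * 64
           + b"Lcom/sec/android/touchScreen/server/MainService;\x00"
           + b"restartPackage\x00"
           + b"Ldalvik/system/DexClassLoader;\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder; real one is binary XML
        zf.writestr("classes.dex", dex)
        zf.writestr("assets/myicon", ciphertext_like)                 # flagged: name + entropy
        zf.writestr("assets/readme.txt", b"The quick brown fox jumps over the lazy dog.\n" * 40)
        zf.writestr("assets/logo.png", png_like)                      # high entropy but skipped: PNG magic
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for key, hits in triage_apk(build_sample_apk()).items():
        print(f"{key}: {hits}")
```

The entropy check is what catches the "encrypted root-kit stored as a data file" trick regardless of the asset's name, so a variant that renames ratc to myicon (or to anything else) still surfaces; the magic-byte skip keeps genuinely compressed media such as PNG and JPEG from flooding the report. Searching the raw dex bytes works because dex keeps its string table in plain (M)UTF-8, but it is defeated by the string encryption the obfuscation slide describes, which is exactly why high-entropy assets and a string table that is nearly empty of readable names are both worth reporting.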

AnserverBot – C&C Comm
- AnserverBot supports two types of C&C servers
- One type is used for sending commands
- The second one is used for retrieving encrypted payloads
- To reach the second one, it uses an encrypted entry posted on public blog providers, i.e. Sina and Baidu
- This entry contains the (encrypted) address of the second C&C server

The AVS race
- Given the rapid evolution of malware, AV software is lagging behind
- Mainly, AVS uses a signature-based approach
- It relies on the content of its signature DB
- If an app's signature is not there, it may not be recognised as malware
- How easy is it to change the signature of an app? Very!
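To make the "how easy is it to change the signature of an app" point concrete from the detection side, the following added example (not from the presentation) models an APK as a mapping from entry names to bytes and compares the whole-file hash a signature DB typically stores with a fingerprint that keys only on the entries carrying the payload. The samples are constructed placeholders, and the example simplifies by keeping the payload in lib/ and assets/ only; in a real repackaged app the injected classes are merged into the host's classes.dex, so a production fingerprint would also need structural hashing of the dex.

```python
"""Why an exact file hash is a brittle AV signature, and a payload-oriented fingerprint.

Added example, not from the presentation. Two recognisers are compared against a
small signature DB:
  * whole-file SHA-256, the kind of entry a signature DB typically holds, and
  * a fingerprint over the entries that carry the payload (native libraries and
    non-media assets), ignoring the signing block, resources and the host app's
    code, which a repackager rewrites every time.
Assumption/simplification: the payload lives only in lib/ and assets/ here.
All samples below are constructed placeholders, not real malware bytes.
"""
import hashlib

MEDIA_SUFFIXES = (".png", ".jpg", ".jpeg", ".ogg", ".mp3")


def file_hash(entries: dict) -> str:
    """Deterministic hash of the whole archive (stands in for the APK file's SHA-256)."""
    h = hashlib.sha256()
    for name in sorted(entries):
        h.update(name.encode()); h.update(b"\0")
        h.update(entries[name]); h.update(b"\0")
    return h.hexdigest()


def payload_fingerprint(entries: dict) -> str:
    """Hash only the entries that carry payload code/data and survive repackaging."""
    h = hashlib.sha256()
    for name in sorted(entries):
        carries_payload = name.startswith("lib/") or (
            name.startswith("assets/") and not name.lower().endswith(MEDIA_SUFFIXES))
        if carries_payload:
            h.update(name.encode()); h.update(hashlib.sha256(entries[name]).digest())
    return h.hexdigest()


def build_signature_db(known_samples) -> dict:
    """Both kinds of signature for every sample the analyst has already seen."""
    return {"hashes": {file_hash(s) for s in known_samples},
            "fingerprints": {payload_fingerprint(s) for s in known_samples}}


def classify(entries: dict, db: dict) -> str:
    """Exact hash first (cheapest), then the payload fingerprint, else unknown."""
    if file_hash(entries) in db["hashes"]:
        return "hash-match"
    if payload_fingerprint(entries) in db["fingerprints"]:
        return "payload-match"
    return "unknown"


# Constructed samples. PAYLOAD_SO / PAYLOAD_ASSET stand in for the malicious
# native library and the encrypted shadow app; no real malware bytes are used.
PAYLOAD_SO = b"\x7fELF-placeholder-native-payload"
PAYLOAD_ASSET = b"encrypted-shadow-app-placeholder"

ORIGINAL = {
    "META-INF/CERT.RSA": b"signature-of-repackager-A",
    "AndroidManifest.xml": b"<manifest package='com.example.gameA'/>",
    "classes.dex": b"dex\n035\0 host-A-classes + injected-payload-classes",
    "res/drawable/icon.png": b"\x89PNG...A",
    "lib/armeabi/libnative.so": PAYLOAD_SO,
    "assets/myicon": PAYLOAD_ASSET,
}
REPACKAGED = {  # same payload injected into a different host app and re-signed
    "META-INF/CERT.RSA": b"signature-of-repackager-B",
    "AndroidManifest.xml": b"<manifest package='com.example.toolB'/>",
    "classes.dex": b"dex\n035\0 host-B-classes + injected-payload-classes",
    "res/drawable/icon.png": b"\x89PNG...B",
    "lib/armeabi/libnative.so": PAYLOAD_SO,
    "assets/myicon": PAYLOAD_ASSET,
}
BENIGN = {
    "META-INF/CERT.RSA": b"signature-of-vendor-C",
    "AndroidManifest.xml": b"<manifest package='com.example.notes'/>",
    "classes.dex": b"dex\n035\0 ordinary-app-classes",
    "assets/help.txt": b"How to use this app",
}

if __name__ == "__main__":
    db = build_signature_db([ORIGINAL])
    for label, sample in [("original", ORIGINAL), ("repackaged", REPACKAGED), ("benign", BENIGN)]:
        print(f"{label:10s} hash={file_hash(sample)[:12]}... -> {classify(sample, db)}")
```

Against a DB seeded with the first sample only, the second host app (same payload, new signing certificate, new resources, new host code) misses on the file hash and is caught only by the payload fingerprint. That is the gap behind the slide's "Very!": a signature tied to the whole file is invalidated by every repackaging, while one tied to what the malware actually carries is not.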

The AVS race
- Interesting report from Imperva: http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antivirus_Solutions.pdf
- Unknown malware samples were submitted to AVS
- The goal is to evaluate how effective AVS solutions are
- The results are really scary

Imperva Study Results
- Less than 5% of the malware samples were detected
- Most AVS cannot keep up with the fast-changing landscape of malware families
- AVS require up to 4 weeks to detect new malware
- The best of the breed: the free ones! Although they had a very high false positive rate
- Consumers spend $4.5 billion while enterprises spend $2.9 billion: 1/3 of the total money spent on security software

Imperva Study Results
- It might be best to spend some resources on other types of software that are not AVS
- For AVS, better to use the free ones
- Note: this study is for PC malware
- Does it apply to Android malware? We will know very soon ;-)

Questions?