1
DroidKungFu and AnserverBot
Android Malware Characterisation part II
2
Analysis of Two Malware Families
DroidKungFu and AnserverBot represent the most recent incarnation of Android malware engineering.
Since they first appeared, several improvements have been coded into them to increase their stealthiness.
3
DroidKungFu
There are 6 different known variants of DroidKungFu.
They appeared within a period of 6 months; there are probably many more by now.
They contain: root exploits, C&C server communication, shadow payloads, code obfuscation.
4
DroidKungFu – Root Exploits
4 variants contain root exploits.
DroidKungFu is the first Android malware family to ship its root exploits encrypted.
The exploits are stored as assets so that they look like normal data files.
Initially the asset name was ratc (RageAgainstTheCage, the adbd RLIMIT_NPROC exploit); it was later changed to myicon.
5
DroidKungFu – C&C Comm
All the variants communicate with C&C servers.
To evade detection, the C&C servers' addresses and the way they are stored keep changing:
DroidKungFu1 keeps the address as a plaintext string in one of its Java classes.
DroidKungFu2 moves the address into native code, still in plaintext.
DroidKungFu3 and DroidKungFu4 store the addresses encrypted (in Java classes and in native code).
6
DroidKungFu – Shadow Payload
If the root exploit succeeds, a second ("shadow") app is installed silently; the user is not aware of it.
The shadow app contains the same code as the malicious payload embedded in the repackaged host app.
So if the user removes the host app, the shadow app remains and the infection persists.
Later variants store the shadow app encrypted to evade detection, and it shows no launcher icon.
7
DroidKungFu – Code Obfuscation
Extensive use of encryption for constant strings, C&C servers' addresses, the native payload and the shadow app.
The encryption keys change very often between variants.
Extensive use of code obfuscation.
Native code and JNI are used to make code analysis more difficult.
DroidKungFuUpdate uses the update attack: the app published on the market carries no payload and downloads it later as an "update", so static analysis of the market copy finds nothing.
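The indicators described on the last three slides (an encrypted exploit hidden under a data-file asset name, C&C addresses kept in plaintext inside classes.dex or a native library, an encrypted shadow payload) can all be checked statically. The script below is an added example for these slides, not code from the deck and not the malware's own code. It builds a constructed APK-like zip in memory (the hostnames and file contents are hypothetical), flags assets whose names match the two names given on the slides, flags assets with near-8-bit entropy that carry no recognisable file magic, and greps classes.dex and lib/ for plaintext URLs. Encrypted addresses, as in DroidKungFu3 and DroidKungFu4, do not show up in the URL search; that is exactly the gap the later variants rely on, and the entropy check is what catches the blob instead.

```python
import io
import math
import re
import zipfile
from collections import Counter
from hashlib import sha256

# Asset names the slides give for DroidKungFu's encrypted root exploit.
# Assumption: an exact match is a strong indicator; real triage would use a
# larger curated list that is kept up to date.
KNOWN_EXPLOIT_ASSETS = {"ratc", "myicon"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; text and uncompressed data sit well below this
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_/:?=&%+]+")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for encrypted or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Static triage of an APK (a zip): suspicious assets and plaintext C&C URLs."""
    findings = {"exploit_named_assets": [], "high_entropy_assets": [], "plaintext_urls": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            data = zf.read(name)
            if name.startswith("assets/"):
                if name.rsplit("/", 1)[-1] in KNOWN_EXPLOIT_ASSETS:
                    findings["exploit_named_assets"].append(name)
                # No PNG/ZIP/ELF magic but near-8-bit entropy: probably an encrypted blob
                # (an encrypted exploit or an encrypted shadow app).
                if shannon_entropy(data) > ENTROPY_THRESHOLD and not data.startswith(
                    (b"\x89PNG", b"PK\x03\x04", b"\x7fELF")
                ):
                    findings["high_entropy_assets"].append(name)
            # DEX stores strings as (M)UTF-8 and ELF keeps C strings in .rodata, so an
            # unencrypted C&C address in either survives a raw byte search.
            if name == "classes.dex" or name.startswith("lib/"):
                urls = sorted({m.decode("ascii", "replace") for m in URL_RE.findall(data)})
                if urls:
                    findings["plaintext_urls"][name] = urls
    return findings


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for an encrypted payload (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal zip laid out like a repackaged DroidKungFu APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        # Hypothetical C&C hosts; the real addresses are deliberately not reproduced.
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64 + b"http://cc.example.invalid/cmd\0")
        zf.writestr("lib/armeabi/libnative.so", b"\x7fELF" + b"\0" * 32 + b"http://cc2.example.invalid/\0")
        zf.writestr("assets/readme.txt", b"This application is a free wallpaper app.\n" * 20)
        zf.writestr("assets/myicon", pseudo_random_bytes(b"encrypted exploit", 4096))
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

Run against a real APK by passing the file's bytes to `triage_apk`. The entropy threshold is a heuristic: compressed images and zips also score near 8 bits, which is why entries with a known container magic are excluded, and an attacker can defeat the check by padding or lightly encoding the payload, so treat a hit as a reason to look, not as a verdict.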
8
AnserverBot
One of the most advanced Android malware families at the time of writing.
It uses evasion techniques not used before by any other Android malware.
It was discovered in repackaged apps available in Chinese app markets.
It appears to be an evolution of the BaseBridge malware family.
9
AnserverBot – Anti Analysis
It uses the repackaging attack.
However, when installed it checks whether the hosting app has been tampered with: it verifies the app's signature and only then unfolds its payload, so a copy that an analyst modifies and re-signs does not detonate.
It extensively uses code obfuscation to make the code unreadable by humans.
The payload is split across three different apps: the host app plus two shadow apps.
10
AnserverBot – Anti Analysis
The shadow apps share the same package name: com.sec.android.touchScreen.server.
One shadow app is loaded through the update attack.
The other shadow app is loaded at runtime through Dalvik's dynamic class loading (DexClassLoader); it is never installed as an app.
In this way AnserverBot is able to load any code retrieved from the C&C server.
11
AnserverBot – AV Detection
This malware is very aggressive.
It tries to detect whether AV software is installed on the device: it contains the encrypted names of security apps such as LBE and 360 MobileSafe.
If one is installed, the malware calls the restartPackage method (ActivityManager.restartPackage) to stop the AV and then displays an error message.
12
AnserverBot – C&C Comm
AnserverBot supports two types of C&C servers.
One type is used for sending commands; the second one is used for retrieving encrypted payloads.
To reach the second one, it uses an encrypted entry posted on public blog providers (e.g. Sina and Baidu).
This entry contains the (encrypted) address of the second C&C server.
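Putting the AnserverBot traits from slides 9 to 12 into one static check: the Python below is an added example, not code from the deck and not the malware's own code. It parses the string table of a classes.dex straight from the DEX header (string_ids_size/string_ids_off at 0x38, ULEB128 length prefix, NUL-terminated MUTF-8 data), then looks for the Dalvik descriptors of the APIs the slides describe (Signature for the tamper check, DexClassLoader for dynamic loading, restartPackage for killing the AV), the shadow package name, and the blog providers used to bootstrap the second C&C server. The two AV package names and the blog URL are my assumptions; in the real sample the AV names are stored encrypted, so on an unmodified APK only the API-level indicators fire. The minimal DEX is constructed inside the script so it runs offline, and the parser works unchanged on a real classes.dex.

```python
import struct

# Strings the slides attribute to AnserverBot plus the Dalvik descriptors of the APIs
# involved. The AV package names are my assumption (LBE Privacy Guard, 360 MobileSafe);
# the real sample keeps them encrypted, so a plaintext scan only hits the API indicators.
INDICATORS = {
    "signature_tamper_check": ("Landroid/content/pm/Signature;", "getPackageInfo"),
    "dynamic_code_loading": ("Ldalvik/system/DexClassLoader;",),
    "kills_security_apps": ("restartPackage",),
    "known_av_targets": ("com.lbe.security", "com.qihoo360.mobilesafe"),
    "shadow_package_name": ("com.sec.android.touchScreen.server",),
    "blog_hosted_c2_config": ("sina.com", "baidu.com"),
}


def _read_uleb128(buf: bytes, pos: int) -> tuple:
    """Decode a ULEB128 integer at buf[pos]; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def parse_dex_strings(dex: bytes) -> list:
    """Walk the string_ids table of a DEX file and return every string_data_item."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)  # string_ids_size, string_ids_off
    strings = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_units, pos = _read_uleb128(dex, data_off)  # length prefix counts UTF-16 units
        end = dex.index(b"\0", pos)  # MUTF-8 payload is NUL-terminated
        # MUTF-8 equals UTF-8 except for U+0000 and supplementary characters,
        # which do not occur in the identifiers and URLs we care about.
        strings.append(dex[pos:end].decode("utf-8", "replace"))
    return strings


def match_indicators(strings) -> dict:
    """Map each indicator family to the strings that triggered it."""
    hits = {}
    for family, needles in INDICATORS.items():
        found = [s for s in strings if any(n in s for n in needles)]
        if found:
            hits[family] = found
    return hits


def assess(dex: bytes) -> dict:
    hits = match_indicators(parse_dex_strings(dex))
    # Heuristic threshold (my choice): two or more families together is the
    # combination the slides describe; any single one also occurs in clean apps.
    return {"indicators": hits, "suspicious": len(hits) >= 2}


# --- constructed sample: a minimal DEX-035 file holding only a string table ---------
def _uleb128(value: int) -> bytes:
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def build_minimal_dex(strings) -> bytes:
    """Header + string_ids + string_data and nothing else: enough for parse_dex_strings."""
    n = len(strings)
    ids_off, data_off = 0x70, 0x70 + 4 * n
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += _uleb128(len(s.encode("utf-16-le")) // 2) + s.encode("utf-8") + b"\0"
    header = bytearray(0x70)
    header[:8] = b"dex\n035\0"
    struct.pack_into("<I", header, 0x20, 0x70 + len(ids) + len(data))  # file_size
    struct.pack_into("<I", header, 0x24, 0x70)  # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)  # endian_tag
    struct.pack_into("<II", header, 0x38, n, ids_off)  # string_ids_size, string_ids_off
    struct.pack_into("<II", header, 0x68, len(data), data_off)  # data_size, data_off
    return bytes(header + ids + data)


# Hypothetical string table of an AnserverBot-style classes.dex (the blog URL is made up).
SAMPLE_STRINGS = [
    "Landroid/content/pm/Signature;", "getPackageInfo",
    "Ldalvik/system/DexClassLoader;", "restartPackage",
    "com.sec.android.touchScreen.server", "http://blog.sina.com.cn/u/example",
    "Ljava/lang/Object;", "onCreate",
]

if __name__ == "__main__":
    print(assess(build_minimal_dex(SAMPLE_STRINGS)))
```

On a real APK, unzip classes.dex and pass its bytes to `assess`. The string table is the cheapest place to start because every class descriptor, method name and literal an app references lands there, and it does not require resolving the method_ids or class_defs tables; an obfuscated sample that encrypts its literals still has to name `Ldalvik/system/DexClassLoader;` in its own descriptors to call it.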
13
The AVS race
Given the rapid evolution of malware, AV software is lagging behind.
Mainly, AVS uses a signature-based approach: it relies on the content of its signature DB, and an app whose signature is not in the DB is treated as clean.
How easy is it to change the signature of an app? Very!
14
The AVS race
Interesting report from Imperva: previously unknown malware samples were submitted to AVS products to evaluate how effective the AVS solutions are.
The results are really scary.
15
Imperva Study Results
Less than 5% of the malware samples were detected.
Most of the AVS cannot keep up with the fast-changing landscape of malware families.
AVS requires up to 4 weeks to detect a new malware.
The best of the breed: the free ones! Although they had a very high false positive rate.
Consumers spend $4.5 billion and enterprises $2.9 billion on AVS, 1/3 of the total money spent on security software.
16
Imperva Study Results
It might be best to spend some resources on other types of software than AVS.
For AVS it is better to use free ones.
Note: this study is for PC malware. Does it apply to Android malware? We will know very soon ;-)
17
Questions?