Malware Detection Methods For Fixed And Mobile Networks

Transcription

Malware detection methods for fixed and mobile networks
Gavin McWilliams
g.mcwilliams@qub.ac.uk
January 2013

Academic Centre of Excellence in Cyber Security Research

Presentation Outline
Malware detection methods for fixed and mobile networks
1. Android Malware Detection: machine learning approach using automated static code analysis
2. Zeus Botnet Detection: realtime network traffic & content analysis
3. Questions & Answers

Background/Motivation
- The Android mobile platform is becoming more popular, with an estimated 675,000 apps in Google's official Android Market and downloads in excess of 25 billion.
- As the popularity of Android grows, so does malware targeting the platform, primarily spread via:
  - Repackaged apps to piggyback a payload
  - Update attacks
  - Drive-by downloads
- Growing sophistication to circumvent detection by mobile antivirus software (a recent study reveals 79.6 % best case to 20.2 % worst case detection).

Figure: Cumulative growth of collected Android mobile malware samples. Two major outbreaks, AnserverBot (starting Sept. 2011) and DroidKungFu (starting June 2011), are highlighted. Both are still actively evolving to evade detection from existing anti-virus software.

Background/Motivation
- Android malware remains undetected for up to three months.
- Google's Bouncer, introduced in Feb. 2011, uses dynamic analysis and can be circumvented.
- Several third party Android marketplaces exist, most without app scrutiny.
- The above motivates our machine learning based approach using static analysis. Main advantages:
  - Malware cannot modify its behaviour during analysis
  - Proactive and fast
  - Flexible and easily automated
  - Can complement signature-based and/or dynamic methods for unknown malware

Machine Learning Model
- Our approach uses Bayesian classification models obtained from automated static analysis of Android packages.
- Models are built from a collection of app and code characteristics that provide indicators of potential malicious activity.
- The models are evaluated with 1000 real malware samples from 49 existing families including DroidKungFu, AnserverBot, Plankton, Pjapps, DroidDream, Geinimi etc.
- Malware samples are from both official and alternative Android markets.

Android app reverse engineering
- Android applications are written in Java and packaged along with data and resource files into a single compressed .apk package. The package contains:
  - Manifest (where permissions and components are declared)
  - Dalvik executable file (single .dex file with the complete Dalvik bytecode)
  - /assets and /res folders to hold binary and XML-based resources, libraries etc.
- A Java-based apk analyzer reverse engineers these files and applies 'property detectors' to extract features for training the machine learning model.

Android package analyzer
Functional steps of the custom built Android package analyzer:
1. Extract from .apk files into folders
2. Convert the binary Manifest.xml to readable manifest.xml.clean
3. Disassemble each classes.dex file to its constituent .smali files
4. Mine manifest.xml.clean files to extract features
5. Mine .smali files to extract features
6. Build profile(s)

App Property Detectors
The property detectors include:
- API call detectors: used to detect use of APIs, e.g. TelephonyManager APIs for accessing the IMSI and IMEI, sending/receiving SMS, listing/installing other packages etc.
- Command detectors: used to detect references to system commands, e.g. 'chmod', 'mount', '/system/bin/su', 'chown', etc.
- Permission detectors: used to detect permissions requested at runtime as declared in the Manifest file.
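The three detector classes above, as an added example (not the project's own analyzer code): regex property detectors run over a constructed manifest.xml.clean and .smali fragment, producing the 0/1 feature profile that the later stages consume. The sample files, detector names and patterns are assumptions chosen to mirror the features named on these slides.

```python
import re
# Constructed sample of a decoded manifest.xml.clean and one .smali fragment
# (not taken from any real app); the analyzer mines files like these.
MANIFEST = """<manifest package="com.example.sample">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <receiver android:name=".Boot"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
  </intent-filter></receiver>
</manifest>"""
SMALI = """.method private collect()V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    const-string v1, "chmod 755 /data/data/com.example.sample/files/update.apk"
    invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
    invoke-virtual {v2, v1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
.end method"""

# Property detectors: feature name -> pattern matched against the manifest or smali code.
API_DETECTORS = {
    "getSubscriberId": r"TelephonyManager;->getSubscriberId\(",
    "getDeviceId": r"TelephonyManager;->getDeviceId\(",
    "Runtime.exec": r"Runtime;->exec\(",
    "DexClassLoader": r"Ldalvik/system/DexClassLoader;",
    "abortBroadcast": r"->abortBroadcast\(",
}
COMMAND_DETECTORS = {
    "chmod": r'const-string [vp]\d+, "[^"]*\bchmod\b',
    "mount": r'const-string [vp]\d+, "[^"]*\bmount\b',
    "su": r'const-string [vp]\d+, "[^"]*/system/bin/su\b',
    ".apk (secondary payload)": r'const-string [vp]\d+, "[^"]*\.apk"',
}
MANIFEST_DETECTORS = {
    "BOOT_COMPLETED": r"android\.intent\.action\.BOOT_COMPLETED",
    "SEND_SMS": r"android\.permission\.SEND_SMS",
    "READ_PHONE_STATE": r"android\.permission\.READ_PHONE_STATE",
}

def run_detectors(detectors, text):
    # One binary feature per detector: 1 if its pattern occurs anywhere in text.
    return {name: int(re.search(pat, text) is not None) for name, pat in detectors.items()}

def build_profile(manifest, smali_files):
    # Merge hits over all .smali files and the manifest into one app profile.
    smali = "\n".join(smali_files)
    profile = run_detectors(API_DETECTORS, smali)
    profile.update(run_detectors(COMMAND_DETECTORS, smali))
    profile.update(run_detectors(MANIFEST_DETECTORS, manifest))
    return profile
```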

Feature ranking and selection
- Thus, 58 different feature attributes (excluding permissions) are defined as matching criteria for the property detectors.
- These criteria are derived from attributes commonly used by security analysts to detect suspicious activity manually.
- A feature ranking and selection function ranks these according to relevance using a Mutual Information calculation:

Top 25 Ranked Features
Top 25 MI ranked features based on a corpus of 1000 malware and 1000 benign apps:
- getSubscriberId (TelephonyManager)
- getDeviceId (TelephonyManager)
- getSimSerialNumber (TelephonyManager)
- .apk (secondary payload)
- intent.action.BOOT_COMPLETED
- chmod (system command)
- Runtime.exec() (executing process)
- abortBroadcast (intercepting broadcast notifications)
- getLine1Number (TelephonyManager)
- Process (creating child process)
- getSimOperator (TelephonyManager)
- remount (system command)
- DexClassLoader (stealthily loading a class)
- pm install (installing additional packages)
- getCallState (TelephonyManager)
- chown (system command)
- .jar (secondary payload)
- mount (system command)
- KeySpec (code …)
- …ator (TelephonyManager)
- SecretKey (code …)

Experimental Scenario
- With feature vectors built from the top 25 MI-ranked features, the Bayesian classifier model is trained to classify apps into 'benign' or 'suspicious'.
- The model is evaluated using an N-fold validation technique, varying the number of features and the number of training samples.
- True positive rate, true negative rate, accuracy, error rate, false positive rate etc. are determined.
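The feature ranking step and this experimental scenario together, as an added example (not the authors' code): a corpus of binary property-detector profiles is constructed, features are ranked by mutual information with the label, and a Bernoulli naive Bayes classifier is evaluated by N-fold validation, reporting the rates the slide names. The feature names come from the slides; the per-class hit rates, the corpus size and the classifier details are assumptions made for the demonstration.

```python
import math, random
from collections import Counter

# Property-detector names from the slides' ranked list; each app records 0/1 hits.
FEATURES = ["getSubscriberId", "getDeviceId", "chmod", "Runtime.exec", "DexClassLoader", "SecretKey"]
# Constructed per-class hit rates (assumed, not measured) used to build a sample corpus.
HIT_RATE = {1: [0.8, 0.7, 0.6, 0.6, 0.5, 0.3], 0: [0.1, 0.3, 0.05, 0.1, 0.05, 0.25]}

def make_corpus(n, seed=1):  # n (profile, label) pairs; label 1 = malware, 0 = benign
    rng = random.Random(seed)
    return [({f: int(rng.random() < p) for f, p in zip(FEATURES, HIT_RATE[i % 2])}, i % 2)
            for i in range(n)]

def mutual_information(apps, f):  # MI in bits between binary feature f and the label
    n = len(apps)
    joint = Counter((a[f], y) for a, y in apps)
    px, py = Counter(a[f] for a, _ in apps), Counter(y for _, y in apps)
    return sum(c / n * math.log2(c * n / (px[x] * py[y])) for (x, y), c in joint.items())

def rank_features(apps):  # detectors ordered by decreasing relevance to the label
    return sorted(FEATURES, key=lambda f: mutual_information(apps, f), reverse=True)

def train_bayes(apps, feats):
    # Bernoulli naive Bayes with Laplace smoothing: class priors and P(hit | class).
    prior, cond = {}, {}
    for y in (0, 1):
        rows = [a for a, l in apps if l == y]
        prior[y] = len(rows) / len(apps)
        cond[y] = {f: (sum(a[f] for a in rows) + 1) / (len(rows) + 2) for f in feats}
    return prior, cond

def classify(model, app):  # 1 = 'suspicious', 0 = 'benign' by maximum log posterior
    prior, cond = model
    score = {y: math.log(prior[y]) + sum(math.log(cond[y][f] if app[f] else 1 - cond[y][f])
                                         for f in cond[y]) for y in (0, 1)}
    return max(score, key=score.get)

def n_fold(apps, k, n_feats):
    # k-fold validation; features are ranked and selected on the training folds only.
    tp = tn = fp = fn = 0
    for i in range(k):
        train = [x for j, x in enumerate(apps) if j % k != i]
        model = train_bayes(train, rank_features(train)[:n_feats])
        for a, y in apps[i::k]:
            p = classify(model, a)
            tp, tn = tp + (p and y), tn + (not p and not y)
            fp, fn = fp + (p and not y), fn + (not p and y)
    return {"tpr": tp / (tp + fn), "tnr": tn / (tn + fp),
            "accuracy": (tp + tn) / len(apps), "fpr": fp / (fp + tn)}
```

Ranking inside each fold, rather than once on the whole corpus, keeps the held-out fold from leaking into feature selection.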

Classification
Figure: Error and accuracy based on Bayesian classification, plotted against the number of features (5f, 10f, 15f, 20f).

Conclusions / Summary
- Android malware is growing in scale and complexity.
- Static analysis coupled with machine learning is an effective tool for filtering apps to detect unknown Android malware.
- Based on experiments with real malware samples, a 90% detection rate is obtainable with low false positives using Bayesian classification.
- Higher detection rates are possible with the ML static analysis method.
- A viable approach for filtering the large number of apps added to the Android market on a daily basis (estimated 1200 daily).

ZeuS (aka Zbot)
- Trojan first observed in mid 2007
- HTTP as command and control mechanism
- Targets mostly financial institutions (banks!)
- Spreads by drive-by-download and phishing attacks
- Polymorphic: signature-based detection difficult
- Suicide-trojan: able to self-destruct
- Activity increased by 130% between 2009 and 2010 (www.eset.com)

ZeuS (aka Zbot)
- Recently merged with SpyEye, dubbed the ZeuS killer!
- Ice IX botnet based on ZeuS' older source code
- January 2012: 'Gameover' malware traced to the maker of ZeuS
  - More distributed C&C (P2P)
  - Launches DDoS attacks against targets (e.g., bank, financial institution) immediately after stealing money
  - Diversion: while the target deals with the attack, criminals launder money (e.g., by purchasing jewelry)
Source: ComputerWorld.com

Experimental Setup

Detectable features in ZeuS traffic
- Double POST requests then response: GET, 200 OK, POST, POST, 200 OK, 200 OK
- Mismatched advertised content-type: Content-type: text/html, actual content garbage (encrypted/obfuscated)
- Configuration file signature

Detectable features in ZeuS traffic
- Periodicity 1
  - GET requests every 3600s (default)
  - POST requests every 1200s (default)
- Periodicity 2: Windows XP SP2
- Packet size
  - GET/POST request sizes stay constant within a host
  - Pattern observed: x, x-1, x-1, x-1, x-1 (XP SP2); x, x-1, x-1 (XP SP3)
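The traffic features from the two slides above (double POST, advertised text/html carrying opaque bytes, 3600s/1200s periodicity and the constant or x, x-1, x-1 request-size pattern), turned into per-client detection logic as an added example that is not the authors' system. It runs over a constructed transaction log; the field layout, the 5% timing tolerance and the printable-byte threshold are assumptions, and the configuration-file signature check is not modelled.

```python
from collections import defaultdict
# Constructed client HTTP transaction log (not a real capture). Each entry is
# (time_s, client, method, request_bytes, response_content_type, response_body).
LOG = [
    (0,    "10.0.0.5", "GET",  412, "text/html", b"<html><body>ok</body></html>"),
    (12,   "10.0.0.5", "POST", 900, "text/html", b"\x9f\x02\xd1\x77\xee\x81\x0b\xc4"),
    (13,   "10.0.0.5", "POST", 899, "text/html", b"\x4a\xf0\x9c\x01\xbb\x3d\x88\x19"),
    (1212, "10.0.0.5", "POST", 899, "text/html", b"\x11\xe7\x55\xc0\xa8\x9d\xe2\x07"),
    (2412, "10.0.0.5", "POST", 899, "text/html", b"\x8e\x23\x7a\xfd\x10\x66\x93\xaa"),
    (3600, "10.0.0.5", "GET",  412, "text/html", b"<html><body>ok</body></html>"),
    (7200, "10.0.0.5", "GET",  412, "text/html", b"<html><body>ok</body></html>"),
    (5,    "10.0.0.9", "GET",  300, "text/html", b"<!DOCTYPE html><p>hello</p>"),
    (40,   "10.0.0.9", "POST", 512, "application/json", b'{"status": "ok"}'),
]

def looks_like_text(body, min_printable=0.9):  # text/* bodies should be mostly printable
    printable = sum(32 <= b < 127 or b in b"\t\r\n" for b in body)
    return not body or printable / len(body) >= min_printable

def content_type_mismatch(records):
    # Indicator: server advertises text/html but returns opaque (encrypted) bytes.
    return any(ct.startswith("text/") and not looks_like_text(body)
               for _, _, _, _, ct, body in records)

def double_post(records):  # two consecutive POSTs from one client within a few seconds
    seq = [(t, m) for t, _, m, _, _, _ in records]
    return any(m1 == m2 == "POST" and t2 - t1 <= 5
               for (t1, m1), (t2, m2) in zip(seq, seq[1:]))

def periodic(times, period, tolerance=0.05):
    # Indicator: at least two request gaps within 5% of the default ZeuS interval.
    gaps = [b - a for a, b in zip(times, times[1:])]
    return sum(abs(g - period) <= tolerance * period for g in gaps) >= 2

def size_pattern(sizes):  # constant, or x followed by a run of x-1 (XP SP2 pattern)
    return len(sizes) >= 3 and (len(set(sizes)) == 1 or all(s == sizes[0] - 1 for s in sizes[1:]))

def score_hosts(log):
    # Group by client and evaluate every indicator; returns (hit count, hits) per client.
    by_host = defaultdict(list)
    for rec in sorted(log): by_host[rec[1]].append(rec)
    report = {}
    for host, recs in by_host.items():
        posts, gets = [r for r in recs if r[2] == "POST"], [r for r in recs if r[2] == "GET"]
        hits = {"ctype_mismatch": content_type_mismatch(recs), "double_post": double_post(recs),
                "post_period_1200": periodic([r[0] for r in posts], 1200),
                "get_period_3600": periodic([r[0] for r in gets], 3600),
                "post_size_pattern": size_pattern([r[3] for r in posts])}
        report[host] = (sum(hits.values()), hits)
    return report
```

Any single indicator fires on benign traffic too (many servers mislabel content), so a practical threshold combines several hits per client before raising an alert.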

Current Work

Gavin McWilliams, Engineering Manager, g.mcwilliams@qub.ac.uk
Stephen Wray, Commercial Director, s.wray@ecit.qub.ac.uk
