An OpenBTS GSM Replication Jail for Mobile Malware - Virus Bulletin

An OpenBTS GSM Replication Jail for

Mobile Malware

Axelle Apvrille

Virus Bulletin Conference, October 2011

Malware Jail

Thou Shalt Not Spread (Nor Leak)

VirusBulletin Conference 2011 - A. Apvrille 2/11

Malware Jail

Jail 1. Remove SIM/ O�ine/ Flight mode

I Secure... probably

I Behaviour: changed!

Malware Name Online O�ine

SymbOS/Album Sends 2 SMS -SymbOS/Acallno Trojan spyware Can't be activatedSymbOS/Feixiang Sends 2 SMS Sends 1 SMSJava/Konov, SymbOS/-ZoomSms

Sends SMS System lag

Jail 2. Use an emulator

I Good Android emulator, butother OS?

I Same behaviour change problem

I Hardware exploits/ VMdetection

Jail 3. Faraday cage

Courtesy of J. Danielshttp://www.jeddaniels.

com/2007/

faraday-cage-part-1/

Not that easy to build...

I How to see the screen?

I Access to keyboard?

Large Faraday cages

Expensive + Weight

com/2007/

Large Faraday cages

Expensive + Weight

com/2007/

Large Faraday cages

Expensive + Weight

com/2007/

Large Faraday cages

Expensive + Weight

Build your own operator network!

What's OpenBTS?

OpenBTS

I Open source project

I Local GSM operator = USRP + accurate clock + hostrunning OpenBTS / Asterix

I No GPRS, EDGE, UMTS...

OpenBTS is a registered trademark of Range Networks, Inc.

And nanoBTS-OpenBSC?

Good (perhaps better?)... but 6 times more expensive

Jail Architecture

Video: Using an OpenBTS Jail for Malware Analysis

What the analyst sees...

Part 1. ... when the phone is o�inePart 2. ... with an OpenBTS-based jail

Results

Blue: o�ine, Red: with GSM jail, Yellow: +GPRS jail.Full results: see paper.

Main Advantages

I Behaviour similar to realconditions

I See SMS contents and details

I No leak to real networks

I Low cost

Limitations

I Sample requires a WCDMAbearer

I MMS not handled

I Dynamic analysis limitations

Thank You !

Follow us on http://blog.fortinet.com

or twitter: @FortiGuardLabs

Axelle Apvrille

aka Crypto Girl

/mobile malware reverse engineering/aapvrille@fortinet.com

Slides edited with LOBSTER

An OpenBTS GSM Replication Jail for Mobile Malware - Virus Bulletin

Documents

Openbts animal farm david a burgess germany

Open Source Mobile Network Using OpenBTS and USRP 9

JilL IISPECtlOI BISICS JAIL INSPECtiON BASICS JAIL

Manual de instalación de OpenBTS Versión 0.2

OpenBTS for dummies - v0 - Freewikisec.free.fr/papers/fordummies.pdf · OpenBTS for dummies - v0.5 Axelle Apvrille, Fortinet aapvrille@fortinet.com April 19, 2011 Abstract This document

Linux OpenBTS how to

GSM Network using OpenBTS - IIT School of Applied · PDF filertorresg@hawk.iit.edu Project Report 1 GSM Network using OpenBTS Ramon Torres Gomez ... This picture represents a basic

OpenBTS Installation and Configuration Guide v0

Manual de uso e instalación de OpenBTS

29c3 OpenBTS workshop - Hardware and sotware

0 4 OpenBTS for Dummies

Malware & Anti-Malware

Cеминар по OpenBTS №2 - Архитектура OpenBTS

Jail Crowding: Understanding Jail Population Dynamics

Adding Support for Authentication and Encryption to Openbts

[eBook] OpenBTS Guide

Openbts For Dummies

Dagah User Manual 1.1.4 Installation Click on the .ova ... · OpenBTS Dagah can attach to an OpenBTS based system to simulate a rogue cell tower. The OpenBTS system needs to have

OpenBTS Guide

Cеминар по OpenBTS №1 - Введение в GSM