• Home

  • Documents

  • An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication...
26

An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

  • Upload
    others

  • View
    7

  • Download
    0

Embed Size (px)

Citation preview

Page 1: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

An OpenBTS GSM Replication Jail for

Mobile Malware

Axelle Apvrille

Virus Bulletin Conference, October 2011

Page 2: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Malware Jail

Thou Shalt Not Spread (Nor Leak)

VirusBulletin Conference 2011 - A. Apvrille 2/11

Page 3: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Malware Jail

Thou Shalt Not Spread (Nor Leak)

VirusBulletin Conference 2011 - A. Apvrille 2/11

Page 4: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Malware Jail

Thou Shalt Not Spread (Nor Leak)

VirusBulletin Conference 2011 - A. Apvrille 2/11

Page 5: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Malware Jail

Thou Shalt Not Spread (Nor Leak)

VirusBulletin Conference 2011 - A. Apvrille 2/11

Page 6: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Malware Jail

Thou Shalt Not Spread (Nor Leak)

VirusBulletin Conference 2011 - A. Apvrille 2/11

Page 7: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Malware Jail

Thou Shalt Not Spread (Nor Leak)

VirusBulletin Conference 2011 - A. Apvrille 2/11

Page 8: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Malware Jail

Thou Shalt Not Spread (Nor Leak)

VirusBulletin Conference 2011 - A. Apvrille 2/11

Page 9: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Malware Jail

Thou Shalt Not Spread (Nor Leak)

VirusBulletin Conference 2011 - A. Apvrille 2/11

Page 10: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Malware Jail

Thou Shalt Not Spread (Nor Leak)

VirusBulletin Conference 2011 - A. Apvrille 2/11

Page 11: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Jail 1. Remove SIM/ O�ine/ Flight mode

I Secure... probably

I Behaviour: changed!

Malware Name Online O�ine

SymbOS/Album Sends 2 SMS -SymbOS/Acallno Trojan spyware Can't be activatedSymbOS/Feixiang Sends 2 SMS Sends 1 SMSJava/Konov, SymbOS/-ZoomSms

Sends SMS System lag

VirusBulletin Conference 2011 - A. Apvrille 3/11

Page 12: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Jail 2. Use an emulator

I Good Android emulator, butother OS?

I Same behaviour change problem

I Hardware exploits/ VMdetection

VirusBulletin Conference 2011 - A. Apvrille 4/11

Page 13: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Jail 3. Faraday cage

Courtesy of J. Danielshttp://www.jeddaniels.

com/2007/

faraday-cage-part-1/

Not that easy to build...

I How to see the screen?

I Access to keyboard?

Large Faraday cages

Expensive + Weight

VirusBulletin Conference 2011 - A. Apvrille 5/11

http://www.jeddaniels.com/2007/faraday-cage-part-1/
http://www.jeddaniels.com/2007/faraday-cage-part-1/
http://www.jeddaniels.com/2007/faraday-cage-part-1/
Page 14: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Jail 3. Faraday cage

Courtesy of J. Danielshttp://www.jeddaniels.

com/2007/

faraday-cage-part-1/

Not that easy to build...

I How to see the screen?

I Access to keyboard?

Large Faraday cages

Expensive + Weight

VirusBulletin Conference 2011 - A. Apvrille 5/11

http://www.jeddaniels.com/2007/faraday-cage-part-1/
http://www.jeddaniels.com/2007/faraday-cage-part-1/
http://www.jeddaniels.com/2007/faraday-cage-part-1/
Page 15: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Jail 3. Faraday cage

Courtesy of J. Danielshttp://www.jeddaniels.

com/2007/

faraday-cage-part-1/

Not that easy to build...

I How to see the screen?

I Access to keyboard?

Large Faraday cages

Expensive + Weight

VirusBulletin Conference 2011 - A. Apvrille 5/11

http://www.jeddaniels.com/2007/faraday-cage-part-1/
http://www.jeddaniels.com/2007/faraday-cage-part-1/
http://www.jeddaniels.com/2007/faraday-cage-part-1/
Page 16: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Jail 3. Faraday cage

Courtesy of J. Danielshttp://www.jeddaniels.

com/2007/

faraday-cage-part-1/

Not that easy to build...

I How to see the screen?

I Access to keyboard?

Large Faraday cages

Expensive + Weight

VirusBulletin Conference 2011 - A. Apvrille 5/11

http://www.jeddaniels.com/2007/faraday-cage-part-1/
http://www.jeddaniels.com/2007/faraday-cage-part-1/
http://www.jeddaniels.com/2007/faraday-cage-part-1/
Page 17: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Build your own operator network!

VirusBulletin Conference 2011 - A. Apvrille 6/11

Page 18: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Build your own operator network!

VirusBulletin Conference 2011 - A. Apvrille 6/11

Page 19: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Build your own operator network!

VirusBulletin Conference 2011 - A. Apvrille 6/11

Page 20: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Build your own operator network!

VirusBulletin Conference 2011 - A. Apvrille 6/11

Page 21: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Build your own operator network!

VirusBulletin Conference 2011 - A. Apvrille 6/11

Page 22: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

What's OpenBTS?

OpenBTS

I Open source project

I Local GSM operator = USRP + accurate clock + hostrunning OpenBTS / Asterix

I No GPRS, EDGE, UMTS...

OpenBTS is a registered trademark of Range Networks, Inc.

And nanoBTS-OpenBSC?

Good (perhaps better?)... but 6 times more expensive

VirusBulletin Conference 2011 - A. Apvrille 7/11

Page 23: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Jail Architecture

VirusBulletin Conference 2011 - A. Apvrille 8/11

Page 24: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Video: Using an OpenBTS Jail for Malware Analysis

What the analyst sees...

Part 1. ... when the phone is o�inePart 2. ... with an OpenBTS-based jail

VirusBulletin Conference 2011 - A. Apvrille 9/11

Page 25: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Results

Blue: o�ine, Red: with GSM jail, Yellow: +GPRS jail.Full results: see paper.

Main Advantages

I Behaviour similar to realconditions

I See SMS contents and details

I No leak to real networks

I Low cost

Limitations

I Sample requires a WCDMAbearer

I MMS not handled

I Dynamic analysis limitations

VirusBulletin Conference 2011 - A. Apvrille 10/11

Page 26: An OpenBTS GSM Replication Jail for Mobile Malware · 2011-10-12 · An OpenBTS GSM Replication Jail for Mobile Malware Axelle Apvrille Virus Bulletin Conference, October 2011

Thank You !

Follow us on http://blog.fortinet.com

or twitter: @FortiGuardLabs

Axelle Apvrille

aka Crypto Girl

/mobile malware reverse engineering/[email protected]

Slides edited with LOBSTER

VirusBulletin Conference 2011 - A. Apvrille 11/11

http://blog.fortinet.com
http://www.eurecom.fr/~apvrille/lobster.html

Yavapai County Jail District. Jail District Overview Jail District History –Formation of Jail District –¼ Cent Sales Tax –Camp Verde Jail Expansion

Yavapai County Jail District. Jail District Overview Jail District History –Formation of Jail District –¼ Cent Sales Tax –Camp Verde Jail Expansion

Documents
OpenBTS P2 - Wush · 3 The OpenBTS GSM Air Interface 17 2. CONTENTS 3 ... This document describes the organization and operation of the OpenBTS P2.8-series GSM access point software

OpenBTS P2 - Wush · 3 The OpenBTS GSM Air Interface 17 2. CONTENTS 3 ... This document describes the organization and operation of the OpenBTS P2.8-series GSM access point software

Documents
Cеминар по OpenBTS №1 - Введение в GSM

Cеминар по OpenBTS №1 - Введение в GSM

Technology
OpenBTS P2.8 Users' Manual Doc. Rev. 3 (OpenBTS)

OpenBTS P2.8 Users' Manual Doc. Rev. 3 (OpenBTS)

Documents
OpenBTS - Building Real Mobile Networks, Big or Small

OpenBTS - Building Real Mobile Networks, Big or Small

Technology
Open Source Mobile Network Using OpenBTS and USRP 9

Open Source Mobile Network Using OpenBTS and USRP 9

Documents
AN OPENBTS GSM REPLICATION JAIL FOR MOBILE MALWAREsource project named OpenBTS. The overall cost of the equipment is a little over US$1,000. We register our test lab phones to this

AN OPENBTS GSM REPLICATION JAIL FOR MOBILE MALWAREsource project named OpenBTS. The overall cost of the equipment is a little over US$1,000. We register our test lab phones to this

Documents
GSM Wireshark Capture over OpenBTS System · PDF fileGSM Wireshark Capture over OpenBTS System Cruz Tovar ... GSM phones. This report details how RTL-SDR ... The logical architecture

GSM Wireshark Capture over OpenBTS System · PDF fileGSM Wireshark Capture over OpenBTS System Cruz Tovar ... GSM phones. This report details how RTL-SDR ... The logical architecture

Documents
OpenBTS for dummies - v0 - Freewikisec.free.fr/papers/fordummies.pdf · OpenBTS for dummies - v0.5 Axelle Apvrille, Fortinet aapvrille@fortinet.com April 19, 2011 Abstract This document

OpenBTS for dummies - v0 - Freewikisec.free.fr/papers/fordummies.pdf · OpenBTS for dummies - v0.5 Axelle Apvrille, Fortinet [email protected] April 19, 2011 Abstract This document

Documents
Membangun BTS untuk Teknologi GSM dengan Menggunakan OpenBTS

Membangun BTS untuk Teknologi GSM dengan Menggunakan OpenBTS

Documents
OpenBTS Guide en v0.1

OpenBTS Guide en v0.1

Documents
Intrusion Detection and Malware Analysis - Malware collection134.2.173.140/lehre/ws10/ids-malware/12-malware-collection.pdf · Intrusion Detection and Malware Analysis Malware collection

Intrusion Detection and Malware Analysis - Malware collection134.2.173.140/lehre/ws10/ids-malware/12-malware-collection.pdf · Intrusion Detection and Malware Analysis Malware collection

Documents
[eBook] OpenBTS Guide

[eBook] OpenBTS Guide

Documents
Installation Guide for OpenBTS - · PDF fileInstallation Guide for OpenBTS DOCUMENTATION Christoph Kemetmüller Center for Advanced Security Research Darmstadt ebruaryF 2010

Installation Guide for OpenBTS - · PDF fileInstallation Guide for OpenBTS DOCUMENTATION Christoph Kemetmüller Center for Advanced Security Research Darmstadt ebruaryF 2010

Documents
0 4 OpenBTS for Dummies

0 4 OpenBTS for Dummies

Documents
Malware & Anti-Malware

Malware & Anti-Malware

Engineering
OpenBTS - suryaden · 8 OpenBTS 2.6.0 Mamou 9 SDCC (Source) 2.9.0 Perangkat Lunak. Pemasangan

OpenBTS - suryaden · 8 OpenBTS 2.6.0 Mamou 9 SDCC (Source) 2.9.0 Perangkat Lunak. Pemasangan

Documents
GSM, OpenBTS Teoria

GSM, OpenBTS Teoria

Documents
AN OPENBTS GSM REPLICATION JAIL FOR MOBILE MALWAREwikisec.free.fr/papers/VB2011-Apvrille.pdf · 2011-10-24 · AN OPENBTS GSM REPLICATION JAIL FOR MOBILE MALWARE APVRILLE 2 VIRUS

AN OPENBTS GSM REPLICATION JAIL FOR MOBILE MALWAREwikisec.free.fr/papers/VB2011-Apvrille.pdf · 2011-10-24 · AN OPENBTS GSM REPLICATION JAIL FOR MOBILE MALWARE APVRILLE 2 VIRUS

Documents
Adding Support for Authentication and Encryption to Openbts

Adding Support for Authentication and Encryption to Openbts

Documents
JilL IISPECtlOI BISICS JAIL INSPECtiON BASICS JAIL

JilL IISPECtlOI BISICS JAIL INSPECtiON BASICS JAIL

Documents
OpenBTS Installation and Configuration Guide v0

OpenBTS Installation and Configuration Guide v0

Documents
Malware Nilgün Kablan. Malware …………………………………….…….……………………………………………… Geschichte der Malware ……………….…………………………………………………

Malware Nilgün Kablan. Malware …………………………………….…….……………………………………………… Geschichte der Malware ……………….…………………………………………………

Documents
Linux OpenBTS how to

Linux OpenBTS how to

Documents
Introduction of USRP - handong.me · • OpenBTS (Open Base Transceiver Station)---OpenBTS is a software-based GSM access point, allowing standard GSM-compatible mobile phones to

Introduction of USRP - handong.me · • OpenBTS (Open Base Transceiver Station)---OpenBTS is a software-based GSM access point, allowing standard GSM-compatible mobile phones to

Documents
Installation Guide for OpenBTS

Installation Guide for OpenBTS

Documents
29c3 OpenBTS workshop - Hardware and sotware

29c3 OpenBTS workshop - Hardware and sotware

Technology
OpenBTS for dummies - GNU Radio

OpenBTS for dummies - GNU Radio

Documents
Openbts For Dummies

Openbts For Dummies

Documents
Dagah User Manual 1.1.4 Installation Click on the .ova ... · OpenBTS Dagah can attach to an OpenBTS based system to simulate a rogue cell tower. The OpenBTS system needs to have

Dagah User Manual 1.1.4 Installation Click on the .ova ... · OpenBTS Dagah can attach to an OpenBTS based system to simulate a rogue cell tower. The OpenBTS system needs to have

Documents