An OpenBTS GSM Replication Jail for
Mobile Malware
Axelle Apvrille
Virus Bulletin Conference, October 2011
Malware Jail
Thou Shalt Not Spread (Nor Leak)
VirusBulletin Conference 2011 - A. Apvrille 2/11
Jail 1. Remove SIM / Offline / Flight mode
- Secure... probably
- Behaviour: changed!

Malware                      Online           Offline
SymbOS/Album                 Sends 2 SMS      -
SymbOS/Acallno               Trojan spyware   Can't be activated
SymbOS/Feixiang              Sends 2 SMS      Sends 1 SMS
Java/Konov, SymbOS/ZoomSms   Sends SMS        System lag
Jail 2. Use an emulator
- Good Android emulator, but what about the other OSes?
- Same behaviour-change problem
- Hardware exploits / VM detection
Jail 3. Faraday cage
(Photo courtesy of J. Daniels, http://www.jeddaniels.com/2007/faraday-cage-part-1/)
Not that easy to build...
- How to see the screen?
- Access to keyboard?
Large Faraday cages: expensive + heavy
Build your own operator network!
What's OpenBTS?
OpenBTS
- Open source project
- Local GSM operator = USRP + accurate clock + host running OpenBTS / Asterisk
- No GPRS, EDGE, UMTS...
OpenBTS is a registered trademark of Range Networks, Inc.
And nanoBTS-OpenBSC?
Good (perhaps better?)... but 6 times more expensive
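As an added example (not part of the original slides, and not taken from the OpenBTS project's own documentation), here is the handful of OpenBTS settings that turn a stock install into a closed jail: a test PLMN that no real subscriber's home network matches, registration restricted to the analysis phone's SIM, SMS and calls kept on the local host (smqueue and Asterisk) so message contents can be read, and transmit power kept minimal. The key names follow the OpenBTSCLI `config` syntax of later OpenBTS releases (3.x/4.x), which postdate the 2011 deck, so verify them against your build; the IMSI, ARFCN and attenuation values are placeholders to replace for your own SIM and your licensed or shielded band.

```text
# OpenBTSCLI commands, one per line (OpenBTS 3.x/4.x key names, assumed; verify against your build)

# MCC 001 / MNC 01 is the ITU test PLMN: no real operator's SIM has it as home network
config GSM.Identity.MCC 001
config GSM.Identity.MNC 01
config GSM.Identity.ShortName MalwareJail

# Keep the cell small: a channel unused by nearby operators and high attenuation (placeholder values)
config GSM.Radio.Band 900
config GSM.Radio.C0 51
config GSM.Radio.PowerManager.MaxAttenDB 20
config GSM.Radio.PowerManager.MinAttenDB 20

# Only the analysis phone's SIM may attach: regex matched against the IMSI (placeholder IMSI)
config Control.LUR.OpenRegistration ^001010000000001$

# SMS, speech and registration stay on the host: smqueue, Asterisk and sipauthserve
config SIP.Proxy.SMS 127.0.0.1:5063
config SIP.Proxy.Speech 127.0.0.1:5060
config SIP.Proxy.Registration 127.0.0.1:5064
```

Check the jail before running a sample: after a manual network search the phone should display the test network's ShortName rather than the home operator, and `tmsis` in OpenBTSCLI should list only the test IMSI. The jail only stops leaks to real networks if the sample phone cannot also see a real cell, so a low power setting is not a guarantee on its own; radiating in GSM bands also requires a licence or RF shielding.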
Jail Architecture
Video: Using an OpenBTS Jail for Malware Analysis
What the analyst sees...
Part 1. ... when the phone is offline
Part 2. ... with an OpenBTS-based jail
Results
Chart: Blue = offline, Red = with GSM jail, Yellow = + GPRS jail. Full results: see paper.
Main Advantages
- Behaviour similar to real conditions
- See SMS contents and details
- No leak to real networks
- Low cost
Limitations
- Sample requires a WCDMA bearer
- MMS not handled
- Dynamic analysis limitations
Thank You !
Follow us on http://blog.fortinet.com
or twitter: @FortiGuardLabs
Axelle Apvrille
aka Crypto Girl
/mobile malware reverse engineering/ [email protected]
Slides edited with LOBSTER