1、Mobile MalwareLike normal malware,but on mobile phones(smart phones and dumb ones too)Why worry about mobile malware?“combination of vulnerable platforms(symbian),unsuspecting users,and explosive growth in potential victims will inevitably attract propagating malware”What Makes This Paper Different?
2、Previous malware propagation research:Proximity PropagationBluetooth,etcThis research:Focuses on propagation via the telecommunications networkWhy Moble Malware?(from the bad guys perspective)Smart phones are a lot like PCs:market share per OS(72%symbian)software vulnerabilities existExploited smart
3、 phones could provide an attacker with means to:steal private data/users identitiesspammake free callsexecute(D)DoSMain Paper Goal(s)Simulate the effects of mobile malware propagation via the telecommunications networkSimulated both VoIP malware and MMS malwareDraw some conclusions for defendingSimu
4、latorEvent Driven,Custom Code.(so they could better adapt for their needs)1 second step size,stepping 12 hoursInfection beginning at a single phoneTelecom NetworkUMTSTopologyBoston Metro AreaNetwork:UMTSUMTS is the 3G successor to GSM(2.5G/GPRS,2.75G/EDGE)Network side is very similar to GSM,air inte
5、rface side changed to support higher data rates.Signaling and control are negligible(ignored in the model)Topology:Boston Metro Area100sq miles,divided into 1sq mile cellsMobile Station Distributionfrom US Census datascaled by 78%(by cell phone penetration)Mobility is not modeledAuthors speculate th
6、e bottleneck will be in the network,not at the air interfaceSimplified UTMS NetworkSimulation ConstructionAssume normal MMS usage is based on a charge per messageMMS Server CapacityServer handles 100 msg/sec,although higher rates were simulated with“a qualitatively similar result”Authors explanation
7、:MMS server will not be dimensioned to handle users behaving like an aggressive worm(i.e.,sending large numbers of messages as quickly as possible).Bottom-up design of the UMTS NetworkSimplified UTMS NetworkSimplified UTMS NetworkSimplified UTMS NetworkSimplified UTMS NetworkSimplified UTMS NetworkS
8、implified UTMS NetworkSimplified UTMS NetworkModeled UTMS NetworkSimulation Parameters1 single serverserving 100 msg/sec49 serversserving 10k users each49 servers9616 Node Bs2Mbps100Mbps1Gbps links between SGSNsSimulation Notes“The granularity of our Node B placement was a limiting factor of our ini
9、tial population data.A finer granularity would,no doubt,offer a more detailed and accurate picture of malware propagation.”Spreading via Phone books/Contact ListsNo published studies of address book characteristics found,so:1-1000 contacts(upper limit from empirical data on phone book maximums)Phone
10、 book/contact degree distributions based on statistical analysisPhonebook/contact degree distributions(for contact list size)Power-Law:from yahoo email groups,and other authors research.Log-Normal:from social networking websites statistics.Erlang Dist:from authors experiment(but very small sample si
11、ze of 73)Node Attachment.you dont call everybody in your address bookProbabilistically randomly assign address book size based on distribution,then.70%-“The probability that two users were friends was proportional to the inverse of the number of people between them.”(from LiveJournal study)30%unifor
12、mly randomly assignedAttack Vector:VoIPAssumes vulnerable service on the mobile phone which does not require user interactionAssume all phones are vulnerable.(Authors note that in reality a fraction would be vulnerable,and they state a qualitatively similar result)Simulated Propagation of VoIP Malwa
13、re“.constrained bandwidth should also be considered;but doing so requires estimating typical traffic characteristics,and we lacked meaningful data on which to base such estimates.”-?Techniques for Faster Propagation of VoIP Malware(and Simulation Results)Divide and distribute(transfer)contacts from
14、address bookCongestion backoff(wait)10sAttack Vector:MMSHandled by central MMS serverRequires user interactiononly a percentage“F”act on messageCan be done while phone is offSo there is a wait time to answer messages.Mixture of two Gaussian distributions centered at 20s&45mSimulated Propagation of M
15、MS MalwareTechniques for Faster Propagation of MMS MalwareCongestion backoff(10s)Not very much advantage,due to MMS central server constraint.Divide and distribute contacts from address bookSame as aboveGlobal contact book methodInfected half the population in 12 hrs.(what F value?)Faster MMS Malwar
16、e PropagationDefending Against Mobile Malware Propagation in Telecom.Networks(This section is way too small in the paper,would have liked to see more on this.)Rate LimitingACCELLERATES infection!(same as congestion avoidance)Blacklisting Containmentlarge number still get infected more slowly(no deta
17、ils given on%).removing phones leads to a less congested network for those infected but non-blacklisted phonesContent Filtering“Seems promising due to centralized topology.”Investigating whether its practical remains future work.(and they didnt provide any information on how promising or why)Questions?
