Chapter 3
Instance and theory of Malicious code
Malicious code defense in mobile networks
Funded by Intel Corp.
OUTLINE
• Bind-type mobile phone virus and its realization
• Mobile worms and their basic theory
• Mobile Trojans and their principles
• Mobile RootKit
3.1 Bind-type mobile phone virus and its realization
• What is file binding?
– It grows out of file compression (as in WinRAR self-extracting archives)
– Malware can be placed inside a compressed package and unpacked automatically
– The malicious code can run and infect in this way
• Introduction to the SIS file
– It is the installation package format for the Symbian system (just like .ipa for iPhone)
3.1 Bind-type mobile phone virus and its realization
Since a mobile phone virus can use a SIS file to run and spread itself, it must be packed into a SIS file, or into some other normal-looking document, to deceive users.
3.1 Bind-type mobile phone virus and its realization
Here is an example of how to make a SIS file.
First, create a text file temp.pkg:

    &ZH
    #{"filename"},(0xUID),1,00,0,TYPE=SISAPP
    (0x101000F1),0,0,0,{"Series60ProductID"}
    "C:\text.txt"-"",ft,tc

• 0xUID is the UID of this file; it can be looked up with UnMakeSIS
• 1,00,0 is the version number; it can also be looked up with UnMakeSIS
• "C:\text.txt"-"",ft,tc is the setup information (source file, destination and options)
3.1 Bind-type mobile phone virus and its realization
Click the "create SIS file" button and MakeSIS will pack a file "test.sis"; it will also create a log file.

    &ZH
    #{"test"},(0x102F68010),1,00,0,TYPE=SISAPP
    (0x101000F1),0,0,0,{"Series60ProductID"}
    "C:\1\system\test\test.app"-"C:\1\system\test\test.app"

Save this file as test.pkg, then open CMD and type "makesis test.pkg". This produces the SIS file "test.sis".
3.1 Bind-type mobile phone virus and its realization
Using the MakeSIS software, arbitrary files can be packaged into a SIS file.
If an MDL file is installed into the phone's Recogs directory, the system program loads it at startup, so the phone starts it automatically.
In this way the virus program achieves its goal of running by itself and infecting.
3.1 Bind-type mobile phone virus and its realization
• Characteristics and consequences of the bind-type mobile phone virus
– No additional conditions are required
– It depends on the phone system supporting the corresponding self-extracting (SFX) file format
– It is difficult for the user to notice
– Good camouflage; it easily deceives users
3.2 Mobile worms and their basic theory
Definition of worms
– In the DOS era, a worm-like thing appeared on the screen of an infected computer and "ate" letters.
The biggest difference between a worm and an ordinary virus is that a worm is an independent, self-contained program, unlike earlier virus programs, which need a host file to live in.
A complete program that replicates on its own shows the characteristics of a worm, even though it can itself be infected by a common virus.
3.2 Mobile worms and their basic theory
[Figure on the slide: differences between worms and a normal virus (program, worm, virus)]
3.2 Mobile worms and their basic theory
The instance of mobile worms: Cabir
• Cabir is the virus that ignited the mobile malware (MM) revolution. The first sample of the family was released in June 2004. The source code was published in the 29A ezine and quickly produced 35 known variants as a result.
3.2 Mobile worms and their basic theory
• Viva España!
• The original Cabir.A MM was e-mailed to Kaspersky Labs by a famous virus collector from Spain named VirusBuster.
3.2 Mobile worms and their basic theory
The worm would spread as a SIS archive file named caribe.sis, which arrived in the inbox of the target device.
The user was required to give permission to install the file onto the device. Once the worm was installed, it would immediately start seeking other Bluetooth-enabled devices within range.
When a device was located, Cabir would lock onto that device and commence sending the SIS file multiple times in the hope of a successful infection.
3.2 Mobile Worms and basic theory
The following are the files included in the SIS file
and the locations they were copied to when the
worm infected a new device:
■ caribe.app to
\system\symbiansecuredata\caribesecuritymanager\
■ caribe.rsc to
\system\symbiansecuredata\caribesecuritymanager\
■ flo.mdl to \system\recogs
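A static check for the .pkg syntax shown in 3.1, written here as an added example (it is not from the slides and is not part of MakeSIS or any Symbian tool). It parses the header, platform-dependency and file lines of a package description and flags the two install-time properties that matter for the Cabir file list above: a file dropped into \system\recogs (a recognizer, loaded by the framework at boot, which is how flo.mdl gave Cabir its auto-start) and a file marked to execute during installation through the FR/RI/RW/RR options of the .pkg format. The sample package text, its UID and its paths are constructed for the demonstration.

```python
"""Parse a Symbian .pkg description and flag auto-start installs (added example)."""
import re
from dataclasses import dataclass, field

# Header line:  #{"name"},(0xUID),major,minor,build,TYPE=...
HEADER_RE = re.compile(r'#\{"([^"]*)"\},\((0x[0-9A-Fa-f]+)\),(\d+),(\d+),(\d+)')
# Platform dependency:  (0xUID),major,minor,build,{"Series60ProductID"}
DEP_RE = re.compile(r'\((0x[0-9A-Fa-f]+)\),\d+,\d+,\d+,\{"([^"]*)"\}')
# File line:  "source"-"destination"[,OPTION,...]
FILE_RE = re.compile(r'"([^"]*)"\s*-\s*"([^"]*)"(.*)')

RECOGS_DIR = "\\system\\recogs\\"              # recognizers are loaded at boot
RUN_OPTIONS = {"FR", "RI", "RW", "RR"}         # file-run, run-on-install, run-wait, run-on-remove

# Constructed sample modelled on test.pkg from 3.1; the UID is a placeholder,
# the last two lines imitate Cabir's flo.mdl drop and an "run during install" entry.
SAMPLE_PKG = r'''&EN
; constructed sample, not a real package
#{"test"},(0x10000000),1,00,0,TYPE=SISAPP
(0x101000F1),0,0,0,{"Series60ProductID"}
"C:\1\system\test\test.app"-"!:\system\test\test.app"
"C:\1\system\test\test.rsc"-"!:\system\test\test.rsc"
"C:\1\system\recogs\flo.mdl"-"!:\system\recogs\flo.mdl"
"C:\1\setup.exe"-"!:\system\apps\test\setup.exe",FR,RI
'''


@dataclass
class PkgFile:
    source: str
    dest: str
    options: tuple


@dataclass
class PkgInfo:
    name: str = ""
    uid: str = ""
    version: tuple = ()
    platforms: list = field(default_factory=list)
    files: list = field(default_factory=list)


def parse_pkg(text):
    """Extract name, UID, version, platform dependencies and file entries."""
    info = PkgInfo()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("&"):
            continue                       # blank, comment, or language line (&EN, &ZH)
        m = HEADER_RE.match(line)
        if m:
            info.name, info.uid = m.group(1), m.group(2)
            info.version = tuple(int(x) for x in m.group(3, 4, 5))
            continue
        m = DEP_RE.match(line)
        if m:
            info.platforms.append(m.group(2))
            continue
        m = FILE_RE.match(line)
        if m:
            opts = tuple(o.strip().upper() for o in m.group(3).split(",") if o.strip())
            info.files.append(PkgFile(m.group(1), m.group(2), opts))
    return info


def audit_pkg(info):
    """Return (destination, reason) pairs for entries that start code without user action."""
    findings = []
    for f in info.files:
        path = f.dest.lower()
        if len(path) > 1 and path[1] == ":":
            path = path[2:]                # drop "!:", "C:" or "E:" drive prefix
        if path.startswith(RECOGS_DIR):
            findings.append((f.dest, "installs into \\system\\recogs: loaded at boot as a recognizer"))
        run_opts = RUN_OPTIONS.intersection(f.options)
        if run_opts:
            findings.append((f.dest, "marked to execute during install: " + ",".join(sorted(run_opts))))
    return findings


if __name__ == "__main__":
    pkg = parse_pkg(SAMPLE_PKG)
    print(f"{pkg.name} {pkg.uid} v{'.'.join(map(str, pkg.version))}, {len(pkg.files)} files")
    for dest, reason in audit_pkg(pkg):
        print(f"  {dest}: {reason}")
```

The check only reads the description file, so it works on a package before it is ever installed; the same two properties can be read off a compiled SIS with UnMakeSIS, the tool the slides mention for recovering the UID and version.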
3.2 Mobile worms and their basic theory
The source code for this virus was released to the public in issue #8 of the ezine published by the malware group 29A. The author's name is Vallez.
The malware was written in C/C++ specifically for the Symbian Series 60 platform.
3.2 Mobile Worms and basic theory
Cabir.C through Cabir.G are identical in
functionality to Cabir.B, with the only difference
being the name of the SIS archive file and the text
displayed on the device when the MM is installed.
Screenshots of Cabir.C, .D, and .E
3.2 Mobile worms and their basic theory
• Bluetooth openness
The majority of Bluetooth MM infects mobile devices only when the device is set to discoverable mode. By switching this option to hidden, you have just protected yourself from several headaches. Is your Bluetooth-enabled phone in discoverable mode?
3.2 Mobile Worms and basic theory
This new incarnation of Cabir now had
the capability to propagate via
Bluetooth to several devices. When
Cabir found a Bluetooth-enabled
device, it would send a SIS file named
velasco.sis repeatedly to the device
until it accepted it or went out of range.
3.2 Mobile Worms and basic theory
• Once the device went out of range, Cabir would
immediately start searching for another
Bluetooth-enabled device. This empowered
Cabir by now having the ability to infect more
than one device per execution. Luckily, no
reports of it in the wild ever emerged.
Display of Cabir.H after Completed Installation
3.3 Mobile Trojans and their principles
3.3.1 Overview of mobile Trojans
• Through the previous study, we already have a preliminary understanding of the Trojan.
• For a mobile phone system, the phone itself is a natural home for Trojans. If a user accidentally installs a program of a malicious nature on his mobile phone, there is no doubt that this is a Trojan horse program; it can cause harm from inside the mobile phone system.
The basic architecture of mobile Trojans
• The basic structure of a mobile Trojan can be broadly divided into three parts:
• 1 Infection section
– The role of this part is similar to that of an ordinary virus program. It mainly makes the Trojan run smoothly on the mobile system. To this end, the Trojan program needs to use some basic features of the mobile phone system to copy its own files or to start running. The process by which a Trojan infects the mobile phone is often called "Trojan implanting".
The basic architecture of mobile Trojans
• 2 Data transmission section
– This part is mainly used to receive commands and to return the results of program execution. In order to receive information from, or respond to, the Trojan's maker, a mobile Trojan must call on some communication method of the phone. These communications include Bluetooth, infrared, short messages, MMS and Internet access.
– In order to reduce the chance of being found by users, mobile Trojans receive multiple commands at one time and then return the results in parts.
The basic architecture of mobile Trojans
• 3 Task execution section
– For Trojans, performance shows up in another aspect: the task execution section.
– When the task a Trojan receives is relatively simple and does not consume many mobile resources, the Trojan can use the one-to-one execution mode. The so-called one-to-one execution mode means executing a command as soon as the Trojan receives it, and not receiving any other command until this command has been executed.
The basic architecture of mobile Trojans
• 3 Task execution section
• For some high-performance mobile phones, attackers equip Trojans with the one-to-many execution mode. The one-to-many execution mode means that the Trojan can receive many commands at one time and run them simultaneously, or that it can break a task into subtasks and then execute them.
• The benefit of this mode is that, for the execution of multiple commands, the Trojan greatly improves its productivity. The malicious attacker at the receiving end can suddenly get a lot of information about the mobile phone user, which helps further attacks in his favour.
3.3.2 Perniciousness of mobile Trojans
• The harm done by mobile phone Trojans includes the following:
• 1 Remote snooping
• 2 Communication monitoring
• 3 Information interception
• 4 Forging and cheating
Remote snooping
• Once a Trojan is successfully implanted into the mobile phone system, it will first check the user's mobile phone type and basic information to determine its next step.
• Then the Trojan program starts to obtain basic information about the mobile phone user. Trojans can check the phone book and try to find the number stored under an entry such as "my number", and send it to the attacker quickly once found.
• Sometimes the private information of users on the cell phone is not limited to the phone book and short messages. Some files on the user's memory card are likely to involve the user's personal information, such as photos or videos.
Communication monitoring
• Communication monitoring is the most important hazard of mobile Trojans. Trojans can connect to outside mobile devices, and voice data is the most commonly exchanged information in mobile communication. At the same time, because the mobile phone is usually carried by the user, it can also record the voices around it.
• The general method of monitoring is that the mobile Trojan automatically dials a contact number at a given moment after infecting the cell phone system. At this point the mobile phone is in a voice call. Thus any sound within a certain range of the phone can be transmitted by the mobile phone to the connected monitor.
Windows Mobile, for example: the concrete implementation of this technology
• Creating a call is a basic operation under the Windows Mobile system. It mainly uses the PhoneMakeCall function. We pass a string parameter to PhoneMakeCall to indicate the target address and to decide whether to ask for confirmation before the call. Then we define a small parameter structure, PhoneMakeCallInfo, which is passed to PhoneMakeCall.
• cbSize gives the size of PhoneMakeCallInfo. dwFlags is an option used to specify whether to prompt the user before calling. pszDestAddress is a pointer to the phone number to be dialed. pszAppName is not supported currently. pszCalledParty is optional and shows the called party's name. pszComment is not supported currently. Then we use P/Invoke (DllImport) to access the API function PhoneMakeCall.
• For convenience, an auxiliary MakeCall overload omits the confirmation before dialing. An actual mobile Trojan does not ask for confirmation; it dials directly. In the full MakeCall, the PhoneNumber parameter (a string) is split into a character array before it is copied to unmanaged memory.
• In order to cheat users, Trojans often read information from the SIM card, including the phone book, messages, etc. A SimRecord structure is described briefly here. Because only sequentially laid-out structures can be marshalled automatically between managed and native code, the structure is marked with the sequential layout attribute. cbSize is the size of the conveyed structure. dwParams is the parameter value, which we need not worry about here. dwRecordType indicates the record format.

    using System;
    using System.Runtime.InteropServices;

    class PhoneDailing
    {
        // Creating a call is a basic operation under Windows Mobile; it uses PhoneMakeCall.
        private static long PMCF_DEFAULT = 0x00000001;
        private static long PMCF_PROMPTBEFORECALLING = 0x00000002;

        // Parameter structure that needs to be passed to the PhoneMakeCall function.
        private struct PhoneMakeCallInfo
        {
            public IntPtr cbSize;          // size of this structure
            public IntPtr dwFlags;         // whether to prompt the user before calling
            public IntPtr pszDestAddress;  // pointer to the number to be dialed
            public IntPtr pszAppName;      // not supported currently
            public IntPtr pszCalledParty;  // optional: the called party's name
            public IntPtr pszComment;      // not supported currently
        }

        [DllImport("")]   // library that implements the call; name left blank on the slide
        private static extern IntPtr PhoneMakeCall(ref PhoneMakeCallInfo ppmci);

        // Auxiliary function that omits the confirmation before dialing.
        public static void MakeCall(string PhoneNumber)
        {
            MakeCall(PhoneNumber, false);
        }

        private static void MakeCall(string PhoneNumber, bool PromptBeforeCall)
        {
            // ... (elided on the slide: PhoneNumber is split into a character array
            //      cPhoneNumber, and a PhoneMakeCallInfo named info is filled in)
            IntPtr iPhoneNumber = Marshal.AllocHGlobal(cPhoneNumber.Length * sizeof(char));
            Marshal.Copy(cPhoneNumber, 0, iPhoneNumber, cPhoneNumber.Length);
            info.pszDestAddress = iPhoneNumber;
            PhoneMakeCall(ref info); // begin to dial
        }

        // Trojans often read SIM card information (phone book, messages, etc.) to cheat users.
        // Only sequential-layout structures are marshalled automatically between managed and native code.
        [StructLayout(LayoutKind.Sequential)]
        private struct SimRecord
        {
            public IntPtr cbSize;        // size of the conveyed structure
            public IntPtr dwParams;      // parameter value; not needed here
            public IntPtr dwRecordType;  // record format
            public IntPtr dwItemCount;
            public IntPtr dwSize;
        }
        // ...
    }

• Through the above code, the program can dial automatically and connect a voice call. At this point the phone is in a listening state, and all the sounds around the mobile phone user can be monitored remotely.
Information interception
• Our mobile phones often play the role of the device we use to obtain information in time.
• There is a special kind of mobile Trojan which intercepts information (whether short messages or MMS) as soon as the user receives new information from outside. After interception, the mobile Trojan may delete the information or send it to the receiver of the Trojan, the malicious attacker, causing the cell phone user to miss a lot of important things.
• The information-interception type of Trojan is a very malicious one. It makes it hard for users to detect what is happening around them.
Forging and cheating
• Besides intercepting user information, a mobile Trojan can also forge phone messages to cheat the mobile phone user.
• When a mobile Trojan provides the malicious attacker with the user's address book, the attacker can pick out one important number and then send a text message from it to the mobile phone user to cheat him. Its content may involve economic fraud or even more serious crime.
3.3.3 Implementation of mobile Trojans
• Self-starting activation method
• Hiding technology
• Implementation of running in the background
• Receiving the control commands
• The process of command execution
• The result feedback
Self-starting activation method
• If mobile Trojans could be stopped by powering off the phone, we would not have to be afraid of them. But the fact is that a mobile Trojan will always exist in the mobile phone system as long as you do not clean it out. The method by which it starts itself again after the device is powered off and then turned on is called "self-starting" technology.
• Self-starting technology uses a special function the mobile phone system provides to run specified program files when the system starts up.
Self-starting of mobile systems
• 1 Symbian
• The Symbian system provides certain methods for this. One method mainly uses the function provided by the "Recognizer". Using the Recognizer, developers can create an MDL file, which is similar to a DLL library file. It will be loaded by the kernel after the Symbian system starts up.
• 2 Linux
• When a Linux system boots, the init program is executed after the kernel boots. Generally init works from the /etc/ files. Thus you can add a statement to the file directly to make the program start with the system. At the same time, rcS will call /usr/etc/. So the application can also add its statement there.
Self-starting of mobile systems
• 3 Windows Mobile
• In the Windows Mobile system there is a folder named "StartUp" which can be used to implement self-starting. It is in the Windows directory. When we add a shortcut to a program in that directory, self-starting is achieved.
• There is another method. Just like the Windows system, Windows Mobile supports a function called "system service".
• A system service mainly refers to a kind of program that works in the system background and receives and handles events from the foreground at any time. It usually starts with the operating system.
• Since system services have the dual nature of self-starting and background running, they are often preferred by mobile phone virus programs.
Hiding technology
• In order to be able to lurk in the mobile system, a Trojan program must wipe away its "traces". For example, if the Trojan program has recorded the user's voice communication, the related files should be deleted immediately.
• At the same time, some users may install software on their phone that can be used to monitor or query system information. To avoid being found, mobile Trojans use some hiding technologies. The simplest one is hook technology.
Hiding technology
• The principle of a hook is to use some method to replace certain system functions and procedures.
– In this way, if the system or a program uses those system functions and procedures, the hook procedure is executed first and gains the authority to watch the call.
– The author of the hook procedure can add code to change the original system function or method in the course of its execution.
– So if the system software uses thread-traversal functions to monitor running threads, the Trojan maker can use hook technology to intercept these thread-traversal functions, change the thread-traversal information, delete the information about the Trojan program, and then return the results to the software.
Hiding technology
• In addition to using hook technology to hide, the system callback function is another choice.
– When the system finds that system files or running threads have changed, it uses callback functions to notify the phone interface or log so that they change with the corresponding action. The existence of callback functions affects the concealment of mobile Trojans.
– Mobile Trojans hide themselves by changing the information returned by the callback functions.
Implementation of running in the background
• Some key programs of the mobile phone system run in the background of the phone.
– The screen saver, for example, runs in the background while the phone is working, namely while the user is calling or sending a short message. The screen saver runs automatically when the phone is about to enter standby mode.
– This is a typical kind of background program.
Implementation of running in the background
• A mobile Trojan program is illegal. It must run in the background. On different smartphones, the methods of making a program run in the background are quite different.
• In the Symbian system, to make a program run in the background we must make sure that the program is an exe file. An exe file can run without a user interface under Symbian. It is very similar to a command-line program in the Windows system.
• Then you can make the exe program self-starting so that it is hidden in the background and executed secretly.
Receiving the control commands
• A Trojan is more terrible than a general virus, because the Trojan program can receive instructions from the attacker and take action.
• So in order to obtain external information, the Trojan uses the basic functions of the mobile phone, such as short messages, and accessory functions such as Bluetooth.
• Theoretically, as long as your phone has power, a mobile Trojan can receive any instruction from the attacker at any time.
The process of command execution
• The process should be efficient and compact for mobile Trojans.
• The performance of a mobile platform cannot be compared with that of an ordinary PC. If the execution process of the Trojan program is too complex, a crash may happen; the phone may even shut down automatically. Thus the mobile Trojan comes to nothing.
The process of command execution
• The attacker should consider the size and amount of data stolen while stealing subscriber data. Otherwise the Trojan program will take up a lot of resources to handle these data, leading the cell phone user to notice that his phone is not behaving normally.
• For a Trojan program running on a smartphone, multithreading and background running are the best options. As a result, the operation of the mobile Trojan does not overload the mobile system, and the Trojan program still runs very efficiently.
The result feedback
• As with receiving the control commands, how the results are returned is decided by how the commands are received. But sometimes Trojan programs use multiple available ways to return the result. The purpose is to increase the probability of success and to speed up the return of the execution result.
3.3.4 Instance analysis: mobile Trojan identification and elimination
• Flocker mobile Trojan
• Pbstealer mobile Trojan
• Commwarrior mobile Trojan
• Cardtrap mobile Trojan
Flocker
• Flocker is designated "TrojanSMS.Python.Flocker.a".
– Its body file is a Python script.
– It only runs on mobile platforms that support Python.
– The Flocker script file is embedded in a SIS installation package. The SIS installer lures users to install it under the disguise of "Icq_Python". Just like a normal program, after installation the following files are generated:
[File list shown as an image on the slide]
Flocker
• The three pyd files are the import modules used by the Trojan script.
• When the user clicks the program icon, the script file is executed, and its behaviour is as follows:
– (1) it keeps sending text messages to a specified number;
– (2) it removes the reply messages from the specified number from the inbox.
• So the user's phone credit is stolen without the user suspecting anything, and the corresponding service provider makes exorbitant profits.
Pbstealer
• Pbstealer, commonly known as the address book thief, is a typical mobile Trojan.
• It mainly infects Nokia phones with Symbian OS.
• The Pbstealer Trojan steals the contact information in the phone's address book within a short time after infection. Then it sends the information about your contacts, notepad and schedule to anyone around you who has a Bluetooth device.
Pbstealer
• The general characteristic of the Trojan is that Pbstealer is disguised as application software that compresses the contacts database. It does not spread by itself. Users who download the Pbstealer SIS installation package are infected.
• The SIS file includes program files and string resources. Pbstealer starts up automatically during the installation of the SIS file. Pbstealer displays text such as "Compacting your contact(s), step 2, please wait again until done".
Commwarrior
• Commwarrior, also known as the MMS virus, belongs to the mobile Trojans. The Trojan mainly infects Nokia phones with the Symbian operating system.
• When a user's phone is infected, it starts looking for other phones that can be reached via Bluetooth and sends them the infected SIS file. The SIS file is randomly named, which makes it hard for the user to defend against.
• In addition to spreading through Bluetooth, Commwarrior reads the user's local address book and sends MMS messages that contain the Commwarrior SIS file.
Commwarrior
• The general characteristic of the Trojan is
shown as that Commwarrior virus will lure
the user to open the MMS by using
alluring or fraudulent words when
spread by MMS, such as “NortonAntiVirus
Released now for mobile, install it!” and
“bad! Free *SEX* software for you!”.
• If a user attempts to delete executable
Commwarrior files or bootstrap a part of
them, they will be recreated in the phone.
Cardtrap
• Cardtrap belongs to the mobile Trojans. The Trojan mainly infects Nokia phones with the Symbian operating system.
• Cardtrap is a kind of SIS-file Trojan that damages the Symbian system; it attempts to damage some third-party applications and installs computer worms onto memory cards.
• The feature of the virus is that Cardtrap installs the W32/!p2p virus on the MMC. After installation the virus has its own file name, icon and shortcut links, trying to lure users to click on them.
3.3.5 Basic identification means of Mobile
Trojans
• The most crucial thing about Mobile Trojan
is that a Trojan program needs to get in
touch with a malicious attacker in the
outside.
• So when you perceive that your mobile
phone receives strange short messages or
MMS, or somehow connects to the Internet,
you need to pay attention to your mobile
phone. It may be implanted with Trojan
program.
Basic identification means of mobile Trojans
• But for a Trojan that uses Bluetooth to transmit, it becomes difficult to detect its existence. However, we do not use Bluetooth that frequently.
• So once you use the mobile phone's Bluetooth to send data, if the data received does not match the data sent, the existence of the Trojan program can also be discovered.
3.4 Mobile RootKit
3.4.1 RootKit technology
• The RootKit comes from computer systems. In 1994, a security consultancy report used the word RootKit for the first time.
– In the paper entitled "Ongoing network monitoring attacks", the author describes a stealthy program which runs quietly in the system and monitors user behaviour at any time.
• The emergence of such programs attracted the attention of security personnel.
RootKit technology
• Because a RootKit has to hide within the operating system, it must be closely tied to the operating system.
• A RootKit uses a few core technologies to implement the hiding.
• Using these technologies usually requires the highest system permissions. This is actually what the "Root" in the name refers to.
3.4.2 File hiding
• A RootKit must consider how it is stored in phone memory or on the memory card.
– The infected target system is usually equipped with anti-virus or security software, which often has a function for monitoring the file system.
– When malicious code copies itself to the phone's memory card, the scanner checks the new file. The malicious code is likely to be found and deleted.
File hiding
• But there is often a time gap in the file system monitoring function.
– Some of the system functions and methods a mobile phone system publishes cannot expose the underlying core technology, due to economic interests and security restrictions.
– When software developers use these "incomplete" system functions and methods to develop software, the resulting function is not likely to be responsive enough; it has some drawbacks.
– And malicious code differs in many ways. It is impossible to have a signature record for every kind of malicious code.
File hiding
• A RootKit is different from ordinary malicious code: its core purpose is to use the underlying technology of the mobile phone system to achieve some "advanced" purposes. Hiding its existence is one of them.
• Typically, the user checks the status of his mobile phone, and anti-virus and security software conducts regular scans and deletes junk files.
• If malicious code uses some technology to hide itself, it can escape that fate. A RootKit is such a program.
Means of file hiding
• In the design of a mobile phone system, the developers are likely to adopt some undisclosed ways to implement special purposes.
• The maker of mobile malware performs an in-depth analysis of the internal implementation of the mobile phone system and finds these undisclosed methods.
• These methods involve some of the underlying technologies of the file system. Using the underlying technologies, the RootKit makes itself disappear from the system.
Means of file hiding
• Another way: when a RootKit program runs successfully on the mobile phone system for the first time, it deletes its files from the memory card and at the same time monitors changes in the system state.
– On the one hand, it monitors whether anti-virus security software is running in the system.
– On the other hand, it monitors whether the phone is about to be turned off. If so, the program writes itself back into the file system, so that it can still run when the phone is switched on next time.
• The implementation is difficult, because it requires every operation of the mobile phone user to be monitored.
Implementation of global keyboard monitoring in the Symbian system

    void CClockSSAppUi::SetCaptureKey()
    {
        CancelCaptureKey();
        // Begin to capture key presses (Shift + OK key) on the root window group
        iHandleCaptureKey = CCoeEnv::Static()->RootWin().CaptureKeyUpAndDowns(
            KOkKeyScanCode, EModifierShift, EModifierShift, PRIORITYCAPTUREKEY);
        iHandleCaptureKey2 = CCoeEnv::Static()->RootWin().CaptureKey(
            KOkKeyCode, EModifierShift, EModifierShift, PRIORITYCAPTUREKEY);
    }

Implementation of global keyboard monitoring in the Symbian system

    TKeyResponse CClockSSAppUi::HandleKeyEventL(const TKeyEvent& aKeyEvent, TEventCode aType)
    {
        // React to the key-down of the captured OK key while Shift is held
        if ((KOkKeyScanCode == (TUint)aKeyEvent.iScanCode) && (EEventKeyDown == aType)
            && ((aKeyEvent.iModifiers & EModifierShift) == EModifierShift))
        {
            CAknGlobalNote* globalNote = CAknGlobalNote::NewLC();
            globalNote->ShowNoteL(EAknGlobalInformationNote, _L("CaptureKey!"));
            CleanupStack::PopAndDestroy();
        }
        return EKeyWasNotConsumed;
    }
Means of file hiding
• File hiding by a RootKit is also reflected in the use of some system settings, such as the registry of the mobile phone system (mainly for Windows Mobile), the files that hold system properties (Symbian), etc.
3.4.3 Job/thread hiding
• Job/thread hiding makes the RootKit program disappear from the phone's running state.
• Mobile anti-virus and security software can not only traverse the file information of the phone's file system but also monitor the tasks running on the phone.
• For malicious code, file hiding is therefore not enough.
Job/thread hiding
• There are some differences between smart mobile systems and computer operating systems. Hook technology from the computer operating system is hard to implement in a mobile system.
• Job/thread information is closely tied to the normal operation of the mobile phone system. If this information is changed carelessly, the mobile phone system collapses, for example with a crash or an automatic shutdown.
Means of job/thread hiding
• Temporarily changing the mobile phone system cache is a very effective method. By modifying key data in the system cache, some of the key information in the mobile phone system is changed.
• If this influence reaches the job/thread information, an attacker finds an opportunity.
Means of job/thread hiding
• The mobile phone system stores data in some key positions in order to use and modify it at any time. It is like the Windows system storing task information in the registry after creating a new task.
• RootKit makers must analyse and judge each system cache file in detail and understand its access format.
• Sometimes the system uses encryption to store some of the core data, so the attacker has to crack the encryption mechanism and then modify the data to make the RootKit hide in the system.
Means of job/thread hiding
• Finding system vulnerabilities is a method attackers often use.
– The security design of mobile phone systems is worse than that of computer operating systems, mainly because mobile phones are not used in as complicated a way as computers. The user may only use the phone to make calls, send text messages, etc.
– As a result, colossal hidden security troubles exist in the design of some mobile phone systems.
– These hidden dangers, once discovered by RootKit designers, lead to unimaginable consequences.
Means of job/thread hiding
• In the design of an operating system, the operating system code generally runs at high addresses in memory. User code is not allowed to access these addresses.
• If the address being accessed is not in the legal range, the access is prohibited and a warning is given.
• But in some mobile phone systems, the designers omit the implementation of this part for the sake of simplicity. When all the job/thread information is stored at high memory addresses, direct access from a RootKit application to those addresses can modify their contents. Neither the system itself nor other information-query software can detect this kind of change.
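Both hiding methods described on these slides, hooking the thread-traversal function so the monitor never sees the Trojan's entries (3.3.3) and editing the job/thread records the query software reads (3.4.3), share one weakness: they corrupt one view of the running tasks, not every view. The standard countermeasure is a cross-view check, taking the same inventory through two independent paths and comparing them. The following is an added example of that check, not from the slides; it targets desktop Linux (one of the three systems named under self-starting in 3.3.3), where it can be run as-is: the process list read from the /proc directory is compared with the process IDs that answer a signal-0 probe through kill(), a path that does not consult the directory listing. The PID range scanned and the double snapshot are this example's own choices.

```python
"""Cross-view detection of hidden processes on Linux (added example)."""
import os


def has_proc():
    """True when the /proc view is available on this host."""
    return os.path.isdir("/proc")


def own_pid():
    """PID of the current process, used as a known-good sanity check."""
    return os.getpid()


def pid_alive(pid):
    """Probe one PID with kill(pid, 0): EPERM still proves the process exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False              # no such process
    except PermissionError:
        return True               # exists, owned by another user
    return True


def pids_from_proc():
    """View 1: PIDs listed by the /proc directory (what ps/top normally read)."""
    if not has_proc():
        return set()
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_probe(max_pid):
    """View 2: PIDs that exist according to the kernel's signal delivery path."""
    return {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}


def default_max_pid():
    """Upper bound of the PID space, from the kernel if readable."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return 32768


def cross_view_hidden_pids(max_pid=None):
    """PIDs that answer the probe yet never appear in /proc.

    /proc is snapshotted before and after the probe so a process that merely
    started or exited during the scan is not reported; each suspect is then
    re-checked once more to drop the remaining short-lived races."""
    if max_pid is None:
        max_pid = default_max_pid()
    before = pids_from_proc()
    probed = pids_from_probe(max_pid)
    after = pids_from_proc()
    suspects = probed - before - after
    return sorted(p for p in suspects if pid_alive(p) and p not in pids_from_proc())


if __name__ == "__main__":
    hidden = cross_view_hidden_pids()
    print("scanned PIDs 1..%d; hidden: %s" % (default_max_pid(), hidden or "none"))
```

A mismatch between the two views is the signal, not proof by itself: a host where /proc is mounted with hidepid will show other users' processes as "hidden" to an unprivileged caller, so the check should run as root or the result should be read with that mount option in mind. The same idea extends to threads (compare /proc/<pid>/task with tgkill probes) and to files (compare a directory listing with direct open() attempts on expected names), which is what the file-hiding slides above call for.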
3.4.4 RootKit at the driver level
• Malicious code designed in a free development environment is just a simple application program. To hide its behaviour, it must get inside the system.
• The essential purpose of a mobile phone system is to call up all the hardware for convenient use. For that it needs driver programs.
• A driver is a kind of program that lets software and hardware communicate. It is like the software interface of the hardware. The operating system controls the hardware only through this interface.
The basic structure of driver and operating system
[Figure on the slide: Operating system -> Driver -> Hardware]
RootKit at the driver level
• Because of the importance of drivers, mobile system makers often design and implement some basic drivers themselves.
• But as the functions of mobile phones become more complex, it is too cumbersome to write all of them. So they entrust other manufacturers with designing the drivers. This is a basic mode of modern phone system development.
• The technical level differs from one manufacturer to another, so the drivers may have a lot of potential security hazards.
RootKit at the driver level
• If a RootKit maker is familiar with the mobile phone hardware and at the same time knows how to develop hardware drivers for the mobile phone system, then he is likely to write a driver with viral qualities.
• Once adopted by the mobile system, the RootKit can modify core system data through the driver, including process information, file information, etc. It can also modify the system's running state, for example by formatting the cell phone's memory card.
3.4.6 The development trend of mobile RootKits
• Along with the widespread popularity of smartphones, mobile RootKits have quickly come into the view of security personnel.
• Due to the concealment of RootKit technology, its efficiency is much higher than that of the average mobile phone virus. And the RootKit's anti-deletion technology against mobile anti-virus software works at a lower level than that of a virus program.
• These advantages make attackers shift their attention to the development of mobile RootKits.
The development trend of mobile RootKits
• Mobile phone hardware RootKits will proliferate
• File hiding technology (such as hooks) will become increasingly mature
• Job/thread hiding technology is beginning to mature at the same time
• Low-level technology aimed against anti-virus software will appear
• RootKits will focus on security holes in mobile systems
• Driver-level RootKits will become the mainstream