Can You Infect Me Now Malware Propagation in Mobile Phone Networks

1
Can You Infect Me Now?Malware Propagationin
Mobile Phone Networks

• Authors
• Presented by Michael Annichiarico

2
Mobile Malware

• Like normal malware, but on mobile phones
• (smart phones and dumb ones too)?
• Why worry about mobile malware?
• combination of vulnerable platforms (symbian),
  unsuspecting users, and explosive growth in
  potential victims will inevitably attract
  propagating malware

3
What Makes This Paper Different?

• Previous malware propagation research
• Proximity Propagation
• Bluetooth, etc
• This research
• Focuses on propagation via the telecommunications
  network

4
Why Moble Malware?(from the bad guy's
perspective)?

• Smart phones are a lot like PCs
• market share per OS (72 symbian)?
• software vulnerabilities exist
• Exploited smart phones could provide an attacker
  with means to
• steal private data / users' identities
• spam
• make free calls
• execute (D)DoS

5
Main Paper Goal(s)?

• Simulate the effects of mobile malware
  propagation via the telecommunications network
• Simulated both VoIP malware and MMS malware
• Draw some conclusions for defending

6
Simulator

• Event Driven, Custom Code. (so they could better
  adapt for their needs)?
• 1 second step size, stepping 12 hours
• Infection beginning at a single phone
• Telecom Network
• UMTS
• Topology
• Boston Metro Area

7
Network UMTS

• UMTS is the 3G successor to GSM
• (2.5G/GPRS, 2.75G/EDGE)?
• Network side is very similar to GSM, air
  interface side changed to support higher data
  rates.
• Signaling and control are negligible (ignored in
  the model)?

8
Topology Boston Metro Area

• 100sq miles, divided into 1sq mile cells
• Mobile Station Distribution
• from US Census data
• scaled by 78 (by cell phone penetration)?
• Mobility is not modeled
• Authors speculate the bottleneck will be in the
  network, not at the air interface

9
Simplified UTMS Network
10
Simulation Construction

• Assume normal MMS usage is based on a charge per
  message
• MMS Server Capacity
• Server handles 100 msg/sec, although higher rates
  were simulated with a qualitatively similar
  result
• Authors explanation MMS server will not be
  dimensioned to handle users behaving like an
  aggressive worm (i.e., sending large numbers of
  messages as quickly as possible).
• Bottom-up design of the UMTS Network

11
Simplified UTMS Network
12
Simplified UTMS Network
13
Simplified UTMS Network
14
Simplified UTMS Network
15
Simplified UTMS Network
16
Simplified UTMS Network
17
Simplified UTMS Network
18
Modeled UTMS Network
19
Simulation Parameters
1Gbps links between SGSNs
1 single server serving 100 msg/sec
49 servers serving 10k users each
100Mbps
49 servers
2Mbps
9616 Node B's
20
Simulation Notes

• The granularity of our Node B placement was a
  limiting factor of our initial population data. A
  finer granularity would, no doubt, offer a more
  detailed and accurate picture of malware
  propagation.

21
Spreading via Phone books/Contact Lists

• No published studies of address book
  characteristics found, so
• 1-1000 contacts (upper limit from empirical data
  on phone book maximums)?
• Phone book/contact degree distributions based on
  statistical analysis

22
Phonebook/contact degree distributions(for
contact list size)?

• Power-Law from yahoo email groups, and other
  authors' research.
• Log-Normal from social networking websites'
  statistics.
• Erlang Dist from authors' experiment (but very
  small sample size of 73)?

23
Node Attachment ... you dont call everybody in
your address book

• Probabilistically randomly assign address book
  size based on distribution, then...
• 70 - The probability that two users were
  friends was proportional to the inverse of the
  number of people between them.(from
  LiveJournal.com study)?
• 30 uniformly randomly assigned

24
Attack Vector VoIP

• Assumes vulnerable service on the mobile phone
  which does not require user interaction
• Assume all phones are vulnerable.
• (Authors note that in reality a fraction would be
  vulnerable, and they state a qualitatively
  similar result)?

25
Simulated Propagation of VoIP Malware

• ...constrained bandwidth should also be
  considered but doing so requires estimating
  typical traffic characteristics, and we lacked
  meaningful data on which to base such estimates.
  --- ?????

26
Techniques for Faster Propagation of VoIP Malware
(and Simulation Results)?

• Congestion backoff (wait) 10s

• Divide and distribute (transfer) contacts from
  address book

27
Attack Vector MMS

• Handled by central MMS server
• Requires user interaction
• only a percentage F act on message
• Can be done while phone is off
• So there is a wait time to answer messages.
  Mixture of two Gaussian distributions centered at
  20s 45m

28
Simulated Propagation of MMS Malware
29
Techniques for Faster Propagation of MMS Malware

• Congestion backoff (10s)?
• Not very much advantage, due to MMS central
  server constraint.
• Divide and distribute contacts from address book
• Same as above
• Global contact book method
• Infected half the population in 12 hrs. (what F
  value?)?

30
Faster MMS Malware Propagation
31
Defending Against Mobile Malware Propagation in
Telecom. Networks

• (This section is way too small in the paper,
  would have liked to see more on this.)?
• Rate Limiting
• ACCELLERATES infection! (same as congestion
  avoidance)?
• Blacklisting Containment
• large number still get infected more slowly (no
  details given on ).
• removing phones leads to a less congested network
  for those infected but non-blacklisted phones
• Content Filtering
• Seems promising due to centralized topology.
  "Investigating whether it's practical remains
  future work." (and they didnt provide any
  information on how promising or why)?

32
Questions?