AUTOMATED
MOBILE MALWARE
CLASSIFICATION
zynamics GmbH
Status Quo: Mobile Malware
   The deluge of mobile malware that was
    predicted has not happened yet
Status Quo: Mobile Malware
   This does not mean that mobile malware is not
    a threat

   More money moving through GSM means
    more incentive to build malware

   Result: There WERE and WILL be outbreaks
News Item
Problem: Variants
   A lot of filtering can be done using MD5
     But: Fraudsters learned to obfuscate
   Variants are easy to create
   In the Windows world: 20k MD5-different variants of the same malware each month
Problem: Variants
   Ways to determine whether a file is a variant of
    a known malware are needed. Preferably:
     Fast

     Cheap

     Reliable

     Easily   adapted to future threats
Current approach
   Analysis is
     Not done at all
     Done manually by a security expert
     Done in some ad-hoc automated fashion
Problem: Variants
   Manual approaches do not satisfy our
    requirements:
     Fast:              No
     Cheap:             No
     Reliable:          Depends on the analyst
     Easily adaptable:  Depends on the analyst
Program Comparison
   How would we check if a file is a variant?
   Program comparison tools are needed
   Surprise: We have built some
     In use in the ITSec and AV world since 2004
     Best Paper at SSTIC 2005
     Germany's biggest privately funded research
      prize 2006
       We beat Siemens and T-Systems
Program Comparison
   Core principle: Comparison is structural
   Instructions may change a lot, the program
    structure only slightly
   Graphs are generated from the programs
   Comparison happens on these graphs
Status Quo: The Windows World
Competition
Program Comparison
   Our comparison is strong because ...
     The entire program is taken into consideration
     Recompiling does not fool us

     Stable parts are identified

     Large changes do not matter much
VxClass for Mobile Malware
   VxClass compares executables
   A library of known malware is kept
   New executables can be checked if they are
    similar to existing malware
   Easy to use, Reliable, Cheap
Case Study
   Unknown executable is received
   MD5 does not match anything
   Is it a variant of an existing piece of malware?
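The case study above, together with the "Program Comparison" slides (comparison is structural; graphs are generated from the programs; instructions change, structure does not), as an added example in Python. This is not VxClass code and not zynamics' algorithm; it is a toy that shows the shape of the workflow: MD5 for the cheap exact-match filter, then a name-independent structural comparison against a library of known families when the hash misses. Programs, CFG signatures, family names ("FamilyA", "FamilyB") and sample bytes are all constructed.

```python
"""Added example (not zynamics' VxClass code): a toy version of the workflow on
the slides -- exact-hash lookup first, structural comparison against a library
of known families when the hash does not match.

A program is modelled as a call graph: {function_name: (cfg_signature, callees)}.
cfg_signature = (basic_blocks, cfg_edges, call_sites) is a property of the
function's control-flow graph, so it survives instruction rewriting, register
renaming and symbol stripping. All samples and family names are constructed.
"""
import hashlib
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

Signature = Tuple[int, int, int]                  # (basic blocks, CFG edges, call sites)
Program = Dict[str, Tuple[Signature, List[str]]]  # function name -> (signature, callees)


class LibraryEntry(NamedTuple):
    family: str
    md5: str
    program: Program


def md5_hex(raw: bytes) -> str:
    """Exact-match key, MD5 as on the slides (see the note below the block)."""
    return hashlib.md5(raw).hexdigest()


def node_fingerprint(program: Program, name: str) -> Tuple[Signature, Tuple[Signature, ...]]:
    """Name-independent fingerprint of one function: its own CFG signature plus
    the sorted CFG signatures of the functions it calls. Renaming every
    function leaves this unchanged; changing the local structure does not."""
    sig, callees = program[name]
    callee_sigs = tuple(sorted(program[c][0] for c in callees if c in program))
    return (sig, callee_sigs)


def structural_fingerprints(program: Program) -> Counter:
    return Counter(node_fingerprint(program, name) for name in program)


def similarity(a: Program, b: Program) -> float:
    """Dice coefficient over the multisets of function fingerprints, so a
    variant that adds or drops a few functions still scores high."""
    fa, fb = structural_fingerprints(a), structural_fingerprints(b)
    common = sum((fa & fb).values())
    total = sum(fa.values()) + sum(fb.values())
    return 2.0 * common / total if total else 0.0


def classify(raw: bytes, program: Program, library: List[LibraryEntry],
             threshold: float = 0.7) -> dict:
    """Step 1: cheap exact MD5 filter. Step 2: structural comparison."""
    digest = md5_hex(raw)
    for entry in library:
        if entry.md5 == digest:
            return {"verdict": "exact", "family": entry.family, "score": 1.0}
    best_family, best_score = None, 0.0
    for entry in library:
        score = similarity(program, entry.program)
        if score > best_score:
            best_family, best_score = entry.family, score
    if best_score >= threshold:
        return {"verdict": "variant", "family": best_family, "score": best_score}
    return {"verdict": "unknown", "family": None, "score": best_score}


# --- constructed data -------------------------------------------------------
KNOWN_A_BYTES = b"constructed bytes of the known FamilyA sample"
KNOWN_A: Program = {               # skeleton of an SMS-sending trojan, constructed
    "main":      ((3, 3, 2), ["send_sms", "hide_icon"]),
    "send_sms":  ((5, 6, 1), ["api_call"]),
    "hide_icon": ((2, 1, 0), []),
    "api_call":  ((1, 0, 0), []),
}
# Same structure after recompiling/obfuscation: symbols stripped, instructions
# inside each function rewritten, one junk function added. Different MD5.
VARIANT_A_BYTES = b"constructed bytes of a repacked variant"
VARIANT_A: Program = {
    "sub_1000": ((3, 3, 2), ["sub_2000", "sub_3000"]),
    "sub_2000": ((5, 6, 1), ["sub_4000"]),
    "sub_3000": ((2, 1, 0), []),
    "sub_4000": ((1, 0, 0), []),
    "sub_5000": ((4, 4, 0), []),   # added junk function
}
UNRELATED: Program = {
    "entry":  ((2, 1, 1), ["worker"]),
    "worker": ((7, 9, 0), []),
}
LIBRARY = [
    LibraryEntry("FamilyA", md5_hex(KNOWN_A_BYTES), KNOWN_A),
    LibraryEntry("FamilyB", md5_hex(b"constructed FamilyB bytes"),
                 {"f": ((6, 8, 1), ["g"]), "g": ((2, 2, 0), [])}),
]

if __name__ == "__main__":
    print(classify(KNOWN_A_BYTES, KNOWN_A, LIBRARY))      # exact
    print(classify(VARIANT_A_BYTES, VARIANT_A, LIBRARY))  # variant of FamilyA
    print(classify(b"constructed unrelated", UNRELATED, LIBRARY))  # unknown
```

Two caveats a practitioner would add. The exact-match index keys on MD5 only because the slides do; the bytes are attacker-controlled, and MD5 collisions are practical, so a real library should key on SHA-256 (the structural stage is what catches the obfuscated variant anyway, and it does not depend on the hash). Second, this toy matches fingerprints exactly, so a variant whose every function has a changed CFG scores near zero; the deck's comparison works on disassembled call and flow graphs with approximate matching, which is what makes "large changes do not matter much" hold in practice.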
Automated Mobile Malware Classification
Multi-User capability

   Web-based
   Log in via username/password or SSL
    certificates
   Automation: Interaction via XMLRPC
Multi-User capability

   Different users can upload samples
   Three levels of permissions:
     Public:      All users can download the sample
     Protected:   All users can see, but not download the sample
     Private:     No other users can see the sample
Business Case
Basic scenario:

   Recognize new malware variants
   Limit risk of outbreak
   Low-cost
   Fast response time
Business Case
Advanced scenario (with shared samples):

   Neighborhood watch
     Who else has seen this before?
     Where?
     When?
     Who should I talk to?

   Improve communication
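The three permission levels (public / protected / private) and the "neighborhood watch" questions above, as an added example in Python. It is not VxClass code; the XML-RPC transport the deck mentions is left out and only the server-side checks are shown. Users, organisations, digests, locations and timestamps are constructed.

```python
"""Added example, not zynamics' code: a toy sample store that enforces the
three sharing levels on the slides (public / protected / private) and answers
the 'who else has seen this, where and when' questions without leaking samples
the asking user is not allowed to see. All users, orgs, digests and dates are
constructed."""
from dataclasses import dataclass
from typing import Dict, List

PUBLIC, PROTECTED, PRIVATE = "public", "protected", "private"
LEVELS = {PUBLIC, PROTECTED, PRIVATE}


@dataclass
class Sample:
    digest: str      # hash of the executable; the key for "the same sample"
    uploader: str    # user id of the submitter
    org: str         # business entity of the uploader (the "who" in neighborhood watch)
    level: str       # one of LEVELS
    where: str       # network / region where it was observed
    when: str        # observation time, ISO 8601
    content: bytes   # the executable itself


class SampleStore:
    def __init__(self) -> None:
        self._samples: List[Sample] = []

    def upload(self, sample: Sample) -> None:
        if sample.level not in LEVELS:          # reject; never default to public
            raise ValueError(f"unknown permission level {sample.level!r}")
        self._samples.append(sample)

    # The uploader can always see and fetch their own sample; everyone else is
    # governed by the level. Anything not explicitly allowed is denied.
    def can_see(self, user: str, s: Sample) -> bool:
        return s.uploader == user or s.level in (PUBLIC, PROTECTED)

    def can_download(self, user: str, s: Sample) -> bool:
        return s.uploader == user or s.level == PUBLIC

    def visible_to(self, user: str) -> List[Sample]:
        return [s for s in self._samples if self.can_see(user, s)]

    def download(self, user: str, digest: str) -> bytes:
        """Protected samples are listed but not served; private samples of
        other users look exactly like samples that do not exist."""
        for s in self._samples:
            if s.digest == digest and self.can_download(user, s):
                return s.content
        if any(s.digest == digest and self.can_see(user, s) for s in self._samples):
            raise PermissionError("sample is protected: visible but not downloadable")
        raise KeyError("no such sample")

    def who_else_has_seen(self, user: str, digest: str) -> List[Dict[str, str]]:
        """Answer 'who else, where, when' from metadata the user may see,
        skipping the user's own uploads and other users' private uploads."""
        return [
            {"org": s.org, "where": s.where, "when": s.when}
            for s in self._samples
            if s.digest == digest and s.uploader != user and self.can_see(user, s)
        ]


def download_outcome(store: SampleStore, user: str, digest: str) -> str:
    """Collapse the three download results into a label for checking."""
    try:
        store.download(user, digest)
        return "ok"
    except PermissionError:
        return "protected"
    except KeyError:
        return "missing"


def demo_store() -> SampleStore:
    """Constructed scenario: three operators upload the same binary at
    different sharing levels, plus two more uploads with their own digests."""
    store = SampleStore()
    blob = b"constructed executable bytes"
    store.upload(Sample("digest-0001", "alice", "OperatorA", PUBLIC,    "DE", "2008-05-01T09:00Z", blob))
    store.upload(Sample("digest-0001", "bob",   "OperatorB", PROTECTED, "UK", "2008-05-02T14:30Z", blob))
    store.upload(Sample("digest-0001", "carol", "OperatorC", PRIVATE,   "FR", "2008-05-03T08:15Z", blob))
    store.upload(Sample("digest-0002", "bob",   "OperatorB", PROTECTED, "UK", "2008-05-04T11:00Z", b"other"))
    store.upload(Sample("digest-0003", "carol", "OperatorC", PRIVATE,   "FR", "2008-05-05T16:45Z", b"secret"))
    return store


if __name__ == "__main__":
    s = demo_store()
    print(s.who_else_has_seen("dave", "digest-0001"))   # OperatorA and OperatorB only
    print(download_outcome(s, "dave", "digest-0002"))    # protected
    print(download_outcome(s, "dave", "digest-0003"))    # missing (carol's private)
```

Every check lives in the store, not in the client, because the XML-RPC client is under the user's control; each exposed method must re-run `can_see` / `can_download` on the server. Note also that a private sample of another user is reported as missing rather than as forbidden, so the mere existence of a competitor's private upload is not disclosed.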
Pricing
Telco-Style: Base Fee + Volume

   Basic:
     200 / month
     50 per uploaded executable

   Medium:
     500 / month
     10 uploads included, 30 each afterwards

   Flat rate:
     999 / month
     No volume fee*
Pricing
   Only available to GSMA members
   The basic and medium packages may be
    shared between business entities
Pricing
This includes

   Providing the server / service
   Backups
   Email support
Roadmap
We will watch and adapt to new threats

   Windows Mobile Executables
   Of current relevance: .pyc
   Widgets
   iPhone executables
   Android
Summary
   We provide strong methods that identify
    malware variants
   Cheap, Fast, Accurate
   Any questions?

                    Contact us!
                info@zynamics.com
