WHY MOBILE TO MOBILE MALWARE WON’T CAUSE A STORM Nathaniel Husted Steven Myers Indiana University Monday, April 4, 2011
MOBILE TO MOBILE MALWARE • Bluetooth (Mabir/Cabir/Commwarrior) Vs. MMS (Mabir/Commwarrior) • Symbian OS -- Dominant Market Share • Feature Phones -- Dominant Phone Style Malware Malware Malware Bluetooth MMS Monday, April 4, 2011
ROADMAP 1. Related Work 2. Feature phones to smartphones: expanded threat surface 3. Requirements for studying malware spread 4. Interesting variables 5. Results 6. Conclusion Monday, April 4, 2011
RELATED WORK • [CARETONNI07] - Analytical model... • [SU06] - Analytical model... • [WANG09] - Empirical data but without fine positioning... • [CHANNAKESHAVA09] - Activity based data but no transmission during mobility... Monday, April 4, 2011
FEATURE PHONES TO SMARTPHONES • Bluetooth to WiFi • Larger threat surface • More features • More complex software • Always on Internet Google Developer Phone http://www.flickr.com/photos/tagzania/3119293948 • Potential: Jailbroken iPhone’s with default SSH credentials Monday, April 4, 2011
FEATURE PHONES TO SMARTPHONES • Bluetooth to WiFi • WiFi devices, when on, are always visible, Bluetooth devices must be discoverable to be visible • WiFi management traffic is transparent • WiFi has greater range than common Bluetooth devices • WiFi has higher speeds • We assume WiFi is always on Monday, April 4, 2011
LOOKING AT MALWARE SPREAD 1. Epidemiological Model • S-E-I-R Model • Susceptible 5... • Exposed 4... 3... • Infected 2... • Recovered 1... Exposure Example Monday, April 4, 2011
LOOKING AT MALWARE SPREAD 2. Realistic Mobility Model - UdelModels • High Spatial Fidelity • High Temporal Fidelity • Accurate Population Density Example UdelModels Simulation http://www.udelmodels.eecis.udel.edu/ Monday, April 4, 2011
LOOKING AT MALWARE SPREAD 3. Target Geographical Area -- CHICAGO Population 9056 [Landscan] http://www.udelmodels.eecis.udel.edu/ http://seamless.usgs.gov/hro.php Monday, April 4, 2011
LOOKING AT MALWARE SPREAD • Infection Style: Parallel Vs. Serial • Parallel -- Many devices targeted and infected all at once. • Serial -- One device targeted and infected at one time . • Exposure Time - Viral Spread Speed • Susceptibility - Different phone hardware/software • Broadcast Radius - 802.11g vs. 802.11n Monday, April 4, 2011
IMPORTANCE OF VIRAL SPREAD SPEED Not-Infected Infected Monday, April 4, 2011
EXPOSED POPULATIONS Population Infections from 7:00AM − 11:00AM in Chicago 1 0.9 0.8 Fraction of Population Infected 0.7 0.6 0.5 0.4 0.3 10s(Serial) 10s(Parallel) 30s(Serial) 0.2 30s(Parallel) 60s(Serial) 60s(Parallel) 0.1 120s(Serial) 120s(Parallel) 0 0 5000 10000 15000 Time(Seconds) Constants: Radius: 15m Susceptibility: 100% Initial Infection: 1% Monday, April 4, 2011
IMPORTANCE OF SUSCEPTIBILITY Not-Infected Infected Non-Susceptible Monday, April 4, 2011
SUSCEPTIBLE POPULATIONS Population Infections at 7:00AM − 11:00AM in Chicago 1 5% Susc. (Ser) 5% Susc. (Par) 0.9 10% Susc. (Ser) 10% Susc. (Par) 25% Susc. (Ser) 0.8 25% Susc. (Par) Fraction of Population Infected 50% Susc. (Ser) 50% Susc. (Par) 0.7 75% Susc. (Ser) 75% Susc. (Par) 100% Susc. (Ser) 0.6 100% Susc. (Par) 0.5 0.4 0.3 0.2 0.1 0 0 5000 10000 15000 Time(Seconds) Constants: Radius: 15m Exposure Time: 30s Initial Infection: 30 People Monday, April 4, 2011
IMPORTANCE OF BROADCAST RADIUS Not-Infected Infected Monday, April 4, 2011
BROADCAST RADIUS Population Infections from 7:00AM − 11:00AM in Chicago Population Infections from 7:00AM − 11:00AM in Chicago 1 1 0.9 0.9 15m (Serial) 0.8 0.8 Fraction of Population Infected Fraction of Population Infected 15m (Parallel) 30m (Serial) 0.7 0.7 30m (Parallel) 45m (Serial) 0.6 0.6 45m (Parallel) 0.5 0.5 0.4 0.4 15m (Serial) 0.3 0.3 15m (Parallel) 30m (Serial) 0.2 0.2 30m (Parallel) 45m (Serial) 0.1 0.1 45m (Parallel) 0 0 0 5000 10000 15000 0 5000 10000 15000 Time(Seconds) Time(Seconds) Constants: 100% Susceptible Exposure Time: 30s 25% Susceptible Initial Infection: 1% Monday, April 4, 2011
CONCLUSIONS • Current U.S. city resident densities do not lead to epidemics, even with increased range • Epidemics in the U.S. will only occur with very high (arguably unrealistic) susceptibility rates • Parallel spread has little effect • Mobile-to-mobile epidemics are the least of our worries... • Privacy violating mobile malware -- Tapsnake • SoundComber -- http://www.cs.indiana.edu/~kapadia/soundcomber-news.html • Malware targeting mobile banking -- Mitmo Monday, April 4, 2011
QUESTIONS? Monday, April 4, 2011
REFERENCES • [Landscan] http://www.ornl.gov/sci/landscan/(July 2010). • [CARETONNI07] CARETTONI, L., MERLONI, C., AND ZANERO, S. Studying bluetooth malware propagation: The bluebag project. IEEE Security and Privacy 5, 2 (2007), 17–25. • [SU06] SU, J., CHAN, K., MIKLAS, A., PO, K., AKHAVAN, A., SAROIU, S., DE LARA, E., AND GOEL, A. A preliminary investigation of worm infections in a bluetooth environment. In Proceedings of the 4th ACMworkshop on Recurring malcode (2006), ACM, p. 16. • [WANG09] WANG, P ., GONZALEZ, M., HIDALGO, C., AND BARABASI, A. Understanding the spreading patterns of mobile phone viruses. Science 324, 5930 (2009), 1071. • [CHANNAKESHAVA09] CHANNAKESHAVA, K., CHAFEKAR, D., BISSET, K., KUMAR, V., AND MARATHE, M. EpiNet: a simulation framework to study the spread of malware in wireless networks. In Proceedings of the 2nd International Conference on Simulation Tools and Techniques (2009), ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering), pp. 1– 10. Monday, April 4, 2011
SERIAL VS. PARALLEL INFECTIONS Dont Dont Walk Walk Not-Infected Walk Walk Infected Monday, April 4, 2011
INFECTED POPULATIONS Population Infections Between 7:00AM − 11:00AM in Chicago With Incubation Per. of 30 Seconds 1 0.9 0.8 Fraction of Population Infected 0.7 0.6 0.5 0.4 0.3 0.2 0.01 Initial(Serial) 0.01 Initial(Parallel) 0.05 Initial(Serial) 0.1 0.05 Initial(Parallel) 0.10 Initial(Serial) 0.10 Initial(Parallel) 0 0 5000 10000 15000 Time(Seconds) Monday, April 4, 2011
Recommend
More recommend
