
As phones become ever more capable and their computing power keeps growing, they have gradually acquired the same diverse functionality as notebook computers. Consequently, the botnet malware that once appeared only on PCs is slowly invading phones as well, posing an even greater threat to phone security.

We therefore combine the powerful Snort engine with techniques for detecting anomalous bot packets, inspecting the packets that arrive at the phone in order to protect the phone's privacy and the security of its Internet use.

Finally, few bot viruses currently exist on phones, so this thesis, lacking real samples, simulates a phone bot virus based on descriptions and reports published by mobile antivirus companies. In the future, more and stronger bot viruses with more diverse attack methods are certain to appear; once real samples can be obtained, more complete detection methods can be designed to withstand bot virus attacks on phones.

Attack screenshots

Malicious weather app, containing a backdoor program that opens port 5555 on the phone

Downloading and executing the bot code

Secretly connecting to the C&C server

The attacker uses system commands to view system information

/system/bin/id: the privileges the attacker currently holds

/system/bin/netstat: view the phone's internal port information

/system/bin/ps: view process data for the programs currently running on the system

/system/bin/ls /sdcard: list the contents of the phone's SD card

/system/bin/cat /proc/cpuinfo: information on the phone's system architecture

/system/bin/ftpput: send photo3.jpg from the phone's SD card to a remote server

Remotely installing the spam mail app on the phone via adb

Spam mail app sending mail

An app disguised as a system update that secretly sends spam mail

Displaying a fake update message to deceive the user

Spam mail message received

Detection screenshots

Snort running

Argus running

Additional features

Internal system resources

Distribution of power consumption by resource

CPU and memory consumed by the system's running applications
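As an added illustration (not code from the thesis), the following Python scans a constructed busybox-style netstat snapshot for the indicators the attack screenshots show (a listener on port 5555, an FTP transfer like the ftpput step, an IRC-style C&C session) and tests whether the connection times to one host look like periodic beaconing; the sample output, addresses and port-to-label mapping are assumptions.

```python
from statistics import pstdev

# Constructed sample of busybox-style `netstat` output from an Android phone
# (documentation-range addresses; this is not output from the thesis).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
tcp        0      0 10.0.2.15:43210         203.0.113.10:6667       ESTABLISHED
tcp        0      0 10.0.2.15:43211         203.0.113.10:21         ESTABLISHED
tcp        0      0 10.0.2.15:51000         198.51.100.5:443        ESTABLISHED
"""

ADB_PORT = 5555  # the backdoor in the demo opens this port (adb over TCP)
# Remote ports worth flagging given the demo: ftpput exfiltration and IRC-style C&C
# (assumed mapping, not the thesis' rule set).
WATCHED_REMOTE_PORTS = {21: "ftp_transfer", 6667: "irc_c2"}

def split_addr(addr):
    """Split 'host:port' into (host, port); port is None for wildcards like '*'."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Yield (proto, local, remote, state) tuples, skipping the header line."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 6:
            yield parts[0], parts[3], parts[4], parts[5]

def find_indicators(text):
    """Return (indicator, address) pairs for sockets matching the demo's behaviour."""
    alerts = []
    for _proto, local, remote, state in parse_netstat(text):
        _lhost, lport = split_addr(local)
        _rhost, rport = split_addr(remote)
        if state == "LISTEN" and lport == ADB_PORT:
            alerts.append(("adb_listener", local))  # backdoor exposing adb
        elif state == "ESTABLISHED" and rport in WATCHED_REMOTE_PORTS:
            alerts.append((WATCHED_REMOTE_PORTS[rport], remote))
    return alerts

def looks_periodic(timestamps, max_cv=0.1):
    """True when the gaps between connections to one host are near-constant (beacon-like)."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return False  # too few connections to judge periodicity
    mean = sum(gaps) / len(gaps)
    return mean > 0 and pstdev(gaps) / mean <= max_cv
```

Run on a real snapshot, the port heuristics give a quick triage view while the periodicity check separates beacon-like C&C traffic from ordinary browsing.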

