
282 Chapter 8 · Analyzing Mobile Malware

Notes from the Underground...

Using the Techniques as Rootkit

MobileSandbox uses the presented techniques for dynamically analyzing a malware sample. It is only natural that the sandbox wants to hide its presence and simulate a normal system for the analyzed malware. But the same techniques can be applied to develop malware that hides itself from the system: a rootkit. This is a perfect example of dual-use technology; it can be used for peaceful purposes or for malevolent ones.

Porting to Other Mobile Operating Systems

It is an interesting question whether the presented techniques for Windows Mobile can be used for other mobile operating systems as well. Unfortunately, the answer is "generally, no." The system architectures are very different from Windows Mobile. Our approach is based on the fact that it is very easy for untrusted software to run as a kernel-mode process. Other operating systems are more restricted, so the support of the operating system manufacturer would be required to get a sufficient trust level for the sandbox program. Examples of the more restricted operating systems are Symbian OS and the iPhone operating system. Symbian OS, especially, implements very restricted access to almost anything, beginning with system version 9. If software wants to access system directories or manipulate other processes, it needs special Symbian OS capabilities that are not easy to obtain. The upcoming Linux phones promise to be more accessible because of the open-source nature of their operating system. Examples are the Open Handset Alliance (Android), the LiMo Foundation, and Openmoko. But the future still must determine which of these platforms will really be used and gain wide acceptance.

Notes on Interception Completeness

There are two aspects when considering completeness: interception of every system call and recognition of the system call's signature (parameters). The solution for both aspects is described in the following.

Interception

The most important part is to see every system call. This is achieved through the technique depicted in Figure 8.3. We change the central pointer for the data structures to point to our
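As an added illustration (not code from the book or from MobileSandbox), the following C model shows why redirecting one central dispatch pointer gives complete interception, and why that same pointer is the first thing a defender's integrity check should verify, since a rootkit would hijack it the same way. The dispatch table, the handler names and the two-argument call shape are constructed assumptions; the real Windows CE structures are not shown on this page.

```c
/* Constructed model of a central system-call dispatch table and the pointer
 * the kernel routes every call through. Real Windows CE uses its own
 * structures; this stands in for them. */
typedef long (*syscall_fn)(long, long);
enum { SYS_OPEN, SYS_READ, SYS_WRITE, SYS_COUNT };

/* Stub "original" handlers (constructed, arithmetic only). */
static long sys_open(long a, long b)  { return a + b; }
static long sys_read(long a, long b)  { return a * b; }
static long sys_write(long a, long b) { return a - b; }

static syscall_fn original_table[SYS_COUNT] = { sys_open, sys_read, sys_write };
static syscall_fn *dispatch = original_table;   /* the central pointer */

/* Sandbox side: a shadow table whose entries record the call, then forward. */
static int seen[SYS_COUNT];
static long shadow_open(long a, long b)  { seen[SYS_OPEN]++;  return sys_open(a, b); }
static long shadow_read(long a, long b)  { seen[SYS_READ]++;  return sys_read(a, b); }
static long shadow_write(long a, long b) { seen[SYS_WRITE]++; return sys_write(a, b); }
static syscall_fn shadow_table[SYS_COUNT] = { shadow_open, shadow_read, shadow_write };

/* Swapping the one pointer interposes on every entry at once. */
void install_interception(void) { dispatch = shadow_table; }
void remove_interception(void)  { dispatch = original_table; }

/* Simulated kernel entry: callers never hold a handler address themselves,
 * so there is no path that bypasses the table. */
long do_syscall(int nr, long a, long b) {
    if (nr < 0 || nr >= SYS_COUNT) return -1;
    return dispatch[nr](a, b);
}

/* Completeness from the sandbox's view: entries still reaching the original. */
int uncovered_entries(void) {
    int n = 0;
    for (int i = 0; i < SYS_COUNT; i++)
        if (dispatch[i] == original_table[i]) n++;
    return n;
}

/* Integrity from the defender's view: verify the central pointer itself and
 * then every entry against the known-good table. */
int table_redirected(void) {
    if (dispatch != original_table) return 1;
    for (int i = 0; i < SYS_COUNT; i++)
        if (dispatch[i] != original_table[i]) return 1;
    return 0;
}

int calls_seen(int nr) { return seen[nr]; }
```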