
CHAPTER 1

INTRODUCTION
1.1 ABSTRACT
At first glance, mobile phones might seem to have all the technology needed for a major virus outbreak now. They have modern CPUs, built-in Bluetooth wireless technology, and data transfer across multiple networks. Many even ship with Java. By some estimates, up to half of these new "smartphones" leave the factory with some version of the Symbian OS, which is gaining in popularity because of endorsements by leaders such as Nokia, Ericsson, and others. With the worldwide market for mobile phones still growing at a phenomenal 32 per cent in 2004, and with an estimated 1.5 billion people (or 1/4 of the world's population) already owning a mobile phone, virus epidemics that target mobile phones will one day become a reality. The first proof-of-concept mobile phone virus appeared in June 2004 for the Symbian OS, but as proofs of concept tend to be, it proved relatively harmless. Subsequent versions have significantly improved capabilities, but they are still very low risk. Almost all use Bluetooth to propagate.

Bluetooth is a great technology for connecting small devices that are close to one another, but therein also lies its disadvantage: with a few exceptions, the technology has a very limited range. With Macs and PCs, Bluetooth lets you connect your mobile phone, PDA, and laptop to your printer. It lets you sync your calendar and address book, and of course allows for the transfer of arbitrary data. Getting infected with a virus via Bluetooth is interesting because it is akin to a human virus, which requires proximity to spread, but that proximity also severely limits how far the virus can go. As newer variants get smarter, however, they will start to use the phone's GPRS-style data capabilities to spread. After all, they have immediate access to the address book inside your mobile phone.

Why should one care about mobile phone viruses? There is clearly a profit motive, and that is all that is needed to kick-start another dubious industry.
From a virus that will dial 1-900 numbers all day long, to one that automatically buys a hundred ringtones that get added to your phone bill, there is money to be made by the next wave of miscreants. In Asia, telcos have already begun testing e-commerce transactions that are available through your phone. Where there is e-commerce, you can bet there will be viruses and security threats.

We begin by examining what mobile worms and viruses are, and how they differ from their PC counterparts. This report refers to such malicious software for mobile devices as mobile malware. The modes by which mobile malware spread, and their effects, are enumerated. The risks and threats from these are then examined, and various methods that have been used to prevent and protect against their attacks are listed. Case studies of three widespread and important mobile malware, Cabir, ComWar and CardTrap, are presented. We also examine the extent of harm that could be caused by mobile malware in combination with other newer technology. Though such viruses do not yet exist, it can be seen that it is only a matter of time before they can wreak havoc.

1.2 BRIEF HISTORY


1.2.1 CELL-PHONE VIRUS BASICS
What is a virus? Viruses are software programs deliberately designed to interfere with computer operation; to record, corrupt, or delete data; or to spread themselves to other computers and throughout the Internet, often slowing things down and causing other problems in the process. Just as human viruses range in severity from the 24-hour flu to the Ebola virus, computer viruses range from the mildly annoying to the downright destructive, and come in new and different forms. The good news is that with an ounce of prevention and a little knowledge, you are less likely to fall victim to viruses and you can diminish their impact.

A large number of mobile devices are now part of everyday use. These include cell phones, smartphones and PDAs (Personal Digital Assistants). The functionality and applications offered by current mobile devices are beginning to rival those offered by a traditional PC. These mobile devices usually have some form of connectivity (e.g., GSM, GPRS, Bluetooth, WiFi). They have vulnerabilities like PCs, but also have some peculiarities of their own. Worms, viruses and other malicious software have been released that exploit vulnerabilities in some of these devices, and can cause harm or annoyance to their users. Over the past few years, there has been a substantial increase in the number of malware written for mobile devices. There exist at least 31 families and 170 variants of known mobile malware. Statistics have shown that at least 10 Trojans are released every week. Even though it took computer viruses twenty years to evolve, their mobile device counterparts have evolved in a span of just two years. To understand the threat involved, we first present a comparison of the environments for PC-based and mobile device malware.

Comparison between mobile malware and PC malware

The following points illustrate the differences and similarities between mobile malware and PC malware.

Vulnerabilities in PCs that have been exploited are related to vulnerabilities in the operating system or application software. Patches for such vulnerabilities are released periodically by the software vendors. The users (or administrators) of the PCs are then responsible for ensuring that these patches are applied to their systems as and when released. Though vulnerabilities in mobile devices have been found and documented, it is very difficult to roll out patches to the software or firmware on mobile devices that have already been sold. Considering that the users of mobile devices include a vast majority of people who are not security conscious, it is difficult to expect users to apply patches to their devices as and when the patches are released. This problem is compounded because there is no easy way to upgrade the firmware or software of a mobile device using only the mobile device itself; connectivity with a PC is usually the only way to upgrade it.

Mobile devices such as phones are almost always switched on and stay connected to the network. Unlike a PC, whose neighboring network nodes remain relatively fixed, the neighbors of a mobile device keep changing with every change of location of the user carrying it. As a result, for example, a single user with an infected phone entering a stadium can potentially infect the phones of all the people within the stadium if those phones share the same vulnerability.
Mobile phone users are less security conscious than the average Internet user.

On the positive side:

Unlike PCs, several variants of mobile devices exist. This makes it difficult for mobile malware to infect or spread to dissimilar devices. For example, a mobile worm spreading through MMS can do little if the phone it has infected does not have MMS functionality.

Mobile malware have not yet caused critical harm or damage. At most they increase the user's billing, or cause the mobile phone to stop working (which can be restored by a factory reset). As a result, however, there is not enough motivation, either for device manufacturers or for users, to take preventive action against mobile malware.

A cell-phone virus is basically the same thing as a computer virus: an unwanted executable file that "infects" a device and then copies itself to other devices. But whereas a computer virus or worm spreads through e-mail attachments and Internet downloads, a cell-phone virus or worm spreads via Internet downloads, MMS (multimedia messaging service) attachments and Bluetooth transfers. The most common type of cell-phone infection right now occurs when a cell phone downloads an infected file from a PC or the Internet, but phone-to-phone viruses are on the rise. Current phone-to-phone viruses almost exclusively infect phones running the Symbian operating system. The large number of proprietary operating systems in the cell-phone world is one of the obstacles to mass infection: cell-phone virus writers have no Windows-level market share to target, so any virus will only affect a small percentage of phones.

Figure 1.1: Cell-phone viruses currently target Symbian Series 60 phones with Bluetooth and MMS capabilities, like this Nokia 6620.

Infected files usually show up disguised as applications like games, security patches, add-on functionalities and, of course, pornography and free stuff. Infected text messages sometimes steal the subject line from a message you have received from a friend, which of course increases the likelihood of your opening it, but opening the message is not enough to get infected. You have to choose to open the message attachment and agree to install the program, which is another obstacle to mass infection: to date, no reported phone-to-phone virus auto-installs. The installation obstacles and the methods of spreading limit the amount of damage the current generation of cell-phone virus can do.

The first known cell-phone virus appeared in 2004 and did not get very far. Cabir.A infected only a small number of Bluetooth-enabled phones and carried out no malicious action; a group of malware developers created Cabir to prove it could be done. Their next step was to send it to anti-virus researchers, who began the process of developing a solution to a problem that promises to get a lot worse. Cell-phone viruses are at the threshold of their effectiveness. At present, they cannot spread very far and they do not do much damage, but the future might see cell-phone bugs that are as debilitating as computer viruses.

1.2.2 MILESTONES OF MOBILE VIRUSES


These are some of the main events in the history of cell-phone viruses. Additional variants of the viruses mentioned here might exist.

Name        | First Discovered | Details
Cabir       | June 2004        | Spreads via Bluetooth; attacks Symbian Series 60 phones
Mquito      | August 2004      | Sends SMS messages to a premium rate number
Skulls      | November 2004    | Spreads via Internet download; attacks various Symbian phones; disables all phone functions except sending/receiving calls
MGDropper   | December 2004    | Disables most well known third party file managers and antivirus software
Commwarrior | January 2005     | Spreads via Bluetooth and MMS; attacks Symbian Series 60 phones; sends out expensive MMS messages to everyone in the phonebook
Locknut     | March 2005       | Spreads via Internet download; attacks Symbian Series 60 phones; crashes system ROM; disables all phone functions; inserts other (inactive) malware into the phone
Dampig      | March 2005       | Disables some system applications; cannot be uninstalled without being disinfected first
Drever      | March 2005       | Disables cell phone antivirus programs
Fontal      | April 2005       | Spreads via Internet download; attacks Symbian Series 60 phones; locks up the phone in start-up mode; disables the phone entirely
Mabir       | April 2005       | Attacks Symbian Series 60 phones; spreads through Bluetooth and MMS

Table 1.1: Milestones of Mobile Viruses

CHAPTER 2

TECHNOLOGY AND TRENDS


2.1 TECHNOLOGY
2.1.1 ATTACK VECTORS FOR MOBILE MALWARE
Currently known mobile malware use the following attack vectors:

Bluetooth: Many mobile devices can communicate with other devices over a short range using Bluetooth. However, several flaws exist in both the protocol and its implementations, and some mobile malware exploit these to spread. Others disguise themselves as legitimate applications (Trojans) and try to spread to other devices within Bluetooth range; these prompt the user to install the application, and once installed they cause harm to the device. The first known mobile malware, Cabir, spread through Bluetooth. Malware that spread through Bluetooth can only reach devices within Bluetooth range (typically a few meters). However, such malware can still spread rapidly across many devices where Bluetooth-enabled devices are densely packed. Such an attack was reported at the World Athletics Championship in Helsinki in 2005, where a large number of people in the stadium had their devices infected with Cabir very rapidly.

SMS, MMS, WiFi: Some mobile malware spread through SMS, MMS or WiFi. Most of these send SMS or MMS to other phones and attach themselves to the message. ComWar, for example, spreads through MMS. There is also a buffer overflow vulnerability in the SMIL (Synchronized Multimedia Integration Language) parser on devices based on the Microsoft Windows Mobile 2003 operating system; this parser handles incoming MMS messages. As has been demonstrated, it can be exploited to launch a buffer overflow attack against the recipient of such an MMS message: the user only needs to view the message to trigger the exploit, with no need to explicitly launch an application.

Malware that spread through SMS or MMS can cover much larger areas, simply because the only restriction on spreading across continents is the balance left in the user's mobile phone account. Worms that exploit vulnerabilities in WiFi could also infect WiFi-capable mobile devices.

Vulnerabilities in the operating system: Vulnerabilities exist in the operating systems used by mobile devices. Symbian OS, the operating system in most Nokia mobile phones, has several vulnerabilities [2], [3]. For example, one vulnerability found in Symbian Series 6.x devices (Nokia 3650 and Siemens SX-1) is triggered by creating a file called INFO.wmlc in the root folder with 67 spaces between "INFO" and the ".", which causes the phone to work slowly or even crash. Microsoft Windows Mobile 2003 is the other popular operating system used on mobile devices, and it also suffers from vulnerabilities; for example, the Duts virus exploits a zero-day vulnerability in the file handling API of the operating system. It is also worth mentioning that several phones (some by Motorola and Samsung) use Linux or a variant of it as the operating system.

Figure 2.1 Potential Infection Vectors for Mobile Devices

2.1.2 DAMAGE DONE


The first known cell-phone virus, Cabir, is entirely innocuous. All it does is sit in the phone and try to spread itself. Other cell-phone viruses, however, are not as harmless. A virus might access and/or delete all of the contact information and calendar entries in your phone. It might send an infected MMS message to every number in your phone book, and since MMS messages typically cost money to send, you are actually paying to send a virus to all of your friends, family members and business associates. At the worst-case end, it might delete or lock up certain phone applications or crash your phone completely so that it is useless.

Figure 2.2 Damage done to the Nokia Mobile series 60

2.2 CLASSIFICATION
As with any entity that comes in multiple types, a taxonomy-based classification is necessary to properly assign individual specimens to their respective classes. The following was seen to be the best way of classifying mobile malware. The classification system is structured on three characteristics:

Behavior: Mobile malware can be classified by the way the malware behaves, for example whether it propagates like a virus or a worm, or whether it opens backdoors for attackers, like a Trojan.

Environment: Another classification characteristic is the type of operating system that the mobile malware has been designed to infect and spread to. This also includes vulnerable applications that the malware might exploit.

The family name and variant: Some malware are variants of existing ones. This characteristic identifies whether the mobile malware is a completely new entity or has been built on some previously existing one.

2.2.1 MOBILE VIRUS FAMILIES



Figures 2.3 and 2.4 show the increase in known mobile malware. Figure 2.3 shows the variants of mobile viruses found in each month from June 2004 (when the first mobile virus was found) until June 2006, along with the cumulative count. Figure 2.4 shows the increase in the number of known mobile malware families. There are 31 families and 170 variants today. The curve is rising rapidly, so in the future we may expect far more harmful viruses.

Figure 2.3: Increase in known mobile malware variants

Figure 2.4: Increases in known mobile malware families


2.3 CURRENT THREATS


Any open operating system is vulnerable; we have seen this with all open operating systems throughout computing history. One of the most important mobile operating systems is Symbian OS. Other major open operating systems are Windows Mobile, Palm OS and Linux. The threats can be classified into:

- Harmful content such as viruses, malformed SMS, MMS or WAP pages, and malicious actively spreading applications
- Denial of service and system unavailability
- Unauthorized access to the device and to corporate networks through Trojan horses, screensavers, spyware, eavesdropping, etc.
- Unwanted disclosure of stored information: deleted, corrupted, modified or stolen user data

An example of a concrete threat is Cabir, a worm using Bluetooth that emerged in summer 2004. When installed, it activates automatically and starts looking for new Bluetooth devices in order to replicate. While doing so it empties the smartphone battery very fast. It has been detected all around the world, and there are several more advanced adaptations of the original Cabir. Another example of a threat is Skulls, a malicious Trojan that replaces the system applications with non-functional versions, disabling most functionality. With Skulls, all functions that need system applications, such as SMS and MMS messaging, web browsing and the camera, no longer work.

Why haven't we seen more of this yet? Smartphone operating systems have so far been used mainly in high-priced business phones with low production numbers. This will change. New vulnerabilities are found regularly and can be exploited quickly after discovery, which results partly from the fast development cycle of new devices. Since the rise of mobile threats in summer 2004, there has been an increasing number of new mobile malware discoveries worldwide.


2.3.1 HARM CAUSED BY MOBILE MALWARE


Current mobile malware are capable of causing the following harm to infected devices or their users:

- Causing financial loss to the user:
  - initiating unnecessary calls, or sending SMS or MMS messages
  - sending private information (such as contacts or address book information) to a predefined phone
- Spreading via Bluetooth, draining the battery
- Causing the device to work slowly or to crash
- Infecting files (attaching its code to application .sis files)
- Modifying or replacing icons or system applications
- Wiping out information (such as address books) on the infected device
- Installing bogus applications on the device
- Allowing remote control of the device

2.4 EXAMPLES
In this section, we look at examples of some important and widespread mobile malware.

2.4.1 CABIR
Cabir is the first network worm capable of spreading through Bluetooth and was first detected in June 2004. It was proof-of-concept code developed by the group 29A, intended to demonstrate how Bluetooth could be exploited to spread worms. The worm infects mobile phones running the Symbian OS; any handset running Symbian OS is potentially vulnerable to infection. Examples of such phones include the Nokia 3650, 7650 and N-Gage. The worm itself is a SIS format file called caribe.sis. Each time the infected phone is switched on, the worm scans the list of active Bluetooth connections, selects the first active connection detected and attempts to send its main file, caribe.sis, to that device. If receipt of the infected file is confirmed, the user is asked whether they wish to launch the file. This worm does not cause any real harm, since the intention was only to demonstrate how Bluetooth could be used for spreading. However, because the worm keeps scanning for active Bluetooth devices, it drains the phone's battery rapidly. Since Cabir is well documented and its code is freely available, other malicious users have used it as a basis for developing malicious code that causes real damage. Cabir has 15 different variants.

Figure 2.5: Cabir Virus infecting the Mobile Device through Bluetooth

2.4.2 COMWAR
Comwar is the second landmark in mobile malware. It is the first worm for mobile phones able to propagate via MMS, and it could potentially go global in just minutes. It also spreads over Bluetooth. It infects phones running Symbian OS Series 60. The executable worm file is packed into a Symbian archive (*.SIS) approximately 27-30 KB in size. The name of the file varies: when propagating via Bluetooth, the worm creates a random file name 8 characters long, e.g. bg82o s1.sis. Once launched, the worm searches for accessible Bluetooth devices and sends the infected .SIS archive under a random name to these devices. When the recipient confirms that the file is to be accepted, the phone becomes infected. The worm also sends itself via MMS to all contacts in the address book; the subject and text of the messages vary. Since it sends MMS to all the contacts in the address book, it is not a proof of concept: the intention is to cause financial harm by running up charges for the mobile user. Scanning for active Bluetooth devices also drains the battery.

2.4.3 CARDTRAP
Cardtrap is the first mobile virus found that is capable of infecting Windows PCs. Its most significant characteristic is that it also installs three Windows worms (Win32.Rays, Win32.Padobot.Z and Win32.Cydog.B) onto the device's memory card. Once the card is inserted into a PC, Padobot.Z will attempt to start automatically on machines running Windows via the autorun.ini file. A recent virus called Crossover (2006) spreads from Windows desktop PCs to mobile devices running Windows Mobile Pocket PC. Once installed on a Windows PC, the virus makes a copy of itself and adds a registry entry pointing to the new file so that the payload is activated each time the machine is rebooted. It then waits for an application that synchronizes Pocket PC devices with the infected Windows desktop PC. When a connection is detected, it copies itself over to the Pocket PC device, deletes all files in the My Documents directory, copies itself to the system directory and places a link to itself in the startup directory.

2.4.4 SKULLS
Skulls is a Trojan horse and thus masquerades as a useful application to convince users to install it. Its authors wrote Skulls to appear to be an application that lets users preview, select, and remove design themes for their phone screens. Hackers deliberately, and file sharers inadvertently, uploaded Skulls to several shareware sites, from which unsuspecting users have downloaded the application. Skulls targets the Nokia 7610 phone, although some other Symbian Series 60 phones can also install it. According to SophosLabs' Svajcer, Skulls makes the original Symbian binaries for everyday functions (such as file management, Bluetooth control, messaging, Web browsing, and application installation and removal) useless by replacing them with nonfunctional binaries. The phones can then only make and receive calls. Because Skulls disables Symbian applications, only phones with third-party file managers can remove the Trojan. Those using Symbian's file manager must perform a hard reset, thereby erasing all stored data. Skulls also replaces each application icon with a skull and crossbones.

Each of several Skulls variants and hybrids has a slightly different effect. For example, Skulls.D, posted to several Web discussion forums and warez sites, pretends to be a Macromedia Flash player for Symbian Series 60 devices. The variant replaces system binaries related to application uninstall and Bluetooth control with nonfunctional binaries, installs the Cabir.M worm, and disables antivirus programs and third-party file managers.

Figure 2.6: Skull-D Virus infecting the Mobile Device

CHAPTER 3

ARCHITECTURE DESIGN
In this chapter we discuss the protection and prevention mechanisms, and the virus throttling algorithm, that help reduce the spread of viruses on mobile devices.

3.1 PROTECTION AND PREVENTION MECHANISMS


3.1.2 COMMON PROTECTION AGAINST MOBILE MALWARE


Keeping the device in non-discoverable Bluetooth mode: Since leaving a Bluetooth-enabled mobile device in discoverable mode makes it vulnerable to attacks by mobile malware and hackers that exploit the documented vulnerabilities in Bluetooth, it is best to turn off the Bluetooth discovery mode on the mobile device.

Installing an anti-virus / IDS on the mobile device: Vendors such as Trend Micro sell anti-virus software and Intrusion Detection Systems (IDS) for mobile devices. Installing these can protect the mobile devices from known malware. Some vendors also sell firewalls for mobile devices. However, it is not clear whether common users would go to the extent of installing such additional software on their devices.

Installing firmware updates when they are made available: Mobile device manufacturers release updates to the firmware of their devices. These may contain patches for the vulnerabilities that are exploited by mobile malware. Upgrading to new firmware may reduce the threat of being infected by mobile malware.

Exercising caution when installing applications from untrusted sources: As in the case of PC viruses, it is best not to install applications or to download other software from untrusted sources.

Filtering out malware at the service provider: MMS messages that carry a malicious payload can be detected at the service provider based on their signatures and filtered out there.

The futuristic threats presented at the end can be equated to the metaphorical tip of the iceberg. The possibilities for attacking mobile devices are limited only by what the technology permits, so very strong measures need to be taken to protect against such attacks. The protection mechanisms can be broadly classified by the requirements of the protection systems:

System Level Security (MOSES architecture): System level security aims to make the system more secure by restricting the execution of unauthorized applications.

Network Level Security (proactive approach): Network level security aims to provide a basis for filtering out malware in transit over the network between devices.


3.2 WORKING MODEL


3.2.1 MOSES
MOSES stands for MObile SEcurity processing System and was developed by Anand Raghunathan and his team at NEC Labs. MOSES was designed to overcome the following challenges:

- The performance gap between security processing requirements and system processing capabilities.
- Limited battery life in mobile devices.
- Eliminating the possibility of various types of attacks launched against the implementation.

The MOSES project employs a novel system-level design methodology to build the hardware/software platform. The MOSES design methodology combines state-of-the-art commercial design tools with several novel domain-specific methodologies that are indispensable in deriving an optimized system architecture. Under the MOSES methodology, performing security processing on a device separate from the main processor gives a large jump in security: if the main processor is compromised, the attacker does not gain access to the stored passwords and encryption keys that would be necessary to reach further information.

Software Architecture

The software architecture for MOSES is layered and parallels the one found in network protocols. The top layer provides a generic interface that applications can use to be ported to the platform. It consists of security primitives such as key generation and encryption/decryption of a block of data, which are implemented on top of a layer of complex mathematical operations.

Hardware Architecture

One of the most important features of the MOSES architecture is the extension of the processor instruction set to include cryptographic operations. This not only increases computational speed but also reduces the power consumed by the processor.

Performance

The MOSES platform has been shown to speed up the execution of security protocols such as SSL, IPSec and WTLS. For small data transactions, the MOSES platform contributes an overall transaction speedup of around 2.18X. In the case of large transactions, MOSES achieves an overall transaction speedup of 3.05X.

3.2.2 PROACTIVE APPROACH


The crucial protection measure performed in an insecure environment is the search-and-destroy methodology, better known as the reactive approach. Under this principle, we build a database of all known virus signatures and then analyze network traffic for their presence. This approach works when network penetration is large but network speed is slow: by the time the virus reaches critical mass and begins to cause chaos, the scanners are already ready to pick it up. But in today's high-speed networks, malware reach critical mass within a few hours, and the reactive approach fails miserably. In this context, we discuss a proactive approach that is better suited to the problem. The crux of the proactive approach is to patch a client before it gets infected, or to stop a client from transferring data once it has been infected. However, the central problem of the proactive approach lies in assessing the vulnerability of a client and the infection status of the others. To solve this problem, we need to develop a group-behavior based proactive defense strategy.

The basic idea for doing so is as follows.

3.2.2.1 Behavior Vectors

A behavior vector can be defined as a collection of features that represent any client on the network. In our representation, the behavior vector is two dimensional. One parameter represents the physical information of the client device. The other represents temporal information such as network traffic and connectivity. Both can be extracted from the message headers and the message logs.


The physical information of a client consists of data such as the operating system running on the client, its version, the various applications running, the version of the firmware, etc. Since most mobile malware propagate and infect by exploiting certain known vulnerabilities in the system, having prior knowledge of the physical information of a client lets us classify the client as vulnerable or not to the infection. The second feature of the behavior vector can be calculated by the messages exchanged by the different clients and hence is a temporal feature. This consists of information such as the number of messages exchanged, the clients involved in the transaction, and the interarrival rate of the messages. This component of the behavior vector puts a limit on the number of clients that a mobile malware infection can propagate to. Thus every client in its immediate neighborhood is at the maximum risk, those farther away, a little lesser. 3.2.2.2 Behavior Clustering Once the behavior vectors are generated for all the clients based on the respective header information and the message logs, the next step is to identify the various set of clients that belong to the same cluster. The idea behind clustering is to have a limit on the number of filters to setup within the network to monitor the traffic. Once a cluster is identified, then a single monitor can be setup for the entire cluster. This is because any infection originating within the cluster will stay confined to it and not pass outside. There are a number of techniques that exist for clustering. A hierarchical graph partitioning has been used to solve this problem, although any other approach can be used. Once the clustering algorithm is executed on the behavior vector data, distinct clusters are identified. Since the number of clusters is not fed to the clustering algorithm as it is not a requirement, the algorithm is highly flexible in the number of clusters it can identify in the given graph data. 
An important deployment issue is how often the service-behavior graph should be updated, since its temporal data component is highly volatile. The answer depends on the spreading speed of the malicious code and the amount of traffic flowing in the network. We can also apply the triggered-updates concept implemented in many intrusion detection systems.


Using triggered updates, the service-behavior graph is updated whenever:
1. New vertices or edges are added to (or removed from) the last computed graph.
2. The parameters of the behavior vectors change by more than a certain threshold over their previous values.
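As an added example (not code from the report or from Bose and Shin), the following Python builds behavior vectors from a constructed client table and message log, derives the service-behavior graph from them, and implements the two triggered-update conditions above. The client data, the vulnerability map, the 50 % relative change threshold and all function names are assumptions; the clustering step itself is not included.

```python
"""Behavior vectors, service-behavior graph and triggered updates.

Added example, not code from the report or from Bose and Shin. All data below
is constructed; the vulnerability map and the change threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed header ("physical") information per client.
CLIENT_INFO = {
    "A": {"os": "Symbian", "version": "7.0s", "firmware": "3.1"},
    "B": {"os": "Symbian", "version": "7.0s", "firmware": "3.1"},
    "C": {"os": "Symbian", "version": "8.1", "firmware": "4.0"},
    "D": {"os": "WinCE", "version": "5.0", "firmware": "1.2"},
}

# Assumed: (os, version) pairs with a known, exploitable vulnerability.
VULNERABLE = {("Symbian", "7.0s")}

# Constructed message log: (timestamp in seconds, sender, recipient).
MESSAGE_LOG = [
    (0, "A", "B"), (30, "B", "A"), (45, "A", "C"),
    (120, "C", "A"), (130, "B", "C"), (200, "D", "A"),
]


@dataclass
class BehaviorVector:
    vulnerable: bool                        # physical component
    msg_count: int = 0                      # temporal component: messages seen
    peers: set = field(default_factory=set)  # temporal: clients involved
    mean_interarrival: float = 0.0          # temporal: seconds between messages


def build_vectors(client_info, log):
    """One behavior vector per client from header info and the message log."""
    vectors = {
        c: BehaviorVector(vulnerable=(i["os"], i["version"]) in VULNERABLE)
        for c, i in client_info.items()
    }
    times = defaultdict(list)
    for t, src, dst in log:
        for client, peer in ((src, dst), (dst, src)):
            vectors[client].msg_count += 1
            vectors[client].peers.add(peer)
            times[client].append(t)
    for client, ts in times.items():
        ts.sort()
        if len(ts) > 1:
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            vectors[client].mean_interarrival = sum(gaps) / len(gaps)
    return vectors


def service_behavior_graph(client_info, log):
    """Vertices are clients; an edge joins two clients that exchanged a message."""
    edges = {frozenset((src, dst)) for _, src, dst in log}
    return set(client_info), edges


def update_needed(old_graph, new_graph, old_vectors, new_vectors, threshold=0.5):
    """Triggered update: (1) the topology changed, or (2) a parameter of some
    behavior vector moved by more than `threshold` relative to its old value."""
    if old_graph != new_graph:
        return True
    for client, nv in new_vectors.items():
        ov = old_vectors.get(client)
        if ov is None or ov.vulnerable != nv.vulnerable:
            return True
        for param in ("msg_count", "mean_interarrival"):
            o, n = getattr(ov, param), getattr(nv, param)
            if o == 0:
                if n != 0:
                    return True
            elif abs(n - o) / o > threshold:
                return True
    return False


if __name__ == "__main__":
    vectors = build_vectors(CLIENT_INFO, MESSAGE_LOG)
    graph = service_behavior_graph(CLIENT_INFO, MESSAGE_LOG)
    for client, vec in vectors.items():
        print(client, vec)
    later = MESSAGE_LOG + [(260 + 10 * i, "A", "B") for i in range(5)]
    print("update needed after A's burst:",
          update_needed(graph, service_behavior_graph(CLIENT_INFO, later),
                        vectors, build_vectors(CLIENT_INFO, later)))
```

Condition (2) is evaluated per temporal parameter; a single extra message on an existing edge does not trigger a recomputation, whereas a burst that doubles a client's message count does.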

3.2.3 PROACTIVE CONTAINMENT METHODS


Once the monitors set up within a cluster determine that the traffic from a particular client exceeds a particular threshold, we need to perform proactive containment to prevent an infection, if one exists, from spreading. This is performed in two stages.

3.2.3.1 Virus Throttling Algorithm

The virus throttling algorithm is designed around the average flow of traffic in a network. When a worm tries to propagate within a network, it repeatedly sends itself to every recipient it can reach. This behavior is identified and mitigated by the virus throttling algorithm. The algorithm is needed because if a user legitimately sends a genuine message to many recipients, a direct blocking approach would block that legitimate message, producing a false positive for the proactive approach.


Figure 3.1: Virus Throttling Algorithm

The intermediate step of rate limiting introduced by the virus throttling algorithm reduces the false positive rate to a near-negligible value. The algorithm works as follows:
1. A working set of size n is maintained for every client. It holds the recipients to which the client has recently sent a message.
2. Whenever the client wants to send a new message, the recipient is matched against the working set. If the recipient is in the working set, the message is sent immediately.
3. If the recipient is not in the working set, the message is placed on a delay queue.
4. At periodic intervals, the top entry is removed from the delay queue. This recipient replaces the least recently used entry in the working set, and all messages queued for that recipient are delivered immediately.
5. If the length of the delay queue exceeds a threshold value, all further messages from the client are blocked.

3.2.3.2 Quarantine

The virus throttling algorithm also serves to weed out false positives in the classifications made by the monitors installed in the clusters. Hence we set a time threshold and a message threshold on the output of the virus throttling algorithm. If after the specified period the message rate from the sender still does not reduce, we can be confident that the client has been infected by a worm, and we quarantine that client from the network: all messages from that client are blocked. With the increasing number of attack vectors being developed and vulnerabilities being exposed, the need for advanced protective measures is rising. As a result, the protective measures proposed above have strong future value. The main aspect of both proposed schemes is that they are proactive rather than reactive.
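The following Python is an added example (not the report's or Bose and Shin's code) that implements the throttle of 3.2.3.1 together with the quarantine stage of 3.2.3.2: a per-client LRU working set, a delay queue that releases one new recipient per interval, a queue-length block threshold, and a quarantine decision when the queue stays saturated for a number of consecutive intervals. It runs two constructed traces, a legitimate user and a worm. The working-set size, the thresholds, the quarantine window and the traces are assumptions.

```python
"""Virus throttling with a delay queue, followed by quarantine.

Added example, not the report's or Bose and Shin's code. Working-set size,
block threshold, quarantine window and the two traces are assumptions.
"""
from collections import OrderedDict, deque


class Throttle:
    """Per-client rate limiter. `tick()` is called once per release interval."""

    def __init__(self, working_set_size=4, block_threshold=8, quarantine_after=3):
        self.n = working_set_size
        self.block_threshold = block_threshold
        self.quarantine_after = quarantine_after
        self.working_set = OrderedDict()   # recipient -> None, in LRU order
        self.delay_queue = deque()         # new recipients, FIFO
        self.pending = {}                  # queued recipient -> [messages]
        self.sent = []                     # (recipient, message) delivered
        self.blocked = 0
        self.saturated_ticks = 0           # consecutive ticks at/over threshold
        self.quarantined = False

    def send(self, recipient, message):
        if self.quarantined:               # 3.2.3.2: everything is dropped
            self.blocked += 1
            return "quarantined"
        if recipient in self.working_set:  # recently contacted: deliver now
            self.working_set.move_to_end(recipient)
            self.sent.append((recipient, message))
            return "sent"
        if recipient in self.pending:      # already waiting: queue behind it
            self.pending[recipient].append(message)
            return "queued"
        if len(self.delay_queue) >= self.block_threshold:
            self.blocked += 1              # queue too long: block outright
            return "blocked"
        self.delay_queue.append(recipient)
        self.pending[recipient] = [message]
        return "queued"

    def tick(self):
        """Release the oldest queued recipient; quarantine if the sender keeps
        the queue saturated for `quarantine_after` consecutive intervals."""
        if self.quarantined:
            return "quarantined"
        if len(self.delay_queue) >= self.block_threshold:
            self.saturated_ticks += 1      # rate has not come down
            if self.saturated_ticks >= self.quarantine_after:
                self.quarantined = True
                return "quarantined"
        else:
            self.saturated_ticks = 0
        if not self.delay_queue:
            return "idle"
        recipient = self.delay_queue.popleft()
        if len(self.working_set) >= self.n:
            self.working_set.popitem(last=False)   # evict least recently used
        self.working_set[recipient] = None
        for message in self.pending.pop(recipient):
            self.sent.append((recipient, message))
        return "released"

    def stats(self):
        return {"sent": len(self.sent), "blocked": self.blocked,
                "queued": len(self.delay_queue), "quarantined": self.quarantined}


def run(throttle, events):
    """events: ("send", recipient, message) or ("tick",)."""
    for event in events:
        if event[0] == "send":
            throttle.send(event[1], event[2])
        else:
            throttle.tick()
    return throttle


def legitimate_user():
    """Constructed trace: a few contacts, messaged repeatedly."""
    events = [("send", r, "hi") for r in ("mom", "bob", "mom", "alice", "bob")]
    events += [("tick",)] * 3
    events += [("send", r, "hi") for r in ("mom", "bob", "alice")]
    return run(Throttle(), events)


def worm():
    """Constructed trace: bursts of 30 messages, each to a new recipient."""
    events = []
    for burst in range(3):
        events += [("send", f"v{burst * 30 + i}", "worm.sis") for i in range(30)]
        events.append(("tick",))
    events += [("tick",), ("send", "v999", "worm.sis")]
    return run(Throttle(), events)


if __name__ == "__main__":
    print("legitimate:", legitimate_user().stats())
    print("worm:      ", worm().stats())
```

The legitimate trace is delayed by a few intervals but loses nothing: every message is eventually delivered and later messages to the same contacts go out immediately. The worm drains one recipient per interval, has most of its traffic blocked at the queue threshold, and is quarantined after three saturated intervals.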
Since the spread time of mobile malware has dropped dramatically, malware can reach critical mass before any proper reactive technique can be designed to combat it. Hence proactive measures are the only realistic option, as they can curb the malware's propagation before it is even detected. The MOSES system has a strong architectural base. Separating the crypto engines from the main mobile processor provides a fence within which all the secure data is held. As a result, even if the main processor is compromised, the attacker cannot decipher the secure data held within the fence. MOSES also uses secure connections for all communications, so eavesdropping on them by bugging applications installed on the phone is not possible.

I found that the work done on proactive security in mobile networks is highly needed in view of current and forthcoming network threats. The ideas of behavior vectors and behavior clustering proposed by Bose and Shin [1] have a solid grounding in data mining. As a result, it is not possible for a worm to propagate at a high rate without being detected and effectively quarantined. One disadvantage I found with this approach is that the mobile service provider needs to carefully monitor and update all the parameters involved. This requires significant effort and also changes to the current underlying technology, so most mobile service providers are hesitant to adopt this protection measure. But in due course, with faster network speeds and higher network load, the mobile service provider will face threats from infected mobile devices; we show one such example in Section 5.2, Futuristic Threats. In such a scenario, the service provider will have to implement protective measures to protect the network from such attacks.

CHAPTER 4

IMPLEMENTATION
4.1 RISK SCENARIO
An MMS virus scenario in a 5 million subscriber network:
09:47 An unknown virus starts spreading.
14:58 Already 5,000 subscribers are infected and are unable to make calls.
15:10 The customer service call centre cannot accept any more calls because it is overloaded.
15:42 20,000 subscribers cannot make calls anymore.
19:53 Engineers find that the disruption is due to some strange traffic.
20:00 80,000 subscribers cannot make calls anymore.
21:04 Engineers find the pattern of a virus.
21:36 90,000 subscribers are infected. The GPRS/WCDMA network is so congested that infections slow down anyway.
21:40 The engineers decide to shut down some of the network equipment.
21:41 The infection stops. Subscribers bring their phones to service centers. Some of the phones can be cleaned, some cannot. Many subscribers have been charged for virus traffic. Many unhappy subscribers move to another operator.

4.2 A REVISED RISK SCENARIO


An MMS virus scenario in a 5 million subscriber network:
09:47 An unknown virus starts spreading.
10:36 The protection mechanisms notice some suspect traffic. The engineers are informed.
10:53 140 subscribers are infected.
11:02 The engineers notice that the infection is growing more quickly.
11:09 The infection stops. 236 subscribers are infected.
11:11 Engineers collect the IMSI/MSISDN of the infected subscribers and deactivate their GPRS/WCDMA subscriptions. The call center asks them to go to a service center for phone repair and service reactivation.
11:45 Network equipment is plugged in. Engineers carefully monitor the virus traffic to make sure the infection is contained.
The result is minimal impact on service and minimized revenue loss to both customers and the network provider.


CHAPTER 5

CONCLUSION
5.1 CONCLUSION:
However, the reality is that the real threat from viruses just doesn't exist today. Mobile phones shouldn't experience any major security issues for several years, for the same reason that we don't see major virus threats in the computer world for any platform other than Windows: there needs to be a critical mass of a given population for the threat to be real. Today there are too many competing phone technologies, operating systems and architectures for there to be any clear winner. If the same were true in the computer world, there would be far fewer viruses than there are today.


Mobile devices are becoming smarter and more powerful. Once in widespread use, such devices will herald the growth of using mobile devices for sensitive tasks such as storing sensitive data and performing e-banking transactions. Recent reports show that sufficient vulnerabilities exist in these devices to be exploited to harm the device, reveal sensitive information or use the device in a malicious way. It is therefore easy to see that in the near future the threat posed by mobile worms and viruses could cause considerable harm to the users of such devices. Cellphones have been with us for a long time, but in a way the wireless industry feels like the computer industry did in the 1980s: many proprietary systems that interact to some extent, without any one clear technological winner. With at least 30 mobile virus variants today for the Symbian OS alone, many people will be surprised at how easy it will be to carry malcode around clipped to our belts in the years to come. The best reason why mobile viruses won't become an issue for some time is the wide array of different phone models, network technologies and embedded operating systems. In short, we still have a choice.

5.2 FUTURISTIC THREATS


Mobile malware as it exists today does not present a significant risk to the average mobile user, mainly because of the lack of potent mobile malware in the wild. I could determine the following factors that make current mobile malware less harmful. Mobile devices did not store any critical information, so leaking or erasing it was not lucrative to mobile malware developers. Most mobile devices in use today do not support programmable capabilities, or for that matter processors capable of running third-party applications. As a result, even though the penetration of mobile devices is high, the population of devices that can host this mobile malware is not very large.


Based on our study of the current technologies prevalent in the mobile domain, the vulnerabilities present in them and the different possibilities of attack, we can briefly categorize the futuristic threats as follows.

5.2.1 LOCATION TRACKING


Services already exist for tracking mobile users. By using one of the many mobile phone location tracking services aimed at businesses or concerned parents, plus some trickery, it is possible to get almost anyone's mobile phone position without their agreement. All that is required is their mobile phone number and carrier. Over the past year a number of sites have appeared offering web-based mobile phone tracking services. To use them you purchase a monthly subscription or a set number of credits, and enter the target's phone number. The target then receives an SMS message asking them to confirm that they consent to the tracking. After the target replies, the tracker can request their position online and receive a street address, post code and map of their location with an accuracy of around 250 meters.

5.2.2 BUGGING
A bug is a tiny transmitter that can covertly transmit video and audio data to any nearby receiver tuned to it. A mobile bug is an application that takes the microphone audio and the camera video and streams them over a Bluetooth connection. If an attacker designs a mobile trojan and covertly installs it on a mobile device, all incoming and outgoing voice calls can be monitored by that attacker. The trojan can also be programmed to record this data and send it over a GPRS connection. This is a serious invasion of privacy as well as a security risk: leakage of video data can result in private information being made public, and because the video is sent over GPRS the user can be tracked anywhere, including to sensitive locations.

5.2.3 LEAKAGE OF CONFIDENTIAL DATA


Mobile phones are increasingly being used for making online payments and managing e-accounts. As a result, a large amount of confidential data gets stored on the mobile. This includes account information, account balances, passwords, credit card numbers, transactions, etc. Mobile phones also need authorization information, stored in the form of public and private keys. Since this data is easily accessible to any application, all of this sensitive and highly confidential information can easily be leaked by a trojan installed on the system.

5.2.4 DDOS ATTACK


One of the most serious effects of having a multitude of mobile devices under a single MSP is the threat of a DDoS attack. A denial-of-service vulnerability existed in the Nokia GGSN (CVE-2003-0368 [9]). It could be exploited remotely by an attacker sending a crafted TCP packet containing the value 0xFF; the GGSN did not handle it, went into kernel panic and rebooted. As a result, all mobile devices connected to that GGSN would lose connectivity. This is a very serious vulnerability and one that can be attacked very easily. The DDoS attack can be launched in two stages. In stage one, the trojan installs itself on as many mobile devices as possible, creating a zombie army. Then, at a predetermined date and time, all of them start to bombard the GGSN with these malformed packets, resulting in repeated GGSN reboots. Compared to DDoS attacks on websites, which hinder access only to those sites, a DDoS attack on a mobile service provider results in the total disconnection of all clients under that service provider.

APPENDIX
GGSN - Gateway GPRS Support Node
GPRS - General Packet Radio Service
IMSI - International Mobile Subscriber Identity
MMS - Multimedia Message Service
MSISDN - Mobile Station ISDN Number
MOSES - MObile SEcurity processing System
IDS - Intrusion Detection System
WAP - Wireless Application Protocol
SMIL - Synchronized Multimedia Integration Language
PDA - Personal Digital Assistant

BIBLIOGRAPHY
[1] A. Bose and K. G. Shin. Proactive Security for Mobile Messaging Networks. WiSe '06, September 29, 2006.
[2] A. Gostev, Kaspersky Labs. (October 2006). Mobile Malware Evolution: An Overview, Part 1. [Online]. Available: http://www.viruslist.com/en/analysis?pubid=200119916
[3] A. Gostev, Kaspersky Labs. (October 2006). Mobile Malware Evolution: An Overview, Part 2. [Online]. Available: http://www.viruslist.com/en/analysis?pubid=201225789
[4] A. Gostev, Kaspersky Labs. (October 2006). Kaspersky Security Bulletin, January - June 2006: Malicious programs for mobile devices. [Online]. Available: http://www.viruslist.com/en/analysis?pubid=198981193
[5] C. Mulliner. Advanced Attacks Against PocketPC Phones. Defcon 14, August 2006.
[6] S. Ravi. (October 2006). Embedded System Security. [Online]. Available: http://www.princeton.edu/~sravi/security.htm
[7] MobileActive.org. (November 2006). Security Guide for Mobile Activists: Checklist and Tips. [Online]. Available: http://mobileactive.org/wiki/index.php?title=Security_Guide_for_Mobile_Activists:_Checklist_and_Tips
[8] Trend Micro. (October 2006). Trend Micro Mobile Security. [Online]. Available: http://www.trendmicro.com/en/products/mobile/tmms/evaluate/overview.htm
[9] CVE-2003-0368. (October 2006). Common Vulnerabilities and Exposures. [Online]. Available: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0368

