Can You Infect Me Now? Malware Propagation in Mobile Phone Networks

Chris Fleizach (1), Michael Liljenstam (3), Per Johansson (2), Geoffrey M. Voelker (1) and András Méhes (3)

WORM'07, November 2nd, 2007



Introduction

Motivation

• Over 1.8 billion mobile subscriptions as of 2005
• Phones are becoming general processing platforms.
• In smartphones, the potential exists for malware developers to exploit the types of vulnerabilities that have long plagued Internet hosts
  – Mobile phone spam
  – Denial of service attacks
  – Mobile botnets (mobots)
• Ultimately, loss of service, which leads to loss of revenue
• Mobile phones will become a highly attractive target for criminals.

How will it happen?

• Mobile phones have multiple communication vectors:
  – Bluetooth
  – SMS and MMS
  – Voice and VoIP
  – Internet
• However, these channels are constricted by network topologies, contact graphs and bandwidth limitations
  – We cannot blindly apply the lessons learned from Internet worms.

Goals

• Explore the range of malware propagation on mobile phone networks
  – Characterize its speed and severity
  – Understand how network provisioning impacts propagation
  – Understand how malware propagation impacts the network
  – Highlight the implications of network-based defenses against malware

Methodology

• To accomplish these goals, we:
  – Created a realistic network topology generator (RACoON)
  – Modeled address books of cell phone users
  – Created an event-driven simulator:
    • Model two attack vectors: Voice-over IP and MMS
    • Investigate ways to speed up the spread of malware
    • Examine network-based defenses

Universal Mobile Telecommunications System

Network Elements
• Node B
• RNC (Radio Network Controller)
• SGSN (Serving GPRS Support Node)
• GGSN (Gateway GPRS Support Node)
• MMS server

We modeled a single carrier's UMTS network.

Modeling mobile phone networks

Modeling mobile phone networks

• Networks are planned and provisioned using:
  – Population data
  – Land use data
  – Previous cell phone deployments
  – Radio effects
• We used U.S. census data to create a square grid of population densities to inform our placement of UMTS elements
  – Used a 1x1 sq. mi. resolution
  – Averaged population for regions based on county land area and total population

Population Data

(Figure: population density grid; areas of high population density are darker)

Generating the network topology

• The Radio Access and Core Operator Network topology Generator (RACoON)
  – Uses population data as input to capture regional population differences
  – Divides the area into uniform grid cells
  – Uses a bottom-up placement strategy to place radio cells and Node Bs
  – Adds fixed network nodes that obey capacity constraints

A generated network

(Figure: generated topology for a 200x200 sq. mi. grid of the northwest US)

Highly populated regions correspond to regions that need more SGSNs.
SGSNs are connected with the Waxman model, a distance-based random topology.

Topology Specifics

• The topology we used in our simulation was based on the Boston metropolitan area (northeast U.S.)
  – 100x100 sq. mi. grid
  – 7 million people (but scaled down based on 78% cell phone penetration statistics)
  – 9,616 radio cells
  – 49 RNCs, 49 SGSNs
  – 1 MMS server

Modeling social networks

• Existing viruses in cell phones (e.g. Commwarrior) use the entries in the address book to spread
• The implication is that there is an underlying social network topology
  – What is the degree distribution for address books?
  – How are nodes connected?

Modeling Social Topology Networks

Degree distributions

• Many real-world phenomena are modeled by scale-free networks (Internet AS topology, links between movie actors, file sizes, …)
• Zou et al. said email lists were power-law [1]
• Newman et al. said email address books were scale-free [2]
• Liben-Nowell said connections in a social network community (LiveJournal.com) were log-normal [3]

[1] Zou, Towsley, Gong. "Email worm modeling and defense"
[2] Newman, Forrest, Balthrop. "Email networks and the spread of computer viruses"
[3] Liben-Nowell. "An algorithmic approach to social networks"

Degree distributions

• But these models imply that most people have very few connections.
• Intuitively, this seems incorrect.
• We surveyed cell phone owners at UCSD CSE and Ericsson
• The distribution was more like a stretched Gaussian.

Erlang Distribution

• In fact we found that the data fit an Erlang distribution
• Erlang is a shifted Gaussian

How are the nodes connected?

• In power law distributions, some nodes act as "super-hubs", while most have very few connections
• There is a preference for less popular nodes to attach to more popular nodes (creating more inbound connections)
• Intuitively, this seems unlikely in the cell phone domain

Node Attachment

• Attachment instead can be influenced by geography and population
• Liben-Nowell found the probability that one person was connected to another was inversely proportional to the number of people between them

$P(x,y) \propto \frac{1}{D(x,y)}$

P(x,y) = probability person x is a friend with person y
D(x,y) = number of people between person x and person y
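The Erlang-distributed address-book sizes and the rank-based attachment rule above, as an added example that is not code from the talk's RACoON or simulator: it places a constructed population uniformly in a square (the talk uses census density grids), draws each book size from an Erlang distribution, and attaches contacts with probability proportional to 1/(D(x,y)+1). The +1 offset, the uniform placement and all parameter values are assumptions.

```python
import math
import random

def make_population(n, side, rng):
    # Constructed sample: n people placed uniformly in a side x side mile square.
    # The talk derives placement from census density grids; uniform is a simplification.
    return [(rng.uniform(0, side), rng.uniform(0, side)) for _ in range(n)]

def erlang(k, lam, rng):
    # Erlang(k, lam) is the sum of k independent exponentials with rate lam (mean k/lam).
    return sum(rng.expovariate(lam) for _ in range(k))

def address_book_sizes(n, k, lam, rng):
    # Book sizes are rounded Erlang draws; every phone keeps at least one contact.
    return [max(1, round(erlang(k, lam, rng))) for _ in range(n)]

def rank_order(positions, x):
    # Everyone except x, nearest first: entry r has exactly r people closer to x, so D(x, ranked[r]) = r.
    px, py = positions[x]
    return sorted((z for z in range(len(positions)) if z != x),
                  key=lambda z: math.hypot(positions[z][0] - px, positions[z][1] - py))

def build_address_books(positions, sizes, rng):
    # Rank-based attachment: x adds y with probability proportional to 1 / (D(x, y) + 1).
    # The +1 keeps the nearest neighbour (D = 0) finite; that offset is an assumption.
    books = []
    for x in range(len(positions)):
        ranked = rank_order(positions, x)
        weights = [1.0 / (r + 1) for r in range(len(ranked))]
        wanted = min(sizes[x], len(ranked))
        chosen = set()
        while len(chosen) < wanted:       # weighted draw without replacement
            chosen.add(rng.choices(ranked, weights)[0])
        books.append(sorted(chosen))
    return books

def near_fraction(positions, books, top=0.1):
    # Share of all contacts that fall within the nearest `top` fraction of people by rank.
    # Uniform random attachment would score about `top`; locality pushes it far higher.
    cutoff = max(1, int(top * (len(positions) - 1)))
    near = total = 0
    for x, book in enumerate(books):
        nearest = set(rank_order(positions, x)[:cutoff])
        near += sum(1 for y in book if y in nearest)
        total += len(book)
    return near / total

if __name__ == "__main__":
    rng = random.Random(7)
    pos = make_population(200, 10.0, rng)
    sizes = address_book_sizes(200, 2, 0.2, rng)   # mean book size 10
    books = build_address_books(pos, sizes, rng)
    print("mean book size:", sum(map(len, books)) / len(books))
    print("contacts among nearest 10%:", round(near_fraction(pos, books), 2))
```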

Experiments

• We studied two scenarios with our modeling techniques:
  – Voice-over IP
  – MMS
• Measured the percentage of infected phones over a 12 hour period
• The malware contacts numbers from the address book until completed, and then randomly dials phone numbers

Experimental Results

Voice-over IP Attack

• A Voice-over IP exploit would subvert one of the stacks handling packetized voice data.
• Infecting another phone implies that an end-to-end connection can be made.
• The bandwidth used to send the payload is the maximum available bandwidth for all the paths between the two phones

Voice over IP Results

Voice over IP

Not a standard S-curve infection
- With complete address books, infection reaches 90% after 4 hours
- With Erlang-distributed address books, infection reaches 90% at 12 hours
But in log-scale, the "S" curve returns

Congestion in VoIP scenario

(Plot: average congestion across all elements)

Major bottleneck is at the RNC -> SGSN link.
- RNCs have too little outbound bandwidth
Congestion also decreases over time
- Phones finish enumerating their contacts, start randomly dialing

MMS Scenario

• MMS-based malware infects a phone by being read by a victim
• The MMS server stores the message until the victim requests it
• The MMS server in our simulations had 100 message/s capacity for sending and receiving.

Wait time before a user retrieves the MMS message: modeled as a mixture of Gaussians, centered at 20 seconds and 45 minutes

MMS Results

MMS Scenario

Rate of infection significantly different from VoIP
Primary constraint is the 100 message/s limit of the MMS server

Engineering malware for speed

• A clever attacker can use knowledge about the network to exacerbate the spread of malware
• We look at various ways that malware creators may try to speed up their worms:
  – Transferring contacts
  – Avoiding congestion
  – Using out of band channels

Speedy Malware

Combining Strategies

• Transferring contacts and avoiding congestion can be very effective
• Infection reaches 90% rate 4x faster than the standard scenario

Speeding up MMS

Use an out-of-band channel (Internet) to coordinate. Malware can quickly build a global address book.

The infection rate using an Internet server reaches 48 infections/s (nearly optimal)
Standard malware only reaches 35 infections/s

Defenses

• Network operators are in a better position than the Internet community
• Since the infrastructure is centrally managed and owned, defenses can be inserted at critical points to affect the spread
• However, the fact that the end nodes (phones) can be hard to disinfect introduces challenges
• We examined a few defensive scenarios:
  – Blacklisting
  – Rate limiting
  – Filtering

Removing the infected reduces congestion!
Can be effective for MMS. Possible, but difficult, for VoIP

Conclusion

• Communications-based worms can severely disrupt service and spread quickly if engineered correctly.
• Defenses need to be applied early and with extreme prejudice to stop an outbreak
• Still much work to be done in the area.
  – Our model is very coarse. It could use other sources of data to inform modeling.

Questions and Answers

Voice over IP infections

(Plot: does the size of the address book affect when a phone is infected?)

Transferring Contacts

• Advanced malware could divide address books between infected phones
• This strategy would approximate a "complete" address book, while dividing work

Avoiding congestion

• The real bottleneck is bandwidth.
• If malware can recognize that its links are congested and back off, it will allow other phones to complete their connections

MMS and Users

• Almost all cell phone malware to date has relied on user intervention
• We model the spread when 25%, 50%, 75% and 100% of the population intervene to cause an infection to occur

MMS and Capacity

• As MMS usage increases, operators will naturally increase capacity.
• We look at what happens when the MMS server can handle 2x and 5x the current capacity (with only one server)
• Bandwidth starts to affect spread more than capacity constraints

Blacklisting

Blacklisting would use some heuristic to identify infected phones and then block their connectivity.
Even aggressive blacklisting, done early, may still not be effective

(Plot: blacklisting scenarios compared against standard VoIP malware)

Rate limiting

• A network operator could try to limit how many calls or messages could be sent within a time period
• This can have the adverse effect of reducing overall congestion

(Plot: the standard malware curve is occluded by the rate limiting scenario)
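The MMS scenario, the capacity increase and the rate-limiting defense above, as one added example that is not the talk's event-driven simulator: a one-second-step model in which every infected phone messages its address book through a single MMS server of fixed capacity, recipients open messages after the two-mode retrieval delay, only a fraction of users intervene, and an operator may cap how many messages each phone submits per second. The constructed contact lists, the mixture weights and spreads, the one-unit-per-message capacity accounting and all parameter values are assumptions.

```python
import heapq
import random
from collections import deque

def retrieval_delay(rng):
    # Seconds until the recipient opens the MMS: the talk models this as a mixture of
    # Gaussians centred at 20 s and 45 min. Equal weights and the spreads are assumptions.
    if rng.random() < 0.5:
        return max(1.0, rng.gauss(20.0, 5.0))
    return max(1.0, rng.gauss(45.0 * 60, 10.0 * 60))

def simulate_mms(n, book_size, server_cap, horizon_s, seed, rate_limit=None, p_open=1.0):
    """One-second-step model of an MMS worm behind a single MMS server.
    server_cap: messages the server accepts per second (1 unit per message, assumption).
    rate_limit: per-phone cap on messages submitted per second (None = no operator limit).
    p_open: share of users who open the message and so trigger the infection.
    Returns (cumulative infected count per second, peak new infections in a second)."""
    rng = random.Random(seed)
    # Constructed contact lists: book_size random contacts per phone, never itself.
    books = [[c for c in rng.sample(range(n), book_size + 1) if c != i][:book_size]
             for i in range(n)]
    infected = [False] * n
    infected[0] = True
    pending = {0: deque(books[0])}   # infected phone -> contacts not yet messaged
    in_flight = []                   # min-heap of (time the victim opens it, victim)
    counts, total = [], 1
    for t in range(horizon_s):
        budget = server_cap          # server capacity left in this second
        for phone in list(pending):
            q = pending[phone]
            allowed = len(q) if rate_limit is None else min(len(q), rate_limit)
            while allowed > 0 and budget > 0:
                heapq.heappush(in_flight, (t + retrieval_delay(rng), q.popleft()))
                allowed -= 1
                budget -= 1
            if not q:
                del pending[phone]
        while in_flight and in_flight[0][0] <= t:   # messages opened this second
            _, victim = heapq.heappop(in_flight)
            if not infected[victim] and rng.random() < p_open:
                infected[victim] = True
                total += 1
                pending[victim] = deque(books[victim])
        counts.append(total)
    peak = max((counts[i] - counts[i - 1] for i in range(1, len(counts))), default=0)
    return counts, peak

if __name__ == "__main__":
    for cap in (100, 200, 500):      # the talk's 1x, 2x and 5x server capacity
        c, peak = simulate_mms(2000, 10, cap, 120, seed=3)
        print(f"cap={cap} msg/s: infected after 120 s = {c[-1]}, peak = {peak}/s")
    c, peak = simulate_mms(2000, 10, 100, 120, seed=3, rate_limit=1)
    print(f"rate limit 1 msg/s per phone: infected after 120 s = {c[-1]}, peak = {peak}/s")
```

Once the server saturates, the sustained infection rate is bounded by its capacity, so raising capacity speeds the spread while a per-phone rate limit mostly spreads the same submissions over more seconds.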