>> Okay. Without any further ado, we have a short talk, a 20-minute talk, Jaime Sanchez
talking about building an Android IDS on the network level. Jaime, take it away.
>> JAIME SANCHEZ: Hello. My name is Jaime Sanchez. I'm going to talk about building
an Android IDS on a network level. I have worked in security for about ten years. I have worked for international
companies, especially as an advisor. In my free time, I enjoy doing research on security.
And I work as an independent consultant. I'm from Spain.
I have talked at other conferences, in Spain, like RootedCON and Nuit du Hack.
I don't know what happened. Last night was my first time in Vegas. Today I woke up, I
was with two strippers. No, don't laugh. I know the reason for this. Just blame aliens.
I'm sure they forced me to drink. I'm from Spain. I don't like partying.
(Laughter).
>> AUDIENCE MEMBER: Right!
>> JAIME SANCHEZ: You know us. We have 20 minutes before I get with my lawyers to get
divorced. So let's get ‑‑ (Laughter).
So let's get down to business. The reason for this talk is Android has
great success. Being popular is not always good. Because as it grows, so do the attackers.
There are over 100 million Android devices. That was from just last year, and we have a
market share of nearly 50%, and there are several techniques that are used to detect
malware and do attacks on mobile phones. I haven't seen any open source tool to detect
and create patterns to look at these kinds of attacks.
So in the last years, we have seen several exploits like the USSD exploit, several
vulnerabilities from WebKit and now there's a Meterpreter for this.
I took my mobile and my other mobile phone and I made a VPN tunnel with my computer.
So I was trying to analyze all the traffic passing through my device. I launched this
node on my computer to detect suspicious traffic and I could also use tools like TCP RAM. I
would make all the analysis on the forensics as I could. Well, this type of IPS sucks,
man. I have several problems because I have to take the traffic from my ‑‑ from
my mobile phone to my computer, and that's a waste of bandwidth. I couldn't act like an IPS.
I could detect all the attacks. I could take all the malware, but that was just after it
happened. So that makes no sense for me. There are a lot of signatures for Snort. There
are signatures for other things but they are not associated with Android. What's important
is that we don't have any real notification for the user. So the user doesn't even know
if an attack is happening or it is infected by malware or anything.
So I continued with my life. I made OSfooler, it is for active fingerprinting and it takes
advantage of NFQUEUE, and that's when I came up with an idea on how to solve this problem. With
this tool, I was able to modify in real time all the traffic that was passing through my
computer. So I found a problem, that is, the packets I
want to capture, they are in kernel space. So the kernel distinction on the device is
right inside the kernel space and I couldn't take the packets to modify in real time before
the computer has it. I have to work in user space. So I have my own virtual memory and
I have no other option. So for this approach to work, let me show
you a little bit of the ‑‑ of the travel of packets from the network card to the application.
I call it How I Met Your Packets. (Laughter).
So the first thing, when the ‑‑ when the kernel takes a packet, put inside the
process, the first one is taking directly from the network and put inside a buffer and
then it goes with the software or hardware IRQ, it calls the CPU letting it know there's
a new packet, but the special thing here is before it gets processed, we have to pass
through the chains of iptables. I'm sure you ‑‑ everyone knows the typical target
destination, but here ‑‑ here's the special thing I found to make my ideas in my tools.
Just after iptables, it gets through the IP layer and it checks the headers and
this puts it into the kernel and the corresponding socket.
So we have several targets for iptables. You know, you can accept the packet, you can drop
the packet. You can let the remote computer know that you have dropped a packet, but there's
a special one, NFQUEUE, that sends packets from kernel space to user space.
So a little bit of theory is that this queue delegates the decision from user space to
kernel space. So in user space, you must have a listener that takes every packet.
That's because you have to issue a verdict for each packet. You have to accept it.
You can drop it, but you can modify it in real time before it gets into the TCP/IP stack.
You have to be very fast because if the queue gets full, all the packets that you receive
will be dropped. So in summary, I'm capable of processing
all incoming and all outgoing traffic inside of my device. I made my tool. I thought I
was able to make a tool like this. If I'm able to issue a verdict for every packet,
maybe I'm not only acting like an IDS. I'm acting like an IPS too.
So the release of my tool was and then I moved to C and then to Python and C again.
And then I got to Android IDS. This Android IDS is the first approach to create open source
software that is a network IDS and a network IPS that does real-time traffic analysis
and looks at the Internet protocol. I just say this like protocol searching, or protocol
analysis, content matching and content searching. It was ‑‑ it would be great if you were
able to hook into the device and work at this, because you could reduce the amount of false
positives. But there are some problems finding the ‑‑ the address of the table. There
is ‑‑ there is ‑‑ there are differences between the different versions of the Android
kernel. So this is something I have to work on.
So the architecture should be a sensor and a server. The sensor is inside of our Android
mobile device and runs with no human interaction. It is responsible for analyzing traffic.
It should send some push message to the mobile device so the ‑‑ the user can know if
it's ‑‑ if it's under attack or it's malware. So I do this with an application
you will see that's called Notify My Android, with the IP and real-time notifications.
So it reports through the logging server if you want. You can do a device log and
you can create a VPN tunnel and do some custom reactive actions like dropping the
packet and adding new rules to iptables or running a script, as we will see.
And very important, it should be minimal overhead to the device.
On the other side, we'll find the ‑‑ we'll find the server. The server is the one
responsible for taking all the traffic. It should send the signatures, the updated signatures,
to the device and store the events in the database. Another feature is that we can do
the statistical analysis of the packets in the server instead of in the mobile device, because
of the power of the computer, and we could use any SIEM or whatever you want to add IP
reputation and correlation for the attacks. So the first thing I have to do is protocol
analysis. As in my day-to-day. So the packets, you know that packets don't conform to standards
and some are malformed. These kinds of packets you can find in service attacks, in worms
and viruses, and several of them have several anomalies because of programming with raw
sockets. So as an example, you can see now that there
is a TCP/IP packet. It has several flags activated and this kind of packet belongs to a network
scanner and should be dropped and it should be reported to the ‑‑ to the server.
So, as I told you, I have a tool, it was called OSfooler. It was for active and passive fingerprinting.
So I had to port all of my code because my tool was working okay. So I was trying to
detect and drop packets from well-known tools. In this case, Nmap sends 16 probes, TCP/IP
and ICMP. And also you have how it gets ‑‑ how it
detects the attack. In this case, you are seeing that we are connected through ‑‑
to the mobile. We have to have the ‑‑ the device rooted because we need access to
iptables and in this case, we are launching the IDS. It's in logging mode.
You can see that it's logging almost every packet that has come to the mobile device
and as you see, when it finished, Nmap has detected that it has like a Linux box,
2.6 or 3.0. In this case, we have only logged all the attacks. It has a notification. It's
disabled to ‑‑ not to stop the demo, and in this case, what we are going to do
is to use the IDS to fool this kind of fingerprinting. We have to activate it and it's in an Android
mode. So every packet has been dropped and reported to the central server and it's sending
full packets to the attacker. You have seen now it's on a telephone. It's
based on Linux 2.4, but it works with any other signature. I have to work on the ‑‑
on this release. And now you can see that through my Android, you have the two alerts.
One is for logging the scan and the second one is that we have the IDS in remote and
it's in these scans. The next thing I have to take care of is pattern
matching. I don't work for the NSA, so I have to work for myself to look at the traffic
and look for a sequence of bytes inside almost every packet. This is a problem because some
of the ‑‑ some of the attacks are related to a well-known port and if we have to inspect
almost every packet, we can have some false positives. This can be done by using a full
state packet matching. I'm still working on it too. I want to search for a pattern through
very ‑‑ through several packets and it's the only way to make it work.
So another thing I had to deal with was the signatures. There are some signatures from
Emerging Threats for Android, and I had to run a script to convert them from Snort
to our format. In this case, it only covers Snort rules. We can only search for a specific
pattern, for a specific string. We should work with preprocessors and isolate the flow, but
I'm still working on it. Some of the things, the exploits we have seen,
is the USSD code. The USSD code is a code that is entered into your phone to perform
some actions, and it's used by the network providers to give the users some access
like call forwarding and any of those functions. It's very simple. It links the browser to
the phone application. That means that when you get into the web application and you have
this code, the phone without human interaction will show you the telephone application.
So this exploit was published one year or so ago and we have several web signatures
and we can detect it. In this case, I have ‑‑ you have to detect it, our exploit, and the Android
browser mode crash. You can detect the payloads. You can detect almost everything that you
want. The last thing I wanted to deal with was
the malware. There is a lot of malware for Android. Almost every malware has a pattern.
I search in this case, the MSN. You can go from here. And when you get it downloaded it
connects to the command and control server. You can clarify the string that it's using
to connect to the remote server and the string to find the packets is the RQ.php. We could
just do those proofs. If we have the pattern the malware is using,
we can detect almost every malware we have, and not only detecting it. We can drop all
of the traffic that it's sending. On the other side, we have Meterpreter,
I think you know, it's an extensible payload for Metasploit. It has some features like
command history, and tab completion and some channels, some modes. Now there's an Android
version. What I have done is creating a package for Android, installing it inside of my own system.
And tried to detect all the traffic that it's having.
So the process is the same. We have to get inside our Android device. We have to be root
and we should launch the script. In this video, we can show how the software was installed, but
there are several methods for assigning this kind of malware and it will only have to take a
listening socket for Metasploit and connect it back from the ‑‑ from the Android
device. So now we are waiting until the socket gets
opened. And when it does, what we are going to see is just connect and see whether we
can detect all the traffic that's passing. So just at the bottom, we have found it. We
can see that there are several commands that it sends from Meterpreter to get the system
information and so on, and we have several commands. We are running it one by one and when you
recall, the channel is very easy to see which command is being executed. The fun thing is
I could have done a personal consult now. You can use some kind of honeypot because
you are able to modify the packet in real time. If you get infected, you can fool the attacker
too. You can show whatever directory you want. You can send it pictures when he's asking
for the webcam list or you can send it any audio file when it's trying to attach to the
microphone. In this case, you see it's very simple. You have ‑‑ not only are we going
to log this, we are able to drop the packet too. In this case I'm not going to drop all
this session. You see that it's working and what I want to do is only drop the packets
related with the webcam. So now you can see that there is no way to
access the webcam and the IDS is blocking all the traffic.
So with this, that's the way I found to create an IDS. You don't have to depend on Snort
or the commercial appliance that costs $20,000. You can do it on your own and the only thing
you have to work on is having a great signature database to work with this, because Android
devices are the next target for attackers. So that's it.
(Applause). Thank you.
>> This is this guy's first time speaking at DEF CON. How did he do?
(Applause)
>> Good job.