Pocket-Sized Badness: Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game

Presented at Black Hat Europe 2016, Nov. 3, 2016, 10 a.m. (60 minutes).

While we have grown accustomed to stealthy malware, written specifically to gain and maintain control of victim machines in order to abuse their resources, ransomware really comes as a "plot twist!" After 10+ years of stealthy malware, spread mainly for building botnets and stealing information, for the second time we are witnessing a growth of disruptive malware and an interest in direct and fast profit. Ransomware is a particularly striking example of disruptive malware, both on mobile and desktop targets: while traditional mass malware must fly under the radar to fulfill its goals, a ransomware attack that goes unnoticed has failed miserably. It must show up to inform and frighten the victim! As a result, the human psychological response to the attack plays a significant role in the success of ransomware schemes. And, given the remarkable revenue, the scheme seems to be working fairly well.

This talk will describe the technical impact of disruptive malware and its game-changing approach, which made us (at least) rethink our incident-response plans. We will focus on mobile ransomware as a representative, extreme case study. Although mobile ransomware has received little study so far, we are currently tracking 10 distinct families and have collected tens of thousands of distinct samples in three months. In this talk, we will go through the most notorious families such as Koler, SLocker, and Svpeng (and mention the other notable ones), overviewing their social-engineering tricks and how they are technically implemented. This will include, for instance, how an app can effectively lock a device to forcefully display the typical threatening message that informs the victim of what just happened, or how crypto and file-system APIs are (ab)used to surreptitiously encrypt the valuable data.

After having overviewed these aspects, we will describe how they can be effectively detected with specific static features. We will present a lightweight Smali emulator to track the instruction sequences that implement device-locking mechanisms. To detect malicious encryption attempts, we will present a static, dataflow-based program-analysis technique and tool that tracks file-system operations (e.g., file listing, file reading) to determine whether they are "connected" to encryption flows. Since the most recent families have started to abuse the device-administration API (e.g., to lock the device) and to use obfuscated method names and reflection to hinder automatic static analysis, we will show a couple of counter-tricks.
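The two static features described above, file-system data reaching an encryption sink and calls into the device-administration API, can be illustrated with a small forward taint pass over a single Smali method. The code below is an added example, not the talk's tool: the source, sink and device-admin lists are hypothetical and deliberately short, the two method bodies are constructed samples, and the analysis is intra-procedural with no branch handling, so it only shows the idea, not a production analyser.

```python
"""Toy taint pass over Smali: flags file-system data reaching crypto sinks
and calls into the device-administration API (added example, simplified)."""
import re

# Hypothetical, deliberately short catalogues; a real analyser needs far more.
FS_SOURCES = (
    "Ljava/io/File;->listFiles",
    "Ljava/io/FileInputStream;->read",
    "Ljava/io/RandomAccessFile;->read",
)
CRYPTO_SINKS = (
    "Ljavax/crypto/Cipher;->doFinal",
    "Ljavax/crypto/Cipher;->update",
)
DEVICE_ADMIN = (
    "Landroid/app/admin/DevicePolicyManager;->lockNow",
    "Landroid/app/admin/DevicePolicyManager;->resetPassword",
)

# Only the non-/range invoke form and the common move/aget variants are parsed.
INVOKE_RE = re.compile(r"^\s*invoke-(?:virtual|direct|static|interface|super) \{([^}]*)\}, (\S+)")
MOVE_RESULT_RE = re.compile(r"^\s*move-result(?:-object|-wide)? (\w+)")
MOVE_RE = re.compile(r"^\s*move(?:-object|-wide)?(?:/from16|/16)? (\w+), (\w+)")
AGET_RE = re.compile(r"^\s*aget(?:-\w+)? (\w+), (\w+), (\w+)")


def _set_taint(tainted, reg, flag):
    """Mark or clear a register as holding file-system-derived data."""
    (tainted.add if flag else tainted.discard)(reg)


def analyze_method(smali_lines):
    """Straight-line forward taint pass over one method body.
    Returns sink hits with the 1-based line number of each call."""
    tainted = set()          # registers currently holding file-derived data
    result_tainted = False   # whether the next move-result receives tainted data
    findings = {"encryption_flows": [], "device_admin_calls": []}

    for lineno, line in enumerate(smali_lines, 1):
        m = INVOKE_RE.match(line)
        if m:
            regs = [r.strip() for r in m.group(1).split(",") if r.strip()]
            target = m.group(2)
            args_tainted = any(r in tainted for r in regs)
            if target.startswith(DEVICE_ADMIN):
                findings["device_admin_calls"].append((lineno, target))
            if target.startswith(CRYPTO_SINKS) and args_tainted:
                findings["encryption_flows"].append((lineno, target))
            # Over-approximation: a file-system source, or any call that receives
            # tainted data, taints its result and every register passed to it
            # (this is how read([B) filling a caller's buffer is modelled).
            result_tainted = target.startswith(FS_SOURCES) or args_tainted
            if result_tainted:
                tainted.update(regs)
            continue
        m = MOVE_RESULT_RE.match(line)
        if m:
            _set_taint(tainted, m.group(1), result_tainted)
            result_tainted = False
            continue
        m = MOVE_RE.match(line)
        if m:
            dst, src = m.groups()
            _set_taint(tainted, dst, src in tainted)
            continue
        m = AGET_RE.match(line)
        if m:
            dst, array, _index = m.groups()
            _set_taint(tainted, dst, array in tainted)   # element of tainted array
        # const/new-instance/iget and friends are not modelled: a register they
        # overwrite keeps its old taint (conservative, may over-report).
    return findings


def is_suspicious(findings):
    """Either static feature on its own is a strong ransomware indicator."""
    return bool(findings["encryption_flows"] or findings["device_admin_calls"])


# Constructed sample: list a directory, read one file into a buffer, feed the
# buffer to Cipher.doFinal, then lock the screen through the device-admin API.
ENCRYPTING_METHOD = """
.method private encryptAll(Ljava/io/File;)V
    invoke-virtual {p1}, Ljava/io/File;->listFiles()[Ljava/io/File;
    move-result-object v0
    const/4 v1, 0x0
    aget-object v2, v0, v1
    new-instance v3, Ljava/io/FileInputStream;
    invoke-direct {v3, v2}, Ljava/io/FileInputStream;-><init>(Ljava/io/File;)V
    const/16 v4, 0x1000
    new-array v5, v4, [B
    invoke-virtual {v3, v5}, Ljava/io/FileInputStream;->read([B)I
    move-result v6
    iget-object v7, p0, Lcom/example/Locker;->cipher:Ljavax/crypto/Cipher;
    invoke-virtual {v7, v5}, Ljavax/crypto/Cipher;->doFinal([B)[B
    move-result-object v8
    iget-object v9, p0, Lcom/example/Locker;->dpm:Landroid/app/admin/DevicePolicyManager;
    invoke-virtual {v9}, Landroid/app/admin/DevicePolicyManager;->lockNow()V
    return-void
.end method
""".strip().splitlines()

# Constructed benign sample: encrypts a constant token, never touches the
# file system, so the Cipher call must NOT be reported as an encryption flow.
TOKEN_ENCRYPTION_METHOD = """
.method private encryptToken()[B
    const-string v0, "session-token"
    invoke-virtual {v0}, Ljava/lang/String;->getBytes()[B
    move-result-object v1
    iget-object v2, p0, Lcom/example/Net;->cipher:Ljavax/crypto/Cipher;
    invoke-virtual {v2, v1}, Ljavax/crypto/Cipher;->doFinal([B)[B
    move-result-object v3
    return-object v3
.end method
""".strip().splitlines()

if __name__ == "__main__":
    for name, body in (("encryptAll", ENCRYPTING_METHOD),
                       ("encryptToken", TOKEN_ENCRYPTION_METHOD)):
        print(name, analyze_method(body))
```

The benign sample is the important half of the demonstration: use of `Cipher` on its own is not a feature, only a cipher call whose input can be traced back to a file listing or file read is, which is exactly the "connected to encryption flows" condition in the text.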

Last, we will show how the threatening messages can be recognized from normal text using a language-analysis technique, which classifies text based on the appearance of key terms frequently found in ransomware samples but not in benign sources. Since static program-analysis approaches like ours can be time- and resource-consuming, we will describe a fast triaging pre-filtering technique to quickly discard strikingly benign applications. This filter is generic and ransomware-agnostic; thus, in principle, it could be applied to any app-vetting pipeline. With this talk we will release the source code of a prototype that implements (part of) the described techniques, and a dataset comprising tens of thousands of ransomware applications targeting the Android platform, each labeled with the set of features that characterize their statically-extracted behavior.
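The key-term classification of threatening messages described above, as an added example that is not the talk's own classifier: each term is weighted by the smoothed log-odds of appearing in a ransom note rather than in a benign app string, only terms whose odds clear a ratio threshold are kept as key terms, and a text is scored by summing the weights of the key terms it contains. The two training corpora are constructed here, the `min_df`/`min_ratio` parameters and the midpoint decision threshold are my assumptions, and the held-out benign string shows the case that matters in practice: a single ransom-like word ("pay", "unlock") is not enough to trigger a detection.

```python
"""Key-term classifier for ransom notes vs. ordinary app strings
(added example; corpora are constructed)."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z]+")
# Function words carry no signal about ransom notes and are dropped up front.
STOPWORDS = {"a", "an", "and", "are", "be", "been", "by", "for", "from", "has",
             "have", "in", "is", "it", "of", "on", "or", "the", "them", "this",
             "to", "will", "with", "you", "your"}


def terms(text):
    """Set of distinct content words in a string (presence, not frequency)."""
    return {t for t in TOKEN_RE.findall(text.lower()) if t not in STOPWORDS}


class KeyTermClassifier:
    """Scores a text by the summed log-odds of the key terms it contains.

    A term is a key term when it appears in at least `min_df` ransom notes and
    its add-one-smoothed odds of appearing in a ransom note versus a benign
    string are at least `min_ratio`; every other term has weight 0.
    """

    def __init__(self, min_df=2, min_ratio=2.0):
        self.min_df = min_df
        self.min_ratio = min_ratio
        self.weights = {}
        self.threshold = 0.0

    def fit(self, ransom_notes, benign_strings):
        pos_df, neg_df = Counter(), Counter()
        for text in ransom_notes:
            pos_df.update(terms(text))
        for text in benign_strings:
            neg_df.update(terms(text))
        n_pos, n_neg = len(ransom_notes), len(benign_strings)
        for t, df in pos_df.items():
            if df < self.min_df:
                continue
            p = (df + 1) / (n_pos + 2)              # P(term | ransom note)
            q = (neg_df[t] + 1) / (n_neg + 2)       # P(term | benign string)
            if p / q >= self.min_ratio:
                self.weights[t] = math.log(p / q)
        # Decision threshold (assumption): halfway between the best-scoring
        # benign training string and the worst-scoring ransom note.
        hi_benign = max(self.score(s) for s in benign_strings)
        lo_ransom = min(self.score(s) for s in ransom_notes)
        self.threshold = (hi_benign + lo_ransom) / 2
        return self

    def score(self, text):
        return sum(self.weights.get(t, 0.0) for t in terms(text))

    def classify(self, text):
        return self.score(text) >= self.threshold

    def key_terms(self, n=10):
        """Highest-weighted terms, ties broken alphabetically."""
        return sorted(self.weights, key=lambda t: (-self.weights[t], t))[:n]


# Constructed training data, modelled on the style of lock-screen ransom notes
# and on ordinary UI strings found in benign apps.
RANSOM_NOTES = [
    "ATTENTION! Your device has been locked for viewing prohibited content. "
    "Pay a fine of $300 within 24 hours or your files will be deleted.",
    "Your phone is blocked. All your files are encrypted. To unlock you must "
    "pay 200 USD via a MoneyPak voucher.",
    "Warning: illegal activity detected. Your device is locked by the police. "
    "Pay the fine to unlock it.",
    "All photos and documents on this device have been encrypted. Send 0.5 "
    "bitcoin to restore them, otherwise the key will be destroyed.",
    "Your device is locked. Pay the penalty now to avoid criminal prosecution "
    "and to unlock your phone.",
    "Decryption key will be deleted in 72 hours. Pay the ransom to unlock your files.",
]
BENIGN_STRINGS = [
    "Tap to open settings and choose which photos to back up.",
    "Enable notifications to get reminders about your upcoming events.",
    "Your files are synced. Open the gallery to view recent photos.",
    "Unlock new levels by completing the daily challenge.",
    "Sign in to your account to pay for the premium subscription.",
    "The device is connected. Select a folder to share documents with your team.",
]


def build_demo_classifier():
    return KeyTermClassifier().fit(RANSOM_NOTES, BENIGN_STRINGS)


if __name__ == "__main__":
    clf = build_demo_classifier()
    print("key terms:", clf.key_terms(8), "threshold: %.2f" % clf.threshold)
    for s in ("Your device has been blocked. All data is encrypted. Pay 100 euro to unlock your phone.",
              "Pay with your card to unlock premium filters for your photos."):
        print("%.2f" % clf.score(s), clf.classify(s), s)
```

With this corpus "locked" ends up as the strongest key term, while "your" and "photos" never become key terms because they are as common in benign strings as in ransom notes, which is the "frequent in ransomware but not in benign sources" selection the text describes.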


Presenters:

  • Federico Maggi - Senior Threat Researcher, Trend Micro
    Federico Maggi is a Senior Threat Researcher with Trend Micro's Forward-Looking Threat Research (FTR) team, an elite team of researchers fighting against cyber criminals and scouting the future of the Internet to predict the future evolutions of cybercrime. His research interests, mainly developed during his MSc and PhD, revolve around various topics under the "cyber security" and "cyber crime" umbrella terms, such as threat analysis and intelligence, malware analysis, mobile security, fraud analysis and detection, web and social-network security, and data visualization. Before joining Trend Micro, Federico was an Assistant Professor at the Dipartimento di Elettronica, Informazione e Bioingegneria (DEIB), Politecnico di Milano, Italy, with which he co-authors the talk on mobile ransomware. The ultra-sonic device communication talk, instead, is the result of a fruitful collaboration with UCSB in Winter 2015. Federico has given several lectures and talks as an invited speaker at international venues and research schools. He also serves on the review and organizing committees of well-known conferences.
  • Stefano Zanero - Associate Professor, Politecnico di Milano
    Stefano Zanero received a PhD in Computer Engineering from Politecnico di Milano, where he is currently an associate professor with the Dipartimento di Elettronica, Informazione e Bioingegneria. His research focuses on mobile malware, malware analysis, and systems security. Besides teaching "Computer Security" at Politecnico, he has extensive speaking and training experience in Italy and abroad. He has co-authored over 50 scientific papers and books. He is an associate editor for the "Journal in Computer Virology and Hacking Techniques". He is a Senior Member of the IEEE (covering volunteer positions at national and regional level), of the IEEE Computer Society (for which he is a member of the Board of Governors), and a lifetime senior member of the ACM. Stefano co-founded the Italian chapter of ISSA (Information Systems Security Association), of which he is a senior member, and sits on the International Board of Directors of the same association. A long-time op-ed writer for magazines (among which "Computer World"), Stefano is also a co-founder and chairman of Secure Network S.r.l., a leading Italian information security consulting firm, and a co-founder of 18Months, a cloud-based ticketing solutions provider.
