© 2012 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.

How an SMS-Based Malware Infection Will Get Throttled by the Wireless Link

Roger Piqueras Jover (w. Ilona Murynets)

AT&T Security Research Center

June 13, 2012

Agenda

• SMS-based malware
• Related work
• SMS over GSM and UMTS
• Simulation model
• SMS-based malware infection getting throttled by the wireless link
• Results

SMS-based Malware

SMS is one of the most popular cellular services, generating millions in revenue for operators.

It is also a common platform for spam, fraud and malware.

SMS-based Malware

Malware infection and spreading.
• SMS message with a link to a malicious app.
  – Disguised as a game or social app
• User installs the app and the phone gets infected
• App gains access to the phone’s contact book
  – Selects targets to send SMS with link
• Infection spreads

Related work

Husted and Myers, LEET’11

Direct contact propagation (via Bluetooth). Mild propagation, controllable by lowering susceptibility of population to infections.

Fleizach et al., WORM’07

MMS-based malware propagation through cellular. Slower propagation on a mobility network with respect to a wired network. Bottleneck at the link between NodeB and RNC. Assumes wireless signaling and control channel effects not significant.

Traynor, IEEE Trans Computing’11

Wireless link is the main bottleneck when it comes to massive SMS distribution.

SMS Network Architecture

SMS Over GSM

Standalone Dedicated Control Channel (SDCCH)
• Shared by all users within one cell/sector
• Registration, establishment of authentication and encryption, initial call set-up, etc.
• Highly bandwidth-limited
  – Aggregation of 4 logically consecutive time-slots within multi-frame
  – Effective bandwidth of 782 bps

SMS Over UMTS

Random Access Channel (RACH)
• Control channel shared by all users within one cell/sector
• Registration, establishment of authentication and encryption, initial call set-up, etc.
• Contention-based access channel
  – Collisions are possible
  – Collision avoidance and delayed transmission protocol
• Similar to Slotted-ALOHA

Throughput 0.45

SMS Over UMTS

Random Access Channel (RACH)
• A user willing to transmit waits a certain backoff time and starts a preamble cycle
• A slot is randomly selected out of the 15 and also a signature (out of 16 possible) is chosen
• A short preamble message is transmitted on the selected slot with probability p and power Pstart
• If an ACK message is received on the same slot of the AICH channel containing the same signature…
• The user gets assigned to transmit data in the following frame (a data message is longer than a preamble and might occupy several slots)

SMS Over UMTS

Random Access Channel (RACH)
• A user willing to transmit waits a certain backoff time and starts a preamble cycle
• A slot is randomly selected out of the 15 and also a signature (out of 16 possible) is chosen
• A short preamble message is transmitted on the selected slot with probability p and power Pstart
• If no response is received on the AICH…
• In the following frame, the same preamble is sent (with probability p) on new random slot with power Pstart + dB (power ramping)
• The user proceeds to listen to the same slot in the AICH
• If a maximum number of preambles is sent, we go back to the beginning and start a new preamble cycle

SMS Over UMTS

Random Access Channel (RACH)
• A user willing to transmit waits a certain backoff time and starts a preamble cycle
• A slot is randomly selected out of the 15 and also a signature (out of 16 possible) is chosen
• A short preamble message is transmitted on the selected slot with probability p and power Pstart
• If a NACK message is received on the AICH…
• Back to the beginning and start a new preamble cycle
• If a maximum number of preamble cycles is reached, the call fails (it is what happens when we try to call but it doesn’t go through…)
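
The preamble procedure on the three RACH slides can be exercised with a small contention model. This is an added example, not the authors' Matlab RACH model: the limits of 8 preambles per cycle and 4 cycles are assumed values, power ramping and backoff delays are not modelled, and a preamble is treated as acknowledged only when no other phone picked the same slot and signature in that frame.

```python
import random

SLOTS, SIGNATURES = 15, 16   # from the slides: 15 access slots, 16 signatures


def simulate_rach(n_users, p=1.0, max_preambles=8, max_cycles=4, seed=1):
    """Each of n_users holds one SMS. Returns (delivered, failed, frames)."""
    rng = random.Random(seed)
    sent = {ue: 0 for ue in range(n_users)}  # preambles sent per pending phone
    budget = max_preambles * max_cycles      # attempts before the access fails
    delivered = failed = frames = 0
    while sent:
        frames += 1
        picks = {}
        for ue in sent:
            if rng.random() < p:             # persistence test with probability p
                key = (rng.randrange(SLOTS), rng.randrange(SIGNATURES))
                picks.setdefault(key, []).append(ue)
        for ues in picks.values():
            if len(ues) == 1:                # unique slot+signature: ACK on AICH
                del sent[ues[0]]
                delivered += 1
                continue
            for ue in ues:                   # collision: no ACK, retry next frame
                sent[ue] += 1
                if sent[ue] >= budget:       # maximum number of cycles reached
                    del sent[ue]
                    failed += 1
    return delivered, failed, frames


if __name__ == "__main__":
    for load in (100, 500, 1000, 3000):
        print(load, simulate_rach(load))
```

With 240 slot and signature combinations per frame, a light load drains in a few frames, while a load far above 240 simultaneous contenders collides on almost every attempt, which is the clogging behaviour the results slides describe for UMTS.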

Simulation Model

Scenario

Large and dense urban environment (Washington DC, 68.2 mi²).
Only malware-related SMS traffic (no background traffic).
• 600000 mobile users
• 120 cells
• Barabasi and Albert network model
  – Contact book size power-law distribution (80)
  – Contacts distributed in neighboring cells and a couple of other clusters
• Malware propagation:
  – SMS with link to a malicious app
  – Prob(user clicks on link and downloads app) = 0.5
  – Infected phone sends SMS to k random contacts every minutes
    • k = 3
    • ~ exp(40min)

Simulation Model

GSM SDCCH
• 8 SDCCH channels per cell/sector
  – Constant per cell SMS capacity: 8 SMS/5sec

UMTS RACH
• Matlab custom RACH model
• 3G Access Service Class #4

Simulation time

Slots of 5 seconds
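
An added sketch of the propagation scenario and the GSM capacity limit above, scaled down to 10000 phones in 2 cells (the slides' 5000 users per cell); it is not the authors' simulator. Assumptions: uniform 20-entry contact books instead of the Barabasi-Albert graph, 10 initially infected phones, the send interval read as exponential with a 40-minute mean, and the bottleneck placed at the sender's cell.

```python
import random
from collections import deque

SLOT_S = 5  # slot length in seconds, as in the slides


def spread(cap, users=10000, cells=2, slots=6000, k=3, mean_min=40.0,
           p_click=0.5, contacts=20, seeds=10, rng_seed=7):
    """cap = SMS per cell per slot (8 for GSM SDCCH), None = wired.

    Returns (history, sent, max_queue): infected phones after each slot,
    SMS delivered in total, and the longest per-cell backlog observed.
    """
    rng = random.Random(rng_seed)
    mean_slots = mean_min * 60 / SLOT_S
    # Assumed topology: uniform contact books; phone u camps on cell u % cells.
    book = [[rng.randrange(users) for _ in range(contacts)]
            for _ in range(users)]
    infected, due = set(), {}

    def schedule(u, now):                 # next send timer, ~ exp(mean_min)
        fire = now + 1 + int(rng.expovariate(1 / mean_slots))
        due.setdefault(fire, []).append(u)

    for u in range(seeds):
        infected.add(u)
        schedule(u, 0)
    queues = [deque() for _ in range(cells)]
    history, sent, max_queue = [], 0, 0
    for t in range(slots):
        for u in due.pop(t, []):          # timers firing in this slot
            queues[u % cells].extend(rng.sample(book[u], k))
            schedule(u, t)
        for q in queues:                  # the radio link drains each queue
            budget = len(q) if cap is None else min(cap, len(q))
            for _ in range(budget):
                target = q.popleft()
                sent += 1
                if target not in infected and rng.random() < p_click:
                    infected.add(target)
                    schedule(target, t)
            max_queue = max(max_queue, len(q))
        history.append(len(infected))
    return history, sent, max_queue
```

Comparing `spread(None)` with `spread(8)` slot by slot shows the capped run falling behind once per-cell demand exceeds 8 SMS per slot, while its backlog keeps growing.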

SMS-based malware infection throttled by the wireless link

[Figure: transmitted load versus input load for the GSM, 3G and wired scenarios; scale labels Mbps, Kbps and 782 bps]

Results

Number of transmitted messages
• Exponential propagation in Wired Scenario
• Spreading rate much lower in mobility networks
  – Close to linear spreading in GSM (8 SMS/5sec)
  – Faster spreading in UMTS
    • Spreading stops when RACH is clogged
    • Propagation slows down → RACH congestion level decreases → Propagation continues

Results

Number of queued messages: global (a), one cell (b)
• Messages start queuing after 2000 slots of 5 seconds (2.7 hours)
• Total SMS network load at the saturation point:
  – 50 SMS/sec
  – Equivalent to 8.3 × 10⁻⁵ SMS per second per user
  – Malware message load could be masked by regular user message traffic
• Slow increase of queued messages

Results

Number of queued messages: global (a), one cell (b)
• Messages start queuing after 2700 slots of 5 seconds (3.7 hours)
• Very fast increase of queued messages
  – RACH saturates and no message goes through
  – (As opposed to GSM’s constant throughput of 8 SMS/5 sec)

Results

Number of infected phones
• Malware propagation throttled by the wireless link
  – Internet propagation hits all 600000 mobile users
  – Infection slows down on UMTS and GSM
  – SMSs generated by malware could potentially saturate the link for other users

Conclusions

Wireless Interface
• The wireless link plays an important role in malware modeling over mobility networks
  – Bottleneck of SMS-based malware propagation
• No massive outbreak
  – Spreading rate much slower than in wired scenarios (Internet)
    • 10x slower in GSM
    • 3x slower in UMTS

Future work
• Large scale nation-wide simulation (pool of 100 million users)
• Background traffic
• New propagation vectors
  – LTE
  – iMessage, WhatsApp, Viber, etc.
• Load effects on Core Network

Thanks!

Questions?

AT&T Security Research Center
src.att.com