This year, we had the privilege of attending the 21st Virus Bulletin International Conference in Barcelona, Spain.
Researchers from Trend Micro presented three topics in the corporate stream and one topic in the technical stream. Ethan YX Chen covered file-fraction reputation for the technical stream on day 1. For the corporate stream on day 2, Max Goncharov presented on traffic direction systems as malware distribution tools, while David Sancho and Rainer Link talked about the lessons they learned while sinkholing botnets. Trend Micro global director of education David Perry talked about the missing metrics of malware.
Among the different topics that were presented in this conference, we got hooked on those in the technical stream. Here’s a rundown of what we found particularly interesting.
A Mobile Malware Jail
The presentation entitled, “An OpenBTS GSM Replication Jail for Mobile Malware,” by Axelle Apvrille discussed the challenges security researchers faced when analyzing mobile threats.
As she said, the golden rule of antivirus is not to spread any malware that we are analyzing. However, when testing malware, it is sometimes necessary to connect to the Internet or to other networks during analysis in order to verify or analyze its routines. Analysis is easier to do on malware affecting computers, since it is easy to isolate them from the Internet and still be able to see what they do. Mobile malware, however, is not as easy to confine, since there are no wires to unplug in order to analyze it.
Since we don’t want to risk infecting our co-workers’ smartphones while trying to analyze mobile malware, we need a way to analyze it effectively without putting other users at risk.
Ms. Apvrille’s solution for this is to create a dummy GSM service operator. This is cheaper than building a Faraday cage but just as effective in confining the malware. It uses OpenBTS, an open source, Unix-based application, and a Universal Software Radio Peripheral (USRP) device. How cheap is cheap? Around US$1,000. Still expensive, but we believe this is a good investment for antivirus companies given the growing number of mobile malware.