Difference between pages "Windows Shadow Volumes" and "Mobile malware"

From ForensicsWiki
==Volume Shadow Copy Service==
Windows has included the Volume Shadow Copy Service in its releases since Windows XP. The Shadow Copy Service periodically creates differential backups that serve as restore points for the user. Windows 7 Professional and Ultimate editions include tools to work with and manage the Volume Shadow Copy Service, including the ability to [[mount shadow volumes on disk images]].

== Also see ==
* [[Mount shadow volumes on disk images]]

== External Links ==
* [http://computer-forensics.sans.org/blog/2008/10/10/shadow-forensics/ VISTA and Windows 7 Shadow Volume Forensics], by [[Rob Lee]], October 2008
* [http://forensic4cast.com/2010/04/19/into-the-shadows/ Into The Shadows] and [http://www.forensic4cast.com/2010/04/presentation-into-the-shadows/ Presentation], by [[Lee Whitfield]], April 2010
* [http://windowsir.blogspot.ch/2011/01/accessing-volume-shadow-copies.html Accessing Volume Shadow Copies], by [[Harlan Carvey]], January 2011
* [http://code.google.com/p/libvshadow/downloads/detail?name=Volume%20Shadow%20Snapshot%20%28VSS%29%20format.pdf Volume Shadow Snapshot format], by the [[libvshadow|libvshadow project]], March 2011
* [http://journeyintoir.blogspot.ch/2011/04/little-help-with-volume-shadow-copies.html A Little Help with Volume Shadow Copies], by [[Corey Harrell]], April 2011
* [http://toorcon.techpathways.com/uploads/VolumeShadowCopyWithProDiscover-0511.pdf Volume Shadow Copy with ProDiscover], May 2011
* [http://computer-forensics.sans.org/blog/2011/09/16/shadow-timelines-and-other-shadowvolumecopy-digital-forensics-techniques-with-the-sleuthkit-on-windows/ Shadow Timelines And Other VolumeShadowCopy Digital Forensics Techniques with the Sleuthkit on Windows], by [[Rob Lee]], September 2011
* [http://windowsir.blogspot.ch/2011/09/howto-mount-and-access-vscs.html HowTo: Mount and Access VSCs], by [[Harlan Carvey]], September 2011
* [http://encase-forensic-blog.guidancesoftware.com/2012/06/examining-volume-shadow-copies-easy-way.html Examining Volume Shadow Copies – The Easy Way!], by [[Simon Key]], June 2012
* [http://justaskweg.com/?p=351 Getting Ready for a Shadow Volume Exam], by [[Jimmy Weg]], June 2012
* [http://justaskweg.com/?p=466 Mounting Shadow Volumes], by [[Jimmy Weg]], July 2012
* [http://justaskweg.com/?p=518 Examining the Shadow Volumes with X-Ways Forensics], by [[Jimmy Weg]], July 2012
* [http://justaskweg.com/?p=710 “Weg, I’m afraid that I don’t have VMware. How do I Examine Shadow Volumes?”], by [[Jimmy Weg]], August 2012

== Tools ==
* [[EnCase]] with VSS Examiner Enscript (available from the downloads section of the GSI Support Portal)
* [[libvshadow]]
* [[ProDiscover]]
* [http://www.shadowexplorer.com/ ShadowExplorer]
* [http://dfstream.blogspot.ch/p/vsc-toolset.html VSC Toolset]
* [[X-Ways AG|X-Ways Forensics]]

[[Category:Volume Systems]]
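The procedure the linked articles describe for a live Windows 7 system (enumerate the shadow copies with vssadmin, then expose one through a directory symbolic link to its GLOBALROOT device path) can be scripted. The following Python is an added example, not code from the wiki page or from any of the tools listed above: it parses constructed sample output in the layout that `vssadmin list shadows` prints and derives the mklink command for each copy, including the trailing backslash that mklink needs for the link to be browsable. The GUIDs, machine names and timestamps in the sample are placeholders, and the device numbers deliberately have a gap (1 and 3) because numbering is not guaranteed to be contiguous once copies have been deleted.

```python
"""Enumerate Volume Shadow Copies from `vssadmin list shadows` output and
derive a mount command for each (added example, not from the wiki page).

Assumptions: the sample output is constructed to match the layout that
vssadmin prints on Windows 7 (GUIDs, machine names and times are
placeholders); the mount command is the mklink technique described in the
linked articles, a directory symbolic link to the shadow copy's GLOBALROOT
device path.
"""
import re
from dataclasses import dataclass

# Constructed sample output (vssadmin must be run as Administrator on a
# real system; this text is embedded so the parser runs offline).
SAMPLE_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 3/28/2012 9:12:44 PM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 4/2/2012 7:03:18 AM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""


@dataclass
class ShadowCopy:
    set_id: str
    created: str
    shadow_id: str
    original_volume: str
    device: str

    @property
    def number(self):
        """N from HarddiskVolumeShadowCopyN; the numbering can have gaps."""
        return int(re.search(r"HarddiskVolumeShadowCopy(\d+)$", self.device).group(1))


def parse_vssadmin(text):
    """Walk the indented vssadmin listing and collect one record per copy."""
    copies = []
    set_id = created = None
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Contents of shadow copy set ID:"):
            set_id = line.split(":", 1)[1].strip()
        elif "at creation time:" in line:
            # The creation time is what a timeline needs to pick a copy.
            created = line.split("at creation time:", 1)[1].strip()
        elif line.startswith("Shadow Copy ID:"):
            pending = {"set_id": set_id, "created": created,
                       "shadow_id": line.split(":", 1)[1].strip()}
        elif line.startswith("Original Volume:") and pending is not None:
            # split on the first colon only; "(C:)" contains another one
            pending["original_volume"] = line.split(":", 1)[1].strip()
        elif line.startswith("Shadow Copy Volume:") and pending is not None:
            pending["device"] = line.split(":", 1)[1].strip()
            copies.append(ShadowCopy(**pending))
            pending = None
    return copies


def mount_command(copy, mount_root="C:\\vsc"):
    """mklink needs the trailing backslash on the device path; without it
    the link is created but cannot be browsed. The link name carries the
    device number so C:\\vsc3 always maps to ...ShadowCopy3."""
    return "mklink /d %s%d %s\\" % (mount_root, copy.number, copy.device)


if __name__ == "__main__":
    for copy in parse_vssadmin(SAMPLE_OUTPUT):
        print(copy.created, copy.original_volume)
        print("   ", mount_command(copy))
```

On a live system the same parser can be fed the real output via `subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True).stdout`; the creation times are what you use to decide which copies bracket the period of interest before mounting any of them.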

Revision as of 16:39, 3 April 2012

Mobile malware is software created to infect or gain access to mobile devices such as [[cell phones]], [[tablets]], and [[PDAs]].

== History ==
Mobile malware was initially considered to be a hoax until it became obvious that malicious software existed and functioned on mobile devices. The earliest recorded mobile malware was called Cabir. It was released in 2004 and was designed to infect [[Symbian]] OS platforms via a Bluetooth connection. It was essentially harmless, but nonetheless proved to the public that worms could be found on mobile devices.

== Recent Trends ==
Since mobile devices usually contain private and valuable information, mobile malware has recently begun moving toward having a specific purpose (usually exploiting information), as opposed to viruses created solely for bragging rights.

== Attack Types ==
=== Bluetooth ===
Attacks via [[Bluetooth]] can infect any phone with Bluetooth capabilities and can even exploit feature phones. These proximity-based attacks use the local Bluetooth network, usually in a crowded area, to send unwarranted requests to phones. Since Bluetooth can be used to transmit files, malicious executables can be sent across the network to everybody who accepts the request and installs the software. Some of these attacks, such as Cabir, are worms which send out the request from an infected phone without the user knowing, thus quickly spreading from phone to phone. Protection from these attacks is simple: cell phone users should not leave Bluetooth on, and if it is left on, users should not accept requests from unknown connections.

=== Application Marketplace ===
Malicious software can be installed via application marketplaces. For example, according to webroot.com, applications disguised as Angry Birds level unlockers were available in the Android Market. Once installed, the creator had access to sensitive information such as browsing history, bookmarks, etc. The application also contacted a remote server that gave the phone instructions for downloading additional malware.

To protect against this kind of attack, users can judge the legitimacy of an application with a few simple guidelines. Applications that require a lot of permissions for no apparent reason should be avoided. Also, the credibility of a publisher can easily be researched if the user is unsure.

=== WiFi ===
Information can be stolen from devices when they are connected to public [[WiFi]] hotspots. Users should not do banking, shopping, or other tasks that expose personal information while connected to unsecured networks. This is not an issue unique to mobile devices, but because of the nature of mobile devices, they are more likely to be used in public places on these networks.

=== SMS ===
[[SMS]] attacks are generally similar to each other. Malicious software is installed on the phone by some means and then continually sends unnoticed text messages from the user's phone to premium numbers, which creates charges on the user's account. According to Kaspersky Labs, the SMS-Trojan was first discovered for the Android operating system in early 2011. The news report says, "The Trojan-SMS category is currently the most widespread class of malware for mobile phones, but Trojan-SMS.AndroidOS.FakePlayer.a is the first to specifically target the Android platform." To protect against these attacks, users should be cautious of what applications are installed on their devices and who the creators of the applications are.

SMS attacks can also simply be spam messages with links to malicious sites. The limitation of this type of attack is that it must target specific phones in order to execute scripts that are compatible.
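The marketplace and SMS sections above come down to one check a reviewer (or a cautious user reading the install-time permission list) can perform: does the app ask for permissions that its advertised purpose cannot explain, and in particular for SMS permissions? The following Python is an added example, not code from the wiki page or from any vendor. It extracts the uses-permission entries from an AndroidManifest.xml and flags those a plain game has no reason to hold. The manifest is constructed for illustration; the permission strings are real Android permission names, but the baseline of what a "game" legitimately needs, and the risk notes, are this example's own assumptions.

```python
"""Flag permissions an Android app declares that its advertised purpose does
not explain (added example, not code from the wiki page or any vendor).

The manifest below is constructed; the permission strings are real Android
permission names, but the baseline of what a 'game' legitimately needs is
this example's own assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a hypothetical "level unlocker" game add-on.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.levelunlocker">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Level Unlocker"/>
</manifest>
"""

# What an app of a given type can reasonably hold (this example's baseline,
# not an Android-defined list).
BASELINE = {
    "game": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.VIBRATE",
        "android.permission.WAKE_LOCK",
    },
}

SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

# Why each surplus permission matters, phrased in terms of the behaviours
# the text describes (premium-rate texting, data theft, persistence).
RISK_NOTES = {
    "android.permission.SEND_SMS": "can text premium-rate numbers without the user noticing",
    "android.permission.RECEIVE_SMS": "can read incoming texts, e.g. carrier billing replies",
    "android.permission.READ_SMS": "can read stored texts",
    "android.permission.READ_CONTACTS": "can harvest the address book",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "can read browsing history and bookmarks",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart itself at boot (persistence)",
}


def declared_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml, app_type):
    """Return [(permission, reason)] for permissions outside the baseline."""
    surplus = sorted(declared_permissions(manifest_xml) - BASELINE[app_type])
    return [(p, RISK_NOTES.get(p, "not needed for a " + app_type)) for p in surplus]


def risk_level(findings):
    """SMS permissions on an app that should not text are the strongest signal."""
    perms = {p for p, _ in findings}
    if perms & SMS_PERMISSIONS:
        return "high"
    return "medium" if perms else "low"


if __name__ == "__main__":
    findings = triage(SAMPLE_MANIFEST, "game")
    print("risk:", risk_level(findings))
    for permission, reason in findings:
        print("  %-60s %s" % (permission, reason))
```

The baseline is deliberately per app type: a messaging client holding SEND_SMS is unremarkable, a level unlocker holding it is exactly the pattern the SMS section describes, so the same manifest should triage differently depending on what the listing claims the app is.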

=== QR Codes ===
Because [[QR Codes]] are completely opaque to a human reader, they provide a means of taking curious smartphone users to malicious web sites. There are three ways QR codes can be maliciously presented to a user. The first method is placing a QR code by itself with no explanation or context, causing some people to get curious and scan it. The second way of getting people to scan the code is to place a stamp or sticker over an existing one so that it is disguised as a harmless QR code. The third way of presenting malicious codes to the public is digitally, through email.

QR code attacks work by taking the person that scans the code to a website that performs malicious activities. For example, according to darkreading.com, a QR code distributed to target iOS devices might navigate the web browser to a site that will jailbreak the phone and then install malware on it once the built-in security can be altered.

To protect against these attacks, smartphone users should only scan QR codes with software that shows them the action the code would trigger and lets them confirm it.
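The mitigation above depends on the scanner telling the user what the decoded payload will do before doing it. The following Python is an added example, not code from the wiki page or from any scanner app, of that confirmation step: it classifies a decoded payload into the action a scanner would take (open a site, dial, send an SMS, send mail, join a Wi-Fi network, or merely show text) and surfaces the real destination host, including the case where a `user@` prefix is used to make one hostname look like another. It assumes the QR image has already been decoded to a string; the payload conventions handled are the ones commonly used by scanner apps, and every sample payload is constructed.

```python
"""Show a user what a decoded QR payload would do before doing it (added
example, not code from the wiki page or any scanner app).

Assumes the QR image has already been decoded to a string; the payload
conventions handled (http(s) URLs, tel:, sms:/SMSTO:, mailto:, WIFI:) are
the ones common scanner apps use, and every sample payload is constructed.
"""
from urllib.parse import unquote, urlsplit


def describe_payload(payload):
    """Classify a decoded payload into the action a scanner would take.

    Returns a dict with action, target, detail and side_effect; side_effect
    is False only when the payload is plain text that is merely displayed.
    """
    text = payload.strip()
    lower = text.lower()

    if lower.startswith(("http://", "https://")):
        parts = urlsplit(text)
        detail = parts.scheme
        if parts.username is not None:
            # "bank.example@evil.example": the part before '@' is userinfo,
            # not the host, so show the real host and call the prefix out.
            detail += "; userinfo before host: " + parts.username
        return {"action": "open website", "target": parts.hostname or "",
                "detail": detail, "side_effect": True}

    if lower.startswith("tel:"):
        return {"action": "place call", "target": text[4:], "detail": "",
                "side_effect": True}

    if lower.startswith("smsto:"):            # SMSTO:number:message
        number, _, body = text[6:].partition(":")
        return {"action": "send SMS", "target": number, "detail": body,
                "side_effect": True}

    if lower.startswith("sms:"):              # sms:number?body=...
        number, _, query = text[4:].partition("?")
        body = ""
        for item in query.split("&"):
            key, _, value = item.partition("=")
            if key.lower() == "body":
                body = unquote(value)
        return {"action": "send SMS", "target": number, "detail": body,
                "side_effect": True}

    if lower.startswith("mailto:"):
        return {"action": "send email", "target": text[7:].split("?", 1)[0],
                "detail": "", "side_effect": True}

    if lower.startswith("wifi:"):             # WIFI:T:WPA;S:ssid;P:pass;;
        fields = {}
        for item in text[5:].split(";"):
            key, sep, value = item.partition(":")
            if sep:
                fields[key.upper()] = value
        return {"action": "join Wi-Fi network", "target": fields.get("S", ""),
                "detail": "security " + fields.get("T", "nopass"),
                "side_effect": True}

    return {"action": "show text", "target": text, "detail": "",
            "side_effect": False}


def confirmation_prompt(payload):
    """Text to put in front of the user, or None when nothing would happen."""
    info = describe_payload(payload)
    if not info["side_effect"]:
        return None
    prompt = "%s: %s" % (info["action"], info["target"])
    if info["detail"]:
        prompt += " [%s]" % info["detail"]
    return prompt + " - proceed?"


if __name__ == "__main__":
    # Constructed payloads covering each branch.
    for sample in ("http://bank.example@evil.example/login",
                   "SMSTO:+15551234567:UNLOCK",
                   "WIFI:T:WPA;S:CoffeeShop;P:secret;;",
                   "Opening hours: 9-17"):
        print(repr(sample), "->", confirmation_prompt(sample))
```

The important design choice is that nothing in this path performs the action; it only produces the prompt, so the scanner cannot "helpfully" open the site or send the text before the user has seen the target. A premium-rate SMSTO payload and a URL whose real host hides behind userinfo are exactly the cases where an auto-acting scanner does the damage.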

== External Links and Resources ==
* [http://safeandsavvy.f-secure.com/2011/06/14/a-quick-guide-to-mobile-malware-part-1-2/ A Quick Guide To Mobile Malware]
* [http://www.cs.berkeley.edu/~afelt/mobilemalware.pdf A Survey of Mobile Malware in the Wild]
* [http://www.readwriteweb.com/archives/6_mobile_malware_predictions_for_2012.php 6 Mobile Malware Trends for 2012]
* [http://en.wikipedia.org/wiki/Mobile_virus Wikipedia entry regarding mobile malware]
* [http://www.darkreading.com/mobile-security/167901113/security/news/232301147/qr-code-malware-picks-up-steam.html QR Code Malware Picks Up Steam]
* [http://www.kaspersky.com/about/news/virus/2010/First_SMS_Trojan_detected_for_smartphones_running_Android First SMS Trojan Detected for Smartphones Running Android]
* [http://blog.webroot.com/2011/06/10/android-plankton-angry-birds-cheating-malware-contains-bot-like-code/ Android Malware Contains Bot Like Code]

== Mailinglists ==
* [http://groups.google.com/group/mobilemalware mobile.malware Google Group]