| 摘要(英) |
The convenience, connectivity, and popularity of computers allow a malicious user to utilize various approaches to compromise hosts which can be further organized into Botnets to illegally obtain financial gains or sensitive information. Along with the tread that more and more users use mobile devices to communicate with friends or play on-line games, mobile devices, such as smartphones, have become an indispensible part of many persons’ everyday life. Therefore, the functionality of mobile devices becomes more powerful and the structures of them become more complex, which makes them look like personal computer miniatures. However, attackers may abuse these powerful and diverse functions to impair the owner of a mobile device. Hence mobile devices are under the threats of not only some of the traditional desktop attack types but also new attack types.
Due to the trend that more and more web services, such as Google, Facebook and many auction websites, require users to open their new accounts or to login to their accounts through cell-phone-verification, cell-phone-verification has become an important function of cellular phones. However, research in our work shows that cell-phone-verification is not always reliable. This study proposes a new attack method named MAC-YURI (My ACcount, YoUr ResponsIbility) against cell-phone-verification to show one possible abuse of smartphones to people. Through MAC-YURI, an attacker can utilize a compromised smartphone as a steppingstone to accept and forward account verification code to finish the cell-phone-verification when applying a new account or logging in to an account. This paper describes the attack models of MAC-YURI. MAC-YURI uses the built-in functionality of a smartphone, such as receiving and sending short messages, to launch attacks in a stealthy way. We implemented MAC-YURI on an Android smartphone. Experimental results show that MAC-YURI can successfully assist an attacker in obtaining the verification code of an account without the awareness of a steppingstone smartphone owner. Besides, the power consumption introduced by MAC-YURI is low. Finally, this paper proposes some methods to protect a smart-phone against MAC-YURI.
|
| 參考文獻 |
[1] Android Developers Website. http://developer.android.com/index.html
[2] Android Market, https://market.android.com/
[3] Cyber threats report from Georgia Tech Information Security Center. http://www.gtiscsecuritysummit.com/pdf/CyberThreatsReport2009.pdf
[4] “Cyber Threats to Mobile Devices,” in US-CERT, April 15, 2010. http://www.us-cert.gov/reading_room/TIP10-105-01.pdf
[5] Dalvik Virtual Machine. http://en.wikipedia.org/wiki/Dalvik_(software)
[6] DroidSecurity, http://www.droidsecurity.com/
[7] Eclipse, a development tool,. http://www.eclipse.org/
[8] Enterprise Mobility – eWeek. http://www.eweek.com/c/a/Mobile-and-Wireless/New-Android-Trojans-Go-After-SMS-Messages-268345/
[9] Facebook Help Center, http://www.facebook.com/help/?page=819
[10] Facebook Statistics, http://www.facebook.com/press/info.php?statistics
[11] File Transfer Protocol, http://www.networksorcery.com/enp/protocol/ftp.htm
[12] Getting started with 2-step verification, http://www.google.com/support/accounts/bin/topic.py?hl=en&topic=28786
[13] ID Generator. http://people.debian.org/~paulliu/ROCid.html
[14] Java Virtual Machine. http://en.wikipedia.org/wiki/Java_Virtual_Machine
[15] NumberOf.net, http://www.numberof.net/
[16] NPD research. http://www.npd.com/
[17] PChome & eBay JV. http://www.ruten.com.tw/
[18] “Taxonomy of Botnets Threats,” Trend Micro, November 2006 http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/botnettaxonomywhitepapernovember2006.pdf
[19] Joan Calvet, Carlton R. Davis, Jose M. Fernandez, Jean-Yves Marion, Pier-Luc St-Onge, Wadie Guizani, “The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet,” in ACSAC, 2010. http://www.acsac.org/2010/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=221&type=2
[20] Roman Schlegel, Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, XiaoFeng Wang, “Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones,” in NDSS, 2011. https://www.cs.indiana.edu/~kapadia/papers/soundminer-ndss11.pdf
[21] Georgia Weidman, “Transparent Botnet Command and Control for Smartphones over SMS,” in Shmoocon, 2011. http://www.grmn00bs.com/Shmoocon2011_SmartphoneBotnets_GeorgiaW.pdf
[22] Cui Xiang, Fang Binxing, Yin Lihua, Liu Xiaoyi, Zang Tianning, “Andbot: Towards Advanced Mobile Botnets,” in Workshop of USENIX, 2011. http://www.usenix.org/events/leet11/tech/full_papers/Xiang.pdf
[23] Yuanyuan Zeng, Xin Hu, Kang G. Shin, “Design of SMS Commanded-and-Controlled and P2P-Structured Mobile Botnets,” Department of Electrical Science and Engineering in University of Michigan, March, 2010. http://www.eecs.umich.edu/techreports/cse/2010/CSE-TR-562-10.pdf
|
[Endnote RIS 格式]
[相關文章]
[文章引用]
[完整記錄]
[館藏目錄]
至系統瀏覽論文 ( 永不開放)
plurk
funp
live
udn
HD
myshare
netvibes
friend
youpush
delicious
baidu
Google bookmarks
del.icio.us
hemidemi
facebook
twitter
google
reddit