
Detecting Malicious Traffic between Server and Mobile Phones using MITM Proxy

   

Added on 2023-06-11

INFORMATION SECURITY

Executive Summary
This project aims to detect and analyse malicious activity between a server and a mobile phone,
using a MITM proxy together with command-and-control traffic. The paper discusses the problem of
attackers who steal vital information without the consent of the clients. The problem is addressed
by detecting malware activity through analysis of the packets transmitted between the server and
the mobile phones. The project aims to protect and inform the clients about malware activity, and
it also investigates the exfiltration of data from users' mobile phones. The MITM proxy is used to
capture the packets and analyse the mobile-to-server communications so that the clients can be
protected and informed about malicious activity. A man-in-the-middle (MITM) proxy makes the task
of keeping information safe and secure complex, because such a proxy can be mounted from remote
personal computers with spoofed addresses; the consequence for communications security is that the
encryption exchange is broken. In authentication protocols, the weaknesses exploited by a MITM
proxy are those of the mechanisms the communicating parties rely on. Since most of this rests on
validation by the third parties that issue certificates, the certificate-generation arrangement
becomes another source of potential weakness. In this paper we examine HTTPS (HTTP over SSL/TLS),
the most widely used encrypted network traffic protocol. In a communication encrypted with
SSL/TLS, the hosts must first agree on the encryption methods and their parameters. Consequently,
the initial packets contain unencrypted messages with information about the client and the server.
This information varies across different clients and their versions. The analogous client
identifier is the User-Agent value in an HTTP header, which is commonly used to identify the
client and classify the traffic. The system is intended to identify security threats based on the
behaviour of malware samples. The detection of malware activity is based on analysis of the
packets transmitted between the server and the mobile phones. The exfiltration of data from
users' mobile phones is also investigated.

Table of Contents
1 Introduction..............................................................................................................................4
1.1 Project Goals.....................................................................................................................4
1.2 Problem Statement............................................................................................................4
1.3 Background of the MITM proxy.......................................................................................5
1.4 Detecting the Malicious Traffic between the Server and Clients.....................................6
2 Literature Review....................................................................................................................8
3 Analysis.................................................................................................................................15
3.1 Botnet..............................................................................................................................15
3.2 Aspects of Botnet............................................................................................................17
3.2.1 Platform of operation...............................................................................................17
3.2.2 Detection..................................................................................................................18
3.2.3 Takedown................................................................................................................19
3.2.4 SMS propagation.....................................................................................................19
3.3 Various kinds of IRC based products.............................................................................20
3.4 Solution Malware Detection Techniques........................................................................21
3.5 Security Methods and services........................................................................................26
3.5.1 Data availability.......................................................................................................28
3.5.2 Authentication..........................................................................................................28
3.5.3 Confidentiality.........................................................................................................29
3.5.4 Integrity....................................................................................................................29
3.5.5 Non-repudiation.......................................................................................................30
3.6 MANET..........................................................................................................................31
3.7 Working for MITM Proxy..............................................................................................31

4 Discussion..............................................................................................................................33
5 Conclusion.............................................................................................................................35
References......................................................................................................................................38

1 Introduction
This project is about detecting and analysing the malicious activities between the server
and the mobile phones. This is done by making use of mitmproxy together with command-and-control
traffic. This paper discusses the problem of attackers who steal vital information without the
consent of the clients. The problem is addressed by detecting malware activity through analysis
of the packets transmitted between the server and the mobile phones. This project aims to protect
and inform the clients about malware activity. It also investigates the exfiltration of data from
users' mobile phones.
The main objectives of this project are to protect and inform the clients about malware
activities. This project also investigates the exfiltration of data from users' mobile phones.
Mitmproxy is used to capture the packets and analyse the mobile-to-server communications in order
to protect and inform the clients about malicious activities.
1.1 Project Goals
The project goal is to protect and inform the clients about malware activities. It detects
and analyses malicious activity between the server and the mobile phone using the mitmproxy
software, which captures the packets and analyses the mobile-to-server communications so that the
clients can be protected and informed about malicious activities. The detection of malware
activity is based on the analysis of the packets transmitted between the server and the mobile
phones. The project also investigates the exfiltration of data from users' mobile phones.
1.2 Problem Statement
This paper discusses the problem of attackers who steal vital information without the
consent of the clients. The problem is addressed by detecting malware activity through analysis
of the packets transmitted between the server and the mobile phones. This is done by making use
of mitmproxy together with command-and-control traffic. Mitmproxy is used to capture the packets
and analyse the mobile-to-server communications in order to protect and inform the clients about
malicious activities.

1.3 Background of the MITM proxy
Mitmproxy is a "man-in-the-middle" proxy that lets you capture HTTP and HTTPS traffic, the
latter by forging SSL certificates. This is extremely useful for debugging and for network
problems, particularly because tools such as Ethereal cannot sniff HTTPS traffic. Mitmproxy also
allows altering the traffic, letting you simulate network errors. Unfortunately, the mitmproxy
version bundled with Ubuntu (apt-get install mitmproxy) is too old: its SSL certificate
generation does not work correctly. Mitmproxy can decrypt encrypted traffic on the fly, as long
as the client trusts its built-in certificate authority. Normally, this means the mitmproxy CA
certificate must be installed on the client device. Mitmproxy is a console tool that allows
interactive examination and modification of HTTP traffic. It differs from mitmdump in that all
flows are kept in memory, which means it is intended for taking and manipulating smallish
samples. Once mitmproxy is running, two things have to be configured (Boyd and Simpson, 2013):
1. Traffic needs to go through the proxy. For this, we use the proxy directive.
2. httplib2 must accept the forged certificate. We therefore instruct it to accept mitmproxy as
a certificate authority.
A man-in-the-middle (MITM) proxy makes the task of securing information complex, because the
proxy could be mounted from remote personal computers with spoofed addresses; the consequence for
communications security is that the encryption exchange is broken. In authentication protocols,
the weaknesses exploited by a MITM proxy are those of the mechanisms the communicating parties
rely on. Since most of this rests on validation by the third parties that issue certificates, the
certificate-generation arrangement becomes another source of potential weakness (Lee, 2012). A
MITM proxy allows an intruder or unauthorised party to snoop on information through a back door.
Such interception is also used by organisations to spy on their employees, and for adware. For
instance, in early 2015 it was found that Lenovo PCs came preinstalled with adware called
Superfish that injects advertising into browsers such as Google Chrome and Internet Explorer.
Superfish installs a self-generated root certificate into the Windows certificate store and then
replaces all SSL certificates presented by HTTPS sites with its own certificate.

This could enable hackers to steal sensitive data such as banking credentials or to spy on
the users' activities. Cryptographic protocols designed to provide communications security over
a computer network are part of Transport Layer Security (TLS) (Kranakis, Haroutunian and
Shahbazian, 2008). These protocols use X.509, an ITU-T standard that specifies standard formats
for public key certificates, certificate revocation lists, attribute certificates, and a
certification path validation algorithm. X.509 certificates are used to authenticate the
counterparty and to negotiate a symmetric key. As mentioned, certificate authorities are a weak
link within the security framework. In electronic mail, even though servers do require SSL
encryption, contents are processed and stored in plain text on the servers (Muniz and Lakhani,
2013).
Features
1. Intercept HTTP requests and responses and modify them on the fly.
2. Save complete HTTP conversations for later replay and analysis.
3. Replay the client side of HTTP conversations.
4. Replay HTTP responses of a previously recorded server.
5. Reverse proxy mode to forward traffic to a specified server.
6. Transparent proxy mode on OS X and Linux.
7. Make scripted changes to HTTP traffic using Python.
8. SSL certificates for interception are generated on the fly.
9. And much more.
1.4 Detecting the Malicious Traffic between the Server and Clients
The rising popularity of encrypted network traffic is a double-edged sword. On one hand,
it provides secure data transmission, protects against eavesdropping, and improves the
reliability of communication. On the other hand, it complicates the legitimate monitoring of
network traffic, including traffic classification and host identification. Nowadays we can
monitor, identify, and classify plain-text network traffic such as HTTP; however, it is
difficult to analyse encrypted communication. The more secure the connection is from the
perspective of the communicating partners, the harder it is to understand the network traffic
and to distinguish unusual and malicious activity. Moreover, malicious network behaviour can be
hidden in encrypted connections, where it is invisible to detection tools (Verma and Dixit, 2016).
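As an added example (not part of the original paper), the kind of detection that becomes possible once mitmproxy has decrypted the flows: the script below aggregates constructed proxy log records per app and destination host, then flags upload-heavy traffic to hosts outside an app's allowlist and machine-regular request timing of the sort a command-and-control beacon produces. The log records, app names, host names and thresholds are all assumptions made up for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log records of the kind mitmproxy exposes once it has decrypted the flows
# (one tuple per request). Apps and hosts are placeholders, not real indicators.
SAMPLE_LOG = [
    # ts (s), client app (User-Agent), method, host, bytes sent by phone, bytes returned
    (0,   "NotesApp/1.0", "GET",  "api.notes.example",   310,   9800),
    (20,  "NotesApp/1.0", "POST", "api.notes.example",   1200,  300),
    (0,   "Weather/3.2",  "POST", "cdn-update.example",  41000, 120),
    (60,  "Weather/3.2",  "POST", "cdn-update.example",  39000, 120),
    (120, "Weather/3.2",  "POST", "cdn-update.example",  40500, 118),
    (180, "Weather/3.2",  "POST", "cdn-update.example",  40200, 121),
    (240, "Weather/3.2",  "POST", "cdn-update.example",  41100, 119),
    (5,   "Weather/3.2",  "GET",  "api.weather.example", 280,   6100),
]
ALLOWED_HOSTS = {"NotesApp/1.0": {"api.notes.example"}, "Weather/3.2": {"api.weather.example"}}  # assumed allowlist

def summarize(log):
    """Aggregate per (app, host): request timestamps and byte counts in each direction."""
    agg = defaultdict(lambda: {"times": [], "out": 0, "in": 0})
    for ts, app, _method, host, out_bytes, in_bytes in log:
        s = agg[(app, host)]
        s["times"].append(ts)
        s["out"] += out_bytes
        s["in"] += in_bytes
    return agg

def beacon_score(times):
    """Coefficient of variation of inter-request gaps; near 0 means machine-regular timing."""
    gaps = [b - a for a, b in zip(sorted(times), sorted(times)[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None                      # too few requests (or all at once) to judge timing
    return pstdev(gaps) / mean(gaps)

def find_suspicious(log, allowed, min_upload=64_000, max_cv=0.2):
    """Return (app, host, reasons) for flows that look like exfiltration or C2 beaconing."""
    findings = []
    for (app, host), s in summarize(log).items():
        reasons = []
        if host not in allowed.get(app, set()):
            reasons.append("host not in app allowlist")
        if s["out"] >= min_upload and s["out"] > 10 * s["in"]:
            reasons.append(f"upload-heavy: {s['out']} B out vs {s['in']} B in")
        cv = beacon_score(s["times"])
        if cv is not None and cv <= max_cv:
            reasons.append(f"regular beacon timing (cv={cv:.2f})")
        if reasons:
            findings.append((app, host, reasons))
    return findings
```

On the sample, only the Weather app's traffic to cdn-update.example is reported, for all three reasons; the app's own API host and the note-taking app's ordinary POST are left alone.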
In this paper we examine HTTPS (HTTP over SSL/TLS), the most widely used encrypted network
traffic protocol. In a communication encrypted with SSL/TLS, the hosts must first agree on the
encryption methods and their parameters. Consequently, the initial packets contain unencrypted
messages with information about the client and the server. This information varies across
different clients and their versions. The analogous client identifier is the User-Agent value in
an HTTP header, which is commonly used to identify the client and classify traffic. However,
only the SSL/TLS handshake can be seen in an HTTPS connection without decrypting the payload. We
therefore approach the problem of identifying the SSL/TLS client and classifying HTTPS traffic
by building a dictionary of SSL/TLS handshake fingerprints and their corresponding User-Agents,
using a generic classification system. It is intended to identify security threats based on the
behaviour of malware samples. The framework depends on statistical features computed from proxy
log fields
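The handshake-fingerprint dictionary described above, as an added example that is not the paper's own code: it builds constructed TLS ClientHello messages, extracts the JA3 fields (version, cipher suites, extension types, supported groups, EC point formats), hashes them into a fingerprint, and checks whether the User-Agent the client declares matches the one the dictionary expects for that fingerprint. The ClientHello contents and the User-Agent prefix are assumptions; a real dictionary is populated from captured handshakes of known clients.

```python
import hashlib

def build_client_hello(version, ciphers, extensions):
    # Builds a TLS record carrying a minimal ClientHello (constructed test data, not a capture).
    body = version.to_bytes(2, "big") + bytes(32) + b"\x00"         # version, random, empty session id
    body += (2 * len(ciphers)).to_bytes(2, "big") + b"".join(c.to_bytes(2, "big") for c in ciphers)
    body += b"\x01\x00"                                             # one compression method: null
    ext = b"".join(t.to_bytes(2, "big") + len(d).to_bytes(2, "big") + d for t, d in extensions)
    body += len(ext).to_bytes(2, "big") + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs        # record type 22 = handshake

def parse_client_hello(rec):
    """Return the JA3 fields: version, cipher suites, extension types, groups, EC point formats."""
    u16 = lambda b, i: int.from_bytes(b[i:i + 2], "big")
    assert rec[0] == 0x16 and rec[5] == 0x01, "not a TLS ClientHello record"
    p = 9                                           # skip record (5) and handshake (4) headers
    version, p = u16(rec, p), p + 34                # 2-byte version, 32-byte client random
    p += 1 + rec[p]                                 # session id
    n = u16(rec, p)
    ciphers = [u16(rec, i) for i in range(p + 2, p + 2 + n, 2)]
    p += 3 + n + rec[p + 2 + n]                     # cipher list, then compression methods
    end, p = p + 2 + u16(rec, p), p + 2             # extensions block
    exts, groups, fmts = [], [], []
    while p < end:
        t, ln = u16(rec, p), u16(rec, p + 2)
        data = rec[p + 4:p + 4 + ln]
        exts.append(t)
        if t == 0x000A:                             # supported_groups: 2-byte length, 2-byte ids
            groups = [u16(data, i) for i in range(2, len(data), 2)]
        elif t == 0x000B:                           # ec_point_formats: 1-byte length, 1-byte ids
            fmts = list(data[1:])
        p += 4 + ln
    return version, ciphers, exts, groups, fmts

def ja3_fingerprint(rec):
    # JA3 layout: decimal values joined by '-', the five fields joined by ',', then MD5.
    v, c, e, g, f = parse_client_hello(rec)
    text = ",".join([str(v)] + ["-".join(map(str, x)) for x in (c, e, g, f)])
    return hashlib.md5(text.encode()).hexdigest()

def check_client(rec, user_agent, known):
    # 'ok' if the expected User-Agent matches, 'mismatch' if not, 'unknown' if the fingerprint is unseen.
    expected = known.get(ja3_fingerprint(rec))
    return "unknown" if expected is None else ("ok" if user_agent.startswith(expected) else "mismatch")
BROWSER_HELLO = build_client_hello(0x0303, [0x1301, 0xC02B, 0xC02F], [   # constructed "Android browser"
    (0x000A, b"\x00\x04\x00\x1d\x00\x17"),              # supported_groups: x25519, secp256r1
    (0x000B, b"\x01\x00")])                             # ec_point_formats: uncompressed
ODD_HELLO = build_client_hello(0x0303, [0xC02F], [(0x000A, b"\x00\x02\x00\x17")])  # unseen client
KNOWN_CLIENTS = {ja3_fingerprint(BROWSER_HELLO): "Mozilla/5.0 (Linux; Android"}  # fingerprint -> UA prefix
```

A "mismatch" (a known browser's handshake carrying a different User-Agent, or vice versa) is the signal worth alerting on, since a malware sample that borrows a browser's User-Agent string still speaks TLS with its own library's fingerprint.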
