SierraDefense Malware Protection

Protect Mobile Devices with SierraDefense

Malware, Trojans and Rootkits Target Consumer Devices
Malware developers have acquired a new target of choice: embedded devices. Mobile phones, tablets, smart TVs and set-top boxes are all in the crosshairs of advanced malware developers. Whether building applications that send illicit SMS messages, that steal sensitive data, or that fraudulently purchase apps from app stores, malware developers have been busy creating a host of malicious applications for embedded devices.

Researchers have identified over 20,000 unique malware strains targeting mobile devices. Mobile malware has skyrocketed, with the number of strains increasing ten times year over year in recent years. With more and more consumers using their phones for electronic payment and online banking, malware developers will invest a growing amount of resources in exploiting this lucrative market.

The Malware Challenge
The rise of mobile malware hurts consumers, enterprises, and equipment manufacturers alike. Consumers who unwittingly install malware on their mobile phones can suffer losses ranging from a few dollars for SMS fraud to thousands of dollars for compromised bank account credentials. Enterprises, with their increasingly mobile workforce, must contend with the costs of cleaning up infected devices and the risk of a data breach brought on by advanced malware. Mobile phone vendors also feel the impact when consumers switch to phones they perceive as more secure.

Unfortunately, defeating malware is not easy. Most consumers don't install anti-virus software on their phones, leaving their devices exposed to malware. Even when anti-virus software is used, it can't always detect and stop zero-day threats. Malware developers today produce "polymorphing" code that can rename itself and change file size to evade detection. Malware variants even attack anti-malware software. To neutralize the threat of malware, trojans, and rootkits, phone makers must develop robust systems that can protect sensitive data and safeguard anti-malware software.

As more and more devices, from smart TVs to set-top boxes and even automobiles, roll out rich operating systems with Internet connectivity and full app stores, all of them will become targets for financially motivated cybercriminals.

The Solution: SierraDefense for Malware Protection
Sierraware offers the following solutions to combat malware. By implementing these solutions, equipment manufacturers can improve malware detection rates and prevent sensitive data from being exposed.

  • Offline File System Scanner - An offline scanner can be run at boot-up. Scanning files at rest, before the operating system is running, is more reliable than scanning a live system because malware has far fewer places to hide. The offline scanner includes a rootkit component scanner and a hash file scan. The hash file scan can search for known malware signatures and can inspect all locations, including hidden locations like "/tmp." Because malware can rename itself, the scanner assigns hash values to files at build time; the hashes identify files independently of their names and detect unauthorized file alterations performed at run time.
  • Live Application Scanner - This scanner checks for kernel module tampering and file permission levels, and includes a binary string scanner that looks for files matching known malicious signatures and a network scanner that catches trojans or malware "dialing home." The live application scanner also identifies hidden processes by comparing the list of visible processes against the nodes in the Linux kernel process tree and the file node structure.
  • Kernel Rootkit Scanner - This scanner detects hidden modules that are not listed by the standard 'lsmod' command. It scans for replaced or redirected system call entries in the kernel and monitors key Linux memory areas.
  • Keylogger, Screen Capture and Sniffer Protection - SierraDefense examines all applications that are accessing key system resources like the touch screen, frame buffer, or Wi-Fi. It also scans all processes in memory and identifies the kernel and user processes that are accessing memory regions mapped to the I/O modules.
Unfortunately, today, it is not enough to rely on signature matching alone to find malware. Malware is developed too quickly and mutates too rapidly. SierraDefense combines multiple detection layers together to catch and remediate infections.
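The offline hash file scan described above boils down to two steps: record a hash of every file in the image at build time, then at boot compare the file system at rest against that manifest. The script below is an added illustration of that approach written for this page; it is not SierraDefense code, and the directory layout, file contents, and the "known bad" sample hash are all constructed for the demonstration. Keying on content hashes rather than names is what lets the scan recognise a known file that malware has simply moved or renamed into a hidden location such as "/tmp".

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a known malware signature: the SHA-256 of a
# fixed byte string. A real scanner would load a signature database.
BAD_SAMPLE = b"constructed malware sample"
KNOWN_BAD = {hashlib.sha256(BAD_SAMPLE).hexdigest()}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Build-time step: map every regular file (relative path) to its hash."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def scan_at_rest(root: Path, manifest: dict, known_bad: set) -> dict:
    """Boot-time step: compare the file system against the build-time manifest.

    Returns lists of modified, missing and unexpected files, files that match a
    known-bad signature, and files relocated under a new name (same content hash
    as a manifest entry).
    """
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "unexpected": [],
              "known_bad": [], "relocated": {}}

    # Pass 1: every file the image shipped with must still be there, unchanged.
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)

    # Pass 2: classify files that were not in the manifest by their content.
    expected_by_hash = {}
    for rel, digest in manifest.items():
        expected_by_hash.setdefault(digest, []).append(rel)
    for rel, digest in current.items():
        if rel in manifest:
            continue
        if digest in known_bad:
            report["known_bad"].append(rel)
        elif digest in expected_by_hash:
            original = expected_by_hash[digest][0]
            report["relocated"][rel] = original
            if original in report["missing"]:
                report["missing"].remove(original)
        else:
            report["unexpected"].append(rel)
    return report


def demo() -> dict:
    """Build a constructed image, tamper with it, and run the scan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        (root / "tmp").mkdir()
        (root / "bin" / "launcher").write_bytes(b"launcher v1")
        (root / "bin" / "dialer").write_bytes(b"dialer v1")
        (root / "lib" / "libui.so").write_bytes(b"libui")
        manifest = build_manifest(root)  # captured at image build time

        # Simulated tampering after the image was built.
        (root / "bin" / "launcher").write_bytes(b"launcher v1 + injected")  # modified
        (root / "bin" / "dialer").rename(root / "tmp" / ".d")               # renamed/hidden
        (root / "lib" / "libui.so").unlink()                                # removed
        (root / "tmp" / ".sys").write_bytes(BAD_SAMPLE)                     # known signature
        (root / "tmp" / "note").write_bytes(b"unknown content")             # unknown file
        return scan_at_rest(root, manifest, KNOWN_BAD)


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

The manifest itself must be stored where the running operating system cannot rewrite it, otherwise malware that modifies a file can update its hash as well; keeping it (and the scanner) in an isolated environment such as a TEE is what makes the build-time hashes trustworthy.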

Example Architecture for Integrity Management and Anti-Malware Software

SierraTEE Trusted Execution Environment Protects SierraDefense
When all applications run on a single operating system, malware can manipulate legitimate apps. It can exploit vulnerabilities to install rootkits or even disable security software. The best way to protect security software is to implement a Trusted Execution Environment like SierraTEE. Using ARM TrustZone technology, SierraTEE can isolate sensitive applications like SierraDefense in hardware from other applications installed on the general purpose operating system.

By using SierraDefense and SierraTEE together, equipment vendors can architect systems that are highly secure and can't be attacked by underhanded users or by malicious software.