
Hacking Exposed Live: Mobile Targeted Threats

http://www.hackingexposed7.com/
© 2012 CrowdStrike, Inc. All rights reserved.

George Kurtz, President & CEO, CrowdStrike
Georg Wicherski, Senior Security Researcher, CrowdStrike
Alex Radocea, Senior Security Researcher, CrowdStrike

BEFORE WE GET STARTED…

•  Questions
   –  Via GoToWebinar in the Questions tab
   –  All questions will be addressed at the end of the session
   –  Via Twitter: engage real-time with @CrowdStrike #hackingexposed7

A LITTLE ABOUT US

GEORGE KURTZ, President & CEO, CrowdStrike

•  In security for ~20 years
•  Former CTO, McAfee
•  Former CEO, Foundstone
•  Co-Author, Hacking Exposed
•  Twitter: @George_Kurtz
•  Blog: www.securitybattlefield.com

A LITTLE ABOUT US

GEORG WICHERSKI, Senior Security Researcher, CrowdStrike

•  Focuses on analyzing advanced threats
•  Likes to put himself in the attackers’ shoes
•  Loves working low level on bytecode
•  New interest in ARM architecture
•  Twitter: @ochsff

A LITTLE ABOUT US

ALEX RADOCEA, Senior Engineer, CrowdStrike

•  Application Security Assessment at Matasano
•  Product Security Team at Apple
•  Dabbles in hardware reverse engineering
•  Upcoming talk: Ekoparty 2012
•  Twitter: @defendtheworld

THREAT EVOLUTION AND OUTLINE

Commercial RATs
•  Manually installed
•  “Spy on your girlfriend”

Targeted RATs
•  Observed real-world attacks
•  Simple, regular Apps

Advanced Threats
•  Demo of browser-based compromise
•  What are we just not seeing?

WHAT IS A RAT?

•  Remote Access Tools, better known as RATs
•  Post-exploitation tool
•  Allows administrative control over the compromised system
•  Adversaries have been targeting conventional computing platforms (PC) for many years

RAT FUNCTIONALITY

•  Backdoor functionality and a host of other nefarious features
   –  Activate video cameras and microphones
   –  Take pictures of remote systems
   –  Exfiltration: send back files
   –  Run remote commands
   –  Log keystrokes

GRANDDADDY OF RATS

•  Back Orifice
•  NetBus

WHAT IS UBIQUITOUS?

HAS A CAMERA?

HAS A MICROPHONE?

KNOWS WHERE YOU ARE?

IS ALWAYS ON?

…AND STORES YOUR SENSITIVE INFORMATION?

DAWN OF A NEW ERA: Mobile RATs

•  Smartphones are PCs that fit in the palm of your hand
•  Perfect tool to:
   –  Intercept calls
   –  Intercept TXTs
   –  Intercept emails
   –  Capture remote video
   –  Listen to sensitive conversations
   –  Track location via GPS

COMMERCIAL RAT DELIVERY

•  Usually require physical access to the target device
•  The attacker must know the target’s password or the device must be unlocked
•  Manual installation via web page or 3rd party market
•  iOS devices require a jailbreak

FlexiSPY

•  Emerged in the 2006 timeframe as consumer-marketed cell phone spying software
•  Capabilities include:
   –  Monitoring email
   –  Monitoring SMS/MMS
   –  Monitoring chat/Facebook/WhatsApp
   –  Number flagging
   –  Call intercept (only live calls)
   –  Hot mic
   –  SMS C2


FlexiSPY LOGS


TARGETED RATs

•  Android: mostly regular Apps
   –  Written in Java using the Android SDK and compiled to Dalvik code
   –  Often not even obfuscated (original names retained)
   –  There are public SDK tools to conceal at least the names of non-exported classes and members
   –  Easy process to reverse to Java code (.dex → .class → .java)
   –  Visibility issue, or principle of least effort required?
•  iOS targeted RAT ecosystem largely unexplored
   –  But commercial RATs well-known and documented
   –  Happening for sure, but just no good visibility

CASE STUDY: LUCKY CAT (background)

•  Targeted espionage-type operation
   –  Engineering and research targets
   –  Political activists
•  Windows malware attributed to Chinese developers
   –  Likely government-sponsored civil hacktivism
   –  First seen in June 2011
   –  http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf
•  Android malware LuckyCat.A found on C2 servers

LUCKYCAT.A ANALYSIS

•  Simple Service-based App that registers for the BOOTUP intent
   –  Starts automatically when the phone is turned on
•  Reports general information (phone number, IMEI, …) on connect
•  Can read and write arbitrary files and list directories
   –  Linux is Unix: “Anything is a file”
   –  All logic and parsing on the C2 (client) side, not exposed to analysis
•  Utilizes custom “encryption” / obfuscation algorithm
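The combination the slide describes (a Service started from the boot intent, permission to read phone number and IMEI, network access, file access, and class names left readable) can be checked statically from a manifest. The following is an added example, not code from the talk or from the malware; the manifest it parses is constructed, and its package and class names are placeholders.

```python
"""Static manifest triage for the pattern described on the LuckyCat.A slide.

Added example, not code from the talk or from the malware: it reads an
AndroidManifest.xml and reports whether the app (a) has a receiver for the
BOOT_COMPLETED action alongside a Service, (b) declares the permissions needed
to read phone number / IMEI, reach the network and write files, and (c) kept
readable class names. The manifest below is constructed; its package and
class names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample manifest (not taken from any real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Notes">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".MainService"/>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute (ElementTree uses Clark notation)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _declares_action(component, action):
    return any(_attr(a, "name") == action for a in component.iter("action"))


def names_look_obfuscated(class_names):
    """True when at least half of the class names are one or two characters long,
    the usual footprint of an obfuscator; LuckyCat.A kept its original names."""
    if not class_names:
        return False
    short = [n for n in class_names if len(n.rsplit(".", 1)[-1]) <= 2]
    return 2 * len(short) >= len(class_names)


def triage_manifest(xml_text):
    """Return the triage signals as a dict plus a simple 0-4 capability score."""
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    boot_receivers = [_attr(r, "name") for r in root.iter("receiver")
                      if _declares_action(r, BOOT_ACTION)]
    services = [_attr(s, "name") for s in root.iter("service")]
    components = [_attr(c, "name")
                  for tag in ("activity", "service", "receiver")
                  for c in root.iter(tag)]
    result = {
        "boot_started_service": bool(boot_receivers) and bool(services),
        "reads_device_identity": "android.permission.READ_PHONE_STATE" in perms,
        "network": "android.permission.INTERNET" in perms,
        "writes_storage": "android.permission.WRITE_EXTERNAL_STORAGE" in perms,
        "names_look_obfuscated": names_look_obfuscated(components),
        "boot_receivers": boot_receivers,
        "services": services,
    }
    # The score counts capability signals only; obfuscation is reported separately.
    result["score"] = sum(result[k] for k in ("boot_started_service",
                                              "reads_device_identity",
                                              "network", "writes_storage"))
    return result


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print("%-22s %s" % (key, value))
```

The signals are deliberately coarse: many legitimate apps start on boot or read the phone state, so the score is a prioritisation aid for a sample queue, not a verdict. The name heuristic exists because, as the slide notes, retained class names are themselves a useful hint about who built the app and how much effort went into hiding it.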

LUCKYCAT.A BEACON INFORMATION

•  Obtains current phone number
   –  Chinese error / status message
•  Beacons
   –  Phone number as MAC
   –  Current IP
   –  Per-incident identifier

LUCKYCAT.A FILE COMMANDS

•  Only supports file-based commands
   –  Directory content listing
   –  Download / upload file from / to phone
•  Any interaction with the system must be done through this simple mechanism


FINSPY MOBILE FOR IOS

•  Commercial mobile RAT sold to governments
   –  “Enterprise” software development
   –  Proper encryption, communication protocol, ...
•  Analyzed iOS sample: stolen demo binary
   –  Courtesy of CitizenLab.org
•  Capabilities similar to previous commercial RATs
•  iOS variant requires a jailbroken device or an LPE exploit

FINSPY MOBILE FOR IOS INSTALLATION

•  One initial dropper, install_manager.app
•  Ad-hoc distribution with hardcoded UDIDs to run on
•  Certificate registered to Gamma International, Inc.
•  Drops the four FinSpy binaries to suid’able directories
   –  installer, manages persistence in the system
   –  logind.app, daemon wrapper invoked by launchd on boot
   –  trampoline.app, a broken no-op in our sample
   –  SyncData.app, the main backdoor that calls home

FINSPY LPE MISSING LINK

•  installer.app copies binaries to /Application and /System
   –  On a non-jailbroken device this is prohibited by the sandbox
•  installer.app requests root privilege with seteuid(0)
   –  Typical for a program started with the suid bit
•  install_manager.app searches suid’able partitions

FINSPY LPE MISSING LINK CONT.

•  trampoline.app is a no-op in our binary
   –  Invoked by install_manager.app with the path to installer
   –  Includes snippets that build paths from arguments
   –  Apparently cut off / sanitized at source level
•  Placeholder to disable the sandbox and suid the installer to infect non-jailbroken devices?
   –  Given trampoline.app is not an exploit itself
   –  Checked all entry points and loader behavior

UDID LEAK IMPACT

•  1,000,000 UDIDs leaked
•  UDID, APNs tokens, device name leaked from unknown source
•  Ad-hoc distribution profile requires UDID; each profile has up to 100 devices
   –  User interaction required for installation
   –  Code still sandboxed
•  Device information reportedly leaked from Blue Toad
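Both the FinSpy installation slide (ad-hoc distribution with hardcoded UDIDs, certificate registered to a named company) and this one (each profile carries at most 100 devices) point at the provisioning profile as the artifact a responder should read first. The following is an added example, not code from the talk or from FinSpy: it summarises the plist inside a provisioning profile. The real embedded.mobileprovision is a CMS (PKCS#7) signature wrapping the plist; the example assumes that payload has already been extracted, and the profile it parses is constructed with placeholder team name and UDIDs.

```python
"""Inspect the plist carried by an iOS provisioning profile (added example).

Not code from the talk or from FinSpy. An ad-hoc distribution profile lists the
UDIDs of the devices it may run on (at most 100 per profile), so the profile
embedded in a suspicious .app tells a responder whether a build was aimed at
specific devices, and whether a given device is on that list. The real
embedded.mobileprovision is a CMS (PKCS#7) signature wrapping the plist; this
example assumes the plist payload has already been extracted. The profile
below is constructed, with placeholder team name and UDIDs.
"""
import plistlib
from datetime import datetime, timezone

AD_HOC_DEVICE_LIMIT = 100

# Constructed sample profile payload (placeholder values throughout).
SAMPLE_PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Placeholder Ad Hoc Profile</string>
  <key>TeamName</key><string>EXAMPLE TEAM (PLACEHOLDER)</string>
  <key>ExpirationDate</key><date>2013-09-01T00:00:00Z</date>
  <key>ProvisionedDevices</key>
  <array>
    <string>0000000000000000000000000000000000000001</string>
    <string>0000000000000000000000000000000000000002</string>
    <string>0000000000000000000000000000000000000003</string>
  </array>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>TEAMID.com.example.placeholder</string>
    <key>get-task-allow</key><false/>
  </dict>
</dict>
</plist>
"""


def _parse_now(now_iso):
    """Profile dates come back from plistlib as naive UTC datetimes; match that."""
    if now_iso is None:
        return datetime.now(timezone.utc).replace(tzinfo=None)
    return datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ")


def summarize_profile(plist_bytes, device_udid=None, now_iso=None):
    """Summarize distribution type, device list, expiry and debuggability.

    device_udid: optional UDID to check against the ProvisionedDevices list.
    now_iso: optional reference time (ISO 8601, UTC) for the expiry check.
    """
    info = plistlib.loads(plist_bytes)
    devices = list(info.get("ProvisionedDevices", []))
    if info.get("ProvisionsAllDevices"):
        distribution = "in-house (any device)"
    elif devices:
        # Development profiles also carry a device list, so the plist alone
        # cannot separate ad-hoc from development builds.
        distribution = "device-limited (ad-hoc or development)"
    else:
        distribution = "app-store"
    entitlements = info.get("Entitlements", {})
    return {
        "name": info.get("Name"),
        "team": info.get("TeamName"),
        "distribution": distribution,
        "device_count": len(devices),
        "over_ad_hoc_limit": len(devices) > AD_HOC_DEVICE_LIMIT,
        "expired": info["ExpirationDate"] < _parse_now(now_iso),
        "debuggable": bool(entitlements.get("get-task-allow", False)),
        "targets_device": (device_udid in devices) if device_udid else None,
    }


if __name__ == "__main__":
    summary = summarize_profile(
        SAMPLE_PROFILE_PLIST,
        device_udid="0000000000000000000000000000000000000002")
    for key, value in summary.items():
        print("%-18s %s" % (key, value))
```

A device list that is short and contains the UDID of the phone under investigation is the strongest signal that the build was aimed at that user rather than distributed broadly. The team name identifies the signing account; whether the certificate behind it is still valid has to be checked against the CMS signature, which this example does not parse.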


FEASIBILITY STUDY RATIONALE

•  Mobile exploits being actively bought on the “market”
   –  iOS, BlackBerry, Android (loosely ordered by price)
   –  Remote: baseband, browser and SMS apps
   –  Local: really anything that gets you elevated privileges
•  Development of payload up to the customer
   –  FinSpy Mobile looks like a good fit for an LPE trampoline.app
•  We know these attacks are out there, yet we do not have conclusive evidence.
•  “If the mobile manufacturers don’t give us root privileges, only the attackers will have root privileges.”

ANDROID 4.0.1 BROWSER EXPLOIT

•  Vulnerability in WebKit (fixed in 4.0.2, public since Nov 2011)
   –  No CVE assigned, just a bug leading to degraded user experience…
•  Circumvents XN & partial ASLR on Android 4.0.1
   –  Android ≥ 2.3 activates XN, comparable to the x86 NX bit
   –  Requires hardware support, but most phones do support it
   –  Android ≥ 4.0 adds partial ASLR
   –  Heap, stack and dynamic linker still at predictable addresses
   –  Android ≥ 4.1 adds full ASLR
•  Use ROP in the dynamic linker to circumvent the 4.0 mitigations
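Whether a given build really randomizes the heap, the stack and the dynamic linker is something a defender can measure rather than take from a version number: capture /proc/<pid>/maps for the same program after several reboots and see which mappings never move. The following is an added example, not code from the talk; the two snapshots are constructed to mirror the slide's description of Android 4.0 (libraries randomized, heap, stack and linker fixed) and are not captures from a real device.

```python
"""Check which regions of a process stay at fixed addresses across reboots
(added example, not code from the talk).

The slide states that Android 4.0 randomizes shared libraries but leaves the
heap, the stack and the dynamic linker at predictable addresses, which is what
made a ROP chain in the linker viable. Given /proc/<pid>/maps captured for the
same program after several reboots, this reports which mappings never moved.
The two snapshots below are constructed to mirror that description; they are
not captures from a real device.
"""
import re

# start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")

SNAPSHOT_BOOT1 = """\
0000b000-0012c000 rw-p 00000000 00:00 0          [heap]
40000000-40020000 r-xp 00000000 b3:07 1          /system/bin/linker
4b8a2000-4b8f0000 r-xp 00000000 b3:07 2          /system/lib/libc.so
4c100000-4c3a0000 r-xp 00000000 b3:07 3          /system/lib/libwebcore.so
4c3a0000-4c3c0000 rw-p 002a0000 b3:07 3          /system/lib/libwebcore.so
bef00000-bef21000 rw-p 00000000 00:00 0          [stack]
"""

SNAPSHOT_BOOT2 = """\
0000b000-0012c000 rw-p 00000000 00:00 0          [heap]
40000000-40020000 r-xp 00000000 b3:07 1          /system/bin/linker
4b2f1000-4b33f000 r-xp 00000000 b3:07 2          /system/lib/libc.so
4c5d0000-4c870000 r-xp 00000000 b3:07 3          /system/lib/libwebcore.so
4c870000-4c890000 rw-p 002a0000 b3:07 3          /system/lib/libwebcore.so
bef00000-bef21000 rw-p 00000000 00:00 0          [stack]
"""


def module_bases(maps_text):
    """Map every named mapping (library, [heap], [stack]) to its lowest start address."""
    bases = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, name = int(m.group(1), 16), m.group(7).strip()
        if not name:
            continue  # anonymous mappings carry no stable identity to compare
        bases[name] = min(start, bases.get(name, start))
    return bases


def assess_aslr(snapshots):
    """Return {name: randomized} for mappings present in every snapshot.

    A mapping counts as randomized when its base differs between at least two
    snapshots. At least two snapshots are needed to say anything at all.
    """
    if len(snapshots) < 2:
        raise ValueError("need maps from at least two boots")
    all_bases = [module_bases(s) for s in snapshots]
    common = set.intersection(*(set(b) for b in all_bases))
    return {name: len({b[name] for b in all_bases}) > 1 for name in sorted(common)}


def predictable_regions(snapshots):
    """Names of mappings that sat at the same address in every snapshot."""
    return sorted(name for name, moved in assess_aslr(snapshots).items() if not moved)


if __name__ == "__main__":
    for name, moved in assess_aslr([SNAPSHOT_BOOT1, SNAPSHOT_BOOT2]).items():
        print("%-28s %s" % (name, "randomized" if moved else "PREDICTABLE"))
```

Two snapshots can agree by chance, so on a real device more captures give more confidence; any region that remains fixed across all of them is a candidate for the kind of linker-based ROP the slide describes and a concrete item for the platform vendor to fix.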

FEASIBILITY FOR NATIVE RAT FOR ANDROID

•  Native stand-alone executables are easily built using the NDK
   –  Creating a Makefile and a “Hello World” is < 2 hours if familiar with GCC
•  Huge amount of new “App Analysis (Dalvik) Experts”
   –  Has any of those ever analyzed native ARM code?
   –  Can any of those handle a simple UPX-packed binary?
•  No rootkit required, people barely look at native processes
   –  Native processes do not show up in Android or 3rd party task managers
   –  Potentially visible in ps, but trivially obfuscated: strcpy(argv[0], “…”)
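Overwriting argv[0] changes only what /proc/<pid>/cmdline (and therefore ps) shows; the /proc/<pid>/exe symlink still points at the file actually running, and /proc/<pid>/comm keeps the name assigned at exec (truncated to 15 characters) unless the process calls prctl(PR_SET_NAME). Cross-checking the three is a cheap way to surface the renaming the slide describes. The following is an added example, not code from the talk; its /proc snapshot is constructed, with a placeholder path standing in for a renamed native process, and on a live system the same dictionary would be filled from /proc.

```python
"""Flag processes whose argv[0] does not match the binary actually running
(added example, not code from the talk).

The slide notes that a native process is only visible in ps, and that even
there the name is trivially forged with strcpy(argv[0], "..."). That forgery
changes /proc/<pid>/cmdline only: the /proc/<pid>/exe symlink still points at
the real file, and /proc/<pid>/comm keeps the name set at exec (truncated to
15 characters) unless the process calls prctl(PR_SET_NAME). Comparing the
three therefore surfaces the renaming. The snapshot below is constructed, not
read from a device; on a live system it would be collected from /proc.
"""
import os

# Multi-call binaries and Android's app_process legitimately run under other
# names (applet names, or the package name of the app the zygote forked), so
# they are excluded to avoid false positives.
DEFAULT_ALLOW = frozenset({"busybox", "toolbox", "toybox", "app_process"})

# Constructed /proc snapshot: pid -> cmdline bytes, exe link target, comm.
SAMPLE_SNAPSHOT = {
    1: {"cmdline": b"/init\0", "exe": "/init", "comm": "init"},
    2: {"cmdline": b"", "exe": "", "comm": "kthreadd"},
    601: {"cmdline": b"/system/bin/sh\0-c\0ls\0", "exe": "/system/bin/sh", "comm": "sh"},
    2002: {"cmdline": b"com.example.placeholder\0", "exe": "/system/bin/app_process",
           "comm": "le.placeholder"},
    # Constructed stand-in for a renamed native process (placeholder path).
    1337: {"cmdline": b"/system/bin/servicemanager\0", "exe": "/data/local/tmp/.x",
           "comm": ".x"},
}


def parse_cmdline(raw):
    """/proc/<pid>/cmdline is NUL-separated; return argv as a list of strings."""
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]


def suspicious_processes(snapshot, allow=DEFAULT_ALLOW):
    """Return (pid, argv0, exe_basename, comm, reasons) for each mismatch."""
    hits = []
    for pid, info in snapshot.items():
        argv = parse_cmdline(info["cmdline"])
        if not argv:
            continue  # kernel threads have an empty cmdline
        exe_base = os.path.basename(info["exe"].replace(" (deleted)", ""))
        if exe_base in allow:
            continue
        argv0_base = os.path.basename(argv[0]).lstrip("-")  # login shells use "-sh"
        reasons = []
        if argv0_base != exe_base:
            reasons.append("argv[0] != exe")
        if info["comm"] != exe_base[:15]:
            reasons.append("comm != exe")
        if reasons:
            hits.append((pid, argv0_base, exe_base, info["comm"], reasons))
    return hits


if __name__ == "__main__":
    for pid, argv0, exe_base, comm, reasons in suspicious_processes(SAMPLE_SNAPSHOT):
        print("pid %d: ps shows %r, exe is %r, comm %r (%s)"
              % (pid, argv0, exe_base, comm, ", ".join(reasons)))
```

The allowlist is the part that needs local tuning: on Android every app process shows its package name in ps while its exe is app_process, so without that entry the check would flag every app on the device. A deleted-on-disk executable (exe ending in " (deleted)") is worth reporting separately, since a binary that removes itself after starting is rarely a system component.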



http://www.youtube.com/watch?v=M2jxLDz5gE4

HTTP://WWW.HACKINGEXPOSED7.COM

•  Quarterly webcasts: industry leaders presenting cutting-edge topics
•  Blogs, whitepapers, and other industry resources
•  Webcast archives for on-demand viewing

CrowdStrike is a security technology company focused on helping enterprises and governments protect their most sensitive IP. CrowdStrike encompasses three core offerings: Services, Intelligence, and Technology.

•  For Incident Response services: http://www.crowdstrike.com/services.html
•  For Intelligence as a Service: email us at [email protected]
•  Technology (coming soon): if you have interest in being a beta customer, send your request to [email protected]
•  Website: www.crowdstrike.com
•  Twitter: @CrowdStrike
•  Blog: http://blog.crowdstrike.com
•  facebook.com/crowdstrike
•  youtube.com/crowdstrike

Q & A
