Creating Volatility Linux Profiles (openSUSE)

1.) Install OS in your VM (e.g. openSUSE-13.1-DVD-x86_64.iso)

2.) Fingerprint OS and kernel
$ uname -a

3.) Install Subversion in your VM and download Volatility
$ sudo zypper install subversion
$ sudo svn checkout http://volatility.googlecode.com/svn/trunk/ volatility

4.) Installing libdwarf-tools
$ sudo zypper install libdwarf-tools

5.) Creating the kernel data structures file using libdwarf-tools

a) Install the following packages via YaST:
make
gcc
kernel-devel

b) Creating vtypes
$ sudo chown -R evild3ad /home/evild3ad/volatility/tools/linux/
$ cd /home/evild3ad/volatility/tools/linux/
$ make
$ ls -l
--> module.dwarf is created

c) Getting symbols
$ cd
$ cd ..
$ cd ..
$ cd boot
$ ls -l
--> Look for System.map-* and your current kernel release (e.g. System.map-3.11.10-7-desktop)

d) Making the profile
$ cd
$ sudo zip volatility/volatility/plugins/overlays/linux/openSUSE-13.1-x86_64_3.11.10-7-desktop.zip volatility/tools/linux/module.dwarf /boot/System.map-3.11.10-7-desktop

Downloads:
OpenSUSE-13.1-i586_3.11.10-7-desktop.zip
OpenSUSE-13.1-x86_64_3.11.10-7-desktop.zip


Links:
Linux Memory Forensics
Volatility Linux Profiles
Volatility Linux Profiles by Ken Pryor
Volatility Linux Profiles by F-INSIGHT
Second Look | Linux Memory Images

Posted in English, Linux, Memory Forensics, Volatility

Creating Volatility Linux Profiles (Debian/Ubuntu)

Debian/Ubuntu:
1.) Install OS in your VM (e.g. ubuntu-13.10-desktop-amd64.iso)

2.) Fingerprint OS and kernel

$ uname --help
Usage: uname [OPTION]...
Print certain system information.  With no OPTION, same as -s.

  -a, --all                print all information, in the following order,
                             except omit -p and -i if unknown:
  -s, --kernel-name        print the kernel name
  -n, --nodename           print the network node hostname
  -r, --kernel-release     print the kernel release
  -v, --kernel-version     print the kernel version
  -m, --machine            print the machine hardware name
  -p, --processor          print the processor type or "unknown"
  -i, --hardware-platform  print the hardware platform or "unknown"
  -o, --operating-system   print the operating system
      --help     display this help and exit
      --version  output version information and exit

$ uname -a
$ uname -mrs

3.) Install Subversion in your VM and download Volatility
$ sudo apt-get install -y subversion-tools
$ sudo svn checkout http://volatility.googlecode.com/svn/trunk/ volatility

4.) Installing dwarfdump
$ sudo apt-get install dwarfdump

5.) Creating the kernel data structures file using dwarfdump
a) Creating vtypes
$ sudo chown -R evild3ad /home/evild3ad/volatility/tools/linux/
$ cd /home/evild3ad/volatility/tools/linux/
$ make
$ ls -l
--> module.dwarf is created

b) Getting symbols
$ cd
$ cd ..
$ cd ..
$ cd boot
$ ls -l
--> Look for System.map-* and your current kernel release (e.g. System.map-3.11.0-17-generic)

c) Making the profile
$ cd
$ sudo zip volatility/volatility/plugins/overlays/linux/ubuntu-13.10-desktop-amd64_3.11.0-17-generic.zip volatility/tools/linux/module.dwarf /boot/System.map-3.11.0-17-generic
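The zip step is identical for both walkthroughs (openSUSE above, Debian/Ubuntu here), and the usual failure is pairing a module.dwarf built against one kernel with a System.map from another. As an added example, not the author's or the Volatility project's code, this Python helper builds the profile zip, checks that both inputs belong to the same kernel release, and inspects the result before you copy it into volatility/plugins/overlays/linux/. It assumes the Volatility 2 loader picks the two members out of the zip by name (a '.dwarf' entry and a 'System.map*' entry).

```python
"""Build and sanity-check a Volatility 2 Linux profile zip from module.dwarf and
System.map-<release>, the last step of the walkthrough. Added helper, not part of
Volatility; it assumes the loader picks the members by name ('.dwarf' and
'System.map*'), so storing them by basename rather than full path is enough."""
import os
import re
import tempfile
import zipfile

SYSMAP_RE = re.compile(r"^System\.map-(.+)$")


def profile_name(distro, arch, release):
    """Name the zip as the post does, e.g. ubuntu-13.10-desktop-amd64_3.11.0-17-generic.zip."""
    return "%s-%s_%s.zip" % (distro, arch, release)


def check_inputs(dwarf_path, sysmap_path, release):
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems = []
    if not os.path.isfile(dwarf_path) or os.path.getsize(dwarf_path) == 0:
        problems.append("module.dwarf missing or empty (did 'make' in tools/linux succeed?)")
    if not os.path.isfile(sysmap_path):
        problems.append("System.map not found: " + sysmap_path)
    m = SYSMAP_RE.match(os.path.basename(sysmap_path))
    if not m:
        problems.append("symbol file is not named System.map-<release>")
    elif m.group(1) != release:
        # Classic mistake: module.dwarf built against one kernel, System.map from another.
        problems.append("System.map is for kernel %s, profile claims %s" % (m.group(1), release))
    return problems


def build_profile(dwarf_path, sysmap_path, out_dir, distro, arch, release):
    """Write the profile zip into out_dir and return its path; raises on bad inputs."""
    problems = check_inputs(dwarf_path, sysmap_path, release)
    if problems:
        raise ValueError("; ".join(problems))
    out = os.path.join(out_dir, profile_name(distro, arch, release))
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(dwarf_path, arcname="module.dwarf")
        zf.write(sysmap_path, arcname=os.path.basename(sysmap_path))
    return out


def inspect_profile(zip_path):
    """Report which members a loader would take as vtypes (.dwarf) and symbols (System.map)."""
    with zipfile.ZipFile(zip_path) as zf:
        names = [os.path.basename(n) for n in zf.namelist()]
    return {"dwarf": [n for n in names if n.endswith(".dwarf")],
            "sysmap": [n for n in names if SYSMAP_RE.match(n)]}


def demo_with_constructed_inputs(release="3.11.0-17-generic"):
    """Exercise the build on constructed stand-in files (not real kernel output)."""
    tmp = tempfile.mkdtemp()
    dwarf = os.path.join(tmp, "module.dwarf")
    sysmap = os.path.join(tmp, "System.map-" + release)
    with open(dwarf, "w") as f:
        f.write("<1><0x2d> DW_TAG_structure_type\n")   # placeholder, not real dwarfdump output
    with open(sysmap, "w") as f:
        f.write("ffffffff81000000 T _text\n")            # placeholder symbol line
    out = build_profile(dwarf, sysmap, tmp, "ubuntu-13.10-desktop", "amd64", release)
    mismatch = check_inputs(dwarf, sysmap, "3.11.10-7-desktop")  # wrong release is reported
    return os.path.basename(out), inspect_profile(out), mismatch


if __name__ == "__main__":
    print(demo_with_constructed_inputs())
```

On a real VM, point build_profile at volatility/tools/linux/module.dwarf and /boot/System.map-$(uname -r) and pass the release from uname -r.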
Downloads:
Ubuntu-13.10-desktop-i386_3.11.0-17-generic.zip
Ubuntu-13.10-desktop-amd64_3.11.0-17-generic.zip


Links:
Linux Memory Forensics
Volatility Linux Profiles
Volatility Linux Profiles by Ken Pryor
Volatility Linux Profiles by F-INSIGHT
Second Look | Linux Memory Images

Posted in English, Linux, Memory Forensics, Volatility

Analysis of Android.Trojan.FakeSite.A aka Perkele

Intro: What is Perkele?
Perkele is a crimeware kit used to generate Android trojans that monitor and forward SMS messages containing mTANs. Perkele made a name for itself because it can be combined with any malicious code that performs webinject attacks in the browser. It is thus a flexible cross-platform trojan that is relatively easy to create.

‘Perkele is an alternative name of Ukko, the chief god of the Finnish pagan pantheon. In modern Finnish, the interjection “perkele!” is a common profanity, approximately equivalent to “the Devil!” in meaning and “fuck!” in intensity.’ [Wikipedia]

Fig. 1: Advertisement spotted in cybercrime underground (WMZ = WebMoney; 1 WMZ = 1 USD)

Step 1: Forcing the User to Install the App
If the Windows PC of a user is compromised with Cridex (RC4-RSA variant), for example, and the user browses to his own or another bank’s website, a message is shown after the ‘login’ (no successful login is needed) presenting a new security solution that is now obligatory in order to keep using the online banking service. The new solution pretends to be an Android security application that protects the phone’s SMS messages from being intercepted by a trojan installed on the smartphone.

Fig. 2: You can ‘login’ with everything you want…my name is Cridex…and my password is 12345

Fig. 3: First of all the webinject hides the main content of the banking website.

Fig. 4: What it would look like

Fig. 5: Then follows the script that injects the new content.

Fig. 6: You have to choose Android…Perkele only supports Android.

Fig. 7: Trusteer Mobile is a mobile device security solution from the well known computer security company.

Fig. 8: There are three ways to download the malicious app: Direct-Link, QR code, and SMS with download link

Fig. 9: Let’s try SMS with download link…

Fig. 10: The download option via SMS didn’t work in my case! I didn’t receive an SMS.

Fig. 11: So let’s download the malicious app directly. No need to fake the user agent!

Screenshots: download started and finished (copied to clipboard); permissions prompt and the (malicious) application installed; activation code and QR-code preview.

The malicious application has the following characteristics:

Original name: Trusteer-Mobile.apk
Package name: com.secure.android
MD5: 727e7fc80d5658a5186f6e964a0b1401
SHA-1: 0607950fa88f2fc962f768d286bf0903b94832fe
ssdeep: 384:7XWKjGB8vxDcy3XcitOVAtvQpVJPs9l/jeCTQOen:7WkGByDf3McOVHJk9l/yCT1W
File Size: 17.295 Bytes


Trusteer-Mobile.apk
Submission date: 2013-10-18 14:23:14 UTC
Result: 12/47
Report

Download: Perkele.rar (password is infected)

Before analyzing the Dalvik code or Java source code we have to go through the AndroidManifest.xml file to understand the application’s characteristics.

Below the manifest file:

<?xml version="1.0" encoding="utf-8"?>
<manifest android:versionCode="2" android:versionName="2.0.6" package="com.secure.android"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS" />
    <application android:label="@string/app_name" android:icon="@drawable/app" android:debuggable="true">
        <activity android:theme="@*android:style/Theme.NoTitleBar.Fullscreen" android:label="@string/app_name" android:name=".MainActivity" android:screenOrientation="portrait">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:theme="@*android:style/Theme.NoTitleBar.Fullscreen" android:label="@string/app_name" android:name=".UpdateActivity" android:screenOrientation="portrait">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
            </intent-filter>
        </activity>
        <receiver android:name=".MessageReceiver" android:exported="true">
            <intent-filter android:priority="12345">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
        <service android:name=".ServerSession" />
    </application>
</manifest>

## Requested Permissions ##
android.permission.ACCESS_NETWORK_STATE (view network status):
Allows an application to view the status of all networks.

android.permission.READ_PHONE_STATE (read phone state and identity):
Allows an application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on.

android.permission.RECEIVE_SMS (receive SMS):
Allows an application to receive and process SMS messages.
Malicious applications may monitor your messages or delete them without showing them to you.

android.permission.SEND_SMS (send SMS messages):
Allows an application to send SMS messages.
Malicious applications may cost you money by sending messages without your confirmation.

android.permission.INTERNET (full Internet access):
Allows an application to create network sockets.

com.android.browser.permission.READ_HISTORY_BOOKMARKS (read Browser’s history and bookmarks):
Allows an application to read (but not write) the user’s browsing history and bookmarks.

## Activities ##
From the manifest we can identify the activities between the activity tags:
        <activity android:theme="@*android:style/Theme.NoTitleBar.Fullscreen" android:label="@string/app_name" android:name=".MainActivity" android:screenOrientation="portrait">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:theme="@*android:style/Theme.NoTitleBar.Fullscreen" android:label="@string/app_name" android:name=".UpdateActivity" android:screenOrientation="portrait">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
            </intent-filter>
        </activity>
So the two activities are com.secure.android.MainActivity and com.secure.android.UpdateActivity.

Last but not least we can also check Receivers and Services:

## Receivers ##
com.secure.android.MessageReceiver
        <receiver android:name=".MessageReceiver" android:exported="true">
            <intent-filter android:priority="12345">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>

## Services ##
com.secure.android.ServerSession
<service android:name=".ServerSession" />

Now that we’ve analysed the Manifest, we can take a look at the code.

Fig. 12: NUMBER = +79670478968 –> Russian Federation

Hardcoded URLs:
http://gameserv.4zo.biz
http://gameserv.4zo.biz/?a=

DNS Requests:
gameserv.4zo.biz (37.228.92.168) –> Russian Federation

POST Requests:
id=DeviceId&net=test420&cmd=%23BOT_INSTALL%3A+2.0.6 (Check-in)
id=DeviceId&net=test420&data=%23INSTALLED_APPS%3A+XXX
id=DeviceId&net=test420&data=%23BROWSER_HISTORY%3A+XXX
id=DeviceId&net=test420&cmd=%23SMS_INTERCEPT_STOP
id=DeviceId&net=test420&m=%23SMS_GRABBED%3A+XXX

CMD:
#BOT_INSTALL
#BOT_UPDATE
#BROWSER_HISTORY
#CMD_ID
#INSTALLED_APPS
#SMS_INTERCEPT_START
#SMS_INTERCEPT_STOP
#SMS_GRABBED
#SMS_INTERCEPTED
#SMS_SEND
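For detection over proxy or web-server logs, here is an added Python parser (mine, not the author's code) that decodes check-in bodies of the form listed above into bot id, campaign id (the net field) and verb, and flags verbs outside the CMD list. The sample bodies are constructed after the page's list, with DeviceId and XXX left as placeholders.

```python
"""Decode Perkele check-in bodies (id=<DeviceId>&net=<campaign>&cmd=%23BOT_INSTALL%3A+2.0.6)
into a record a detection rule can match on. Added example, not the author's code; the
sample bodies below are constructed after the page's list with placeholder values."""
from urllib.parse import parse_qs

# Bot verbs listed in the post; anything else is reported as unknown.
KNOWN_CMDS = {
    "BOT_INSTALL", "BOT_UPDATE", "BROWSER_HISTORY", "CMD_ID", "INSTALLED_APPS",
    "SMS_INTERCEPT_START", "SMS_INTERCEPT_STOP", "SMS_GRABBED", "SMS_INTERCEPTED",
    "SMS_SEND",
}
# The bot carries its '#VERB: payload' string in one of three fields depending on message type.
VERB_FIELDS = ("cmd", "data", "m")


def parse_beacon(body):
    """Return {bot_id, net, field, verb, payload, known}, or None when the body does not
    look like a Perkele check-in (it needs id, net and a field starting with '#')."""
    q = parse_qs(body, keep_blank_values=True)   # undoes %23 -> '#', %3A -> ':', '+' -> ' '
    if "id" not in q or "net" not in q:
        return None
    for field in VERB_FIELDS:
        if field in q and q[field][0].startswith("#"):
            verb, _, payload = q[field][0][1:].partition(":")
            return {
                "bot_id": q["id"][0],
                "net": q["net"][0],
                "field": field,
                "verb": verb,
                "payload": payload.strip(),
                "known": verb in KNOWN_CMDS,
            }
    return None


# Constructed bodies modelled on the post's list (DeviceId / XXX are placeholders).
SAMPLE_BODIES = [
    "id=DeviceId&net=test420&cmd=%23BOT_INSTALL%3A+2.0.6",
    "id=DeviceId&net=test420&data=%23INSTALLED_APPS%3A+XXX",
    "id=DeviceId&net=test420&cmd=%23SMS_INTERCEPT_STOP",
    "id=DeviceId&net=test420&m=%23SMS_GRABBED%3A+XXX",
    "id=DeviceId&net=test420&cmd=%23NOT_IN_LIST%3A+1",   # unknown verb, still a beacon
    "user=alice&pass=x",                                 # unrelated form post, ignored
]


def summarise(bodies):
    """Count verbs per campaign id ('net'); a quick triage view over a batch of bodies."""
    counts = {}
    for body in bodies:
        rec = parse_beacon(body)
        if rec:
            key = (rec["net"], rec["verb"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(parse_beacon(body))
    print(summarise(SAMPLE_BODIES))
```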

BOT_INSTALL
Queries list of installed packages:
com.secure.android.MainActivity – android.content.pm.PackageManager.getInstalledPackages

Accesses android OS build fields:
com.secure.android.ServerSession$BackgroundThread – android.os.Build$VERSION.RELEASE
com.secure.android.ServerSession$BackgroundThread – android.os.Build.BRAND
com.secure.android.ServerSession$BackgroundThread – android.os.Build.MODEL

Queries the SIM provider ISO country code:
com.secure.android.ServerSession$BackgroundThread – android.telephony.TelephonyManager.getSimCountryIso

Queries the SIM provider name:
com.secure.android.ServerSession$BackgroundThread – android.telephony.TelephonyManager.getSimOperatorName

Queries the unique device ID (IMEI, MEID or ESN):
com.secure.android.MainActivity – android.telephony.TelephonyManager.getDeviceId
com.secure.android.ServerSession$BackgroundThread – android.telephony.TelephonyManager.getDeviceId
com.secure.android.ServerSession$BackgroundThread – android.telephony.TelephonyManager.getSubscriberId
com.secure.android.ServerSession$BackgroundThread – android.telephony.TelephonyManager.getLine1Number

Sets an intent to the APK data type (used to install other APKs):
com.secure.android.UpdateActivity – android.content.Intent.setDataAndType

MainActivity
URL Parameters
AxWFz = DeviceId
MzKwx = SubscriberId
NvMAk = Line1Number
FxEdM = SimOperatorName
MzYkF = SimCountryIso
HkFwA = Build.VERSION.RELEASE
dMxEw = Build.BRAND, Build.MODEL
uWeXd = BUILD_NET
vZeWA = BUILD_VER

Step 2: The Trojan Action
After Perkele has been installed successfully, you have to enter the activation code to synchronize it with the trojan installed on your Windows system. From then on, Perkele intercepts all SMS that it can assign to online banking activities and forwards them to the criminals.

Fig. 13: Validation of activation code

Fig. 14: Enter the activation code (Activation Code = DeviceId = IMEI)

Fig. 15: After synchronization the trojan blocks the access to your banking website and starts the cashout.


Below the callgraph:


Links:
Perkele – Krebs on Security
G Data Mobile Malware Report H1/2013
Perkele – Wikipedia, the free encyclopedia
Manifest.permission | Android Developers

Posted in Android, Banking Trojan, English, Mobile Security

Analysis of Android.Zitmo-Urlzone

Intro: What is Android.Zitmo-Urlzone?
Android.Zitmo-Urlzone is the mobile “add-on” for the banking trojan Urlzone. This app, known as a Zeus In The Mobile variant, steals incoming SMS messages and uploads them to the remote server. Its primary purpose is to defeat online banking’s two-factor authentication by intercepting the confirmation SMS (mTAN) that banks send to their customers.

Step 1: Forcing the User to Install the App
If the Windows PC of a user is compromised with Urlzone and the user browses to his bank’s website, a message is shown after the login presenting a new security solution that is now obligatory in order to keep using the online banking service. The new solution pretends to be an Android application that protects the phone’s SMS messages from being intercepted by a Trojan installed on the smartphone.

Screenshots: Urlzone webinject, details pop-up, phone number validation, waiting for activation code.

To complete the installation, the user has to enter an activation code generated by the malicious app.

You can see the login credentials as plain text in the source code of the web page.

Screenshots: download link and Android security warning; enabling the Unknown sources checkbox and its warning; permissions prompt and the (malicious) application installed; the password prompt and the Smart 1.2 App Security screen.

The malicious application has the following characteristics:


Original name: SmartSecurity_ver_1_2.apk
MD5: 5f6b00bd0c7567e2a327eac8455aa4a7
SHA-1: da661e06cf48a5f7921af202589a6d6c72c5439e
ssdeep: 1536:/vWTBfBIjpOIB6GJ5I5MBHGPMKOeDIWS2Fw:XMBpIlOIBh3Iu7e1M
File Size: 103.078 Bytes


Android.Zitmo-Urlzone.apk
Submission date: 2013-09-12 07:28:33 UTC
Result: 23/47
Report

Download: Android.Zitmo-Urlzone.rar (password is infected)

Before analyzing the Dalvik code or Java source code we have to go through the AndroidManifest.xml file to understand the application’s characteristics.

Below the manifest file:

<?xml version="1.0" encoding="utf-8"?>
<manifest android:versionCode="1" android:versionName="1.0" package="com.guard.smart"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:theme="@style/AppTheme" android:label="@string/app_name" android:icon="@drawable/zamok" android:allowBackup="true">
        <activity android:label="@string/app_name" android:name="com.guard.smart.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <service android:name=".IDLEService" android:enabled="true" />
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="1000">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
        <receiver android:name="com.guard.smart.TimerReceiver" />
        <receiver android:name=".onBootReceiver" android:enabled="true" android:exported="false">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
    </application>
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
</manifest>

## Requested Permissions ##
android.permission.RECEIVE_SMS (receive SMS):
Allows an application to receive and process SMS messages.
Malicious applications may monitor your messages or delete them without showing them to you.

android.permission.ACCESS_NETWORK_STATE (view network status):
Allows an application to view the status of all networks.

android.permission.INTERNET (full Internet access):
Allows an application to create network sockets.

android.permission.RECEIVE_BOOT_COMPLETED (automatically start at boot):
Allows an application to start itself as soon as the system has finished booting.

android.permission.SEND_SMS (send SMS messages):
Allows an application to send SMS messages.
Malicious applications may cost you money by sending messages without your confirmation.

android.permission.READ_PHONE_STATE (read phone state and identity):
Allows an application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on.

android.permission.WAKE_LOCK (prevent phone from sleeping):
Allows an application to prevent the phone from going to sleep.

## Activities ##
From the manifest we can identify the Main Activity between the activity tags:
        <activity android:label="@string/app_name" android:name="com.guard.smart.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
So com.guard.smart.MainActivity is the main activity and it’ll be the first class invoked from the malware.

Last but not least we can also check Services and Receivers:

## Services ##
com.guard.smart.IDLEService
<service android:name=".IDLEService" android:enabled="true" />

## Receivers ##
com.guard.smart.SmsReceiver
com.guard.smart.TimerReceiver
com.guard.smart.onBootReceiver
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="1000">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
        <receiver android:name="com.guard.smart.TimerReceiver" />
        <receiver android:name=".onBootReceiver" android:enabled="true" android:exported="false">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
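Both manifests on this page (Perkele above and Zitmo-Urlzone here) show the same pattern: a receiver on SMS_RECEIVED with a high priority, RECEIVE_SMS together with INTERNET, and, in this sample, a BOOT_COMPLETED receiver for persistence. The Python triage below is an added example, not tooling from the author; it pulls those indicators out of a decoded manifest such as apktool produces, and SAMPLE_MANIFEST is trimmed from the Zitmo-Urlzone manifest above to its receivers and permissions.

```python
"""Triage a decoded AndroidManifest.xml (as apktool emits it) for the SMS-stealer
pattern both samples share. Added example, not the author's tooling; the sample
manifest below is constructed from the Zitmo-Urlzone receivers and permissions."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(xml_text):
    """Return (kind, subject, priority) findings; an empty list means no indicator hit."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    findings = []
    for recv in root.iter("receiver"):
        name = recv.get(NS + "name") or ""
        if name.startswith("."):            # shorthand relative to the package name
            name = pkg + name
        for flt in recv.iter("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                # A high priority lets the receiver see the SMS before the default
                # messaging app; Perkele sets 12345, Zitmo-Urlzone 1000.
                findings.append(("sms_receiver", name, int(flt.get(NS + "priority") or 0)))
            if BOOT_COMPLETED in actions:
                findings.append(("boot_persistence", name, 0))
    if {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"} <= perms:
        findings.append(("sms_exfil_capable", "RECEIVE_SMS+INTERNET", 0))
    if "android.permission.SEND_SMS" in perms:
        findings.append(("can_send_sms", "SEND_SMS", 0))
    app = root.find("application")
    if app is not None and app.get(NS + "debuggable") == "true":
        findings.append(("debuggable", pkg, 0))       # Perkele's manifest sets this
    return findings


# Constructed sample: receivers and permissions only, taken from the manifest above.
SAMPLE_MANIFEST = """<manifest package="com.guard.smart"
  xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:label="@string/app_name">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="1000">
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
        <receiver android:name="com.guard.smart.TimerReceiver" />
        <receiver android:name=".onBootReceiver" android:exported="false">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>
    </application>
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
</manifest>"""

if __name__ == "__main__":
    for kind, subject, prio in triage_manifest(SAMPLE_MANIFEST):
        print(kind, subject, prio)
```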
Now that we’ve analysed the Manifest, we can take a look at the code.

The method onCreate() is what we are interested in, so here’s the code:
  protected void onCreate(Bundle paramBundle)
  {
    super.onCreate(paramBundle);
    j = getApplicationContext();
    a.c(j);
    if (!b[0].isEmpty())
      a.a(j);
    if (f.isEmpty())
    {
      setContentView(2130903040);
      ((Button)findViewById(2131165187)).setOnClickListener(new c(this));
      return;
    }

The malware is clearly able to survive a reboot. If you scroll up to the manifest explanation you’ll see that the RECEIVE_BOOT_COMPLETED permission and the onBootReceiver receiver are requested in order to remain persistent on the system.

Here is its code:
public class onBootReceiver extends BroadcastReceiver
{
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    if ("android.intent.action.BOOT_COMPLETED".equals(paramIntent.getAction()));
    try
    {
      a.c(paramContext);
      if (!MainActivity.b[0].isEmpty())
        a.a(paramContext);
      return;
    }
    catch (Exception localException)
    {
    }
  }
}

Checks if internet connection is available:
Source: com.guard.smart.a –> API Call: android.net.ConnectivityManager.getActiveNetworkInfo
Source: com.guard.smart.a –> API Call: android.net.NetworkInfo.isConnected

Queries the unique device ID (IMEI, MEID or ESN):
Source: com.guard.smart.a –> API Call: android.telephony.TelephonyManager.getLine1Number
Source: com.guard.smart.a –> API Call: android.telephony.TelephonyManager.getDeviceId

## File operations ##
write /data/data/com.android.de.avguard/cfg.txt

Hardcoded URLs:
http://appsmartsystem.com/sms/me.php
http://appsecuritysystem.com/sms/me.php

URL Parameters
dd=%DD%
devid=%DEVID%
login=%LOGIN%
number=%NUMBER%
phone=%PHONE%

POST Requests:
http://securesmartconnect.com/ss/app.php
http://securesmartconnect.net/ss/app.php

Step 2: The Trojan Action
After the Trojan has been installed successfully, all incoming SMS messages will be intercepted and sent to the attacker’s server.

Below the callgraph:



Links:
APK Tool – A tool for reverse engineering Android apk files
dex2jar – Tools to work with android .dex and java .class files
Manifest.permission | Android Developers

Posted in Android, Banking Trojan, English, Malware Forensics, Mobile Security