
[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN


2014 CodeEngn Conference 11

Understanding how a bootkit works on Android

A bootkit is a form of malware that infects the device during the boot process so that, once running, it can hide its own presence and make detection and removal by antivirus software difficult. The Oldboot bootkit was discovered on Android in January 2014. This presentation therefore covers how the bootkit used on Android operates and what distinguishes it.

http://codeengn.com/conference/11
http://codeengn.com/conference/archive

Published in: Education


  1. Android Bootkit Malware Analysis. Kim, Hobin, HobinKim125@gmail.com, www.CodeEngn.com, 2014 CodeEngn Conference 11
  2. What is a Bootkit? • Bootkit = Rootkit + boot capability • The boot sector of a disk infects the host when it is loaded during the boot process • Example: Windows MBR rootkit
  3. Android Boot Partition • The boot partition of Android devices uses a RAM disk file system • It consists of the Linux kernel (zImage) and the root file system ramdisk (initrd; initial ramdisk)
  4. Android Boot Process • Bootloader → Kernel (Linux) → init (init.rc) • The init process is the first process on Android
  5. Stealth Technique of an Android Bootkit • Modifies the device's boot partition and boot script during the early stage of system boot in order to hide and protect itself • Launches a system service as root and extracts the malware app as a system app
  6. Characteristics of an Android Bootkit • Bypasses built-in kernel-level security restrictions • Difficult for AV to detect and remove
  7. Oldboot: The First Android Bootkit • Oldboot • Reported by Qihoo 360 in China • The first bootkit officially found on Android in the wild • More than 500,000 Android devices infected in China • Proof that the boot partition of Android can be infected easily
  8. How Can Android Be Infected? • The attacker has a chance to physically touch the device and flash a malicious boot.img image file to the boot partition of the disk
  9. How Can Android Be Infected? (cont.) • Qihoo 360 found the infected devices in a big IT mall in Beijing • The recovery partition had been replaced by a custom recovery ROM, and the timestamps of all files in the boot partition were the same
  10. How Can Android Be Infected? (cont.) • Based on Qihoo's cloud security technology, they found that almost all infected devices were well-known models such as the Galaxy Note II
  11. Oldboot Bootkit's Components • Oldboot.a • init.rc (modified) • imei_chk (located at /sbin) • libgooglekernel.so (located at /system/lib) • GoogleKernel.apk (located at /system/app)
  12. Analyzing the init process (init.rc) • Content of the modified init.rc • Adds the imei_chk service, running as root
  13. Analyzing imei_chk • Extracts .so files
  14. Analyzing imei_chk (cont.) • Extracts APK files
  15. Analyzing imei_chk (cont.) • Socket listening and read
  16. Analyzing imei_chk (cont.) • Executes received commands
  17. Analyzing GoogleKernel.apk • GoogleKernel.apk's AndroidManifest.xml
  18. Analyzing GoogleKernel.apk (cont.) • GoogleKernel.apk's AndroidManifest.xml
  19. Analyzing GoogleKernel.apk (cont.) • BootRecv service
  20. Analyzing GoogleKernel.apk (cont.) • EventsRecv service
  21. Analyzing GoogleKernel.apk (cont.) • Dalvik service
  22. Analyzing GoogleKernel.apk (cont.) • Incomplete malicious function
  23. Analyzing GoogleKernel.apk (cont.) • Communicates with libgooglekernel.so via JNI
  24. Analyzing libgooglekernel.so • Connects to its C&C servers to download configuration files
  25. Analyzing libgooglekernel.so (cont.) • Location of the C&C server
  26. Analyzing libgooglekernel.so (cont.) • Location of the C&C server
  27. Analyzing libgooglekernel.so (cont.) • Downloading the APK file
  28. Analyzing libgooglekernel.so (cont.) • Downloading the APK file
  29. Analyzing libgooglekernel.so (cont.) • Installs the downloaded APK as a system application
  30. Analyzing libgooglekernel.so (cont.) • Deletes a system application
  31. Oldboot.a Running Flow Chart (diagram; node labels: init process, init.rc, system server, imei_chk, GoogleKernel.apk, libgooglekernel.so, JNI, socket)
  32. Key Points of Android Bootkit Malware • A totally new malware attack method on Android • Not only the APK can be infected
  33. References • Oldboot: the first bootkit on Android, Zihang Xiao, Qing Dong, Hao Zhang & Xuxian Jiang, Qihoo 360 • Advanced Bootkit Techniques on Android, Zhangqi Chen & Di Shen @ SyScan360 • Android Hacker's Handbook, Drake, Oliva Fora, Lanier, Mulliner, Ridley, Wicherski, Wiley • Inside Android (인사이드 안드로이드), 송형주, 김태연, 박지훈, 이백, 임기영, Wikibooks • Everything About Android: Analysis and Porting (안드로이드의 모든 것 분석과 포팅), 고현철, 유형목, Hanbit Media • http://contagiominidump.blogspot.kr/
  34. Q & A • Any questions so far? www.CodeEngn.com 2014 CodeEngn Conference 11
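As an added defensive example (not code from the talk, from Qihoo 360, or from the Oldboot sample): slides 11 and 12 describe the bootkit's foothold as a modified init.rc that starts the imei_chk service from /sbin as root. The Python check below parses the `service <name> <path>` blocks of an init.rc the way init reads them (a service runs as root unless a `user` option says otherwise) and reports every service that is absent from a known-good baseline or whose binary path changed. The sample init.rc and the baseline dictionary are constructed for this example; a real check would build the baseline from the vendor's stock boot image.

```python
"""Baseline check for service definitions in an Android init.rc (added example)."""
import re
from dataclasses import dataclass, field

# `service <name> <pathname> [ <argument> ]*` opens a service block in init.rc.
SERVICE_RE = re.compile(r"^service\s+(\S+)\s+(\S+)(.*)$")


@dataclass
class Service:
    name: str
    path: str
    user: str = "root"  # init starts services as root unless a `user` option is given
    options: list = field(default_factory=list)


def parse_init_rc(text):
    """Return the services defined in an init.rc, with their effective user."""
    services = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            current = Service(name=m.group(1), path=m.group(2))
            services.append(current)
            continue
        if line.startswith(("on ", "import ")):
            current = None  # an action or import section ends the service block
            continue
        if current is not None:
            if line.startswith("user "):
                current.user = line.split(None, 1)[1]
            current.options.append(line)
    return services


def find_unexpected_services(services, baseline):
    """Flag services missing from the baseline or pointing at a different binary.

    Each finding is (service name, reason, binary path, effective user)."""
    findings = []
    for svc in services:
        expected = baseline.get(svc.name)
        if expected is None:
            findings.append((svc.name, "not in baseline", svc.path, svc.user))
        elif expected != svc.path:
            findings.append((svc.name, "path changed", svc.path, svc.user))
    return findings


# Constructed sample: two stock-looking services plus the entry the slides
# attribute to the bootkit (imei_chk started from /sbin as root).
SAMPLE_INIT_RC = """
import /init.usb.rc

on boot
    class_start core

service servicemanager /system/bin/servicemanager
    class core
    user system
    group system

service adbd /sbin/adbd
    class core
    disabled

# entry modelled on the modified init.rc described in the slides
service imei_chk /sbin/imei_chk
    class core
    user root
    group root
"""

# Constructed baseline: service name -> expected binary path from a stock image.
BASELINE = {
    "servicemanager": "/system/bin/servicemanager",
    "adbd": "/sbin/adbd",
}


def run_sample():
    """Run the check over the constructed init.rc and return the findings."""
    return find_unexpected_services(parse_init_rc(SAMPLE_INIT_RC), BASELINE)


if __name__ == "__main__":
    for name, reason, path, user in run_sample():
        print(f"{name}: {reason} (binary {path}, runs as {user})")
```

Because init defaults every service to root, the check records the effective user rather than relying on an explicit `user root` line, so a service block that simply omits the option is still reported as running as root. Comparing against a baseline rather than a blocklist is deliberate: a bootkit can name its service anything, but it cannot avoid adding a block that the stock init.rc never had.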
