Hacking Exposed Live: Mobile Targeted Threats

http://www.hackingexposed7.com/

Published in: Technology
  • Be the first to comment

Hacking Exposed Live: Mobile Targeted Threats

  1. George Kurtz, President & CEO, CrowdStrike
     Georg Wicherski, Senior Security Researcher, CrowdStrike
     Alex Radocea, Senior Security Researcher, CrowdStrike
     © 2012 CrowdStrike, Inc. All rights reserved.
  2. BEFORE WE GET STARTED…
     • Questions
       – Via GoToWebinar, in the Questions tab; all questions will be addressed at the end of the session
       – Via Twitter; engage in real time: @CrowdStrike #hackingexposed7
  3. A LITTLE ABOUT US: GEORGE KURTZ, President & CEO, CrowdStrike
     • In security for ~20 years
     • Former CTO, McAfee
     • Former CEO, Foundstone
     • Co-Author, Hacking Exposed
     • Twitter: @George_Kurtz
     • Blog: www.securitybattlefield.com
  4. A LITTLE ABOUT US: GEORG WICHERSKI, Senior Security Researcher, CrowdStrike
     • Focuses on analyzing advanced threats
     • Likes to put himself in the attackers’ shoes
     • Loves working low level on bytecode
     • New interest in ARM architecture
     • Twitter: @ochsff
  5. A LITTLE ABOUT US: ALEX RADOCEA, Senior Engineer, CrowdStrike
     • Application Security Assessment at Matasano
     • Product Security Team at Apple
     • Dabbles in hardware reverse engineering
     • Upcoming talk: Ekoparty 2012
     • Twitter: @defendtheworld
  6. THREAT EVOLUTION AND OUTLINE
     • Commercial RATs
       – Manually installed
       – “Spy on your girlfriend” apps
     • Targeted RATs
       – Observed real-world attacks
       – Simple, regular apps
     • Advanced Threats
       – Demo of browser-based compromise
       – What are we just not seeing?
  7. WHAT IS A RAT?
     • Remote Access Tools, better known as RATs
     • Post-exploitation tool
     • Allows administrative control over the compromised system
     • Adversaries have been targeting conventional computing platforms (PCs) for many years
  8. RAT FUNCTIONALITY
     • Backdoor functionality and a host of other nefarious features
       – Activate video cameras and microphones
       – Take pictures of remote systems
       – Exfiltration: send back files
       – Run remote commands
       – Log keystrokes
  9. GRANDDADDY OF RATS: Back Orifice, NetBus
  10. WHAT IS UBIQUITOUS?
  11. HAS A CAMERA?
  12. HAS A MICROPHONE?
  13. KNOWS WHERE YOU ARE?
  14. IS ALWAYS ON?
  15. …AND STORES YOUR SENSITIVE INFORMATION?
  16. (image only)
  17. DAWN OF A NEW ERA: MOBILE RATs
     • Smartphones are PCs that fit in the palm of your hand
     • Perfect tool to:
       – Intercept calls
       – Intercept TXTs
       – Intercept emails
       – Capture remote video
       – Listen to sensitive conversations
       – Track location via GPS
  18. (image only)
  19. COMMERCIAL RAT DELIVERY
     • Usually requires physical access to the target device
     • The attacker must know the target’s password or the device must be unlocked
     • Manual installation via web page or 3rd-party market
     • iOS devices require a jailbreak
  20. FlexiSPY
     • Emerged in the 2006 timeframe as consumer-marketed cell phone spying software
     • Capabilities include:
       – Monitoring email
       – Monitoring SMS/MMS
       – Monitoring chat/Facebook/WhatsApp
       – Number flagging
       – Call intercept (only live calls)
       – Hot mic
       – SMS C2
  21. FlexiSPY LOGS
  22. (image only)
  23. TARGETED RATs
     • Android: mostly regular apps
       – Written in Java using the Android SDK and compiled to Dalvik code
       – Often not even obfuscated (original names retained); there are public SDK tools to conceal at least the names of non-exported classes and members
       – Easy to reverse to Java code (.dex → .class → .java)
       – Visibility issue, or principle of least effort required?
     • iOS targeted RAT ecosystem largely unexplored
       – But commercial RATs well-known and documented
       – Happening for sure, but just no good visibility
  24. CASE STUDY: LUCKY CAT (background)
     • Targeted espionage-type operation
       – Engineering and research targets
       – Political activists
     • Windows malware attributed to Chinese developers
       – Likely government-sponsored civil hacktivism
       – First seen in June 2011
       – http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf
     • Android malware LuckyCat.A found on C2 servers
  25. LUCKYCAT.A ANALYSIS
     • Simple service-based app that registers for the BOOTUP intent
       – Starts automatically when the phone is turned on
     • Reports general information (phone number, IMEI, …) on connect
     • Can read and write arbitrary files and list directories
       – Linux is Unix: “anything is a file”
       – All logic and parsing on the C2 (client) side, not exposed to analysis
     • Utilizes a custom “encryption” / obfuscation algorithm
  26. LUCKYCAT.A BEACON INFORMATION
     • Obtains current phone number
       – Chinese error / status message
     • Beacons
       – Phone number as MAC
       – Current IP
       – Per-incident identifier
  27. LUCKYCAT.A FILE COMMANDS
     • Only supports file-based commands
       – Directory content listing
       – Download / upload file from / to phone
     • Any interaction with the system must be done through this simple mechanism
  28. (image only)
  29. FINSPY MOBILE FOR IOS
     • Commercial mobile RAT sold to governments
       – “Enterprise” software development
       – Proper encryption, communication protocol, ...
     • Analyzed iOS sample: a stolen demo binary
       – Courtesy of CitizenLab.org
     • Capabilities similar to previous commercial RATs
     • iOS variant requires a jailbroken device or an LPE exploit
  30. FINSPY MOBILE FOR IOS INSTALLATION
     • One initial dropper, install_manager.app
     • Ad-hoc distribution with hardcoded UDIDs to run on
     • Certificate registered to Gamma International, Inc.
     • Drops the four FinSpy binaries to suid’able directories
       – installer, manages persistence in the system
       – logind.app, daemon wrapper invoked by launchd on boot
       – trampoline.app, a broken no-op in our sample
       – SyncData.app, the main backdoor that calls home
  31. FINSPY LPE MISSING LINK
     • installer.app copies binaries to /Application and /System
     • On a non-jailbroken device this is prohibited by the sandbox
     • installer.app requests root privilege with seteuid(0)
       – Typical for a program started with the suid bit
     • install_manager.app searches suid’able partitions
  32. FINSPY LPE MISSING LINK (CONT.)
     • trampoline.app is a no-op in our binary
       – Invoked by install_manager.app with the path to installer
       – Includes snippets that build paths from arguments
       – Apparently cut off / sanitized at source level
     • Placeholder to disable the sandbox and suid the installer to infect non-jailbroken devices?
       – Given trampoline.app is not an exploit itself
       – Checked all entry points and loader behavior
  33. UDID LEAK IMPACT
     • 1,000,000 UDIDs leaked
     • UDID, APNs tokens, device name leaked from unknown source
     • Ad-hoc distribution profile requires UDID; each profile covers up to 100 devices
       – User interaction required for installation
       – Code still sandboxed
     • Device information reportedly leaked from Blue Toad
  34. (image only)
  35. FEASIBILITY STUDY RATIONALE
     • Mobile exploits being actively bought on the “market”
       – iOS, BlackBerry, Android (loosely ordered by price)
       – Remote: baseband, browser and SMS apps
       – Local: really anything that gets you elevated privileges
     • Development of payload up to the customer
       – FinSpy Mobile looks like a good fit for LPE trampoline.app
     • We know these attacks are out there, yet we do not have conclusive evidence.
     • “If the mobile manufacturers don’t give us root privileges, only the attackers will have root privileges.”
  36. ANDROID 4.0.1 BROWSER EXPLOIT
     • Vulnerability in WebKit (fixed in 4.0.2, public since Nov 2011)
       – No CVE assigned, just a bug leading to degraded user experience…
     • Circumvents XN & partial ASLR on Android 4.0.1
       – Android ≥ 2.3 activates XN, comparable to the x86 NX bit; requires hardware support, but most phones do support it
       – Android ≥ 4.0 adds partial ASLR; heap, stack and dynamic linker still at predictable addresses
       – Android ≥ 4.1 adds full ASLR
     • Use ROP in the dynamic linker to circumvent the 4.0 mitigations
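The partial-versus-full ASLR distinction on slide 36, and the XN claim, can be checked on a device instead of inferred from the version number. The C program below is an added example written for this page, not the exploit from the talk, and it contains no ROP chain: it parses /proc/<pid>/maps, reports where the stack, heap and dynamic linker landed, and counts mappings that are writable and executable at the same time. Run it twice; a base address that repeats across runs is not randomised, which is the condition that lets an attacker pick ROP gadgets in the linker without an information leak. SAMPLE_MAPS is constructed test data modelled on an Android 4.0-era layout, not a capture from a real phone, and the glibc fallback path name is an assumption for running it on a desktop.

```c
/* Added example (not from the talk): audit /proc/<pid>/maps for ASLR coverage
 * and for writable+executable mappings.  SAMPLE_MAPS is constructed test data. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned long start, end;
    char perms[8];
    char path[256];
} map_entry;

/* Parse one maps line: "start-end perms offset dev inode [path]".  Returns 1 on
 * success.  The path is copied verbatim (it may be empty for anonymous maps). */
int parse_maps_line(const char *line, map_entry *e) {
    int used = 0;
    if (sscanf(line, "%lx-%lx %7s%n", &e->start, &e->end, e->perms, &used) < 3) return 0;
    const char *p = line + used;
    for (int field = 0; field < 3; field++) {        /* skip offset, dev, inode */
        while (*p == ' ') p++;
        while (*p && *p != ' ' && *p != '\n') p++;
    }
    while (*p == ' ') p++;
    size_t n = strcspn(p, "\n");
    if (n >= sizeof e->path) n = sizeof e->path - 1;
    memcpy(e->path, p, n);
    e->path[n] = '\0';
    return 1;
}

/* Start address of the first mapping whose path contains `needle`, 0 if none. */
unsigned long find_mapping(const char *maps, const char *needle) {
    for (const char *line = maps; *line; ) {
        map_entry e;
        if (parse_maps_line(line, &e) && strstr(e.path, needle)) return e.start;
        const char *nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* Number of mappings that are writable and executable at once (XN defeated). */
int count_wx_mappings(const char *maps) {
    int n = 0;
    for (const char *line = maps; *line; ) {
        map_entry e;
        if (parse_maps_line(line, &e) && strchr(e.perms, 'w') && strchr(e.perms, 'x')) n++;
        const char *nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    return n;
}

/* Constructed sample in the style of an Android 4.0 process: the linker and
 * heap sit at fixed addresses and one anonymous rwx mapping is present. */
const char SAMPLE_MAPS[] =
    "00008000-0001a000 r-xp 00000000 b3:0a 1234       /system/bin/app_process\n"
    "0001b000-0001c000 rw-p 00013000 b3:0a 1234       /system/bin/app_process\n"
    "0001c000-0004a000 rw-p 00000000 00:00 0          [heap]\n"
    "40000000-40001000 rwxp 00000000 00:00 0 \n"
    "4a123000-4a2ff000 r-xp 00000000 b3:0a 5678       /system/lib/libwebcore.so\n"
    "b0001000-b0009000 r-xp 00000000 b3:0a 91         /system/bin/linker\n"
    "be8c3000-be8e4000 rw-p 00000000 00:00 0          [stack]\n";

int main(void) {
    static char buf[1 << 16];
    const char *maps = SAMPLE_MAPS;
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        maps = buf;
    } else {
        puts("no /proc/self/maps here; auditing the constructed sample instead");
    }
    unsigned long ld = find_mapping(maps, "/system/bin/linker");
    if (!ld) ld = find_mapping(maps, "/ld-");        /* glibc hosts (assumed name) */
    printf("[stack] at 0x%lx\n", find_mapping(maps, "[stack]"));
    printf("[heap]  at 0x%lx\n", find_mapping(maps, "[heap]"));
    printf("linker  at 0x%lx\n", ld);
    printf("writable+executable mappings: %d\n", count_wx_mappings(maps));
    return 0;
}
```

On the constructed sample the linker reports 0xb0001000 and the heap 0x1c000 every time, which is the partial-ASLR picture the slide describes; on a 4.1 device or a modern Linux host all three addresses change between runs and the rwx count should be 0.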
  37. FEASIBILITY FOR NATIVE RAT FOR ANDROID
     • Native stand-alone executables are easily built using the NDK
       – Creating a Makefile and a “Hello World” is < 2 hours if familiar with GCC
     • Huge amount of new “App Analysis (Dalvik) Experts”
       – Has any of those ever analyzed native ARM code?
       – Can any of those handle a simple UPX-packed binary?
     • No rootkit required; people barely look at native processes
       – Native processes do not show up in Android or 3rd-party task managers
       – Potentially visible in ps, but trivially obfuscated: strcpy(argv[0], “…”)
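The strcpy(argv[0], “…”) trick on slide 37 works because /proc/<pid>/cmdline, which is what ps prints, is read out of the process’s own argv memory, while /proc/<pid>/exe and /proc/<pid>/comm are fixed by the kernel at execve() and do not follow. The C program below is an added example, not code from the talk: it performs the overwrite on itself and then applies the cross-check a defender would run over every process in /proc. The fake process name is an illustrative assumption. It also shows the caveat the slide leaves out: the new name has to fit in the original argv[0] allocation, because the other arguments and the environment follow it in memory.

```c
/* Added example (not from the talk): disguise argv[0] the way the slide
 * describes, then detect it by cross-checking cmdline against exe and comm.
 * The fake name "/system/bin/debuggerd" is an illustrative assumption. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Overwrite argv[0] in place with `fake`.  argv strings are packed back to back
 * and followed by the environment, so writing past the original length would
 * corrupt them; a longer name is truncated.  Returns the bytes written. */
size_t disguise_argv0(char *argv0, const char *fake) {
    size_t room = strlen(argv0);
    size_t n = strlen(fake);
    if (n > room) n = room;
    memset(argv0, 0, room);
    memcpy(argv0, fake, n);
    return n;
}

/* Component after the last '/', or the whole string if there is none. */
static const char *base_name(const char *path) {
    const char *s = strrchr(path, '/');
    return s ? s + 1 : path;
}

/* Defender-side check.  Returns 1 when the argv[0] read from cmdline disagrees
 * with the executable behind /proc/<pid>/exe, or when the kernel's comm (the
 * first 15 bytes of the exe basename, set at execve) disagrees with exe. */
int looks_disguised(const char *cmdline_argv0, const char *exe_path, const char *comm) {
    const char *exe_base = base_name(exe_path);
    if (strcmp(base_name(cmdline_argv0), exe_base) != 0) return 1;
    if (strncmp(comm, exe_base, 15) != 0) return 1;
    return 0;
}

/* Read a small /proc file into buf, NUL-terminated, stripping a trailing
 * newline (comm has one).  Returns the length or -1 on failure. */
static long read_proc(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    if (n && buf[n - 1] == '\n') buf[--n] = '\0';
    return (long)n;
}

int main(int argc, char **argv) {
    char exe[4096], cmdline[4096], comm[64];
    (void)argc;
    ssize_t len = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (len < 0) { perror("readlink /proc/self/exe"); return 1; }
    exe[len] = '\0';

    disguise_argv0(argv[0], "/system/bin/debuggerd");   /* assumed fake name */

    /* cmdline is NUL-separated; its first field is argv[0] as ps shows it. */
    if (read_proc("/proc/self/cmdline", cmdline, sizeof cmdline) < 0) return 1;
    if (read_proc("/proc/self/comm", comm, sizeof comm) < 0) return 1;

    printf("ps shows : %s\ncomm     : %s\nexe      : %s\n", cmdline, comm, exe);
    printf("disguised: %s\n", looks_disguised(cmdline, exe, comm) ? "yes" : "no");
    return 0;
}
```

The same three reads applied to every numeric entry in /proc give a process list that does not trust argv[0]; a process whose cmdline, comm and exe disagree is either a legitimate renamer (shells and some daemons do this) or exactly the kind of native implant the slide says nobody looks for.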
  38. (image only)
  39. http://www.youtube.com/watch?v=M2jxLDz5gE4
  40. HTTP://WWW.HACKINGEXPOSED7.COM
     • Quarterly webcasts: industry leaders presenting cutting-edge topics
     • Blogs, whitepapers, and other industry resources
     • Webcast archives for on-demand viewing
  41. CrowdStrike is a security technology company focused on helping enterprises and governments protect their most sensitive IP. CrowdStrike encompasses three core offerings: Services, Intelligence, and Technology.
     • For Incident Response services: http://www.crowdstrike.com/services.html
     • For Intelligence as a Service: email intelligence@crowdstrike.com
     • Technology (coming soon): if you have interest in being a beta customer, send your request to beta@crowdstrike.com
     • Website: www.crowdstrike.com | @CrowdStrike | Blog: http://blog.crowdstrike.com | facebook.com/crowdstrike | youtube.com/crowdstrike
  42. Q&A
  43. (image only)
