Hacking Exposed Live: Mobile Targeted Threats
Published on http://www.hackingexposed7.com/
1. George Kurtz, President & CEO, CrowdStrike
   Georg Wicherski, Senior Security Researcher, CrowdStrike
   Alex Radocea, Senior Security Researcher, CrowdStrike
   © 2012 CrowdStrike, Inc. All rights reserved.
2. BEFORE WE GET STARTED…
   •  Questions
      –  Via GoToWebinar in the Questions tab
         –  All questions will be addressed at the end of the session
      –  Via Twitter
         –  Engage real-time: @CrowdStrike #hackingexposed7
3. A LITTLE ABOUT US: GEORGE KURTZ
   President & CEO, CrowdStrike
   •  In security for ~20 years
   •  Former CTO, McAfee
   •  Former CEO, Foundstone
   •  Co-Author, Hacking Exposed
   •  Twitter: @George_Kurtz
   •  Blog: www.securitybattlefield.com
4. A LITTLE ABOUT US: GEORG WICHERSKI
   Senior Security Researcher, CrowdStrike
   •  Focuses on analyzing advanced threats
   •  Likes to put himself in the attackers’ shoes
   •  Loves working low level on bytecode
   •  New interest in ARM architecture
   •  Twitter: @ochsff
5. A LITTLE ABOUT US: ALEX RADOCEA
   Senior Engineer, CrowdStrike
   •  Application Security Assessment at Matasano
   •  Product Security Team at Apple
   •  Dabbles in hardware reverse engineering
   •  Upcoming talk: Ekoparty 2012
   •  Twitter: @defendtheworld
6. THREAT EVOLUTION AND OUTLINE
   Commercial RATs
   •  Manually installed
   •  “Spy on your girlfriend”
   Targeted RATs
   •  Observed real-world attacks
   •  Simple, regular apps
   Advanced Threats
   •  Demo of browser-based compromise
   •  What are we just not seeing?
7. WHAT IS A RAT?
   •  Remote Access Tools, better known as RATs
   •  Post-exploitation tool
   •  Allows administrative control over the compromised system
   •  Adversaries have been targeting conventional computing platforms (PCs) for many years
8. RAT FUNCTIONALITY
   •  Backdoor functionality and a host of other nefarious features
      –  Activate video cameras and microphones
      –  Take pictures of remote systems
      –  Exfiltration: send back files
      –  Run remote commands
      –  Log keystrokes
9. GRANDDADDY OF RATS: Back Orifice, NetBus
10. WHAT IS UBIQUITOUS?
11. HAS A CAMERA?
12. HAS A MICROPHONE?
13. KNOWS WHERE YOU ARE?
14. IS ALWAYS ON?
15. …AND STORES YOUR SENSITIVE INFORMATION?
17. DAWN OF A NEW ERA: MOBILE RATs
   •  Smartphones are PCs that fit in the palm of your hand
   •  Perfect tool to:
      –  Intercept calls
      –  Intercept text messages (SMS)
      –  Intercept emails
      –  Capture remote video
      –  Listen to sensitive conversations
      –  Track location via GPS
19. COMMERCIAL RAT DELIVERY
   •  Usually requires physical access to the target device
   •  The attacker must know the target’s passcode, or the device must be unlocked
   •  Manual installation via web page or 3rd-party market
   •  iOS devices require a jailbreak
20. FlexiSPY
   •  Emerged in the 2006 timeframe as consumer-marketed cell phone spying software
   •  Capabilities include:
      –  Monitoring email
      –  Monitoring SMS/MMS
      –  Monitoring chat/Facebook/WhatsApp
      –  Number flagging
      –  Call intercept (live calls only)
      –  Hot mic
      –  SMS C2
21. FlexiSPY LOGS
23. TARGETED RATs
   •  Android: mostly regular apps
      –  Written in Java using the Android SDK and compiled to Dalvik bytecode
      –  Often not even obfuscated (original names retained)
         –  There are public SDK tools (ProGuard ships with the SDK) to conceal at least the names of non-exported classes and members
      –  Easy to reverse to Java source (.dex → .class → .java)
      –  Visibility issue, or is the principle of least effort all that is required?
   •  iOS targeted RAT ecosystem largely unexplored
      –  But commercial RATs are well known and documented
      –  Happening for sure, we just have no good visibility
24. CASE STUDY: LUCKY CAT (background)
   •  Targeted espionage-type operation
      –  Engineering and research targets
      –  Political activists
   •  Windows malware attributed to Chinese developers
      –  Likely government-sponsored civil hacktivism
      –  First seen in June 2011
      –  http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf
   •  Android malware LuckyCat.A found on the C2 servers
25. LUCKYCAT.A ANALYSIS
   •  Simple Service-based app that registers a receiver for the BOOT_COMPLETED intent
      –  Starts automatically when the phone is turned on
   •  Reports general information (phone number, IMEI, …) on connect
   •  Can read and write arbitrary files and list directories
      –  Linux is Unix: “everything is a file”
      –  All logic and parsing on the C2 (client) side, not exposed to analysis
   •  Uses a custom “encryption” / obfuscation algorithm
26. LUCKYCAT.A BEACON INFORMATION
   •  Obtains current phone number
      –  Chinese error / status message
   •  Beacons
      –  Phone number as MAC
      –  Current IP
      –  Per-incident identifier
27. LUCKYCAT.A FILE COMMANDS
   •  Only supports file-based commands
      –  Directory content listing
      –  Download / upload a file from / to the phone
   •  Any interaction with the system must be done through this simple mechanism
29. FINSPY MOBILE FOR IOS
   •  Commercial mobile RAT sold to governments
      –  “Enterprise” software development
      –  Proper encryption, communication protocol, …
   •  Analyzed iOS sample: a stolen demo binary
      –  Courtesy of CitizenLab.org
   •  Capabilities similar to previous commercial RATs
   •  iOS variant requires a jailbroken device or an LPE exploit
30. FINSPY MOBILE FOR IOS INSTALLATION
   •  One initial dropper, install_manager.app
   •  Ad-hoc distribution with hardcoded UDIDs it is allowed to run on
   •  Certificate registered to Gamma International, Inc.
   •  Drops the four FinSpy binaries to suid-capable directories
      –  installer: manages persistence in the system
      –  logind.app: daemon wrapper invoked by launchd on boot
      –  trampoline.app: a broken no-op in our sample
      –  SyncData.app: the main backdoor that calls home
31. FINSPY LPE MISSING LINK
   •  installer.app copies binaries to /Applications and /System
   •  On a non-jailbroken device this is prohibited by the sandbox
   •  installer.app requests root privileges with seteuid(0)
      –  Typical for a program started with the suid bit set: seteuid(0) only succeeds if the process already has root as its real, effective or saved user ID
   •  install_manager.app searches for partitions where the suid bit is honoured
32. FINSPY LPE MISSING LINK CONT.
   •  trampoline.app is a no-op in our binary
      –  Invoked by install_manager.app with the path to installer
      –  Includes code that builds paths from its arguments
      –  Apparently cut off / sanitized at source level
   •  Placeholder for an exploit that disables the sandbox and makes installer suid, to infect non-jailbroken devices?
      –  trampoline.app as shipped is not an exploit itself
      –  Checked all entry points and loader behavior
33. UDID LEAK IMPACT
   •  1,000,000 UDIDs leaked
   •  UDIDs, APNs tokens and device names leaked from an unknown source
   •  An ad-hoc distribution profile requires the UDID; each profile covers up to 100 devices
      –  User interaction required for installation
      –  Code still sandboxed
   •  Device information reportedly leaked from BlueToad
35. FEASIBILITY STUDY RATIONALE
   •  Mobile exploits are being actively bought on the “market”
      –  iOS, BlackBerry, Android (loosely ordered by price)
      –  Remote: baseband, browser and SMS apps
      –  Local: really anything that gets you elevated privileges
   •  Development of the payload is up to the customer
      –  FinSpy Mobile looks like a good fit for an LPE trampoline.app
   •  We know these attacks are out there, yet we do not have conclusive evidence
   •  “If the mobile manufacturers don’t give us root privileges, only the attackers will have root privileges.”
36. ANDROID 4.0.1 BROWSER EXPLOIT
   •  Vulnerability in WebKit (fixed in 4.0.2, public since Nov 2011)
      –  No CVE assigned, just a bug “leading to degraded user experience”…
   •  Circumvents XN and partial ASLR on Android 4.0.1
      –  Android ≥ 2.3 enables XN (eXecute Never), comparable to the x86 NX bit
         –  Requires hardware support, but most phones do support it
      –  Android ≥ 4.0 adds partial ASLR
         –  Heap, stack and dynamic linker still at predictable addresses
      –  Android ≥ 4.1 adds full ASLR
   •  Use ROP in the dynamic linker to circumvent the 4.0 mitigations
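The slide does not give the exploit's details, so none are reproduced here. What a practitioner can do is measure the two properties the exploit depends on. The following added example (written for this page, not the talk's code) audits a process's /proc/<pid>/maps, whose format is the same on Android and desktop Linux: it counts mappings that are writable and executable at once (the condition XN is meant to rule out) and reports the lowest base of the dynamic linker, heap and stack. Run the binary twice: a base that is identical across runs is the "predictable address" the slide refers to. Function names are chosen here; the match string "ld-" is the glibc linker and would be "/system/bin/linker" on Android.

```c
/* Added example, not the exploit from the talk: XN and ASLR audit of a
 * process from its /proc/<pid>/maps. Build: cc -std=c99 -o mapsaudit mapsaudit.c */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>

struct mapping {
    uintptr_t start, end;
    char perms[5];      /* e.g. "r-xp" */
    char path[256];     /* "" for anonymous mappings */
};

/* Parse "start-end perms offset dev inode [path]". Returns 1 on success. */
int parse_maps_line(const char *line, struct mapping *m)
{
    m->path[0] = '\0';
    int n = sscanf(line, "%" SCNxPTR "-%" SCNxPTR " %4s %*s %*s %*s %255s",
                   &m->start, &m->end, m->perms, m->path);
    return n >= 3;   /* path is optional */
}

/* A page that is both writable and executable defeats XN: shellcode can be
 * written there and run without any ROP. */
int is_wx(const struct mapping *m)
{
    return m->perms[1] == 'w' && m->perms[2] == 'x';
}

int count_wx(const char *const *lines, int n)
{
    struct mapping m;
    int c = 0;
    for (int i = 0; i < n; i++)
        if (parse_maps_line(lines[i], &m) && is_wx(&m))
            c++;
    return c;
}

/* Lowest start address of any mapping whose path contains `name`
 * ("[heap]", "[stack]", "/system/bin/linker", ...); 0 if none. */
uintptr_t mapping_base(const char *const *lines, int n, const char *name)
{
    struct mapping m;
    uintptr_t base = 0;
    for (int i = 0; i < n; i++)
        if (parse_maps_line(lines[i], &m) && strstr(m.path, name) &&
            (base == 0 || m.start < base))
            base = m.start;
    return base;
}

int main(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) {
        perror("/proc/self/maps");
        return 1;
    }
    static char buf[256][512];
    const char *lines[256];
    int n = 0;
    while (n < 256 && fgets(buf[n], sizeof buf[n], f)) {
        lines[n] = buf[n];
        n++;
    }
    fclose(f);
    printf("W+X mappings: %d\n", count_wx(lines, n));
    printf("linker base : %#" PRIxPTR "\n", mapping_base(lines, n, "ld-"));
    printf("heap base   : %#" PRIxPTR "\n", mapping_base(lines, n, "[heap]"));
    printf("stack base  : %#" PRIxPTR "\n", mapping_base(lines, n, "[stack]"));
    return 0;
}
```

On a device that matches the slide's description of 4.0.1, the linker base printed by two consecutive runs of the browser process is the same, which is what makes gadgets in the linker usable without an information leak.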
37. FEASIBILITY OF A NATIVE RAT FOR ANDROID
   •  Native stand-alone executables are easily built using the NDK
      –  Creating a Makefile and a “Hello World” takes < 2 hours if familiar with GCC
   •  Huge number of new “App Analysis (Dalvik) Experts”
      –  Have any of them ever analyzed native ARM code?
      –  Can any of them handle a simple UPX-packed binary?
   •  No rootkit required, people barely look at native processes
      –  Native processes do not show up in the Android or 3rd-party task managers
      –  Potentially visible in ps, but trivially obfuscated: strcpy(argv[0], “…”)
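The argv[0] trick on the slide works because ps reads /proc/<pid>/cmdline, which is just the process's own argv memory. The kernel keeps two other names that userland cannot change by writing to argv: /proc/<pid>/exe (the binary actually mapped) and /proc/<pid>/comm (the 15-character name set at exec). The following added example, written for this page rather than taken from the talk, shows the spoof done without overrunning the argv buffer, and the cross-check a defender runs to catch it. Function and constant names (spoof_argv0, name_mismatch, check_pid, MISMATCH_*) are chosen here.

```c
/* Added example (not from the talk): argv[0] spoofing and its detection
 * via /proc on Linux/Android. Build: cc -std=c99 -o argv0 argv0.c */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Overwrite argv[0] in place so ps shows `fake`. Never write past the
 * original string: a plain strcpy of a longer name would run into argv[1]
 * and environ, which follow it in memory. Returns the new argv[0] length. */
size_t spoof_argv0(char *argv0, const char *fake)
{
    size_t room = strlen(argv0);
    memset(argv0, 0, room);
    strncpy(argv0, fake, room);   /* truncates if fake is longer than room */
    return strlen(argv0);
}

enum { MISMATCH_CMDLINE = 1, MISMATCH_COMM = 2 };

static const char *basename_of(const char *p)
{
    const char *s = strrchr(p, '/');
    return s ? s + 1 : p;
}

/* Compare the three names the kernel exposes for a process. Returns a bit
 * mask of disagreements with the mapped binary; 0 means all agree. comm is
 * truncated to 15 bytes by the kernel, so only that prefix is compared. */
int name_mismatch(const char *exe_path, const char *comm, const char *cmdline0)
{
    const char *exe = basename_of(exe_path);
    int flags = 0;
    if (strcmp(exe, basename_of(cmdline0)) != 0)
        flags |= MISMATCH_CMDLINE;
    if (strncmp(exe, comm, 15) != 0)
        flags |= MISMATCH_COMM;
    return flags;
}

/* Read exe, comm and cmdline for `pid` from /proc and run the check.
 * Returns the mismatch mask, or -1 if /proc could not be read. */
int check_pid(pid_t pid)
{
    char p[64], exe[512], comm[32], cmd[512];
    ssize_t n;
    FILE *f;

    snprintf(p, sizeof p, "/proc/%d/exe", (int)pid);
    if ((n = readlink(p, exe, sizeof exe - 1)) < 0)
        return -1;
    exe[n] = '\0';

    snprintf(p, sizeof p, "/proc/%d/comm", (int)pid);
    if (!(f = fopen(p, "r")) || !fgets(comm, sizeof comm, f)) {
        if (f) fclose(f);
        return -1;
    }
    fclose(f);
    comm[strcspn(comm, "\n")] = '\0';

    snprintf(p, sizeof p, "/proc/%d/cmdline", (int)pid);
    if (!(f = fopen(p, "r")))
        return -1;
    n = fread(cmd, 1, sizeof cmd - 1, f);
    fclose(f);
    if (n <= 0)
        return -1;
    cmd[n] = '\0';               /* argv[0] is the first NUL-terminated string */
    return name_mismatch(exe, comm, cmd);
}

int main(int argc, char **argv)
{
    (void)argc;
    printf("before spoof: mismatch mask %d\n", check_pid(getpid()));
    spoof_argv0(argv[0], "init");     /* ps now shows "init" for this process */
    printf("after  spoof: mismatch mask %d\n", check_pid(getpid()));
    return 0;
}
```

A sweep of /proc/[0-9]*/ with check_pid is a cheap triage step on a device where only Dalvik apps are being inspected. Expect benign hits for binaries invoked through a symlink (busybox applets, toolbox) and for processes that renamed themselves via prctl(PR_SET_NAME), so treat a non-zero mask as something to look at, not as a verdict.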
39. http://www.youtube.com/watch?v=M2jxLDz5gE4
40. •  Quarterly webcasts: industry leaders presenting cutting-edge topics
    •  Blogs, whitepapers, and other industry resources
    •  Webcast archives for on-demand viewing
    HTTP://WWW.HACKINGEXPOSED7.COM
41. CrowdStrike is a security technology company focused on helping enterprises and governments protect their most sensitive IP. CrowdStrike encompasses three core offerings: Services, Intelligence, and Technology.
    For Incident Response services: http://www.crowdstrike.com/services.html
    For Intelligence as a Service: email us at intelligence@crowdstrike.com
    Technology (coming soon): if you have interest in being a beta customer, send your request to beta@crowdstrike.com
    Website: www.crowdstrike.com
    @CrowdStrike
    Blog: http://blog.crowdstrike.com
    facebook.com/crowdstrike
    youtube.com/crowdstrike
42. Q&A