Defeating spyware and forensics on the black berry draft
Defeating Spyware & Forensic Acquisitionon BlackBerry HandheldsSheran A. GunasekeraZenConsult Labshttp://chirashi.zensay.comE-mail: firstname.lastname@example.orgABSTRACTMalware has proven to be the scourge of the convergingdesktop and mobile ecosystems. With more powerful mobiledevices, comes the proportionate growth of a myriad ofmalware. Traditionally, malware on the desktop platform hasbeen thought to be the work of individuals out to make theirmark on society and find their 15 minutes of notoriety. This isno longer the case. Malware is now used for anything fromorganized crime to spying on cheating spouses.Commercial entities have made their business models aroundthe sale of ‘commercial spyware’ designed to put the power ofspying into the hands of the layperson [2,3]. Other companiesmaintain a low-profile and sell similar products only to lawenforcement agencies. [4,5]The foundation on which all of these malware products isbuilt is the exfiltration of relevant information. Whether it isemail, call records or GPS co-ordinates, data is collected andforwarded either at timed intervals or in real-time to acollection end-point. This paper discusses some of the keypoints of how to render this collected information useless. Tocounter malware, the traditional approach has been to developdetection and removal tools. This has limits in that onlyknown malware can be detected. An alternate approach is tofeed malware with an abundance of useless information or asignificantly reduced Signal-to-noise ratio. This paper willdiscuss and provide examples of how such a technique can beimplemented on a BlackBerry handheld.INTRODUCTIONMalware on a BlackBerry handheld operates in apredictable manner. Third party applications will run in asandboxed environment with many granular controls andpermissions that limit its functional capabilities. So why thendoes malware thrive on the platform? Because a user is stillrequired to administer these controls or permissions.Invariably, a user’s ‘click-through-to-reach-your-goal’ attitudewill have pop-up windows with requests for permission to begranted. Blaming a user is not going to solve the problem.Educating the user is. Providing a user with free tools to detectspyware is another way to solve the problem. However, lettinga user continue to use his device with little to no interventionwhile at the same time confounding the people spying on himseems by far a more elegant solution.To properly understand how to achieve this, a goodunderstanding of how malware works is necessary. Next,knowledge of data repositories within the BlackBerry handheldneed to be identified and altered in a manner that will notinconvenience the end-user, but will significantly reduce theSignal-to-noise ratio for the data-collector. These are all topicsthat will be covered in this paper. As a bonus, techniques onhampering a forensic investigation of the device will beincluded.ACTORSLets first identify the actors in this ecosystem. There is theend-user who is the owner of the device and the informationcontained therein. Then there is the data-collector or spy whowill be the person or entity collecting and sifting through theend-user’s information without his consent.HOW MALWARE WORKSFor the purposes of this paper, the term malware is used tomean malicious applications installed on an end-user’s deviceto collect and extract private information without consent.Malware usually targets several information repositories onthe BlackBerry handheld and will go after specific types ofinformation. These repositories are listed in Table 1 below:Repository Type of InformationEmail Folders Incoming & outgoing email messagesSMS/MMSFolders**Incoming & outgoing Short Messagesand Multimedia MessagesCall HistoryLogIncoming & outgoing phone call numbersand call durationsPhone Book Contact information like name, address,phone numberBlackBerryMessengerChatsIncoming & outgoing instant messagesexchanged between users or groupsGPSModule**Physical location of the handset and end-userTable 1. Information Repositories** It is not entirely possible to defeat malware that hooks theserepositories.The BlackBerry API consists of a set of Listeners that aidthe developer in writing event-driven applications. Listenersalert the program when certain tasks take place. In therepositories listed in Table 1, every repository can have aListener added to run some code when an event is received.Due to a bug, either deliberate or inadvertent, the BlackBerryMessenger Listener does not work to its fullest capability andthus alternate methods are generally used by the malwarevendors.MALWARE CRIPPLING TECHNIQUESThe premise of this paper is to discuss new or alternatemethods for defeating malware. Rather than attempting to findand remove the malware, these techniques attack the source ofinformation that the malware is attempting to capture. Thesetechniques will poison the information stores in a manner thatonly affects malware (Fig. 1). This will serve to reduce thequality of information presented to a data-collector. The costto the end-user is minimized. Some of the techniquesdescribed may elicit unexpected behavior from malware which
further serves to alert the end-user that, ‘something is not right’with the handheld.ArbitraryData SourceArtiﬁcialData SourceMalwareRealInformationFakeInformationFig. 1 - Poisoning the dataPOEPFLOODPOEP, which stands for Phony Object Escalation Process,is a technique that can be used to introduce an overwhelmingamount of false data to a watched resource. For example, ifmalware is watching a folder and collecting objects that areintroduced to this folder, then conducting a POEPFlood attackwill initiate the process of adding collections of fake objects tothis watched folder in increasing order of magnitude. Thisresults in the malware collecting not only legitimate objects,but fake ones as well. This large amount of false positivesprovides a diluting effect on legitimate information and if donecorrectly, will make the data-collector’s task very difficult. Anattacker that hopes to spy on a device like this will have to siftthrough hundreds or thousands of pieces of inaccurate,irrelevant data. This achieves the goal of reducing the Signal-to-noise ratio.PWNGOALPWNGoal is a flooding attack where certain sacrifices willneed to be made such as financial expenditure. The idea of thePWNGoal attack is to create an Artificial Data Source (Fig. 1)using the help of a third party. This attack will be most usefulwhen it is not feasible to create an Artificial Data Store on theBlackBerry device. For example, consider the case whereSMS or MMS messages need to be spoofed. The two mainways to achieve this are 1) Write a routine where the handheldsends messages to itself 2) Use a third party messaginggateway to generate these messages.The accompanying source code covers scenario 1).Scenario 2) is currently beyond the scope of this paper. Eitherway, an additional cost is incurred in either sending SMSmessages through the carrier or cost of messages on themessaging gateway.DDTSThe DDTS technique, or Don’t Drop The Soap technique,is better suited to defeating a forensic analysis of theBlackBerry handheld. This technique can be used to disallowor prevent access to the USB Port on the BlackBerry handheld.Generally, a forensic analysis will aim to gather informationfrom the BlackBerry through the USB Port. DDTS will watchfor any connections to the USB Port and take appropriateaction when one is detected. This can be achieved by settingan IOPortListener or USBPortListener and triggering an actionwhen a connectionRequested(). Alternatively, setting aS y s t e m L i s t e n e r 2 a n d t r i g g e r i n g a n a c t i o n o nusbConnectionStateChange() is also a possibility.The DDTS technique by itself often serves no purpose.Instead, DDTS should be coupled with one of the other typesof attacks so that appropriate action can be taken when a USBConnection is requested. Typically, a complete DDTS attackwill employ a POEPFlood, PWNGoal or FMLog attack todestroy or overwrite the contents of a BlackBerry handheld.FMLogThe FMLog attack or Flush My Log attack is anothertechnique used to defeat forensic analysis of BlackBerrydevices. The BlackBerry handheld has a built-in event loggingmechanism that system and third-party applications can writeto. This event log can be viewed on the BlackBerry handheldby invoking the key combination <ALT> + LGLG (Holdingdown the Alt key and type LGLG). The entire size of this logis 16Kb [ref to log size] and any third party application canwrite to this log using the EventLogger class on the device.To conduct this attack, a timed process that writes morethan 16Kb of data to the log is all that is required. Further, thisattack can be enhanced by using the DDTS attack to only flushthe log when a USB cable is connected to the handheld. Figure2 and 3 depicts a ‘before’ and ‘after’ look at the FMLog attack.Event LogLog Entry 1Log Entry 2Log Entry3Log Entry n-2Log Entry n-1Log Entry n...16KbLog SizeNew entries writtento the bottomOld entriesare ejectedFig. 2 - Event Log operation before FMLog attackEvent LogLog Entry 1CrapCrapCrapCrapCrap...16KbLog SizeFMLog attackwritesfake dataValid Entriesare deletedFig. 3 - Event Log operation after FMLog attackEMAILMalware Operations
Typically, BlackBerry based malware will operate bymaking use of the FolderListener  to watch specific mailfolders. By then acting on either a messagesAdded() ormessagesRemoved() method, specific trigger code can beexecuted. Often, the Inbox and Outbox (sent items) arewatched for incoming and outgoing messages respectively. Inthis case, the messagesAdded() function is what is of mostinterest. A typical example of a code snippet would looksomething like the one in Code Snippet 1 below:Code Snippet 1 - Trigger on messagesAdded()For the sake of maintaining clarity, the code for theEvilSpywareModule has been omitted. Assume for themoment that this module’s sole purpose is to capture andexfiltrate data. Rendered graphically, this entire process maylook something like the diagram depicted in Figure 4.CMIMEMail StoreInboxOutboxMiscHooks foldersthroughFolderListenerExﬁltrationEngineCapturedEmailtrigger onmessagesAdded()Fig. 4 - Malware Mail CaptureThe BlackBerry handheld has as many mail stores as thereare email accounts configured. These mail stores can beenumerated by looking for a specific type of ServiceBook that is of type CMIME. Then it is a matter of enumerating allthe folders and looking for the Inbox and Outbox beforehooking them using the FolderListener.How to defeatBy using the same principle of hooking folders, it ispossible to defeat malware using the techniques discussedpreviously. The POEPFlood technique is ideally suited todefeating malware targeting email. The process summary maylook like this:(1)Setup a FolderListener on appropriate folders that requirepoisoning.(2)Prepare a function that will place a configurable, high-number of arbitrarily generated email messages in thesefolders.(3)Designate how the function from (2) will fire; would it beon a messagesAdded(), or randomly timed(4)Once (2) is fired, ensure to clean up the folders of fakedata so as not to affect the end-userIt is worthwhile noting that step (2) above will carry thelargest amount of code and will contain the logic to generatefake data in a manner capable of defeating malware. Refer tothe accompanying source code for details on how to preparethis logic. Some things to remember when conducting aPOEPFlood attack on email:(1)Create fake emails based on real ones. For example,browse through the existing message store and randomlypick subject lines to use.(2)Fill the email message body with random, but properwords. One idea would be to fetch text from severaldifferent Internet sites. Another would be to collect randomwords from emails already in the folders.(3)As with (1) above, use email addresses as those found inthe existing information store, but make changes to them tomask true identities. This can be optional.The key is to make the poisoned email flood look aslegitimate as the real emails. This will prevent a data-collectorfrom running automated filtering tools. The goal is to have thedata-collector wade through and waste time by readingcompletely useless information.CMIMEMail StoreInboxOutboxMisctrigger onmessagesAdded()Hooks foldersthroughFolderListenerExﬁltrationEngineOverwhelmingPOEPFloodof emailPOEPFlooderPoisonedEmailFig. 5 - POEPFlood Attack on EmailA practical, albeit worthless, attack example is shown inthe source code snippet below. It is deemed worthless at thismoment because it does not contain any logic to help make thefake emails more legitimate. It is a simple iterator generating10 emails with a similar ‘TO’ header.
Code Snippet 2 - Email Flooding ExampleSMSMalware OperationsThere is more than one way that all incoming SMSmessages can be captured. These are the recommendedmethods :(1)Use a MessageConnection by implementing thejavax.wireless.messaging.MessageListener interface.(2)U s e a D a t a g r a m C o n n e c t i o n f r o m t h ejavax.microedition.io package.(3)U s e a M e s s a g e C o n n e c t i o n f r o m t h ejavax.wireless.messaging package.During tests conducted for this paper, the MessageListenermethod was used (see Code Snippet 3).Code Snippet 3 - Inbound SMS InterceptionHow to defeatEven on examining the BlackBerry OS 7 API, there seemsto be no precise way of poisoning the SMS or MMS messagestores. This is due to the way that SMS messages are captured.The MessageListener interface allows for capturing when amessage is received and before it is placed into a folder. Thus,conducting an attack like the POEPFlood will not work sincethis attack relies on poisoning a folder structure. One approachwould be to consider the PWNGoal attack. As mentionedpreviously, the PWNGoal attacks may incur additional chargesbeyond that of the BlackBerry data & call package. Thus, dueconsideration should be given when using this attack. It is alsoworthwhile noting that PWNGoal attacks for SMS can beeasily filtered by the data-collector due to the single number itis being received from. Obviously, the more resourcesdedicated to the attack will increase the chances of reducingthe quality of collectible data.CALL HISTORYMalware OperationsThe Call History repository logs all incoming, outgoingand missed phone calls on the BlackBerry handheld. It isanother repository of interest for malware and forensicanalysts. The PhoneLogListener can be used to access the CallHistory on a BlackBerry handheld (see Code Snippet 3).
Code Snippet 4 - Call History InterceptionHow to defeatSimilar to Email, it is possible to arbitrarily introduce fakephone calls to the device Call History. To defeat malware, aPOEPFlood provides the best mechanism for attack. Toconduct a Call History POEPFlood, it is possible toperiodically introduce fake phone calls by calling thePhoneLogs.addCall() method. As soon as this method isc a l l e d , i t w i l l t r i g g e r t h e m a l w a r e ’ sPhoneLogListener.callLogAdded() method and thus providesthe opportunity to POEPFlood. Similarly, thecallLogRemoved() and callLogUpdated() methods are open toattack in the same manner.When attempting to defeat a forensic analysis, a DDTS/POEPFlood attack would prove useful. DDTS will detectwhen a USB connection is requested and immediately start aPOEPFlood attack on the Call History repository. This willensure that the Call History database is overwritten, or at leastfull of low quality information. Code Snippet x provides thesource code for flooding the Call Log history:Code Snippet 5 - Flooding Call HistoryPHONE BOOKMalware OperationsThe Phone Book or contact list of a BlackBerry handheldcan be fair game for malware and forensic analysts alike. Fordata-collectors, the Phone Book provides an insight into theconnections and acquaintances of an end-user. For forensicanalysts, it provides a way to connect suspects to othersuspects. Malware will be interested in the PIMListenerinterface to trigger code on the itemAdded(), itemRemoved()and itemUpdated() methods.How to defeatDefeating malware watching the Phone Book can be aseasy as conducting a POEPFlood on specific PIMListinstances. The base PIMList class has the methodscreateContact(), importContact() and removeContact(). Byperiodically calling these functions using POEP, it is possibleto feed malware with fake objects that it will log. PIMListsthemselves are divided into many different types. There can beContact Lists, Memo Lists and To Do Lists. For the purposesof this paper, the Contact List is what is most useful. Thefollowing code snippet gives an example of how a contact canbe programmatically added to the Contact List:Code Snippet 6 - Appending to the Contact ListBLACKBERRY MESSENGERMalware OperationsThe BlackBerry Messenger service (up to version 5.0 ) hashad a long standing bug  that does not allow developers touse its Listener interfaces. The result of attempting to obtain aBlackBerry Messenger Instance is a null response. Sinceversion 5.0 however, the concept of backing up BlackBerryMessenger chats locally on the filesystem has been introduced.By enabling this capability, malware can hook the filesystemand watch for any changes to a specific directory or file. Thenit can act whenever changes to the filesystem are made. TheBlackBerry Messenger backup file is a simple CSV file thatremains on the device in an unencrypted state. An example ofthe contents of such a backup file is depicted in Figure 6below:Fig. 6 - A BlackBerry Messenger Conversation
This file is found under the “BlackBerry/im/BlackBerryMessenger/<Device PIN>/history” folder. As per the Fig xabove, the various fields in this file are Date/Time, SenderPIN, Recipient PIN and message respectively. Code Snippet 7shows one approach that malware use to hook the file system:Code Snippet 7 - Malware hooking the filesystemHow to defeatThe simplest method for defeating malware capturingBlackBerry Messages is to hook the file system journal againand write all the legitimate changes to this file to a separatefile. Simultaneously, the legitimate file is flooded with fakedata which the malware will collect.This type of approach will guarantee that the data-collectorhas to wade through a significant amount of irrelevantinformation before making sense of the conversation.GPS MODULEMalware OperationsBlackBerry devices that have the hardware capabilities canprovide location based services through its on-board GPS chip.The functionality is controlled through several APIs from thejavax.microedtion.location package. The most important pieceof information for malware to capture are the GPS co-ordinatescomprising of the Latitude and Longitude of the device.Newer BlackBerry devices may also have the opportunity tocollect information about heading and speed.To collect periodic GPS co-ordinates from the device, theeasiest process is to hook the LocationListener and read theevents as fired from the locationUpdated() method.ACKNOWLEDGEMENTSThe author would like to acknowledge the pioneering workdone by The Grugq in the field of Anti-Forensics. His seminalwork, The Art of Defiling provided most of the inspiration forthis paper.REFERENCES Zeus Malware - http://en.wikipedia.org/wiki/Zeus_(trojan_horse) Flexispy Commercial Malware - http://www.flexispy.com/ MobileSpy Commercial Malware - http://www.mobile-spy.com/ HackingTeam Remote Control System - http://www.hackingteam.it/index.php/remote-control-system Fixmo Sentinel - http://www.fixmo.com/products/fixmo-sentinel/ BlackBerry OS 5 API FolderListener - http://www.blackberry.com/developers/docs/5.0.0api/net/rim/blackberry/api/mail/event/FolderListener.html Service Books: http://na.blackberry.com/eng/deliverables/2584/about_service_books_32170_11.jsp andhttp://www.berryreview.com/2009/01/22/faq-explanation-of-each-blackberry-service-book-type/ SMS Interception Methods - http://supportforums.blackberry.com/t5/tkb/articleprintpage/tkb-id/java_dev@tkb/article-id/207 BlackBerry Messenger Bug (Requires Free DeveloperAccount) - https://www.blackberry.com/jira/browse/JAVAAPI-508