[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN

•

1 like•1,319 views

2014 CodeEngn Conference 11 안드로이드에서의 부트킷 동작방식 알아보기 부트킷 악성코드는 부팅 과정에서 악성코드를 감염시켜 악성코드가 실행 시 자신의 존재를 숨겨 백신에서 악성코드의 탐지와 치료를 어렵게 하기위해 사용되는 방식이다. 이러한 Oldboot 부트킷 악성코드가 올해초 2014년 1월에 안드로이드에서 발견되었다. 따라서 본 발표에서는 이 안드로이드 상에서 사용된 부트킷의 동작 방식과 특이점에 대해서 다룰 예정이다. http://codeengn.com/conference/11 http://codeengn.com/conference/archive

Android Bootkit Malware Analysis
Kim, Hobin
HobinKim125@gmail.com
www.CodeEngn.com
2014 CodeEngn Conference 11

What is Bootkit?
• Bootkit = Rootkit + Boot capability
• Boot sector of a disk is infecting the host
when introduced at the boot process.
• Ex) Windows MBR Rootkit

Android Boot Partition
• Android devices’ boot partition uses
RAM disk file system
• Consist of Linux kernel(zImage) & root
file system ramdisk(initrd; initial ramdisk)

Android Boot Process
Bootloader Kernel(Linux) init(init.rc)
• init process is first process on Android

Stealth Technic of Android Bootkit
• Modifying devices’ boot partition and
booting script during early stage of
system’s booting for hiding and
protecting itself
• Launching system service as root and
extracting malware app as system app

Characteristics of Android Bootkit
• Bypass built-in kernel-level security
restrictions
• Difficult to detect and cure by AV

Oldboot; The First Android Bootkit
• Oldboot
• Reported by Qihoo360 in China
• The first bootkit officially found on Android
in the wild
• More than 500,000 Android devices infected
in China
• Proof that the boot partition of Android
could be infected easily

How Android Can Be Infected?
• The attacker has a chance to physically
touch the devices, and flash a malcious
boot.img image files to the boot
partition of the disk

How Android Can Be Infected? (cont)
• Qihoo360 found the infected device in big IT
mall in Beijing
• the recovery partition has been replaced by a
custom recovery ROM. and the timestamp of
all files in the boot partition are the same.

How Android Can Be Infected? (cont)
• based on Qihoo’s cloud security technology,
they figured out almost infected devices are
only well-known device such as the Galaxy
Note II

Oldboot Bootkit’s Components
• Oldboot.a
• init.rc (modified)
• imei_chk (located at /sbin)
• libgooglekernel.so (located at /system/lib)
• GoogleKernel.apk (located at /system/app)

Analyzing init process(init.rc)
• Content of the modified init.rc
• Adding imei_chk service as root

Analyzing imei_chk (cont)
• Extract apk files

Analyzing imei_chk (cont)
• Socket listening & read

Analyzing imei_chk (cont)
• executes received commands

Analyzing GoogleKernel.apk
• GoogleKernel.apk’s AndroidManifest.xml

Analyzing GoogleKernel.apk (cont)
• GoogleKernel.apk’s AndroidManifest.xml

Analyzing GoogleKernel.apk (cont)
• BootRecv service

Analyzing GoogleKernel.apk (cont)
• EventsRecv service

Analyzing GoogleKernel.apk (cont)
• Dalvik service

Analyzing GoogleKernel.apk (cont)
• Incomplete malicious function

Analyzing GoogleKernel.apk (cont)
• Communicate with libgooglekernel.so by
JNI

Analyzing libgooglekernel.so
• Connecting to its C&C Servers to
download configuration files

Analyzing libgooglekernel.so (cont)
• Location of C&C Server

Analyzing libgooglekernel.so (cont)
• Downloading APK file

Analyzing libgooglekernel.so (cont)
• Installing downloaded APK as system
application

Analyzing libgooglekernel.so (cont)
• Deleting system application

Oldboot.a Running Flow Chart
init process init.rc
system server
imei_chk
GoogleKernel.apk libgooglekernel.so
JNI
socket

Preview point of Android Bootkit Malware
• Totally new malware attack method on
Android
• Not only apk can be infected

References
• Oldboot: the first bootkit on Android, Zihang Xiao, Qing Dong, Hao
Zhang & Xuxian Jiang, Qihoo 360
• Advanced Bootkit Techniques on Android, Zhangqi Chen & Di Shen
@SyScan360
• Android Hacker’s handbook, Drake, Oliva Fora, Lanier Mulliner, Ridley,
Wicherski, Wiley
• 인사이드 안드로이드, 송형주, 김태연, 박지훈, 이백, 임기영, 위키북스
• 안드로이드의 모든 것 분석과 포팅, 고현철, 유형목, 한빛미디어
• http://contagiominidump.blogspot.kr/

Q & A
Any question so far?
www.CodeEngn.com
2014 CodeEngn Conference 11

2014 CodeEngn Conference 10 앱의 라이브러리를 내맘대로~ 후킹은 이미 분석이나 개발등 다양한 목적으로 많이 사용되고 있다. 기존의 함수 후킹을 ARM 아키텍처 환경인 안드로이드에서 어떻게 구현했는지에 대해 알아보고 구현된 도구를 통해 안드로이드 환경에서 후킹을 어떻게 활용할 수 있는지에 대해 알아본다. http://codeengn.com/conference/10 http://codeengn.com/conference/archive

4055-841_Project_ShailendraSadhShailendra Sadh - CISSP

Native hook mechanism in Android Bionic linker

Kevin Mai-Hsuan Chia

From 'dotnet run' to 'hello world'

Matt Warren

Have you ever stopped to think about all the things that have to take place when you execute a .NET program? As the quote from Neal Ford says "Understand one level below your usual abstraction", this talk will look at why this is important and how can it help you if we apply it to the .NET framework. We will delve into the internals of the recently open-sourced .NET Core Runtime, looking at what happens, when it happens and why. Using freely available diagnostic tools such as PerfView, libraries including ClrMD and even the source code itself! Along the way we'll examine the Execution Engine, Type Loader, Just-in-Time (JIT) Compiler and the CLR Hosting API, to see how all these components play a part in making a 'Hello World' app possible.

Behavioural activity monitoring on CoreOS with Sysdig Falco

Sysdig

Swifty Serverless: How to minimise latencies and cold start period for server...

Vladimir Porokhov

CoreOS @ gluecon 2015

ifup

Linux Kernel - Let's Contribute!

Levente Kurusa

With many organizations using a sandbox to detonate suspicious files, many threats are implementing logic to detect sandbox environments, to alter their behavior and evade detection. This talk will highlight many real-world evasion tactics employed by recent malware, discussing challenges in measuring evasive behaviors and offering insights to improving the effectiveness of the sandbox. (Source: RSA Conference USA 2018)

IronRuby on Teched Japan

Shay Friedman

How to Secure Containers

Sysdig

While there have been many improvements around improving containers, there is still a large gap in securing the behavior of containers in production. Enter sysdig falco, the behavioral activity monitor for containerized environments. It can detect and alert on anomalous behavior at the application, file, system, and network level. In this session get a deep dive into falco and learn: - How does behavioral security differ from existing security solutions like image scanning? - How does falco work? What can it detect? - How do you build and customize rules for falco?

FTP Commando to Git Hero - WordCamp Denver 2013

Jeremy Green

Performance is a feature! - London .NET User Group

Matt Warren

Dock ir incident response in a containerized, immutable, continually deploy...

Shakacon

Incident response is generally predicated on the ability to examine a system post-breach, pull memory dumps, file system artifacts, system logs, etc. But what happens when that system was part of a fleet of containers? How do you pull a memory dump from an ephemeral container? How do you do forensics when the container and the host that ran the container have been gone for days? Even assuming you catch an intrusion while it's ongoing, how do you respond effectively if you can't access the systems in question because they are read-only, no SSH access? Coinbase has spent the last year attacking these challenges in a AWS-based, immutable and fully containerized infrastructure that stores over a billion dollars of digital currency. Come see how we do it.

XFLTReat: a new dimension in tunnelling

Shakacon

This presentation will sum up how to do tunnelling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.

[2014 CodeEngn Conference 11] 정든품바 - 웹성코드

GangSeok Lee

2014 CodeEngn Conference 11 웹페이지를 조작한다면 무엇을 해보시겠습니까 ? 우리는 매일 인터넷을 사용하지만 접속하는 웹페이지마다 변조되었다는 의심을 해보는 경우는 거의 없다. 웹브라우저가 웹페이지를 읽어오는 과정과 이를 이용해서 조작되는 과정을 알아보고 악성코드 제작자 입장이 되어 무엇을 할 수 있는지 알아보자 http://codeengn.com/conference/11 http://codeengn.com/conference/archive

Docker 102 - Immutable Infrastructure

Adrian Otto

Adrian Otto from Rackspace will present "Docker 102", This includes a summary of Docker 101 as a refresher from the August session, and builds upon that by discussing who should use a registry, and what options are available for keeping them private. We will discuss best practices for keeping your production environments evergreen with updated operating system environments, library dependencies, and maintaining an immutable infrastructure.

How to Make a Honeypot Stickier (SSH*)

Jose Hernandez

### Delivered at grrcon.com ### One of the primary data sources we use on the Splunk Security Research Team is attack data collected from various corners of the globe. We often obtain this data in the wild using honeypots, with the goal of uncovering new or unusual attack techniques and other malicious activities for research purposes. The nirvana state is a honeypot tailored to mimic the kind of attack/attacker you are hoping to study. To do this effectively, the honeypot must very closely resemble a legitimate system. As a principal security research at Splunk, co-founder of Zenedge (Now part of Oracle), and Security Architect at Akamai I have spent many years protecting organizations from targeted as well as internet-wide attacks, and honeypots has been extremely useful (at times better than threat intel) tool at capturing and studying active malicious actors. In this talk, I aim to provide an introduction to honeypots, explain some of the experiences and lessons learned we have had running Cowrie a medium interaction SSH honeypot base on Kippo. How we modified cowrie to make it more realistic and mimic the systems and attack we are trying to capture as well as our approach for the next generation of honeypots we plan to use in our research work. The audience in this talk will learn how to deploy and use cowrie honeypot as a defense mechanism in their organization. Also, we will share techniques on how to modify cowrie in order to masquerade different systems and vulnerabilities mimicking the asset(s) being defended. Finally, share example data produced by the honeypot and analytic techniques that can be used as feedback to improve the deployed honeypot. We will close off the talk by sharing thoughts on how we are evolving our approach for capturing attack data using honeypots and why.

Power forensics

nullowaspmumbai

Mission ImpAnsible - NSM at (RobotFrame)work

Adam Przybyła

Infrastructure coders logstash

David Lutz

Java Logging discussion Log4j,Slf4jRajiv Gupta

Effortless network response logging on Android

Simon Percic

Di shen pacsec_final

PacSecJP

Is ruby logger thread(process)-safe? at RubyConf 2013Naotoshi Seo

Git 101

Dimitris Tsironis

Git

Johannes Thönes

[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis KO

GangSeok Lee

[2014 CodeEngn Conference 10] 노용환 - 디버거 개발, 삽질기

GangSeok Lee

2014 CodeEngn Conference 10 MS 에게 속았어요 Windows 운영체제가 지원하는 디버거 지원 기능들과 브랜치 트레이서를 구현하기 위한 몇 가지 방법들을 소개하고, Windows 커널에 이미 구현되어있는 하드웨어 기반 브랜치 트레이서 코드 분석과 여기에 존재하는 의도된(?) 버그를 살펴본다. http://codeengn.com/conference/10 http://codeengn.com/conference/archive

What's hot

ApacheCon NA 2011 reportKoji Kawamura

Playing games-in-the-sandbox-dynamic-analysis-and-modern-evasion-tactics copy1

Priyanka Aash

IronRuby on Teched Japan

Shay Friedman

How to Secure Containers

Sysdig

FTP Commando to Git Hero - WordCamp Denver 2013

Jeremy Green

Performance is a feature! - London .NET User Group

Matt Warren

Dock ir incident response in a containerized, immutable, continually deploy...

Shakacon

XFLTReat: a new dimension in tunnelling

Shakacon

[2014 CodeEngn Conference 11] 정든품바 - 웹성코드

GangSeok Lee

Docker 102 - Immutable Infrastructure

Adrian Otto

How to Make a Honeypot Stickier (SSH*)

Jose Hernandez

Power forensics

nullowaspmumbai

Mission ImpAnsible - NSM at (RobotFrame)work

Adam Przybyła

Infrastructure coders logstash

David Lutz

Java Logging discussion Log4j,Slf4jRajiv Gupta

Effortless network response logging on Android

Simon Percic

Di shen pacsec_final

PacSecJP

Is ruby logger thread(process)-safe? at RubyConf 2013Naotoshi Seo

Git 101

Dimitris Tsironis

Git

Johannes Thönes

What's hot (20)

ApacheCon NA 2011 report

Playing games-in-the-sandbox-dynamic-analysis-and-modern-evasion-tactics copy1

IronRuby on Teched Japan

How to Secure Containers

FTP Commando to Git Hero - WordCamp Denver 2013

Performance is a feature! - London .NET User Group

Dock ir incident response in a containerized, immutable, continually deploy...

XFLTReat: a new dimension in tunnelling

[2014 CodeEngn Conference 11] 정든품바 - 웹성코드

Docker 102 - Immutable Infrastructure

How to Make a Honeypot Stickier (SSH*)

Power forensics

Mission ImpAnsible - NSM at (RobotFrame)work

Infrastructure coders logstash

Java Logging discussion Log4j,Slf4j

Effortless network response logging on Android

Di shen pacsec_final

Is ruby logger thread(process)-safe? at RubyConf 2013

Git 101

Git

Viewers also liked

[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis KO

GangSeok Lee

[2014 CodeEngn Conference 10] 노용환 - 디버거 개발, 삽질기

GangSeok Lee

[2014 CodeEngn Conference 11] 박세한 - IE 1DAY Case Study EN

GangSeok Lee

2014 CodeEngn Conference 11 IE 원데이로 시작하는 실전 익스플로잇! BOF, FSB, UAF 등의 메모리 커럽션 취약점을 워게임, CTF 통해서 배우게 되지만 비교적 더 낮은 난이도에도 불구하고 실제 상용 프로그램에 대해서는 막연한 느낌뿐인 학생들이 많은 것 같다. 웹브라우저에서 발견되는 취약점 중 가장 흔한 UAF에 대해 설명하고 비교적 최신에 발견된 CVE-2014-0322, CVE-2014-1776 두가지 전형적인 IE 브라우저 UAF 취약점을 익스플로잇하는 방법을 설명하려고 한다. 추후 사례로 소개되는 두 가지 취약점에 대해 직접 학습이 가능하도록 단계별 튜토리얼을 별도 제공하고자한다. http://codeengn.com/conference/11 http://codeengn.com/conference/archive

[2013 CodeEngn Conference 09] 김홍진 - 보안컨설팅 이해 및 BoB 보안컨설팅 인턴쉽

GangSeok Lee

[2014 CodeEngn Conference 11] 이경식 - 동적 추적 프레임워크를 이용한 OS X 바이너리 분석

GangSeok Lee

2014 CodeEngn Conference 11 DTrace를 보안 관점에서 활용해보자! DTrace 프레임워크는 솔라리스 기반으로 개발된 동적 추적 프레임워크로 현재 Solaris, Mac OS X, BSD 등에 적용되고 있다. 프레임워크는 운영체제 개발 시점에 커널에 통합된 프레임워크로 사용자 및 커널 레벨의 다양한 정보(메모리나 CPU, 파일시스템, 네트워크 자원의 모니터링이나 특정 함수의 인자 추적 등)를 동적으로 분석할 수 있게 하여 애플리케이션 테스팅에 주로 활용되고 있다. 이러한 장점을 활용하여 최근에는 보안 관점에서 프레임워크를 사용하는 경우가 늘어나고 있다. 퍼징 모니터링이나, 바이너리 동적 분석과 같은 취약점 분석, 악성코드 동적 분석, 루트킷 개발이 한 예이다. 본 발표에서는 DTrace가 무엇인지 살펴보고, 윈도우의 filemon의 기능을 구현해보도록 한다. 이 발표를 통해 분석가에게 생소할 수 있는 Mac OS X의 바이너리 분석에 도움이 될 것이라 생각한다. http://codeengn.com/conference/11 http://codeengn.com/conference/archive

[2014 CodeEngn Conference 11] 박한범 - 가상화 기술과 보안

GangSeok Lee

2014 CodeEngn Conference 11 가상화와 보안의 합작 가상화 기술은 대상체를 추상화된 리소스로 가상화하여 활용할 수 있는 기술이다. 가상화 기술이 하드웨어 차원에서 지원되기 시작한 이후로 CPU가 제어하는 자원을 하드웨어 레벨에서 가상화 할 수 있게 되었다. CPU가 하드웨어 수준에서 가상화를 지원하기 위해 설계된 구조와 인터페이스가 존재하는 계층이 기존에 운영체제에서 사용하던 Ring 0~3 계층 상위에 추가되면서 이를 보안에서 활용하는 시도들이 있어왔으며 대표적으로 ARM TrustZone 아키텍처가 있다. TrustZone과 같은 아키텍처는 운영체제와는 다르게 오직 보안에 관련된 서비스와 기능만을 탑재한 보안전용운영체제를 먼저 상주시킨다. 운영체제가 특권/사용자 계층을 나누어 사용자 계층에서 하드웨어 자원에 접근하는 것을 막고 대신 요청을 받아 처리함으로서 하드웨어 자원을 보호했던 것과 유사하게 보안/일반 계층으로 나눠 보안이 필요한 동작시에 보안전용운영체제가 요청을 받아 처리하는 구조를 갖고, 일반 계층은 격리되어 보안 계층에 접근할 수 없으므로 보안성을 한층 높힌 구조이다. 본 발표는 가상화 기술에 대한 개괄적 설명과 이를 활용한 PS/2 키로거를 제작 I/O를 가로채는 과정을 살펴보고 운영체제 상위 권한이 어떤 의미를 갖는지 그리고 CPU하드웨어 레벨의 강력한 권한을 체험하는 것을 통해 가상화 기술의 특성을 파악해보자 한다. http://codeengn.com/conference/11 http://codeengn.com/conference/archive

[2014 CodeEngn Conference 11] 남대현 - iOS MobileSafari Fuzzer 제작 및 Fuzzing

GangSeok Lee

2014 CodeEngn Conference 11 모바일환경에서 Borwser Fuzzing을 하고 싶었고, 나만의 Fuzzing시스템을 만들고 싶었다. iOS(Jailbreak환경)에서 MobileSafari를 대상으로 24시간/7일, Fuzzing 도중 Crash가 발생하여 MobileSafari가 종료되더라도 MobileSafari를 재시작시켜서 Fuzzing을 시도하는 시스템을 제작하였다. 어떻게 구성했고, ASLR을 어떻게 극복하였는지 공유하고자 한다. http://codeengn.com/conference/11 http://codeengn.com/conference/archive

[2014 CodeEngn Conference 11] 김기홍 - 빅데이터 기반 악성코드 자동 분석 플랫폼

GangSeok Lee

2014 CodeEngn Conference 11 악성코드도 모으면 돈이 된다! 일반적으로 하나의 악성코드를 분석하기 위해서는 정적 분석, 동적 분석, 디스어셈블 등의 여러 가지 분석 방법이 동원된다. 하지만 수십, 수백만의 악성코드를 분석하기 위해서는 우리가 할 수 있는 방법은 어떤 것들이 있을까? 또한 하나의 악성코드에 연관된 여러가지 팩트들을 어떻게 연결시켜서 분석 할 수 있을까? 하나가 아닌 수십만의 악성코드를 분석했을 때 추가적으로 추출 할 수 있는 정보는 없을까? 이러한 질문들을 해결 하기 위해서 요즘 빅데이터 기반의 악성코드 분석 기법이 많이 사용된다. 빅데이터 기반의 악성코드를 분석하기 위한 방법과 주요 팩트 들은 어떤 것들이 있을지 알아보고 이를 자동화 하기 위한 플랫폼 개발에 대한 이야기를 해볼 수 있도록 한다. http://codeengn.com/conference/11 http://codeengn.com/conference/archive

기업 IT 인프라 환경 최적화를 위한 하이브리드 클라우드 적용 방안 - AWS Summit Seoul 2017

Amazon Web Services Korea

Viewers also liked (9)

[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis KO

[2014 CodeEngn Conference 10] 노용환 - 디버거 개발, 삽질기

[2014 CodeEngn Conference 11] 박세한 - IE 1DAY Case Study EN

[2013 CodeEngn Conference 09] 김홍진 - 보안컨설팅 이해 및 BoB 보안컨설팅 인턴쉽

[2014 CodeEngn Conference 11] 이경식 - 동적 추적 프레임워크를 이용한 OS X 바이너리 분석

[2014 CodeEngn Conference 11] 박한범 - 가상화 기술과 보안

[2014 CodeEngn Conference 11] 남대현 - iOS MobileSafari Fuzzer 제작 및 Fuzzing

[2014 CodeEngn Conference 11] 김기홍 - 빅데이터 기반 악성코드 자동 분석 플랫폼

기업 IT 인프라 환경 최적화를 위한 하이브리드 클라우드 적용 방안 - AWS Summit Seoul 2017

Similar to [2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN

CNIT 128 6. Analyzing Android Applications (Part 3)

Sam Bowne

CNIT 128 6. Analyzing Android Applications (Part 3 of 3)

Sam Bowne

Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...

FFRI, Inc.

Kubernetes Robotics Edge Cluster System

Tomoya Fujita

Sony R&D Center has been though robotics history and products for years. As robotics platform and Robotics Operating System (ROS) getting matured, there is a requirement to handle the distributed system integration. Using Kubernetes on edge cluster system, there are a lot of advantages such as application lifecycle, deployment and recovery. Also using CNI and ROS Data Distributed System, it can construct distributed system on edge cluster, so that multiple robots can connect directedly and work collaboratively for the specific task. We will share how we can use Kubernetes on edge including deployment robotics application and possible problems based on our experience. Furthermore, we will share our approach to support edge dependent platform with device-plugin to attach hardware resources and even virtual devices which access to the host system such as 3rd party application.

Android Things Internals

Opersys inc.

CNIT 128 6. Analyzing Android Applications (Part 1)

Sam Bowne

Project Malware AnalysisCS 6262 Project 3Agenda.docx

briancrawford30935

Project: Malware Analysis CS 6262 Project 3 Agenda • Part 1: Analyzing Windows Malware • Part 2: Analyzing Android Malware Scenario • Analyzing Windows Malware • You got a malware sample from the wild. Your task is to discover what malware does by analyzing it • How do you discover the malware’s behaviors? • Static Analysis • Manual Reverse Engineering • Programming binary analysis • Dynamic Analysis • Network behavioral tracing • Run-time system behavioral tracing(File/Process/Thread/Registry) • Symbolic Execution • Fuzzing Scenario • In our scenario, you are going to analyze the given malware with tools that we provide. • The tools help you to analyze the malware with static and dynamic analysis. • Objective 1. Find which server controls the malware (the command and control (C2) server) 2. Discover how the malware communicates with the command and control (C2) server • URL and Payload 3. Discover what activities are done by the malware payload • Attack Activities Scenario • Requirement • Make sure that no malware traffic goes out from the virtual machine • But, updating of malware (stage 2), and downloading payload (stage 3) are required to be allowed (set as default option) • The command and control server is dead. You need to reconstruct it • Use tools to reconstruct the server, then reveal hidden behaviors of the malware • Analyze network traffic on the host, and figure out the list of available commands for the malware • Analyze network traffic trace of the host, and figure out what malware does • Write down your answer into assignment-questionnaire.txt Project Structure • A Virtual Machine for Malware analysis • Please download and install the latest version or update your virtual box. • https://www.virtualbox.org/wiki/Downloads • Download the VM • Download links • http://ironhide.gtisc.gatech.edu/vm_2018.7z • http://bombshell.gtisc.gatech.edu/vm_2018.7z • Verify the md5 hash of the 7z file: 537e70c4cb4662d3e3b46af5d8223fd • Please install 7zip or p7zip • Windows, Linux and MacOs: http://www.7-zip.org/download.html • Unarchive the 7z file • Password: GTVM! https://www.virtualbox.org/wiki/Downloads http://ironhide.gtisc.gatech.edu/vm_2018.7z http://bombshell.gtisc.gatech.edu/vm_2018.7z http://www.7-zip.org/download.html Project Structure • Open VirtualBox • Go to File->Import Appliance. • Select the ova file and import it. • For detailed information on how to import the VM, see: • https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html • VM user credentials • Username: analysis • Password: analysis https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html Project Structure • In the Virtual Machine (VM) • Files • init.py • This initializes the project environment • Type your Georgia Tech username (same login name as Canvas) after running this • update.sh • This script updates the VM if any further update has been made by TA • DO NOT execute the scri.

Android Things Internals

Opersys inc.

Steelcon 2015 Reverse-Engineering Obfuscated Android Applications

Tom Keetch

Android Things: Android for IoT

Opersys inc.

openioc_scan - IOC scanner for memory forensics

Takahiro Haruyama

Indicator of Compromise (IOC) is a piece of information that can be used to search for or identify potentially compromised systems. openioc_scan is an open-source IOC scanner for memory forensics and implemented as a plugin of Volatility Framework. By checking IOCs in RAM images (e.g., code injection sign, used/hooked API functions, unpacked code sequences), we can detect malware faster and deeper than disk-based traditional IOCs. In this presentation, I explain how to define and improve IOCs for openioc_scan, introduce IOC examples including not only IOCs for specific malware but also ones focusing on generic traits of malware. I also show remote malware triage automation combining with F-Response.

BlueHat v18 || Return of the kernel rootkit malware (on windows 10)

BlueHat Security Conference

Matt Oh, Microsoft We are seeing new technique used everyday by malware. But, it is very hard to find any impressive techniques used in the wild. Recently there was huge buzz about Detrahere malware which used internally known issues with certificate signing in Windows 10 kernel driver. Even though the certificate check bypass technique itself is very interesting, also I found that the tactics used by the malware is more impressive. Even though the malware is mainly focused on Ad-hijacking functionality through Netfilter driver installation, but it also has rootkit ability through file system driver hooking. This feels like old days coming back with various new arsenals. The rootkit detects kernel debugging settings and will destroy the system when it finds one. The unpacking process can be very challenging job, too as it uses kernel driver image hollowing technique (something similar to process hollowing) to deobfuscate itself and run unpacked code. Our patchguard doesn't seem like triggering on this action, because all the sections are pre-allocated with execute permission already. Through this talk, I want to present various techniques used by this malware focusing on the kernel level obfuscation and anti-analysis tactics. This will give us new insights on how new Windows rootkit malware might look like in the future and how detecting them from security systems and detonation systems can be a challenge.

Webinar–Mobile Application Hardening Protecting Business Critical Apps

Synopsys Software Integrity Group

During this talk, we looked at some of the typical controls that Android/iOS applications exhibit, how they work, how to spot them, and how to sidestep them. We’ll demonstrate analysis and techniques using free open source tooling such as Radare and Frida, and for some parts, we’ll use IDA Pro. And since “automation” is the buzzword of the year, we’ll discuss how to automate some of these activities, which typically take up most of the assessment window. For more information, please visit our website at www.synopsys.com/software

Android overview

Mostofa Kamal Rasel Rasel

Learning AOSP - Android Booting Process

Nanik Tolaram

Windows container security

Docker, Inc.

"The majority of the container security discussion revolves around containers on Linux while the security of containers in Windows is left as a mystical black box. In this talk we'll peel back the curtain and dive in to how Windows containers are secured. Does Windows have namespaces? How does it compose the layers of a container's filesystem? How does it limit resource usage of containers? I heard there's a Hyper-V isolation thing, what's that about? We'll answer all these questions and more!"

DevOpsDays Houston 2019 - Shaun Ladewig, Robert Stone - From OverTheWallOps t...

DevOpsDays Houston

Is your organization suffering from “Over the Wall Ops?” The road to production is fraught with danger and risks, learn how Endurance is tackling the problem, lowering risk, and speeding up launches by having Development and Operations work hand in hand leveraging OpenShift! Join us for a real-world case study from both sides, Shaun Ladewig (System Architect) presents lessons learned in understanding, deploying, and managing an OpenShift cluster while Robert Stone (Principal Software Engineer) outlines how that cluster is used to stand up, deploy, and re-tool our monoliths to fit a more container-based architecture.

Kandroid for nhn_deview_20131013_v5_finalNAVER D2

CI in the mobile world

Godfrey Nolan

Android AttacksMichael Scovetta

Similar to [2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN (20)

CNIT 128 6. Analyzing Android Applications (Part 3)

CNIT 128 6. Analyzing Android Applications (Part 3 of 3)

Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...

Kubernetes Robotics Edge Cluster System

Android Things Internals

CNIT 128 6. Analyzing Android Applications (Part 1)

Project Malware AnalysisCS 6262 Project 3Agenda.docx

Android Things Internals

Steelcon 2015 Reverse-Engineering Obfuscated Android Applications

Android Things: Android for IoT

openioc_scan - IOC scanner for memory forensics

BlueHat v18 || Return of the kernel rootkit malware (on windows 10)

Webinar–Mobile Application Hardening Protecting Business Critical Apps

Android overview

Learning AOSP - Android Booting Process

Windows container security

DevOpsDays Houston 2019 - Shaun Ladewig, Robert Stone - From OverTheWallOps t...

Kandroid for nhn_deview_20131013_v5_final

CI in the mobile world

Android Attacks

More from GangSeok Lee

[2014 CodeEngn Conference 11] 최우석 - 자바스크립트 난독화 너네 뭐니?

GangSeok Lee

2014 CodeEngn Conference 11 웹브라우저 구조에 따른 자바스크립트 난독화 알아보기 이제는 인터넷 없이 생활조차 하기 힘든 세상으로 킬러 어플리케이션로 자리잡았다. 이러한 인터넷 환경에서 웹 사이트 방문만으로 악성코드에 감염 될 수 있다. 이 공격을 드라이브-바이 다운로드 (Drive-By Download)로 불리며, 웹 해킹, 소프트웨어 취약점, 악성코드를 같이 사용하는 공격 기술이다. 그리고 공격에 사용되는 별개의 기술들을 하나로 묶어 주는 것이 자바스크립트로 탐지와 분석을 어렵게 하기위해 난독화를 사용한다. 그러면, 왜 자바스크립트 난독화가 생길 수 있는지 브라우저 컴포넌트 구조를 통해 알아보고, 종류에 대해 알아본다. 그리고 자바스크립트 난독화를 해제하기 위한 방법론에 대해서도 알아본다. http://codeengn.com/conference/11 http://codeengn.com/conference/archive

[2014 CodeEngn Conference 11] 박세한 - IE 1DAY Case Study KO

GangSeok Lee

[2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다

GangSeok Lee

2014 CodeEngn Conference 10 열혈 취약점 헌터들의 고분군투기! 취약점을 찾게되면 어떤 일이 벌어질까? 급전이 필요한 외롭고 찌질한 대한민국 해커들의 급전을 위한 취약점 찾기 여행기. 과연 우리는 취약점을 찾고 급전을 만들어 외롭고 찌질한 이 상황을 타개할 수 있을 것인가? http://codeengn.com/conference/10 http://codeengn.com/conference/archive

[2013 CodeEngn Conference 09] x15kangx - MS Office 2010 문서 암호화 방식 분석 결과

GangSeok Lee

2013 CodeEngn Conference 09 컴퓨터로 문서 작성 시 주로 사용되는 프로그램 중 MS Office가 문서에 암호를 설정 할 때 동작하는 과정을 발표하고자 한다. 알고리즘 분석은 IDA와 ollydbg를 활용하여 분석하였으며, 결과적으로 Brute force 공격 가능성 여부에 대한 생각 또한 공유하고자 한다.. http://codeengn.com/conference/09 http://codeengn.com/conference/archive

[2013 CodeEngn Conference 09] proneer - Malware Tracker

GangSeok Lee

2013 CodeEngn Conference 09 최근 조직의 침해는 조직의 보안 환경이 강화되면서 장기간에 걸쳐 일어난다. 목적을 달성할때까지 지속 매커니즘을 사용하여 시스템에 잠복하거나 다른 시스템으로 이동해간다. 이런 상황에서 악성코드가 사용하는 지속 매커니즘은 무엇이 있는지, 그리고 침해사고를 조기에 인지하여 악성코드의 유입 경로를 찾을 수 있는 방안을 살펴본다. http://codeengn.com/conference/09 http://codeengn.com/conference/archive

[2013 CodeEngn Conference 09] BlueH4G - hooking and visualization

GangSeok Lee

2013 CodeEngn Conference 09 리버서들이나 어플리케이션 분석가 들에게 hooking이란 뗄레야 뗄수가 없는 존재이다. 이러한 후킹을 위해 detours 등 매우 많은 라이브러리도 나와 있지만, 많은 수의 어플리케이션을 분석하거나, 심플하게 내부 플로우만 살펴보기에는 생각보다 손이 많이가는게 사실이다. 이를 좀 더 손쉽고 심플하도록 구현해 보고, visualization 을 도입하여 좀더 직관적으로 분석할 수 있도록 해 볼 것이다. http://codeengn.com/conference/09 http://codeengn.com/conference/archive

[2013 CodeEngn Conference 09] wh1ant - various tricks for linux remote exploits

GangSeok Lee

2013 CodeEngn Conference 09 시간이 지나면 지날수록 리눅스에서는 보안 기술에 의해 원격 공격이 힘들어지고 있다. 원격 버퍼 오버플로우 공격을 위한 몇가지 트릭을 공개할 것이다. 지금까지 공격은 주로 취약점 코드에 의존성이 높거나 brute force를 사용한 방식이였다. 이번 발표에서의 공격 기술은 NULL 을 우회하여 exploit을 1바이트씩 분할하고 취약한 서버에 파일을 생성한뒤 공격하며, 단순 brute force방식에 벗어나 ASLR를 어떻게 빨리 찾아내는지 보여줄 것이다. http://codeengn.com/conference/09 http://codeengn.com/conference/archive

[2013 CodeEngn Conference 09] 제갈공맹 - MS 원데이 취약점 분석 방법론

GangSeok Lee

[2013 CodeEngn Conference 09] Park.Sam - 게임 해킹툴의 변칙적 공격 기법 분석

GangSeok Lee

2013 CodeEngn Conference 09 게임 보안 제품의 보안성이 강화됨에 따라 해킹툴의 공격 기법 또한 다양해 지고 있다. 몇 몇 해킹툴은 게임에 접근하기 위해 OS의 디버깅 메커니즘 악용한다거나 시스템 프로세스로 위장하게 되는데 이와 같은 몇가지 변칙적인 기법에 대해 알아보고자 한다. http://codeengn.com/conference/09 http://codeengn.com/conference/archive

[2010 CodeEngn Conference 04] Max - Fighting against Botnet

GangSeok Lee

2010 CodeEngn Conference 04 사이버 전쟁의 대표적 공격 무기가 되어버린 봇넷은 네트워크가 점점 초고속화되고, 복잡해진 상황속에서 7.7 DDoS와 같은 DDoS 공격, 인터넷 계정이나 금융 정보등과 같은 개인 정보 유출 등이 봇넷을 통해 이루어지고 있는 상황이다. 이에 해당 주제 발표에서는 실제 사이버상에서 운영되고 있는 봇넷들을 분석해 보며, 그들의 추구하는 봇넷 비즈니스 모델을 찾아보려 한다. 또한, 봇넷의 설계, 운영, 관리, 대응에 관한 시연 그리고 봇넷들간의 전쟁에 대해 이야기하고자 한다. http://codeengn.com/conference/04

[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들

GangSeok Lee

2010 CodeEngn Conference 04 각종 논문 데이터나 기타 연구자료들을 살펴보면 키보드보안의 한계점에 대해 지목하고 그것에 대한 보완 대책을 논의하고 있는 내용이 많다. 물론 그러한 학문적인 접근도 중요하지만, 실제 키로깅을 하고 있는 해커의 입장에서는 어떤 식으로 키입력과 계정을 가져가는지 해커의 접근 방법을 살펴보는 것도 필요하다. 일반적으로 해커들은 커널 레벨이나 하드웨어 지식 베이스에 입각한 난해한 기법보다는, 보다 간편하며 실용적인 방법을 통해 계정을 가져간다. 그리고 그 같은 행위는 현재 키보드보안의 커버 범위를 뛰어넘는 새로운 기법을 보여주는 경우가 대다수이다. 이런 상황을 배경으로 실제 기업에서 발생하고 있는 사례나, 유저의 감염케이스를 리버스 엔지니어링으로 살펴보는 시간을 마련했다. 바이너리 해킹의 예술을 맛볼 수 있는 Art of Keylogging 발표에서 키 입력 탈취에 대한 새로운 트렌드를 소개한다. http://codeengn.com/conference/04

[2010 CodeEngn Conference 04] hahah - Defcon 18 CTF 문제풀이

GangSeok Lee

2010 CodeEngn Conference 04 2010년 5월 22~24일, 세계 최대의 해커들의 축제인 DEFCON 18의 CTF 예선이 열렸습니다. Kaist 보안동아리 GoN 팀으로 참여하면서 느낀 이번 DEFCON CTF 예선에 대한 전반적인 리뷰와 함께, 여러 문제 분야들 중 Binary l33tness, Pwtent pwnables 분야의 문제들의 풀이를 해보고자 한다. (Defcon 18 CTF 예선전 전체 529팀에서 6위로 본선진출) http://codeengn.com/conference/04

[2009 CodeEngn Conference 03] externalist - Reversing Undocumented File Forma...

GangSeok Lee

[2009 CodeEngn Conference 03] hkpco - DEFCON CTF 2009 Binary Leetness 100-500...

GangSeok Lee

[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법

GangSeok Lee

[2009 CodeEngn Conference 03] sionics, kaientt - (파일바이러스 치료로직 개발자 입장에서 본) 파일 ...

GangSeok Lee

2009 CodeEngn Conference 03 일반적으로 악성코드의 치료는 대부분 해당 악성코드 파일 자체를 삭제하여 제거하는 것으로 해결된다. 하지만 Virut, Sality, Parite등과 같이 정상파일에 감염되어 기생하는 파일바이러스는 반드시 원래의 정상파일로 복구시켜야 한다. 일반적인 악성코드의 악성행위를 분석하는 악성코드 분석가의 입장이 아닌 악성행위보다는 원래의 정상파일로 돌려야하는 치료로직을 개발하는 파일바이러스 치료로직 개발자 입장에서 파일바이러스를 분석해본다. http://codeengn.com/conference/03

[2013 CodeEngn Conference 08] pwn3r - Pwning multiplayer game - case Starcraf...

GangSeok Lee

2013 CodeEngn Conference 08 최근 국내/외에서는 멀티플레이어 게임이 유명세를 타고 있다. 이에 맞게 멀티플레이어 게임에 대한 보안 기술 역시 발전하고 있지만, 일반적으로 게임 보안은 게임의 룰을 깨버릴 수 있는 어뷰징(Abusing) 버그를 막는 데 주력하고 있다. 많은 멀티플레이어 게임들이 어뷰징 버그를 막는데 주력하느라, 게임 클라이언트의 취약성에 대한 보안을 놓치고 있다. 게임 클라이언트의 보안의 중요성을 강조하기 위해 BoB 1기에서 진행한 '멀티플레이어 게임 취약점 점검' 프로젝트의 결과물인 Starcraft-Broodwar remote code execution취약점을 설명하고, 취약점을 발견하기 위해 진행한 과정과 Exploit 과정들을 소개한다. http://codeengn.com/conference/08

[2013 CodeEngn Conference 08] CherishCat - 각종 취약점과 대응방안 & 해킹, 보안 문제풀이

GangSeok Lee

2013 CodeEngn Conference 08 보안사고는 사소한 취약점으로부터 시작되어 악용될 수 있다. Hard한 방법이나 별다른Hacking Tool을 사용하지 않은 간단한 발상으로 취약점을 찾아내어 보자. software부분과 Web Site부분에서 악용될 수 있는 여러 가지 취약점들을 실제 사례를 통해서 설명한다. 마지막으로 각종 해킹/보안 관련 문제들을 연습해볼 수 있는 War-Game사이트인 hack-me.org에 등록되어있는 문제들을 풀어본다. 국내외 해킹방어대회에서 다루는 문제들의 기반이 되는 기초적인 접근방법을 hack-me_Challenges를 통해서 입문자들도 알기 쉽게 각 문제유형들을 알아본다. http://codeengn.com/conference/08

[2013 CodeEngn Conference 08] Homeless - Android 악성앱 필터링 시스템

GangSeok Lee

2013 CodeEngn Conference 08 안드로이드 악성앱 필터링을 위한 시스템을 주로 다루려고 하고, 특히 요새 큰 관심이 쏠리는 스미싱 앱을 위주로 내용을 진행하면서 안드로이드 어플리케이션의 정적분석 및 동적분석 방법 그리고 해당 분석으로 얻을 수 있는 내용들이 어떤 것이 있는지를 예시를 통해 알아본다. http://codeengn.com/conference/08

[2013 CodeEngn Conference 08] manGoo - Windows 8 Exploit

GangSeok Lee

2013 CodeEngn Conference 08 Exploit으로 인한 보안 위협은 어제 오늘만의 문제가 아니다. 그에 따라서, Windows Version이 Update 되면서 다양한 Memory Protection 기능으로 Exploiting 으로 인한 공격을 방어하게 되었다. Exploiting Technique에 대한 History를 살펴 보며, Windows 8에서 Memory 관리 하는 방법 및 Memory Protection 방법에 대해서 살펴 볼 것이다. 이러한 변화로 인해 Exploiting 공격에 있어 어떤 방법으로 접근해야 될 지 알아보도록 하자. http://codeengn.com/conference/08

More from GangSeok Lee (20)

[2014 CodeEngn Conference 11] 최우석 - 자바스크립트 난독화 너네 뭐니?

[2014 CodeEngn Conference 11] 박세한 - IE 1DAY Case Study KO

[2014 CodeEngn Conference 10] 심준보 - 급전이 필요합니다

[2013 CodeEngn Conference 09] x15kangx - MS Office 2010 문서 암호화 방식 분석 결과

[2013 CodeEngn Conference 09] proneer - Malware Tracker

[2013 CodeEngn Conference 09] BlueH4G - hooking and visualization

[2013 CodeEngn Conference 09] wh1ant - various tricks for linux remote exploits

[2013 CodeEngn Conference 09] 제갈공맹 - MS 원데이 취약점 분석 방법론

[2013 CodeEngn Conference 09] Park.Sam - 게임 해킹툴의 변칙적 공격 기법 분석

[2010 CodeEngn Conference 04] Max - Fighting against Botnet

[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들

[2010 CodeEngn Conference 04] hahah - Defcon 18 CTF 문제풀이

[2009 CodeEngn Conference 03] externalist - Reversing Undocumented File Forma...

[2009 CodeEngn Conference 03] hkpco - DEFCON CTF 2009 Binary Leetness 100-500...

[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법

[2009 CodeEngn Conference 03] sionics, kaientt - (파일바이러스 치료로직 개발자 입장에서 본) 파일 ...

[2013 CodeEngn Conference 08] pwn3r - Pwning multiplayer game - case Starcraf...

[2013 CodeEngn Conference 08] CherishCat - 각종 취약점과 대응방안 & 해킹, 보안 문제풀이

[2013 CodeEngn Conference 08] Homeless - Android 악성앱 필터링 시스템

[2013 CodeEngn Conference 08] manGoo - Windows 8 Exploit

Recently uploaded

Polish students' mobility in the Czech Republic

Anna Sz.

CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE

BhavyaRajput3

Palestine last event orientationfvgnh .pptx

RaedMohamed3

CACJapan - GROUP Presentation 1- Wk 4.pdf

camakaiclarkmusic

How libraries can support authors with open access requirements for UKRI fund...

Jisc

Acetabularia Information For Class 9 .docx

vaibhavrinwa19

Synthetic Fiber Construction in lab .pptx

Pavel ( NSTU)

Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.

A Strategic Approach: GenAI in Education

Peter Windle

Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction. This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.

Overview on Edible Vaccine: Pros & Cons with Mechanism

DeeptiGupta154

The Challenger.pdf DNHS Official Publication

Delapenabediema

Biological Screening of Herbal Drugs in detailed.

Ashokrao Mane college of Pharmacy Peth-Vadgaon

Biological screening of herbal drugs: Introduction and Need for Phyto-Pharmacological Screening, New Strategies for evaluating Natural Products, In vitro evaluation techniques for Antioxidants, Antimicrobial and Anticancer drugs. In vivo evaluation techniques for Anti-inflammatory, Antiulcer, Anticancer, Wound healing, Antidiabetic, Hepatoprotective, Cardio protective, Diuretics and Antifertility, Toxicity studies as per OECD guidelines

2024.06.01 Introducing a competency framework for languag learning materials ...

Sandy Millin

http://sandymillin.wordpress.com/iateflwebinar2024 Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error. Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials. This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.

TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...

EugeneSaldivar

"Protectable subject matters, Protection in biotechnology, Protection of othe...

SACHIN R KONDAGURI

The French Revolution Class 9 Study Material pdf free download

Vivekanand Anglo Vedic Academy

The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe. For more information, visit-www.vavaclasses.com

Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf

TechSoup

Unit 2- Research Aptitude (UGC NET Paper I).pdf

Thiyagu K

Model Attribute Check Company Auto Property

Celine George

Embracing GenAI - A Strategic Imperative

Peter Windle

Home assignment II on Spectroscopy 2024 Answers.pdf

Tamralipta Mahavidyalaya

Recently uploaded (20)

Polish students' mobility in the Czech Republic

CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE

Palestine last event orientationfvgnh .pptx

CACJapan - GROUP Presentation 1- Wk 4.pdf

How libraries can support authors with open access requirements for UKRI fund...

Acetabularia Information For Class 9 .docx

Synthetic Fiber Construction in lab .pptx

A Strategic Approach: GenAI in Education

Overview on Edible Vaccine: Pros & Cons with Mechanism

The Challenger.pdf DNHS Official Publication

Biological Screening of Herbal Drugs in detailed.

2024.06.01 Introducing a competency framework for languag learning materials ...

TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...

"Protectable subject matters, Protection in biotechnology, Protection of othe...

The French Revolution Class 9 Study Material pdf free download

Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdf

Unit 2- Research Aptitude (UGC NET Paper I).pdf

Model Attribute Check Company Auto Property

Embracing GenAI - A Strategic Imperative

Home assignment II on Spectroscopy 2024 Answers.pdf

[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN

1. Android Bootkit Malware Analysis Kim, Hobin HobinKim125@gmail.com www.CodeEngn.com 2014 CodeEngn Conference 11

2. What is Bootkit? • Bootkit = Rootkit + Boot capability • Boot sector of a disk is infecting the host when introduced at the boot process. • Ex) Windows MBR Rootkit

3. Android Boot Partition • Android devices’ boot partition uses RAM disk file system • Consist of Linux kernel(zImage) & root file system ramdisk(initrd; initial ramdisk)

4. Android Boot Process Bootloader Kernel(Linux) init(init.rc) • init process is first process on Android

5. Stealth Technic of Android Bootkit • Modifying devices’ boot partition and booting script during early stage of system’s booting for hiding and protecting itself • Launching system service as root and extracting malware app as system app

6. Characteristics of Android Bootkit • Bypass built-in kernel-level security restrictions • Difficult to detect and cure by AV

7. Oldboot; The First Android Bootkit • Oldboot • Reported by Qihoo360 in China • The first bootkit officially found on Android in the wild • More than 500,000 Android devices infected in China • Proof that the boot partition of Android could be infected easily

8. How Android Can Be Infected? • The attacker has a chance to physically touch the devices, and flash a malcious boot.img image files to the boot partition of the disk

9. How Android Can Be Infected? (cont) • Qihoo360 found the infected device in big IT mall in Beijing • the recovery partition has been replaced by a custom recovery ROM. and the timestamp of all files in the boot partition are the same.

10. How Android Can Be Infected? (cont) • based on Qihoo’s cloud security technology, they figured out almost infected devices are only well-known device such as the Galaxy Note II

11. Oldboot Bootkit’s Components • Oldboot.a • init.rc (modified) • imei_chk (located at /sbin) • libgooglekernel.so (located at /system/lib) • GoogleKernel.apk (located at /system/app)

12. Analyzing init process(init.rc) • Content of the modified init.rc • Adding imei_chk service as root

13. Analyzing imei_chk • Extract so files

14. Analyzing imei_chk (cont) • Extract apk files

15. Analyzing imei_chk (cont) • Socket listening & read

16. Analyzing imei_chk (cont) • executes received commands

17. Analyzing GoogleKernel.apk • GoogleKernel.apk’s AndroidManifest.xml

18. Analyzing GoogleKernel.apk (cont) • GoogleKernel.apk’s AndroidManifest.xml

19. Analyzing GoogleKernel.apk (cont) • BootRecv service

20. Analyzing GoogleKernel.apk (cont) • EventsRecv service

21. Analyzing GoogleKernel.apk (cont) • Dalvik service

22. Analyzing GoogleKernel.apk (cont) • Incomplete malicious function

23. Analyzing GoogleKernel.apk (cont) • Communicate with libgooglekernel.so by JNI

24. Analyzing libgooglekernel.so • Connecting to its C&C Servers to download configuration files

25. Analyzing libgooglekernel.so (cont) • Location of C&C Server

26. Analyzing libgooglekernel.so (cont) • Location of C&C Server

27. Analyzing libgooglekernel.so (cont) • Downloading APK file

28. Analyzing libgooglekernel.so (cont) • Downloading APK file

29. Analyzing libgooglekernel.so (cont) • Installing downloaded APK as system application

30. Analyzing libgooglekernel.so (cont) • Deleting system application

31. Oldboot.a Running Flow Chart init process init.rc system server imei_chk GoogleKernel.apk libgooglekernel.so JNI socket

32. Preview point of Android Bootkit Malware • Totally new malware attack method on Android • Not only apk can be infected

33. References • Oldboot: the first bootkit on Android, Zihang Xiao, Qing Dong, Hao Zhang & Xuxian Jiang, Qihoo 360 • Advanced Bootkit Techniques on Android, Zhangqi Chen & Di Shen @SyScan360 • Android Hacker’s handbook, Drake, Oliva Fora, Lanier Mulliner, Ridley, Wicherski, Wiley • 인사이드 안드로이드, 송형주, 김태연, 박지훈, 이백, 임기영, 위키북스 • 안드로이드의 모든 것 분석과 포팅, 고현철, 유형목, 한빛미디어 • http://contagiominidump.blogspot.kr/

34. Q & A Any question so far? www.CodeEngn.com 2014 CodeEngn Conference 11

[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (9)

Similar to [2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN

Similar to [2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN (20)

More from GangSeok Lee

More from GangSeok Lee (20)

Recently uploaded

Recently uploaded (20)

[2014 CodeEngn Conference 11] 김호빈 - Android Bootkit Analysis EN