Hacking Exposed Live: Mobile Targeted Threats

George Kurtz, President & CEO, CrowdStrike
Georg Wicherski, Senior Security Researcher, CrowdStrike
Alex Radocea, Senior Security Researcher, CrowdStrike

© 2012 CrowdStrike, Inc. All rights reserved.

BEFORE WE GET STARTED…

•  Questions
– Via GoToWebinar in the Questions tab
–  All ?’s will be addressed at the end of the session

– Via Twitter
–  Engage real-time: @CrowdStrike #hackingexposed7

2 © 2012 CrowdStrike, Inc. All rights reserved.

A LITTLE ABOUT US

GEORGE KURTZ
President & CEO, CrowdStrike
•  In security for ~20 years
•  Former CTO, McAfee
•  Former CEO, Foundstone
•  Co-Author, Hacking Exposed
•  Twitter: @George_Kurtz
•  Blog: www.securitybattlefield.com


A LITTLE ABOUT US

GEORG WICHERSKI
Senior Security Researcher, CrowdStrike
•  Focuses on analyzing advanced threats
•  Likes to put himself in the attackers’ shoes
•  Loves working low level on bytecode
•  New interest in ARM architecture
•  Twitter: @ochsff


A LITTLE ABOUT US

ALEX RADOCEA
Senior Engineer, CrowdStrike
•  Application Security Assessment at Matasano
•  Product Security Team at Apple
•  Dabbles in hardware reverse engineering
•  Upcoming talk: Ekoparty 2012
•  Twitter: @defendtheworld


THREAT EVOLUTION AND OUTLINE

Commercial Targeted RATs Advanced
RATs Threats
•  Manually •  Observed Real •  Demo of
installed World Attacks Browser based
•  “Spy on your •  Simple, regular compromise
girlfriend” Apps •  What are we
just not seeing?


WHAT IS A RAT?

•  Remote Access Tools, better known as RATs
•  Post-exploitation tool
•  Allows administrative controls over the compromised
system
•  Adversaries have been targeting conventional
computing platforms (PC) for many years


RAT FUNCTIONALITY

•  Backdoor functionality and a host of other nefarious features
–  Activate video cameras and microphones
–  Take pictures of remote systems
–  Exfiltration - send back files
–  Run remote commands
–  Log keystrokes


GRANDDADDY OF RATS
Back Orifice Netbus


WHAT IS UBIQUITIOUS?


HAS A CAMERA?


HAS A MICROPHONE?


KNOWS WHERE YOU ARE?


IS ALWAYS ON?


…AND STORES YOUR
SENSITIVE INFORMATION?


DAWN OF A NEW ERA
Mobile RATs

•  Mobile RATs
•  Smartphones are PCs that fit in the palm of your hand
•  Perfect tool to:
–  Intercept calls
–  Intercept TXTs
–  Intercept emails
–  Capture remote video
–  Listen to sensitive conversations
–  Track location via GPS


COMMERCIAL RAT DELIVERY
•  Usually require physical access to target device
•  The attacker must know the target’s password or
the device must be unlocked
•  Manual installation via web page or 3rd party market
•  iOS devices require a jail break


FlexiSPY
•  Emerged in 2006 timeframe as a consumer- marketed cell phone
spying software
•  Capabilities include:
–  Monitoring email
–  Monitoring SMS/MMS
–  Monitoring chat/Facebook/WhatsApp
–  Number flagging
–  Call intercept (only live calls)
–  Hot Mic
–  SMS C2

FlexiSPY LOGS


TARGETED RATs
•  Android: Mostly regular Apps
–  Written in Java using the Android SDK and compiled to Dalvik code
–  Often not even obfuscated (original names retained)
– There are public SDK tools to conceal at least names of non-
exported classes and members
–  Easy process to reverse to Java code (.dex%→%.class%→%.java)
–  Visibility issue or principle of least effort required?

•  iOS targeted RAT ecosystem largely unexplored
–  But commercial RATs well-known and documented
–  Happening for sure but just no good visibility


CASE STUDY: LUCKY CAT (background)
•  Targeted Espionage-Type Operation
– Engineering and Research targets
– Political activists

•  Windows Malware Attributed to Chinese developers
– Likely government sponsored civil hacktivism
– First seen in June 2011
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/
wp_luckycat_redux.pdf

•  Android malware LuckytCat.A found on C2 servers

LUCKYCAT.A ANALYSIS
•  Simple Service based App that registers for BOOTUP intent
–  Starts automatically when phone is turned on

•  Reports general information (phone number, IMEI, …) on connect

•  Can read and write arbitrary files and list directories
–  Linux is Unix, “Anything is a file”
–  All logic and parsing on C2 (client) side, not exposed to analysis

•  Utilizes custom “encryption” / obfuscation algorithm


LUCKYCAT.A BEACON INFORMATION
•  Obtains current
phone number
–  Chinese error /
status message

•  Beacons
–  Phone number as
MAC
–  Current IP
–  Per-incident
identifier


LUCKYCAT.A FILE COMMANDS

•  Only supports file based
commands
–  Directory content listing
–  Download / upload file from / to
phone

•  Any interaction with
system must be done with
this simple mechanism


FINSPY MOBILE FOR IOS
•  Commercial mobile RAT sold to governments
– “Enterprise” Software development
– Proper encryption, communication protocol, ...
•  Analyzed iOS sample stolen demo binary
– Courtesy of CitizenLab.org
•  Capabilities similar to previous commercial RATs
•  iOS variant requires jail broken device or LPE
exploit


FINSPY MOBILE FOR IOS INSTALLATION
•  One initial dropper, install_manager.app%
•  Ad-Hoc distribution with hardcoded UDIDs to run on
•  Certificate registered to Gamma International, Inc.
•  Drops the four FinSpy binaries to suid’able directories
– installer, manages persistence in system
– logind.app, daemon wrapper invoked by launchd on boot
– trampoline.app, a broken no-op in our sample
– SyncData.app, the main backdoor that calls home


FINSPY LPE MISSING LINK
•  installer.app copies binaries to /Application%and
%/System%
•  On a non-jail broken device prohibited by sandbox
•  installer.app requests root privilege with seteuid(0)%
•  Typical for a program
started with suid bit
•  install_manager.app
searches suid’able
partitions

FINSPY LPE MISSING LINK CONT.
•  trampoline.app a no-op in our binary
– Invoked by install_manager.app with path to installer
– Includes snippets that builds paths from arguments
– Apparently cut-off / sanitized at source level
•  Placeholder to disable sandbox and suid installer to
infect non-jail broken devices?
– Given trampoline.app not an exploit itself
– Checked all entry points and loader behavior


UDID LEAK IMPACT
•  1,000,000 UDIDs leaked
•  UDID, APNs tokens, device name leaked from unknown
source
•  Ad-hoc distribution profile requires UDID, each profile has
up to 100 devices
–  User-interaction required for installation
–  Code still sandboxed
•  Device information reportedly leaked from Blue
Toad

FEASIBILITY STUDY RATIONALE
•  Mobile exploits being actively bought on the “market”
–  iOS, BlackBerry, Android (loosely ordered by price)
–  Remote: Baseband, Browser and SMS Apps
–  Local: Really anything that gets you elevated privileges

•  Development of payload up to the customer
–  FinSpy Mobile looks like good fit for LPE trampoline.app%

•  We know these attacks are out there yet we do not have conclusive
evidence.

•  “If the mobile manufacturers don’t give us root privileges, only the
attackers will have root privileges.”


ANDROID 4.0.1 BROWSER EXPLOIT
•  Vulnerability in Webkit (fixed in 4.0.2, public since Nov 2011)
–  No CVE assigned, just a bug leading to degraded user experience…

•  Circumvents XN & partial ASLR on Android 4.0.1
–  Android ≥ 2.3 activates XN, comparable to x86 NX bit
– Requires hardware support but most phones do support it
–  Android ≥ 4.0 adds partial ASLR
– Heap, stack and dynamic linker still at predictable address
–  Android ≥ 4.1 adds full ASLR

•  Use ROP in the dynamic linker to circumvent 4.0 mitigations


FEASIBILITY FOR NATIVE
RAT FOR ANDROID
•  Native stand-alone executables are easily built using the NDK
–  Creating a Makefile and a “Hello World” is < 2 hours if familiar with GCC

•  Huge amount of new “App Analysis (Dalvik) Experts”
–  Has anyone of those ever analyzed native ARM code?
–  Can anyone of those handle a simple UPX packed binary?

•  No Rootkit required, people barely look at native processes
–  Native processes do not show up in Android or 3rd party Task Managers
–  Potentially visible in ps%but trivially obfuscated
– strcpy(argv[0],%“…”)%


http://www.youtube.com/watch?v=M2jxLDz5gE4


•  Quarterly webcasts: Industry leaders presenting
cutting-edge topics

•  Blogs, whitepapers, and other industry resources

•  Webcast archives for on-demand viewing

HTTP://WWW.HACKINGEXPOSED7.COM


CrowdStrike is a security technology company focused on helping enterprises and governments
protect their most sensitive IP. CrowdStrike encompasses three core offerings: Services,
Intelligence, and Technology.

For Incident Response services: http://www.crowdstrike.com/services.html
For Intelligence as a Service: Email us at intelligence@crowdstrike.com
Technology (Coming soon): If you have interest in being a beta customer send your request to
beta@crowdstrike.com

Website: www.crowdstrike.com @CrowdStrike
Blog: http://blog.crowdstrike.com facebook.com/crowdstrike
youtube.com/crowdstrike


Q&A


Hacking Exposed Live: Mobile Targeted Threats

More Related Content

What's hot

Viewers also liked

Similar to Hacking Exposed Live: Mobile Targeted Threats

More from CrowdStrike

Recently uploaded

Hacking Exposed Live: Mobile Targeted Threats