These are quick first looks and trend and threats


Read More >>
Written by the security and AV professionals from team K7, meant for the general audience
Read More >>
These are usually articles that go into internals of a virus or deal with security issues
Read More >>
Senior managers speak on areas of interest to them, inside and outside the industry
Read More >>

January 21st, 2015

This is the first part of a six-part blog based on the paper submitted by my colleague Gregory and myself on Advanced Persistent Threats (APT), for AVAR 2014. This first part introduces the reader to the different phases of an APT and discusses the methodology, prevention and detection techniques of the initial phase of an attack in detail.

The IT security industry is faced with the challenge of dealing with old invasion tactics that have been reborn in new avatars as Advanced Persistent Threats (APTs). APT attacks are tenacious at pursuing their targets and are played out in stages, possibly over a long period of time. With financial backing from state actors and criminal rings, APTs tend to be compound, sophisticated and difficult to detect. Each facet of the intrusion, in an idealist scenario, may be refined to such an extent that the end goal is achieved without a trace before, during or after the event.

Despite the complexity of these types of attacks, certain parameters always need to be satisfied to deliver the payload and retrieve the expected results, leading to the emergence of an attack pattern which may be placed under the microscope and flagged. These parameters include executing arbitrary code by invoking zero-day exploits for popular software, defeating security measures such as DEP & ASLR, e.g. via heap spray and ROP/JOP chains, exploiting EoP vulnerabilities, establishing remote C&C communication channels to issue commands or to exfiltrate stolen data in encrypted form, etc.

Drawing on evidence from documented real-world case studies, this paper details techniques that assist an assailant during the different phases of an APT, bypassing protection mechanisms like application-sandboxing, EMET, IDS, etc. thus attempting to fly under the defense radar at all times. Equipped with this information, we hope to explore methods of discovering each part of the life-cycle of a targeted attack as it is in progress or in the post mortem, thus reducing their efficacy and impact.

Introduction

“If you know your enemies and know yourself, you will not be imperiled in a hundred battles… if you do not know your enemies nor yourself, you will be imperiled in every single battle.” Sun Tzu

As technologies implemented in organizations are becoming advanced, the threats are rapidly evolving too. Through tenacious and coordinated attacks on one’s infrastructure, APTs are able to infiltrate and overwhelm the organization.

The threat landscape has changed. But the general principles of war remain the same.  Knowing the modus-operandi of your faceless attackers helps one evaluate, and harden one’s security measures, and gear up towards facing the attackers head on.  This paper aims to help you do just that.

APT Life-Cycle

The stages of an APT can broadly be classified as follows:

•   Target reconnaissance
•   Initial compromise
•   Expanding access and strengthening foothold
•   Data exfiltration and cleanup

 

 Target Reconnaissance

The reconnaissance phase of a targeted attack sets the stage for the rest of the threat campaign and therefore involves a high degree of planning. The perpetrators spend significant amounts of time learning about their target, collecting as much information as possible about the human, physical and virtual resources of the organization. The intelligence garnered during this stage not only helps the assailants determine key points of entry into the target network but also empowers them to navigate the victim’s network once inside more effectively & efficiently.

Reconnaissance Methodology

The target’s virtual network is plotted using publicly available resources. These resources include:

•   DNS records
•   WHOIS information
•   Email messages
•   Inadequately protected network logs
•   Misconfigured servers, etc.

The organizational structure is also studied to determine employees and their organizational access levels, using social media, search engines and the target’s own website. Profile intelligence gathered could include potential passwords, personal and official email addresses, whether the user is a regular employee, a SOHO user, or a contractor.

Based on this harvested intelligence the infrastructure needed for the attack will be acquired, the course of action to successfully execute the campaign will be determined & evasion techniques that could be followed during the attack will be planned. New domains may be registered, command and control servers set up, exploits crafted, vulnerable employees identified, custom social engineering schemes plotted for these target employees, malicious files created, etc.
 
Recently, US airport workers from over 75 airports were targeted via malicious emails based on information such as their names, titles, and email addresses that were harvested via publicly-available documents [1].

Fig.1 shows how a simple search engine query can divulge information like emails exchanged between personnel in public forums which may seem innocuous, but can be used to launch a spear phishing attack. Popular mailing lists mask this sensitive information to avoid it from being scraped and abused by bots. Valid users on the other hand are allowed access after solving a simple CAPTCHA.

Fig.1: Search result revealing email addresses and other information about employees of an organization.

Prevention/Detection

Most of the intelligence collected by the assailants during this stage is publicly available and in general doesn’t involve the attackers touching any of the internal systems. Information that was gathered from previous APT campaigns but applicable to the current one could also be reused. This makes detecting an APT during these early stages of the attack challenging.

Usual best security practices such as conducting periodic penetration tests, hardening the applications & the operating systems, etc. are still relevant, but these measures by themselves don’t stand a chance against this adversary.

Organizations should take care to both restrict the amount of information that is flowing outside and be aware of publicly available sensitive information which could potentially be used against them.

Profile Scraper

Automated bots can be used to collect publicly available information on the company, the employees, etc. from popular social networking sites and search engines, etc. The data collected can automatically be analyzed for potential sensitive leaks.

Honey Profiles

Fake profiles at different organizational levels meant to be trip wires can be set up on popular social networking sites and connection attempts and profile hits can be analyzed. This could allow organizations to both recognize if they are being targeted and predict which individual or group of individuals are being targeted.

References:
1] http://www.seculert.com/blog/2014/07/extended-apt-campaign-targeted-us-airports.html

Images courtesy of google.com

Lokesh Kumar
Manager, K7 Threat Control Lab

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
http://blog.k7computing.com/feed/

January 20th, 2015

Cyber criminals can spy on your PC or mobile phone even when there is no internet connectivity on your device, claim researchers from Georgia Institute of Technology. Apparently, low-power electronic signal emissions, called “side-channel” signals, from laptops and mobile phones can allow hackers to intercept user activities and Android smart phones are particularly prone to these kinds of attacks. Through these signals, hackers may be able to tell when you edit a document, look at photos and when you enter a password, with the help of an antenna and a microphone.

The difference in the signal emission by the processors is said to help deduce the operation that is being performed on the device. The GIT researchers asseverate that there exists a design flaw in devices that makes them vulnerable to hackers, who are able to eavesdrop on user activities from a few feet away. The victim on the other hand, will be denied even the benefit of doubt since there is no way to tell that signals from your devices are being tapped. Despite speculation about this kind of exploitation there is no evidence of any attack so far.

Cyber criminals are always on the lookout for ways to infiltrate the user’s device to steal information. Even if it were possible to gather information through side-channel emissions, we believe that cyber criminals would not opt for this route on a large scale. The nature of professional cybercrime is such that the distance between victim and attacker is generally several thousand kilometers, i.e. over a network of interconnected devices. It is hardly likely that a cybercriminal would tune into emissions from the user’s device from just a few feet away. The probability that a hacker can match a password to the corresponding website when you type in a password on your device or decide which emission comes from which particular individual’s device seems pretty low. In any case let us await independent verification of the alleged design flaw.

Image courtesy of:

http://ispyck.com/tscm-services/

Archana Sangili, Content Writer

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

January 12th, 2015

This is the second chapter of my blog series focusing on the vulnerabilities and exploits involved in a website compromise following on from the previous chapter covering the reasons for which website access can be blocked.

New age Internet, a web of images, videos and user-friendly interactive content, is delivered by tools like image/video gallery, sliders, gadgets, CMS, etc., for quick design and implementation.

Because of the complexity of these evolving web technologies, there is a high possibility that security vulnerabilities in web applications might be overlooked by both the developers and the quality assurance process. Such vulnerable web applications are susceptible to hackers and bots to break into a victim’s computer and to infect websites to spread malicious files or send spam messages.

The most common web application vulnerabilities are described below.

Code Injection

A huge number of data breaches happen via code injection attacks, i.e. the injection of malicious code specific to a vulnerable application either on the victim’s computer or on the website host server into a web application in order to carry out silent execution of the injected malicious code. This kind of attack includes Cross-Site Scripting (XSS), SQL Injection, XML injection, RCI, Header Injection, Log Injection and Full Path Disclosure. To have a clearer picture of code injection, let us look at the XML injection example shown below.

Let us consider the following form and actual inputs:

Name: test
Password: test123
Mail: test@test.com

Data is sent to the web host as follows:

http://vulnerable.site/add?name=test&password=test123&mail=test@test.com

Expected XML result at the server side is:

<user>

<name>test</name>
<password>test123</password>
<id>101</id>
<mail>test@test.com</mail>
</user>

A valid user id 101 is created for the user “test”.

Now, let us suppose a hacker submits an XML code as input in one of the aforesaid form fields to control a user account.

Name: test
Password: test123</password><id>0</id><!–
Mail: –><mail>test@test.com

Now, the data sent would be in the format,

http://vulnerable.site/add?name=test&password=test123</password><id>0</id><!–&mail=–></mail>test@test.com

Modified XML result is:

<user>
<name>test</name>
<password>test123</password>

<id>0</id>
<!–</password><id>101</id><mail>–>
<mail>test@test.com</mail>
</user>


In the above example, as the hacker has entered the XML code “</password><id>0</id><!–” along with the password “test123” in the password field and “–><mail>” along with the mail “test@test.com”, the website server generated id “101” is commented out and a possibly pre-existing id “0” is assigned to the user “test” via password and mail parameters provided by the attacker. Now the hacker can avail the privileges or the functionality associated with the id “0”, thus severely violating the security objective of access control.

Broken Authentication and Session Management

Many developers prefer relying on their own, custom authentication and session management schemes than using the standard authentication and session management methods. As seen in cases earlier, custom schemes regularly fail in functionalities such as password management, sign in, logout, timeouts, secret question, account update, etc.

Some common flaws attributed to the failure cases are listed below:

●     Storing credentials in plain text, i.e. without hashing or encrypting them.

●     Weak account management modules (e.g. account creation, account deletion, change/update password, recover password, etc)

●     Session IDs

  1. exposed in a URL
  2. that do not properly timeout or are not validated during logout
  3. that are not updated after a specific time period once logged in.

●     Confidential data transfer over unencrypted connections.

In the example below, a movie-booking application exposes the session ID in the final URL as shown below,

http://mvie.com/hindi/book/?movie=pk(2014)&time=3,6,9 &sessionid=2QZABDJ3NDXYXK5CJ8N290

Now, if an authenticated user shares the above link with others, the allotted sessionid will also be visible to the receiver. When the receiver accesses the shared link, he/she will have the privileges associate with that session ID and can therefore hijack the session. These scenarios can cause adverse effects in case of gift vouchers, saved credit card details, etc associated with the authenticated user.

Security Misconfiguration

Secure configuration of an application stack including operating system platform, web server, application server, database, framework and code is one of the primary goals for  developers and system administrators. Security misconfiguration can occur at any level of an application stack. Exploiting such misconfigurations, ranging from failure to apply appropriate patches, use of default accounts, failure to set useful security headers on a web server, use of unnecessary services and disabling platform functionality could grant unauthorised access to an attacker.

For example, consider the scenario where the server XYZ has a few java class files (compiled Java source code files) hosted, but unfortunately has directory listing is enabled, unknown to the administrator. If an attacker manages to discover that the server XYZ’s directory listing is enabled, the attacker would be able to collect the compiled code and reverse engineer it to get source code.

Format String

Exploitation of Format String occurs when the submitted input string is misinterpreted as a command by which the attacker can trick the concerned application to read values off the stack, induce a segmentation fault, or execute a user supplied string as a code, to cause an unexpected behavior that could compromise the stability and security of an application, thus potentially allowing execution of malicious code by a remote attacker.

Intelligent fuzzers are used to automate fuzzy input supply to the application, with the intention of crashing the application and generating errors that can disclose sensitive information. The most common C runtime functions printf(), fprintf(), sprintf(), snprintf(), scanf(), etc., process data based on a format string and %x, %s, %n, %%, %p, %d, %c, %u  are some of the most common parameters used in this attack.

For example,

Let us discuss the following C code,

#include<stdio.h>
#include<string.h>
int main(int argc, char** argv)
{
char buffer[100];
strncpy(buffer, argv[1], 100);

printf(buffer);
return 0;
}

In the above C code, the printf() function takes one argument “buffer” instead of the usual two arguments, format specifier and the associated variables. An attacker can trick the printf() function in the above code by passing an input string “%p %p %p %p %p”  to the buffer where %p is the format specifier of a pointer. During execution, printf() will look at the argument as  “%p %p %p %p %p”, consider that it has 5 arguments and will print the next 5 addresses on the stack (for 32-bit architecture) from the current position. Possible output could be:

=> ./output.out “%p %p %p %p %p”
0xffffdddd 0xf7ec 0×1279 0xffffdbdf 0xffffdbde

Thus, a format string vulnerability gives the attacker the ability to read an arbitrary value from an arbitrary address and potentially perform malicious activity.

Apart from exploiting web application vulnerabilities, hackers may also avail of weak password policies, insecure FTP/HTTP connections, outdated third party add-ons and server vulnerabilities to compromise access to a website host. To accomplish an attack successfully, attackers may combine two or more vulnerabilities together on the target webserver.

In the next chapter of my blog series, I will describe the consequences faced by users  visiting a hacked website, along with a few mitigation guidelines for the webmaster.

Images Courtesy:
ronkealao.com

Priyal Viroja, Vulnerability Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

December 31st, 2014

India is rapidly becoming internet-enabled, thereby increasing her exposure to cyber-attacks. Every day new users are getting introduced to the internet, susceptible to the danger of becoming victims of cyber abuse.

Recently, the Indian home ministry disclosed that India had experienced a 40% rise in cyber crimes over the past two years. Data theft, credit card fraud, unauthorized wiring of money, exposure of confidential information and illegal hacking topped the list of reported crimes.

The picture below shows the Indian regions that are affected with different malware types in December 2014 (courtesy of our own instrumentation data plotted on our internal Google maps interface).

Microsoft’s last survey also reveals that India was the most hit region by malware over the last quarter. Malware categories like worms, Trojans, adware and other malicious exploits had predominantly affected India compared to most other developed and developing parts of the world. This unpleasant fact is alarming as India had started employing the Internet increasingly in her e-Governance infrastructure to aid the citizenry in education, health and consumer services, etc.

The mass spread of most of these threats can be attributed to the facts that much of the population is ignorant of such types of assault and inattentive to protect their computers and smart devices that connect to the internet.

Malware engages diversified ways to creep in and cause havoc, most commonly:

1. Pirated Software – There are a lot of users who install unlicensed versions of the Windows operating system to avoid payment. Cracked versions of the OS, games or other software are readily available online for “free” download. However, pirated versions do not receive critical security updates making them impotent to fight back against malware threats.

2. USB Devices – Liberally sharing USB devices, of which a high proportion are infected, among friends and colleagues easily spreads worms. Incidentally 28% of malware encountered in India were autorun worms that spread through removable devices.

3. Free Downloads – Games, screen savers, tools and any “free” software download may travel bundled with Trojans or adware that may lead to user’s personal information leaking out, cause computer slowdown or cause a change to computer settings.

A notable number of laptops and smart phones are believed to be infected by malware on a daily basis. Moreover, Microsoft claims that the computers and devices that have no anti-virus installed or expired anti-virus are four times more likely to encounter malware attacks. To defend against security threats and to cope with the growing social networking habits, users (especially from India) must gradually start understanding the importance of cyber security, good internet practices and install a reliable anti-virus product to stay secure.

Wish you all a Happy New Year and Safe Computing in 2015 … and what’s left of 2014 too!!

Archana Sangili, Content Writer
If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

December 23rd, 2014

Are you excited about the new social networking platforms, games, mobile apps and the Internet of Things? Yes? Great, but BEWARE, hackers too are excited! With the K7 product installed, while visiting a website have you ever hit upon the message, “Access denied! The access to this page has been denied by K7Total Security Safe Search”? If you have, good, you’re safe.

We at K7TCL process a huge number of suspicious website URLs everyday and identify many  malicious ones, some of which are hosted at compromised or hacked websites (websites which are owned by legitimate entities but have been forcibly taken over by hackers without the owners’ knowledge). To provide better protection to the user, URLs identified as malicious, including phishing, fraudulent and malware-payload links are blacklisted and the product denies access to them. We have stringent quality assurance processes to ensure that we don’t block access to clean websites.

As we blogged earlier, we occasionally receive URL false positive reports from our clients for the websites that are indeed compromised. So we thought it would be a good idea to educate the public with a blog series covering:

  1. How a website is typically hacked
  2. Factors to identify a hacked website
  3. Role of software vulnerabilities (defects in software that can be exploited by hackers) involved
  4. Consequences to the user in visiting a hacked website, along with a few mitigation guidelines for the webmaster

This is the first chapter of my blog series that briefly describes hacked websites and the reasons for a website to be blacklisted.

Usually hackers and their automated bots, which are malware designed to infect a user’s computer and connect back to a central command and control (C&C) server, break into targeted website hosting by exploiting a web application vulnerability on the target. Targeting a massive user base, hackers often prefer to hack renowned legitimate sites that own heavy network traffic to propagate the hosted malware and infect a large number of users, or fraudulently suck information from them, even before it is identified that the website is hacked, as in the case of the recent Ebay hack. Compromised websites are either injected with a malicious script that downloads another malware on to a user’s computer or ends up redirecting to another malicious site. Such a hacked website remains infected until the webmaster identifies, assesses, and remediates threats to his/her systems.

In response to the aforesaid incidents, we duly inform the concerned authority, i.e. the webmasters, of such infected websites about the scenario and the recommended course of action. Therefore we recommend that webmasters provide accurate, up-to-date contact details on their domain registrations and DNS records so that we know whom to contact when the need arises.

To an end user visiting a compromised website with a vulnerable browser or browser plug-in may leave the user’s computer infected with a malware without his/her knowledge. So, it is advisable that users regularly apply update patches for their operating system and the other software they use.

A blacklisted website/URL satisfies one or more of the following criteria:

1) It redirects to a malicious link or points to a malicious payload
2) It is used in spam or phishing campaigns
3) It is hosted on a compromised web server
4) It contains malicious JavaScript code

Alexa, a well-known provider of web traffic information, ranks 1 million domains and sub-domains on a daily basis according to their popularity. To get an idea of the number of compromised and popular websites used in malicious attacks, we looked at how many malicious URLs are hosted on websites listed on Alexa’s top 1 million. From our latest lab data and instrumentation, we observe that currently approximately 7500 popular domains are compromised and 10791 exploit-related URLs are blocked by our product’s site blocker. Furthermore, out of these,16 sub-domains and 16 blocked URLs have domains ranked within Alexa’s top 100.

In the next chapter of my blog series, I will describe how websites get hacked in the first place, focussing on the vulnerabilities and exploits involved.

Priyal Viroja, Vulnerability Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

December 12th, 2014

Over the years, online users have had to identify obscure images, typically worn-out text from old newspapers or street addresses, and type the contents into a box to prove their humanness. CAPTCHA (an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”), as this process is called, helped prevent robots gain illegal access to websites, in order to propagate spam (unsolicited messages), for example.

However, these days advanced Artificial Intelligence technology with image recognition can solve CAPTCHA puzzles with astonishing accuracy, a whopping 99.8% according to Google. In an attempt to beat these more advanced bots, Google has recently launched a new API (Application Program Interface) called CAPTCHA reCAPTCHA.

With CAPTCHA reCAPTCHA , users are now directly asked to check a box as shown above. If this step is still insufficient to confirm the user’s humanness, a CAPTCHA is thrown. This CAPTCHA asks the users to match a given image with a set of images, usually animals or birds. Though this approach appears simple, Google claims that advanced risk analysis runs on the backend which monitors the user’s interaction with the CAPTCHA till the very end. This is a welcome change, especially for mobile users who face mild inconvenience in resolving the distorted images.

We hope CAPTCHA reCAPTCHA will be more effective in the fight against the bots created by cyber criminals.

Images courtesy of:

xpda.com
imgur.com

Archana, Content Writer

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

December 10th, 2014

Recently, DeathRing, the latest pre-installed Android malware supposedly from China, was spotted in popular low-end smartphones sold in Asian and African countries including India, Vietnam, Indonesia, Nigeria, Taiwan and China.

This mobile Trojan disguises itself as a ringtone application and attempts to download other malware APKs, or target the user’s personal information and act as per the remote commands from a Command & Control server operated by cyber criminals. To avoid being uninstalled by the user, this malware is packed in the device as a system application.

One should now be paranoid about trusting a new smartphone. A precautionary action of scanning the new smartphone with a Mobile AV before use, or may be even before purchase, would stand as a temporary solution, but the Antivirus might not be able to remove the malware as it resides in the restricted-privilege system area.

Now, let us look briefly at what this malware does to achieve its malicious behavior. Even though this application is pre-loaded, supposing a user installs this application at will, the group permissions requested from the user during installation will be as shown in Figure 1 below.

Figure 1.Permissions requested from user during installation

Few of the important permissions to be granted by the user are shown in Figure 2 below. With these permissions, this Trojan app gains the ability to unmount and mount the phone’s file system with its desired privileges to install another malware APK in the system area, kill other running processes, interfere with a user’s outgoing calls and receive BOOT_COMPLETE information on device power-on.

Figure 2.Permissions list

Interestingly, this malware also requests permission to inject into user events (key, touch or trackball)  to deliver the event stream  to  the main activity of the Trojan.

Figure 3.Permission to inject into a user key event

Further analysis of this malware reveals that it also registers more than one callback and several services with the android system to start its malevolent behaviour with all possible intents that include ACTION_SHUTDOWN, NEW_OUTGOING_CALL etc., as shown in Figure 4.

Figure 4.Callbacks registered by the DeathRing malware

This malware carries the code to receive the key events in the main activity by declaring click listeners to trigger the corresponding relative activity.

Figure 5.Code to receive Click Listener

One of the relative activities listens for the key press events like onClick and onKeyDown from the SHUTDOWN key as a part of its malicious functionality as shown in Figure 6.

Figure 6.Code listening on shutdown button

This malware is also interested in the network state of the user’s device by first checking the user’s network type and subscriber ID, and then enabling the network connectivity based on the subscriber’s ID type.

Figure 7.Code identifying wi-fi connection

Figure 8.Code enabling network state

As proposed to Google in our last VB paper, an updated boot and broadcast framework that enabled the AV component to load earlier than any other application, even system applications, could help detecting and removing such malware.

Also, identifying and correcting the loophole through which the malware is loaded into the life-cycle of manufacturing and delivering the device at the earliest would help prevent pre-loaded malware, unless the presence of pre-loaded malware is not accidental.

K7 Mobile Security users are protected against this malware with the detection “Trojan (0001140e1)”.

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

November 24th, 2014

Here is the second part of a two-part blog based on my paper for AVAR 2013.

Continuing from the first part of my paper…

Exploits for Android

This section would demonstrate few of the major security vulnerabilities in the Android OS.

Master Key Vulnerability:

This vulnerability has attracted a lot of interest from both security researchers and from the news media. This vulnerability resides in the cryptographic signature verification of Android Application Packages (APK). The problem here is that the files in the APK (Zip archive) are parsed (unzip of a file) and verified using Java ZipFile implementation from libcore, whereas the code that loads the data from the package is from a different C re-implementation2. The way in which these implementations handle multiple files with the same name differs, which results in verifying signature for one file with a name as per Java and installing the contents of a different file with the same name as per C.

In general, a zip format will not allow two or more files with the same name to be within an archive. But this can be circumvented with the help of some utilities available or a bit of tweaking. For example, the Android malware called Andr/MstrKey-A (Sophos) travels across with two copies of files named “AndroidManifest.xml” and “classes.dex”.

Figure 3: Malware APK with multiple files of same name

While the AndroidManifest.XML of size 2644 bytes and classes.dex of size 45228 bytes are the original files, the other two files were added by the malware author.

Manifest and Dex2Jar Vulnerability:

Android malware Backdoor.Android.Obad, called to be the most sophisticated, was found to exploit more than one vulnerability in the system to achieve the malevolent behaviour. The dexguarded Obad is seen to engage three of the vulnerabilities in the system to send out premium rate SMS without user’s knowledge.

Apparently, dexguard protection on this malware encrypts the strings and the class names involved, making static analysis challenging.

The figure below is a code snippet of Obad backdoor sample in Java format, highlighting some of the encrypted strings and class names.

Figure 4: Java code snippet of Backdoor Obad sample

The AndroidManifest.xml is a file which defines an application’s structure, permissions required and the launch parameters. This file plays a vital role during the installation process of the application. OBAD targets an error in the processing of AndroidManifest.XML file by modifying the XML file in such a way that it does not comply with Google standards but still gets executed properly and installs the application as usual, which stands as the first vulnerability availed.

Secondly, the Dex2Jar utility, that helps researchers to convert .dex to .jar files, has an error that it fails to convert the dex to jar properly, which takes the second place in the vulnerability order.

As third one, this malware registers as a device admin and utilises a vulnerability that it does not appear in the administrator list. By Android Framework, only user level applications (non-administrators) can be uninstalled by the user through uninstall option under settings whereas for the device administrators, uninstallation is possible only from the device administrator list. As this malware does not have any icon and runs in the background, absence of the application name in the administrator list makes it tough for an end user to identify the infection and delete the application.

It is also under discussion that because of the flaw in the XML encoding in dexguard 5.2.00 and the fact that the application is missing the associated label, which is required to display the application name in the Device administrators list, this malwares enjoying the administrator privileges without being listed under the administrators. Even though the malware does not aim at hiding itself or exploiting a vulnerability in the system, the vulnerabilities in the development environment and the supporting tools, may make it relatively tough to statically analyse a malware.

Privilege Escalation Vulnerability:

To procure the root access, there were malware instances that invoked other application in the victim’s device that require root access or driving the user to grant the root access to the application. As a step ahead, exploiting vulnerability in the Android OS to acquire administrative rights was also witnessed in case of Android TrojanSpy Droiddream that carries Exploid and RageAgainsttheCage.

The daemon process, Android Debug Bridge in Android, when started runs with the root permissions but later, the daemon drops its root permissions with the help of setuid() to run as a user process.The problem arises when there are maximum number of user processes are already running in the system.

Exactly the same happens in case of the malware Android Droiddream where RageAgainsttheCage confirms the max count of user processes (RLIMIT_NPROC) and forges the required number of processes to reach its limit. Now the exploit kills one of the processes and restarts the adb process. But as the target user’s process had already reached its maximum (RLIMIT_NPROC), setuid() fails. However, setuid() function’s return value is not verified and the adbd also fails to drop its privileges and continues to run as root.

Technical Analysis of Droiddream malware describes that RageAgainsttheCage is tried first and at the failure of which, is called Exploid, an udev exploit. This second exploit executes by using hotplug that is run by changing the state of the wi-fi adapter and resuming to its original state.  Successful execution of these exploits aids the malware with root access.

The above described vulnerabilities had a huge impact on the malware approach to silently have venomous actions in the compromised device.

Android OS Update

According to Google’s architecture for OS update, a user will receive updates from the respective device manufacturers/carriers. The reason behind is to aid the handset manufacturers/OEM versions to customize the updates for their device design. But many a time, the update process is slow that it resulted in a delay for a user to receive updates or at times the user could miss the update at all, that leaves them exposed to the dangerous vulnerabilities. Considering the data security of an Android user, Google should release increased and regular security updates without waiting for any upcoming GUI/OS update. Also it is debated many a times that updates should be directly available to the user instead of routing through the device company. User responsibility also has a share in this topic, to regularly check for updates and update the device, if any to avoid any uncool situations.

Risk Mitigation

Apparently, to mitigate the risk of vulnerability, there should be technology improvements in the Android OS that enhances the security context. The implementation of most awaited deployment SELinux3, Mandatory Access control (MAC) in Android OS could help solve the problem. With SELinux, MAC layer can control the user access to both their and the system data. Interestingly, with extra layer of security, it is possible to define system-wide policies, applicable for Super User (root) even.

It works by defining policies that describes the type of interactions a process is allowed to. For example, if a daemon process has a system-wide policy defined to access only a file with a specific label, then the process cannot access any other file. This acts as a solution to the privilege escalation vulnerability, but unfortunately SELinux is implemented only in the permissive mode. Removing the permissive mode and imposing the SELinux along with the regular OS/Security update with no delay could reduce the opportunities for exploits in the malware spread. Eventually, Google could come up with a vulnerability scanner for different versions of Android OS, which the users can make use of and proceed further to their carriers to patch the unpatched device.

Conclusion

Evidently, there is a rise in the smartphone usage around the world in both personal and business sectors. As quoted earlier, Google’s Android also contains vulnerabilities. It is a known fact that there are mobile malware in the rounds targeting the OS vulnerabilities to accomplish their noxious activities. These malware, even though, avail exploitation techniques to infect a device, their ultimate aim is at financial benefits by stealing user’s banking details, or stealing user data or personal information. Victimizing smartphones that are engaged in business communication can still intricate the situation. It is demonstrated already by Android malware to adapt to advanced evasion technique, which is expected to continue in the future as well. Hence, to overcome this scenario, regular security and/or OS updates should be made available to the user, to patch the disclosed vulnerability(s). With the enforcement of the SELinux technique in Android could considerably reduce the vulnerability risk in the system.

References:
2.  http://www.saurik.com/id/17
3. http://source.android.com/devices/tech/security/se-linux.html

Images courtesy of:
Moneycrashers.com

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

November 21st, 2014

Nowadays, major web players employ invite-only strategy, the hot trend to promote their new web services and apps. The invite-only buzz resonates exclusivity, thus making the forbidden more attractive to young users. Google Inbox, the new email app is currently channeling this fad, getting users excited about invites.

However, we observe some security concerns with this trend, as we notice suspicious campaigns doing the rounds. Few of the users, with or without invite shares, are seen to post hostile links that redirects to unsafe websites or demanding email id’s to distribute invites.

Here is an imaginary scenario that describes what could happen with an excited user who responds to an anonymous link that claims to send an invite. Consider, Sara wants an invite to the new email service “INBOX” and John tweets that he has “INBOX” invites to share as in the pictures below,

Now, Sara looks at the tweet, clicks on the link, shares her personal details with John as instructed. Possibility is that the link itself could be malicious.

Supposing the link is not malicious, it’s uncertain, if Sara would receive a link which redirects to a malicious link or would receive an invite mail from John after giving her personal information.

Wear your safety goggles; don’t share personal data on public platforms and be suspicious of links to invite-only emails and messages from unknown sources.

Priyal Viroja & Archana Sangili, K7 Team

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/

November 16th, 2014

Here is the first part of a two-part blog based on my paper submitted for AVAR 2013 that discusses the known vulnerabilities for Android OS with examples of Android malware exploiting them and few of the ways of mitigating the risk including the patch management.

Google’s Android, as any other mobile operating system, also contains a number of vulnerabilities. Android malware writers are now increasing the use of these exploits to evade detection. Early Android malware used simple ways to either spread or compromise the user’s device however with the increase in the Android malware count year-on-year and the advancement in detection techniques used by security software, malware writers have been forced to evolve new approaches to evade detection by mobile security products. A reminder of Darwin’s “Survival of the fittest”.

In the recent past, there have been a few Android malware instances that focus on exploiting vulnerabilities in the Android OS to attain root access or administrative privileges. For example, Android TrojanSpy Droiddream involved Exploid and RageAgainsttheCage exploits to obtain root access of the victim’s device.  To complicate the scenario further, the obfuscated Backdoor.AndroidOS.Obad utilises multiple system vulnerabilities in the Android OS to have its stealthy malicious behaviour. In addition there has been some publicity about the critical vulnerability in Android’s application signature check that could allow a hacker to inject malicious code into the legitimate application without even breaking the signature.

Known vulnerabilities in Android include those related to privilege escalation, common intent and so on. The exploitation of vulnerabilities provides a powerful mechanism for malware writers to compromise a system and deploy malicious code so it is imperative that we understand the scope of these attacks.

This paper provides an account of the known vulnerabilities used in the Android threat landscape with examples of Android malware exploiting them. The paper will also focus on the ways and means of mitigating the risk, including a discussion of patch management for Android.

Severity Evolution of Android Threat

Malware authors started investing time in identifying new ways to install their applications and to trick the user into installing their packages, with the focus on improving the propagation methods. Along with the early SMS Trojans, the severity of the Android threats notably increased with the emergence of other malware like fake applications, Zitmo/Spitmo, Image modifiers and so on, that really improved the complexity of the Android threats. In addition to these categories, targeted attacks, SMS worms were also predicted.

Unfortunately, in the past, there were few occurrences of malicious applications in the Android official market itself which had the outcome of Google’s Bouncer, a behavioural scanner. Even though malware writers can upload their malware package in the third party markets for Android, with the advancement in the security measures, such as Google’s Bouncer, the detection techniques involved by the mobile security products and last but not the least because of the smartphone user’s awareness on malware propagation methods, malware writers are forced to discover a new route that serves them to evade detection techniques and successfully execute their malicious code.

In the past, many Android malware required root access (administrative power) to execute the desired malefide functions on the victim’s device. For instance, Android.Droiddream involves the exploits Exploid or RageAgainsttheCage to exploit the vulnerability in the Android OS to attain root access. Notably, in the recent past, malware authors engage exploitation of the OS vulnerability increasingly to run their piece of malware and they are seen to target other functionalities in the OS apart from the root access.

Known Vulnerabilities

The saying that popularity brings in the danger of threats holds good for Google’s Android as well. Exploiting vulnerability in any OS stands as one of the best possible ways for malware authors to achieve privilege escalation or DoS.

Figure 1 below represents the count of major Android Vulnerability year on year since 20091.

Figure 1: Android Vulnerabilities by year till November 2013

The Vulnerabilities listed above were exploited to cause any adverse effects from remote code execution to denial of service attack.

Figure 2 shows the effects of exploitation of Android vulnerabilities

Figure 2: Exploitation Effects

Data from the above chart depicts that many of the exploitations are aimed at either remote code execution or performing denial of service. Malware authors may exploit one or a combination of these known vulnerabilities to reach their goal. The same example Android.Droiddream can be quoted here again for the exploitation of privilege escalation vulnerability.

The table below describes a few of the major security vulnerabilities and their security impact on the mobile device.

CVE ID TYPE COMMENT
CVE-2013-4787 Code Execution Master Key Vulnerability – flaw in cryptographic check for application’s signatures
CVE-2012-6301 DoS Browser application in android 4.0.3 allows remote attackers to cause DoS (application crash)
CVE-2012-4222 DoS KGSL kernel mode driver for Android allows remote attacker to cause Denial Of Service through Null pointer dereference
CVE-2012-4221 DoS,

Code Execution

Integer overflow in DIAG kernel mode driver allows remote attacker to cause either DoS attack or remote code execution
CVE-2012-4220 DoS,

Code Execution

DIAG kernel mode driver allows remote attacker to cause DoS/remote code execution by incorrect pointer dereference
CVE-2012-3979 Code execution Flaw in Mozilla before 15.0 allows remote attacker to execute arbitrary code via crafted webpage that loads a javascript dump function
CVE-2011-3918 Dos Zygote process in android accepts fork requests from arbitrary UID, that causes remote attackers to cause DoS by reboot loop
CVE-2011-3874 Code Execution Stack-based buffer overflow allows user-assisted remote attacker to execute arbitrary code.
CVE-2011-2357 Bypass Cross application script vulnerability in the  browser URL loading functionality allows local applications to bypass sandbox and execute  javascript
CVE-2011-1823 Code Execution

Memory Corruption

Bypass

The vold volume manager daemon on Android 3.0 and 2.x before 2.3.4 trusts messages that are received from a PF_NETLINK socket, which allows local users to execute arbitrary code and gain root privileges
CVE-2011-0680 Flaw in draft cache management by data/WorkingMessage.java in the Mms application in Android before 2.2.2 and 2.3.x before 2.3.2 allows remote attackers to read SMS messages intended for other recipients in opportunistic circumstances via a standard text messaging service.
CVE-2011-0419 DoS Stack consumption vulnerability
CVE-2010-1807 DoS

Code Execution

Flaw with floating point data validation allows remote attacker to cause DoS attack or remote code execution
CVE-2010-2656 DoS Unspecified issue in the com.android.phone process allows remote attacker to cause Dos via crafted SMS message, which is possibly related to CVE-2010-3698 and CVE-2010-2999
CVE-2009-2348 Bypass Android 1,5 CRBxx allows local users to bypass the android.permission.CAMERA and android.permission.RECORD_AUDIO configuration settings by executing an application

that does not request permission before using camera or microphone

Table 1: Android Security Vulnerabilities list till November 2013

Given below is a list of the vulnerabilities and the handset/installed app that they target:

CVE ID TYPE COMMENT
CVE-2013-4777 Privilege Escalation A certain configuration of Android 2.3.7 on the Motorola Defy XT phone for Republic Wireless uses init to create a /dev/socket/init_runit socket that listens for shell commands, which allows local users to gain privileges by interacting with a LocalSocket object.
CVE-2011-2344 Privilege Escalation Android Picasa in Android 3.0 and 2.x through 2.3.4 uses a cleartext HTTP session when transmitting the authToken obtained from ClientLogin, which allows remote attackers to gain privileges and access private pictures and web albums by sniffing the token from connections with picasaweb.google.com.
CVE-2011-1352 Privilege Escalation Memory Corruption The PowerVR SGX driver in Android before 2.3.6 allows attackers to gain root privileges via an application that triggers kernel memory corruption using crafted user data to the pvrsrvkm device.

Table 2: Specific Android Security Vulnerabilities list till November 2013

The list in Table 1 and  Table 2 above are extensive and does not include the vulnerabilities seen after the mentioned time period. Exploiting one of these vulnerabilities may help the attacker in planting the malicious application on the user’s device. Once on the device, they can behave in the way that any malicious app would,  like sending SMS messages without user’s knowledge, stealing personal/user information, Zitmo/Spitmo, etc.,

to second part

References:
1.http://www.cvedetails.com/vulnerability-list.php

Images courtesy of:
news.everest.edu

V.Dhanalakshmi
Senior Threat Researcher, K7TCL

If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

http://blog.k7computing.com/feed/