Find out the “Bad guys” on the Symbian
Jie Zhang, Fortinet Inc

Agenda
1. Symbian OS
2. Mobile Malware
3. Discover Virus
4. Identify Suspicious
5. Track Record
6. Conclusion
7. Thank You
What's Symbian? Symbian OS is a proprietary operating system, designed for mobile devices, with associated libraries, user interface frameworks and reference implementations of common tools, produced by Symbian Ltd.
Symbian OS History
1. EPOC16: 1991-1998
2. EPOC OS 1-3: 1997
3. EPOC 4: 1998
4. EPOC 5: 1999
5. ER5U Symbian OS 5.1: 2000
6. Symbian 6.0 and 6.1: 2001
7. Symbian 7.0 and 7.0s: 2003
8. Symbian 8.x (EKA1, EKA2): 2004
9. Symbian 9.0: 2004
10. Symbian 9.1: 2005
11. Symbian 9.2 and 9.3: 2006
12. Symbian 9.5: 2007
S60 and UIQ • The S60 Platform • UIQ by UIQ Technology
Mobile Malware
About Mobile Malware • Concept: Mobile malware is an electronic virus that targets mobile phones and PDAs. In fact, it is often one of a few similar pieces of code or programs. • About: Today, there are more than 400 families of mobile malware, and we expect to see more and more of them in the near future. Some families have many more variants, such as Cabir, CommWarrior, Fontal, Skull, Cardtrap, and so on. Most of them are very similar.
Mobile Malware Category • Worm: Cabir, Mabir, CommWarrior, CardTrap • Trojan / Backdoor / RAT: Flexispy, X-wodi, PbStealer • Doom: Fontal, Drever, Skull • Misc: Infected virus, Exploit worm, WAP attacker or worm
Threat from Mobile Malware • Critical - Mobile phones are becoming more and more important, for individuals and businesses alike. If a phone stops working, the loss may be immeasurable. • Cost - Almost all cell communication costs money: calls, SMS/MMS, GPRS and so on. To spread itself widely, malware will send itself through one or more of these channels. That means each spread of the malware brings the phone owner a terrible cost. • Sensitive - People now pay more attention to their personal privacy. They often store many things on the phone, and some of it may be private data. Once a virus obtains that data, the consequences can be serious.
Discover Virus
Discover "Bad guys" • Abnormal behaviors • High cost • Suspicious process and file
Identify Suspicious
Choose your weapon • Fix API name and dance with IDA • Extract SIS archive • Break into compressed application
Fix API name and dance with IDA - 1 As we know, the hardware platform of a mobile phone is less powerful than a PC, and its memory is limited. To reduce program file size, programs on the Symbian platform do not store API names in the Import Address Table; functions are imported by export order (ordinal) only. As a result, we cannot obtain the names of the invoked APIs from the program being analyzed. Therefore, we must improve the API examination system so that IDA can correctly identify the API names used in the program.
Fix API name and dance with IDA - 2 To acquire the API names, we must first install the Symbian SDK. As this paper mainly covers S60 2nd Edition on Symbian 7.0s, we need to download the S60 2nd SDK from the Nokia official website. Enter %S60_SDK%\Epoc32\release\armi\urel\ and list the current directory in command mode. After entering the command line, we will get the result.
Fix API name and dance with IDA - 4 For example: get the API name for the "WAPP_1" function in IDA. What does WAPP_1 mean?
    WAPP_1 = WAPP + 1
    WAPP => Library Name
    1    => Export Order
Fix API name and dance with IDA - 5
    objdump --syms wapp.lib
Fix API name and dance with IDA - 6 Let's compile our received data:
Fix API name and dance with IDA - 7 Alternative method: ar2idt Library IDT zipids IDS efd
Extract SIS archive • You can get the Unsis tool from the Symbian official home page to extract a .SIS file on the PC. • You can also use UnMakeSIS to do the same thing, but it is shareware and you have to purchase it. • To get more information, I wrote a tool, sisdump, to help us.
Break into compressed application - 1 • Sometimes we find that a few applications cannot be analyzed correctly by IDA.
Break into compressed application - 2 • If you attempt to dump the application information with the “petran” utility, you may get a message similar to the following: How to decompress it?
Break into compressed application - 3 • The correct answer is:
Reverse mobile malware - 1 • Besides basic ARM and Symbian OS knowledge, we must know how functions pass parameters: • Generally speaking, the system uses R0-R3 to pass parameters; • If there are more than 4 parameters, the remaining parameters are passed on the stack; • A class method (not static) uses R0 to pass the class this pointer; • The return value is passed in the R0 register.
Reverse mobile malware - 2 • Dump IAT to know your enemy: Before analyzing the target sample, we should scan the IAT in the sample. This tells us whether the sample operates on files, Bluetooth, infrared, the network, SMS/MMS, and so on. I do not intend to describe this information further. For the E32Image format, you can read the related documents in the references. The petran tool makes it much easier to get the IAT information. I also created a utility called epocdep that does the same thing.
Reverse mobile malware - CommWarrior • We will start by analyzing the sample in the SIS file. • Get the SIS file information: we can get the file-related information with sisdump.
Reverse mobile malware - CommWarrior • There are some important things we should know:
1. The SIS archive includes two files: "commwarrior.exe" and "commrec.mdl";
2. These two files will be installed to:
    !:\system\apps\CommWarrior\commwarrior.exe
    !:\system\apps\CommWarrior\commrec.mdl
   Note: "!" means the installation drive selected by the user;
3. During installation, commwarrior.exe will be loaded and run.
Reverse mobile malware - CommWarrior • Reverse MDL
1. What's MDL? MDL is a MIME recognizer Dynamic Library.
2. MDL purpose: An MDL is plug-in code that can examine data in a file, or sample data supplied in a buffer, and return, if recognized, its data type. A data type is also commonly known as a MIME type.
3. Why most malware includes this file: Malware always intends to load itself at system boot time. That's the reason.
4. MDL load flow: the Symbian OS MDL loader invokes, in order:
    <1> E32Dll(TDllReason)   // Exported as entry point
    <2> CreateRecognizer()   // Exported by MDL, order = 1
Reverse mobile malware - CommWarrior • Although the commwarrior.exe file runs first, I still intend to analyze the MDL file first, because the file is very easy to understand and it is launched when the OS boots. • We know that the MDL has two exported functions:
    E32Dll(TDllReason)
    CreateRecognizer()
So we will choose them to start our journey.
Reverse mobile malware - CommWarrior • E32Dll: Original assembly code: C++ code:
Reverse mobile malware - CommWarrior • CreateRecognizer (order 1): new function, for CBase and its inherited class; class constructor call; virus core invoke
Reverse mobile malware - CommWarrior • After converting, we will get the C++ source code: There is no difference to the analyst, right?
Reverse mobile malware - CommWarrior • We will talk about class CMyRecognizer later, because there is no harmful code in the class. • Let's look at the do_exe_virus_body() function first:
    .text:10000068  STMFD   SP!, {R4,R5,LR}
    .text:1000006C  SUB     SP, SP, #0x18
    .text:10000070  MOV     R0, #4
    .text:10000074  BL      __builtin_new
    .text:10000078  SUBS    R5, R0, #0
    .text:1000007C  LDRNE   R3, =0xFFFF8001
    .text:10000080  STRNE   R3, [R5]
    .text:10000084  ADD     R0, SP, #0x10
    .text:10000088  LDR     R1, =aCommrec
    .text:1000008C  BL      TPtrC16::TPtrC16(ushort const *)
    .text:10000090  MOV     R3, #0x100
    .text:10000094  STR     R3, [SP,#arg_0]
    .text:10000098  STR     R3, [SP,#arg_4]
    .text:1000009C  MOV     R4, #0
    .text:100000A0  STR     R4, [SP,#arg_8]
    .text:100000A4  MOV     R3, #1
    .text:100000A8  STR     R3, [SP,#arg_C]
    .text:100000AC  MOV     R0, R5
    .text:100000B0  ADD     R1, SP, #0x10
    .text:100000B4  LDR     R2, =loc_100000FC
    .text:100000B8  MOV     R3, #0x2000
    .text:100000BC  BL      RThread::Create(TDesC16 const &,int (*)(void *),int,int,int,void *,TOwnerType)
    .text:100000C0  BL      User::LeaveIfError(int)
    .text:100000C4  MOV     R0, R5
    .text:100000C8  MOV     R1, R4
    .text:100000CC  BL      RThread::SetPriority(TThreadPriority)
    .text:100000D0  MOV     R0, R5
    .text:100000D4  BL      RThread::Resume(void)
    .text:100000D8  MOV     R0, R5
    .text:100000DC  BL      RHandleBase::Close(void)
    .text:100000E0  B       loc_100000F0
    .text:100000F0
    .text:100000F0 loc_100000F0
    .text:100000F0  ADD     SP, SP, #0x18
    .text:100000F4  LDMFD   SP!, {R4,R5,LR}
    .text:100000F8  BX      LR

    void do_exe_virus_body()
    {
        RThread* bootThread = new RThread();
        TPtrC ptr(KTxtVirusName);
        // Create the worker thread (R0-R3 carry this, name, entry point and
        // stack size; the remaining arguments go on the stack) and start it
        User::LeaveIfError(
            bootThread->Create(
                ptr, ThreadProc, 0x2000, 0x100, 0x100, NULL, EOwnerThread)
        );
        bootThread->SetPriority(EPriorityNormal);
        bootThread->Resume();
        bootThread->Close();
    }

    TInt ThreadProc(TAny * /* arg */)
    {
        TRequestStatus r;   // 4
        TTime tm;           // 8
        RTimer timer;       // 10
        TInt ret;

        // Wait five seconds before doing anything
        timer.CreateLocal();
        tm.HomeTime();
        tm += (TTimeIntervalSeconds)5;
        timer.At(r, tm);
        User::WaitForRequest(r);

        CActiveScheduler * scheduler = new CActiveScheduler;
        CTrapCleanup * cleanup;
        if (!scheduler) {
            ret = 0xFFFFFFFC;   // KErrNoMemory (-4)
            goto quit_proc;
        }
        CActiveScheduler::Install(scheduler);
        cleanup = CTrapCleanup::New();
        if (!cleanup) {
            ret = 0xFFFFFFFC;   // KErrNoMemory (-4)
            goto quit_proc;
        }
        TRAP(ret, exe_virus_bodyL());
        delete cleanup;
    quit_proc:
        return ret;
    }

    void exe_virus_bodyL()
    {
        RFs aFs;
        User::LeaveIfError(aFs.Connect());
        CleanupClosePushL(aFs);

        // Locate the executable installed from the SIS archive
        TFindFile aFindFile(aFs);
        User::LeaveIfError(
            aFindFile.FindByDir(
                KTxtVirusApp, KTxtNull)
        );

        // Launch it through the application architecture server
        CApaCommandLine * aCmdLine = CApaCommandLine::NewLC();
        aCmdLine->SetLibraryNameL(aFindFile.File());
        aCmdLine->SetCommandL(EApaCommandOpen);
        RApaLsSession aSession;
        User::LeaveIfError(aSession.Connect());
        CleanupClosePushL(aSession);
        User::LeaveIfError(aSession.StartApp(*aCmdLine));
        CleanupStack::PopAndDestroy(3);   // aSession, aCmdLine, aFs
    }
Reverse mobile malware - CommWarrior • Although the class CMyRecognizer is of no use here, we still need to analyze it, because there is a much more important concept we should know: the vtable and vptr. • We will discuss them in more detail based on the code. • But first of all, let's look at some definitions.

    class CBase
    {
    public:
        IMPORT_C virtual ~CBase();
        inline TAny* operator new(TUint aSize, TAny *aBase);
        IMPORT_C TAny* operator new(TUint aSize);
        inline TAny* operator new(TUint aSize, TLeave);
        IMPORT_C TAny* operator new(TUint aSize, TUint anExtraSize);
    protected:
        IMPORT_C CBase();
    private:
        CBase(const CBase&);
        CBase& operator=(const CBase&);
        IMPORT_C static TAny* newL(TUint aSize);
    };

We found that every class inherited from CBase contains at least one vptr, and its first virtual function must be the destructor.

    class CApaDataRecognizerType : public CBase
    {
        // Notice: I have removed static and non-virtual methods to simplify
    public:
        IMPORT_C ~CApaDataRecognizerType();
        IMPORT_C virtual TUint PreferredBufSize();
        IMPORT_C virtual TDataType SupportedDataTypeL(TInt aIndex) const = 0;
    private:
        IMPORT_C virtual void DoRecognizeL(const TDesC& aName, const TDesC8& aBuffer);
        IMPORT_C virtual void Reserved_1();
    protected:
        const TUid iTypeUid;
        const TInt iPriority;
        TInt iCountDataTypes;
        TInt iConfidence;
        TDataType iDataType;
    private:
        TInt iLock;
        TInt iSpare;
    };

CApaDataRecognizerType variant:

    id  name             offset
    1   vptr             00
    2   iTypeUid         04
    3   iPriority        08
    4   iCountDataTypes  0C
    5   iConfidence      10
    …

The vptr points to the vtable. On Symbian, the vtable structure is as follows:

    struct vtable
    {
        DCD offset;
        DCD unknow;    // unknown, but almost always 0
        DCD vfunc[];   // virtual function array
    };

The vtable.offset field is used by the compiler to calculate the object pointer from the vptr. The formula is:

    object pointer = vptr + vtable.offset
CMyRecognizer class constructor:

    .text:10000004  STMFD   SP!, {R4,LR}
    .text:10000008  MOV     R4, R0
    .text:1000000C  LDR     R3, =dword_10000564
    .text:10000010  LDR     R1, [R3]
    .text:10000014  MOV     R2, #0
    .text:10000018  BL      CApaDataRecognizerType::CApaDataRecognizerType(TUid,int)
    .text:1000001C  LDR     R3, =dword_100005AC
    .text:10000020  STR     R3, [R4]
    .text:10000024  MOV     R3, #1
    .text:10000028  STR     R3, [R4,#0xC]
    .text:1000002C  MOV     R0, R4
    .text:10000030  B       loc_1000003C
    .text:1000003C
    .text:1000003C loc_1000003C                  ; CODE XREF: start+30j
    .text:1000003C  LDMFD   SP!, {R4,LR}
    .text:10000040  BX      LR

    .text:100005AC dword_100005AC DCD 0, 0       ; DATA XREF: start:off_10000038o
    .text:100005B4  DCD loc_10000538             ; CMyRecognizer::~CMyRecognizer
    .text:100005B8  DCD loc_10000044             ; CMyRecognizer::PreferredBufSize
    .text:100005BC  DCD loc_1000004C             ; CMyRecognizer::SupportedDataTypeL
    .text:100005C0  DCD locret_10000064          ; CMyRecognizer::DoRecognizeL
    .text:100005C4  DCD CApaDataRecognizerType::Reserved_1(void)

• At last we got the C++ source code for the constructor:

    const TUid MyUid = {0x10001941};
    CMyRecognizer::CMyRecognizer() : CApaDataRecognizerType(MyUid, 0)
    {
        iCountDataTypes = 1;
    }

• And we also know the entry point of each virtual function:

    .text:100005AC dword_100005AC DCD 0, 0       ; DATA XREF: start:off_10000038o
    .text:100005B4  DCD loc_10000538             ; CMyRecognizer::~CMyRecognizer
    .text:100005B8  DCD loc_10000044             ; CMyRecognizer::PreferredBufSize
    .text:100005BC  DCD loc_1000004C             ; CMyRecognizer::SupportedDataTypeL
    .text:100005C0  DCD locret_10000064          ; CMyRecognizer::DoRecognizeL
    .text:100005C4  DCD CApaDataRecognizerType::Reserved_1(void)
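The vtable layout and the slot listing above can be decoded mechanically. This is an added example, not code from the original slides: the sample bytes are constructed from the dwords shown at .text:100005AC, and the Reserved_1 address and the code range are assumed placeholders. It goes one step beyond the slides by mapping the displacement used in an indirect call back to a method name.

```python
import struct

# Constructed sample: the dwords the slides list at .text:100005AC, packed
# little-endian. The slides give no address for the imported Reserved_1
# thunk, so RESERVED_1_PLACEHOLDER is a made-up value.
VTABLE_VA = 0x100005AC
RESERVED_1_PLACEHOLDER = 0x10000600
SAMPLE = struct.pack("<7I", 0, 0, 0x10000538, 0x10000044, 0x1000004C,
                     0x10000064, RESERVED_1_PLACEHOLDER)
# Declaration order from the class definitions: the CBase destructor first.
SLOT_NAMES = ["~CMyRecognizer", "PreferredBufSize", "SupportedDataTypeL",
              "DoRecognizeL", "Reserved_1"]
CODE_RANGE = (0x10000000, 0x10001000)  # assumed bounds of the sample's code
HEADER_SIZE = 8                        # vtable.offset + vtable.unknow


def parse_vtable(blob, va, slot_names, code_range=CODE_RANGE):
    """Decode struct vtable { offset; unknow; vfunc[] } into labelled slots."""
    if len(blob) < HEADER_SIZE + 4 * len(slot_names):
        raise ValueError("blob too short for the header and all slots")
    offset, unknown = struct.unpack_from("<iI", blob, 0)
    slots = []
    for i, name in enumerate(slot_names):
        pos = HEADER_SIZE + 4 * i
        (target,) = struct.unpack_from("<I", blob, pos)
        # An unaligned or out-of-range slot means the start address is wrong.
        if target % 4 or not code_range[0] <= target < code_range[1]:
            raise ValueError("slot %d (%s) is not a code pointer" % (i, name))
        slots.append({"entry_va": va + pos, "name": name, "target": target})
    return {"offset": offset, "unknown": unknown, "slots": slots}


def resolve_virtual_call(vtable, displacement):
    """Map the displacement in 'LDR Rx, [vtable, #disp]' to a method slot."""
    index, rem = divmod(displacement - HEADER_SIZE, 4)
    if rem or not 0 <= index < len(vtable["slots"]):
        raise ValueError("displacement 0x%X is not a vfunc slot" % displacement)
    return vtable["slots"][index]


if __name__ == "__main__":
    vt = parse_vtable(SAMPLE, VTABLE_VA, SLOT_NAMES)
    for s in vt["slots"]:
        print("0x%08X  CMyRecognizer::%-18s -> 0x%08X"
              % (s["entry_va"], s["name"], s["target"]))
    print(resolve_virtual_call(vt, 0x10)["name"])
```
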
Reverse mobile malware - CommWarrior • Okay! We have analyzed the whole MDL file in the CommWarrior sample. • How does the exe file work? I think you can easily analyze it in the same way. But you should note that the exe file has a CRT stub. • For more information, please refer to my paper. • Let's go on, guys!
Track Record
Track "bad guys" record - 1 • For static analysis, we can scan the IAT of the target sample to find out which functions the malware uses, and then do a full analysis with our favorite reversing tool. The advantage of this is that it identifies infections with high accuracy, but it requires an analyst with good experience and knowledge. Of course, it also means more work and time. • To speed things up, we borrow the "sandbox" idea from the PC platform. That helps the analyst track a suspicious sample's actions automatically, and lets us get more details about the target.
Track "bad guys" record - 2 • Based on the analysis of a large number of Symbian malware samples, we found that the following actions deserve our focus: • File operation • SMS/MMS/Bluetooth/Infrared • Process Changing • Telephone • Network Communication • Sensitive data • More
Conclusion • Powerful functionality is a double-edged sword. It gives you a tremendous benefit, but it may also harm you. The war always exists; perhaps only the war keeps progress going. • Symbian has also recognized this point. They are strengthening their system security and making a big effort. Symbian v9.x brings us a new dawn: this version introduces a signing mechanism, and all unsigned applications will be limited to a security ring. • But that does not mean the war is over. In fact, it's the beginning of a new war. On this smokeless battlefield, no one wins forever. We will keep up and be ready for the next war.
Thank you! And any questions?