Wednesday, 16 April 2014

Android Malware Static Analysis



Android OS is more popular than ever before, and so is Android malware. To analyse Android malware, or any malware, we start with static analysis techniques before moving on to dynamic analysis. In this post we will discuss the important Android malware static analysis techniques and tools, listing each tool as we explain what it does and how to work with it. All Android applications are packaged as an APK. An APK is nothing but a ZIP file: to see its contents use your standard unarchiver on Windows or unzip on Linux. An Android application (APK) contains several files inside its archive; two of the important files which aid in application analysis are AndroidManifest.xml and classes.dex.

The AndroidManifest file is an encoded binary XML file which contains vital information required for running the application, for example the package name, permissions and activities. As it is encoded as binary XML, you can convert it to readable text using apktool, which is provided as part of the Android SDK. The command "apktool d apkfile" will create a directory with the decoded AndroidManifest file, the resource files and the smali code for the dex file (discussed later). If you now open the AndroidManifest in any text editor, you should be able to read its contents.

The next, and very important, part of the APK is classes.dex. classes.dex holds all of the application's code in compressed form: it is the class file in dex format understood by the Dalvik VM. Most applications are written in Java, i.e. the .java file is compiled to a .class file with the Java compiler and the .class file is then converted to a .dex file. Since the dex (Dalvik Executable) was originally written in Java, we can convert it back to Java code by decompiling it. To convert a dex file into Java you need two tools: dex2jar and the jd-gui decompiler. The first step is to run dex2jar on the dex file, which produces classes.dex.jar (or a jar file named after whatever your dex file was called). Now open this jar file in jd-gui and, voilà, you can see the Java code.
There are techniques that add anti-analysis code to prevent dex files from being decompiled. For example, some applications protected by the DexGuard and APKProtect packers fail to decompile with dex2jar. In those cases use smali/baksmali to disassemble the dex file to Dalvik bytecode; you can also use "dexdump -d" to see a disassembled view of the dex file. dexdump is provided as part of the Android SDK (under build-tools).
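To make the "an APK is just a ZIP" point concrete, here is an added Python example (not from the original post) that builds a constructed toy APK in memory and triages it the way the first step of static analysis does: listing the archive entries, checking that AndroidManifest.xml starts with the binary-XML chunk header, and checking that classes.dex carries the dex magic and a file_size field consistent with its actual length. The dex header offsets and the AXML header value follow the published formats; the archive contents are constructed, not a real app.

```python
import io
import struct
import zipfile

# Constructed sample and inspector (added example, not from the original post).
DEX_MAGIC_PREFIX = b"dex\n"   # full magic is b"dex\n" + 3-digit version + NUL, e.g. b"dex\n035\x00"
AXML_MAGIC = 0x00080003       # RES_XML_TYPE chunk header that opens a compiled AndroidManifest.xml


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP holding a minimal dex header and an AXML chunk header."""
    dex = bytearray(0x70)                           # the dex header is 0x70 bytes long
    dex[0:8] = b"dex\n035\x00"                      # magic + version
    struct.pack_into("<I", dex, 0x20, len(dex))     # file_size
    struct.pack_into("<I", dex, 0x24, 0x70)         # header_size
    struct.pack_into("<I", dex, 0x28, 0x12345678)   # endian_tag (ENDIAN_CONSTANT)
    manifest = struct.pack("<II", AXML_MAGIC, 8)    # chunk type/header size + chunk size, no body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", bytes(dex))
        z.writestr("res/layout/main.xml", b"")
    return buf.getvalue()


def inspect_apk(apk_bytes: bytes) -> dict:
    """Triage an APK as a plain ZIP: list entries and sanity-check the manifest and dex headers."""
    info = {"entries": [], "manifest_is_binary_xml": False,
            "dex_version": None, "dex_size_matches_header": None}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        info["entries"] = sorted(names)
        if "AndroidManifest.xml" in names:
            head = z.read("AndroidManifest.xml")[:4]
            info["manifest_is_binary_xml"] = (len(head) == 4 and
                                              struct.unpack("<I", head)[0] == AXML_MAGIC)
        if "classes.dex" in names:
            dex = z.read("classes.dex")
            if dex[:4] == DEX_MAGIC_PREFIX and len(dex) >= 0x70:
                info["dex_version"] = dex[4:7].decode("ascii")
                # a file_size that disagrees with the real length hints at truncation or tampering
                info["dex_size_matches_header"] = struct.unpack_from("<I", dex, 0x20)[0] == len(dex)
    return info


if __name__ == "__main__":
    print(inspect_apk(build_sample_apk()))
```

Run inspect_apk on a real APK's bytes to get the same triage summary before reaching for apktool or dex2jar.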

That's it for today. I'll write more posts about Android analysis when I find time.

Sunday, 4 September 2011

Telegraph Hacked

The well-known UK news website Telegraph.co.uk was hacked, possibly by Turkish web hackers known as "TurkGuvenligi". They defaced the main webpage to display a script-kiddie message and also left their Twitter account details. It looks like this was done by an unknown kiddish group to gain fame by hacking a famous website.

Update:
It appears that the DNS records of the website were hijacked, and many other popular websites such as The Register and UPS were also redirected to the defaced page. The problem is solved now and all the sites are restored to their normal service.

Wednesday, 27 October 2010

Critical Firefox Vulnerability

There is a critical zero-day vulnerability in Firefox 3.5 and 3.6. Samples exploiting it have been found in the wild; the official Nobel Peace Prize website was compromised to host the malware. When a user visits the affected website, the malicious file is downloaded without their knowledge.

All Firefox users are urged to disable JavaScript and use the NoScript add-on.

Tuesday, 21 September 2010

Twitter XSS Vulnerability

Twitter earlier today had an XSS vulnerability in the way it processes URLs in tweets. As described here, when you tweet a URL, Twitter identifies it and displays it as a link. Twitter did not check the URL properly, quotes in particular, which allowed custom JavaScript to run.
For example, the URL http://www.blah.com/"onmouseover=alert('You are hacked') would display an alert box when you move the mouse over the link. The alert box can be replaced with any custom JavaScript to redirect users to malicious websites. According to the latest update, Twitter has fixed this flaw. This is just an example of how a small sanity-check error by a developer can lead to a security disaster.
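The sanity-check error described above, shown as an added Python example (not Twitter's code and not from the original post): a link renderer that pastes the URL straight into the href attribute, beside a hardened version that escapes quotes and only links http(s) URLs, plus a rough check for whether an event-handler attribute escaped the quoted value. The payload string is constructed from the post's example.

```python
import html
from urllib.parse import urlsplit

# Constructed payload of the kind described in the post: the quote closes the href value and the
# rest of the "URL" lands inside the tag as a new onmouseover attribute.
PAYLOAD = 'http://www.blah.com/"onmouseover=alert(\'You are hacked\')'


def render_link_vulnerable(url: str) -> str:
    """Pastes the URL into the attribute with no escaping of the quote character."""
    return '<a href="' + url + '">' + url + '</a>'


def render_link_fixed(url: str) -> str:
    """Escapes quotes and angle brackets and only links http(s) URLs; anything else is shown as text."""
    safe = html.escape(url, quote=True)
    if urlsplit(url).scheme not in ("http", "https"):
        return safe
    return '<a href="' + safe + '">' + safe + '</a>'


def injected_attribute(markup: str) -> bool:
    """Rough check: True if 'onmouseover=' sits in the opening tag outside any quoted attribute value."""
    tag = markup[: markup.index(">")]
    idx = tag.find("onmouseover=")
    # an even number of double quotes before the handler means we are between attributes, not inside one
    return idx != -1 and tag[:idx].count('"') % 2 == 0


if __name__ == "__main__":
    print(render_link_vulnerable(PAYLOAD), injected_attribute(render_link_vulnerable(PAYLOAD)))
    print(render_link_fixed(PAYLOAD), injected_attribute(render_link_fixed(PAYLOAD)))
```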

Thursday, 15 July 2010

Windows Zero Day on Shortcut Files

A new Windows vulnerability was found by VirusBlokAda researchers.
The vulnerability exists in Windows shortcut files; it is basically a new way of auto-running a file even after the Windows autorun feature has been disabled.

This was actually exploited by malware detected as Trojan Spy. There is an interesting analysis by Kaspersky here.

The analysis says that the malware drops shortcut files (.lnk files) and DLLs (named as .tmp files) on the infected USB drive, alongside other malware (detected as Stuxnet/Rootkit). If you insert the infected USB drive into a clean machine and open the drive in Explorer (or similar), the malware gets executed. The init function in the DLL together with the shortcut file makes the malware run automatically without clicking on the file.

As of now Microsoft is working on this issue; all users should be careful not to open suspicious files or USB drives on their machines.

Saturday, 12 June 2010

Microsoft Help Centre Exploit

Microsoft Help Centre could be exploited through a zero-day vulnerability according to this disclosure.
Help Centre is Microsoft's application for accessing online help. Using this application it is possible to access the URLs of help documents. An implementation error in URL/escape-sequence handling leads to remote code execution.

Microsoft advisory can be found here.

Monday, 10 May 2010

Infostealer.Banker.G ripped Part 2

Welcome back to part two of the malware analysis.

When installed, this malware drops a DLL in the system folder (C:\windows\system32\msls52.dll). The DLL is packed with the same packer, and its entry point looks similar to the dropper's.
A very interesting thing about this malware is that it infects the Windows Uxtheme.dll (in the system folder) and renames the clean copy as Uxtheme(random chars).tmp. The infected Uxtheme.dll locks the file msls52.dll; when you try to delete it you get an "access denied" message. Use the free Kaspersky removal tool to get rid of the DLL on reboot.
Since you have now deleted msls52.dll, the infected Uxtheme.dll tries to load it at startup, gives the message "Unable to load msls52.dll" and makes your machine virtually unusable.
To make it work again, restart your machine in Windows Safe Mode with Command Prompt (press F8 on startup for the Safe Mode menu). Once in Safe Mode, delete or rename Uxtheme.dll and rename the Uxtheme(random chars).tmp file to Uxtheme.dll. This should make your machine usable after reboot :-). By the way, the infected Uxtheme.dll is detected as W32/Patched by some vendors.

Continuing the analysis from the previous part, if you follow the calls and jumps there are a couple of interesting instructions.

00409FA2 B9 BE 80 FF 1F    mov     ecx, 1FFF80BEh
00409FA7 EB 41             jmp     short loc_409FEA
....

00409FF6 C1 E1 02          shl     ecx, 2          ; ECX is now 7FFE02F8
00409FF9 EB 67             jmp     short loc_40A062

0040A062 0F B6 09          movzx   ecx, byte ptr [ecx]

Hmmm... ECX is now 7FFE02F8 and the code loads the byte at that address back into the ECX register.
So what is 7FFE02F8 anyway? 7FFE0000 is KUSER_SHARED_DATA, a region of memory mapped into every process, also called SharedUserData. 7FFE0000 + 2F8 refers to TestRetInstruction. In this malware I think it is mainly used for anti-debugging or anti-emulation purposes.
If you continue analysing the sample in OllyDbg, Olly gets stuck at one point and is unable to debug any further. You need to change the control flow at this point and analyse further.
I didn't have much time to unpack this malware; as the packer uses the VirtualProtect API, I'm sure you will be able to find the unpacking routine around that area.
Hope this analysis helps you fight the bad forces.