Friday, December 24, 2004

Cabir Source Code?

Per their blog, Kaspersky has received a couple of Cabir variants with a threat from the author.
Something about having the source code and releasing more dangerous versions of Cabir.

As 29a has been getting attention from the authorities lately and with rumors about the arrest of some of its members, I doubt Vallez is the one making such a threat.

According to Kaspersky, the new variants have not yet managed to disable the OS install warning.

I do not currently have samples of these variants.



-----
On a side note, McAfee has added a generic detection for Cabir as of the 22nd of December.

Thursday, December 23, 2004

Python for Series 60 released

The official Symbian Python distribution for the various Series 60 versions has been released.

I haven't installed the SDK yet, though I notice that there is a Bluetooth example in the package. From the readme it appears that aside from some console display and time issues most scripts should work fine.

Aside from Win32.remabl, I'm not yet aware of any Python worms. The cost of entry for Symbian malware authors is now much lower.

Given the size of trojans like Skulls, I would not be surprised if the Python interpreter was installed on a large number of S60 phones by the middle of next year if not sooner. Never underestimate the lure of a free lunch.

Wednesday, December 22, 2004

More Cabir variants

A spate of minor Cabir variants has arisen in the past few weeks. Looks like it's up to G now.

Not really of much interest, except that F-Secure now has a generic detection for Cabir. Considering that most "variants" are simply the Cabir worm with a few internal strings modified, it is interesting that it has taken until now.

The size of detection databases has been a point of discussion on the Win32 side for some time. It is even more relevant with regard to the relatively limited resources of smartphones. As mentioned recently, the types of detections can sometimes be an indication of the limitations of a given scan engine. Six to seven independent detections for highly similar variants is a bit wasteful.

Unlike certain Win32 trojans and worms, the source code for Cabir has not been made available. Lacking source code but having a number of functional descriptions, it is of note that no copycats/clones of Cabir have been released. The existing variants are minor "script kiddie" alterations. Essentially, the threat is minimal and could have been handled by a generic detection around the time of the C and D variants.

Monday, December 06, 2004

Trend releasing new mobile AV

Just got the press release yesterday. Trend Micro is announcing Mobile Security.

Some points of note:

  • The current download is for Windows Mobile 2003 for Smartphone 2003 only. Other Windows Mobile 2003 editions next month.

    Very useful if you have a copy of wince.duts on your phone. Duts.1520 asks permission to infect, so this is not yet that useful.

  • The Symbian version, also due next month, is written to use the UIQ UI instead of Series 60.

    Timely if Cabir should ever be ported to UIQ. Still useful if some new fool decides to pull the Skulls trick with UIQ phones.

Seriously, a port to Series 60 would not be that difficult. The market for Series 60 AV already has 2-3 players (F-Secure, Symantec, Jamanda), but there is still quite a bit of room for additional offerings. Virus writers tend to target the largest markets; AV should not be avoiding the same.

Wednesday, November 24, 2004

Skulls stuff

I have received a sample of the skulls trojan.

Except for your ROM-based applications, nothing else on your phone is affected. The funny thing is that unless you already have antivirus software or a file manager installed on your phone, there is essentially no way to remove Skulls short of rebooting the phone.

The author has apparently left a note promising more malware in the near future.




Friday, November 19, 2004

Interesting week: Cabir and new Trojan

Per F-Secure, a new sis containing Cabir-b is in the wild. The only significant difference is a new installation directory. No files or filenames have been changed. I believe most, if not all, Cabir fixtools already handle this by scanning the entire drive.

There is also a new "skulls" trojan making the rounds. The file is named "7610.extended.theme.manager.sis". I do not have a sample at the current time.

Monday, November 08, 2004

Cabir, in the wild, in India's largest city?

Techtree is reporting that Cabir is in the wild in Mumbai, India's most populous city.

The article mentions a "Nokia Priority Dealer" offering to clean an infected phone for 850 rupees. The exchange rate is approximately 1 US dollar to 45 Indian rupees. About $18-$19 a phone. Adjusting for cost of living ($ * 5) gives an effective rate of US$90-$95. It's never cheap to live in the big city.

Speaking of viruses written by 29a members, The Register is reporting that Benny of the same group has turned over a new leaf and has joined the ranks of the AV community. An interesting situation.

Monday, October 25, 2004

J2ME, interesting stuff

I've just seen Adam's post on the Full-Disclosure list. Apparently Sun has been informed but no Sun Alert is forthcoming. Unlike the recent JRE XSLT issue, the KVM is harder to update. Most phones would require their ROMs to be reflashed, meaning a trip to the nearest cell technician or a return to the factory.

UPDATE:
According to a tecchannel interview, licensees (Nokia, Siemens, others) have been provided with a fixed reference implementation. So it is now up to the licensees to update their various products.

The presentation PDF was quite large so I've converted it to .chm format for ease of reading. From 53MB to a bit more than 8. Most of the work was automated with pdf2html, pngcrush and the HTML Help compiler.

For those looking for the original pdf, it's currently available through Packetstorm and mirrors.

Friday, October 22, 2004

Adam Gowdiak's Research on J2ME Vulnerabilities

I never really looked at the Hack in the Box conferences; this year it was in Kuala Lumpur. The Register has an article mentioning Adam Gowdiak's presentation at the latest conference.
The PDF of his presentation comes in at about 53 MB (91 pages).

There was also a presentation on .NET self-compiling viruses.

I haven't gone through the whole thing yet, but here are some interesting quotes from the J2ME presentation:

on future threats -
  • The fact that there are more users of mobile devices than PC’s makes it very attractive target for attackers and worm writers
  • It should be expected that remote vulnerabilities for mobile devices will be published within next 6 months
  • Vendors and antivirus industry are not prepared for this kind of threats (there are no means to protect users of the so called „closed” mobile devices against malicious code)
  • Open platforms (PalmOS, Symbian OS, Windows CE) seem to be easier to protect, but they are also at the most risk.

on the rest of his research -
  • Research paper with all the details including some additional material that didn’t fit into this 90min talk will be published in a couple of months


J2ME might be the "in" that malware needed and that Bluetooth wasn't. I'm not sure how worried I'd be that "closed" mobile devices are at risk, as they usually lack memory and additional networking capabilities compared to "open" systems. Still, anywhere from 3-6 months to find out. :)

* Hack in the Box is putting out videos of the conference via BitTorrent within the next 4 weeks.



Wednesday, October 06, 2004

On emulation

I've been looking into fx!32. Due to the nature of the Symbian emulator and the cost of actual hardware, this might be the most feasible/lazy way to analyze most malware. Sort of a phone-bochs. Of course, it's a different story for scanning.

The GBA emu scene is also useful.

F-Secure Releases Cabir Fixtool

F-Secure has finally released a fixtool for Cabir. It weighs in at about 11KB. Kaspersky still wins on size. :) The purpose of Thumb encoding is to reduce size with a tradeoff in speed.

Considering this is a fixtool, speed is not that important. The tool does make it clear that it just removes Cabir from your system and that it is not a general AV scanner.

Other fixtools are also available, as mentioned previously.

F-Secure's tool is available in two packages, with instructions or separately.
F-Secure blog

Monday, October 04, 2004

Cabir in Singapore

F-Secure's blog is reporting news of Cabir in Singapore.

On a related note, I've just noticed that Trend Micro has an updated pattern file for their PC-cillin for EPOC scanner. The scanner will only run on EPOC/Symbian devices. I have it installed on my Mako. Due to the EIKON dependency and perhaps STDLIB, the scanner will not run on the Series 60 phones.

The recent "outbreak" of Cabir in the Philippines is notable. Not so much for any infections but mainly for the rise of the Cabir disinfection business. Considering that people were willing to spend the cost-of-living equivalent of US$26+ to get rid of real and suspected infections, the scams were large enough to get press coverage outside of the Philippines. Looks like there is a business case for producing a Series 60 scanner. Especially if it's in your own backyard.


PC-cillin for Epoc sis (EPOC/Symbian ver 5 devices only)
Pattern file 349 (Cabir Detection added, file date July 26,2004)
Porting Psion Revo/5MX Applications to Series 60.pdf :)

Tuesday, September 21, 2004

Trusecure Betrusted Merger

The information security space seems to be consolidating fast these days. Reminiscent of the many US defense industry mergers. Not to mention the various cellular industry mergers.

I'm not very familiar with Betrusted, but they are similar in both products and market to Trusecure, with Trusecure covering North America and Betrusted holding Europe and Asia.

ICSA Labs, a subsidiary of Trusecure, is looking for a Malicious Code Security Analyst. They're very friendly at ICSA Labs. I believe that notwithstanding what it says in the job description they will be willing to offer relocation for the well-qualified candidate. Good opportunity at what is now a larger company.

Friday, September 17, 2004

AV buying Network Security firms

I might have gotten the situation backwards previously. Symantec has just bought @stake. With McAfee buying Foundstone last month, the situation actually becomes AV firms moving into Network Security and Security consulting.

The moves into the AV market by the various network security companies may have been lures to encourage acquisition by the larger AV firms. This is not to say that these firms were not actually looking for virus analysts.

In the case of Foundstone, pre-acquisition, they were looking for one person to bring them up to speed on virus analysis. Given the nature of newer malware threats, one expert is not sufficient for the task. Gaps in knowledge would reduce response time behind that of your competitors. Actively interviewing candidates from a small pool, such as AV people, does bring your firm to the attention of larger firms. An expert working for you is not working for them; even if you are not a large competitor you do reduce their effectiveness. This may have been the case with McAfee.

I don't believe @stake was entering the AV market. They do have experience with investigating cell phones and other embedded devices. MobilePenTester, PDAZap and RedFang come to mind.

Regarding virus analysts Symantec seems to be looking for a virus analyst with phone experience:

"Experience with operating systems for handheld devices such as Palm OS, Pocket PC, Symbian OS and/or Windows Mobile software for Smart phones a distinct advantage."

Perhaps Airscanner might be receiving an offer in the near future.




Thursday, September 09, 2004

On FPs and behavior blocking; another Malware Analysis opening

False positives (FP) are a troublesome problem in the AV industry. Sometimes innocent products share enough behavioral characteristics with malware that we initially classify them as malware.

Mistakes like this affect your credibility and the credibility of your product, so fixing FPs is usually a very high priority. Therefore it was interesting to see that earlier this week one of the top 3 AV vendors was having some trouble with a good-sized FP. It was something to do with ISP connection software. The detections were of course fixed quickly, but the goodwill lost with customers may not easily be repaired.

The rate of FPs is also the reason why behavior blocking (or as it's known in the Homeland Security business, "profiling") has been so late in entering the market. Blocking someone's ISP software because it uses your modem to dial your ISP is forgivable if done by a human. After all, we all have deadlines and other pressures. If you are unable to connect to your ISP once every 2 weeks due to your computer security software, you are unlikely to be as forgiving.

Handling false positives usually requires human intervention. Speaking of which, there is an opening at McAfee:

Research Scientist
"Knowledge of various file formats and operating systems a plus, namely PE and ELF formats and Linux and MacOS operating systems."

ELF? ELF knowledge as a requirement for malware analysis seems to be getting more popular.

I'd think after PE, Mach-O knowledge would be more important given market share. Or even Symbian PE.

Monday, September 06, 2004

Looking into buffer overflows

CAN-2004-0143 initially looked promising when I read the heading at pentest.co.uk. Unfortunately, after reading the full advisory it becomes obvious that the vulnerability type has been mis-stated. It is actually a denial of service instead of a buffer overflow. Other references listed at the CVE list correctly list it as a denial of service.

This is not quite the automatic security-bypassing download vulnerability of which we have been warned. The main use would be in "finishing" the job after getting the malicious code past security in some yet unknown fashion. Essentially an automatic reboot to enable a boot-loading component to gain control. Similar to Sasser recently, or much earlier to one or two older multipartite viruses. Regardless, an unwieldy attack.

Perhaps some of the StrongARM shellcode techniques may be more appropriate.

Thursday, September 02, 2004

Makefn tool added to DmpE32

As Symbian exe files import by ordinal it is very helpful for an exe dumper like DmpE32 to map the import ordinals to the original function names.

Previously I'd been generating the import function name files (.fn) for each version of the SDK. Unfortunately, the zip of the latest .fn files was in the range of 300-400 KB. Offering these for download would require more bandwidth than I pay for (>0). Additionally, in the case of the Series 60 specific files the mappings were inaccurate.

I had been using nm to dump the function names and post processing the output. Unfortunately nm sorts by object module and not ordinal. In some cases the numeric portion of the object module name matches the ordinal. A lucky coincidence but definitely not reliable.

Matt Pietrek's article on COFF libraries and source code proved very helpful. GNU's dlltool source provided insight on the various idata components.

I've added a tool for generating imported-function-to-ordinal mappings to the DmpE32 package.


COFF Lib references:

Pietrek, Matt. "Under The Hood." Microsoft Systems Journal, Apr. 1998. <http://www.microsoft.com/msj/0498/hood0498.aspx>.

dlltool.c, GNU Binutils package.




Friday, August 27, 2004

Cabir Rumors sourced to Philippines

The Register is reporting that the rumors of Cabir in the wild stem from underhanded cell phone shop owners. Some shops are advertising Cabir removal services for prices in the 500 to 1000 peso range.

To put this in perspective, you can get a 1 liter Coca-Cola for 18 pesos (~US$0.32) in the Philippines. The same size Coke costs US$1.19-$1.30 in the U.S.A. Roughly 1/4-1/3 the cost. The scammers are charging the cost-of-living equivalent of US$26-$90 for a non-service. I've previously posted links to a number of more genuine Cabir fixtools. As the Boy Scouts' motto says: Be Prepared.

The source article in the Philippine Daily Inquirer suggests that Cabir is being used by techies to play pranks on their friends. The lack of a damaging threat on any of the mobile platforms is helping to create a false sense of security.


Monday, August 23, 2004

Cabir in the wild?

According to their blog, F-Secure has received some reports of Cabir possibly being in the wild. No confirmations yet.

F-secure blog entry

Tuesday, August 17, 2004

Malware Analysis Jobs

On Monster...

Security Response Engineer- Virus Analyst
Anti-Virus Software Engineer/Developer (Reverse Engineering of Malicious Code )

Symantec is looking to add to their AV team. I believe both postings are referring to the same opening.

From the second listing, "Are you willing to relocate to Santa Monica, CA?". Santa Monica has great weather. For more on the location check out Peter Ferrie's Life in the USA series.

Spyware AntiVirus Researcher

Intermute, makers of AdSubtract and SpySubtract, are looking for an SQA manager with AV experience.

The positions with network security firms appear to still be open.

DumpRSC getting along

DumpRSC recognizes version 1 (ER5 RSC format) and version 2 (for S60+, the Unicode version of the version 1 RSC). Currently it only dumps resources as strings; structs are not recognized. A hex dump of the resources would be nice.

Wednesday, August 11, 2004

Confirmed - Mosquito Trojan -> Copy protection

F-Secure has confirmed with the manufacturer that the Mosquito trojan is really a form of copy protection.

Users had suspected on various forums that this might have been a ploy by the manufacturer to preempt and discredit the pirate software distribution channels.

Bit of an issue where it takes over users' resources and causes economic loss without going through the courts. Isn't this the kind of activity for which we jail virus writers?

F-Secure write-up

Tuesday, August 10, 2004

More on Mosquito Trojan

Some messages on the handy forum at www.download-und-hilfe.com from late December suggest that perhaps the trojaned Mosquitos is not quite trojaned. I may be misreading, but it appears that the "trojaned" program automatically orders a 1 month license for Mosquitos from mobile ringtone and software distributor Jamba.de.

A similar set of messages (NB: obscenity-laden) from the NokiaFree forum also mentions that the program sends subscription orders to Jamba ("Europe's leading sales platform for mobile content").

I get the impression that this may just be self-help against people who haven't paid for the game.

New Symbian SMS trojan in warez game

The Register has an article on the first trojan for Symbian phones. Apparently a pirated copy of the game Mosquitos 2.0 has an SMS sending trojan attached. It appears to be distributed via various p2p networks and pirated software sharing forums.

I have now acquired a sample.

The trojan appears to have been released earlier this year, perhaps in February. The team at Airscanner have written a preliminary analysis of the trojan for InformIT. No sharing :(

Airscanner's analysis makes a good point that the game does not require any SMS capability. It is odd that the necessary libraries are imported by the binary. Possibility of warez deterrent?
Interesting SMS numbers, no?

Symbian has posted a press release covering the Mosquito trojan.




Thursday, August 05, 2004

PocketPC Backdoor - Brador.a

First PocketPC backdoor trojan Brador.a; perhaps this is the beginning of the Pocket PC malware spike. I doubt this trojan has anything to do with the information released at the recent DEFCON. Per Kaspersky's press release Brador is another simple trojan lacking any of the detection evasion techniques of its Win32 cousins. Apparently the backdoor's author is also attempting to make some cash by selling the client to interested parties.

I was expecting, after reading Airscanner's presentation, that any new trojans and backdoors for the PocketPC would be more creative. The first wave of even more troubling viruses and trojans may be upon us soon.

Kaspersky's write-up on Brador.a
Symantec's write-up

Wednesday, August 04, 2004

DEFCON stuff

I don't go to Vegas anymore, but I've been looking over the presentations from the recent DEFCON. Airscanner's presentation ("Laid out foundation...") on Windows Mobile security looks nice. I'm not sure how large the audience was for the presentation but I'm sure there will be another spike in CE malware in the next few weeks. I'm also pretty sure EOR is the mnemonic for exclusive OR on the ARM.


Airscanner's presentations are available on their publications page.

Thursday, July 29, 2004

Microsoft Antivirus plans

Ziff-Davis France has an exclusive on MS's AV plans. Further details from Computerworld, New Zealand.

  • signature scanner

  • behavior blocking

  • distributed AV network - clients sharing info over secure channel

Maybe it's just me but that last one makes me nervous, though it does have great promise. No mention of a Linux scanner.

Considering Microsoft already has an ARM emulator for their Pocket PC platform I would think they have a good lead in the Windows CE AV market. Neither does Virtual PC hurt them in the PC market.

Friday, July 23, 2004

Pocket PC Emulator

It looks like the Pocket PC 2003 SDK already included the ARM emulator.

Update: I misread the download page for Pocket PC 2003. Only VS 2005 contains the rewritten emulator. Still waiting for VS 2005.

Thursday, July 22, 2004

On WinCE and Symbian Emulators

Development on Symbian involves one set of source files and two different compilers (x86 & ARM). The situation on WinCE was very similar, with write once and compile with 3-4 different backends (MIPS, SH3, ARM, x86). Advantage Symbian.

Recently WinCE has reduced the number of chips supported down to 2 (x86 & ARM). Perhaps a tie? No, Microsoft has apparently improved their PocketPC emulator. The emulator was previously x86 based, requiring a separate emulator build (x86) and release build (ARM, MIPS, ...). The new version, available with the Visual Studio 2005 beta, is now an ARM emulator capable of running release build software. Build for the hardware and then test on your dev platform. Advantage Windows CE.

A complete emulator allows you to run suspicious code, possibly with debugging and trace support. Why couldn't we have this two months ago? :) Of course, it is, as they say, 'dual-use'.

The nice thing is that the emulator plays nice in PC emulators like MS Virtual PC. That Connectix purchase may already be paying dividends to the developer market.

WinCE and Symbian Reverse Engineering Site

ka0s.net started out with an emphasis on Windows CE but has recently increased their coverage of Symbian. Though the tutorials break little new ground for either professional analysts or skilled amateurs, the site does have a good tool section with IDA signature files for CE and a number of small Symbian utilities.

A nice little utility is ERL, Epoc Resource Lister (UPX-packed, VB command line). Pop it in the same directory as the app and rsc files. Pass it the filename of the app and receive a text file with a listing of all resources with possible types. Very handy; unfortunately it seems to take issue with newer apps, possibly due to Unicode.


Tuesday, July 20, 2004

Version incompatibilities

I've just installed the version 2.1 S60 SDK. I haven't gone over the documentation yet but I've heard StartApp is not supported by the upgrade. :)

Three versions of RSC files, well, only two active. Maybe still worthwhile.

Saturday, July 17, 2004

First Windows CE file infector proof of concept released

First Symbian worm last month and first Windows CE virus this month. Summer's heating up. :)

It's interesting that as the number of different processors Windows CE is capable of running on has shrunk (3 to 1), the first file infector arrives. The single platform certainly reduces costs for developers.

I don't think there is as large a market in pirated Windows CE software as for other PDA platforms like Symbian and Palm. Larger traffic in pirated software ('warez') provides ready cover for the distribution of viruses and other malware. Until recently, with the N-Gage, there has not been a very active Symbian warez market. With newer devices running on a standard platform, we may yet see Windows CE catch up with the other operating systems.

Analyses of WinCE.Duts
F-Secure's - nice pictures :)
Symantec's - good naming, with the OS indicated; without OS implies DOS

Wednesday, July 14, 2004

Some confirmation from Symbian ver. 7 docs

Finally looked at the UIQ/ver 7 SDK documents. I corrupted the install initially, trying to get out of installing an earlier Java runtime, and then tried deleting the installed files and install information. Took me a few days, during which I unzipped some of the install packages to get at the Rcomp binary. End result is that the installed2.xml file had to have the bad install entries removed.

Regarding the various RSC formats and offset 0x2, from the SDK....

v5.1-v6.1 legacy Unicode resource format
This two-byte integer (in little-endian byte order) stores 1 + the size of the resource index in bytes. The addition of 1 was to distinguish this resource file format from an older, now obsolete, resource-file format.

The only change was to distinguish between the Unicode and non-Unicode files. "older, now obsolete" :) Designing a resource file that uses the same 4 UID header as most of their other system files would have been better, allowing a simpler interface. Good thing that's what Symbian did with the version 7 RSC format.

v7.0 dictionary-compressed resource format
The format is supported by the resource reading APIs, but Development Kits do not currently contain a resource compiler that produces this format.

This version is designed to compress all Unicode strings without the occasional expansion trouble of Unicode standard compression.

v7.0 compressed Unicode resource format
Note that resources in either of these two formats may contain uncompressed Unicode: this is because compressing Unicode using the Standard Compression Scheme for Unicode can, in certain conditions, yield larger output than input, hence such Unicode text-strings will not be compressed as it would not be beneficial.

Comments in the source for Rcomp refer to a "dictionary-compressing program" other than Rcomp itself. This reduces the varieties of RSC files in the wild to two, the Series 60 uncompressed Unicode file and the UIQ 4 UID header file.


Tuesday, July 13, 2004

Network Security firms moving into the AV space

Pure AV firms are beginning to see some competition in the market...

ICSA Labs, Virus Lab located in Mechanicsburg, PA U.S.A.
Malicious Code Security Analyst

Internet Security Systems, based in Atlanta, GA U.S.A.
Researcher, Ref 010612 - Job search Engine

Websense, based in San Diego, CA U.S.A.
Malicious / Reverse Code Research Engineer

Foundstone, based in Mission Viejo, CA U.S.A.
Senior Virus Analyst

And with perhaps no better understanding of how our industry works, under the heading Careers-Marketing :) --

Zone Labs, based in San Francisco, CA U.S.A.
Security Researcher

Rcomp versions

Just noticed this in the list of packages on SymbianOS.org.
"NOTE! The generated output is AFAIK only compatible with Symbian OS 7.x
which contains a 16-byte UID header (invoked with the external
program uidcrc) and compressed Unicode characters.
For Nokia 9210 and Nokia Series 60 platform SDKs you will need
rcomp v6.00 which is as of today only available as win32 binaries."


Explains the part in the source where a standard 4 UID header is written to the RSC file. The Rcomp versions appear to match the OS version.

The source is only one version removed, so it shouldn't be that hard to find the differences in the binary. :)

Sunday, July 11, 2004

Updated Import Function Labels for DmpE32

I've updated the function labels used by DmpE32. If you've already installed DmpE32, just unpack the archive (importfn.tgz) and overwrite the files in the importfn directory. For a new install, create a subdirectory named importfn in the same directory as DmpE32.pl and unpack as above.

All functions are imported solely by ordinal in Symbian executables; the import function labels provide information that is readily available on the Win32 platform but lacking by design on Symbian. The labels don't really provide the greatest benefit to the DmpE32 script. Its larger brother DumpE32 also disassembles executables. The labels are used to comment the disassembly in a manner similar to IDA. I may integrate Eberhard Mattes' ARM disassembler from EpocEMX since it handles Thumb instructions.

Thursday, July 08, 2004

It occurred to me that since there is very little overhead in the RSC file format, there is no reserved space for future expansion. Symbian changed the UID for version 2 SIS files so that they would not be recognized as installation files by older versions of the OS. I suspected that if rcomp always adds 1 to the index size it may be a cruder version of the UID change.

Older versions of the resource loading functions would fail on attempts to load the new modified RSC files. I modified a few RSC files and attempted to run the associated programs under the emulator. Even values at offset 0x2 bring up an error message regarding corrupt resources. So, apparently new versions of the resource loading functions fail when attempting to load older RSC files.

I haven't yet verified this from the rcomp source.

Wednesday, July 07, 2004

Rcomp differences

The format for RSC binary files as mentioned in the Series 60 SDK calls for offset 0x2 of the file to be the size of the file index in bytes. Each entry in the index is two bytes long. It follows that offset 0x2 can never be odd. I added this into dumprsc as something suspicious. Emxrsc also tags this as suspicious, so I assumed this was correct. Then I looked at a few actual RSC files. Offset 0x2 is always equal to 1 byte more than the size of the file index.

Perhaps this was due to a mistake in the implementation of the latest version of Rcomp. I put together a few simple RSC files to see what the current version places in offset 0x2. 1 byte more, every time. I hunted down my Symbian ver. 5 SDK disk to get the previous rcomp. It produces RSC files with the proper size at offset 0x2.

More spelunking in the Rcomp source is necessary. Meanwhile, an even value at offset 0x2 means Symbian OS 5 and an odd value means OS 6+.
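As an added example (not code from this blog, nor from dumprsc or emxrsc), here is a small Python checker that applies the offset 0x2 rule from this post together with the v5.1-v6.1 note quoted from the SDK in the July 14 post: an even raw value is the index size itself (rcomp v5 / Symbian OS 5), an odd raw value is 1 + the index size (rcomp v6 / OS 6+), and each index entry is two bytes. The sample headers are constructed in memory and are not real resource files; the contents of offset 0x0 and the position of the index inside the file are not described on the page, so the only extra check is an assumption of mine that the claimed index must at least fit inside the file, which is the bound a dumper needs before trusting the field. The v7 format with its 16-byte UID header is not handled.

```python
"""Check the two-byte field at offset 0x2 of a Symbian RSC file.

Rule from the blog post and the SDK note it quotes:
  - even value  -> index size in bytes (rcomp v5, Symbian OS 5)
  - odd value   -> 1 + index size     (rcomp v6, Symbian OS 6+)
  - every index entry is two bytes, so index_size must itself be even.
"""
import struct

# Constructed sample headers (not real resource files).  Only the
# little-endian uint16 at offset 0x2 matters here; offset 0x0 is left as
# zero bytes because the page says nothing about its contents.
SAMPLE_OS5 = b"\x00\x00" + struct.pack("<H", 6) + b"\x00" * 20       # index = 6 bytes (3 entries)
SAMPLE_OS6 = b"\x00\x00" + struct.pack("<H", 7) + b"\x00" * 20       # 1 + 6: the rcomp v6 rule
SAMPLE_BAD = b"\x00\x00" + struct.pack("<H", 0xFFFF) + b"\x00" * 4   # claims far more index than file


def index_field(data):
    """Return the raw uint16 stored at offset 0x2, little-endian."""
    if len(data) < 4:
        raise ValueError("file too short to contain the offset 0x2 field")
    return struct.unpack_from("<H", data, 2)[0]


def naive_is_suspicious(data):
    """The pre-rule check the post describes dumprsc/emxrsc making:
    flag any odd value, because a two-byte-per-entry index cannot be odd."""
    return index_field(data) % 2 == 1


def classify_rsc(data):
    """Apply the parity rule and sanity-check the resulting index size."""
    raw = index_field(data)
    if raw & 1:
        generation = "Symbian OS 6+ (rcomp v6, legacy Unicode)"
        index_size = raw - 1          # strip the +1 marker byte
    else:
        generation = "Symbian OS 5 (rcomp v5)"
        index_size = raw
    entries = index_size // 2         # two bytes per index entry
    # Assumption (not from the page): the index lives inside the file, so it
    # can never be larger than the file minus the 4 header bytes read above.
    # A dumper that trusts the field blindly would read past end-of-file.
    suspicious = index_size > len(data) - 4
    return {
        "generation": generation,
        "raw": raw,
        "index_size": index_size,
        "entries": entries,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for name, blob in (("os5", SAMPLE_OS5), ("os6", SAMPLE_OS6), ("bad", SAMPLE_BAD)):
        print(name, classify_rsc(blob), "naive odd-flag:", naive_is_suspicious(blob))
```

Running the block shows why the naive parity check misfires: every rcomp v6 file trips it, while the actually malformed sample only shows up once the derived index size is compared against the file length.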

Friday, July 02, 2004

From the mention of xpetran in the emximage sources I assume it was started after the XSDK.

Emxrsc does not build on my W2K system. A number of error messages. If it doesn't compile using MSYS, I no longer bother. Regardless, the source is a lot cleaner than that of Symbian's Rcomp.

I should look into Python, as it's the new official scripting language for Symbian. I wonder how long it will be before the first BitTorrent clients appear.

Just noticed the press release regarding Cabir on Symbian's site. Good info, with some interesting bits. "Should Cabir actually infect your phone, you should report it to your service provider and your handset manufacturer." - not sure what that has to do with cleaning your phone. Your service provider will possibly wipe the memory down at their service center and Nokia as manufacturer only warrants the hardware. It does follow immediately with instructions on cleaning your phone manually, negating any need to notify the provider.

Another nice quote from the press release:
"Q - How is Symbian OS protected from malware?

A - Symbian OS provides a number of elements that make it secure. This includes protection from malware through signature checks and virus scanners."

Symbian provides digital signature checks but they have a hands-off policy with regard to security software.

Thursday, July 01, 2004

RSC fun

Looking at the fun that some have had porting the Symbian resource compiler (rcomp) to Linux.

The conclusion seems to be that a rewrite is in order to get something sensible working. One should note at this time that Eberhard Mattes rewrote most of the Symbian toolchain in order to port EMX to Symbian. The entire EpocEMX SDK is licensed under the GNU GPL and is available at SymbianOS.org. The SDK existed prior to Symbian's release of their build tools. I'm not sure if it is contemporary with the XSDK.

Emxrsc, from EpocEMX, includes an RSC dumper. It should build under any system with the GNU tools.


Monday, June 28, 2004

A couple of Cabir fixtools have been released ...

A couple of Cabir fixtools have been released in the past few days.

- A free download from security vendor Jamanda.com

- TSG Pacific is offering their fix for $15, including a year of updates. Available through Handango.com

- Kaspersky has released a fixtool for Cabir today. About 7k, which seems to be about the minimum necessary to delete the Cabir files and directories.

Points for the WAP download. Points for being free, except for data charges on your mobile.

Points for the decabir-1.0.sis shell script. ;)

Looks like the mobile security space is going to get a bit more crowded.

I know at least one AV vendor that had a scanner for Symbian version 5. Modifying their scanner GUI for Series 60 and UIQ would have been the obvious move.

Auto "Kill Switch", solving the wrong problem?

Consumer Watchdog, a consumer advocacy group, put out a report on the dangers of Internet connected cars. They received coverage on the nigh...