I've uploaded Sisscan to Sourceforge.
Sisscan scans one SIS file at a time. Identification is based on hash matching so coverage is traded for speed. The included hash files cover only up to Fontal, none of the recent trojans are currently included. It is relatively easy to add a new hash set and names for new malware.
SIScan is in CVS but the detection data files are not.
Info on mobile phone antivirus, anti-malware software and commentary on mobile security.
Thursday, April 21, 2005
52 New Trojans arrive on the scene
Somebody has a lot of time on their hands.
This is the type of situation I had in mind which would require a tool like Sisscan. Apparently the set of 52 trojans consists of a number of previously known trojans(Fontal?) and a few new items.
Running a scan on a suspect SIS file would give you an indication of how much of the file consists of Cabir variants. :) It would also help in avoiding running some of them more troublesome malware. Your standard on-demand AV scanner does the same thing albeit with more flexible identification methods and a bit more overhead. AV firms tend to already have similar lightweight analysis tools in house.
An AV firm whose specialty is Symbian malware has reported having the samples as of Monday, it is now Thursday. This set of trojans has even slowed their pace. If the trend keeps up their might be more demand for 'Mobile Phone Virus Researchers'.
This is the type of situation I had in mind which would require a tool like Sisscan. Apparently the set of 52 trojans consists of a number of previously known trojans(Fontal?) and a few new items.
Running a scan on a suspect SIS file would give you an indication of how much of the file consists of Cabir variants. :) It would also help in avoiding running some of them more troublesome malware. Your standard on-demand AV scanner does the same thing albeit with more flexible identification methods and a bit more overhead. AV firms tend to already have similar lightweight analysis tools in house.
An AV firm whose specialty is Symbian malware has reported having the samples as of Monday, it is now Thursday. This set of trojans has even slowed their pace. If the trend keeps up their might be more demand for 'Mobile Phone Virus Researchers'.
Monday, April 18, 2005
Sisscan, perl virus hash scanner
The scanner is essentially ready, the data is taking longer. I've got most samples except for Hobbes. Detections are compatible with ClamAV simple signatures(MD5). To speed up scans, I've added a stage that checks hashes for pure samples.
So far sisscan is useful for seeing which files to ignore in large collections like Skulls.
Sisscan should be up in the next few days.
Next step after that is graphing SIS files.
So far sisscan is useful for seeing which files to ignore in large collections like Skulls.
Sisscan should be up in the next few days.
Next step after that is graphing SIS files.
Tuesday, April 12, 2005
F-Secure is looking for a Mobile Phone virus researcher
F-secure is looking to add a Mobile Phone researcher to their team.
Symbian programming(Series 60 most relevant) and reverse engineering experience (not symbian specific, think) are necessary.
ARM assembly experience or any embedded(non x86) experience is a plus.
Virus writers are out, but HW hackers should fit right in.
Job info: http://www.f-secure.com/jobs/ click on 'Mobile phone virus researcher '
Symbian programming(Series 60 most relevant) and reverse engineering experience (not symbian specific, think) are necessary.
ARM assembly experience or any embedded(non x86) experience is a plus.
Virus writers are out, but HW hackers should fit right in.
Job info: http://www.f-secure.com/jobs/ click on 'Mobile phone virus researcher '
Monday, April 11, 2005
SISHash utility added to toolkit
I've added the SISHash utility to the Sis Analysis toolkit. It functions like md5sum over all files in a given SIS file.
Collect the signatures for known bad files and you've got yourelf a quick and dirty malware scanner. This is only useful for static malware, such as most trojans and some network worms.
An implementation, SISscan, will be added in a few days.
SISHash
* Accquire MD5 and SHA1 hashes of each file within the SIS file.
* Identify previously seen files.
Usage:
SIShash - Get Hashes from SIS File
Copyright 2005 Jimmy Shah All rights reserved.
Usage: SisHash.pl [-as] filename
Options:
-a Display both Md5 and SHA1 hashes.
-s Display only SHA1 hashes.
Default is MD5 only.
Command Line:
SisHash.pl -a Caribe.sis
Output:
Collect the signatures for known bad files and you've got yourelf a quick and dirty malware scanner. This is only useful for static malware, such as most trojans and some network worms.
An implementation, SISscan, will be added in a few days.
SISHash
* Accquire MD5 and SHA1 hashes of each file within the SIS file.
* Identify previously seen files.
Usage:
SIShash - Get Hashes from SIS File
Copyright 2005 Jimmy Shah All rights reserved.
Usage: SisHash.pl [-as] filename
Options:
-a Display both Md5 and SHA1 hashes.
-s Display only SHA1 hashes.
Default is MD5 only.
Command Line:
SisHash.pl -a Caribe.sis
Output:
988ff12b5f9819ce8a84a14245c2297f *caribe.rsc
75e1e12706649fa45c289c92f2f9775d2437c13f
12a0af974995c3d9428eb751e8da638b *flo.mdl
3cfdcecd905c509f319346db40c193821d77e3d8
05fbae15bb8a0042a7755e898d18c439 *caribe.app
49e753fe862c9a0ceb04f1984933e53017bec524
Friday, April 08, 2005
Mabir and Fontal
The past week has brought some new malware. A short time after the release of commwarrior, we've got a mass mms sending/Bluetooth worm . The bit where it sends its SIS file via MMS exploits the automatic running of install files under Symbian. If sent to any non-Symbian phone the result is simply the cost of the MMS message. I assumed from Vallez's notes on Cabir that he had decided against MMS as a transport mechanism in part because there is no way to tell if the recipient can run the worm. On Win32 , due to market penetration , it is very likely that addresses in the address book belong to other Win32 machines. Symbian phones do not currently have a similar market distribution.
--
Font files that prevent warm rebooting. Troublesome. It used to be common for people with Psion handhelds to backup their data in case of dead or dying batteries. Restoring from a backup after a cold boot was a rare but occasionally necessary part of maintenance. Users doing the same today with Symbian smartphones is more than we can expect. Few users would know how or even if they have all the right equipment(cables, I/R port, mmc reader). Malware that kills its host doesn't travel very far.
--
Font files that prevent warm rebooting. Troublesome. It used to be common for people with Psion handhelds to backup their data in case of dead or dying batteries. Restoring from a backup after a cold boot was a rare but occasionally necessary part of maintenance. Users doing the same today with Symbian smartphones is more than we can expect. Few users would know how or even if they have all the right equipment(cables, I/R port, mmc reader). Malware that kills its host doesn't travel very far.
Monday, April 04, 2005
Blackhat Europe 2005, Symbian security
I recently noticed the presentation of Job de Haas of ITSX. It's not likely that I'll be attending any Black Hat conferences outside of the country so I wouldn't have been able to see it live.
The presentation mentions a Python toolkit for handling ROM images. If it gets released publicly I might not get around to writing a ROM file dumper.
Currently, I believe IDA is the only other software that handles Symbian ROM files. The python toolkit apparently allows one to browse the rom image, file to file.
The presentation also mentions acquiring the ordinals for the functions in the ARM binaries by converting from the emulator binaries while debugging with symbols. Nope, I misread that. It appears to state retrieving the ordinals from the Libs, a reference to the import libraries in the SDK. Makefn does something similar. The output from the nm in the Symbian SDK can also be used with suitable polishing. Using the emulator binaries with debug symbols is good for exploring the OS itself, but not as useful with analyzing ROM format malware. The python toolkit's browising capability provides the necessary ROM context in this case.
Good pointers on the Symbian 7.0 base porting guide. The guide includes the ROM formats with hex offsets. Clearer than the header files.
The presentation mentions a Python toolkit for handling ROM images. If it gets released publicly I might not get around to writing a ROM file dumper.
Currently, I believe IDA is the only other software that handles Symbian ROM files. The python toolkit apparently allows one to browse the rom image, file to file.
The presentation also mentions acquiring the ordinals for the functions in the ARM binaries by converting from the emulator binaries while debugging with symbols. Nope, I misread that. It appears to state retrieving the ordinals from the Libs, a reference to the import libraries in the SDK. Makefn does something similar. The output from the nm in the Symbian SDK can also be used with suitable polishing. Using the emulator binaries with debug symbols is good for exploring the OS itself, but not as useful with analyzing ROM format malware. The python toolkit's browising capability provides the necessary ROM context in this case.
Good pointers on the Symbian 7.0 base porting guide. The guide includes the ROM formats with hex offsets. Clearer than the header files.
Sunday, April 03, 2005
DumpSIS updated, moved to Sourceforge
DumpSIS handles multilanguage SIS files with option blocks.
DumpSIS is now avilable as part of the SIS Analysis Toolkit project on Sourceforge. Current working source code is available through CVS.
DumpSIS is now avilable as part of the SIS Analysis Toolkit project on Sourceforge. Current working source code is available through CVS.
Subscribe to:
Posts (Atom)
Protecting the ‘Metaverse ecosystem’…: Openness is healthy
Meta’s Reality Labs has an opening for “Malware Reverse Engineer” . Not an uncommon role, but this particular one is a bit more specific whe...
-
Keys can be a bother. You forget them inside the apartment, they're stuck in a pocket or bag with your arms full, or you just lose them....
-
The Internet of Things is not as complex as one would think. Smart Objects(e.g. Power meters, Fridge computers, etc.) or "Things" ...