SISscan now up on Sourceforge

I've uploaded Sisscan to Sourceforge.

Sisscan scans one SIS file at a time. Identification is based on hash matching so coverage is traded for speed. The included hash files cover only up to Fontal, none of the recent trojans are currently included. It is relatively easy to add a new hash set and names for new malware.

SIScan is in CVS but the detection data files are not.

52 New Trojans arrive on the scene

Somebody has a lot of time on their hands.

This is the type of situation I had in mind which would require a tool like Sisscan. Apparently the set of 52 trojans consists of a number of previously known trojans(Fontal?) and a few new items.

Running a scan on a suspect SIS file would give you an indication of how much of the file consists of Cabir variants. :) It would also help in avoiding running some of them more troublesome malware. Your standard on-demand AV scanner does the same thing albeit with more flexible identification methods and a bit more overhead. AV firms tend to already have similar lightweight analysis tools in house.

An AV firm whose specialty is Symbian malware has reported having the samples as of Monday, it is now Thursday. This set of trojans has even slowed their pace. If the trend keeps up their might be more demand for 'Mobile Phone Virus Researchers'.

Sisscan, perl virus hash scanner

The scanner is essentially ready, the data is taking longer. I've got most samples except for Hobbes. Detections are compatible with ClamAV simple signatures(MD5). To speed up scans, I've added a stage that checks hashes for pure samples.

So far sisscan is useful for seeing which files to ignore in large collections like Skulls.

Sisscan should be up in the next few days.

Next step after that is graphing SIS files.

F-Secure is looking for a Mobile Phone virus researcher

F-secure is looking to add a Mobile Phone researcher to their team.

Symbian programming(Series 60 most relevant) and reverse engineering experience (not symbian specific, think) are necessary.

ARM assembly experience or any embedded(non x86) experience is a plus.

Virus writers are out, but HW hackers should fit right in.

Job info: http://www.f-secure.com/jobs/ click on 'Mobile phone virus researcher '

SISHash utility added to toolkit

I've added the SISHash utility to the Sis Analysis toolkit. It functions like md5sum over all files in a given SIS file.


Collect the signatures for known bad files and you've got yourelf a quick and dirty malware scanner. This is only useful for static malware, such as most trojans and some network worms.
An implementation, SISscan, will be added in a few days.

SISHash

* Accquire MD5 and SHA1 hashes of each file within the SIS file.

* Identify previously seen files.




Usage:

SIShash - Get Hashes from SIS File
Copyright 2005 Jimmy Shah All rights reserved.

Usage: SisHash.pl [-as] filename

Options:
-a Display both Md5 and SHA1 hashes.
-s Display only SHA1 hashes.

Default is MD5 only.

Command Line:

SisHash.pl -a Caribe.sis
Output:

988ff12b5f9819ce8a84a14245c2297f *caribe.rsc
75e1e12706649fa45c289c92f2f9775d2437c13f
12a0af974995c3d9428eb751e8da638b *flo.mdl
3cfdcecd905c509f319346db40c193821d77e3d8
05fbae15bb8a0042a7755e898d18c439 *caribe.app
49e753fe862c9a0ceb04f1984933e53017bec524


Mabir and Fontal

The past week has brought some new malware. A short time after the release of commwarrior, we've got a mass mms sending/Bluetooth worm . The bit where it sends its SIS file via MMS exploits the automatic running of install files under Symbian. If sent to any non-Symbian phone the result is simply the cost of the MMS message. I assumed from Vallez's notes on Cabir that he had decided against MMS as a transport mechanism in part because there is no way to tell if the recipient can run the worm. On Win32 , due to market penetration , it is very likely that addresses in the address book belong to other Win32 machines. Symbian phones do not currently have a similar market distribution.

--

Font files that prevent warm rebooting. Troublesome. It used to be common for people with Psion handhelds to backup their data in case of dead or dying batteries. Restoring from a backup after a cold boot was a rare but occasionally necessary part of maintenance. Users doing the same today with Symbian smartphones is more than we can expect. Few users would know how or even if they have all the right equipment(cables, I/R port, mmc reader). Malware that kills its host doesn't travel very far.

Blackhat Europe 2005, Symbian security

I recently noticed the presentation of Job de Haas of ITSX. It's not likely that I'll be attending any Black Hat conferences outside of the country so I wouldn't have been able to see it live.

The presentation mentions a Python toolkit for handling ROM images. If it gets released publicly I might not get around to writing a ROM file dumper.

Currently, I believe IDA is the only other software that handles Symbian ROM files. The python toolkit apparently allows one to browse the rom image, file to file.

The presentation also mentions acquiring the ordinals for the functions in the ARM binaries by converting from the emulator binaries while debugging with symbols. Nope, I misread that. It appears to state retrieving the ordinals from the Libs, a reference to the import libraries in the SDK. Makefn does something similar. The output from the nm in the Symbian SDK can also be used with suitable polishing. Using the emulator binaries with debug symbols is good for exploring the OS itself, but not as useful with analyzing ROM format malware. The python toolkit's browising capability provides the necessary ROM context in this case.

Good pointers on the Symbian 7.0 base porting guide. The guide includes the ROM formats with hex offsets. Clearer than the header files.

DumpSIS updated, moved to Sourceforge

DumpSIS handles multilanguage SIS files with option blocks.

DumpSIS is now avilable as part of the SIS Analysis Toolkit project on Sourceforge. Current working source code is available through CVS.