Anti-Malware Laboratory

Yet Another Malware Blog

About

An informal blog from your friendly neighborhood software security humans.


Wednesday, April 4, 2012

Android Malware March 2012 Roundup

Posted on Wednesday, April 04, 2012 by Red Horse | No comments
Originally posted by elmo.

Date          Name
Mar 14, 2012  Faketoken
Mar 15, 2012  Boxer
Mar 20, 2012  Antammi
Mar 22, 2012  TGLoader
Mar 29, 2012  DKFBootKit

Fake Google Play

Posted on Wednesday, April 04, 2012 by Red Horse | No comments
Originally posted by elmo.

This fake Google Play site serves a malicious file called google_play.apk and tricks Russian users into thinking that they are on the legitimate site.

Google Authenticator updated

Posted on Wednesday, April 04, 2012 by Red Horse | No comments
Originally posted by elmo.

Google recently updated Google Authenticator to version 2.15.

What's in this version:
1. New entry for Google Play, same great app
2. Updated look and feel
3. "Scan barcode" and "Manually add account" options moved to Menu > Add account.

Even when your phone is not connected to any network, Google Authenticator can still generate a valid verification code.

The verification code generated is then used in Google's 2-step verification process when signing in from a new device or phone.

Please visit this site for more info.
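The reason the code can be produced offline is that Google Authenticator implements TOTP (RFC 6238, built on RFC 4226 HOTP): the phone and Google share a secret, and the six-digit code is an HMAC over the current 30-second time step, so no network round trip is needed. The following is an added example, not Google's or the app's code, that implements that scheme in Python's standard library; the Base32 key handling mirrors how the app presents secrets, and the server-side `verify_code` helper with its drift window is an assumption about how a verifier would typically be written:

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time.
    Nothing here touches the network, which is why the phone can work offline."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits)


def decode_authenticator_secret(key):
    """Google Authenticator shows and accepts the shared secret as Base32 (spaces allowed)."""
    key = key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)  # restore the padding the app leaves out
    return base64.b32decode(key)


def verify_code(secret, submitted, timestamp=None, step=30, window=1):
    """Server-side check (assumed design): accept the code for the current step and
    `window` steps either side to tolerate clock drift, comparing in constant time."""
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"), shown as the app would display it
    secret = decode_authenticator_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("code at T=59:", totp(secret, 59))          # RFC vector: 287082
    print("current code:", totp(secret))
```

The `window` parameter is the usual trade-off: one step either side absorbs small clock drift, while a larger window widens the set of codes an attacker could guess, so keep it small and rate-limit attempts.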


VX Heavens goes offline

Posted on Wednesday, April 04, 2012 by Red Horse | No comments
Originally posted by elmo.


Thursday, March 22, 2012

NSA Mobility Program

Posted on Thursday, March 22, 2012 by Red Horse | No comments
Originally posted by elmo.

The NSA (National Security Agency) recently established the NSA Mobility Program to focus on delivering secure mobile capability, using commercial technologies, to the United States Government (USG) and Department of Defense (DOD).

They have also identified 5 major categories of the mobile ecosystem in a document called Mobility Capability Package:
1. Secure Voice
2. OS/Apps & Mobile Device
3. Mobile Transport (Carrier)
4. Mobile Enterprise Infrastructure
5. Interoperability

You may visit this site for more info.

Monday, March 19, 2012

The 2012 Cyber Defence University Challenge

Posted on Monday, March 19, 2012 by Red Horse | No comments
Originally posted by elmo.

To raise awareness of cyber security, the Australian government, in partnership with Australian universities and Telstra, challenges university undergraduates to join the Challenge.

The Challenge is a 24-hour security competition that will start on April 3 and end on April 4, 2012.

The winner will have the opportunity to travel to Las Vegas, USA in July 2012 to join in Black Hat's 2012 Conference.

For more info, you may visit this site.

Sunday, March 18, 2012

Double Winrar self-executable archive packed Fakeav

Posted on Sunday, March 18, 2012 by Red Horse | No comments
Originally posted by marc.

Malware authors have been using packers/compression programs to confuse AV detection engines. Here's one mildly annoying technique that I stumbled upon last week.

Step 1. Pack file with Asprotect packer

Step 2. Create a password protected Winrar sfx archive using the file in step 1.

Step 3. Create another Winrar sfx archive using the file created in step 2, but this time, include the password in the execution script.


Most AV engines have trouble unpacking password-protected files where the password sits in another compression layer of the same file. A quick VirusTotal scan shows that this is indeed the case.

Password protected RAR SFX archive
Avast Win32:FakeAV-CYX [Trj]
DrWeb Trojan.Fakealert.29018
GData Win32:FakeAV-CYX
Kaspersky Trojan-Dropper.RAR.Agent.a
McAfee Generic Dropper.ady
Microsoft Rogue:Win32/FakePAV
VIPRE Win32.Malware!Drop

Unpacked file
AntiVir TR/Fraud.Gen
Avast Win32:FakeAV-CYL [Trj]
AVG Suspicion: unknown virus
ClamAV PUA.Packed.ASPack
GData Win32:FakeAV-CYL
Kaspersky HEUR:Trojan.Win32.Generic
McAfee FakeAlert-FCG!F72024F90A24
Microsoft Rogue:Win32/FakePAV
NOD32 a variant of Win32/Adware.WintionalityChecker.AA
Panda Suspicious file
Sophos Mal/FakeAV-MJ
VIPRE WindowsShieldTool

Notice how some AV engines didn't even bother detecting the password-protected archive, and how the same AV engine detects the same malware under two different names. This usually means that the AV vendor couldn't automatically unpack the file and had to write two different detections, one for the password-protected file and one for the unpacked file.

An advantage of this technique is that when hosting the file on hacked servers, or when going through email gateways, there is a greater chance that the file remains undetected, since the file is never executed, and the underlying asprotected file is never revealed.
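A gateway scanner cannot open the password-protected inner layer, but it can still recognise the shape described above: a PE file carrying a RAR archive whose entries are themselves PE+RAR with encrypted content. The following is an added example (not the author's or any AV vendor's code) that walks the RAR 4.x block headers of an SFX, recurses into stored (uncompressed) entries so the second layer is reached without a decompressor, and flags any layer whose entries or headers are encrypted. The RAR 4.x header layout and flag values come from the published RAR technote; the sample archives are constructed in the block, with zeroed CRCs and an "encrypted" entry that only carries the flag, so they are test data, not real malware:

```python
import struct

# RAR 4.x on-disk constants (from the published RAR 4.x technote)
RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"
HEAD_MAIN, HEAD_FILE, HEAD_ENDARC = 0x73, 0x74, 0x7B
LONG_BLOCK = 0x8000     # block carries a 4-byte ADD_SIZE after HEAD_SIZE
MHD_PASSWORD = 0x0080   # main header: the headers themselves are encrypted
LHD_PASSWORD = 0x0004   # file header: the entry's data is encrypted
LHD_LARGE = 0x0100      # file header: 64-bit sizes present
METHOD_STORE = 0x30     # entry stored without compression


def parse_rar4_blocks(data, sig_offset):
    """Walk the RAR 4.x block headers that follow the signature at sig_offset."""
    pos = sig_offset + len(RAR4_SIGNATURE)
    blocks = []
    while pos + 7 <= len(data):
        _crc, head_type, head_flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7:
            break  # malformed header: stop instead of looping forever
        block = {"type": head_type, "flags": head_flags}
        data_size = 0
        if head_type == HEAD_FILE:
            fixed = 40 if head_flags & LHD_LARGE else 32
            if pos + fixed > len(data):
                break
            pack_size, = struct.unpack_from("<I", data, pos + 7)
            if head_flags & LHD_LARGE:
                pack_size += struct.unpack_from("<I", data, pos + 32)[0] << 32
            name_size, = struct.unpack_from("<H", data, pos + 26)
            name = data[pos + fixed:pos + fixed + name_size]
            block.update(
                name=name.decode("latin-1", "replace"),
                encrypted=bool(head_flags & LHD_PASSWORD),
                method=data[pos + 25],
                data_offset=pos + head_size,
                data_size=pack_size,
            )
            data_size = pack_size
        elif head_flags & LONG_BLOCK and pos + 11 <= len(data):
            data_size, = struct.unpack_from("<I", data, pos + 7)
        if head_type == HEAD_MAIN:
            block["encrypted_headers"] = bool(head_flags & MHD_PASSWORD)
        blocks.append(block)
        if head_type == HEAD_ENDARC:
            break
        pos += head_size + data_size
    return blocks


def assess_sfx(data, depth=0, max_depth=3):
    """Report every RAR layer reachable without a password: one dict per layer."""
    findings = []
    sig_offset = data.find(RAR4_SIGNATURE)
    if sig_offset == -1:
        return findings
    layer = {"depth": depth, "is_pe": data[:2] == b"MZ", "encrypted_headers": False,
             "entries": [], "encrypted_entries": []}
    nested = []
    for block in parse_rar4_blocks(data, sig_offset):
        if block["type"] == HEAD_MAIN:
            layer["encrypted_headers"] = block["encrypted_headers"]
        elif block["type"] == HEAD_FILE:
            layer["entries"].append(block["name"])
            if block["encrypted"]:
                layer["encrypted_entries"].append(block["name"])
            elif block["method"] == METHOD_STORE and depth < max_depth:
                # Stored entries need no decompressor, so the inner layer can be read as-is
                start = block["data_offset"]
                nested.append(data[start:start + block["data_size"]])
    # A PE that carries encrypted archive content is the pattern the post describes
    layer["suspicious"] = layer["is_pe"] and (layer["encrypted_headers"] or bool(layer["encrypted_entries"]))
    findings.append(layer)
    for inner in nested:
        findings.extend(assess_sfx(inner, depth + 1, max_depth))
    return findings


def build_rar4_sfx(entry_name, entry_data, encrypt_entry):
    """Constructed sample: fake PE stub + minimal RAR4 archive with one stored entry.
    CRCs are zero and 'encrypted' entries only carry the flag; this is test data."""
    stub = b"MZ" + b"\x00" * 62 + b"[constructed SFX stub]"
    main_head = struct.pack("<HBHHHI", 0, HEAD_MAIN, 0, 13, 0, 0)
    flags = LHD_PASSWORD if encrypt_entry else 0
    head_size = 32 + len(entry_name)
    file_head = struct.pack("<HBHHIIBIIBBHI", 0, HEAD_FILE, flags, head_size,
                            len(entry_data), len(entry_data), 2, 0, 0, 29,
                            METHOD_STORE, len(entry_name), 0x20) + entry_name
    end_head = struct.pack("<HBHH", 0, HEAD_ENDARC, 0, 7)
    return stub + RAR4_SIGNATURE + main_head + file_head + entry_data + end_head


def build_double_sfx_sample():
    """Outer SFX stores the inner SFX in the clear; the inner holds a password-protected entry."""
    packed_payload = b"\xde\xad\xbe\xef" * 8  # stand-in for the packed body
    inner = build_rar4_sfx(b"packed_payload.exe", packed_payload, encrypt_entry=True)
    return build_rar4_sfx(b"inner_sfx.exe", inner, encrypt_entry=False)


if __name__ == "__main__":
    for layer in assess_sfx(build_double_sfx_sample()):
        print(layer)
```

On the constructed double SFX the outer layer reports one plain entry and is not suspicious on its own, while the recursion reaches the inner layer and flags its encrypted entry; that is exactly the case the single-layer engines above missed. Real SFX archives compress their entries, so a production scanner would replace the stored-only shortcut with a proper extraction step and keep the same recursive policy.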

On a related note, here's a screenshot of a variant of the same malware, except this time with excerpts from Romeo and Juliet included in its winrar script. This is done to change the file hash and give AV detection automation a hard time. The process is most likely automated too, so they could be generating thousands of files containing the same malware with a different file hash with each click of a button.

Tuesday, March 13, 2012

Fake Skype Vouchers website leads to Java Exploits

Posted on Tuesday, March 13, 2012 by Red Horse | No comments
Originally posted by kazmot.

I stumbled upon a fake website that targets Skype users through vouchers or gift certificates. Below is the definition of Skype vouchers from their website:


Skype vouchers are electronic Skype Credit vouchers sold in various retail outlets. You don’t have to pay for the vouchers online and they make a great gift for family and friends so that you can keep in touch through Skype.

Vouchers are sometimes included with Skype accessories, or as part of a promotion.


Let's have a look at what is inside the said fake page:

[Figure 1: Source of the fake website]

Figure 1 shows the misleading title. You can also see a hidden iframe connecting to a different website.

Following the hidden iframe, we will now get an obfuscated script.

[Figure 2: Obfuscated script]

Some variables are highlighted in Figure 2. These variables will eventually become a window.eval() function when the script is executed. Now, let us modify the script in order for our script emulator to capture the result of the eval() function:

[Figure 3: Modification part 1]

Figure 3 shows that we need to remove some "if" statements to make sure that our script will execute. You will also notice that one if-statement checks for the current year; the script will not run properly if that check is not satisfied. In addition, proper deobfuscation of the script also depends on the value of the integer in the year check. We will come back to this in a while. For now, let's just deobfuscate this script.

[Figure 4: Modification part 2]

Figure 4 shows which variable will become the eval() function. After the modifications, execute the script and then dump the eval result. Figure 5 below will show you the result.

[Figure 5: Deobfuscated script code]

Now you will see another set of hidden iframes that connect to another site. That site loads 2 malicious Java files:

[Figure 6: Load Java applets]

Sample 1: Java Exploit
MD5 hash: d3f933524c85c96a76f7ffd516d335c0
Virus Total scan result available here

Sample 2: Java Exploit
MD5 hash: 58db6e6e25d9b8e4742f2ef9b43c3818
Virus Total scan result available here

These Java files exploit the following vulnerability:

    CVE-2011-3544 - Oracle Java Applet Rhino Script Engine Remote Code Execution

Going back to the date check and value change, Figure 7 shows that we changed the integer value from "012" to "011".

[Figure 7: Integer value modification]

Now, let's dump the result to a file.

[Figure 8: Result of the wrong value]

You can see in Figure 8 that the result is now just a bunch of non-readable strings.

Source:
malwaredomainlist


References:
Skype
Virustotal
cve.mitre.org
Sourceforge

Thursday, March 8, 2012

AV-TEST Report on Android Anti-Malware Solutions

Posted on Thursday, March 08, 2012 by Red Horse | No comments
Originally posted by elmo.

AV-TEST, an independent IT security company, recently published a test report on the different anti-malware products available for Android.

It is worth noting that they tested 41 anti-malware products!

Too many for such a short period, and some of the solutions have 0% detection.

So choose wisely and pick an anti-malware product from the top half.

Wednesday, March 7, 2012

Justin Bieber Facebook Spam

Posted on Wednesday, March 07, 2012 by Red Horse | No comments
Originally posted by elmo.

Title: LOL!!! There was a hidden c@mera in Justin's bedroom


Tuesday, March 6, 2012

Fake Intuit Quickbooks Page Leads to Black Hole Exploit

Posted on Tuesday, March 06, 2012 by Red Horse | No comments
Originally posted by kazmot.

The Blackhole Exploit kit is still a very popular attack on the web. Malware uses this exploit kit to propagate and infect unsuspecting users. Here is a detailed analysis of a fake Intuit page that leads to the exploit kit, and of the obfuscation technique used by the attack. In this specific targeted attack, we were able to download a Cridex worm, 2 PDF files, and an obfuscated Javascript.

Let's see first what the fake page looks like:

[Figure 1: Fake Intuit Page]

In the above screenshot, we can immediately notice that it is really fake. You may view the legitimate site of Intuit Quickbooks here. The title on the web browser shows "Intuit" but you will see on the status bar that a hidden connection goes to a different remote site.

Now, let's see what is in this HTML file...

[Figure 2: Content of the Fake Page]

I used Malzilla to connect to the site and get its content. You can see that, other than the usual title and header shown earlier, it also contains an obfuscated script.

Now to decode this script...

You will notice that I highlighted some variables in Figure 2. These variables will become a window.eval() function when the script is executed. window.eval() is a javascript function that executes an argument. This function was used to execute the "deobfuscated" code. Malicious scripts commonly use this technique to avoid script debuggers/emulators that hook this function to create a dump of the deobfuscated code.

So now, we need to modify the script so that Malzilla will be able to get the argument of the eval() function...

[Figure 3: Removing IF conditions]

Figure 3 shows that in this specific sample, we need to remove some IF statements to make sure that the script is executed.

[Figure 4: Run script and Show Eval() results]

If you take a look again at the highlighted variables in Figure 2, you will see that the variable "e" will become the window.eval() function. Figure 4 shows the modifications that we applied. Run the script and then hit the "Show eval() results" button. At the bottom box of Figure 4, you will see the deobfuscated code. It is a hidden iframe that connects to a remote site.

Let's follow this site, shall we...

Again using Malzilla, you need to repeat the steps in order to analyze this remote site. On the Download tab, paste the URL and then hit the "Get" button.

[Figure 5: Contents of the remote site.]

Figure 5 shows that this site contains two script tags, so we need to use "Send all scripts to Decoder". Again, like the first site, you can see here that it uses the same technique where window.eval has been assigned to a variable "e". Apply the same modification that we did earlier, run the script, and then get the eval result. Figure 5 also shows which part of the script you need to change.

[Figure 6: Black Hole exploit code.]

Figure 6 shows the result. You will now see the "Please wait page is loading..." text. This display page is very common in Black Hole exploit code. Initially the code is on a single line, which makes reading it a little hard. You can use a "javascript formatter" to insert newlines and tabs in the script; an example is jsbeautifier.org.
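Both this post and the Skype vouchers post above start from the same tell: a landing page whose source contains an iframe that is kept out of sight (1x1 pixel, `display:none`, or pushed off-screen) and points at a different host. The following is an added example, not Malzilla's or the author's code, that automates that first inspection step: it parses a page with Python's standard-library HTML parser, lists every iframe, and reports the ones that are hidden together with whether they are cross-origin. The sample page and the `.example` hosts in it are constructed for the demonstration; the specific hiding heuristics are the usual ones and are an assumption about what is worth flagging, not a list taken from the posts:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # HTMLParser lowercases attribute names; valueless attributes arrive as None
            self.iframes.append({k: (v or "") for k, v in attrs})


def hiding_reasons(attrs):
    """Return the tricks used to keep an iframe out of sight (empty list if visible)."""
    reasons = []
    style = attrs.get("style", "").lower().replace(" ", "")
    for dim in ("width", "height"):
        attr_val = attrs.get(dim, "").strip().lower().rstrip("px")
        if attr_val.isdigit() and int(attr_val) <= 1:
            reasons.append(f"{dim} attribute is {attr_val}")
        css = re.search(rf"{dim}:(\d+)(?:px)?", style)
        if css and int(css.group(1)) <= 1:
            reasons.append(f"css {dim} is {css.group(1)}")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("css hides the element")
    offscreen = re.search(r"(?:left|top):-(\d+)", style)
    if offscreen and int(offscreen.group(1)) >= 1000:
        reasons.append("positioned off-screen")
    return reasons


def find_hidden_iframes(html, page_url):
    """Report hidden iframes and whether each loads content from another host."""
    page_host = urlparse(page_url).hostname
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = hiding_reasons(attrs)
        if not reasons:
            continue
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname
        findings.append({
            "src": src,
            "cross_origin": bool(src_host) and src_host != page_host,
            "reasons": reasons,
        })
    return findings


# Constructed landing page: a misleading title plus the kind of iframes the posts describe
SAMPLE_HTML = """<html><head><title>Skype vouchers</title></head>
<body><h1>Get your free Skype voucher</h1>
<iframe src="http://third-party.example/path" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="/help" width="400" height="300"></iframe>
<iframe src="http://cdn.example/ad" style="position:absolute; left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML, "http://fake-page.example/"):
        print(hit)
```

The visible help iframe is ignored, while the 1x1 hidden frame and the off-screen frame are both reported as cross-origin; the `src` values are the URLs you would feed into the next Malzilla "Get" step, which is where the obfuscated script in Figure 2 was found.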

Let's now take a look at the exploit code...

It searches for vulnerable applications installed on the target system. In this sample, it checks for the following:

  • Adobe Reader
  • Flash Player

[Figure 7: Check installed applications.]

It deploys an MDAC exploit (CVE-2006-0003 - IE6 COM CreateObject Code Execution) to download and execute a malicious file.

  • File: Cridex worm
  • MD5 hash: c3124a2981d8e1b9e13e8c21c96448f7
  • Virustotal Scan Results


[Figure 8: Deploying MDAC exploit.]

It deploys the following PDF exploits:

  • CVE-2008-2992 - Adobe Reader util.printf
    • File: Pdfjsc exploit
    • MD5 hash: 8ad89d5477fe5b074b1767a826207c8a
    • Virustotal Scan Results

  • CVE-2009-0927 - Adobe Reader Collab GetIcon
    • File: Pdfjsc exploit
    • MD5 hash: 84fbc15c2d3e460183b853c566bf3ccf
    • Virustotal Scan Results

[Figure 9: Deploying PDF exploits.]

It deploys an HCP exploit (CVE-2010-1885):

[Figure 10: Deploying HCP exploit.]

The file in the link is an obfuscated script. When the deobfuscated code is saved to a file:

  • File: Javascript iframe
  • MD5 hash: 1f082ef7e2bc87efa2926a81925e6c46
  • Virustotal Scan Results

[Figure 11: Deobfuscated HCP exploit script]

Finally, it deploys a Flash Player exploit (CVE-2011-0611 - Adobe Flash Player Memory Corruption):

[Figure 12: Deploying Flash exploit.]

More Information:
Black Hole exploit kit

Sample source:
malwaredomainlist.com

References:
Imperva
ZScaler ThreatLab

AXMLPrinter2

Posted on Tuesday, March 06, 2012 by Red Horse | No comments
Originally posted by elmo.

AXMLPrinter2 (AXMLPrinter version 2) is a tool that uses AXmlResourceParser to convert a binary XML file into a readable XML document.

Prerequisite:
JDK (Java Development Kit) needs to be installed on your system.

Download:
AXMLPrinter2.jar

Syntax:
1. go to the folder where you downloaded AXMLPrinter2
2. open a command prompt
3. type and execute "java -jar AXMLPrinter2.jar <location of xml file> >> <output file>"
e.g. d:\tools>java -jar AXMLPrinter2.jar d:\test\AndroidManifest.xml >> out.log
4. open <output file> or out.log

Black Hole exploit kit

Posted on Tuesday, March 06, 2012 by Red Horse | No comments
Originally posted by kazmot.

The Black Hole exploit kit is an unethical off-the-shelf Web application. The first instance - v.1.0.0 beta - appeared on the black market and was advertised in August 2010 as a "System for network testing". As with most exploit kits, it is based on PHP and a MySQL backend. The payload of this kit usually targets Windows operating systems and the applications installed on those systems, but depends on the criminals' end goal.

The Black Hole exploit kit uses several protection mechanisms such as:

    • Integrated Antivirus based on an API of popular blackhats' AVCheck services
    • Forms database of blacklists based on referrers and IP addresses including ranges to block access to the system


Below is a running list of vulnerabilities that have been used with the Black Hole exploit kit:


    • CVE-2011-0611 - Adobe Flash Player Memory Corruption Vulnerability

    • CVE-2010-1885 - HCP

    • CVE-2010-1423 - Java argument injection vulnerability in the URI handler in Java NPAPI plugin

    • CVE-2010-0886 - Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE

    • CVE-2010-0842 - Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability

    • CVE-2010-0840 - Java trusted Methods Chaining Remote Code Execution Vulnerability

    • CVE-2009-1671 - Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll

    • CVE-2009-0927 - Adobe Reader Collab GetIcon

    • CVE-2008-2992 - Adobe Reader util.printf

    • CVE-2007-5659 - Adobe Reader CollectEmailInfo

    • CVE-2006-0003 - MDAC (IE6 COM CreateObject Code Execution)


Related topic:
Fake Intuit Quickbooks Page Leads to Black Hole Exploit

Sources:
Websense

Monday, March 5, 2012

CrimePack exploit kit

Posted on Monday, March 05, 2012 by Red Horse | No comments
Originally posted by kazmot.

CrimePack exploit kit is just like any other exploit kit. It contains various codes that exploit vulnerabilities in a system and in some of the applications installed on it. Commonly, these exploit codes download and execute an arbitrary file on the system. We were able to download a Dorkbot Worm from one of the malicious links we got from malwaredomainlist.com (MD5 hash: 9210a2635c63a58af18ed5dffb8f01e8, VirusTotal Scan Result available here).

This particular exploit kit has been around for several years now, version 2.0 appeared in the 1st Quarter of 2010, and the latest, as of this writing, is version 3.1.3. Some of its features are the following:

  1. Undetected from AV Scanners (Javascript & PDF/JAR/JPG files)

  2. Random PDF Obfuscation (Not using static pdf file like other packs)

  3. Blacklist checker & AutoChecker

  4. Prevent Wepawet, Jsunpack and other JavaScript unpackers to decode your page

  5. Will autocheck (can be turned off) your domain for blacklist & malware lists, and will notify you if found. Checks the following:


    • Norton SafeWeb

    • My WebOfTrust

    • Malc0de

    • Google Safe Browsing

    • Malwaredomainlist

    • Mcafee SiteAdvisor

    • hpHosts

    • Malwareurl

Below is a running list of vulnerabilities that have been used by Crimepack exploit kit:

  • CVE-2010-1885 - HCP

  • CVE-2010-1423 - JRE 'WebStart' RCE

  • CVE-2010-0840 - Java getValue Remote Code Execution

  • CVE-2010-0806 - IE iepeers Vulnerability (IE7 Uninitialized Memory Corruption/IEPeers Remote Code Execution)

  • CVE-2009-3269 - Opera TN3270

  • CVE-2009-1136 - OWC Spreadsheet Memory Corruption

  • CVE-2009-0927 - Adobe Reader Collab GetIcon

  • CVE-2009-0355 - Firefox 3.5/1.4/1.5 exploits

  • CVE-2008-5353 - Java Deserialize

  • CVE-2008-4844 - Internet Explorer 7 XML Exploit

  • CVE-2008-2992 - Adobe Reader util.printf

  • CVE-2007-5755 - AOL Radio AmpX Buffer Overflow

  • CVE-2007-5659 - Adobe Reader CollectEmailInfo

  • CVE-2006-0003 - MDAC (IE6 COM CreateObject Code Execution)

  • Aggressive Mode - This is a Java applet that downloads and executes your exe; the feature can be turned on and off in the admin panel



Sources:
websense
offensivecomputing
malwaredomainlist

Friday, March 2, 2012

Installing Ubuntu 10.04.1 LTS 64 bit, MongoDB 2.0.3, Lamp, and RockMongo

Posted on Friday, March 02, 2012 by Red Horse | 1 comment
Originally posted by elmo.

1. Installing Ubuntu 10.04.1 LTS 64-bit

1.1 go to ubuntu download page
1.2 select Ubuntu 10.04 LTS
1.3 select 64-bit
1.4 then click Start download (you will download an iso image)
1.5 burn iso image to disc
1.6 install Ubuntu using disc


Notes:

We have selected 64-bit as MongoDB only supports 2 GB of data for 32-bit builds.

Another cool ubuntu installer is Wubi or Windows Ubuntu Installer which will allow you to install in Windows and dual boot.

To check whether you are running 32-bit or 64-bit, type "uname -m":
i686 for 32-bit
x86_64 for 64-bit


2. Installing Mongodb 2.0.3

2.1 go to MongoDb download page
2.2 click download under Linux 64-bit or "wget http://fastdl.mongodb.org/linux/mongodb-linux-x86_64-2.0.1.tgz"
2.3 unzip using "tar xzf mongodb-linux-x86_64-2.0.1.tgz"
2.4 move folder using "sudo mv mongodb-linux-x86_64-2.0.1 ~"
2.5 create data directory "sudo mkdir /data"
2.6 create db directory "sudo mkdir /data/db"
2.7 change permission "sudo chmod 777 /data/*"
2.8 go to mongo bin directory "cd ~/mongodb-linux-x86_64-2.0.1/bin"
2.9 start mongo server "./mongod"
2.10 "./mongo"


3. Installing LAMP - Apache, MySQL, PHP on Ubuntu

3.1 install tasksel "sudo apt-get install tasksel"
3.2 install LAMP stack "sudo tasksel install lamp-server"


4. Installing Rockmongo

4.1 install PEAR and development version of php "apt-get install php-pear php5-dev"
4.2 install driver for php mongodb "pecl install mongo"
4.3 configure php "nano /etc/php5/conf.d/mongodb.ini"

;----- start -----
extension=mongo.so
[mongo]
; If the driver should reconnect to mongo
mongo.auto_reconnect = true
; Whether to allow persistent connections
mongo.allow_persistent = On
; Maximum number of persistent connections (-1 means unlimited)
mongo.max_persistent = -1
; Maximum number of links (persistent and non-persistent, -1 means unlimited)
mongo.max_connections = -1
; Default host for mongo connection
mongo.default_host = www.example.com
; Default port for mongo database
mongo.default_port = 42
; When saving files to the database, size of chunks to split them into
mongo.chunk_size = 1024
; Specify an alternate character to $ to use for special db functions ($set, $push, $exists, etc.)
mongo.cmd = "$"
;----- end -----

4.4 restart apache "/etc/init.d/apache2 restart"
4.5 download rockmongo-v1.1.0.zip
4.6 unzip to "rockmongo" folder and move folder to /var/www
4.7 open a browser and type http://localhost/rockmongo/index.php
4.8 login using admin as username and password

Thursday, March 1, 2012

Baksmali

Posted on Thursday, March 01, 2012 by Red Horse | No comments
Originally posted by elmo.
Baksmali means "disassembler" in Icelandic, and it is used to disassemble a dex file.

Prerequisite:
JDK (Java Development Kit) needs to be installed on your system.

Download:
baksmali-x.x.x.jar

Syntax:
1. go to the folder where you downloaded baksmali
2. open a command prompt
3. type and execute "java -jar baksmali-x.x.x.jar <location of dex file>"
e.g. d:\tools>java -jar baksmali-1.3.2.jar d:\test\classes.dex
4. the disassembled files are located in the "out" folder inside the baksmali directory

Wednesday, February 29, 2012

Ubuntu for Android

Posted on Wednesday, February 29, 2012 by Red Horse | No comments
Originally posted by elmo.
[Image: ubuntu4android2]
Reference:
Ubuntu

Android Malware February 2012 Roundup

Posted on Wednesday, February 29, 2012 by Red Horse | No comments
Originally posted by elmo.

Date          Name
Feb 03, 2012  RootSmart
Feb 06, 2012  FakeRun
Feb 13, 2012  PushBot
Feb 14, 2012  FakeClick
Feb 15, 2012  Gappusin
Feb 17, 2012  Loicdos
Feb 20, 2012  LeadBolt
Feb 23, 2012  Fakeapp
Feb 23, 2012  Opfake.B
Feb 25, 2012  FakeAngry
Feb 25, 2012  Moghava

Thursday, February 23, 2012

TitanMist Tutorial

Posted on Thursday, February 23, 2012 by Red Horse | No comments
Originally posted by Frederic Vila.

[Image: TitanMist Logo]

This brief tutorial assumes knowledge of Windows command line tools and some basic debugging. It also requires installation of the following free tools or applications.

  1. Python 2.7 (http://www.python.org/ftp/python/2.7/python-2.7.msi)

  2. TitanMist 2.0 (http://www.reversinglabs.com/download/TitanMist.rar)

  3. OllyDbg 2.0 (http://www.ollydbg.de/odbg200.zip)

  4. MPRESS 2.17 packer (http://www.matcode.com/mpress.217.zip)

  5. Host File: Win XP calc.exe (C:\Windows\System32\calc.exe)

There are two parts to creating a pattern for TitanMist: the first is to create a signature for detecting the file, and the second is to create an unpacker to extract the host file. But first we need to set up our environment.

Setting The Environment

Install Python in its default directory and extract or copy all the rest to the C:\TitanMist folder. We will use Windows XP's calc.exe as our host file, and all the virtual addresses given below are based on it. Create another copy of calc.exe in the same directory as calc2.exe. With all the tools and applications ready in the TitanMist folder, the folder should look like below.

[Image: TitanMist Working Folder]

In order to create TitanMist detect and unpack patterns, we first need a protected or packed executable. We will use the MPRESS packer, a free tool from Matcode Software. Open a command window in the C:\TitanMist folder. Pack the host file with MPRESS using the command line below:

[plain]mpress.exe calc.exe[/plain]

It should have the expected output as displayed below:

[Image: Mpress Syntax]

This will shrink calc.exe's file size from 112 KB down to 55 KB. Open calc.exe and calc2.exe in two separate OllyDbg windows and notice the difference between the two. Looking at the image below, the one on the left (calc2.exe) is the original version of calc.exe, while the one on the right is packed with MPRESS.

[Image: OllyDbg Comparison]

Some useful commands for OllyDbg can be found at Appendix A.

Creating a Detection

Detection for the MPRESS packer is made by packing many samples and extracting the packer code that is common to all of them. Comparing calc.exe with other MPRESS-packed files, you will notice that there are 41 bytes in common starting from the entry point. Open calc.exe in OllyDbg, then select the code from 0101F16F to 0101F19C. Copy the code by pressing CTRL+Insert (binary copy), paste it into your favorite text editor, and save it as code.txt for later use (see image below).

[Image: Code from the packed File]

Now open the TitanMist database file (C:\TitanMist\TitanMist\db.xml) with the same editor used for code.txt. The database file is an XML file containing all the signatures that detect a packer or protector and load the corresponding unpack pattern. Looking at some of the detect patterns, we get an idea of how detection works. Copy the entry element with the name attribute tELock and paste it below the last element.

We will replace some of the copied tELock’s entry attributes. Change the name from tELock to MPRESS and the author to Matcode Software. The above changes are required to give users information on the executable being scanned on the command window. Since we are making a TitanScript unpacker, the type attribute of unpacker element should be changed from native to titanscript and the value should be mpress.txt instead of MisttElock.dll. This will load mpress.txt if our signature matches the file.

Going to the signature element, we will retain the start attribute of ep, since we require our unpacker to start from the entry point (ep). Change the version attribute to 2.17, the version of MPRESS we are going to unpack. Replace the signature value with the contents of code.txt. The four bytes starting from the 9th byte, which are 5A 0B 00 00, are specific to calc.exe. In order to detect other MPRESS-packed files, we will replace them with a 4-byte wildcard ?? ?? ?? ?? (see image below).

[Image: Mpress Detection]

Creating an Unpacker

So let's start debugging and see what unpack pattern we can produce. It is recommended that you have another packed file open in OllyDbg alongside calc.exe; this way we won't end up with a signature that is specific to calc.exe. Open the C:\TitanMist\TitanMist\unpackers\titanscript folder in Windows Explorer and create a text file named mpress.txt.

The first goal was to find where MPRESS jumps to the original entry point. Experience tells us that there are packers whose return code is at the end of a function or the last code in the code section. In this exercise, two JMP instructions located at 0101F23D and 0101FCCA are candidates for inspection. Scroll down the OllyDbg window and click the address at 0101F23D. Press F4 to direct the instruction pointer (ip) to this address and it will automatically process the instructions in its path. Fortunately, 0101F23D points to our second address of 0101FCCA. Press F8 twice to allow us to single step these two JMP instructions, which will eventually lead us to a decrypted routine.  Going to the last code of this routine, we can see that there is a JMP instruction at 010136A4 whose constants points to calc.exe’s original entry point of 01012475.

The code in Listing 1 automates the steps we just did by hand. Copy it to C:\TitanMist\TitanMist\unpackers\titanscript\mpress.txt; we will test it after some explanation.

[plain]
start:
find eip,#ABE80000000058#
mov target, $RESULT
add target, c
go target
sto
sto
find eip,#E8000000005F81C7EEFEFFFFB0E9AAB81E010000AB61#
mov target, $RESULT
add target, 16
go target
sto
log eip
StopDebug
ret
[/plain]

Listing 1: Code to find OEP

The command find eip,#ABE80000000058# searches forward from eip for that byte pattern and finds 0101F231, which is 12 bytes before 0101F23D. The find command stores its result in $RESULT, which we copy into the target variable and then add c (hexadecimal for 12) to. The go target is the script equivalent of F4, and the two sto commands are the two F8 single steps we did in OllyDbg.

The same goes for find eip,#E8000000005F81C7EEFEFFFFB0E9AAB81E010000AB61#, which, once the decrypted routine is in place, finds 0101368E, 22 bytes (16 in hexadecimal) before the jump that leads to the original entry point at 01012475. The following go target and sto take us to the original entry point. log eip writes the current instruction pointer to the command window while we debug. StopDebug is a TitanEngine API that detaches the debugger from the application, and ret returns control to TitanMist.
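The wildcarded detection signature and the find-plus-offset step of Listing 1 are the same operation: search a byte buffer for a pattern in which ?? stands for any byte, then work from the address of the hit. The Python below is an added example, not TitanMist or TitanScript code, that implements that search over a buffer mapped at a known base address and then applies the add target, c step. The memory buffer, the base address 0x01000000, the entry-point address 0x01001000 and the stubs ep_a/ep_b are constructed for illustration and are not MPRESS bytes.

```python
"""Wildcard byte-signature search, the operation behind TitanMist's detection
signature and the script's `find eip,#...#` command.  Added example, not
TitanMist code: the buffers, base address and stub bytes are constructed."""
import re

HEXDIGITS = set("0123456789abcdefABCDEF")


def compile_signature(sig):
    """Compile '60 E8 ?? ?? C3' or '#ABE80000000058#' into a bytes regex.

    '#' delimiters and whitespace are ignored and a packed string is split
    into byte pairs; '??' matches any single byte."""
    toks = sig.replace("#", "").split()
    if len(toks) == 1 and len(toks[0]) > 2:          # packed form
        s = toks[0]
        toks = [s[i:i + 2] for i in range(0, len(s), 2)]
    parts = []
    for t in toks:
        if t == "??":
            parts.append(b".")
        elif len(t) == 2 and set(t) <= HEXDIGITS:
            parts.append(re.escape(bytes([int(t, 16)])))
        else:
            raise ValueError(f"bad signature token {t!r}")
    # DOTALL so that '??' also matches 0x0A, which '.' would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)


def find(buf, base, sig, start=None):
    """Search buf, mapped at virtual address `base`, from VA `start` (default:
    base) for sig.  Returns the VA of the first match, like $RESULT after
    `find`, or None when the pattern is absent."""
    off = 0 if start is None else start - base
    m = compile_signature(sig).search(buf, off)
    return None if m is None else base + m.start()


def oep_jump_demo():
    """Replays `find eip,#ABE80000000058#` / `add target, c` on a constructed
    buffer that carries the pattern at offset 0x231."""
    base = 0x01000000                                 # constructed image base
    buf = bytearray(b"\x90" * 0x1000)                 # constructed "memory"
    buf[0x231:0x238] = bytes.fromhex("ABE80000000058")
    hit = find(bytes(buf), base, "#ABE80000000058#", start=base + 0x100)
    target = None if hit is None else hit + 0xC       # add target, c
    return hit, target


def wildcard_demo():
    """Two constructed entry-point stubs that differ only in bytes 9..12, the
    position the tutorial wildcards because it is file-specific."""
    ep_a = bytes.fromhex("60E80000000058055A0B0000C3")   # constructed stub A
    ep_b = bytes.fromhex("60E800000000580510200000C3")   # constructed stub B
    generic = "60 E8 00 00 00 00 58 05 ?? ?? ?? ?? C3"    # bytes 9..12 wildcarded
    specific = "60 E8 00 00 00 00 58 05 5A 0B 00 00 C3"  # no wildcard, stub A only
    ep = 0x01001000                                       # constructed entry point
    return (find(ep_a, ep, generic) == ep,
            find(ep_b, ep, generic) == ep,
            find(ep_b, ep, specific) == ep)


if __name__ == "__main__":
    hit, target = oep_jump_demo()
    print(f"find -> {hit:08X}, target after add c -> {target:08X}")
    print("generic matches A, generic matches B, specific matches B:", wildcard_demo())
```

The same compile_signature can be pointed at the bytes you copy out of code.txt: if a signature only matches one of the two packed files you have open in OllyDbg, the bytes you still need to wildcard are the ones that differ between them.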

[plain]TitanMist.exe -i C:\TitanMist\calc.exe[/plain]

Open a command window in the C:\TitanMist\TitanMist folder and run the command line above. The result is the output seen below:

[caption id="" align="aligncenter" width="492" caption="TitanMist Output"]TitanMist Output[/caption]

Now we need the process memory dumped to a file. With no time to RTFM, let's open some of the existing patterns to see how TitanScript unpackers do their work. You'll notice that all of the patterns end with an EntryJump procedure. The one in rl.MEW.txt gives us the EntryJump template common to the existing TitanScript patterns. Copy this procedure together with its variables, variable declarations and variable initializations. With some modification, the result should look like Listing 2.

[plain]
var cTrunkAddress
var cTargetAddress
var FileHandle
var FileSize
var FileMap
var FileMapVA
start:
GetPE32Data $INPUTFILE,0,ue_imagebase
mov fileImageBase,$TE_RESULT
ImporterInit 0C800,fileImageBase
gpi MAINBASE
mov fileLoadBase,$RESULT
find eip,#ABE80000000058#
mov target, $RESULT
add target, c
go target
sto
sto
find eip,#E8000000005F81C7EEFEFFFFB0E9AAB81E010000AB61#
mov target, $RESULT
add target, 16
go target
EntryJump:
sto
mov epAddress,eip
gpi HPROCESS
mov hProcess,$RESULT
DumpProcess hProcess,fileImageBase,$OUTPUTFILE,epAddress
ImporterEstimatedSize
AddNewSection $OUTPUTFILE,".TEv2",$TE_RESULT + 200
mov mImportTableOffset,$TE_RESULT
add mImportTableOffset,fileLoadBase
StaticFileLoad $OUTPUTFILE,ue_access_all,false,FileHandle,FileSize,FileMap,FileMapVA
ConvertVAtoFileOffset FileMapVA,mImportTableOffset,true
ImporterExportIAT $TE_RESULT,FileMapVA
RealignPE FileMapVA,FileSize,2
mov FileSize,$TE_RESULT
StaticFileUnload $OUTPUTFILE,false,FileHandle,FileSize,FileMap,FileMapVA
MakeAllSectionsRWE $OUTPUTFILE
StopDebug
ret
[/plain]

Listing 2: Initial memory dump code

Running TitanMist with this pattern gives us a corrupted dump. Using a hex editor such as HIEW, we can confirm that the import table in the dumped file was not restored. The problem is that the import address table (IAT) slots in the dump hold the resolved virtual addresses of the imported APIs as they were in the running process, not the import descriptors and name tables the Windows loader needs to resolve them again when the file is loaded. Going back to calc.exe in OllyDbg, the decrypted code we saw earlier is actually MPRESS's import table restoration. The instructions at 01013654 load each imported DLL, and its APIs are resolved at 0101367C. We need hooks right after these addresses so that every time the instruction pointer (ip) passes them we can read the register values in use at that point and use them to rebuild our own import table.

[plain]
find eip,#8BD8AC0AC0B0008846FF#
bp $RESULT
bpgoto $RESULT,GetImportedDll
find eip,#AB32C08846FFAC0AC075F6#
bp $RESULT
bpgoto $RESULT,GetImportedApi
GetImportedDll:
gstr esi,2
cmp $RESULT_1,0
je mpressExit
ImporterAddNewDll $RESULT,edi
jmp mpressResume
GetImportedApi:
mov cTargetAddress,esi
mov cTrunkAddress,edi
gstr cTargetAddress,2
cmp $RESULT_1,0
je mpressExit
ImporterAddNewAPI $RESULT,cTrunkAddress
jmp mpressResume
[/plain]

Listing 3: Breakpoint hooks and handles for our import table restoration

Taking some signatures from MPRESS's import table restoration code, we can add the code in Listing 3 to our pattern. With bp $RESULT we set breakpoints on the instructions right after the addresses 01013654 and 0101367C. bpgoto passes control to the assigned breakpoint handler whenever that breakpoint is hit. gstr reads the string at the given address: a pointer to it is returned in $RESULT and its length in $RESULT_1, so a length of zero means there was no string there. The cmp, je and jmp should speak for themselves.

The only things to highlight here are the TitanEngine APIs ImporterAddNewDll and ImporterAddNewAPI. ImporterAddNewDll takes the DLL name string from $RESULT, and edi is the address of the first IAT slot that belonged to that DLL in the host before it was packed, i.e. the FirstThunk of the import descriptor we are rebuilding. ImporterAddNewAPI works the same way, except that it takes an API name and the address of that API's IAT slot, and the API is recorded under the DLL most recently added with ImporterAddNewDll. Listing 4 adds a third case, ImporterAddNewOrdinalAPI, for when gstr finds no string because the API is imported by ordinal rather than by name. These APIs depend on the ImporterInit, ImporterEstimatedSize and ImporterExportIAT calls from Listing 2 to produce a working import table.
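The corrupted dump and the ImporterAddNewDll/ImporterAddNewAPI calls come down to one data structure: the PE import directory that the loader walks. The Python below is an added example, not TitanEngine or TitanMist code. It collects records the way the GetImportedDll and GetImportedApi handlers do (DLL name plus first IAT slot, API name or ordinal plus its IAT slot), serialises them into the descriptor, import name table and string bytes that an export step would place in the new section, and then parses the result back the way the loader would. The image base, section RVA, DLL and API names and IAT slot addresses in demo() are constructed, and the layout is a plain PE32 import directory, not necessarily the byte layout TitanEngine itself emits.

```python
"""Rebuild a PE32 import directory from the (DLL, API, IAT slot) records that
the GetImportedDll / GetImportedApi handlers collect.  Added example, not
TitanEngine code: it mirrors what ImporterAddNewDll, ImporterAddNewAPI,
ImporterAddNewOrdinalAPI and ImporterExportIAT accumulate and emit.
All names and addresses below are constructed."""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
DESCRIPTOR_SIZE = 20                      # sizeof(IMAGE_IMPORT_DESCRIPTOR)


class ImportRebuilder:
    def __init__(self, image_base):
        self.image_base = image_base
        self.dlls = []                    # [(dll_name, first_thunk_rva, [entries])]

    def add_new_dll(self, name, first_thunk_va):
        # ImporterAddNewDll: edi in the script is the VA of the first IAT slot
        # this DLL's APIs occupy; it becomes the descriptor's FirstThunk.
        self.dlls.append((name, first_thunk_va - self.image_base, []))

    def add_new_api(self, name, thunk_va):              # ImporterAddNewAPI
        self._add(thunk_va, name)

    def add_new_ordinal_api(self, ordinal, thunk_va):   # ImporterAddNewOrdinalAPI
        self._add(thunk_va, int(ordinal))

    def _add(self, thunk_va, target):
        if not self.dlls:
            raise ValueError("API recorded before any DLL")
        name, first_rva, entries = self.dlls[-1]
        rva = thunk_va - self.image_base
        # A DLL's IAT slots must be consecutive DWORDs starting at FirstThunk.
        if rva != first_rva + 4 * len(entries):
            raise ValueError(f"IAT slot {rva:#x} is not contiguous for {name}")
        entries.append(target)

    def estimated_size(self):             # ImporterEstimatedSize
        return len(self.export(0))

    def export(self, section_rva):        # ImporterExportIAT into the new section
        """Emit descriptors, import name tables (INT) and name strings at
        section_rva.  The IAT itself stays where the packer left it; each
        descriptor's FirstThunk points back at it so the loader refills it."""
        descriptors, tables = bytearray(), bytearray()
        table_base = section_rva + DESCRIPTOR_SIZE * (len(self.dlls) + 1)
        for dll_name, first_rva, entries in self.dlls:
            int_rva = table_base + len(tables)
            names_off = len(tables) + 4 * (len(entries) + 1)  # INT comes first
            names, int_entries = bytearray(), []
            for target in entries:
                if isinstance(target, int):
                    int_entries.append(IMAGE_ORDINAL_FLAG32 | (target & 0xFFFF))
                else:                     # IMAGE_IMPORT_BY_NAME: hint + name + NUL
                    int_entries.append(table_base + names_off + len(names))
                    names += struct.pack("<H", 0) + target.encode("ascii") + b"\0"
                    names += b"\0" * (len(names) & 1)          # keep WORD aligned
            int_entries.append(0)                              # INT terminator
            name_rva = table_base + names_off + len(names)
            names += dll_name.encode("ascii") + b"\0"
            names += b"\0" * (-len(names) % 4)                 # next INT DWORD aligned
            tables += struct.pack(f"<{len(int_entries)}I", *int_entries) + names
            descriptors += struct.pack("<5I", int_rva, 0, 0, name_rva, first_rva)
        descriptors += bytes(DESCRIPTOR_SIZE)                  # null descriptor
        return bytes(descriptors + tables)


def parse_import_directory(blob, section_rva):
    """Walk an exported blob the way the loader does; returns
    [(dll_name, first_thunk_rva, [api_name_or_ordinal, ...]), ...]."""
    rd32 = lambda rva: struct.unpack_from("<I", blob, rva - section_rva)[0]

    def rdstr(rva):
        off = rva - section_rva
        return blob[off:blob.index(b"\0", off)].decode("ascii")

    result, pos = [], section_rva
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", blob, pos - section_rva)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        entries, p = [], oft
        while rd32(p):
            v = rd32(p)
            entries.append(v & 0xFFFF if v & IMAGE_ORDINAL_FLAG32 else rdstr(v + 2))
            p += 4
        result.append((rdstr(name_rva), ft, entries))
        pos += DESCRIPTOR_SIZE
    return result


def demo():
    """Constructed records in the order the breakpoint handlers would see them."""
    rb = ImportRebuilder(image_base=0x01000000)
    rb.add_new_dll("KERNEL32.dll", 0x01001000)      # edi at GetImportedDll
    rb.add_new_api("GetProcAddress", 0x01001000)    # edi at GetImportedApi
    rb.add_new_api("LoadLibraryA", 0x01001004)
    rb.add_new_dll("USER32.dll", 0x0100100C)        # 0x1008 is KERNEL32's IAT terminator
    rb.add_new_ordinal_api(2000, 0x0100100C)        # the GetProcAddressIsNotString path
    section_rva = 0x1E000                           # where ".TEv2" would be mapped
    return parse_import_directory(rb.export(section_rva), section_rva)


if __name__ == "__main__":
    for dll, first_thunk, apis in demo():
        print(f"{dll:14s} FirstThunk=RVA {first_thunk:#07x} {apis}")
```

Compare the printout with what HIEW shows in the bad dump: a dump whose IAT slots contain only the resolved addresses has no descriptors or name tables for the loader to walk, which is exactly the corruption seen before the Listing 3 hooks are added.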

Combining the Listing 3 code with the main pattern gives us the working MPRESS unpacker in Listing 4.

[plain]
/*
TitanMist
---------------------------------------------
Script:  MPRESS 2.17 Unpacker
Author:  zero1
Website: virusanalysts.blogspot.com
Date:    11/15/2010
Rev:     1.0
*/
var cTrunkAddress
var cTargetAddress
var FileHandle
var FileSize
var FileMap
var FileMapVA
start:
GetPE32Data $INPUTFILE,0,ue_imagebase
mov fileImageBase,$TE_RESULT
ImporterInit 0C800,fileImageBase
gpi MAINBASE
mov fileLoadBase,$RESULT
find eip,#ABE80000000058#
mov target, $RESULT
add target, c
go target
sto
sto
find eip,#8BD8AC0AC0B0008846FF#
bp $RESULT
bpgoto $RESULT,GetImportedDll
find eip,#AB32C08846FFAC0AC075F6#
bp $RESULT
bpgoto $RESULT,GetImportedApi
find eip,#E8000000005F81C7EEFEFFFFB0E9AAB81E010000AB61#
mov target, $RESULT
add target, 16
bp target
bpgoto target,EntryJump
mpressResume:
run
jmp mpressResume
GetImportedDll:
gstr esi,2
cmp $RESULT_1,0
je mpressExit
ImporterAddNewDll $RESULT,edi
jmp mpressResume
GetImportedApi:
mov cTargetAddress,esi
mov cTrunkAddress,edi
gstr cTargetAddress,2
cmp $RESULT_1,0
je GetProcAddressIsNotString
ImporterAddNewAPI $RESULT,cTrunkAddress
jmp mpressResume
GetProcAddressIsNotString:
ImporterAddNewOrdinalAPI cTargetAddress,cTrunkAddress
jmp mpressResume
EntryJump:
sto
mov epAddress, eip
gpi HPROCESS
mov hProcess,$RESULT
DumpProcess hProcess,fileImageBase,$OUTPUTFILE,epAddress
ImporterEstimatedSize
AddNewSection $OUTPUTFILE,".TEv2",$TE_RESULT + 200
mov mImportTableOffset,$TE_RESULT
add mImportTableOffset,fileLoadBase
StaticFileLoad $OUTPUTFILE,ue_access_all,false,FileHandle,FileSize,FileMap,FileMapVA
ConvertVAtoFileOffset FileMapVA,mImportTableOffset,true
ImporterExportIAT $TE_RESULT,FileMapVA
RealignPE FileMapVA,FileSize,2
mov FileSize,$TE_RESULT
StaticFileUnload $OUTPUTFILE,false,FileHandle,FileSize,FileMap,FileMapVA
MakeAllSectionsRWE $OUTPUTFILE
StopDebug
ret
mpressExit:
StopDebug
error
ret
[/plain]

Listing 4: Final MPRESS unpacker

To test Listing 4, open a command window in the C:\TitanMist\TitanMist folder again and run the command line below, which writes the output file calc.unpacked.exe:

[plain]TitanMist.exe -i C:\TitanMist\calc.exe[/plain]

Conclusion

To sum up, TitanMist is a great addition to a malware analyst's arsenal of reversing tools. As it matures, it could make some of the usual tools irrelevant and obsolete. ReversingLabs did a great job creating an unpacker framework. It is ironic, though, that a company that aims to provide the best file analysis and reversing tools is also producing superior protection tools. Who would use their protection tools when there is already an unpacker for them?

Still, it is a promising tool that even those who are new to the security industry can build on, to say the least. Its shortcomings only prove the need for people to collaborate on this project. If that happens, and if people actually support the company's goals, who knows, TitanMist might actually pave the way to our reversing Nirvana.

Appendix A

Some useful OllyDbg Commands:

  • Ctrl + G – locate entered address

  • Ctrl + A – automatic analysis

  • * (num key) – locate current instruction pointer

  • F4 – go to highlighted address

  • F8 – single step instruction

  • Ctrl + F2 – restart debug session

References

  • ReversingLabs Corporation, TitanEngine SDK References from http://www.reversinglabs.com/products/TitanEngine.php

  • ReversingLabs Corporation, TitanMist References from http://www.reversinglabs.com/products/TitanMist.php

* All other trademarks, logos and copyrights are the property of their respective owners.

Wednesday, February 22, 2012

Bouncer

Posted on Wednesday, February 22, 2012 by Red Horse | 1 comment
Originally posted by elmo.

Google has developed a service called Bouncer which automatically scans the official Android Market for Potentially Unwanted Programs (PUP).

Bouncer performs the following:
1. scans each uploaded app against known malware and spyware;
2. uses behavioural scanning to check for known malicious behaviour;
3. checks new developer accounts and prevents repeat-offending accounts from uploading apps.

Friday, February 17, 2012

Foncy

Posted on Friday, February 17, 2012 by Red Horse | No comments
Originally posted by elmo.
[gallery]

FakeTimer

Posted on Friday, February 17, 2012 by Red Horse | No comments
Originally posted by elmo.
[gallery link="file" order="DESC"]

RootSmart

Posted on Friday, February 17, 2012 by Red Horse | No comments
Originally posted by elmo.
[gallery link="file" order="DESC"]

Wednesday, February 15, 2012

Smspacem

Posted on Wednesday, February 15, 2012 by Red Horse | No comments
Originally posted by elmo.
[gallery]

Fakeplayer

Posted on Wednesday, February 15, 2012 by Red Horse | No comments
Originally posted by elmo.

Thursday, February 9, 2012

Android History

Posted on Thursday, February 09, 2012 by Red Horse | No comments
Originally posted by elmo.
A compressed Android history.

Source: Wikipedia

Wednesday, February 8, 2012

Android Malware History

Posted on Wednesday, February 08, 2012 by Red Horse | No comments
Originally posted by elmo.


Date          Name
Aug 10, 2010  FakePlayer.a
Aug 12, 2010  TapSnake
Sep 09, 2010  FakePlayer.b
Oct 13, 2010  FakePlayer.c
Nov 12, 2010  SMS Replicator Secret
Dec 29, 2010  Geinimi
Feb 14, 2011  Adrd
Feb 22, 2011  Pjapps
Mar 01, 2011  DroidDream
Mar 04, 2011  BgServ
Mar 20, 2011  zHash
Mar 31, 2011  Walkinwat
May 07, 2011  Adsms
May 11, 2011  Zsone
May 22, 2011  Smspacem
May 30, 2011  DroidDreamLight
May 23, 2011  BaseBridge
May 31, 2011  Zitmo
May 31, 2011  DroidKungFu
Jun 05, 2011  Plankton
Jun 07, 2011  YZHCSMS
Jun 15, 2011  jSMSHider
Jun 20, 2011  GGTracker
Jun 29, 2011  DroidKungFu2
Jul 01, 2011  GoldDream
Jul 03, 2011  Crusewind
Jul 04, 2011  SndApps
Jul 08, 2011  DroidDream variant
Jul 10, 2011  HippoSMS
Jul 15, 2011  Fokonge
Jul 15, 2011  Mobilespy
Jul 20, 2011  GamblerSMS
Jul 28, 2011  Lovetrap
Jul 30, 2011  Ewalls
Jul 31, 2011  NickiSpy
Aug 01, 2011  Netisend
Aug 02, 2011  Premiumtext
Aug 04, 2011  Pirates
Aug 12, 2011  RogueSPPush
Aug 15, 2011  Dogowar
Aug 15, 2011  DroidKungFu3
Aug 18, 2011  GingerMaster
Aug 23, 2011  Gmaster
Sep 01, 2011  Goldeneagle
Sep 01, 2011  DroidDeluxe
Sep 12, 2011  DroidCoupon
Sep 13, 2011  Spitmo
Sep 14, 2011  Ozotshielder
Sep 15, 2011  AnserverBot
Sep 29, 2011  Gonesixty
Sep 29, 2011  FakeBrows
Oct 10, 2011  Fakeneflic
Oct 10, 2011  BeanBot
Oct 11, 2011  RogueLemon
Oct 17, 2011  Batterydoctor
Oct 20, 2011  DroidKungFu variant
Nov 02, 2011  SMSReplicator
Nov 04, 2011  Fakemini
Nov 05, 2011  DroidLive
Nov 12, 2011  Positmob
Nov 15, 2011  Fauxtocopy
Nov 15, 2011  Lifemonspy
Nov 15, 2011  Mobinaspy
Nov 16, 2011  Cobblerone
Nov 16, 2011  Meswatcherbox
Nov 16, 2011  Pdaspy
Nov 16, 2011  Cellshark
Nov 21, 2011  DroidKungFuSapp
Nov 23, 2011  Fjcon
Nov 25, 2011  Foncy
Dec 12, 2011  Rufraud
Dec 19, 2011  Arspam
Dec 19, 2011  Spybubble
Dec 20, 2011  Flexispy
Dec 20, 2011  Kidlogger
Jan 05, 2012  Nyearleaker
Jan 09, 2012  Steek
Jan 09, 2012  Qicsomos
Jan 10, 2012  FakeTimer
Jan 10, 2012  Fakenotify
Jan 13, 2012  FoncySMS
Jan 27, 2012  Counterclank
Feb 03, 2012  RootSmart
Feb 06, 2012  FakeRun
Feb 13, 2012  PushBot
Feb 14, 2012  FakeClick
Feb 15, 2012  Gappusin
Feb 17, 2012  Loicdos
Feb 20, 2012  LeadBolt

References:
Paolo Passeri
McAfee
Lookout
Symantec
Trend Micro
Mila Parkour
Copyright © Anti-Malware Laboratory | Powered by Blogger