Category Archives: Cell Phone (iPhone, Android, Windows Mobile)

Price of your privacy – mobile phone

Preface:

Google Pinyin, QQ, TouchPal and Sogou IME apps have high download volumes in the Google Play store. However, their users may also be vulnerable to component-hijacking attacks. Do you think there are more apps monitoring your mobile phone silently?

Start discussion:

We have all heard the technical terms predictive search and auto-correction. The keyboard input feature of Google's browser (Chrome) applies similar technologies.

What is predictive search?

Google's search feature uses a predictive search algorithm based on popular searches to predict a user's search query. It requires a connection to Google's systems.

What is auto-correction?

Auto-correction is a feature in which an application predicts the rest of a word a user is typing. It also requires a connection to Google's systems.

Reality – the existing situation in the market, 2017

It looks like the above criteria make sense, and users are allowed to disable this function. But if the mobile owner forgets to enforce the access permission settings, it seems their personal information will be forwarded to Google during web site visits. Google's goal is web behaviour analytics. As far as I know, applications such as the Google app, Google Zhuyin Input and Google Pinyin Input hold the following spy-capable permissions.

Google App – Reads Browser Bookmarks, Knows location by Cell-ID and WiFi, Knows location by GPS signal, Runs on device startup, Reads all SMS messages and records audio on voice calls

Google Zhuyin Input – Records Audio on Voice Calls, Runs on device startup

Google Pinyin Input – Records Audio on Voice Calls, Runs on device startup

MiTalk (China users) – Knows location by GPS signal, Receives all SMS messages, Records audio on voice calls, Knows location by Cell-ID and WiFi, Handles outgoing calls and Runs on device startup

Attention – critical loophole

In 2015, a group of researchers at the Chinese University of Hong Kong (Wenrui Diao, Xiangyu Liu, Zhe Zhou, Kehuan Zhang, Zhou Li) found a vulnerability in Pinyin input. The so-called cross-app KeyEvent injection (CAKI) attack affects the Google Pinyin input method. The flaw is that it allows a third party to harvest entries from the personalized user dictionary of the IME through an ostensibly innocuous app that only asks for common permissions.

Android CAKI vulnerability

Speculation:

We keep track of Android vulnerabilities. I note with concern CVE-2016-9651. This vulnerability allows the collection of invisible private properties on your Android phone. Details are shown below:

Getting all properties of a special object with the d8 shell command:

d8> var specialObject = new Error("test");
d8> var ownNames = Object.getOwnPropertyNames(specialObject);
d8> var ownSymbols = Object.getOwnPropertySymbols(specialObject);
d8> var ownKeys = ownNames.concat(ownSymbols)
d8> ownKeys
["stack", "message"] ---------> all public properties got by normal JavaScript
d8> %DebugPrint(specialObject)
DebugPrint: 0x3058e8cd: [JS_ERROR_TYPE]
- map = 0x53d0945d [FastProperties]
- prototype = 0x2560b9e1
- elements = 0x45384125 <FixedArray[0]> [FAST_HOLEY_SMI_ELEMENTS]
- properties = { ---------> all properties got by DebugPrint
#stack: 0x453d012d <AccessorInfo> (accessor constant)
#message: 0x453bb18d <String[4]: test> (data field at offset 0)
0x453859f1 <Symbol: stack_trace_symbol>: 0x3058e9c1 <JS Array[6]> (data field at offset 1) ---------> private property
}

If the above flaw co-exists with this vulnerability, it sounds like a perfect surveillance backdoor allowing a third party to collect information from your Android phone. As a matter of fact, surveillance programs and cyber espionage keep track of our mobile activities daily. If such data is collected by your government for crime prevention purposes or as a big-data foundation framework, from a certain point of view we have no doubt in saying no. However, who can say how much your personal privacy on your mobile phone is worth?

Reference:

Mobile phone applications – access permission component

Every application must have an AndroidManifest.xml file in its root directory. The manifest file provides essential information about your app to the Android system, which the system must have before it can run any of the app's code. The manifest file declares the permissions (see below) that the application must have in order to access protected parts of the API and interact with other applications. It also declares the permissions that others are required to have in order to interact with the application's components.

Sample – a manifest file declaring permissions

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.photoeffect"
    android:versionCode="1"
    android:versionName="1.0" >

    <uses-sdk
        android:minSdkVersion="8"
        android:targetSdkVersion="18" />

    <!-- Permissions the app requests; each one should be justified during review. -->
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="com.example.towntour.permission.MAPS_RECEIVE" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.CALL_PHONE" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES" />

    <!-- The <application> element of this sample is not shown. -->
</manifest>

Mobile apps like your wife or girlfriend. They are tracing you!

Preface

Power is always dangerous... Android rules the world.

About mobile phone security

Independently conducted by antihackingonline

The attack hit rate on personal mobile devices is high. Mobile phone users enjoy playing game apps. In order to fulfil the application requirements, their web browser needs to enable plugins like Flash and Java in order to display interactive content.

Culprit – Android OS (Zygote)

Zygote is a software component of the Android operating system used to start apps. The Zygote process creates a new process with the fork() system call, and the child process continues where Zygote left off, loading the app itself into the VM.

ActivityThread.main() – see below

public static void main(String[] args) {
    ...
    Environment.initForCurrentUser();
    ...
    Process.setArgV0("<pre-initialized>");
    // Create the main thread looper
    Looper.prepareMainLooper();

    ActivityThread thread = new ActivityThread();
    // Attach to the system process
    thread.attach(false);

    if (sMainThreadHandler == null) {
        sMainThreadHandler = thread.getHandler();
    }

    // The main thread enters the loop state
    Looper.loop();

    throw new RuntimeException("Main thread loop unexpectedly exited");
}

Zygote requires root permissions on Android OS, but this is an inherited right, and therefore the process ID is 1.

Remark: PID 1 is the init process, invoked by the kernel at the end of the bootstrap procedure.

Android zygote security weaknesses caused by performance design

An evaluation program found that Address Space Layout Randomization (ASLR) is not effectively implemented in Android OS. As a result, it leaves software components vulnerable to attacks that bypass the protection. The Zygote process creation model causes two types of memory layout sharing on Android which undermine the effectiveness of ASLR. First, the code of an application is always loaded at exactly the same memory location across different runs, even when ASLR is present; second, all running apps inherit the commonly used libraries from the Zygote process (including the libc library). For more details about the weakness of ASLR on the VM, please refer to the URL below.

Copy – He is a great partner of the virtual machine but he can kill the VM simultaneously – address space layout randomization

Remark: On Android 7.0 or above, library load order randomization was added and ASLR improved. The major improvement goal is increased randomness. As a result, some code-reuse attacks have a lower success rate.

Inline hooking – Inline hooking is a method of intercepting calls to target functions. For instance, a hooking framework may prepare hooks for the following methods:

  • java.lang.System.getProperty()
  • android.app.Instrumentation.newApplication()
  • com.android.internal.telephony.SMSDispatcher.dispatchPdus()
  • android.app.ActivityManager.getRunningServices()
  • android.app.ActivityManager.getRunningAppProcesses()
  • android.app.ApplicationPackageManager.getInstalledPackages()
  • android.app.ApplicationPackageManager.getInstalledApplications()

If a software developer wants to obtain SMS data on your mobile phone (Android), he can follow these steps.

  1. Manage SMS operations such as sending data:

     void sendDataMessage (String destinationAddress,
                           String scAddress,
                           short destinationPort,
                           byte[] data,
                           PendingIntent sentIntent,
                           PendingIntent deliveryIntent)

  2. The null pointer exception is directly linked to the name, i.e. isms or isms2.

  3. The transact() method is redefined in the customized "isms" (or isms2) binder implementation, replacing the original.

  4. When the parent application of the customized program sends an SMS, this leads to a call of the customized program's transact() method.

  5. As a result, the customized program can obtain SMS data (destination number, message text, service center number) from the raw PDU.

Current status

It is hard to draw a conclusion on this discussion topic at the moment. We keep our eyes open to see whether a new vulnerability is found in Zygote in the 3rd quarter of 2017. OK, have a good sleep. Zzzzzzz……

2017 – How Android protect itself?

Preface:

Numbers 31:3 “So Moses spoke to the people, saying, “Arm men from among you for the war, that they may go against Midian to execute the Lord’s vengeance on Midian.”

If you are familiar with the Bible, you might know who Midian was. Some scholars have suggested that Midian was not a geographical area but a league of tribes.

Coping with today's cyber security world, Midian sounds like the equivalent of malware. Mankind is going to find a way to protect electronic devices, including computers, mobile phones and IoT devices.

2017 threats predictions (mobile phone)

We all know ransomware was aggressive in the 1st quarter of this year, and we believe similar attacks will continue to grow. We are aware that malware and malicious code embedded in Google Play store applications have increased significantly, and downloading apps from unknown and untrusted markets has always been more dangerous. We predict that similar incidents will keep happening. Besides, there have been hardware vulnerabilities during the last several years, including vulnerabilities in microprocessors and DRAM technology. Maybe you might ask: how does a mobile phone, especially Android, protect itself?

Let's take a closer look and see whether we can find some hints.

Fundamentals of Android APT

Android uses standard process isolation to separate applications. Applications can read each other's data by requesting permissions in the APK's AndroidManifest, where it is possible to get those permissions granted by the PackageManager. Such permissions can result in applications being run under the same user id.

Heads-up: This is the reason Google is having a hard time getting rid of malicious Android apps

APK Installation Process

An Android manifest file describes the name, version, access rights and referenced library files of the application. As such, the manifest file plays an important role for every Android application. From a security perspective, the manifest file is usually the first thing that a penetration tester will check on an engagement. The android:protectionLevel attribute defines the procedure that the system should follow before granting the permission to the application that has requested it. This is a major part of Android's security model and one of its important protection features.

All the permissions that the application requests should be reviewed to ensure that they don’t introduce a security risk.

<!-- android:name below is a placeholder; the original sample showed only the protectionLevel attribute. -->
<permission
    android:name="com.example.PLACEHOLDER_PERMISSION"
    android:protectionLevel="signature" />

Below is an example showing an inherent risk found in an Android manifest file: the setting lacks a signature-level permission.

<?xml version='1.0' encoding='utf-8'?>
<manifest package="org.qtproject.example.notification" xmlns:android="http://schemas.android.com/apk/res/android" android:versionName="1.0" android:versionCode="1" android:installLocation="auto">
    <application android:icon="@drawable/icon" android:name="org.qtproject.qt5.android.bindings.QtApplication" android:label="@string/app_name">
        <activity android:configChanges="orientation|uiMode|screenLayout|screenSize|smallestScreenSize|locale|fontScale|keyboard|keyboardHidden|navigation"
                  android:name="org.qtproject.example.notification.NotificationClient"
                  android:label="Qt Notifier"
                  android:screenOrientation="unspecified">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
            <meta-data android:name="android.app.lib_name" android:value="-- %%INSERT_APP_LIB_NAME%% --"/>
            <meta-data android:name="android.app.qt_sources_resource_id" android:resource="@array/qt_sources"/>
            <meta-data android:name="android.app.repository" android:value="default"/>
            <meta-data android:name="android.app.qt_libs_resource_id" android:resource="@array/qt_libs"/>
            <meta-data android:name="android.app.bundled_libs_resource_id" android:resource="@array/bundled_libs"/>
            <meta-data android:name="android.app.bundle_local_qt_libs" android:value="-- %%BUNDLE_LOCAL_QT_LIBS%% --"/>
            <meta-data android:name="android.app.bundled_in_lib_resource_id" android:resource="@array/bundled_in_lib"/>
            <meta-data android:name="android.app.bundled_in_assets_resource_id" android:resource="@array/bundled_in_assets"/>
            <meta-data android:name="android.app.use_local_qt_libs" android:value="-- %%USE_LOCAL_QT_LIBS%% --"/>
            <meta-data android:name="android.app.libs_prefix" android:value="/data/local/tmp/qt/"/>
            <meta-data android:name="android.app.load_local_libs" android:value="-- %%INSERT_LOCAL_LIBS%% --"/>
            <meta-data android:name="android.app.load_local_jars" android:value="-- %%INSERT_LOCAL_JARS%% --"/>
            <meta-data android:name="android.app.static_init_classes" android:value="-- %%INSERT_INIT_CLASSES%% --"/>
            <meta-data android:value="@string/ministro_not_found_msg" android:name="android.app.ministro_not_found_msg"/>
            <meta-data android:value="@string/ministro_needed_msg" android:name="android.app.ministro_needed_msg"/>
            <meta-data android:value="@string/fatal_error_msg" android:name="android.app.fatal_error_msg"/>
            <!-- Splash screen (commented out in the Qt template)
            <meta-data android:name="android.app.splash_screen_drawable" android:resource="@drawable/logo"/>
            -->
        </activity>
    </application>
    <uses-sdk android:minSdkVersion="16" />
    <supports-screens android:largeScreens="true" android:normalScreens="true" android:anyDensity="true" android:smallScreens="true"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
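As an added example (not code from the original posts), a small Python reviewer for the two manifest checks discussed above: it lists the sensitive permissions a manifest requests (the review recommended after the photo-effect sample) and flags custom <permission> declarations that are not protected at the signature level. The embedded manifest is constructed for this example, reusing the photo-effect permission list plus a hypothetical custom permission; the SENSITIVE_PERMISSIONS table is the reviewer's own choice, not an Android-defined list.

```python
# Added example, not from the original posts: review an AndroidManifest.xml for
# (1) requested permissions an auditor should question and
# (2) custom <permission> declarations weaker than protectionLevel="signature".
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = f"{{{ANDROID_NS}}}name"
APROT = f"{{{ANDROID_NS}}}protectionLevel"

# Reviewer's own list of permissions that expose location, telephony, SMS or
# audio; each one an app requests should come with a justification.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location (GPS)",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location (Cell-ID/WiFi)",
    "android.permission.CALL_PHONE": "place calls without user confirmation",
    "android.permission.READ_PHONE_STATE": "phone number, IMEI, call state",
    "android.permission.READ_SMS": "read all SMS messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.RECORD_AUDIO": "record audio / voice calls",
    "android.permission.READ_CALL_LOG": "read call history",
}

# Constructed sample manifest: the photo-effect permission list from the post
# plus a hypothetical custom permission declared without a protectionLevel.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.photoeffect" android:versionCode="1" android:versionName="1.0">
    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="18" />
    <!-- hypothetical custom permission, declared without protectionLevel -->
    <permission android:name="com.photoeffect.permission.EXPORT_PHOTOS" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.CALL_PHONE" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <application android:label="PhotoEffect" />
</manifest>
"""


def review_manifest(xml_text):
    """Return (sensitive, weak) for a manifest.

    sensitive: list of (permission, reason) for requested sensitive permissions,
               in manifest order.
    weak:      list of (name, protectionLevel) for custom <permission> elements
               whose level does not include "signature".
    """
    root = ET.fromstring(xml_text.encode("utf-8"))

    sensitive = []
    for elem in root.iter("uses-permission"):
        name = elem.get(ANAME, "")
        if name in SENSITIVE_PERMISSIONS:
            sensitive.append((name, SENSITIVE_PERMISSIONS[name]))

    weak = []
    for elem in root.iter("permission"):
        name = elem.get(ANAME, "")
        # Android treats a missing protectionLevel as "normal": any app may
        # request the permission and the system grants it at install time.
        level = elem.get(APROT, "normal")
        # The level may carry flags, e.g. "signature|privileged".
        if "signature" not in level.split("|"):
            weak.append((name, level))
    return sensitive, weak


if __name__ == "__main__":
    sensitive, weak = review_manifest(SAMPLE_MANIFEST)
    print("Sensitive permissions requested:")
    for name, reason in sensitive:
        print(f"  {name}: {reason}")
    print("Custom permissions without signature protection:")
    for name, level in weak:
        print(f"  {name}: protectionLevel={level}")
```

Run it against a decoded manifest (for example the output of apktool) to get the same two lists for a real APK.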

Android-APT project page:

As we know, the Android APT plugin is officially obsolete. The Android Gradle plugin (version 2.2) replaced the traditional plugin (android-apt) in October 2016.

An announcement was issued by Android Studio: annotation processing became available in the Android Gradle plugin (2.2 and later), so there is now no need to use the android-apt plugin anymore if using version 2.2 of the Gradle plugin or above.

You can remove the line:

apply plugin: 'com.neenbedankt.android-apt'

Question: what is the security status for those who still use the Android APT plugin?

If the Android Gradle plugin is not in use, it is still an Eclipse project. Currently android-apt works fine with version 2.2 of the Android Gradle plugin, but it doesn't work with Jack.

Are there security concerns with the Android APT plugin?

Plugin technology was initially introduced by third parties to add enhancements and capabilities to Android. The plugin will find all AspectJ aspects available in the project compile classpath and weave the .class files. Meanwhile, AspectJ allows hooking. For AspectJ to work on Android we have to make use of some hooks when compiling our app, and this is only possible using the android-library Gradle plugin.

From a security point of view, plugin design may contain inherent risk because of the fundamental hook process design. The Android plugin technology is an innovative application-level virtualization framework that allows a mobile application to dynamically load and launch another app without installing it. This technology was originally developed for hot patching and for reducing the released APK size. The primary application of this technology is to satisfy the growing demand for launching multiple instances of the same app on the same device, like logging in to my personal and business Gmail accounts simultaneously.

Abbreviations 1: Weave (Web-based Analysis and Visualization Environment)

Abbreviations 2: AspectJ is an aspect-oriented programming (AOP) extension created at PARC for the Java programming language. It is available in Eclipse Foundation open-source projects, both stand-alone and integrated into Eclipse.

APT, AspectJ, Javassist corresponding component

Sounds scary, but does Android have a solution to mitigate the risk?

Can we wait for Android O?

Digital wallet – where to go? iPhone, Android, or not going to use one

Preface

I'm a smart brain; it made me lazy….

The implementation of the smart phone changed people's lifestyle. Any time, anywhere, you can get in touch with the world. It breaks the follow-the-sun operation concept. Why? Online shopping and settlement happen simultaneously because of the electronic payment function. The bar chart below on the left-hand side shows internet users in selected countries who purchased items via mobile device in 2013. In less than 3 years, mobile payment usage has grown significantly in Greater China (see the picture below on the right-hand side).

Cyber attack is a never-ending story. Malware infection techniques take advantage of computer users' negligence, and even banks are not an exception. Headline news that shocked the world includes the Bangladesh Bank robbery, the so-called Bangladesh Bank heist, which took place in February 2016, when SWIFT instructions were used to steal US$951 million from Bangladesh Bank.

In order to avoid cyber incidents on electronic payment transactions, the financial industry, especially payment gateway service providers, seeks to perfect authentication methods with the goal of enhancing the reliability of payment. For instance, 2-factor authentication: a second, randomly generated passcode is sent through SMS to your mobile phone.

Electronic wallet upside down to the world

A third-party online payment platform was launched in China in 2004 by Alibaba Group. As time goes by, it now has the biggest market share in China with 400 million users, covering nearly 50% of China's online payment market in October 2016. Today the electronic wallet looks like a flood spreading to different countries in the world, especially China. The electronic wallet is initiated from the mobile phone. The table below can provide some hints in this regard.

Background

A digital wallet refers to an electronic device that allows an individual to make electronic transactions.

Digital wallet infrastructure elements

The account information and card type attract the interest of criminals. But are you aware that there is a difference between mobile computing (electronic wallet) and the traditional internet payment function (without electronic wallet)? See the infographic below. No matter how precise and advanced the deployed encryption technology is, it is difficult to avoid a single device being compromised. Personally, I do not suggest that my friend use an electronic wallet on his mobile phone. My friend was told that even if money is lost because of malware, only the charged money value is lost. Yes, from a technical point of view that is correct. But remember that the mobile OS is fragile. Why do we say the mobile OS is fragile?

Why does it say mobile OS is fragile?

Android phone

(Memory)

Although both the Android Runtime (ART) and the Dalvik virtual machine perform routine garbage collection, this does not mean you can ignore when and where your app allocates and releases memory. Software designers need to avoid introducing memory leaks, usually caused by holding onto object references in static member variables, and release any Reference objects at the appropriate time as defined by lifecycle callbacks.

Side effect of the above defect – The easiest way to leak an Activity is by defining a static variable inside the class definition of the Activity and then setting it to the running instance of that Activity. If this reference is not cleared before the Activity's lifecycle completes, the Activity will be leaked. So it all depends on the mobile app developer's design, and it is hard to avoid memory leaks. As you know, what is the defect of a memory leak? Hackers rely on this error to implant malware.

If you would like to know more details, please refer to the articles below.

Heard that the Android operating system is not secure anymore, but probably it is not.

How about iOS?

Design weakness:

Every WebKit object is a RefCountedBase object

Mobile Safari and most WebKit apps leak addresses – fill in another object and use the JS pointer of the old object to read information from the new object.

Should you be interested in the details of the above matter, please refer below:

Meteor shower – Apple iPhone

Checkpoint: if the above 2 technical articles make you feel confused or tired and you are not able to read on, no problem, we can jump to the summary of this discussion. The information will stay here; any time you are interested, you are free to read it.

Summary:

IT and cyber security technologies have a limited development life cycle. An OS claims itself safe today, but it is hard to guarantee the next 6 months. The most fundamental weakness in mobile device security is that the security decision process depends on yourself. You are allowed to play online games and watch online TV programs anywhere. Because of the web browser's extension features, countless plug-in drivers will be installed on your mobile phone. How about your personal information, including your personal account information? Do you think you can rely only on your local antivirus? Can the so-called malware detection program avoid the cyber attack?

My personal suggestion is to think it over before installing or making use of an electronic wallet on your mobile phone.

Have a nice day, goodbye!

The other side of the story on cyber attack (Electronic war between countries)

Preface

We have heard that the new age transformation is coming. As a result, it transforms traditional military weapons into electronic code. Computer technologies such as DDoS (distributed denial of service), malware and viruses are similar to a killer: they can disrupt financial activities, daily network communication and health care services. An idea that comes to our attention from World War II history is that classic military power destroyed everything (mankind and property), but rebuilding society and operations after the war was a harsh and difficult mission! From a technical point of view, the victor might stand on an ethical viewpoint to assist the defeated side in rebuilding its business and economic system. As a matter of fact, the destruction level of a war fought with military weapons, especially missiles, is hard to evaluate. And this is the reason cyber warfare will appear in the coming future! But it has started already!

Analysis of technical articles about cyber warfare

Regarding my study of the technical article issued by the Center for Security Studies (CSS) at ETH Zurich, the analysis highlights several key factors of cyber warfare. Cyber warfare is cheaper than traditional military force. It provides a "cleaner" situation (with less or no bloodshed). No doubt it is less risky for an attacker than other forms of armed conflict. The analysis defines 5 different types of cyber conflict: cyber war, cyber terrorism, cyber espionage, internet crime and cyber vandalism.

The specific features of cyber weapons (between countries)

I was sometimes confused by headline news predicting a cyber technology war. The question on my mind is how electronic or cyber weapons can replace traditional military facilities. Thinking it over, the appropriate techniques might be adopted against the following criteria (see below):

The capabilities of cyber attack techniques (a transformation of traditional military force)

| Type | Attack technology | Functional feature – objective | Target – environment | Remark |
|---|---|---|---|---|
| Cyber vandalism, cyber war | IoT & botnet (DDoS technique) | Service suspension – electronic communication services (IP telephony) | Bank, fund house, stock exchange | |
| Cyber espionage | Malware | Information gathering | Bank, fund house, stock exchange & government sector | |
| Cyber war, cyber vandalism | Ransomware | Service suspension of important facility functions | Nuclear facility, airlines, TV broadcast station, radio broadcast station & military facility | Ransomware contains the capability to suspend computer services. Besides, it can listen to instructions from a C&C server; on the other hand, the attacker can resume the services once they win the battle. |
| Traditional military force | Bomb | Service suspension of important facility functions and permanent destruction | Nuclear facility, military facility, power station, airport & communication facility (digital phone system) | |
| Internet crime, cyber war | Email phishing and scam email messages | Carry out psychological warfare, implant malware in order to fulfil their objective | Nuclear facility, military facility, power station | |

Let us dig into one of the attack techniques to see how the cyber technology features fulfil the goal of cyber warfare.

Do you think ransomware was founded by a military department?

The first ransomware appeared in 1989. A biologist, Joseph L. Popp, sent 20,000 infected diskettes labeled "AIDS Information – Introductory Diskettes" to attendees of the World Health Organization's international AIDS conference. After 90 reboots, the Trojan hid directories and encrypted the names of the files on the customer's computer. To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

In 2006, then President George W. Bush was increasingly worried about Iranian efforts at enriching uranium and, ultimately, its hopes to build an atomic bomb. The goal of Stuxnet, driven by the US government, was to destroy Iran's nuclear facilities. Rumour has it that the Stuxnet malware destroyed roughly one-fifth of Iran's centrifuges in 2009.

Unconfirmed information stated that there was a separate operation called Nitro Zeus, which gave the US access to Iran's air defense systems so it could not shoot down planes, its command-and-control systems so communications would go dead, and infrastructure like the power grid, transportation, and financial systems.

Speculation:

WannaCry infection uses EternalBlue, an exploit of Windows' Server Message Block (SMB) protocol. The U.S. National Security Agency (NSA) had discovered the vulnerability in the past, but used it to create an exploit for its own offensive work rather than reporting it to Microsoft. As we know, nuclear power facility control systems rely on Microsoft OS platforms (see the articles below). It may cause people to think: is there any secret action hidden by the NSA (National Security Agency)? This aroused my interest in questioning who is the key figure spreading WannaCry ransomware. It looks like there is a similarity with the Stuxnet worm infection in 2009. Since we were all fooled by the NSA at that time, letting our computer workstations transform into a cyber army and attack the USA's enemy, do you think WannaCry is a rehearsal, test or pilot run?

Malware vs. nuclear power: do you think the SCADA system is the culprit in attacks on nuclear power systems?

The diagram below is my imagination of a modern nuclear facility environment. The SCADA system plays a key role in a nuclear power facility. Ransomware has the capability to suspend the services of these facilities. It doesn't need to destroy anything, but the services will be totally shut down. We have seen a real example in UK health care services as a reference. I will stop writing here. Should you have any queries, I will try my best to write more in future.

Supplement – The other side of the story on cyber attack (Electronic war between countries) – 13th June 2017

As said in the above discussion topic, it looks like visitors were not interested, judging by the comments and feedback. However, there is something on my mind I need to share.

North Korean President Kim's intention is to show the world his governing power. He frequently demonstrates his military power, which causes the US government concern about his equalizing of military power in the world. To be honest, it is hard to equal the military and economic powers of today. For instance, China has nearly become the 1st business economic leader. We all know the United States is the leader at this moment. However, their economic operation chain should have difficulties doing a 2nd round of transformation, because some of their capital business and business economy contains made-in-China elements. Since North Korea's finance and business economy are weak, what President Kim did seems not to make sense. I did not visit North Korea; however, a lot of news on TV might speculate on their current situation. I strongly believe that their nuclear facility might operate in 60's fashion. The SCADA system could not possibly be supplied by Siemens, but learning and developing a Windows-based SCADA system is not difficult. From an information point of view, North Korean nuclear facilities might rely on Windows for control systems instead of Linux. And therefore a ransomware-type attack can specifically hit the target. Meanwhile, the business industry in North Korea all works with Microsoft OS in daily life.

Below are hints on how to eliminate the risks, issued by a SCADA system vendor. Any interest?

Process control vendors require:
1. A system with a minimal attack surface, so that biweekly or monthly patches are not required
2. A consistent programming interface that will not change every four to five years, requiring a complete rewrite of their software
3. An environment that can be quickly and safely “locked down” to reduce the risk from hacking
4. A system with limited network access, only through specific ports to reduce the risk of network based attacks
5. Support for priority-based multi-tasking, preferably a real-time operating system (RTOS) that supports hard real-time requirements
6. A robust ecosystem of utilities and tools to make development, installation, debugging, and maintenance as easy as it is on consumer systems.

End of this topic

Be aware during web surfing – protect your personal privacy – turn off your camera in the web browser

Preface:

What is our objective in discussing this topic today? Our goal is to protect user privacy. As we know, internet traffic is under surveillance, and this activity is not limited to China nowadays; it includes the major countries of Europe, England and the USA.

Situation in China

China has made a clear announcement. The Chinese government has stated that all internet traffic in China is under surveillance, and for that purpose it built the Great Wall (the Great Firewall). The Tianhe-1 and Tianhe-2 (MilkyWay-2) supercomputers are capable of taking on this responsibility.

2016 Supercomputer magazine

Situation in United State

What about the status of the NSA (National Security Agency) surveillance program? The NSA's official announcement was that, after a comprehensive review of mission needs, current technological constraints, United States person privacy interests, and certain difficulties in implementation, NSA has decided to stop some of its activities conducted under Section 702. For more details, see the references below:

NSA Statement: NSA Stops Certain Section 702 “Upstream” Activities

https://www.nsa.gov/news-features/press-room/statements/2017-04-28-702-statement.shtml

NSA Stops Certain Foreign Intelligence Collection Activities Under Section 702

https://www.nsa.gov/news-features/press-room/press-releases/2017/nsa-stops-certain-702-activites.shtml

NSA Transparency Report: The USA FREEDOM Act Business Records FISA Implementation – 15 January 2016

https://www.nsa.gov/about/civil-liberties/reports/assets/files/UFA_Civil_Liberties_and_Privacy_Report.pdf

The items above give an idea that our communications (electronic or not) are under surveillance. A positive way to think about it is that such policies are meant to fight crime. Apart from that, are you aware of your personal privacy, especially your mobile phone camera (lens)? We have learned more secrets about mobile phones recently. JavaScript or HTML5 executed in Chrome can access your mobile phone camera (example shown below):

Enable camera and microphone in packaged application for Chrome OS

    // Legacy, vendor-prefixed API used by Chrome packaged apps at the time;
    // the standard equivalent is navigator.mediaDevices.getUserMedia().
    var mediaStream = null;
    navigator.webkitGetUserMedia({ audio: true, video: true },
        function (stream) {
            // Success: the app now holds a live camera and microphone stream.
            mediaStream = stream;
        },
        function (error) {
            console.error("Error trying to get the stream: " + error.message);
        });

Remark: audio and video capture from a <webview>-embedded page require permission, and the browser alerts the phone owner. A developer hint is that the required permissions, audioCapture and videoCapture, can instead be declared in manifest.json, in which case the phone user might not be aware that capture is taking place.

Below is the HTML5/JavaScript code which selects a source and passes it as an optional constraint into getUserMedia. This function is available in the Chrome web browser. (MediaStreamTrack.getSources() has since been removed from Chrome in favour of navigator.mediaDevices.enumerateDevices(); the older API is shown as the post was written.)

Step 1: Select source

    // Legacy API: enumerate the available audio/video sources and hand the
    // list to gotSources(), which picks the first microphone and camera.
    var audioSource, videoSource;
    function gotSources(sourceInfos) {
      for (var i = 0; i < sourceInfos.length; i++) {
        if (sourceInfos[i].kind === 'audio' && !audioSource) audioSource = sourceInfos[i].id;
        if (sourceInfos[i].kind === 'video' && !videoSource) videoSource = sourceInfos[i].id;
      }
    }
    MediaStreamTrack.getSources(gotSources);

Step 2: pass it in as an optional constraint into getUserMedia

    var constraints = {
      audio: {
        optional: [{sourceId: audioSource}]   // chosen microphone id
      },
      video: {
        optional: [{sourceId: videoSource}]   // chosen camera id
      }
    };
    navigator.getUserMedia(constraints, successCallback, errorCallback);

Step 3: Put the permissions in manifest.json or manifest.xml. The mobile phone user might not be aware.

The audio and video capture functions above need only a little reverse engineering to be transformed into a function that receives your personal photos. Are you aware of it?
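As an added example (not code from the original post), here is a small Node.js script that audits a Chrome packaged-app manifest.json for the permissions discussed above. It assumes the Chrome App permission names audioCapture, videoCapture and webview; the sample manifest is constructed for this example and is not a real app.

```javascript
// Added example: audit a Chrome packaged-app manifest.json for permissions
// that let the app reach the camera/microphone without a per-use prompt.
// Assumptions: Chrome App permission strings "audioCapture", "videoCapture"
// and "webview"; the sample manifest below is constructed for this example.

const MEDIA_PERMISSIONS = new Set(['audioCapture', 'videoCapture']);
const BROAD_PERMISSIONS = new Set(['webview', '<all_urls>', 'http://*/*', 'https://*/*']);

// Chrome manifests list permissions either as strings or as objects such as
// {"socket": ["tcp-connect"]}; normalise both forms into a flat list of names.
function collectPermissions(manifest) {
  const names = [];
  for (const key of ['permissions', 'optional_permissions']) {
    for (const entry of manifest[key] || []) {
      if (typeof entry === 'string') names.push(entry);
      else if (entry && typeof entry === 'object') names.push(...Object.keys(entry));
    }
  }
  return names;
}

// Returns the risky permissions found and whether the combination that
// matters for the scenario above is present: media capture declared in the
// manifest (so getUserMedia succeeds silently) plus a <webview> that can
// show any remote page.
function auditManifest(manifestText) {
  const manifest = JSON.parse(manifestText);
  const findings = [];
  for (const perm of collectPermissions(manifest)) {
    if (MEDIA_PERMISSIONS.has(perm)) {
      findings.push({ permission: perm, severity: 'high',
                      note: 'getUserMedia succeeds without a per-use prompt' });
    } else if (BROAD_PERMISSIONS.has(perm)) {
      findings.push({ permission: perm, severity: 'medium',
                      note: 'can load or reach arbitrary web content' });
    }
  }
  const granted = new Set(findings.map(f => f.permission));
  const silentCapture =
    (granted.has('audioCapture') || granted.has('videoCapture')) && granted.has('webview');
  return { findings, silentCapture };
}

// Constructed sample manifest (not a real app).
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'Sample Viewer', version: '1.0', manifest_version: 2,
  app: { background: { scripts: ['main.js'] } },
  permissions: ['storage', 'audioCapture', 'videoCapture', 'webview',
                { socket: ['tcp-connect'] }],
});

const result = auditManifest(SAMPLE_MANIFEST);
for (const f of result.findings) console.log(`${f.severity}: ${f.permission} - ${f.note}`);
console.log('silent capture possible:', result.silentCapture);
```

The same check is worth running against any packaged app before it is side-loaded: a manifest that declares media capture never shows the per-use prompt the remark above relies on, so the user's only warning is the install-time permission list.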

Summary:

Referring to the information above, it looks like we need to spend more effort to close the back door on our mobile phones, right? But the easy way from the end user side is simply to disable the camera in your mobile phone browser, or to cover it with a sticker. It is straightforward, bye!


Modern Malware intelligence

Preface:

More people are paying attention to the cyber security world this year because of tremendous incidents: the ATM thieves, the NSA scandal, the IoT DDoS and recently the WannaCry ransomware incident. There are more that I forget. But those incidents have a common criterion: the infection techniques behind them are delivered by malware technology.

Evolution

Before the term malware was introduced by Yisrael Radai in 1990, malicious software was referred to as computer viruses. Conceptually, malware is categorised into elements such as trojan horses, worms, spyware, rootkits and botnets. For more details, please refer to the diagram below.

Defense

How modern technique fight against malware:

Preventive control mechanism

Address Space Layout Randomization (ASLR):

This feature randomises how and where important data is stored in memory, making it more likely that attacks which try to write directly to system memory will fail, because the malware cannot find the specific location it needs.

Data Execution Prevention (DEP):

This feature marks data regions such as the stack and heap as non-executable, substantially reducing the range of memory in which injected code can run.

How malware breaks the ice

Evasion technique against Sandbox

Evasion technique 1:

To avoid detection, refresh the malware body (the executable file) frequently so that its checksum or hash changes; this defeats signature-based antivirus detection.

Evasion technique 2:

Malware can search through physical memory for strings; new-generation malware commonly does this to detect memory artifacts left by analysis tools. Analysis images also have recognisable defaults: for instance, by default Metasploitable's network interfaces are bound to the NAT and host-only network adapters, and the image should never be exposed to a hostile network. Malware contains intelligence to detect sandbox status, and takes no action once a sandbox has been detected.

Evasion technique 3:

A Cuckoo sandbox uses a named pipe, \\.\pipe\cuckoo, for communication between the host system and the guest system. Malware can try to open that pipe to detect the virtual environment.

Evasion technique 4:

Since open source applications are popular in the IT world, a lot of security analysts build their own sandbox, and Cuckoo covers a significant share of these deployments. Meanwhile malware has enhanced its intelligence and can detect the Cuckoo agent. Cuckoo uses a Python agent to interact between host and guest, so by listing processes and finding python.exe or pythonw.exe, or by looking for agent.py on the system, malware can detect Cuckoo.

Evasion technique 5:

Most modern workstations have at least 4 GB of memory. Malware developers add intelligence that treats a machine with less memory as a probable sandbox.

Evasion technique against Virtual machine environment
Red Pill

Red Pill is a technique to detect the presence of a virtual machine. The code below can be used to detect whether it is executed under a VMM (virtual machine monitor) or on real hardware.

Red Pill was developed by Joanna Rutkowska.

Swallowing the Red Pill is more or less equivalent to the following code (returns non zero when in Matrix):

     /* Red Pill (Rutkowska): returns non-zero when running under a VMM.
        32-bit x86 only: SIDT stores a 6-byte IDTR (16-bit limit, 32-bit base),
        and the byte-code is executed from the stack, so the stack must be
        executable (DEP/NX off for this process). */
     int swallow_redpill () {
       unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3"; /* sidt [addr]; ret */
       *((unsigned*)&rpill[3]) = (unsigned)m;   /* patch [addr] with the address of m */
       ((void(*)())&rpill)();                   /* execute: m now holds the IDTR */
       return (m[5]>0xd0) ? 1 : 0;              /* top byte of the IDT base address */
     }

Remark: the SIDT instruction (encoded as 0F 01 0D [addr]) can be executed in non-privileged mode (ring 3), yet it returns the contents of a sensitive register that is used internally by the operating system.

Theory: the virtual machine monitor must relocate the guest's IDTR to avoid a conflict with the host's IDTR. Since the virtual machine monitor is not notified when the virtual machine runs the SIDT instruction, the IDTR for the virtual machine is returned, and the process gets the relocated address of the IDT. It was observed that on VMware the relocated IDT is at address 0xffXXXXXX, while on Virtual PC it is at 0xe8XXXXXX. Caveat: this check dates from software virtualisation on single-processor hosts. With hardware-assisted virtualisation (Intel VT-x, AMD-V) SIDT is not trapped and returns the guest's own IDTR, and on multi-core systems each CPU has its own IDT, so the result varies with the CPU the code happens to run on; treat Red Pill as unreliable on modern hosts.

No Pill (Store Global Descriptor Table-SGDT & Store Local Descriptor Table-SLDT)

The SGDT and SLDT instruction technique for VMware detection is commonly known as No Pill. The No Pill technique relies on the fact that the LDT structure is assigned to a processor, not to an operating system. On a host machine the LDT location reads as zero, while on a virtual machine it is non-zero.

Evasion technique: especially in POS malware

Malware uses a smart way to evade the sandbox: it replaces API names with hashes and uses a table of hash values to decide which processes to ignore, so that the sandbox does not parse them.

Intangible attacks help evade sandbox detection

We should be aware that malware most likely uses the methods below to avoid antivirus or sandbox detection.

  • Hide the code which may be recognised as malicious. This is generally done using encryption.
  • Write the decryption stub in such a way that it is not detected as a virus nor bypassed by emulation/sandboxing.

However, we know that there are intangible attacks on the internet. This style of attack helps malware avoid sandbox detection.

PE inject:

PE injection looks more powerful than classic code injection techniques, since it does not require any shellcoding knowledge. The malicious code can be written in regular C++ and relies on well-documented Windows system and runtime APIs. Compared to DLL injection, the main asset of PE injection is that you do not need several files: the custom malicious code injects itself inside another, normal process, and therefore may bypass detection.

Example for reference:

A hacker compromises a web site and lures visitors to the web page. During the visit a message alerts the visitor that, in order to display the content correctly, they need to download a font. From a technical point of view, antivirus might detect the malicious download if it is a known virus. Otherwise the malware can execute the following actions:

Socket creation and network access
Access to filesystem
Create threads
Access to system libraries
Access to common runtime libraries

How does malware complete the job?

Calculate the amount of memory that needs to be allocated

    /* Get image of current process module memory */
    module = GetModuleHandle(NULL);
    /* Get module PE headers */
    PIMAGE_NT_HEADERS headers = (PIMAGE_NT_HEADERS)((LPBYTE)module + ((PIMAGE_DOS_HEADER)module)->e_lfanew);
    /* Get the size of the code we want to inject */
    DWORD moduleSize = headers->OptionalHeader.SizeOfImage;

Calculate the new addresses to set in the distant process

    /* delta is the offset of the allocated memory in the target process relative to the preferred ImageBase */
    delta = (DWORD_PTR)((LPBYTE)distantModuleMemorySpace - headers->OptionalHeader.ImageBase);
    /* olddelta is the offset of the image in the current process relative to the preferred ImageBase */
    olddelta = (DWORD_PTR)((LPBYTE)module - headers->OptionalHeader.ImageBase);

The relocation data directory is an array of relocation blocks, which are declared as IMAGE_BASE_RELOCATION structures:

    typedef struct _IMAGE_BASE_RELOCATION {
        ULONG VirtualAddress;   /* RVA of the 4 KB page this block covers */
        ULONG SizeOfBlock;      /* size of the header plus its descriptors, in bytes */
    } IMAGE_BASE_RELOCATION, *PIMAGE_BASE_RELOCATION;

Relocation data directory layout (each 16-bit descriptor holds the relocation type in its top 4 bits and a 12-bit offset within the block's page):

    =====================================================================================
    |              Relocation Block 1                   |       Relocation Block 2       |
    | VAddr | SizeOfBlock | desc1 | desc2 | desc3 | ... | VAddr | SizeOfBlock | desc1 |...|
    | 32b   | 32b         | 16b   | 16b   | 16b   |     | 32b   | 32b         | 16b   |   |
    =====================================================================================

Walk the relocation descriptors in all relocation blocks and, for each descriptor, modify the pointed-to address to adapt it to the new base address in the distant process

    /* Copy module image into a temporary buffer */
    RtlCopyMemory(tmpBuffer, module, moduleSize);
    /* Get data of the .reloc section */
    PIMAGE_DATA_DIRECTORY datadir = &headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
    /* Point to the first relocation block copied in the temporary buffer */
    PIMAGE_BASE_RELOCATION reloc = (PIMAGE_BASE_RELOCATION)(tmpBuffer + datadir->VirtualAddress);
    /* Browse all relocation blocks (a zero VirtualAddress marks the end; a robust
       version also stops at tmpBuffer + datadir->VirtualAddress + datadir->Size) */
    while (reloc->VirtualAddress != 0)
    {
        /* Check whether the current block contains relocation descriptors; if not, skip to the next block */
        if (reloc->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION))
        {
            /* Count the relocation descriptors */
            DWORD relocDescNb = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
            /* relocDescList points to the first relocation descriptor */
            LPWORD relocDescList = (LPWORD)((LPBYTE)reloc + sizeof(IMAGE_BASE_RELOCATION));
            /* For each descriptor */
            for (i = 0; i < relocDescNb; i++)
            {
                /* A zero descriptor is IMAGE_REL_BASED_ABSOLUTE padding and is skipped;
                   the top 4 bits are the relocation type, the low 12 bits the page offset */
                if (relocDescList[i] > 0)
                {
                    /* Locate the data that must be relocated in the buffer (the data is an address, so a pointer to pointer is used) */
                    /* reloc->VirtualAddress + (0x0FFF & list[i]) -> add the bottom 12 bits to the block virtual address */
                    DWORD_PTR *p = (DWORD_PTR *)(tmpBuffer + (reloc->VirtualAddress + (0x0FFF & (relocDescList[i]))));
                    /* Change the address to adapt it to the injected module base address */
                    *p -= olddelta;
                    *p += delta;
                }
            }
        }
        /* Set reloc pointer to the next relocation block */
        reloc = (PIMAGE_BASE_RELOCATION)((LPBYTE)reloc + reloc->SizeOfBlock);
    }

Once the code is injected (written into the distant process with the fixed-up buffer), the hacker can attempt to call its functions, for instance by creating a remote thread at the relocated address.
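As an added example (not code from the original post or from the PE injection write-up it follows), the relocation walk above is redone here in Node.js over a hand-built image, so the directory format can be studied without a Windows target. Unlike the walkthrough, it decodes the 4-bit type in each 16-bit descriptor, skips IMAGE_REL_BASED_ABSOLUTE padding, stops at the directory's Size rather than at a zero VirtualAddress, and handles both 32-bit (HIGHLOW) and 64-bit (DIR64) fix-ups. The image buffer, its ImageBase and the relocation entries are all constructed for this example; no real PE file is parsed, and delta is taken as newBase minus the header's ImageBase (the walkthrough's two-step olddelta/delta adjustment amounts to the same thing).

```javascript
// Added example: parse an IMAGE_BASE_RELOCATION directory and rebase an image.
// Constructed data only; the type constants are the documented PE values.
const IMAGE_REL_BASED_ABSOLUTE = 0;   // padding entry, no fix-up
const IMAGE_REL_BASED_HIGHLOW = 3;    // 32-bit absolute pointer
const IMAGE_REL_BASED_DIR64 = 10;     // 64-bit absolute pointer

// image: Buffer laid out by RVA (buffer offset == RVA). delta: newBase - ImageBase.
// Returns the number of fix-ups applied; throws on a malformed directory.
function applyRelocations(image, relocRva, relocSize, delta) {
  let offset = relocRva;
  const end = relocRva + relocSize;
  let applied = 0;
  while (offset + 8 <= end) {
    const pageRva = image.readUInt32LE(offset);          // IMAGE_BASE_RELOCATION.VirtualAddress
    const sizeOfBlock = image.readUInt32LE(offset + 4);  // IMAGE_BASE_RELOCATION.SizeOfBlock
    if (sizeOfBlock === 0 && pageRva === 0) break;       // terminating block
    if (sizeOfBlock < 8 || offset + sizeOfBlock > end) throw new Error('malformed relocation block');
    const count = (sizeOfBlock - 8) / 2;
    for (let i = 0; i < count; i++) {
      const entry = image.readUInt16LE(offset + 8 + 2 * i);
      const type = entry >> 12;                 // top 4 bits: relocation type
      const target = pageRva + (entry & 0x0fff); // low 12 bits: offset within the page
      if (type === IMAGE_REL_BASED_ABSOLUTE) continue;
      if (type === IMAGE_REL_BASED_HIGHLOW) {
        if (target + 4 > image.length) throw new Error('fix-up outside image');
        image.writeUInt32LE((image.readUInt32LE(target) + delta) >>> 0, target); // wraps mod 2^32
      } else if (type === IMAGE_REL_BASED_DIR64) {
        if (target + 8 > image.length) throw new Error('fix-up outside image');
        const v = image.readBigUInt64LE(target);
        image.writeBigUInt64LE(BigInt.asUintN(64, v + BigInt(delta)), target);
      } else {
        throw new Error(`unsupported relocation type ${type}`);
      }
      applied++;
    }
    offset += sizeOfBlock;
  }
  return applied;
}

// Constructed 32-bit image: ImageBase 0x00400000, three absolute pointers that
// need fixing, and a .reloc directory at RVA 0x1000 holding two blocks (pages
// 0x0000 and 0x2000) padded with ABSOLUTE entries to 4-byte alignment.
function buildSampleImage() {
  const imageBase = 0x00400000;
  const image = Buffer.alloc(0x3000);
  image.writeUInt32LE(imageBase + 0x100, 0x0010);
  image.writeUInt32LE(imageBase + 0x200, 0x0020);
  image.writeUInt32LE(imageBase + 0x2008, 0x2008);
  const entry = (type, off) => (type << 12) | off;
  const blocks = [
    [0x0000, [entry(IMAGE_REL_BASED_HIGHLOW, 0x10), entry(IMAGE_REL_BASED_HIGHLOW, 0x20),
              entry(IMAGE_REL_BASED_ABSOLUTE, 0), entry(IMAGE_REL_BASED_ABSOLUTE, 0)]],
    [0x2000, [entry(IMAGE_REL_BASED_HIGHLOW, 0x08), entry(IMAGE_REL_BASED_ABSOLUTE, 0)]],
  ];
  const relocRva = 0x1000;
  let p = relocRva;
  for (const [pageRva, entries] of blocks) {
    image.writeUInt32LE(pageRva, p);
    image.writeUInt32LE(8 + 2 * entries.length, p + 4);
    entries.forEach((e, i) => image.writeUInt16LE(e, p + 8 + 2 * i));
    p += 8 + 2 * entries.length;
  }
  return { image, imageBase, relocRva, relocSize: p - relocRva };
}

// Rebase the constructed image to newBase and return the fixed-up pointers.
function rebaseSample(newBase) {
  const s = buildSampleImage();
  const applied = applyRelocations(s.image, s.relocRva, s.relocSize, newBase - s.imageBase);
  return { applied,
           p1: s.image.readUInt32LE(0x0010),
           p2: s.image.readUInt32LE(0x0020),
           p3: s.image.readUInt32LE(0x2008) };
}

console.log(rebaseSample(0x10000000));
```

The same loop, run over a suspicious buffer dumped from a process, is also a quick way for an analyst to tell whether an injected region was rebased by hand: a mapped PE whose pointers are consistent with an ImageBase the module was never loaded at has been through exactly this routine.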

Overall comment on the above:

The details above only give the reader an idea of the current situation in the cyber world. There are more advanced hacking techniques involved. This motivated me to do this quick research; my goal is to let IT users know more in this regard.


Coming soon!
How does advanced technology fight the Dark Power?

Advanced technology against Dark Power


The silence of Flash: be aware of the RTMFP protocol! It can exacerbate network attacks.


Flash Player has a wide user base and is a common format for games, animations and graphical user interfaces (GUIs) embedded in web pages. However, the trend towards HTML5 is going to replace its role in the market. Google stopped running Flash display advertisements in January 2017, and the e-newspaper Digital Journal foresaw that Adobe Flash would be dead and gone by 2018. Nevertheless, Adobe released Flash Player 25 in March 2017. Before the discussion starts, let's go through the current market status of Flash Player. The picture below shows the current market position of Flash; it shows a significant drop in market share.

Market position 2017

A question you may ask: if the market share of the product has dropped, why discuss a product of low popularity? My concern about the Adobe Flash application is still valid: even if you are not going to use it, a Flash Player installed on your machine carries inherent risk. OK, let's make it simple and jump to our main topic: the Real-Time Media Flow Protocol from Adobe.

What is the Real-Time Media Flow Protocol (RTMFP)?

The Real-Time Media Flow Protocol (RTMFP) is a communication protocol from Adobe that enables direct peer-to-peer communication between multiple instances of the Adobe Flash Player client and applications built using the Adobe AIR framework, for the delivery of rich, live, real-time communication.

The evolution of Adobe system design

The IETF document on RTMFP (RFC 7425, December 2014) has the following security considerations.

Cryptographic aspects of RTMFP architecture:
RTMFP architecture does not define or use a Public Key Infrastructure (PKI). Clients should use static Diffie-Hellman keys in their certificates. Clients MUST create a new certificate with a distinct fingerprint for each new NetConnection. These constraints make client identities ephemeral but unable to be forged. A man-in-the-middle cannot successfully interpose itself in a connection to a target client addressed by its fingerprint/peer ID if the target client uses a static Diffie-Hellman public key.

Servers can have long-lived RTMFP instances, so they SHOULD use ephemeral Diffie-Hellman public keys for forward secrecy. This allows server peer IDs to be forged; however, clients do not connect to servers by peer ID, so this is irrelevant.

For more details on the above, please visit the IETF document at https://tools.ietf.org/html/rfc7425#page-46

Our observation today

  1. RTMFP is based on UDP. UDP (User Datagram Protocol) is connectionless, which decreases latency and overhead and gives greater tolerance for dropped or missing packets. RTMFP groups in Flash Player support multicast. If a hacker counterfeits a malicious SWF file and deploys it with a spear-phishing technique, the multicast structure makes it hard to locate the original source of the file.

2. CVE-2017-2997 is a buffer overflow in the Primetime TVSDK feature that supports customising ad information; successful exploitation could lead to arbitrary code execution. A design weakness appears to exist in the TVSDK: an out-of-bounds read vulnerability had already been found by FireEye in May 2016.

3. Besides, the AVM (ActionScript Virtual Machine) implements certain core features of ActionScript, including garbage collection and exceptions, and also acts as a bridge between your code and Flash Player. Use-after-free bugs in the AVM are mitigated by the OS: even with Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP) in place, attackers still find ways to bypass them. In Windows 8.1 Update 3 Microsoft introduced a new exploit mitigation technology called Control Flow Guard (CFG). CFG injects a check before every indirect call in the code to verify that the destination address of that call is one of the locations identified as “safe” at compile time. However, overwriting the Guard CF Check Function Pointer with the address of a ret instruction lets any address pass the Guard CF check function, and thus bypasses CFG.

Overall comments on the above 3 items:

It looks like Flash contains fundamental design limitations, and there may be more hidden risks not yet discovered. As far as I know, law enforcement agencies rely on Flash vulnerabilities to implement surveillance programs (see the 2012 vulnerability referenced below). My suggestion is to uninstall Flash from your web browser, especially in an enterprise IT operation environment. Since information security is a continuous program, stay tuned; an update will be coming soon!

Flash Architecture

Remark: out-of-bounds definition – this typically occurs when a pointer or its index is incremented or decremented to a position beyond the bounds of the buffer, or when pointer arithmetic results in a position outside the valid memory location, to name a few cases. This may result in corruption of sensitive information, a crash, or code execution, among other things.

Application platform  – Language C and C++

The chronology of attack

2012: The malicious documents contain an embedded reference to a malicious Flash file hosted on a remote server. When the Flash file is acquired and opened, it sprays the heap with shellcode and triggers the CVE-2012-0779 exploit. Once the shellcode gains control, it looks for the payload in the original document, decrypts it, drops it to disk, and executes it. Symantec detects this payload as Trojan.Pasam. The malicious files observed so far contact servers hosted in China, Korea, and the United States to acquire the data necessary to complete the exploitation. This attack targets Adobe Flash Player on Internet Explorer for Windows only.

2015: An SWF file is used to inject an invisible, malicious iframe.

2017: (CVE-2017-2997, CVE-2017-2998,CVE-2017-2999,CVE-2017-3000,CVE-2017-3001,CVE-2017-3002 & CVE-2017-3003)

A buffer overflow vulnerability that could lead to code execution (CVE-2017-2997).
Memory corruption vulnerabilities that could lead to code execution (CVE-2017-2998, CVE-2017-2999).
A random number generator vulnerability used for constant blinding that could lead to information disclosure (CVE-2017-3000).
Use-after-free vulnerabilities that could lead to code execution (CVE-2017-3001, CVE-2017-3002, CVE-2017-3003).


Part 2:Blockchain technology situation – Malware join to bitcoin mining

A moment of silence, prayer for the dead (Terrorist attack on the streets attack near U.K. Parliament 22nd Mar 2017)

A moment of silence, prayer for the dead 
Tragedy in Russia - Explosion in the St. Petersburg metro 3rd Apr 2017


We continue the discussion on the blockchain technology situation (Part 1: Blockchain technology situation – A Tale of Two Cities). Part 2 mainly focuses on malware threats to the bitcoin industry. We understand that Bitcoin was designed to be uncensorable digital cash that could operate outside the existing financial system. As mentioned last time, it looks like blockchain technology has a weakness at the endpoint device (the bitcoin owner's workstation or mobile phone). Even if you deploy a proprietary wallet, the overall setup becomes weak once malware compromises your endpoint device. The diagram below gives the reader an idea of bitcoin wallet architecture; do you have a different view in this regard?

The Bitfinex incident wakes up concern about endpoint security

More than US$60m worth of bitcoin was stolen from one of the world's largest digital currency exchanges, Bitfinex, on 2nd Aug 2016. Nearly 120,000 units of bitcoin, worth about US$72 million, were stolen from the Bitfinex exchange platform in Hong Kong, Reuters Technology News reported. Bitfinex's Director of Community & Product Development stated that the bitcoin was stolen from users' segregated wallets. The investigation found no evidence of a breach of any BitGo servers, said BitGo's representative.

Since there is no evidence that a security breach happened there, what is the possible cause?

In an announcement posted by the official Bitfinex group, the company said it was going to secure the environment, bring down the web site and leave the maintenance page up. From a technical point of view, if API and signing keys reside on servers, a hacker might gain access with legitimate credentials once a bitcoin wallet user's workstation is compromised. As a matter of fact, if the web service is hacked, the bitcoin owner loses the money (see the bitcoin wallet architecture comparison diagram above).

Our Observation

The weakness of a Node.js trading API framework

The JavaScript client contains a security weakness: it helps a hacker understand the operation path. For instance:

The client sends its payload, its key, and the HMAC of the payload computed with its secret key. The server retrieves the user by the public key (pk), recomputes the HMAC with the retrieved secret key (sk) and then checks whether the computed HMAC equals the received HMAC (see the program syntax below for reference).


From a technical point of view, malware that can steal private keys or digital certificates can be transformed into bitcoin malware. As usual, the infection technique relies on spear phishing: the emails contain a malicious attachment with a file carrying a zero-day exploit. The exploit attacks a multimedia software platform used for producing animations, especially Adobe Flash, to install malware onto the victim's computer.

The malware then obtains Bitfinex's private key plus one of the following items:

i) BitGo's private key

ii) Bitfinex's BitGo username and password and Authy credentials (which allow the hacker to create new API access tokens and remove daily limits)

iii) Bitfinex's BitGo API access token

Or it supplies new keys to BitGo as a new 2-of-3 internal Bitfinex address, signs the transaction with the BFX key and the “new key” that was just given, and thereby bypasses BitGo's security checks.

Summary:

The details above are one example. Quoting a real incident increases the visibility of the understanding. Apart from that, the discussion looks never-ending; I believe part 3 will be coming soon.


Advanced Persistent Threat (APT) miscellaneous outline

The first time I heard of the “Advanced Persistent Threat” it was, for me, a hostile conspiracy between nations, with the famous network events below as proof of concept. What is the purpose of announcing the APT to the world?

2010 – Stuxnet (APT) is believed by many experts to be a jointly built American-Israeli cyber weapon, although no organisation or state has officially admitted responsibility.

2011 – Defence contractor Lockheed Martin hit by an advanced persistent threat to its network (specifically related to RSA's SecurID two-factor authentication products)

2011 – APT28 used lures written in Georgian that were probably intended to target Georgian government agencies or citizens.

2013 – APT28 targeted a journalist covering the Caucasus

2013 – Kimsuky malware (APT) targets critical infrastructure and industrial control systems (ICS) in South Korea

2013 – In February 2013, Mandiant uncovered Advanced Persistent Threat 1 (APT1): alleged Chinese attacks using APT methodology between 2004 and 2013

*2014 – The BlackEnergy APT group re-engineered the BlackEnergy DDoS software and deployed SCADA-related plugins against the ICS and energy sectors around the world.

2015 – In August 2015 Cozy Bear (classified as advanced persistent threat APT29) was linked to a spear-phishing cyber-attack against the Pentagon email system, causing the shutdown of the entire Joint Staff unclassified email system and Internet access during the investigation.

2016 – OnionDog, an APT focused on the energy and transportation industries in Korean-language countries

APT (Advanced Persistent Threat) design definition

It is a flexible and sustainable platform, demonstrating long-term use and planning for versatility.

The common APT kill chain criteria (see below diagram for reference)

However, APT28 operates differently. A complete attack scenario with APT28 has multiple malware stages, such as Sourface/Coreshell, Eviltoss, and Chopstick. APT28 could persuade a trusted user to open a malicious document that includes a Sourface downloader, which downloads the Chopstick second-stage malware. We believe the hackers use the spear phishing technique.

Terminology for reference:

CORESHELL: This downloader is the evolution of APT28's previous downloader of choice, known as “SOURFACE” (or “Sofacy”). Once executed, it creates the conditions to download and execute a second stage (usually Eviltoss) from a C2.
EVILTOSS: This backdoor is delivered through the CORESHELL downloader to gain system access for reconnaissance, monitoring, credential theft and shellcode execution.
CHOPSTICK: This is a modular implant compiled from a software framework that provides tailored functionality and flexibility. By far, Chopstick is the most advanced tool used by APT28.


MIMIKATZ: Everyone knows this tool. In this case it has had devastating effects, completely compromising the AD forest.

Fileless APT malware

MM Core APT: MM Core is a fileless trojan.

Trojan.APT.BaneChant targeted Middle Eastern and Central Asian organisations. The trojan is fileless, downloading its malicious code into memory to prevent investigators from extracting the code from the device's hard drive.

Primary objective for advanced persistent threat

There are two different objectives for advanced persistent threats to date.

Objective 1: An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization.

Objective 2: An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes which target the computer hardware of nuclear facilities. The objective of the attack is to suspend services or mess up operations, causing destruction.

Infiltration outline
A typical scenario is shown below:
1. Attackers rename the exploit (say Titanium.zip, which takes advantage of a ZIP parsing vulnerability in the antivirus) to Titanium.wmf
2. Host a web page which contains <iframe src = Titanium.wmf>
3. Convince victims to visit this web page.
4. While victims are browsing the page, Titanium.wmf is downloaded onto the victims' computers automatically, without any user interaction.
5. If the antivirus auto-protect is on, the antivirus engine parses Titanium.wmf automatically, and then possibly gets compromised immediately.
Detect: perform a number of checks for installed security products on the victim machine, looking at entries under the HKLM\Software\ registry path.
The antivirus product is represented by a bit value, which tells the malware which brand of antivirus is installed on the victim machine (see example below):

0x08000000 : Sophos
0x02000000 : INCAInternet
0x04000000 : DoctorWeb
0x00200000 : Baidu
0x00100000 : Comodo
0x00080000 : TrustPortAntivirus
0x00040000 : GData
0x00020000 : AVG
0x00010000 : BitDefender
0x00008000 : VirusChaser
0x00002000 : McAfee
0x00001000 : Panda
0x00000800 : Trend Micro
0x00000400 : Kingsoft
0x00000200 : Norton
0x00000100 : Micropoint
0x00000080 : Filseclab
0x00000040 : AhnLab
0x00000020 : JiangMin
0x00000010 : Tencent
0x00000004 : Avira
0x00000008 : Kaspersky
0x00000002 : Rising
0x00000001 : 360

FINDING VULNERABILITIES OF ANTIVIRUS
Basically there are four kinds of vulnerabilities seen in antivirus software:
Local Privilege Escalation
ActiveX-related
Engine-based
Management (Administrative) interface

KILL THE LOCAL ANTIVIRUS PROGRAM

For instance, a zip bomb, also known as a zip of death or decompression bomb, is a malicious archive file designed to crash or render useless the program or system reading it. It is often employed to disable antivirus software.

Find a zero-day vulnerability to compromise the victim workstation

The implant success rate depends on the patch management status of the workstation.

APT Malware callback

In order to avoid a malware analyser (FireEye, RSA ECAT) detecting the malware's callback to an external C&C server, APT malware compromises a legitimate website and then redirects the communication to the C&C server. This method can prevent the malware analyser from denying the traffic to the external command and control (C&C) servers.

Data Theft

The malware collects data on a victim host, then exfiltrates the data off the network to a place under the full control of the hacker. The hacker erases all evidence after the job is complete. Since the host is compromised, he can return at any time to continue the data breach.

Observation on 2017 1st quarter

Regarding the consolidation of APT incidents and analysis reports so far, it looks like the most efficient way to avoid an APT incident is to install a malware analyser (FireEye, RSA ECAT) in your IT network campus. As a matter of fact, APT technique is an advanced technology developed by a country or a technology group, and therefore has a greater possibility of breaking through endpoint defence mechanisms such as antivirus programs. However, my comment is that Kaspersky is a perfect antivirus and malware defence vendor; maybe it is one of the exceptions, although clients might be concerned about the company background (a group of developers from Russia). As we know, home users cannot install a malware analyser, so I would suggest end users consider their decision carefully when purchasing an antivirus program. The matrix table below is not precise, but can give you an idea which component is the bottleneck against an APT attack.

APT (advanced persistent threat) kill chain relationship matrix table

Phase          | Detect                        | Deny                          | Disrupt                                   | Degrade | Deceive      | Destroy
---------------|-------------------------------|-------------------------------|-------------------------------------------|---------|--------------|--------
Reconnaissance | 1. Managed security services  | Firewall                      |                                           |         |              |
               | 2. IDS                        |                               |                                           |         |              |
               | 3. SIEM                       |                               |                                           |         |              |
Weaponization  | End point defense (antivirus) | End point defense (antivirus) | queuing and loading                       |         |              |
Delivery       | SIEM                          | Proxy Srv                     | End point defense (antivirus)             |         |              |
Exploitation   | malware analyzer              | Vendor Patch                  | End point device                          |         |              |
Installation   | End point defense (antivirus) | malware analyzer              | 1. End point device                       |         |              |
               |                               |                               | 2. Malware analyzer                       |         |              |
C2             | 1. malware analyzer           | malware analyzer              | malware analyzer                          |         | DNS redirect |
               | 2. SIEM                       |                               |                                           |         |              |
Actions        | 1. malware analyzer           | malware analyzer              |                                           |         |              |
               | 2. SIEM                       |                               |                                           |         |              |