
When Developer's API Simplify User-Mode Rootkits Developing

Hakin9, 02/2012

This is a series of articles about shell extensions that enhance the high-level features of any operating system. However, such possibilities not only enrich the platform but also simplify the development of trojans and exploits, which leads to new security holes. Mostly this kind of extension is known as a user-mode rootkit.

Cybercrime is becoming a growing threat to society. Thefts of information, website crashes and the manipulation of online payment traffic are all increasing. Many organizations offer services for the battle against digital crime, such as network or data monitors and extraction tools. These are of interest mainly to authorities and financial institutions, but they are accessible to every organization.

Smartphones have been equipped with operating systems that compare in complexity with those on desktop computers. This trend makes them vulnerable to many of the same threats as desktop OSes. For the past several years mobile malware has no longer been only theory: there has been malware, loss, theft, interception of data communication, exploitation, etc. This is because the decreasing cost of mobile devices has allowed them to gain rich software interfaces that let users interact better with the cyber and physical worlds. For example, mobile devices often come pre-installed with a number of applications, including clients for location-based services and general-purpose web browsers used for chatting and social networking. The increasing number of mobile-related exploits tends to result in security breaches, which has put the industry at a critical point. The greatest risk to all mobile OSes lies in the rapid development and distribution of applications through so-called app markets, because most application markets provide an ideal transport mechanism for delivering malicious software to the heart of an industry's networks.
According to Juniper Networks, the following holds for mobile malware:
• Mobile device and OS market share and mobile malware infection rates are linked.
• Mobile malware uses the same techniques as PC malware to infect mobile devices.
• The greatest mobile malware risk comes from the rapid proliferation of applications from app stores.
• RIM BlackBerry, Google Android, and Apple iOS operating systems suffer predominantly from spyware applications.

It's totally right. If you want to distribute malware, take the most popular application or game and the most popular device you are going to infect, and place the malware application into a "warez" storage. For example, take any game for Android/iOS that is not free (like Angry Birds) and place a supposedly cracked version on a non-official Android market. The application does not even need to be the game. To prove this idea, let's go back to November 2010, when security researchers Jon Oberheide and Zach Lanier unveiled an Android exploit at an Intel security conference in Oregon. They showed that the Android security model included a security flaw that allowed an application to invisibly download additional executable applications, known as APK files, without requiring the user's permission. Their proof-of-concept malware did not contain any actual malicious code; it simply portrayed itself as bonus levels for Angry Birds that, once installed, would open up more levels for the player. In reality, nothing related to Angry Birds was ever included in the application. However, Oberheide and Lanier proved that users could be tricked into downloading this application, and that the application could download and install additional applications without prompting the user to approve the additional installs, or to verify an agreement required for the background applications to be installed. Unfortunately, BlackBerry suffers from the same problem.
Mobile environments make very attractive targets for attackers. Important personal and financial information can easily be compromised because phone usage is part of day-to-day user activities. For example, mobile devices are used for chatting, email, and storing personal and even financial data, pictures, videos, GPS tracks and audio notes.

A rootkit is a stealthy type of malicious software, designed to keep itself, other files, or network connections hidden from detection. A rootkit typically intercepts common API calls to modify or filter information from the operating system in order to stay hidden. For example, it can intercept requests from the file explorer and cause it to keep certain files hidden from display, even reporting false file counts and sizes to the user. There are legitimate uses for rootkits by law enforcement, parents or employers wishing to retain remote command and control and/or the ability to monitor activity on their employees' or children's computer systems. In another example, rootkits are commonly used to conceal keyloggers, which steal sensitive user data, such as passwords and credit card numbers, by silently logging keystrokes. Rootkits are designed to maintain access to targeted computers. They can also disable firewall/antivirus tools by replacing files, changing settings or modifying what the antivirus application can see. None of these activities are directly visible to the user because the rootkit conceals its presence.

There are several kinds of rootkits: bootkits, firmware, user-mode, kernel and hypervisor rootkits. A further discussion needs to compare kernel-mode with user-mode rootkits. Kernel-mode rootkits involve system hooking or modification in kernel space, which is the ideal place because it is at the lowest level and the highest security level, and thus is the most reliable and robust method of system hooking. As a system call's execution path leaves user mode and enters kernel mode, it must pass through a gate.
This gate must be able to recognize the purpose of the incoming system call, initiate the execution of code inside kernel space and then return the results to the calling user-mode code. It is a kind of proxy between user mode and kernel mode. One of the rootkit techniques is simply to modify data structures in kernel memory. For example, the kernel must keep a list of all running processes, and a rootkit can simply remove itself and the other malicious processes it wishes to hide from this list. Rootkits do this by inserting into or patching the code that lists running processes and then filtering which processes are reported as running.

User-mode rootkits involve system hooking in the user or application space. Whenever an application makes a system call, the execution of that system call follows a predetermined path, and the rootkit can intercept it along that path. One of the most common user-mode techniques is in-memory modification of system libraries. Because applications run in their own memory space, the rootkit needs to patch the memory space of every running application to keep control. Moreover, the rootkit has to monitor for new applications in order to patch those programs' memory space too. User-mode rootkits run in Ring 3, along with other applications, rather than as low-level system processes. They have a number of possible installation vectors to intercept and modify the standard behaviour of application programming interfaces (APIs). Some inject a dynamically-linked library (such as a .DLL file on Windows) into processes, and are thereby able to execute inside any target process to spoof it. Injection mechanisms include:
• Use of vendor-supplied application extensions. For example, Windows Explorer, as well as any mobile platform like BlackBerry, has public interfaces that allow third parties to extend its functionality.
• Interception of messages.
• Exploitation of security vulnerabilities.
• Function hooking or patching of commonly used APIs, for example, to mask a running process or a file that resides on a file system.

Windows-based rootkits modify paths and system structures; these methods are used to mask network activity, registry keys, and processes. Rootkits modify all the things which could alert a user to the fact that a malicious program is active in the system. Implementation of user-mode rootkits is relatively easy. Most often, a method based on hooking API functions is used to modify the path to executables. Many rootkit techniques are well documented and used by normal applications. For example, a desktop firewall program may use similar hooking techniques to watch for and alert the user to any outgoing network connections, while a rootkit will use them to hide its backdoor activities. At first glance, the legitimizing effect of commercial rootkit software is leading away from user-mode and toward kernel-mode techniques. However, user-mode rootkits still have the ability to bypass security applications. Non-official market places are now widely available on the Internet, so malware writers don't even need to ponder how to spread their software. It's very easy to integrate several technologies into one malware attack.

User-mode rootkits exist for *NIX and Windows and are known for mobile devices such as Android or BlackBerry. Why not BlackBerry? BlackBerry smartphone applications include inherent virus protection and spyware protection that is designed to contain and prevent the spread of viruses and spyware to other applications. Security is known as the cornerstone of the BlackBerry system and allows users to confidently access sensitive information. Previous attacks on BlackBerry included several exploits and thefts of passwords, screen information, chat messages and other data. All of the described attacks can be put into practice at the application (user-mode) level.
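The process-list filtering described above, whether done by editing a kernel list or by hooking the enumeration path inside each user-mode process, is caught on the defender's side by a cross-view comparison: collect the PID set two independent ways and flag whatever only the low-level view can see. The following Python block is an added example and not code from the article; it compares a /proc directory listing against per-PID probing on Linux, and the Tgid check and the multi-round intersection are my assumptions about how to suppress thread IDs and short-lived processes, not anything the article states.

```python
"""Cross-view detection of hidden processes (added example, not from the article).

A rootkit that hides a process filters the path a process lister uses. It
rarely filters every path at once, so a defender collects the PID set in two
independent ways and flags anything only the low-level view can see.
Linux-specific: both collectors read /proc.
"""
import os


def cross_view_diff(high_level_view, low_level_view):
    """PIDs present in the low-level view but missing from the high-level one.

    Both arguments are iterables of integer PIDs. Processes that exit between
    the two collections show up here too, hence stable_hidden() below.
    """
    return sorted(set(low_level_view) - set(high_level_view))


def stable_hidden(rounds):
    """Keep only PIDs reported hidden in every round, dropping transient ones."""
    sets = [set(r) for r in rounds]
    if not sets:
        return []
    hidden = set(sets[0])
    for s in sets[1:]:
        hidden &= s
    return sorted(hidden)


def listing_view():
    """High-level view: PIDs as returned by a directory listing of /proc
    (getdents), the same path ps and a hooked readdir() would go through."""
    return [int(name) for name in os.listdir("/proc") if name.isdigit()]


def _is_process(pid):
    """/proc/<tid> answers stat() for threads as well, although readdir() never
    lists them; accept only thread-group leaders (Tgid == pid) so ordinary
    threads are not reported as 'hidden' processes (assumed heuristic)."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False
    return False


def probe_view(pid_max=None):
    """Low-level view: probe every candidate /proc/<pid> with stat() instead of
    trusting the directory listing. Slow (pid_max may be 4194304) but independent."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    return [p for p in range(1, pid_max + 1)
            if os.path.exists(f"/proc/{p}") and _is_process(p)]


def scan(rounds=3):
    """Run the comparison several times and return PIDs hidden in all rounds."""
    return stable_hidden(cross_view_diff(listing_view(), probe_view())
                         for _ in range(rounds))


if __name__ == "__main__":
    found = scan()
    print("PIDs hidden from the /proc listing:", found if found else "none")
```

A rootkit that hooks both getdents and stat in every process would defeat this particular pair of views, which is why real tools add further views (for example a kernel-side enumeration) to the comparison.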
While root mode provides the powerful ability to feel like God, the application level has the ability for wide spreading, easy distribution, misleading and, finally, easy development. The most popular solution in the security field is to operate as if always under attack. Well-established products will provide the end user with some protection. Meanwhile, vendors start to develop security measures as hackers continue to develop new rootkits/exploits. That's why the application level is one of the most interesting to research, and it will always be relevant and useful to take it under investigation. Forensic investigation can be conducted on cloud or mobile devices (as on computers and servers), and you're still able to extract most data. At first glance it's a real problem to access the network card from a high level, but don't forget about browser plugins, IM plugins and so on. Therefore this level, being based on an API opened to developers, clearly leads to exploitation.

Coming back to my previous articles, I'm going to refresh some ideas of these attacks. The first article discussed password protection (Is Data Secure on the Password Protected Blackberry Device? Hakin9, February 2011), mainly password masking as a point of protection. It's obvious that in most cases masking passwords doesn't even increase security, but it does cost your business due to login failures. Visualizing the system status has always been among the most basic usability principles. Showing asterisks while users enter complex codes definitely fails to comply. Another background topic was keystroke emulation as a kind of underlying principle of direct interaction with the screen. BlackBerry has an API managed with applications that eventually ask the user to choose restrictions via displayed API requests. Why does a user agree to it? Some applications, such as a phone manager, have no other way to communicate with high-level hardware to catch incoming calls and auto pick up.

Figure 1. Noising password field
It seems there is no failure, because the user installs applications and allows their policies. However, the issue covers all screens that can be managed by keystroke emulation or navigation emulation, or any textbox. One exploit shown in the article was "noising" the input text field. The major concept is in using the most complex password, in the range of 14-18 case-sensitive symbols. That's right: you're obliged to use the most complex password, and you never see the noise symbol until unmasking happens, which usually leads to device wiping (Figures 1 and 2). The next bad idea discussed in the same article is based on the global permission for screen capturing, like the previous keystroke emulation. Your choices for whether to use such an application, for example to capture a lot of screenshots to make a video tutorial, are only yes and no. Thus, in my other article (Why is password protection a fallacy point of view? Hakin9 Extra, June 2011) I showed that you can sniff password data. Two issues for further discussion:
• Keylogger
• Datalogger

Figure 2. Result of noising password field
Figure 3. Screen-capture of browser #1
Figure 5. Screen-capture of password's creation window

Many thanks to Apple's patent (if I'm not mistaken) for the asterisk masking lag. More details: when you touch the screen to type a character, a big-scaled preview appears. When you do the same while typing a password into a masked text box, you can see that every character is masked by an asterisk or black circle only about 1-2 seconds afterwards. This is true of all mobile devices. But if you use a hardware keyboard you will never see it. Reasonably, the password preview is only used when the keyboard is a SureType or multitap keyboard. The Bold keyboard is a full keyboard, so it won't duplicate that behaviour. Such a preview is screenshot-able.
Average statistical data shows that 300-400 msec is good enough to steal each button press: letters, numerics, switching between letters and numerics or symbols, or pressing some kind of shift/caps lock. If you want to be totally sure, set a 100 msec timer to get everything (Figures 3-7). Despite the big bug of managing passwords well in your brain and the previous exploitation, each user has a problem with password managers. BlackBerry gives an opportunity to choose the pre-installed Password Keeper or BlackBerry Wallet. Both can be screen-captured! A good question is why we can't take control over all window applications (even 3rd-party apps). Some kind of answer: the clipboard manager restricts data extraction while the window of Password Keeper/BlackBerry Wallet is active, until you minimize or close it. Is protection by password masking really needed then (Figure 8)?

The next password failures discussed in that article highlight an attacker's capability to steal the password while you're syncing your device with a PC (only Windows-based PCs were discussed), for example by catching the sync event and starting screen capturing. The PC side is exposed too. There are four attacks there. Unfortunately, we can't get a screen capture. The first of them dealt with the previous version of BlackBerry Device Manager (versions 4-5), developed in C++. It divides into two builds (Windows Seven and Windows XP). The second referred to BlackBerry Desktop Manager (version 6), developed mainly in .NET. The third expanded the previous one to the case of getting the password that is typed before a backup starts. The fourth dealt with silent connecting if you've got a device password, to wipe the device for example.

Figure 4. Screen-capture of browser #1
Figure 6. Screen-capture of device-unlocking
Figure 7. Screen-capture of device-unlocking while PC-syncing
Figure 9. Attacking BlackBerry Device Manager
Recalling what we know about system messages and system objects tells us that an edit box is a simple field for typing characters, ~32k in length, with a PasswordChar property. Its default value is #0, or NULL, or \0. Other masking characters could be a black circle, an asterisk or anything else; 0x25CF is the Unicode character for the black circle. Every system object, like a modal window or textbox, responds to API subroutines such as SendMessage or PostMessage. Both subroutines send the specified message to a window or windows, but if you need to post a message in the message queue associated with a thread you should use the PostMessage function. The parameter syntax is the same. The first parameter (type HWND) is a handle to the window whose window procedure will receive the message. The second parameter (type UINT) is the message to be sent. The other two parameters (types WPARAM and LPARAM) carry additional message-specific information. It's easy to guess that we need the WM_GETTEXT (0x000D) message, because it copies the text that corresponds to a window into a buffer provided by the caller. However, if the edit box is masked you can't copy the text, because you get a NULL pointer. Well then, unmask, copy and mask again. In 2003 the MS Windows PostMessage API Unmasked Password Weakness was found. It was declared to affect MS Windows 2000 and XP and could effectively allow unmasked passwords to be copied into a user's clipboard or other buffer. The EM_SETPASSWORDCHAR message (type UINT) sets the password mask character in password edit box controls. PostMessage may be abused in combination with EM_SETPASSWORDCHAR messages to cause an unmasked password to be placed into a buffer which could potentially be accessed through other means by an unauthorized process. The unmasked password can be copied while this is occurring. If we try to use this code in Vista or Windows 7 we get nothing, because there it is more correct to set a system hook in the owner's address space via loading a DLL catcher. But at this rate you should know the OS version, right? Roughly, we need the so-called Major Version to distinguish XP and Seven. Most of this repeats the previous parts when you deal with BlackBerry Desktop Manager. You can filter by application name, etc., to gain access to the typed password. Three HwndWrapper class-name texts were presented in my article to catch the backup password, as a kind of extended filter (Figures 9 and 10).

Figure 8. Screen of BlackBerry Wallet
Figure 10. Attacking BlackBerry Desktop Software

Listing 1. FaceBook Additional Info
Friendly name: Facebook
Description: Facebook® for BlackBerry® smartphones makes it even easier to connect and share while you're on the go...
Version: 2.0.0.37
Vendor: Research In Motion Limited
Copyright: (null)

Listing 2. Placing a call from a BlackBerry application
PhoneArguments phoneArgs = new PhoneArguments(PhoneArguments.ARG_CALL, premium_number);
Invoke.invokeApplication(Invoke.APP_TYPE_PHONE, phoneArgs);

Most of these attacks filled a forensics article (To Get Round To The Heart Of Fortress, Hakin9 Extra, August 2011). That article uncovered a problem with anti-forensic methods, especially when we talk about live forensics. As an example, we can extract device information, hardware ID, PIN, OS version, and details of applications like Facebook (Listing 1). Using live methods we are able to extract the Address Book, Calendar Events, Call History, Browser history and bookmarks, Memos and Tasks, screenshots, camera shots, video camera shots, Clipboard, Location tracking (cell, Wi-Fi, GPS, Bluetooth), SMS/MMS/Emails, Pictures, Videos, Voice notes and other files, IMs, etc. BlackBerry EXIF picture information tells you the filename, camera details (e.g. RIM BlackBerry Torch as the name), DateTime, Resolution or GPS. Also, you can find saved IM history (even BBM) on internal storage or SD storage.
All files holding IM history have a simple CSV format: Date/Time, ID Sender, ID Receiver, and Data. At the security conference InfoSecurity Russia 2011, several APIs were mentioned that protect against forensic analysis of emails and PIN messages. They reconstruct a PIN or email message with any property flag, such as received, rejected, read, delivered, and so on. The idea consists in simulating a lot of messages to water down the meaning of the proof thread. To imagine how many types of information your device owns, just look above. And that's only personal data. There are many trojans that steal money by calling Antarctica or the Dominican Republic. If every call costs at least $3 per minute, then one compromised device can lead to $10k per month. Don't forget that developing is easy and needs to be compact. Look at Listing 2: premium_number is a string and PhoneArguments may be used by default. However, BlackBerry Enterprise Solution has several powerful rules to manage emails, phone numbers or SMS/MMS. An administrator can add rules like +7r to disallow incoming or outgoing calls (or both types) to the Russian Federation. The same goes for emails, in addition to spam filtering. The idea was to highlight the failure of group policy as I have discussed it. Some of these failures are obvious if you're an Android user: when users try to download any application or game, a permission request asks them to allow it to install. BlackBerry is quite the contrary: if you grant an application SMS or email permission, you activate every possible action in relation to messages, like deleting, creating, reading, intercepting and so on, whereas Amazon AWS (the cloud) has a feature to control, in custom policy mode, any possible API declared as a developer API.

YURY CHEMERKIN
Graduated from Russian State University for the Humanities (http://rggu.com/) in 2010. At present a postgraduate at RSUH. Information Security Researcher since 2009 and currently works as a mobile and social infosecurity researcher in Moscow. Experienced in Reverse Engineering, Software Programming, Cyber & Mobile Security Research, Documentation and Security Writing as a regular contributor. Now researching Cloud Security and Social Privacy.
E-mail: [email protected]
Facebook: www.facebook.com/yury.chemerkin
LinkedIn: www.linkedin.com/in/yurychemerkin
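The prefix-based call-restriction rules mentioned in the article (the "+7r" style rule) are the administrative control that stands between the dialer in Listing 2 and the premium-rate bill. The following Python block is an added example and not BES code: it models such rules with its own (prefix, direction, action) representation where the longest matching prefix wins, it does not reproduce the real BES rule syntax, and the sample policy and the +999 "premium" prefix are constructed for illustration.

```python
"""Prefix-based call restriction policy (added example; not BlackBerry/BES code).

Each rule is (prefix, direction, action): an E.164 prefix, "in"/"out"/"both",
and "deny"/"allow". The most specific (longest) matching prefix wins, so an
explicit allow for one number can punch through a blocked country prefix.
With no matching rule the call is allowed, which is the weak default a
dialer trojan relies on.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRule:
    prefix: str      # E.164 prefix, e.g. "+7" for the Russian Federation
    direction: str   # "in", "out" or "both"
    action: str      # "deny" or "allow"


def normalize(number: str) -> str:
    """Keep only a leading '+' and digits so '+7 (495) 123-45-67' matches '+7'."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "+" + digits if number.strip().startswith("+") else digits


def evaluate(rules, number: str, direction: str) -> str:
    """Return 'allow' or 'deny' for a call in the given direction.

    Among applicable rules the longest prefix wins; an exact-length tie
    resolves to 'deny'. No applicable rule means 'allow'.
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    target = normalize(number)
    best = None
    for rule in rules:
        if rule.direction not in ("both", direction):
            continue
        if not target.startswith(normalize(rule.prefix)):
            continue
        if best is None or len(rule.prefix) > len(best.prefix):
            best = rule
        elif len(rule.prefix) == len(best.prefix) and rule.action == "deny":
            best = rule
    return best.action if best else "allow"


# Constructed sample policy: block outgoing calls to +7 and all calls to the
# constructed premium prefix +999, but allow one whitelisted +7 support number.
SAMPLE_RULES = [
    CallRule("+7", "out", "deny"),
    CallRule("+999", "both", "deny"),
    CallRule("+74951234567", "out", "allow"),
]


def audit(rules, attempts):
    """Evaluate a list of (number, direction) call attempts, e.g. from a call
    log, and return those the policy would have denied."""
    return [(n, d) for n, d in attempts if evaluate(rules, n, d) == "deny"]


if __name__ == "__main__":
    attempts = [("+999 12345", "out"), ("+7 495 123 45 67", "out"),
                ("+7 (812) 555-00-11", "out"), ("+1 555 0100", "in")]
    for number, direction in attempts:
        print(direction, number, "->", evaluate(SAMPLE_RULES, number, direction))
    print("denied:", audit(SAMPLE_RULES, attempts))
```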