
The following is a guest post submitted by email. This is the third part in a series of articles on the author's view of hacking. If you are interested in writing for CyberCROW, click here. Otherwise, enjoy.

Saturday, November 6, 2010

Basics of Viruses


One of the main differences in the technology used in viruses for
mobile devices and personal computers is that, although there are
numerous mobile virus families, very few mobile viruses are truly
original. This is similar to computer viruses in the late 1980s. Back
then, there were hundreds of viruses derived from the source code of
“base” malicious code. A multitude of malicious programs were based on
just three viruses: Vienna, Stoned and Jerusalem.
In terms of mobile malware, I would identify the following programs as
the “forebears” of other mobile viruses:

  • Cabir
  • Comwar
  • Skuller.gen

Cabir served as the basis for a number of its own variants, which
differ only in terms of the file names and the contents of the sis
installation files. Cabir was also used as the basis for such seemingly
dissimilar families as StealWar, Lasco and Pbstealer.

Lasco


Lasco was the first of these “new” families to appear. In addition
to worm functionality, programs from this family are capable of
infecting files in the phone memory. Lasco’s evolution is a good
example of what happens when virus source code is made publicly
available. A Brazilian by the name of Marcos Velasco, who calls himself a
mobile virus expert, got hold of the source code for Cabir and began
writing viruses. During the last week of 2004 he sent several variants
of Cabir that he had written to antivirus companies. Some of them were
completely non-operational and all were categorized as Cabir variants.
This did not please the author; in an attempt to become famous he
created a variant of the worm that was also capable of infecting sis
files. This is how the Lasco worm came to be in antivirus databases.

Luckily, the idea of infecting files was not further developed by
virus writers, even though Velasco published the source code of his
creation on his website.
It is still not quite clear whether Cabir was actually used as a source
for Lasco. According to Marcos Velasco, he wrote all the code
independently, but the number of files, their names and operating
principles are very similar to Cabir. It’s possible to compare the main
functions in both worms and draw your own conclusions.

The function that sends the worm via Bluetooth (Cabir):

if(WithAddress)
{
        WithAddress = 0;
        Cancel();
        // Take the Bluetooth address of the device found during inquiry
        TBTSockAddr btaddr(entry().iAddr);
        TBTDevAddr devAddr;
        devAddr = btaddr.BTAddr();
        // OBEX over RFCOMM, channel 9, addressed to that device
        TObexBluetoothProtocolInfo obexBTProtoInfo;
        obexBTProtoInfo.iTransport.Copy(_L("RFCOMM"));
        obexBTProtoInfo.iAddr.SetBTAddr(devAddr);
        obexBTProtoInfo.iAddr.SetPort(0x00000009);
        obexClient = CObexClient::NewL(obexBTProtoInfo);
        if(obexClient)
        {
                iState = 1;
                iStatus = KRequestPending;
                Cancel();
                // Asynchronous connect; the active object is re-run on completion
                obexClient->Connect(iStatus);
                SetActive();
        }
}
else
{
        iState = 3;
        User::After(1000000);
}
return 0;

The function that sends the worm via Bluetooth (Lasco):

if ( FoundCell )
{
        FoundCell = _NOT;
        Cancel();
        // Same steps as Cabir: device address, then OBEX over RFCOMM channel 9
        TBTSockAddr addr( entry().iAddr );
        TBTDevAddr btAddress;
        btAddress = addr.BTAddr();
        TObexBluetoothProtocolInfo obexProtocolInfo;
        obexProtocolInfo.iTransport.Copy( _L( "RFCOMM" ) );
        obexProtocolInfo.iAddr.SetBTAddr( btAddress );
        obexProtocolInfo.iAddr.SetPort( 9 );
        if ( ( iClient = CObexClient::NewL( obexProtocolInfo ) ) )
        {
                iStatus = KRequestPending;
                // Cabir's iState counter is replaced by a Bluetooth status flag
                BluetoothStatus = _BLUETOOTH_NOT_CONNECTED;
                Cancel();
                iClient->Connect( iStatus );
                SetActive();
        }
}
else
{
        BluetoothStatus = _BLUETOOTH_CONNECTED;
}
}   // end of the enclosing routine
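The comparison the author invites can be made mechanically. The Python below is an added example, not code from the article or from either worm: it tokenizes the two quoted routines (embedded here as constructed strings, re-wrapped onto fewer lines), reduces each to a structural skeleton with names and literals stripped, and lists the functions each one calls in order. It assumes Symbian's convention that functions are UpperCamelCase, so lowercase names such as the btaddr(...) and addr(...) constructors are left out of the call list.

```python
import re
from difflib import SequenceMatcher
# Constructed input: the two Bluetooth send routines quoted in the article,
# re-wrapped onto fewer lines (C++ is free-form, so the token stream is unchanged).
CABIR = """if(WithAddress) { WithAddress = 0; Cancel();
  TBTSockAddr btaddr(entry().iAddr); TBTDevAddr devAddr; devAddr = btaddr.BTAddr();
  TObexBluetoothProtocolInfo obexBTProtoInfo;
  obexBTProtoInfo.iTransport.Copy(_L("RFCOMM"));
  obexBTProtoInfo.iAddr.SetBTAddr(devAddr); obexBTProtoInfo.iAddr.SetPort(0x00000009);
  obexClient = CObexClient::NewL(obexBTProtoInfo);
  if(obexClient) { iState = 1; iStatus = KRequestPending; Cancel();
    obexClient->Connect(iStatus); SetActive(); }
} else { iState = 3; User::After(1000000); }
return 0;"""
LASCO = """if ( FoundCell ) { FoundCell = _NOT; Cancel();
  TBTSockAddr addr( entry().iAddr ); TBTDevAddr btAddress; btAddress = addr.BTAddr();
  TObexBluetoothProtocolInfo obexProtocolInfo;
  obexProtocolInfo.iTransport.Copy( _L( "RFCOMM" ) );
  obexProtocolInfo.iAddr.SetBTAddr( btAddress ); obexProtocolInfo.iAddr.SetPort( 9 );
  if ( ( iClient = CObexClient::NewL( obexProtocolInfo ) ) ) {
    iStatus = KRequestPending; BluetoothStatus = _BLUETOOTH_NOT_CONNECTED; Cancel();
    iClient->Connect( iStatus ); SetActive(); }
} else { BluetoothStatus = _BLUETOOTH_CONNECTED; }
}"""

IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
TOKEN = re.compile(r'->|::|"[^"]*"|0[xX][0-9A-Fa-f]+|\d+|' + IDENT + r"|\S")
KEYWORDS = {"if", "else", "return"}

def tokens(src):
    return TOKEN.findall(src)

def skeleton(toks):
    """Structure only: identifiers -> ID, numbers -> NUM, strings -> STR."""
    return ["STR" if t[0] == '"' else "NUM" if t[0].isdigit()
            else "ID" if t not in KEYWORDS and re.fullmatch(IDENT, t) else t
            for t in toks]

def call_sequence(src):
    """Functions called, in order: an identifier directly followed by '('.
    Symbian functions are UpperCamelCase (_L is a macro), so lowercase names are skipped."""
    toks = tokens(src)
    return [a for a, b in zip(toks, toks[1:])
            if b == "(" and re.fullmatch(IDENT, a) and not a[0].islower()]

def similarity(a, b, structural=True):
    """difflib ratio (0..1) over the token lists, raw or skeletonised."""
    ta, tb = tokens(a), tokens(b)
    if structural:
        ta, tb = skeleton(ta), skeleton(tb)
    return SequenceMatcher(None, ta, tb, autojunk=False).ratio()
```

With the names stripped the two routines are close to identical, and Lasco's call sequence is Cabir's minus the final User::After() delay; renamed variables account for most of the raw-token difference.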

Pbstealer


The first Trojan spy for Symbian, Pbstealer, is another Cabir
“offspring”. It was created in Asia, probably in China, and was found
on a hacked Korean website devoted to Legend of Mir, an online game.
This method of distribution and the fact that the Trojan was written
with criminal intent demonstrates how the “good intentions” of Cabir’s
author paved the way for the development of further malware.

The function that enabled the Trojan to send files via Bluetooth came
from Cabir. However, authors of the Trojan made one important
modification to the original code. The Trojan searches for the phone’s
address book and sends data contained in it via Bluetooth to the first
device found. Hence the name Pbstealer, which stands for “Phonebook
Stealer”. Until then cybercriminals used various vulnerabilities in the
Bluetooth protocol to steal such information, e.g., BlueSnarf. This
Trojan, however, greatly extended the possibilities available.

And, of course, Cabir became the carrier of choice for a variety of
other Trojans. More than half of all Skuller, Appdisabler, Locknut,
Cardtrap and other “vandal” Trojan variants contain Cabir, which has
been modified to spread not only itself, but the whole Trojan package.
This sort of hybridization has led to significant difficulties in
categorizing many malicious programs. We will discuss this in greater
detail below.

Comwar


A second landmark in the development of mobile malware was Comwar,
the first worm to spread via MMS. Like Cabir, it can spread via
Bluetooth, but MMS is the principal method used, making this worm
potentially extremely dangerous.
Bluetooth operates within a distance of 10 to 15 meters and other
devices can be infected only if they are within this range. MMS has no
boundaries and can be instantly sent even to handsets in other
countries.

The author of Cabir initially considered this idea, but chose
Bluetooth for quite obvious (from the viewpoint of 29A ideology)
reasons:

«mms: It's easy to route over the agent searching
phone numbers and sending them a mms message with the worm attached, but
we have two problems:
  • We don't know what type of phone are we sending the mms. We don't know
    if that phone is able to receive mms message or if it could execute the
    worm.

  • We are spending the money of the phone.»

The second reason is telling: it means that the author of Cabir did
not wish to do financial harm to users. The author of Comwar, on the
other hand, had no qualms about this whatsoever.

Although the technology that makes it possible to send malware via
MMS is the most attractive to the authors of mobile malware, so far
we’ve only seen the usual transformations performed on the original
worm, with baby hackers changing file names and texts in the original
files without making any changes to Comwar’s functionality. This is due
to the fact that the source code for Comwar has not been published and
the script kiddies don’t know the procedure used to send infected MMS
messages.

Currently, we know of 7 modifications of this worm. Four of them include an “author’s signature”.

Comwar.a:


CommWarrior v1.0b (c) 2005 by e10d0r

CommWarrior is freeware product. You may freely distribute it in it's original unmodified form.

Comwar.b:


CommWarrior v1.0 (c) 2005 by e10d0r

CommWarrior is freeware product. You may freely distribute it in it's original unmodified form.

Comwar.c:


CommWarrior Outcast: The dark side of Symbian Force.

CommWarrior v2.0-PRO. Copyright (c) 2005 by e10d0r

CommWarrior is freeware product. You may freely distribute it in it's original unmodified form.

With best regards from Russia.

Comwar.d:


Does not contain any distinguishing texts. MMS texts replaced with Spanish texts.

Comwar.e:


WarriorLand v1.0A (c) 2006 by Leslie

Also contains texts in Spanish.

Comwar.f:


Does not contain any distinguishing texts. MMS texts replaced with Spanish texts.

Comwar.g:


CommWarrior Outcast: The Dark Masters of Symbian.

The Dark Side has more power!

CommWarrior v3.0 Copyright (c) 2005-2006 by e10d0r

CommWarrior is freeware product. You may freely distribute it in it's original unmodified form.

In addition to the above, variant .g was the first variant to include
file infector functionality. The worm looks for other sis files in the
phone’s memory and appends its code to these files. This provides one
more propagation method in addition to the traditional MMS and
Bluetooth.

It should be noted that so far Comwar has not spawned a multitude of
other families. As mentioned above, the reason for this is that its
source code has not been published. Just like Cabir, it is used as a
carrier for other Trojan programs. Apparently, the only program using
Comwar that can lay claim to having started a new family is StealWar.
This is a worm that combines Cabir, Comwar and the Trojan Pbstealer.
This type of combination is highly dangerous and capable of spreading
widely.

However, it’s inevitable that propagation via MMS will eventually
become the most common method of propagation for mobile malware. This is
all the more likely because there is already a serious known MMS
handling vulnerability in Windows Mobile 2003, which leads to a buffer
overflow and the execution of arbitrary code. The vulnerability was
reported by Collin Mulliner in August 2006 at the DefCon conference.



Demonstration of the MMS vulnerability(Collin Mulliner, Advanced Attacks Against PocketPC Phones).

Detailed information about the vulnerability will not be available to
the general public until Microsoft releases the relevant update.
However, the absence of information doesn’t make the vulnerability any
less dangerous. If somebody creates a worm that launches itself
automatically, without the user’s participation when it gets into a
smartphone memory, this could cause a global outbreak.

Comwar also contributed to the evolution of mobile malware with a
technology implemented in variant .c; this technology could be seen as
rootkit technology. The worm conceals itself in the list of processes
and is not visible in the standard list of applications currently
running. Comwar is able to do this because its process is designated as
“system”. Although the process can easily be discovered using other
programs for viewing running processes, this masking method is
nevertheless now being used in some other malicious programs for
Symbian.

Skuller


As mentioned above, Skuller is the most numerous family of mobile
Trojans: by September 1st, 2006 we had seen 31 variants. This is not
surprising, as these programs are the most primitive malicious programs
for Symbian. Any person who can use a utility for creating sis files
will be able to create a Trojan of this kind. The rest of the work is
done by the vulnerabilities present in Symbian: it is possible to
overwrite any files, including system files, and the system becomes very
unstable when it comes across unexpected files (i.e. files that are
damaged or not standard format for the relevant version of the system).

Most Skuller variants are based on two files, which we classify as
Skuller.gen, and it’s these files that distinguish Skuller from other
families with similar functionality (e.g., Doombot or Skudoo):

  • a file with the same name as the application it
    replaces and the extension “aif”. Its size is 1601 bytes. This is an
    icon file containing the skull icon. The file also contains the
    following text string: “↑Skulls↑Skulls”;
  • a file that has the same name as the application it
    replaces and the extension “app”. Its size is 4796 bytes. This is an
    EPOC application, a “dummy” file.
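The two Skuller.gen files are concrete enough to scan for. The Python below is an added example, not part of the article or of any antivirus product: it walks a directory (an unpacked sis archive or a copy of the phone's file system) and reports each same-directory .aif/.app pair with the same stem that matches the sizes and marker string given above. It assumes the pair sits in one directory and checks for the “Skulls” marker in both ASCII and UTF-16LE, since the article does not say how the string is encoded.

```python
import tempfile
from pathlib import Path

# Skuller.gen traits as the article describes them. The "Skulls" marker is
# looked for as ASCII and as UTF-16LE (Symbian descriptors are UTF-16); which
# encoding the real files used is an assumption, not something the article states.
AIF_SIZE, APP_SIZE = 1601, 4796
MARKERS = ("Skulls".encode("ascii"), "Skulls".encode("utf-16-le"))

def scan(root) -> list:
    """One finding per same-stem .aif/.app pair that shows Skuller.gen traits:
    'strong' = marker present and both sizes match, 'weak' = only one of the two."""
    pairs = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in (".aif", ".app"):
            pairs.setdefault((str(p.parent), p.stem.lower()), {})[p.suffix.lower()] = p
    findings = []
    for (folder, stem), files in sorted(pairs.items()):
        aif, app = files.get(".aif"), files.get(".app")
        if aif is None or app is None:
            continue                      # Skuller.gen always drops both files
        sizes_match = aif.stat().st_size == AIF_SIZE and app.stat().st_size == APP_SIZE
        data = aif.read_bytes()
        marker = any(m in data for m in MARKERS)
        if marker and sizes_match:
            level = "strong"
        elif marker or sizes_match:
            level = "weak"
        else:
            continue
        findings.append({"app": stem, "dir": folder, "level": level})
    return findings

def make_sample(root: Path) -> None:
    """Constructed test tree (not real malware): one Skuller.gen-like pair,
    one size-only pair, one benign pair and an unpaired .app."""
    (root / "Calc.aif").write_bytes(b"\x18Skulls\x18Skulls".ljust(AIF_SIZE, b"\0"))
    (root / "Calc.app").write_bytes(b"\0" * APP_SIZE)
    (root / "Notes.aif").write_bytes(b"\0" * AIF_SIZE)
    (root / "Notes.app").write_bytes(b"\0" * APP_SIZE)
    (root / "Clock.aif").write_bytes(b"icon" * 200)      # 800 bytes, no marker
    (root / "Clock.app").write_bytes(b"\0" * 5000)
    (root / "Phone.app").write_bytes(b"\0" * APP_SIZE)   # no .aif, so ignored

def demo() -> list:
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(Path(tmp))
        return scan(tmp)
```

A 'weak' hit on sizes alone is worth a manual look because, as the article notes, Doombot and Skudoo reuse the same dummy-file idea with different files.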
