Thursday, August 04, 2011

Forensic Challenge 9 - "Mobile Malware"

We did it again: this time we published a new challenge on mobile malware. This was a really awesome challenge for us to work on, since we were working with different chapters. This time, Azizan and I teamed up with Franck Guenichot from the French Chapter and Matt Erasmus from the South Africa Chapter.

Enjoy the challenge! :)

Here is the description of the challenge posted by the Honeynet Project:

Forensic Challenge 9 - "Mobile Malware"

Challenge 9 - Mobile Malware (provided by Franck Guenichot from the French Chapter, Mahmud Ab Rahman and Ahmad Azizan Idris from the Malaysia Chapter and Matt Erasmus from the South Africa Chapter)
Please submit your solution using the submission template below by September 30th 2011 at
Results will be announced mid October. For any questions and inquiries, please contact
Skill Level: Intermediate
With the number of smartphone users growing exponentially (of the 1.6 billion mobile device units sold in 2010, 19% were smartphones), mobile devices are becoming an attractive platform for cybercriminals. As a security researcher or enthusiast, you need to know your enemy and be able to defend yourself against these new kinds of threats.
This challenge offers the exploration of a real smartphone, based on a popular OS, after a security incident.
You will have to analyze the image of a portion of the file system, extract everything that looks suspicious, analyze the threat and finally submit your forensic analysis. From file system recovery to malware reverse engineering and PCAP analysis, this challenge will take you into the world of mobile malware.
1. Write an executive summary of this incident (3 pts)
2. Provide the phone brand, model, OS name and version (1 pt)
3. Extract any suspicious application (if any). Detail your extraction method. Please provide the name and SHA1 for each suspicious app. (4 pts)
4. What permissions are requested by the malware(s)? Why is it suspicious? (1 pt)
5. Please provide a solution to quickly identify any suspicious API (please define "suspicious API" according to your understanding) (8 pts)
6. What is the malware's home server URL and where is it located? Where in the code is/are the command server URL(s) stored? (4 pts)
7. What can you say about the communications model between the malware and its C&C server? (2 pts)
8. If encryption was used for the communication, which encryption algorithm was used? What was the key used? Explain how you found it. (4 pts)
9. Please draw a graph of the decrypted communication flow, found in the pcap, between the malware and the C&C (4 pts)
10. What personal information was leaked during this incident? A special *secret* piece of information was leaked; explain how and what it was. (2 pts)
11. What particular techniques are used by the malware to harden analysis or to evade detection? What unusual behavior can be noticed? (6 pts)
12. Provide a detailed analysis of the malware's behavior and features. (10 pts)
13. Please provide a method to block (or request permission from Android, similar to the UAC concept) when any suspicious call is received from Android (8 pts)
SHA1: dbc378ce1807a4a2459f882b13b4224d0db8fbc7
The archive contains 2 files:
- data.bin: corrupted /data partition image of the phone
- traffic.pcap: traffic capture of the malware communications.
This work by Franck Guenichot, Mahmud Ab Rahman, Ahmad Azizan Idris and Matt Erasmus is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
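For question 3, one way to pull intact applications out of a raw /data image without trusting the (possibly corrupted) filesystem metadata is to carve them: an APK is a ZIP archive, so each one begins with a local file header signature and ends with an end-of-central-directory record that states where its central directory lies. The script below is an added example, not part of the challenge or the Honeynet Project's material. It scans an image for those signatures, keeps only candidates whose central-directory offset agrees with the signature positions (which rejects inner entry headers and stray signatures inside compressed data), opens each candidate to confirm it contains AndroidManifest.xml and classes.dex with valid CRCs, and records its SHA1. The image it runs on is constructed inline from two fake APKs and a plain ZIP surrounded by filler bytes; it is not the challenge's data.bin.

```python
"""Carve APK files (ZIP archives) out of a raw partition image and hash them.

Added example; the sample image is constructed in build_sample_image(), not the
challenge's data.bin. ZIP64 archives and truncated archives (no central
directory left) are not handled.
"""
import hashlib
import io
import struct
import zipfile
import zlib

LOCAL_HEADER_SIG = b"PK\x03\x04"          # first bytes of every ZIP/APK
EOCD_SIG = b"PK\x05\x06"                  # end-of-central-directory record
EOCD = struct.Struct("<4sHHHHIIH")        # fixed 22-byte part of that record
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def archive_end(image, start, eocd_pos):
    """End offset of an archive beginning at `start` whose EOCD sits at `eocd_pos`,
    or None if that EOCD record does not describe an archive beginning at `start`."""
    if eocd_pos + EOCD.size > len(image):
        return None
    _, _, _, _, _, size_cd, offset_cd, comment_len = EOCD.unpack_from(image, eocd_pos)
    # In an intact archive the central directory ends exactly where the EOCD starts.
    # A local header of an inner entry, or a chance "PK\x05\x06" inside compressed
    # data, fails this arithmetic and is skipped.
    if start + offset_cd + size_cd != eocd_pos:
        return None
    return eocd_pos + EOCD.size + comment_len


def carve_apks(image):
    """Return [(offset, sha1_hex, entry_names), ...] for every intact APK in `image`."""
    found = []
    pos = image.find(LOCAL_HEADER_SIG)
    while pos != -1:
        end, eocd = None, image.find(EOCD_SIG, pos)
        while eocd != -1 and end is None:
            end = archive_end(image, pos, eocd)
            eocd = image.find(EOCD_SIG, eocd + 1)
        if end is not None:
            blob = image[pos:end]
            try:
                with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                    names = set(zf.namelist())
                    intact = zf.testzip() is None      # CRC check of every entry
            except (zipfile.BadZipFile, zlib.error, RuntimeError, NotImplementedError):
                names, intact = set(), False
            if intact and APK_MARKERS <= names:
                found.append((pos, hashlib.sha1(blob).hexdigest(), sorted(names)))
                pos = image.find(LOCAL_HEADER_SIG, end)  # skip this archive's inner headers
                continue
        pos = image.find(LOCAL_HEADER_SIG, pos + 1)
    return found


def make_zip(entries):
    """Build an in-memory ZIP from a {name: bytes} mapping (used only for the sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_image():
    """Constructed image: two fake APKs and one non-APK ZIP between runs of filler bytes.
    Returns the image and the set of SHA1 digests a correct carve should report."""
    apk_a = make_zip({"AndroidManifest.xml": b"<manifest package='a.example'/>",
                      "classes.dex": b"dex\n035\0" + b"\x00" * 64,
                      "res/icon.png": b"\x89PNG\r\n\x1a\n"})
    apk_b = make_zip({"AndroidManifest.xml": b"<manifest package='b.example'/>",
                      "classes.dex": b"dex\n035\0" + b"\x01" * 64})
    plain_zip = make_zip({"notes.txt": b"not an application"})
    filler = b"\xff" * 512
    image = filler + apk_a + filler + plain_zip + filler + apk_b + filler[:100]
    expected = {hashlib.sha1(apk_a).hexdigest(), hashlib.sha1(apk_b).hexdigest()}
    return image, expected


if __name__ == "__main__":
    image, _ = build_sample_image()
    for offset, digest, names in carve_apks(image):
        print(f"APK at offset {offset:#x}  sha1={digest}  entries={names}")
```

On a real image, read data.bin into `image` (or memory-map it) and call `carve_apks`; the SHA1 reported is the hash of the carved bytes, which is what the challenge asks for per application. Archives whose central directory was overwritten will not be recovered by this check and need their local file headers walked entry by entry instead.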

Saturday, June 18, 2011

Sneaky PDF will be featured at DEFCON 19

\0/ My paper on Sneaky PDF has been accepted for DEFCON 19. I'll present how in-the-wild malicious PDFs implement obfuscation to avoid detection and make analysis harder. Here is my full abstract:

Sneaky PDF

Being the most prevalent document exchange format on the Internet, Portable Document Format (PDF) is in danger of becoming the main target for client-side attacks. With an estimated 1.5 million or more lines of code and loaded with a huge amount of functionality, this powerful document format suffers from several high-impact vulnerabilities, allowing attackers to exploit it and use it as a malware-spreading vector.

Until now, thousands of malicious PDF files have spread with little chance of being detected.

The challenge is the obfuscation techniques used by attackers to hide their malicious activities and thereby minimize the detection rate. To sustain the survival of malicious PDF files on the Internet, attackers circumvent the analysis process through diverse obfuscation techniques. The obfuscation methods used usually range over PDF syntax obfuscation, the PDF filtering mechanism, JavaScript obfuscation, and combinations of these. Because of rapid changes in obfuscation methods, most antivirus software and security tools fail to detect malicious content inside PDF files, increasing the number of victims of malicious PDF mischief.

In this paper, we study the obfuscation techniques used in in-the-wild malicious PDFs, how they could be made stealthier, and how we can improve the analysis of malicious PDFs.
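As an added illustration of the first two obfuscation layers named in the abstract (PDF syntax obfuscation and the filter mechanism), and not code from the paper: a name such as /JavaScript can be written with hex escapes (/#4A#61#76#61#53#63#72#69#70#74), and the script body can sit in a stream behind a chain of standard filters, so a tool that greps the raw file for "/JavaScript" or "app.alert" sees nothing. The script below builds a small PDF fragment with both tricks (constructed inline; it is not an in-the-wild sample), then undoes them: it rewrites hex-escaped names to their plain spelling and applies each stream's declared filter chain before looking for a JavaScript action. It is a minimal normaliser rather than a PDF parser: it only handles flat dictionaries and the two filters it knows about.

```python
"""Undo hex-escaped names and filter chains in a PDF fragment to expose JavaScript.

Added example with a constructed sample (SAMPLE_PDF); handles only flat
dictionaries and the ASCIIHexDecode / FlateDecode filters.
"""
import binascii
import re
import zlib

NAME_TOKEN = re.compile(rb"/([^\s/\[\]<>(){}%]+)")           # a PDF name object
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")               # #XX escape inside a name
STREAM = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
FILTER_KEY = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")      # single filter or array


def normalise_names(pdf):
    """Rewrite every /#4A#53-style name to its plain spelling (/JS)."""
    def unescape(m):
        return b"/" + HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
    return NAME_TOKEN.sub(unescape, pdf)


def ascii_hex_decode(data):
    """ASCIIHexDecode: hex digits up to '>', whitespace ignored, odd final digit padded with 0."""
    digits = re.sub(rb"[^0-9A-Fa-f]", b"", data.split(b">", 1)[0])
    if len(digits) % 2:
        digits += b"0"
    return binascii.unhexlify(digits)


FILTERS = {b"ASCIIHexDecode": ascii_hex_decode, b"FlateDecode": zlib.decompress}


def decode_stream(stream_dict, raw):
    """Apply the stream's /Filter chain in the declared order."""
    m = FILTER_KEY.search(stream_dict)
    names = re.findall(rb"/(\w+)", m.group(1)) if m else []
    for name in names:
        if name not in FILTERS:
            raise ValueError(f"unsupported filter {name!r}")
        raw = FILTERS[name](raw)
    return raw


def find_javascript(pdf):
    """Return (dictionaries that reference /JavaScript, decoded stream bodies)."""
    plain = normalise_names(pdf)
    actions = [m.group(0) for m in re.finditer(rb"<<[^<>]*/JavaScript[^<>]*>>", plain)]
    scripts = [decode_stream(m.group(1), m.group(2)) for m in STREAM.finditer(plain)]
    return actions, scripts


def build_sample():
    """Constructed fragment: hex-escaped action keys plus an ASCIIHex+Flate encoded script."""
    script = b"app.alert('constructed sample payload');"
    body = binascii.hexlify(zlib.compress(script)) + b">"   # Flate first, then ASCIIHex
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Action /S /#4A#61#76#61#53#63#72#69#70#74 /#4A#53 2 0 R >> endobj\n"
            b"2 0 obj << /Length " + str(len(body)).encode() +
            b" /Filter [ /ASCIIHexDecode /FlateDecode ] >>\nstream\n" + body +
            b"\nendstream\nendobj\n")


SAMPLE_PDF = build_sample()

if __name__ == "__main__":
    actions, scripts = find_javascript(SAMPLE_PDF)
    print("raw file mentions /JavaScript:", b"/JavaScript" in SAMPLE_PDF)
    for a in actions:
        print("action:", a.decode())
    for s in scripts:
        print("script:", s.decode())
```

Because `normalise_names` runs over the whole byte string, binary stream bodies containing a slash could be altered; on a real file, apply it to object dictionaries and decode stream bodies separately. Nested dictionaries, object streams and the remaining standard filters (LZW, RunLength, ASCII85, DCT) are the usual next layers an analyst has to add.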

I'm looking forward to meeting old and new faces! It will be my first time at DEFCON. :)

Sunday, March 27, 2011

Reversing Android Malware And Honeynet Project Workshop

I was honored that the Honeynet Project folks allowed me to present on a new topic, "Reverse Engineering Android Malware", at the Honeynet Project Security Workshop in Paris, France last week. The first part of my presentation covered an introduction to APKs, Dalvik and the processes involved in Android app development through to packaging, in detail.

For the second part of the presentation, I focused on methods and tools for reversing Android malware or apps. When reverse engineering an Android app (or malware), the ideal goal is to get decompiled code in Java (normally), but unfortunately decompiling is hard! :) So an understanding of disassembled Dalvik code is a good skill to have when doing reverse engineering on the Android platform.

The third part of the presentation is a few case studies on various Android malware. The malware samples are SMS.Trojan, Geinimi, ADDR and DreamDroid. These are quite interesting samples. I sorted the case study samples from simple to intermediate complexity. On Geinimi and DreamDroid, I demoed how we can reverse engineer the cryptography implemented within the malware samples.

The Honeynet Project has already released my presentation slides. You can get them from here


The video of my presentation has been published.

#The First Part of the Presentation

#The Second Part of The Presentation