Obad is the Baddest Android Trojan on the Block


There is a new Android Trojan in town, and this is one bad dude. Backdoor.AndroidOS.Obad, or “Obad” as it is known on the street, is the most sophisticated Android Trojan seen to date, rivaling the capabilities of Windows-based malware.

Yesterday a malware analysis expert from Kaspersky Lab released an announcement about a new Trojan that looks as if it were written for Windows rather than for an Android device, earning it the dubious title “The Most Sophisticated Android Trojan”.

Sure, it sends SMS messages to premium-rate numbers like many other Android malware apps, but several new features really set this one apart. According to the report, Obad also has the following capabilities:

  • Downloads and installs other malware programs
  • Propagates malware to other devices via Bluetooth
  • Fully functional remote Command & Control

The ability to download other malware programs has been a staple feature of Windows Trojans for a long time. But being able to use Bluetooth as a springboard to infect other devices is pretty concerning.


Obad’s Command & Control features allow cybercriminals to send commands via SMS messaging, use a remote shell, download remote files, pull application and personal data from the phone, and attack other devices over Bluetooth.

Another unique feature is that Obad can freeze the display for up to 10 seconds to hide what it is doing from the device owner.

Using obfuscated code and several new vulnerabilities, Obad definitely raises the stakes in the mobile malware department. Thankfully it is not very widespread at the moment.

For more information check out the Kaspersky team’s complete analysis.


Basic Malware Analysis: Malicious Data Mining E-Mail Attachment

Malicious E-mail Message

Oh look, an unsolicited incoming Fax Report. Odd it is a fax transmission, but our company doesn’t even have a fax server. But it is on 2013 Recruitment Planning – I better open it!

Corporate networks are being slammed with e-mails like the one above. It looks innocent enough, but if a user did open it, the malicious attachment that anti-virus didn’t detect would scan the victim’s hard drive for data and upload it to a malicious server, all undetected by the unsuspecting user.

I have seen several versions of this same attack in the last week. So let’s take a closer look.

When these attacks first started, only 2 anti-virus engines detected the attachment as a malicious file. AV engines are catching on now and detect it as a generic Trojan. As a matter of fact, if I try to open this message today, I get a message from Microsoft Mail that the attachment is malicious:

Infected with unknown virus

So let’s take a closer look at one of these “Incoming Fax Report” attachments.

*** WARNING: Never open suspected malware on a live, network connected system. In this example I use a sandboxed virtual memory system running with very limited network capabilities. ***

The attachment, once unzipped, shows a PDF icon, but this is no PDF file. The file has an .exe extension, meaning that it is an executable and not a document. So how can we take a closer look at the program to see what it does?

The program Dependency Walker will show us which functions the program imports, which gives us a clue as to what the program actually does. If we run Dependency Walker we can see the .dll files that the program calls and the main functions it uses from each:

Kernel32 Functions

Okay, it may not be very clear from the Kernel32 side, but you can see this program uses functions like CreateFile, DeleteFile, GetCurrentDirectory and GetEnvironmentVariable. It is definitely poking around the file system.

And if you look at the functions under Wininet.dll you see a whole bunch of FTP commands:

Wininet32 Functions

Any guesses on where this is going?

Now that we have a general idea of what it could do, let’s execute it in a controlled environment so we can see what it actually does. We will want to know what registry settings it touches, what network communication it attempts, and as much about the running processes as we can obtain.

For this we will use the following programs:

REGSHOT

Regshot is very easy to use: just download and run it. You then have three options: 1st Shot, 2nd Shot and Compare. Simply select 1st Shot to get a baseline look at your registry. Then run the suspicious program. Next hit 2nd Shot to capture any changes made to your registry.

Regshot

Finally select Compare to get a report of any changes made:

Registry Modifications

PROCESS MONITOR

Process Monitor is a bit more involved. After you run it, you need to turn off capturing (File, then uncheck Capture Events) and clear the display (Edit, then Clear Display). Leave capturing off until you are ready to fire up the malware. Then turn capturing on and execute the malware.

Process Monitor

Let it run for a few minutes, then turn off capturing so you don’t fill your system memory with process captures.

Finally we need to filter for our suspicious file. Select Filter, then Filter again. Choose Process Name from the first drop-down box, leave “is” in the second box, then pick the filename of the file you want to monitor in the third box:

Process Name

Then just click “Add” and “OK”.

You can now view all the process information that is related to the malicious file.

You can further filter the data available for the file in question by using the 5 select boxes on the menu:

Process Monitor filters

With these you can view just registry activity, processes, file system activity, network activity, etc.

If we look at our malicious file with Process Monitor, you will see that the program searches your entire drive for user files, installed programs, security programs and patches, installed FTP programs, file manager programs and even remote storage clients (like Dropbox).

Process Monitor screenshot 1, Process Monitor screenshot 2, Process Monitor screenshot 3
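As an added example (not code from the original post), the following Python script does by hand what the Regshot and Process Monitor steps above do by hand: it compares two registry snapshots into added, deleted and modified entries, flags anything that landed under a Run or RunOnce key, and reads a Process Monitor CSV export with the “Process Name is …” filter applied to tally operations and pick out the paths a data miner would be expected to probe (user documents, FTP clients, cloud storage clients). The CSV column names follow Process Monitor’s Save-as-CSV layout as assumed here; the registry snapshots and the CSV rows are constructed sample data, and `fax_report.exe` is a made-up name for the attachment.

```python
"""Triage the artefacts from the Regshot and Process Monitor steps.
Added example: the registry snapshots and the Process Monitor rows are constructed."""
import csv
import io
import re

# Registry locations commonly written by droppers that want to survive a reboot.
PERSISTENCE_KEYS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)


def diff_registry(before, after):
    """Regshot's Compare step: each snapshot maps 'HIVE\\Key\\Value' -> data."""
    added = {k: v for k, v in after.items() if k not in before}
    deleted = {k: v for k, v in before.items() if k not in after}
    modified = {k: (before[k], after[k]) for k in before
                if k in after and before[k] != after[k]}
    return {"added": added, "deleted": deleted, "modified": modified}


def is_persistence_key(path):
    return any(key.lower() in path.lower() for key in PERSISTENCE_KEYS)


def persistence_hits(diff):
    """Entries that appeared or changed under a Run/RunOnce key."""
    changed = set(diff["added"]) | set(diff["modified"])
    return sorted(k for k in changed if is_persistence_key(k))


# Paths that a data-mining Trojan probes for (the categories the post lists).
INTERESTING_PATHS = {
    "user documents": re.compile(r"\\Users\\[^\\]+\\(Documents|Desktop|Pictures)\\", re.I),
    "ftp client": re.compile(r"ftp|filezilla|winscp", re.I),
    "cloud storage": re.compile(r"dropbox|onedrive|google drive", re.I),
    "security software": re.compile(r"antivirus|defender|mcafee|symantec", re.I),
}


def triage_procmon(csv_text, process_name):
    """Apply the 'Process Name is <file>' filter and summarise what the process did."""
    summary = {"operations": {}, "persistence": [], "network": [], "interesting": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        op, path = row["Operation"], row["Path"]
        summary["operations"][op] = summary["operations"].get(op, 0) + 1
        if op == "RegSetValue" and is_persistence_key(path):
            summary["persistence"].append(path)
        if op.startswith(("TCP", "UDP")):          # Procmon network events
            summary["network"].append(path)
        for label, pattern in INTERESTING_PATHS.items():
            if pattern.search(path):
                summary["interesting"].append((label, op, path, row["Result"]))
    return summary


# Constructed snapshots: the "after" shot gains a Run entry and one changed value.
BEFORE = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"HKCU\Software\Example\LastRun": "1",
}
AFTER = dict(BEFORE)
AFTER[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"] = r"C:\Users\bob\AppData\Roaming\svc.exe"
AFTER[r"HKCU\Software\Example\LastRun"] = "2"

# Constructed Process Monitor export (column layout assumed to match Save-as-CSV).
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","fax_report.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater","SUCCESS","Type: REG_SZ, Data: C:\Users\bob\AppData\Roaming\svc.exe"
"10:01:02.2","fax_report.exe","1234","QueryDirectory","C:\Users\bob\Documents\*","SUCCESS","Filter: *"
"10:01:02.3","fax_report.exe","1234","CreateFile","C:\Program Files\FileZilla FTP Client\filezilla.exe","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.4","fax_report.exe","1234","CreateFile","C:\Users\bob\AppData\Roaming\Dropbox\host.db","SUCCESS","Desired Access: Generic Read"
"10:01:02.5","explorer.exe","800","ReadFile","C:\Windows\explorer.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:01:03.0","fax_report.exe","1234","TCP Connect","host-pc:49200 -> 203.0.113.5:21","SUCCESS","Length: 0"
'''

if __name__ == "__main__":
    diff = diff_registry(BEFORE, AFTER)
    print("registry added:", list(diff["added"]))
    print("persistence:", persistence_hits(diff))
    summary = triage_procmon(PROCMON_CSV, "fax_report.exe")
    for item in summary["interesting"]:
        print("probed:", item)
    print("network:", summary["network"])
```

The `NAME NOT FOUND` result on the FileZilla path is the interesting kind of entry: the program is checking whether an FTP client is installed, which is exactly the reconnaissance the Process Monitor screenshots show.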

WIRESHARK

Finally we want to see what network activity the malware initiates. Simply have Wireshark running before you execute the program.

Wireshark Malware Traffic

As you can see, as soon as the malware was executed, it immediately tries to connect out to a malicious server.

ANALYSIS

If a user is duped into allowing the malicious e-mail attachment to run, a basic analysis of the file shows that it is a data-mining Trojan. It searches your hard drive for all data that could be of interest, then tries to send it out to a malicious server.

Three different samples were obtained. All were similar in that they claimed to be a fax report from an internal fax server; some looked much more believable than others. All three had an executable attachment that was masked to look like a .pdf file.

All three searched the hard drive and registry for pertinent information, and all three connected out to a suspicious server address. The funny thing is that when all three were run through the WHOIS database, all three domains pointed to the same server!

Lastly, the e-mail addresses in all three seemed to be in a somewhat alphabetical order. This seems to point to a botnet-type control system going through a list of e-mail addresses, breaking them down into groups and sending each group one of the malicious e-mails.

CONCLUSION

These types of automated phishing attacks are becoming very common. The best line of defense against them is vigilant users who question unsolicited e-mails, especially ones with attachments. Blocking incoming and outgoing IPs from unneeded locations and applying ingress and egress filtering is paramount in stopping these attacks.

Network Security Monitoring with full packet capture will also help to find what, if any, data was actually compromised if the attack is a success.

This was just a very basic analysis of this malicious attachment. Want to take a closer look at these techniques and learn a whole lot more about malware analysis including advanced techniques? Check out Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig.

Analyzing E-mail .Msg files and Attachments without Outlook

I had a copy of an e-mail containing a virus that I wanted to analyze. The problem was that the Outlook e-mail message was in .msg format. The virtual machine I was using to analyze malware was Windows XP based, and the included Outlook Express would not open the Outlook-saved .msg file. And I did not want to install Outlook on the system.

So is there a way to read the file and recover the attachment without using Outlook?

Of course, like other Office file formats (like .docx) the .msg file is just zipped!

I tried several techniques to open the Outlook .msg file, even downloading an open source program that reads them. I could read the message but could not get to the attachment. And I needed the attachment so I could analyze it for malware. On a whim, I tried unzipping the .msg file, and it worked!

I am not sure why I didn’t try that earlier. I knew that you can unzip .docx files and get a lot of forensic information like who created the file and who modified it (This technique helped catch a collar bomber in Australia).

Sure enough unzipping the .msg file worked:

Suspicious mail unzipped

Navigating into the unzipped folder I saw this:

E-mail unzipped

A bunch of random file names and folders. But it would appear that there is a method to this madness. A quick search on the web netted an article from 2003 on decoding this cryptic .msg format. According to the article, “Each substg contains a piece of information. The first four of the eight digits at the end tells you what kind of information this is. (Property). The last four digits tells you the type (binary, ascii, unicode etc.)”

Looking at the decoding chart we find the following information:

0x0C1A: Sender name
0x0C1F: Sender email
0x0E1D: Subject (normalized)
0x1000: Message body

Using this information, opening the _substg1.0_0E1D001F file with a text editor shows the subject line, “Cute Puppies!”

And if we open the file containing the message body we find:

“Oh my goodness, you just have to check out these adorable puppies!!!
Just open and run the attached files.

Thanks,

Hacker Joe”

Okay, someone named “Hacker Joe” wants us to open and run the attached file, claiming it is about cute puppies. Yeah, this is definitely suspicious.

The “_recip” directories contain information about each recipient and the “_attach” directories contain the attachments. Bingo! Let’s take a look at the _recip directory:

Attached directory

Using the decode chart we see:

//Attachments (37xx):
0x3701: Attachment data (this is the binary attachment)
0x3703: Attach extension
0x3704: Attach filename

Okay, using a text editor we will find the attachment file name in 0x3704, its extension in 0x3703 and the actual file data in 0x3701. In this sample case, the whole filename was found in 0x3704:

CUTEPU~1.PNG

Okay, it looks like a shortened DOS name, but we see that it claims to be a PNG file. This may or may not be true. If you thought the file was truly malicious, you could take the 0x3701 file (the binary data) and upload it to a site like Virustotal.com to have it scanned, as we did here:

VirusTotal

The attachment was scanned with 46 different anti-virus programs and nothing malicious was found. It could still be malicious, but the chances are lower now. Let’s take a look at the actual file (0x3701) with a text editor.

Binary attachment data

Okay, notice the %PNG right at the beginning. This pretty much tells us that the file is indeed a .PNG graphic image, whatever its name claims. If we renamed the file and gave it a .png extension, it should open up and show us the image.
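The manual steps above (read the substg file names, decode the property tag and type, pull the subject, body and attachment, then check the attachment’s real file type against its claimed extension) can be scripted. The Python below is an added example, not code from the post or from the 2003 article it cites; it walks a directory laid out like the unzipped message, using the property tags from the decoding chart above, treats type 001F as UTF-16 text, 001E as 8-bit text and 0102 as raw binary, and compares the first bytes of each attachment against a few well-known file signatures (a real PNG starts with byte 0x89 followed by the letters PNG, which is what shows up as “%PNG” in a text editor). The sample message tree it builds in a temporary directory is constructed, and the `__attach_version1.0_#00000000` folder name is assumed to follow the .msg container layout.

```python
"""Decode a directory extracted from an Outlook .msg file.
Added example; the message tree built by build_sample_tree() is constructed."""
import os
import re
import tempfile

# Property tags from the decoding chart quoted in the post.
PROPERTIES = {
    0x0C1A: "sender_name",
    0x0C1F: "sender_email",
    0x0E1D: "subject",
    0x1000: "body",
    0x3701: "attachment_data",
    0x3703: "attachment_extension",
    0x3704: "attachment_filename",
}

# File names look like __substg1.0_<tag 4 hex><type 4 hex>; tolerate one or two underscores.
SUBSTG = re.compile(r"^_*substg1\.0_([0-9A-Fa-f]{4})([0-9A-Fa-f]{4})$")

# Magic bytes -> file kind. The PNG signature is 0x89 'P' 'N' 'G' CR LF 0x1A LF.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"MZ": "exe", b"%PDF": "pdf", b"PK\x03\x04": "zip"}


def decode_value(ptype, raw):
    """Turn the raw file contents into a Python value based on the property type."""
    if ptype == 0x001F:                       # PT_UNICODE: UTF-16LE text
        return raw.decode("utf-16-le").rstrip("\x00")
    if ptype == 0x001E:                       # PT_STRING8: 8-bit text
        return raw.decode("cp1252", "replace").rstrip("\x00")
    return raw                                # PT_BINARY (0x0102) and anything else


def read_properties(directory):
    """Read every known substg property in one directory into a dict."""
    props = {}
    for name in os.listdir(directory):
        m = SUBSTG.match(name)
        if not m:
            continue
        tag, ptype = int(m.group(1), 16), int(m.group(2), 16)
        if tag in PROPERTIES:
            with open(os.path.join(directory, name), "rb") as fh:
                props[PROPERTIES[tag]] = decode_value(ptype, fh.read())
    return props


def sniff(data):
    """Identify a file by its leading bytes, ignoring whatever name it carries."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def parse_msg_tree(root):
    """Message properties live at the top level; each attachment in its own _attach dir."""
    message = read_properties(root)
    message["attachments"] = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isdir(path) and name.lstrip("_").lower().startswith("attach"):
            att = read_properties(path)
            data = att.get("attachment_data", b"")
            att["sniffed_type"] = sniff(data)
            ext = att.get("attachment_extension", "").lstrip(".").lower()
            att["extension_matches_content"] = ext == att["sniffed_type"]
            message["attachments"].append(att)
    return message


def build_sample_tree(root):
    """Constructed sample: the 'Hacker Joe' message with one genuine PNG attachment."""
    def put(directory, tag, ptype, value):
        os.makedirs(directory, exist_ok=True)
        raw = value.encode("utf-16-le") if ptype == 0x001F else value
        with open(os.path.join(directory, f"__substg1.0_{tag:04X}{ptype:04X}"), "wb") as fh:
            fh.write(raw)

    put(root, 0x0C1A, 0x001F, "Hacker Joe")
    put(root, 0x0C1F, 0x001F, "joe@example.invalid")
    put(root, 0x0E1D, 0x001F, "Cute Puppies!")
    put(root, 0x1000, 0x001F, "Just open and run the attached files.")
    attach_dir = os.path.join(root, "__attach_version1.0_#00000000")   # assumed layout
    put(attach_dir, 0x3704, 0x001F, "CUTEPU~1.PNG")
    put(attach_dir, 0x3703, 0x001F, ".PNG")
    put(attach_dir, 0x3701, 0x0102, b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return root


def demo():
    """Build the constructed tree in a temp dir and parse it."""
    with tempfile.TemporaryDirectory() as tmp:
        return parse_msg_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    msg = demo()
    print(msg["sender_name"], "<" + msg["sender_email"] + ">:", msg["subject"])
    for att in msg["attachments"]:
        print(att["attachment_filename"], "->", att["sniffed_type"],
              "(extension matches)" if att["extension_matches_content"] else "(MISMATCH)")
```

Point `parse_msg_tree()` at a real unzipped message folder instead of `demo()`; an `exe` sniffed type behind a `.pdf` or `.png` extension is the fax-report trick from the previous post, caught before anything is opened.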

NOTE: this is a test file on a sandboxed virtual machine in a test analysis environment. Never open a suspicious attachment on a live, unprotected system!

After renaming the file to suspicious.png, Windows recognizes it as a picture. And if I open this file I see:

Cute Puppies

Well, would you look at that, Cute Puppies!

In our fake example, the e-mail from “Hacker Joe” was indeed just cute puppies. Again, this was just a test example; the real suspicious e-mail in question was very craftily worded, and the attachment was a newer backdoor Trojan that only 2 AV engines detected on VirusTotal.

In this article we learned how to open and view saved Outlook e-mails without actually having Outlook. We really didn’t cover Malware Analysis which is a very interesting field. Want to learn how to dissect malware like a pro? Check out the highly recommended book Practical Malware Analysis.

Malware Analysis: How to Decode JavaScript Obfuscation

When performing malware analysis, one of the techniques the bad guys use to hide their code is obfuscation. What this means is that the program is hidden or obscured to make malware analysis much more difficult. You didn’t think they would make it easy on you, did you?  🙂

I found a good intro to JavaScript malware analysis, with a video, on the HIR Information Report website. It shows you one method (the Tom Liston Method) for taking obfuscated code that looks like this:

And decode it so you get the original Javascript, like this:

Excellent article, check it out!
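To give a concrete feel for what “decoding” obfuscated JavaScript involves, here is an added Python example (not from the HIR article or the post): it statically peels two of the most common wrapper layers, `String.fromCharCode(...)` number lists and `unescape("%XX...")` percent-encoding, joins adjacent string literals, and unwraps `eval("...")` when its argument has become a plain literal, repeating until nothing changes. It needs no JavaScript engine, so the script under analysis is never executed. The obfuscated sample is constructed in the block from a harmless known plaintext, so the decoded result can be checked.

```python
"""Statically peel common JavaScript obfuscation layers.
Added example; the obfuscated input is constructed from SAMPLE_PLAINTEXT."""
import re
from urllib.parse import unquote

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9\s,]*)\)")
UNESCAPE = re.compile(r'unescape\(\s*"((?:%[0-9A-Fa-f]{2}|[^"\\])*)"\s*\)')
CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
EVAL_LITERAL = re.compile(r'^\s*eval\(\s*"([^"\\]*)"\s*\)\s*;?\s*$')


def js_string(value):
    """Render a decoded value as a JS double-quoted literal.
    Quotes or backslashes inside would need real escaping, so refuse rather than guess."""
    if '"' in value or "\\" in value:
        raise ValueError("decoded layer needs escaping; use a real JS parser")
    return '"' + value + '"'


def peel_once(code):
    """Apply each rewrite once; returns the same string when no layer is left."""
    code = FROMCHARCODE.sub(
        lambda m: js_string("".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())),
        code)
    code = UNESCAPE.sub(lambda m: js_string(unquote(m.group(1))), code)
    code = CONCAT.sub(lambda m: js_string(m.group(1) + m.group(2)), code)
    m = EVAL_LITERAL.match(code)
    if m:                       # eval("...") of a plain literal: the literal is the next layer
        code = m.group(1)
    return code


def deobfuscate(code, max_layers=20):
    """Peel until a fixed point; returns every intermediate layer, innermost last."""
    layers = [code]
    for _ in range(max_layers):
        nxt = peel_once(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def build_sample(plain):
    """Constructed two-layer wrapper: fromCharCode inside eval, then unescape inside eval."""
    layer1 = "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in plain) + "))"
    layer2 = 'eval(unescape("' + "".join("%%%02X" % ord(c) for c in layer1) + '"))'
    return layer2


SAMPLE_PLAINTEXT = "document.write('decoded payload')"
SAMPLE_OBFUSCATED = build_sample(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    for depth, layer in enumerate(deobfuscate(SAMPLE_OBFUSCATED)):
        print(f"layer {depth}: {layer[:70]}{'...' if len(layer) > 70 else ''}")
```

Real samples stack more tricks than these two (custom decoding functions, string splitting, arithmetic on character codes), which is why the article’s approach of letting the script decode itself in a sandbox and replacing the final `eval` with output is often the faster route; the static peeler is the safe first pass when you would rather not run anything at all.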