IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
•
7 gefällt mir•1,980 views
IstSec'14 Bilgi Güvenliği Konferansı Sunumları
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (20)
Ähnlich wie IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
Ähnlich wie IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis (20)
Mehr von BGA Cyber Security
Mehr von BGA Cyber Security (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
IstSec'14 - İbrahim BALİÇ - Automated Malware Analysis
- 1. Mobil Malware Analiz Süreçlerini Otoma4kleş4rme İbrahim BALİÇ ibrahim@balicbilisim.com
- 2. Ajanda • Ben Kimim • Malware Analiz • Süreçler • Otomasyon • Örnek • Sorular
- 3. Ben Kimim? • Security Researcher @ BalichIT • Online Projeler Android Sandbox – hEp://www.androidsandbox.net Android Remote Admin/Access Tool – hEps://github.com/ibrahimbalic/AndroidRAT • Devameden Projeler iOS Sandbox – hEp://www.iossandbox.com Approwler – hEp://www.approwler.com • Offline Projeler Online Mobile App Builder – hEp://uygu.la MalTrack – hEp://maltrack.balicbilisim.com • Apple, Facebook, Opera, Google vs. @ Whitehat Hacker • Links SQLMap CSRF Bypass – hEp://www.exploit-‐db.com/wp-‐content/themes/exploit/docs/34193.pdf SoUware VulnerabiliWes – hEp://www.exploit-‐db.com/wp-‐content/themes/exploit/docs/29139.pdf Mobil Forensics 1 – hEp://www.bilgiguvenligi.gov.tr/adli-‐analiz/mobile-‐forensics-‐bolum-‐1.html Mobil Forensics 2 – hEp://www.bilgiguvenligi.gov.tr/adli-‐analiz/mobile-‐forensics-‐bolum-‐2.html Android Internals – hEp://www.bilgiguvenligi.gov.tr/mobil-‐cihaz-‐guvenligi/android-‐internals-‐part-‐i.html Bilgi Güvenliğine Giriş – hEp://www.bilgiguvenligi.gov.tr/veri-‐gizliligi/bilgi-‐guvenligine-‐giris.html
- 4. Malware Analiz “Malware, kullanıcı veya hedef sistemlere zarar veren her türlü uygulama için kullanılan “Zararlı Uygulama” kavramının genel adıdır.”
- 5. Malware Analiz Uygulama Nedir? “Elektronik araçların Önceden belirlenmiş standartları çerçevesinde bir araya geZrilmiş görevler/işlemler zinciridir.”
- 6. Malware Analiz Standartlar Nedir? • İşlemci Mimarisi (CPU) • İşleZm Sistemi (OS) • Framework (library) .... ... .
- 7. Malware Analiz + Diğer donanımlar = + OS (OperaZng System)
- 8. Malware Analiz Standartlar Nedir?
- 9. Malware Analiz main ( int arc, char **argv ) { return 0; } x64 Mips
- 10. Malware Analiz #include <stdio.h> main ( int arc, char **argv ) { return 0; } int ibrahimbalic(int a) { return 0; } ./nm –A istsecII
- 11. Malware Analiz #include <stdio.h> main ( int arc, char **argv ) { return 0; } int ibrahimbalic(int a) { return 0; } ./objdump -‐t istsecII
- 12. Malware Analiz #include <stdio.h> main ( int arc, char **argv ) { return 0; } int ibrahimbalic(int a) { return 0; } IDA
- 13. Malware Analiz int main(int argc, char *argv[]) { char mesaj[] = "IstSECn"; struct sockaddr_in dest; struct sockaddr_in serv; int istsecport; socklen_t socksize = sizeof(struct sockaddr_in); memset(&serv, 0, sizeof(serv)); serv.sin_family = AF_INET; serv.sin_addr.s_addr = htonl(INADDR_ANY); serv.sin_port = htons(PORTNUM); istsecport = socket(AF_INET, SOCK_STREAM, 0); bind(istsecport, (struct sockaddr *)&serv, sizeof(struct sockaddr)); listen(istsecport, 1); int gelenbag = accept(istsecport, (struct sockaddr *)&dest, &socksize); while(gelenbag) { prinw("Mesaj gonderildi. %sn", inet_ntoa(dest.sin_addr)); send(gelenbag, mesaj, strlen(mesaj), 0); gelenbag = accept(istsecport, (struct sockaddr *)&dest, &socksize); } close(gelenbag); close(istsecport); return 0; } ./nm –A istsecIII
- 14. Malware Analiz
- 15. Malware Analiz • StaWk Malware Analiz • Dinamik Malware Analiz
- 16. Süreçler .APK Analiz Strings Disassemble codes Decompilling Network AcWviteleri strace (), ltrace() …
- 17. Süreçler .APK Analiz Strings aapt d -‐-‐values strings test.apk String pool of 20 unique UTF-‐8 non-‐sorted strings, 20 entries and 0 styles using 828 bytes: String #0: res/drawable/elite_background.png String #1: res/drawable/elite_logo.png String #2: res/layout/acWvity_main.xml String #3: res/layout/lock_screen.xml String #4: res/layout/main_uninstall_admin_device.xml String #5: res/anim/fadein.xml String #6: res/anim/fadeout.xml String #7: res/xml/device_admin_sample.xml String #8: res/menu/main.xml String #9: res/drawable-‐mdpi/ic_launcher.png String #10: res/drawable-‐hdpi/ic_launcher.png String #11: res/drawable-‐xhdpi/ic_launcher.png String #12: res/drawable-‐xxhdpi/ic_launcher.png String #13: Angry Bird Transformers String #14: Sengs String #15: Angry Bird Transformers: A parent's care for child. String #16: To ensure the correct installaWon of Angry Bird Transformers, you must press the "ACTIVATE" buEon below. String #17: Device admin seng acWvated successfully. String #18: Elite has hacked you.Obey or be hacked. String #19: com.hellboy
- 18. Süreçler .APK Analiz disassemble code dexdump –d classes.dex Processing 'classes.dex'... Opened 'classes.dex', DEX version '035' Class #0 -‐ Class descriptor : 'Landroid/support/annotaWon/AnimRes;' Access flags : 0x2601 (PUBLIC INTERFACE ABSTRACT ANNOTATION) Superclass : 'Ljava/lang/Object;' Interfaces -‐ #0 : 'Ljava/lang/annotaWon/AnnotaWon;' StaWc fields -‐ Instance fields -‐ Direct methods -‐ Virtual methods -‐ source_file_idx : 466 (AnimRes.java)
- 19. Süreçler .APK Analiz Decompilling dex2jar classes.dex private void startService() { Wmer.scheduleAtFixedRate(new mainTask(null), 0L, 500L); this.context = this; } public IBinder onBind(Intent paramIntent) { return null; } public void onCreate() { super.onCreate(); startService(); }
- 20. Süreçler .APK Analiz Network AcWviteleri emulator -‐avd "test" -‐tcpdump "test.pcap"
- 21. Süreçler .APK Analiz strace (), ltrace() adb shell strace -‐p PID -‐f [pid 447] getpid() = 447 [pid 447] getuid32() = 10003 [pid 447] epoll_pwait(39, {{EPOLLIN, {u32=64, u64=64}}, {EPOLLIN, {u32=32, u64=32}}}, 16, 0, NULL) = 2 [pid 447] read(32, "W", 16) = 1 [pid 447] recvfrom(64, "nysv0000020*3507000/#000000", 2400, MSG_DONTWAIT, NULL, NULL) = 24 [pid 447] recvfrom(64, 0xbef14a68, 2400, 64, 0, 0) = -‐1 EAGAIN (Try again) [pid 447] clock_geme(CLOCK_MONOTONIC, {240, 143333618}) = 0 [pid 447] clock_geme(CLOCK_MONOTONIC, {240, 145650900}) = 0 [pid 447] clock_geme(CLOCK_MONOTONIC, {240, 147686380}) = 0 [pid 447] writev(3, [{"4", 1}, {"Choreographer0", 14}, {"Skipped 38 frames! The applicat"..., 83}], 3) = 98 [pid 447] clock_geme(CLOCK_MONOTONIC, {240, 152925603}) = 0 [pid 447] clock_geme(CLOCK_MONOTONIC, {240, 154903354}) = 0 [pid 447] clock_geme(CLOCK_MONOTONIC, {240, 156899920}) = 0 [pid 447] recvfrom(64, 0xbef14bd8, 2400, 64, 0, 0) = -‐1 EAGAIN (Try again) [pid 447] ioctl(9, 0xc0186201, 0xbef153d0) = 0 [pid 447] clock_geme(CLOCK_MONOTONIC, {240, 162224240}) = 0
- 22. Otomasyon
- 23. Otomasyon • Android SDK(soUware development kit) • aapt (android asset packaging tool) • dexdump • emulator • adb (android debug bridge) • dex2jar • jad • cproxy(basit bir proxy yazdık) • phpword library
- 24. Otomasyon Emulator Oluştur Emulator Çalışˆr Emulator’ü -‐hEp-‐proxy ile çalışˆr cproxy istekleri kayıt et. Emulator’ü –tcpdump ile çalışˆr .pcap olarak dosya adı ver. adb adb install .apk dosyasını yükle. adb shell strace pid dosya akWviWlerini takip et adb shell monkey -‐v -‐p apkpackname 1000 shell screencap ekran görüntüsünü al Apk bilgileri Oluştur Dexdump ile disassemble codelarını görüntüle.. aapt dump ile permissionlar, launchable-‐acZvity,servisler gibi bilgileri al. dex2jar ile dex dosyasını jar’a çevir. Ve sonrasında jar dosyasını jad yardımı ile class haline çevir. Launch acWvity bul ve çalışˆr.
- 25. Otomasyon Emulator Oluştur Emulator Çalışˆr adb android create avd -‐n androidemulator -‐t TARGETID emulator -‐sdcard sdcard.img -‐avd androidemulator -‐no-‐window -‐no-‐boot-‐anim -‐noaudio -‐nojni -‐newast -‐wipe-‐data -‐verbose -‐ tcpdump networkakWviWleri.pcap -‐hEp-‐proxy hEp://127.0.0.1:1988 1.adb install test.apk 2.adb shell am start -‐a android.intent.acZon.VIEW -‐c adroid.intent.category.DEFAULT -‐n com.elite/com.elite.MainAcZvity 3.adb shell strace -‐p PID -‐f -‐s 256 -‐e open,access 4. adb shell monkey -‐v -‐p apkpackname 1000 5. adb shell screencap -‐p /sdcard/screen.png 6. adb pull /sdcard/screen.png
- 26. Otomasyon .bash script veya python veya php veya executable bir dosya oluşturarak. ornek.py test.apk word pdf db pdf
- 27. Otomasyon ornek.py test.apk word pdf .bash script veya python veya php veya executable bir dosya oluşturarak.
- 28. Örnek
- 29. Sorusu olan varmı? ? ? ?
- 30. Ibrahim BALİÇ ibrahim@balicbilisim.com Teşekkürler. (: