Find out the “Bad guys” on the Symbian Jie Zhang Fortinet Inc

Upload: tracen

Post on 14-Jan-2016


DESCRIPTION

Find out the “Bad guys” on the Symbian. Jie Zhang, Fortinet Inc. Agenda: 1. Symbian OS; 2. Mobile Malware; 3. Discover Virus; 4. Identify Suspicious; 5. Track Record; 6. Conclusion; 7. Thank You.

TRANSCRIPT

Page 1: Find out the  “ Bad guys ” on the Symbian

Find out the “Bad guys” on the Symbian

Jie Zhang

Fortinet Inc

Page 2

Agenda

1. Symbian OS
2. Mobile Malware
3. Discover Virus
4. Identify Suspicious
5. Track Record
6. Conclusion
7. Thank You

Page 3

What's Symbian?

Symbian OS is a proprietary operating system, designed for mobile devices, with associated libraries, user interface frameworks and reference implementations of common tools, produced by Symbian Ltd.

Page 4

Symbian OS History

No.  Release                      Year
1    EPOC16                       1991-1998
2    EPOC OS 1-3                  1997
3    EPOC 4                       1998
4    EPOC 5                       1999
5    ER5U / Symbian OS 5.1        2000
6    Symbian 6.0 and 6.1          2001
7    Symbian 7.0 and 7.0s         2003
8    Symbian 8.x (EKA1, EKA2)     2004
9    Symbian 9.0                  2004
10   Symbian 9.1                  2005
11   Symbian 9.2 and 9.3          2006
12   Symbian 9.5                  2007

Page 5

S60 and UIQ

• The S60 Platform
• UIQ by UIQ Technology

Page 6

Mobile Malware


Page 7

About Mobile Malware

• Concept: Mobile malware is malicious code that targets mobile phones and PDAs. In practice most samples are built from a few similar pieces of code or programs.

• About: Today there are more than 400 families of mobile malware, and we expect to see more of them in the near future. Some families have a great many variants, such as Cabir, CommWarrior, Fontal, Skull, Cardtrap and so on, and most of those variants are very similar to each other.

Page 8

Mobile Malware Category

• Worm: Cabir, Mabir, CommWarrior, CardTrap

• Trojan / Backdoor / RAT: Flexispy, X-wodi, PbStealer

• Doom (destructive payloads): Fontal, Drever, Skull

• Misc: infected virus, exploit worm, WAP attacker or worm

Page 9

Threat from Mobile Malware

• Critical - Mobile phones are becoming more and more important, for individuals and for business. Once the phone stops working, the loss may be immeasurable.

• Cost - Almost every cellular action costs money: calls, SMS/MMS, GPRS and so on. To spread itself widely, malware will use one or more of these channels, so every spread attempt brings the phone owner a real bill.

• Sensitive - People pay more attention to their personal privacy today, yet they store many things on the phone, some of them private. Once a virus obtains that data, the consequences can be serious.

Page 10

Discover Virus


Page 11

Discover "Bad guys"

• Abnormal behaviors
• High cost
• Suspicious processes and files

Page 12

Identify Suspicious


Page 13

Choose your weapon

• Fix API names and dance with IDA
• Extract the SIS archive
• Break into compressed applications

Page 14

Fix API name and dance with IDA - 1

As we know, the hardware platform of a mobile phone is less powerful than a PC, and its memory is limited. To reduce program file size, programs on the Symbian platform do not store API names in their import table; each import is recorded only as a library name plus an export ordinal. As a result we cannot read the names of the invoked APIs from the program under analysis, and IDA can only show each import as <library>_<ordinal>. We therefore have to improve IDA's API resolution so that it correctly identifies the API names used by the program.

Page 15

Fix API name and dance with IDA - 2

To obtain the API names we must first install the Symbian SDK. In this paper we mainly work on S60 2nd Edition (Symbian 7.0s), so we download the S60 2nd Edition SDK from the Nokia official website.

Change into %S60_SDK%\Epoc32\release\armi\urel\ and list the directory from a command prompt. The listing shows the import libraries (.lib) for the system DLLs; these are where the export names come from.

Page 16

Fix API name and dance with IDA - 3

(Slide shows a screenshot of the directory listing; not reproduced in the transcript.)

Page 17

Fix API name and dance with IDA - 4

For example: get the API name for the "WAPP_1" function in IDA.

What does WAPP_1 mean?

WAPP_1 = WAPP + 1

WAPP => library name (wapp.lib)

1 => export ordinal

Page 18

Fix API name and dance with IDA - 5

objdump --syms wapp.lib

(Slide shows the resulting symbol table listing.)

Page 19

Fix API name and dance with IDA - 6

Let's compile the data we have received:

ID  NAME    VALUE
1   Module  WAPP
2   Order   1
3   API     NewL__22CMsvBIOWapAccessParserR20CRegisteredParserDllR15CMsvServerEntryR3RFs
4   Alias   CMsvBIOWapAccessParser::NewL(CRegisteredParserDll &, CMsvServerEntry &, RFs &)
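The table above is what an analyst assembles by hand for one import. The Python script below is an added example, not a tool from this talk, that automates the same mapping: it reads the ordinals from a library's frozen export list (Symbian .def format, "<mangled> @ <ordinal> NONAME" lines, assumed to come from the SDK or to have been recovered from the import library), demangles the GCC 2.x style names the armi toolchain emits, and produces the <LIB>_<ordinal> to alias pairs needed to rename the stubs in IDA. The demangler cov­ers the subset seen in this talk (member functions, constructors and destructors, operator names, pointer/reference/const/unsigned modifiers, function-pointer parameters and T<n> back-references); anything else, such as nested Q-names or N repeats, is returned unchanged rather than guessed. The sample .def text is constructed for the example; its ordinal 1 is the entry from the table, ordinal 2 is an assumption.

```python
"""Resolve Symbian (S60 2nd, armi) import ordinals to API names: read the library's
frozen export list (.def) and demangle its GCC 2.x names so IDA's <LIB>_<ordinal>
stubs (e.g. WAPP_1) get readable aliases.  Added example, not a tool from the talk."""
import re

BUILTIN = {'v': 'void', 'c': 'char', 's': 'short', 'i': 'int', 'l': 'long',
           'x': 'long long', 'f': 'float', 'd': 'double', 'b': 'bool', 'e': '...'}
UNSIGNED = {'char': 'uchar', 'short': 'ushort', 'int': 'uint', 'long': 'ulong'}
OPERATORS = {'nw': 'operator new', 'dl': 'operator delete', 'as': 'operator=',
             'eq': 'operator==', 'ne': 'operator!=', 'vc': 'operator[]'}


class _Parser:                                  # GCC 2.x type encodings (subset)
    def __init__(self, text):
        self.s, self.i, self.typevec = text, 0, []   # typevec: top-level args, for T<n>
    def _num(self):                             # decimal number at the cursor
        m = re.match(r'\d+', self.s[self.i:])   # AttributeError (caught) if none
        self.i += m.end()
        return int(m.group())
    def _count(self):                           # one digit, or several ended by '_'
        m = re.match(r'(\d+)_|(\d)', self.s[self.i:])
        self.i += m.end()
        return int(m.group(1) or m.group(2))
    def class_name(self):                       # <len><identifier>, e.g. 7RThread
        n = self._num()
        name = self.s[self.i:self.i + n]
        if len(name) != n:
            raise ValueError('truncated identifier')
        self.i += n
        return name
    def type_(self):
        c = self.s[self.i]
        if c.isdigit():
            return self.class_name()
        self.i += 1
        if c in 'PR':                           # pointer / reference
            inner, sym = self.type_(), '*' if c == 'P' else '&'
            if isinstance(inner, tuple):        # pointer/reference to a function type
                return '%s (%s)(%s)' % (inner[0], sym, inner[1])
            return '%s %s' % (inner, sym)
        if c == 'C':
            return self.type_() + ' const'
        if c == 'U':
            base = self.type_()
            return UNSIGNED.get(base, 'unsigned ' + base)
        if c == 'F':                            # F<args>_<ret>: function type
            args = self.args(stop='_')
            self.i += 1
            return (self.type_(), args)
        if c == 'T':                            # T<n>: same type as argument n (0-based)
            return self.typevec[self._count()]
        return BUILTIN[c]                       # KeyError (caught) for anything unsupported
    def args(self, stop=None):
        out = []
        while self.i < len(self.s) and self.s[self.i] != stop:
            out.append(self.type_())
            if stop is None:                    # args nested in a function type are not remembered
                self.typevec.append(out[-1])
        return ', '.join(out)


def demangle(mangled):
    """Demangle a GCC 2.x symbol; names the subset does not cover are returned unchanged."""
    try:
        if mangled[:3] in ('_._', '_$_'):       # destructor: _._<class>
            p = _Parser(mangled[3:])
            cls = p.class_name()
            return '%s::~%s(%s)' % (cls, cls, p.args())
        m = re.search(r'__(?=[0-9F])', mangled)  # <name>__<class><args> or <name>__F<args>
        name, p = mangled[:m.start()], _Parser(mangled[m.end():])
        if p.s[0] == 'F':                       # free function
            cls, p.i = None, 1
        else:
            cls = p.class_name()
        args = p.args()
    except (ValueError, IndexError, KeyError, AttributeError, TypeError):
        return mangled
    if name.startswith('__'):                   # __nw, __eq, ...: operator names
        name = OPERATORS.get(name[2:], name)
    if cls is None:
        return '%s(%s)' % (name, args)
    return '%s::%s(%s)' % (cls, name or cls, args)   # empty name = constructor


def parse_def(text):
    """{ordinal: mangled} from the '<mangled> @ <ordinal> NONAME' lines of a .def file."""
    return {int(o): s for s, o in re.findall(r'^\s*(\S+)\s+@\s*(\d+)\b', text, re.M)}


def ida_aliases(lib, def_text):
    """IDA import stub name (<LIB>_<ordinal>) -> demangled alias."""
    return {'%s_%d' % (lib, o): demangle(s) for o, s in parse_def(def_text).items()}


# Constructed sample .def text: ordinal 1 is the entry from the talk, ordinal 2 is assumed.
SAMPLE_DEF = """EXPORTS
\tNewL__22CMsvBIOWapAccessParserR20CRegisteredParserDllR15CMsvServerEntryR3RFs @ 1 NONAME
\t_._22CMsvBIOWapAccessParser @ 2 NONAME
"""
```

ida_aliases('WAPP', SAMPLE_DEF) yields WAPP_1 -> CMsvBIOWapAccessParser::NewL(CRegisteredParserDll &, CMsvServerEntry &, RFs &), the alias from the table; the other names in the assertions (TPtrC16, CBase::operator new, RThread::Create) are the ones IDA prints in the CommWarrior listings later in this talk. A name the subset cannot parse comes back untouched, so a bulk rename never silently mislabels an import.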

Page 20

Fix API name and dance with IDA - 7

Alternative method: build an IDS file for IDA from the library with the IDA SDK tools, so the import names resolve automatically:

Library → efd / ar2idt → IDT → zipids → IDS

Page 21

Extract SIS archive

• You can get the Unsis tool from the Symbian official home page to extract a .SIS file on the PC.

• You could also use UnMakeSIS to do the same thing, but it is shareware and you have to purchase it.

• To get more information out of the archive, I wrote a tool called sisdump to help us.

Page 22

Break into compressed application - 1

• Sometimes we find that a few applications cannot be analyzed by IDA correctly.

Page 23

Break into compressed application - 2

• If you try to dump the application information with the "petran" utility, you may get a message similar to the one shown on the slide (screenshot not in the transcript): the image is compressed.

How to decompress it?

Page 24

Break into compressed application - 3

• The correct answer is:

petran -nocompress <target file>

Page 25

Reverse mobile malware - 1

• Besides basic ARM and Symbian OS knowledge, we must know how a function receives its parameters:

1. Generally, the first four parameters are passed in R0-R3;

2. If there are more than four parameters, the remaining ones are passed on the stack;

3. A non-static class method receives the this pointer in R0 (so its explicit parameters start at R1);

4. The return value is passed back in R0.

Page 26

Reverse mobile malware - 2

• Dump the IAT to know your enemy:

Before analyzing the target sample, we had better scan its IAT (the list of imported libraries and ordinals). That tells us whether the sample will touch the file system, Bluetooth, infrared, the network, SMS/MMS and so on.

I do not intend to describe this further here. For the E32Image format, see the documents in the references. The petran tool prints the IAT information easily; I also wrote a utility called epocdep that does the same thing.

Page 27

Reverse mobile malware - CommWarrior

• We will start by analyzing the sample's SIS file.

• Get the SIS file information:

We can obtain the file-related information with sisdump:

[!] ------------------------------------------------
[!] File record type: Simple File
[!] File type:
[!]     File to be run during installation and/or removal
[!] Details:
[!]     Run during installation only
    Src name:  commwarrior.exe
    Dst name:  !:\system\apps\CommWarrior\commwarrior.exe
[!] ------------------------------------------------
[!] File record type: Simple File
[!] File type:
[!]     Standard File
    Src name:  commrec.mdl
    Dst name:  !:\system\apps\CommWarrior\commrec.mdl

Page 28

Reverse mobile malware - CommWarrior

• There are some important things we should note:

1. The SIS archive includes two files: "commwarrior.exe" and "commrec.mdl";

2. These two files will be installed to:

!:\system\apps\CommWarrior\commwarrior.exe
!:\system\apps\CommWarrior\commrec.mdl

Note: "!" means the installation drive selected by the user;

3. During installation, commwarrior.exe will be loaded and run.

Page 29

Reverse mobile malware - CommWarrior

• Reverse the MDL

1. What's an MDL? An MDL is a MIME recognizer dynamic library.

2. MDL purpose: an MDL is plug-in code that examines data in a file, or sample data supplied in a buffer, and returns its data type if it recognizes it. A data type is also commonly known as a MIME type.

3. Why most malware includes such a file: recognizer plug-ins are loaded when the system boots, and malware always wants to get itself loaded at boot time. That's the reason.

4. MDL load flow. The Symbian OS MDL loader invokes, in order:

<1> E32Dll(TDllReason)   // exported as the entry point
<2> CreateRecognizer()   // exported by the MDL, ordinal 1

Page 30

Reverse mobile malware - CommWarrior

• Although commwarrior.exe runs first, I still intend to analyze the MDL file first, because it is very easy to understand and it is launched whenever the OS boots.

• We already know that the MDL has two exported functions:

E32Dll(TDllReason)
CreateRecognizer()

So we will start our journey from them.

Page 31

Reverse mobile malware - CommWarrior

• E32Dll:

Original assembly code:

.text:10000000                 EXPORT start
.text:10000000 start
.text:10000000                 B       loc_100002F8
...
.text:100002F8 loc_100002F8                    ; CODE XREF: start
.text:100002F8                 MOV     R0, #0  ; KErrNone
.text:100002FC                 BX      LR

C++ code:

GLDEF_C TInt E32Dll(TDllReason /*aReason*/)
    {
    return KErrNone;
    }

Page 32

Reverse mobile malware - CommWarrior

• CreateRecognizer (ordinal 1):

.text:100002C8                 EXPORT commrec_1
.text:100002C8 commrec_1
.text:100002C8                 STMFD   SP!, {R4,LR}
.text:100002CC                 MOV     R0, #0x128            ; object size
.text:100002D0                 BL      CBase::__nw(uint)     ; operator new for CBase and its derived classes
.text:100002D4                 SUBS    R4, R0, #0
.text:100002D8                 BEQ     loc_100002E8          ; allocation failed: skip the constructor
.text:100002DC                 MOV     R0, R4                ; this
.text:100002E0                 BL      loc_10000004          ; class constructor call (CMyRecognizer::CMyRecognizer)
.text:100002E4                 MOV     R4, R0
.text:100002E8
.text:100002E8 loc_100002E8                                  ; CODE XREF: start+2D8
.text:100002E8                 BL      loc_10000068          ; virus core invoke (do_exe_virus_body)
.text:100002EC                 MOV     R0, R4                ; return the recognizer object
.text:100002F0                 LDMFD   SP!, {R4,LR}
.text:100002F4                 BX      LR

Page 33

Reverse mobile malware - CommWarrior

• After converting, we get the C++ source code:

EXPORT_C CApaDataRecognizerType * CreateRecognizer()
    {
    CApaDataRecognizerType * rg = new CMyRecognizer();  // loc_10000004
    do_exe_virus_body();                                // loc_10000068
    return rg;
    }

// Or in another form, if you like:

EXPORT_C CApaDataRecognizerType * CreateRecognizer()
    {
    CApaDataRecognizerType * rg = new CMyRecognizer();  // loc_10000004
    CMyRecognizer::do_exe_virus_body();                 // loc_10000068
    return rg;
    }

There is no difference to the analyst, right?

Page 34

Reverse mobile malware - CommWarrior

• We will talk about the class CMyRecognizer later, as there is no harmful code in that class.

• Let's look at the do_exe_virus_body() function first:

Page 35

.text:10000068                 STMFD   SP!, {R4,R5,LR}
.text:1000006C                 SUB     SP, SP, #0x18
.text:10000070                 MOV     R0, #4
.text:10000074                 BL      __builtin_new                  ; new RThread (4 bytes: just the handle)
.text:10000078                 SUBS    R5, R0, #0
.text:1000007C                 LDRNE   R3, =0xFFFF8001                ; RThread(): iHandle = KCurrentThreadHandle
.text:10000080                 STRNE   R3, [R5]
.text:10000084                 ADD     R0, SP, #0x10                  ; &ptr (TPtrC on the stack)
.text:10000088                 LDR     R1, =aCommrec                  ; thread name "commrec"
.text:1000008C                 BL      TPtrC16::TPtrC16(ushort const *)
.text:10000090                 MOV     R3, #0x100
.text:10000094                 STR     R3, [SP,#arg_0]                ; 5th arg: aHeapMinSize = 0x100
.text:10000098                 STR     R3, [SP,#arg_4]                ; 6th arg: aHeapMaxSize = 0x100
.text:1000009C                 MOV     R4, #0
.text:100000A0                 STR     R4, [SP,#arg_8]                ; 7th arg: aPtr = NULL
.text:100000A4                 MOV     R3, #1
.text:100000A8                 STR     R3, [SP,#arg_C]                ; 8th arg: aType = EOwnerThread
.text:100000AC                 MOV     R0, R5                         ; this (RThread*)
.text:100000B0                 ADD     R1, SP, #0x10                  ; aName
.text:100000B4                 LDR     R2, =loc_100000FC              ; aFunction = ThreadProc
.text:100000B8                 MOV     R3, #0x2000                    ; aStackSize
.text:100000BC                 BL      RThread::Create(TDesC16 const &,int (*)(void *),int,int,int,void *,TOwnerType)
.text:100000C0                 BL      User::LeaveIfError(int)
.text:100000C4                 MOV     R0, R5
.text:100000C8                 MOV     R1, R4                         ; EPriorityNormal (0)
.text:100000CC                 BL      RThread::SetPriority(TThreadPriority)
.text:100000D0                 MOV     R0, R5
.text:100000D4                 BL      RThread::Resume(void)
.text:100000D8                 MOV     R0, R5
.text:100000DC                 BL      RHandleBase::Close(void)
.text:100000E0                 B       loc_100000F0
.text:100000F0
.text:100000F0 loc_100000F0
.text:100000F0                 ADD     SP, SP, #0x18
.text:100000F4                 LDMFD   SP!, {R4,R5,LR}
.text:100000F8                 BX      LR

The same function as C++ (the RThread object itself is never deleted, exactly as in the assembly):

void do_exe_virus_body()
    {
    RThread* bootThread = new RThread();
    TPtrC ptr(KTxtVirusName);
    // create the thread and start it
    User::LeaveIfError(bootThread->Create(ptr, ThreadProc, 0x2000, 0x100, 0x100, NULL, EOwnerThread));
    bootThread->SetPriority(EPriorityNormal);
    bootThread->Resume();
    bootThread->Close();
    }

Page 36

TInt ThreadProc(TAny * /* arg */)
    {
    TRequestStatus r;      // [SP+4]
    TTime tm;              // [SP+8]
    RTimer timer;          // [SP+0x10]
    TInt ret;

    // sleep 5 seconds before doing anything
    timer.CreateLocal();
    tm.HomeTime();
    tm += (TTimeIntervalSeconds)5;
    timer.At(r, tm);
    User::WaitForRequest(r);

    // set up the scheduler and cleanup stack this thread needs to call leaving code
    CActiveScheduler * scheduler = new CActiveScheduler;
    CTrapCleanup * cleanup;
    if (!scheduler)
        {
        ret = KErrNoMemory;   // 0xFFFFFFFC
        goto quit_proc;
        }
    CActiveScheduler::Install(scheduler);
    cleanup = CTrapCleanup::New();
    if (!cleanup)
        {
        ret = KErrNoMemory;   // 0xFFFFFFFC
        goto quit_proc;
        }
    TRAP(ret, exe_virus_bodyL());
    delete cleanup;

quit_proc:
    return ret;
    }

Page 37

void exe_virus_bodyL()
    {
    RFs aFs;
    User::LeaveIfError(aFs.Connect());
    CleanupClosePushL(aFs);

    // locate the virus executable (KTxtVirusApp) on any drive
    TFindFile aFindFile(aFs);
    User::LeaveIfError(aFindFile.FindByDir(KTxtVirusApp, KTxtNull));

    // and ask the application architecture server to start it
    CApaCommandLine * aCmdLine = CApaCommandLine::NewLC();
    aCmdLine->SetLibraryNameL(aFindFile.File());
    aCmdLine->SetCommandL(EApaCommandOpen);

    RApaLsSession aSession;
    User::LeaveIfError(aSession.Connect());
    CleanupClosePushL(aSession);
    User::LeaveIfError(aSession.StartApp(*aCmdLine));

    CleanupStack::PopAndDestroy(3);   // aSession, aCmdLine, aFs
    }

Page 38

Reverse mobile malware - CommWarrior

• Although the class CMyRecognizer is not useful here, we still need to analyze it, because there is a much more important concept we should know: the vtable and the vptr.

• We will go through it based on the code.

• But first of all, let's look at some definitions.

Page 39

class CBase
    {
public:
    IMPORT_C virtual ~CBase();
    inline TAny* operator new(TUint aSize, TAny *aBase);
    IMPORT_C TAny* operator new(TUint aSize);
    inline TAny* operator new(TUint aSize, TLeave);
    IMPORT_C TAny* operator new(TUint aSize, TUint anExtraSize);
protected:
    IMPORT_C CBase();
private:
    CBase(const CBase&);
    CBase& operator=(const CBase&);
    IMPORT_C static TAny* newL(TUint aSize);
    };

We can see that every class derived from CBase contains at least one vptr, and that the first virtual function must be the destructor.

Page 40

class CApaDataRecognizerType : public CBase
    {
    // Note: static and non-virtual methods removed for simplicity
public:
    IMPORT_C ~CApaDataRecognizerType();
    IMPORT_C virtual TUint PreferredBufSize();
    IMPORT_C virtual TDataType SupportedDataTypeL(TInt aIndex) const = 0;
private:
    IMPORT_C virtual void DoRecognizeL(const TDesC& aName, const TDesC8& aBuffer);
    IMPORT_C virtual void Reserved_1();
protected:
    const TUid iTypeUid;
    const TInt iPriority;
    TInt iCountDataTypes;
    TInt iConfidence;
    TDataType iDataType;
private:
    TInt iLock;
    TInt iSpare;
    };

CApaDataRecognizerType object layout:

id  name             offset
1   vptr             00
2   iTypeUid         04
3   iPriority        08
4   iCountDataTypes  0C
5   iConfidence      10
...

Page 41

The vptr points to the vtable. On Symbian (GCC 2.x, ARM) the vtable structure is as follows:

struct vtable
    {
    DCD offset;    // added to the subobject address to recover the full object; usually 0
    DCD unknown;   // unknown, but almost always 0
    DCD vfunc[];   // virtual function pointer array, starting with the destructor
    };

The vtable.offset field is used by the compiler to recover the object pointer from the address of the subobject that holds the vptr:

object pointer = address holding the vptr + vtable.offset

Page 42

CMyRecognizer class constructor:

.text:10000004                 STMFD   SP!, {R4,LR}
.text:10000008                 MOV     R4, R0                 ; this
.text:1000000C                 LDR     R3, =dword_10000564
.text:10000010                 LDR     R1, [R3]               ; aUid = MyUid (0x10001941)
.text:10000014                 MOV     R2, #0                 ; aPriority = 0
.text:10000018                 BL      CApaDataRecognizerType::CApaDataRecognizerType(TUid,int)   ; base class constructor
.text:1000001C                 LDR     R3, =dword_100005AC    ; CMyRecognizer vtable
.text:10000020                 STR     R3, [R4]               ; this->vptr = &vtable (offset 00)
.text:10000024                 MOV     R3, #1
.text:10000028                 STR     R3, [R4,#0xC]          ; this->iCountDataTypes = 1 (offset 0C)
.text:1000002C                 MOV     R0, R4                 ; return this
.text:10000030                 B       loc_1000003C
.text:1000003C
.text:1000003C loc_1000003C                                   ; CODE XREF: start+30
.text:1000003C                 LDMFD   SP!, {R4,LR}
.text:10000040                 BX      LR

The vtable it installs:

.text:100005AC dword_100005AC  DCD 0, 0                        ; DATA XREF: start:off_10000038
.text:100005B4                 DCD loc_10000538                ; CMyRecognizer::~CMyRecognizer
.text:100005B8                 DCD loc_10000044                ; CMyRecognizer::PreferredBufSize
.text:100005BC                 DCD loc_1000004C                ; CMyRecognizer::SupportedDataTypeL
.text:100005C0                 DCD locret_10000064             ; CMyRecognizer::DoRecognizeL
.text:100005C4                 DCD CApaDataRecognizerType::Reserved_1(void)   ; inherited, not overridden

Page 43

• At last we have the C++ source for the constructor, and from the vtable on the previous page we know each virtual function's entry point:

const TUid MyUid = {0x10001941};

CMyRecognizer::CMyRecognizer()
    : CApaDataRecognizerType(MyUid, 0)
    {
    iCountDataTypes = 1;
    }


Page 44

Reverse mobile malware - CommWarrior

• Okay! We have analyzed the whole MDL file in the CommWarrior sample.

• How does the exe file work? I think you can easily analyze it the same way, but note that the exe file has a CRT start-up stub.

• For more information, please refer to my paper.

• Let's go on, guys!

Page 45

Track Record


Page 46

Track "bad guys" record - 1

• For static analysis, we scan the IAT of the target sample to find out which functions the malware uses, and then do a full analysis with our favourite reversing tool. The advantage is that this identifies infections with high accuracy, but it requires an analyst with good experience and knowledge, and of course it means more work and time.

• To speed things up, we borrow the "sandbox" idea from the PC platform. A sandbox records the suspicious sample's actions automatically, which helps the analyst and gives us more details about the target.

Page 47

Track "bad guys" record - 2

• Based on the analysis of a large number of Symbian malware samples, we found that the following actions are the ones to focus on:

1. File operations
2. SMS/MMS/Bluetooth/Infrared
3. Process changes
4. Telephone
5. Network communication
6. Sensitive data
7. More
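Page 26 told us to dump the IAT before analysis, and the list above says which behaviours matter. The Python script below is an added example, not petran, epocdep or any other tool from this talk, that does both offline: it walks the import section of an uncompressed E32Image (header field offsets as I remember them from e32image.h, shared by the EKA1 and EKA2 v1 layouts, so verify them against the SDK header before trusting results on real samples), refuses a compressed image with a pointer to petran -nocompress, lists the imports under the <LIB>_<ordinal> names IDA would give them, and tallies the imported ordinals per behaviour category. The image it parses is constructed in memory by build_sample_image; the DLL names in it are real Symbian system libraries, but the ordinals, the compression UID value and the DLL-to-category table are assumptions made for the example.

```python
"""Walk the import section of an uncompressed Symbian E32Image and tally the
behaviours its imports imply.  Added example; not petran, epocdep or any tool
from the talk.  Header offsets are from my recollection of e32image.h (EKA1 and
EKA2 v1 E32ImageHeader agree on these): verify against the SDK header."""
import struct

E32_SIGNATURE = b'EPOC'
OFF_SIGNATURE = 0x10        # TUint iSignature ('EPOC')
OFF_COMPRESSION = 0x1C      # EKA2: iCompressionType (EKA1: unused, always 0)
OFF_DLL_REF_COUNT = 0x58    # TInt iDllRefTableCount: number of import blocks
OFF_IMPORT_OFFSET = 0x70    # TUint iImportOffset: file offset of E32ImportSection
HEADER_SIZE = 0x80          # EKA1 header size, used for the constructed sample
KUidCompressionDeflate = 0x101F7AFC   # assumed value; petran -nocompress removes it

# DLL name stem -> behaviour category.  Assumed table for illustration: the DLLs
# are real Symbian system libraries, the grouping is ours.
CATEGORIES = {
    'EFSRV': 'file operation',
    'BTMANCLIENT': 'bluetooth', 'BLUETOOTH': 'bluetooth', 'SDPAGENT': 'bluetooth',
    'IROBEX': 'infrared/OBEX',
    'SMCM': 'SMS', 'MMSCLI': 'MMS', 'MSGS': 'messaging', 'SENDAS': 'messaging',
    'ETEL': 'telephone',
    'ESOCK': 'network', 'INSOCK': 'network', 'HTTP': 'network',
    'APGRFX': 'process/application control', 'APPARC': 'process/application control',
    'EUSER': 'core',
}


def compression_type(image):
    """Compression UID from the header (0 for an uncompressed image)."""
    return struct.unpack_from('<I', image, OFF_COMPRESSION)[0]


def parse_imports(image):
    """{dll_name: [ordinal, ...]} from the E32ImportSection.

    Layout: TInt iSize, then iDllRefTableCount blocks of
    {TUint32 iOffsetOfDllName; TInt iNumberOfImports; TUint32 iImport[n]},
    with name offsets relative to the start of the section."""
    if image[OFF_SIGNATURE:OFF_SIGNATURE + 4] != E32_SIGNATURE:
        raise ValueError('not an E32Image (missing EPOC signature)')
    comp = compression_type(image)
    if comp:
        raise ValueError('compressed image (type 0x%08X): run petran -nocompress first' % comp)
    count = struct.unpack_from('<i', image, OFF_DLL_REF_COUNT)[0]
    base = struct.unpack_from('<I', image, OFF_IMPORT_OFFSET)[0]
    size = struct.unpack_from('<i', image, base)[0]
    pos, imports = base + 4, {}
    for _ in range(count):
        name_off, n = struct.unpack_from('<Ii', image, pos)
        if n < 0 or pos + 8 + 4 * n > base + size:
            raise ValueError('import block overruns the import section')
        ordinals = list(struct.unpack_from('<%dI' % n, image, pos + 8))
        end = image.index(b'\0', base + name_off)          # NUL-terminated name
        imports[image[base + name_off:end].decode('ascii')] = ordinals
        pos += 8 + 4 * n
    return imports


def dll_stem(name):
    """'NAME{version}[uid].DLL' (EKA2) / 'NAME[uid].DLL' (EKA1) / 'NAME.DLL' -> 'NAME'."""
    return name.split('{')[0].split('[')[0].split('.')[0].upper()


def ida_labels(imports):
    """The <LIB>_<ordinal> names IDA gives each import stub."""
    return ['%s_%d' % (dll_stem(d), o) for d, ords in imports.items() for o in ords]


def classify(imports):
    """Count imported ordinals per behaviour category."""
    counts = {}
    for dll, ordinals in imports.items():
        cat = CATEGORIES.get(dll_stem(dll), 'other')
        counts[cat] = counts.get(cat, 0) + len(ordinals)
    return counts


def build_sample_image(imports, compression=0):
    """Construct a minimal E32Image (header + import section, no code) for offline use."""
    blocks, names = b'', b''
    names_start = 4 + sum(8 + 4 * len(o) for o in imports.values())
    for dll, ordinals in imports.items():
        blocks += struct.pack('<Ii', names_start + len(names), len(ordinals))
        blocks += struct.pack('<%dI' % len(ordinals), *ordinals)
        names += dll.encode('ascii') + b'\0'
    section = struct.pack('<i', 4 + len(blocks) + len(names)) + blocks + names
    header = bytearray(HEADER_SIZE)
    header[OFF_SIGNATURE:OFF_SIGNATURE + 4] = E32_SIGNATURE
    struct.pack_into('<I', header, OFF_COMPRESSION, compression)
    struct.pack_into('<i', header, OFF_DLL_REF_COUNT, len(imports))
    struct.pack_into('<I', header, OFF_IMPORT_OFFSET, HEADER_SIZE)
    return bytes(header) + section


# Constructed sample: the DLL names are real system libraries, the ordinals are made up.
SAMPLE_IMPORTS = {
    'EUSER.DLL': [10, 20, 30],
    'EFSRV.DLL': [5, 6],
    'BTMANCLIENT.DLL': [3],
    'IROBEX.DLL': [7, 8],
    'MMSCLI.DLL': [1],
    'APGRFX.DLL': [2],
}

if __name__ == '__main__':
    found = parse_imports(build_sample_image(SAMPLE_IMPORTS))
    print(ida_labels(found))
    for cat, n in sorted(classify(found).items(), key=lambda kv: -kv[1]):
        print('%3d  %s' % (n, cat))
```

On the constructed sample the tally comes out as file, Bluetooth, OBEX, MMS and application-launch imports, which is the CommWarrior profile the SIS and MDL analysis above leads to; on a real sample the same counts tell you, before opening IDA, which of the seven action classes to watch in the sandbox.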

Page 48

Conclusion

• Powerful functionality is a double-edged sword: it gives you tremendous benefit, and at the same time it may harm you. The war always exists, and perhaps only the war keeps us progressing.

• The Symbian company has also recognised this. They are strengthening their system security and making a big effort. Symbian v9.x brings us the dawn: this version introduces a signing mechanism, and every unsigned application is confined to a restricted security ring.

• But that does not mean the war is over. In fact, it is the beginning of a new war. On this smokeless battlefield there is no permanent winner. We will keep up and be ready for the next war to come.

Page 49

Thank you!

Any questions?