When Developers API Simplify User-Mode Rootkits Development – Part II
This series of articles is about the ease with which user-mode rootkits for BlackBerry can be developed.
Published by: Yury Chemerkin on Jul 12, 2012
Copyright:Traditional Copyright: All rights reserved

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF or read online from Scribd
See more
See less

05/13/2014

pdf

 
56
04/2012
MobileSecurity
In a previous article, several cases were mentioned along with ideas on how a mobile rootkit could easily be built at the application level by exploiting API and privilege-escalation vulnerabilities or oversights. The cases covered the top trojans of the last two years, the first being Android Plankton. Instead of giving access to hidden levels of this popular game, the malware sends information about the device to criminals and downloads other malicious programs.

From the Android Market alone, the infected program was downloaded more than 150,000 times, and from alternative sources the number of downloads reached 250,000. Android.Plankton does not exploit known vulnerabilities in the operating system to elevate its own privileges. Instead, it downloads its own service in the background immediately after the launch of the infected application, then begins collecting information about the device and sending it to a remote server.

Another example was the Android malware DroidKungFu. This malware is capable of rooting vulnerable Android phones and may successfully evade detection by current mobile anti-virus software. It was identified in four Android apps that had been circulated among at least eight alternative Chinese app markets and forums. The malware adds a new service and a receiver to the infected app; the receiver is notified when the system finishes booting, so that it can launch the service automatically without user interaction.

The Geinimi trojan includes the capability to:
- read and collect SMS messages;
- send and delete selected SMS messages;
- pull all contact information (number, name, the time they were last contacted) and send it to a remote server;
- place a phone call;
- silently download files;
- launch a web browser with a specific URL.

Geinimi has three different methods of starting itself. The trojan will first launch itself as its own service; the service allows the trojan to run while the host application appears to function normally. The two other ways Geinimi starts revolve around BroadcastReceivers reacting to Android events: for instance, the trojan will wake itself up when an SMS message arrives. Geinimi encrypts its embedded data, payload and all communications; however, the encryption is weak. The values in the request for commands can be used by the command-and-control server to identify information about infected devices, and the longitude and latitude can then be used to track the location of a specific user. The trojan also gathers a list of applications and their activities on the device, sends an SMS to any recipient, deletes SMSs, lists SMSs to specific contacts, lists contacts and their information, calls any number, silently downloads files and launches a web browser with a specific URL.

An SMS trojan called Trojan-SMS.AndroidOS.FakePlayer, once installed, sends out SMS messages without the user's knowledge or consent. Users are prompted to install a small file of around 13 KB (have you ever seen such a small media player?). The trojan bundled with it then begins texting premium-rate phone numbers. The criminals are actually the ones
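The three Android cases above share one application-level pattern: a BroadcastReceiver that fires on boot or on an incoming SMS, a service it can launch, and the permissions behind SMS, contact and call abuse. The following static triage script is an added example written for this edit, not code from the article or from any of the malware families; it parses a decoded AndroidManifest.xml (for example as produced by apktool) and scores that pattern. The three manifests embedded at the bottom are constructed for the example, and the scoring thresholds are an assumption chosen for illustration rather than a published rule.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# Intent actions the trojans described above use to start without user interaction.
AUTOSTART_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",      # DroidKungFu-style boot receiver
    "android.provider.Telephony.SMS_RECEIVED",   # Geinimi-style SMS wake-up
}
# Permissions that back the capabilities listed for Geinimi and FakePlayer.
SENSITIVE_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.CALL_PHONE",
    "android.permission.ACCESS_FINE_LOCATION",
}


def triage_manifest(xml_text):
    """Score one decoded AndroidManifest.xml for the autostart + service +
    sensitive-permission pattern and return the evidence with a verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    app = root.find("application")
    receivers, services = [], []
    if app is not None:
        for r in app.iter("receiver"):
            actions = {a.get(NAME) for a in r.iter("action")}
            hit = actions & AUTOSTART_ACTIONS
            if hit:
                receivers.append((r.get(NAME), sorted(hit)))
        services = [s.get(NAME) for s in app.iter("service")]
    sensitive = sorted(perms & SENSITIVE_PERMS)

    # Heuristic score (assumed thresholds): a boot/SMS receiver is the strongest
    # single signal, a service it can launch completes the DroidKungFu pattern,
    # and up to three sensitive permissions add weight.
    score = 0
    if receivers:
        score += 2
        if services:
            score += 1
    score += min(len(sensitive), 3)
    verdict = "suspicious" if score >= 4 else "review" if score >= 2 else "clean"
    return {
        "score": score,
        "verdict": verdict,
        "autostart_receivers": receivers,
        "services": services,
        "sensitive_permissions": sensitive,
    }


# Constructed sample manifests (not taken from any real application).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Player">
    <activity android:name="com.example.player.MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>"""

TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Player">
    <activity android:name="com.example.player.MainActivity"/>
    <receiver android:name="com.example.player.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name="com.example.player.UpdateService"/>
  </application>
</manifest>"""

SYNC_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sync">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Sync">
    <receiver android:name="com.example.sync.BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name="com.example.sync.SyncService"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_MANIFEST), ("trojanized", TROJANIZED_MANIFEST), ("sync", SYNC_MANIFEST)):
        print(label, triage_manifest(text))
```

The sync-client manifest is included on purpose: a boot receiver plus a service is also what a legitimate background-sync app looks like, so the heuristic only returns "review" for it and reserves "suspicious" for the combination with SMS, contact, call or location permissions. Treat the output as a triage queue for manual review, not as a detection verdict.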
www.hakin9.org/en
Listing 1. API routines used to design the malware "MEDIA PLAYER IO (Input/Output)"

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.OutputStream;
import javax.microedition.io.Connector;
import javax.microedition.io.file.FileConnection;
import net.rim.device.api.io.IOUtilities;
```
Listing 2a. Code example: how to read and write files [malware "MEDIA PLAYER IO (Input/Output)"]

```java
// FullName includes the full path to the file, with file name and file extension.
public static byte[] readFile(String FullName) {
    byte[] data = null;           // array of data you want to return (read)
    FileConnection fconn = null;
    DataInputStream is = null;
    try {
        fconn = (FileConnection) Connector.open(FullName, Connector.READ);
        is = fconn.openDataInputStream();
        data = IOUtilities.streamToBytes(is);
    } catch (IOException e) {
    } finally {
        try {
            if (null != is) {
                is.close();
            }
            if (null != fconn) {
                fconn.close();
            }
        } catch (IOException e) {
        }
    }
    return data;
}

// FullName includes the full path to the file, with file name and file extension;
// data is the array you want to put into the file.
public static void writeFile(String FullName, byte[] data) {
    FileConnection fconn = null;
    OutputStream os = null;
    try {
        fconn = (FileConnection) Connector.open(FullName, Connector.READ_WRITE);
        if (!fconn.exists()) { // create the file if one doesn't exist
            fconn.create();
        }
        // The listing is cut off at this point on the source page; the remainder
        // follows the same JSR-75 FileConnection pattern as readFile above.
        os = fconn.openOutputStream();
        os.write(data);
        os.flush();
    } catch (IOException e) {
    } finally {
        try {
            if (null != os) {
                os.close();
            }
            if (null != fconn) {
                fconn.close();
            }
        } catch (IOException e) {
        }
    }
}
```
