SlideShare una empresa de Scribd logo

Defeating spyware and forensics on the black berry draft

idsecconf
idsecconf

Mobile Malware defense and possibly Anti-forensics - Sheran Gunasekera

Tecnología
1 de 6
Descargar para leer sin conexión
Defeating Spyware & Forensic Acquisition on BlackBerry Handhelds Sheran A. Gunasekera ZenConsult Labs http://chirashi.zensay.com E-mail: sheran@zenconsult.net ABSTRACT Malware has proven to be the scourge of the converging desktop and mobile ecosystems. With more powerful mobile devices, comes the proportionate growth of a myriad of malware. Traditionally, malware on the desktop platform has been thought to be the work of individuals out to make their mark on society and find their 15 minutes of notoriety. This is no longer the case. Malware is now used for anything from organized crime[1] to spying on cheating spouses. Commercial entities have made their business models around the sale of ‘commercial spyware’ designed to put the power of spying into the hands of the layperson [2,3]. Other companies maintain a low-profile and sell similar products only to law enforcement agencies. [4,5] The foundation on which all of these malware products is built is the exfiltration of relevant information. Whether it is email, call records or GPS co-ordinates, data is collected and forwarded either at timed intervals or in real-time to a collection end-point. This paper discusses some of the key points of how to render this collected information useless. To counter malware, the traditional approach has been to develop detection and removal tools. This has limits in that only known malware can be detected. An alternate approach is to feed malware with an abundance of useless information or a significantly reduced Signal-to-noise ratio. This paper will discuss and provide examples of how such a technique can be implemented on a BlackBerry handheld. INTRODUCTION Malware on a BlackBerry handheld operates in a predictable manner. Third party applications will run in a sandboxed environment with many granular controls and permissions that limit its functional capabilities. So why then does malware thrive on the platform? Because a user is still required to administer these controls or permissions. Invariably, a user’s ‘click-through-to-reach-your-goal’ attitude will have pop-up windows with requests for permission to be granted. Blaming a user is not going to solve the problem. Educating the user is. Providing a user with free tools to detect spyware is another way to solve the problem. However, letting a user continue to use his device with little to no intervention while at the same time confounding the people spying on him seems by far a more elegant solution. To properly understand how to achieve this, a good understanding of how malware works is necessary. Next, knowledge of data repositories within the BlackBerry handheld need to be identified and altered in a manner that will not inconvenience the end-user, but will significantly reduce the Signal-to-noise ratio for the data-collector. These are all topics that will be covered in this paper. As a bonus, techniques on hampering a forensic investigation of the device will be included. ACTORS Lets first identify the actors in this ecosystem. There is the end-user who is the owner of the device and the information contained therein. Then there is the data-collector or spy who will be the person or entity collecting and sifting through the end-user’s information without his consent. HOW MALWARE WORKS For the purposes of this paper, the term malware is used to mean malicious applications installed on an end-user’s device to collect and extract private information without consent. Malware usually targets several information repositories on the BlackBerry handheld and will go after specific types of information. These repositories are listed in Table 1 below: Repository Type of Information Email Folders Incoming & outgoing email messages SMS/MMS Folders** Incoming & outgoing Short Messages and Multimedia Messages Call History Log Incoming & outgoing phone call numbers and call durations Phone Book Contact information like name, address, phone number BlackBerry Messenger Chats Incoming & outgoing instant messages exchanged between users or groups GPS Module** Physical location of the handset and end- user Table 1. Information Repositories ** It is not entirely possible to defeat malware that hooks these repositories. The BlackBerry API consists of a set of Listeners that aid the developer in writing event-driven applications. Listeners alert the program when certain tasks take place. In the repositories listed in Table 1, every repository can have a Listener added to run some code when an event is received. Due to a bug, either deliberate or inadvertent, the BlackBerry Messenger Listener does not work to its fullest capability and thus alternate methods are generally used by the malware vendors. MALWARE CRIPPLING TECHNIQUES The premise of this paper is to discuss new or alternate methods for defeating malware. Rather than attempting to find and remove the malware, these techniques attack the source of information that the malware is attempting to capture. These techniques will poison the information stores in a manner that only affects malware (Fig. 1). This will serve to reduce the quality of information presented to a data-collector. The cost to the end-user is minimized. Some of the techniques described may elicit unexpected behavior from malware which
further serves to alert the end-user that, ‘something is not right’ with the handheld. Arbitrary Data Source Artificial Data Source Malware Real Information Fake Information Fig. 1 - Poisoning the data POEPFLOOD POEP, which stands for Phony Object Escalation Process, is a technique that can be used to introduce an overwhelming amount of false data to a watched resource. For example, if malware is watching a folder and collecting objects that are introduced to this folder, then conducting a POEPFlood attack will initiate the process of adding collections of fake objects to this watched folder in increasing order of magnitude. This results in the malware collecting not only legitimate objects, but fake ones as well. This large amount of false positives provides a diluting effect on legitimate information and if done correctly, will make the data-collector’s task very difficult. An attacker that hopes to spy on a device like this will have to sift through hundreds or thousands of pieces of inaccurate, irrelevant data. This achieves the goal of reducing the Signal- to-noise ratio. PWNGOAL PWNGoal is a flooding attack where certain sacrifices will need to be made such as financial expenditure. The idea of the PWNGoal attack is to create an Artificial Data Source (Fig. 1) using the help of a third party. This attack will be most useful when it is not feasible to create an Artificial Data Store on the BlackBerry device. For example, consider the case where SMS or MMS messages need to be spoofed. The two main ways to achieve this are 1) Write a routine where the handheld sends messages to itself 2) Use a third party messaging gateway to generate these messages. The accompanying source code covers scenario 1). Scenario 2) is currently beyond the scope of this paper. Either way, an additional cost is incurred in either sending SMS messages through the carrier or cost of messages on the messaging gateway. DDTS The DDTS technique, or Don’t Drop The Soap technique, is better suited to defeating a forensic analysis of the BlackBerry handheld. This technique can be used to disallow or prevent access to the USB Port on the BlackBerry handheld. Generally, a forensic analysis will aim to gather information from the BlackBerry through the USB Port. DDTS will watch for any connections to the USB Port and take appropriate action when one is detected. This can be achieved by setting an IOPortListener or USBPortListener and triggering an action when a connectionRequested(). Alternatively, setting a S y s t e m L i s t e n e r 2 a n d t r i g g e r i n g a n a c t i o n o n usbConnectionStateChange() is also a possibility. The DDTS technique by itself often serves no purpose. Instead, DDTS should be coupled with one of the other types of attacks so that appropriate action can be taken when a USB Connection is requested. Typically, a complete DDTS attack will employ a POEPFlood, PWNGoal or FMLog attack to destroy or overwrite the contents of a BlackBerry handheld. FMLog The FMLog attack or Flush My Log attack is another technique used to defeat forensic analysis of BlackBerry devices. The BlackBerry handheld has a built-in event logging mechanism that system and third-party applications can write to. This event log can be viewed on the BlackBerry handheld by invoking the key combination <ALT> + LGLG (Holding down the Alt key and type LGLG). The entire size of this log is 16Kb [ref to log size] and any third party application can write to this log using the EventLogger class on the device. To conduct this attack, a timed process that writes more than 16Kb of data to the log is all that is required. Further, this attack can be enhanced by using the DDTS attack to only flush the log when a USB cable is connected to the handheld. Figure 2 and 3 depicts a ‘before’ and ‘after’ look at the FMLog attack. Event Log Log Entry 1 Log Entry 2 Log Entry3 Log Entry n-2 Log Entry n-1 Log Entry n ... 16Kb Log Size New entries written to the bottom Old entries are ejected Fig. 2 - Event Log operation before FMLog attack Event Log Log Entry 1 Crap Crap Crap Crap Crap ... 16Kb Log Size FMLog attack writes fake data Valid Entries are deleted Fig. 3 - Event Log operation after FMLog attack EMAIL Malware Operations
Typically, BlackBerry based malware will operate by making use of the FolderListener [6] to watch specific mail folders. By then acting on either a messagesAdded() or messagesRemoved() method, specific trigger code can be executed. Often, the Inbox and Outbox (sent items) are watched for incoming and outgoing messages respectively. In this case, the messagesAdded() function is what is of most interest. A typical example of a code snippet would look something like the one in Code Snippet 1 below: Code Snippet 1 - Trigger on messagesAdded() For the sake of maintaining clarity, the code for the EvilSpywareModule has been omitted. Assume for the moment that this module’s sole purpose is to capture and exfiltrate data. Rendered graphically, this entire process may look something like the diagram depicted in Figure 4. CMIME Mail Store Inbox Outbox Misc Hooks folders through FolderListener Exfiltration Engine Captured Email trigger on messagesAdded() Fig. 4 - Malware Mail Capture The BlackBerry handheld has as many mail stores as there are email accounts configured. These mail stores can be enumerated by looking for a specific type of ServiceBook [7] that is of type CMIME. Then it is a matter of enumerating all the folders and looking for the Inbox and Outbox before hooking them using the FolderListener. How to defeat By using the same principle of hooking folders, it is possible to defeat malware using the techniques discussed previously. The POEPFlood technique is ideally suited to defeating malware targeting email. The process summary may look like this: (1)Setup a FolderListener on appropriate folders that require poisoning. (2)Prepare a function that will place a configurable, high- number of arbitrarily generated email messages in these folders. (3)Designate how the function from (2) will fire; would it be on a messagesAdded(), or randomly timed (4)Once (2) is fired, ensure to clean up the folders of fake data so as not to affect the end-user It is worthwhile noting that step (2) above will carry the largest amount of code and will contain the logic to generate fake data in a manner capable of defeating malware. Refer to the accompanying source code for details on how to prepare this logic. Some things to remember when conducting a POEPFlood attack on email: (1)Create fake emails based on real ones. For example, browse through the existing message store and randomly pick subject lines to use. (2)Fill the email message body with random, but proper words. One idea would be to fetch text from several different Internet sites. Another would be to collect random words from emails already in the folders. (3)As with (1) above, use email addresses as those found in the existing information store, but make changes to them to mask true identities. This can be optional. The key is to make the poisoned email flood look as legitimate as the real emails. This will prevent a data-collector from running automated filtering tools. The goal is to have the data-collector wade through and waste time by reading completely useless information. CMIME Mail Store Inbox Outbox Misc trigger on messagesAdded() Hooks folders through FolderListener Exfiltration Engine Overwhelming POEPFlood of email POEPFlooder Poisoned Email Fig. 5 - POEPFlood Attack on Email A practical, albeit worthless, attack example is shown in the source code snippet below. It is deemed worthless at this moment because it does not contain any logic to help make the fake emails more legitimate. It is a simple iterator generating 10 emails with a similar ‘TO’ header.
Code Snippet 2 - Email Flooding Example SMS Malware Operations There is more than one way that all incoming SMS messages can be captured. These are the recommended methods [8]: (1)Use a MessageConnection by implementing the javax.wireless.messaging.MessageListener interface. (2)U s e a D a t a g r a m C o n n e c t i o n f r o m t h e javax.microedition.io package. (3)U s e a M e s s a g e C o n n e c t i o n f r o m t h e javax.wireless.messaging package. During tests conducted for this paper, the MessageListener method was used (see Code Snippet 3). Code Snippet 3 - Inbound SMS Interception How to defeat Even on examining the BlackBerry OS 7 API, there seems to be no precise way of poisoning the SMS or MMS message stores. This is due to the way that SMS messages are captured. The MessageListener interface allows for capturing when a message is received and before it is placed into a folder. Thus, conducting an attack like the POEPFlood will not work since this attack relies on poisoning a folder structure. One approach would be to consider the PWNGoal attack. As mentioned previously, the PWNGoal attacks may incur additional charges beyond that of the BlackBerry data & call package. Thus, due consideration should be given when using this attack. It is also worthwhile noting that PWNGoal attacks for SMS can be easily filtered by the data-collector due to the single number it is being received from. Obviously, the more resources dedicated to the attack will increase the chances of reducing the quality of collectible data. CALL HISTORY Malware Operations The Call History repository logs all incoming, outgoing and missed phone calls on the BlackBerry handheld. It is another repository of interest for malware and forensic analysts. The PhoneLogListener can be used to access the Call History on a BlackBerry handheld (see Code Snippet 3).
Code Snippet 4 - Call History Interception How to defeat Similar to Email, it is possible to arbitrarily introduce fake phone calls to the device Call History. To defeat malware, a POEPFlood provides the best mechanism for attack. To conduct a Call History POEPFlood, it is possible to periodically introduce fake phone calls by calling the PhoneLogs.addCall() method. As soon as this method is c a l l e d , i t w i l l t r i g g e r t h e m a l w a r e ’ s PhoneLogListener.callLogAdded() method and thus provides the opportunity to POEPFlood. Similarly, the callLogRemoved() and callLogUpdated() methods are open to attack in the same manner. When attempting to defeat a forensic analysis, a DDTS/ POEPFlood attack would prove useful. DDTS will detect when a USB connection is requested and immediately start a POEPFlood attack on the Call History repository. This will ensure that the Call History database is overwritten, or at least full of low quality information. Code Snippet x provides the source code for flooding the Call Log history: Code Snippet 5 - Flooding Call History PHONE BOOK Malware Operations The Phone Book or contact list of a BlackBerry handheld can be fair game for malware and forensic analysts alike. For data-collectors, the Phone Book provides an insight into the connections and acquaintances of an end-user. For forensic analysts, it provides a way to connect suspects to other suspects. Malware will be interested in the PIMListener interface to trigger code on the itemAdded(), itemRemoved() and itemUpdated() methods. How to defeat Defeating malware watching the Phone Book can be as easy as conducting a POEPFlood on specific PIMList instances. The base PIMList class has the methods createContact(), importContact() and removeContact(). By periodically calling these functions using POEP, it is possible to feed malware with fake objects that it will log. PIMLists themselves are divided into many different types. There can be Contact Lists, Memo Lists and To Do Lists. For the purposes of this paper, the Contact List is what is most useful. The following code snippet gives an example of how a contact can be programmatically added to the Contact List: Code Snippet 6 - Appending to the Contact List BLACKBERRY MESSENGER Malware Operations The BlackBerry Messenger service (up to version 5.0 ) has had a long standing bug [9] that does not allow developers to use its Listener interfaces. The result of attempting to obtain a BlackBerry Messenger Instance is a null response. Since version 5.0 however, the concept of backing up BlackBerry Messenger chats locally on the filesystem has been introduced. By enabling this capability, malware can hook the filesystem and watch for any changes to a specific directory or file. Then it can act whenever changes to the filesystem are made. The BlackBerry Messenger backup file is a simple CSV file that remains on the device in an unencrypted state. An example of the contents of such a backup file is depicted in Figure 6 below: Fig. 6 - A BlackBerry Messenger Conversation
This file is found under the “BlackBerry/im/BlackBerry Messenger/<Device PIN>/history” folder. As per the Fig x above, the various fields in this file are Date/Time, Sender PIN, Recipient PIN and message respectively. Code Snippet 7 shows one approach that malware use to hook the file system: Code Snippet 7 - Malware hooking the filesystem How to defeat The simplest method for defeating malware capturing BlackBerry Messages is to hook the file system journal again and write all the legitimate changes to this file to a separate file. Simultaneously, the legitimate file is flooded with fake data which the malware will collect. This type of approach will guarantee that the data-collector has to wade through a significant amount of irrelevant information before making sense of the conversation. GPS MODULE Malware Operations BlackBerry devices that have the hardware capabilities can provide location based services through its on-board GPS chip. The functionality is controlled through several APIs from the javax.microedtion.location package. The most important piece of information for malware to capture are the GPS co-ordinates comprising of the Latitude and Longitude of the device. Newer BlackBerry devices may also have the opportunity to collect information about heading and speed. To collect periodic GPS co-ordinates from the device, the easiest process is to hook the LocationListener and read the events as fired from the locationUpdated() method. ACKNOWLEDGEMENTS The author would like to acknowledge the pioneering work done by The Grugq in the field of Anti-Forensics. His seminal work, The Art of Defiling provided most of the inspiration for this paper. REFERENCES [1] Zeus Malware - http://en.wikipedia.org/wiki/ Zeus_(trojan_horse) [2] Flexispy Commercial Malware - http:// www.flexispy.com/ [3] MobileSpy Commercial Malware - http://www.mobile- spy.com/ [4] HackingTeam Remote Control System - http:// www.hackingteam.it/index.php/remote-control-system [5] Fixmo Sentinel - http://www.fixmo.com/products/ fixmo-sentinel/ [6] BlackBerry OS 5 API FolderListener - http:// www.blackberry.com/developers/docs/5.0.0api/net/rim/ blackberry/api/mail/event/FolderListener.html [7] Service Books: http://na.blackberry.com/eng/ deliverables/2584/about_service_books_32170_11.jsp and http://www.berryreview.com/2009/01/22/faq-explanation-of- each-blackberry-service-book-type/ [8] SMS Interception Methods - http:// supportforums.blackberry.com/t5/tkb/articleprintpage/tkb-id/ java_dev@tkb/article-id/207 [9] BlackBerry Messenger Bug (Requires Free Developer Account) - https://www.blackberry.com/jira/browse/ JAVAAPI-508

Recomendados

The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
Ntewrok secuirty cs1
Ntewrok secuirty cs1Ntewrok secuirty cs1
Ntewrok secuirty cs1Infinity Tech Solutions
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internetRohan Bharadwaj
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3IJERA Editor
 
Detection and prevention of keylogger spyware attacks
Detection and prevention of keylogger spyware attacksDetection and prevention of keylogger spyware attacks
Detection and prevention of keylogger spyware attacksIAEME Publication
 
Types of attacks and threads
Types of attacks and threadsTypes of attacks and threads
Types of attacks and threadssrivijaymanickam
 
COUNTERMEASURE TOOL - CARAPACE FOR NETWORK SECURITY
COUNTERMEASURE TOOL - CARAPACE FOR NETWORK SECURITYCOUNTERMEASURE TOOL - CARAPACE FOR NETWORK SECURITY
COUNTERMEASURE TOOL - CARAPACE FOR NETWORK SECURITYIJNSA Journal
 
Internet Security
Internet SecurityInternet Security
Internet SecurityJainamParikh3
 

Recomendados

The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
Ntewrok secuirty cs1
Ntewrok secuirty cs1Ntewrok secuirty cs1
Ntewrok secuirty cs1Infinity Tech Solutions
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internetRohan Bharadwaj
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3IJERA Editor
 
Detection and prevention of keylogger spyware attacks
Detection and prevention of keylogger spyware attacksDetection and prevention of keylogger spyware attacks
Detection and prevention of keylogger spyware attacksIAEME Publication
 
Types of attacks and threads
Types of attacks and threadsTypes of attacks and threads
Types of attacks and threadssrivijaymanickam
 
COUNTERMEASURE TOOL - CARAPACE FOR NETWORK SECURITY
COUNTERMEASURE TOOL - CARAPACE FOR NETWORK SECURITYCOUNTERMEASURE TOOL - CARAPACE FOR NETWORK SECURITY
COUNTERMEASURE TOOL - CARAPACE FOR NETWORK SECURITYIJNSA Journal
 
Internet Security
Internet SecurityInternet Security
Internet SecurityJainamParikh3
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.pptshreyng
 
Wi-Fi password stealing program using USB rubber ducky
Wi-Fi password stealing program using USB rubber duckyWi-Fi password stealing program using USB rubber ducky
Wi-Fi password stealing program using USB rubber duckyTELKOMNIKA JOURNAL
 
Network security unit 4,5,6
Network security unit 4,5,6 Network security unit 4,5,6
Network security unit 4,5,6 WE-IT TUTORIALS
 
Network security interview questions &amp; answers
Network security interview questions &amp; answersNetwork security interview questions &amp; answers
Network security interview questions &amp; answersSimpliv LLC
 
THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...
THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...
THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...IJCNCJournal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
International Conference On Electrical and Electronics Engineering
International Conference On Electrical and Electronics EngineeringInternational Conference On Electrical and Electronics Engineering
International Conference On Electrical and Electronics Engineeringanchalsinghdm
 
SMB Guide-to-Ransomware
SMB Guide-to-RansomwareSMB Guide-to-Ransomware
SMB Guide-to-RansomwareDave Augustine
 
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...RSIS International
 
Recognizing security threats
Recognizing security threatsRecognizing security threats
Recognizing security threatsKishore Kumar
 
1 ijaems sept-2015-3-different attacks in the network a review
1 ijaems sept-2015-3-different attacks in the network a review1 ijaems sept-2015-3-different attacks in the network a review
1 ijaems sept-2015-3-different attacks in the network a reviewINFOGAIN PUBLICATION
 
UNIT IV:Security Measurement Strategies
UNIT IV:Security Measurement StrategiesUNIT IV:Security Measurement Strategies
UNIT IV:Security Measurement StrategiesArnav Chowdhury
 
Intrusion Detection and Prevention System in an Enterprise Network
Intrusion Detection and Prevention System in an Enterprise NetworkIntrusion Detection and Prevention System in an Enterprise Network
Intrusion Detection and Prevention System in an Enterprise NetworkOkehie Collins
 
Ns unit 6,7,8
Ns unit 6,7,8Ns unit 6,7,8
Ns unit 6,7,8Shruthi Reddy
 
eForensics_17_2013_KMOKER
eForensics_17_2013_KMOKEReForensics_17_2013_KMOKER
eForensics_17_2013_KMOKERKevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Spiffy Spyware Stuff
Spiffy Spyware StuffSpiffy Spyware Stuff
Spiffy Spyware Stuffn|u - The Open Security Community
 
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Comparative Study of Fileless Ransomware
Comparative Study of Fileless RansomwareComparative Study of Fileless Ransomware
Comparative Study of Fileless Ransomwareijtsrd
 
Network monitoring white paper
Network monitoring white paperNetwork monitoring white paper
Network monitoring white paperImaging Network Technology, LLC
 
Security News bytes October 2013
Security News bytes October 2013Security News bytes October 2013
Security News bytes October 2013n|u - The Open Security Community
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiSTO STRATEGY
 
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of CompromiseInsight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise21CT Inc.
 

Más contenido relacionado

La actualidad más candente

Final project.ppt
Final project.pptFinal project.ppt
Final project.pptshreyng
 
Wi-Fi password stealing program using USB rubber ducky
Wi-Fi password stealing program using USB rubber duckyWi-Fi password stealing program using USB rubber ducky
Wi-Fi password stealing program using USB rubber duckyTELKOMNIKA JOURNAL
 
Network security unit 4,5,6
Network security unit 4,5,6 Network security unit 4,5,6
Network security unit 4,5,6 WE-IT TUTORIALS
 
Network security interview questions &amp; answers
Network security interview questions &amp; answersNetwork security interview questions &amp; answers
Network security interview questions &amp; answersSimpliv LLC
 
THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...
THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...
THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...IJCNCJournal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
International Conference On Electrical and Electronics Engineering
International Conference On Electrical and Electronics EngineeringInternational Conference On Electrical and Electronics Engineering
International Conference On Electrical and Electronics Engineeringanchalsinghdm
 
SMB Guide-to-Ransomware
SMB Guide-to-RansomwareSMB Guide-to-Ransomware
SMB Guide-to-RansomwareDave Augustine
 
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...RSIS International
 
Recognizing security threats
Recognizing security threatsRecognizing security threats
Recognizing security threatsKishore Kumar
 
1 ijaems sept-2015-3-different attacks in the network a review
1 ijaems sept-2015-3-different attacks in the network a review1 ijaems sept-2015-3-different attacks in the network a review
1 ijaems sept-2015-3-different attacks in the network a reviewINFOGAIN PUBLICATION
 
UNIT IV:Security Measurement Strategies
UNIT IV:Security Measurement StrategiesUNIT IV:Security Measurement Strategies
UNIT IV:Security Measurement StrategiesArnav Chowdhury
 
Intrusion Detection and Prevention System in an Enterprise Network
Intrusion Detection and Prevention System in an Enterprise NetworkIntrusion Detection and Prevention System in an Enterprise Network
Intrusion Detection and Prevention System in an Enterprise NetworkOkehie Collins
 
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Comparative Study of Fileless Ransomware
Comparative Study of Fileless RansomwareComparative Study of Fileless Ransomware
Comparative Study of Fileless Ransomwareijtsrd
 

La actualidad más candente (18)

Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
 
Wi-Fi password stealing program using USB rubber ducky
Wi-Fi password stealing program using USB rubber duckyWi-Fi password stealing program using USB rubber ducky
Wi-Fi password stealing program using USB rubber ducky
 
Network security unit 4,5,6
Network security unit 4,5,6 Network security unit 4,5,6
Network security unit 4,5,6
 
Network security interview questions &amp; answers
Network security interview questions &amp; answersNetwork security interview questions &amp; answers
Network security interview questions &amp; answers
 
THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...
THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...
THE METHOD OF DETECTING ONLINE PASSWORD ATTACKS BASED ON HIGH-LEVEL PROTOCOL ...
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
International Conference On Electrical and Electronics Engineering
International Conference On Electrical and Electronics EngineeringInternational Conference On Electrical and Electronics Engineering
International Conference On Electrical and Electronics Engineering
 
SMB Guide-to-Ransomware
SMB Guide-to-RansomwareSMB Guide-to-Ransomware
SMB Guide-to-Ransomware
 
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...A comprehensive survey ransomware attacks prevention, monitoring and damage c...
A comprehensive survey ransomware attacks prevention, monitoring and damage c...
 
Recognizing security threats
Recognizing security threatsRecognizing security threats
Recognizing security threats
 
1 ijaems sept-2015-3-different attacks in the network a review
1 ijaems sept-2015-3-different attacks in the network a review1 ijaems sept-2015-3-different attacks in the network a review
1 ijaems sept-2015-3-different attacks in the network a review
 
UNIT IV:Security Measurement Strategies
UNIT IV:Security Measurement StrategiesUNIT IV:Security Measurement Strategies
UNIT IV:Security Measurement Strategies
 
Intrusion Detection and Prevention System in an Enterprise Network
Intrusion Detection and Prevention System in an Enterprise NetworkIntrusion Detection and Prevention System in an Enterprise Network
Intrusion Detection and Prevention System in an Enterprise Network
 
Ns unit 6,7,8
Ns unit 6,7,8Ns unit 6,7,8
Ns unit 6,7,8
 
eForensics_17_2013_KMOKER
eForensics_17_2013_KMOKEReForensics_17_2013_KMOKER
eForensics_17_2013_KMOKER
 
Spiffy Spyware Stuff
Spiffy Spyware StuffSpiffy Spyware Stuff
Spiffy Spyware Stuff
 
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
 
Comparative Study of Fileless Ransomware
Comparative Study of Fileless RansomwareComparative Study of Fileless Ransomware
Comparative Study of Fileless Ransomware
 

Similar a Defeating spyware and forensics on the black berry draft

When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiSTO STRATEGY
 
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of CompromiseInsight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise21CT Inc.
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiYury Chemerkin
 
Meet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportMeet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportEran Goldstein
 
FNC Corporate Protect Workshop
FNC Corporate Protect WorkshopFNC Corporate Protect Workshop
FNC Corporate Protect Workshopforensicsnation
 
03.fnc corporate protect workshop new
03.fnc corporate protect workshop new03.fnc corporate protect workshop new
03.fnc corporate protect workshop newforensicsnation
 
Known Knowns, Unknown Unknowns and Anti Virus stuff yadayadayada
Known Knowns, Unknown Unknowns and Anti Virus stuff yadayadayadaKnown Knowns, Unknown Unknowns and Anti Virus stuff yadayadayada
Known Knowns, Unknown Unknowns and Anti Virus stuff yadayadayadanamblasec
 
4.content (computer forensic)
4.content (computer forensic)4.content (computer forensic)
4.content (computer forensic)JIEMS Akkalkuwa
 
Pocket virus threat
Pocket virus threatPocket virus threat
Pocket virus threatAli J
 
mobile security.pptx
mobile security.pptxmobile security.pptx
mobile security.pptxTapan Khilar
 
Cyber Crime Multi-State Information Sharing and Analysis Center
Cyber Crime Multi-State Information Sharing and Analysis CenterCyber Crime Multi-State Information Sharing and Analysis Center
Cyber Crime Multi-State Information Sharing and Analysis Center- Mark - Fullbright
 
When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.Yury Chemerkin
 
Report of android hacking
Report of android hackingReport of android hacking
Report of android hackingdiv2345
 
Information System for Manager solution.pdf
Information System for Manager solution.pdfInformation System for Manager solution.pdf
Information System for Manager solution.pdfDiamondPlastics
 
Bitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat ControlBitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat ControlJose Lopez
 
Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Joseph White MPA CPM
 
A Survey of Keylogger in Cybersecurity Education
A Survey of Keylogger in Cybersecurity EducationA Survey of Keylogger in Cybersecurity Education
A Survey of Keylogger in Cybersecurity Educationijtsrd
 

Similar a Defeating spyware and forensics on the black berry draft (20)

Network monitoring white paper
Network monitoring white paperNetwork monitoring white paper
Network monitoring white paper
 
Security News bytes October 2013
Security News bytes October 2013Security News bytes October 2013
Security News bytes October 2013
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of CompromiseInsight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 
Meet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis ReportMeet the potnet - AboutAndroid | Malware Analysis Report
Meet the potnet - AboutAndroid | Malware Analysis Report
 
FNC Corporate Protect Workshop
FNC Corporate Protect WorkshopFNC Corporate Protect Workshop
FNC Corporate Protect Workshop
 
03.fnc corporate protect workshop new
03.fnc corporate protect workshop new03.fnc corporate protect workshop new
03.fnc corporate protect workshop new
 
FNC Corporate Protect
FNC Corporate ProtectFNC Corporate Protect
FNC Corporate Protect
 
Known Knowns, Unknown Unknowns and Anti Virus stuff yadayadayada
Known Knowns, Unknown Unknowns and Anti Virus stuff yadayadayadaKnown Knowns, Unknown Unknowns and Anti Virus stuff yadayadayada
Known Knowns, Unknown Unknowns and Anti Virus stuff yadayadayada
 
4.content (computer forensic)
4.content (computer forensic)4.content (computer forensic)
4.content (computer forensic)
 
Pocket virus threat
Pocket virus threatPocket virus threat
Pocket virus threat
 
mobile security.pptx
mobile security.pptxmobile security.pptx
mobile security.pptx
 
Cyber Crime Multi-State Information Sharing and Analysis Center
Cyber Crime Multi-State Information Sharing and Analysis CenterCyber Crime Multi-State Information Sharing and Analysis Center
Cyber Crime Multi-State Information Sharing and Analysis Center
 
When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.
 
Report of android hacking
Report of android hackingReport of android hacking
Report of android hacking
 
Information System for Manager solution.pdf
Information System for Manager solution.pdfInformation System for Manager solution.pdf
Information System for Manager solution.pdf
 
Bitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat ControlBitdefender - Solution Paper - Active Threat Control
Bitdefender - Solution Paper - Active Threat Control
 
Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014Target Data Breach Case Study 10242014
Target Data Breach Case Study 10242014
 
A Survey of Keylogger in Cybersecurity Education
A Survey of Keylogger in Cybersecurity EducationA Survey of Keylogger in Cybersecurity Education
A Survey of Keylogger in Cybersecurity Education
 

Más de idsecconf

idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf
 
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf
 
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf
 
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf
 
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf
 
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf
 
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfAli - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfidsecconf
 
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...idsecconf
 
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfRama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfidsecconf
 
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...idsecconf
 
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfNosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfidsecconf
 
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...idsecconf
 
Utian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfUtian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfidsecconf
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...idsecconf
 
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika TriwidadaPerkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidadaidsecconf
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullahidsecconf
 
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaHacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaidsecconf
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...idsecconf
 
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi DwiantoDevsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwiantoidsecconf
 

Más de idsecconf (20)

idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
 
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
 
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
 
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
 
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
 
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
 
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfAli - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
 
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
 
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfRama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
 
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
 
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfNosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
 
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...
 
Utian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfUtian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdf
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...
 
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika TriwidadaPerkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullah
 
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaHacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
 
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi DwiantoDevsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
 

Último

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 

Último (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 

Defeating spyware and forensics on the black berry draft

  • 1. Defeating Spyware & Forensic Acquisition on BlackBerry Handhelds Sheran A. Gunasekera ZenConsult Labs http://chirashi.zensay.com E-mail: sheran@zenconsult.net ABSTRACT Malware has proven to be the scourge of the converging desktop and mobile ecosystems. With more powerful mobile devices, comes the proportionate growth of a myriad of malware. Traditionally, malware on the desktop platform has been thought to be the work of individuals out to make their mark on society and find their 15 minutes of notoriety. This is no longer the case. Malware is now used for anything from organized crime[1] to spying on cheating spouses. Commercial entities have made their business models around the sale of ‘commercial spyware’ designed to put the power of spying into the hands of the layperson [2,3]. Other companies maintain a low-profile and sell similar products only to law enforcement agencies. [4,5] The foundation on which all of these malware products is built is the exfiltration of relevant information. Whether it is email, call records or GPS co-ordinates, data is collected and forwarded either at timed intervals or in real-time to a collection end-point. This paper discusses some of the key points of how to render this collected information useless. To counter malware, the traditional approach has been to develop detection and removal tools. This has limits in that only known malware can be detected. An alternate approach is to feed malware with an abundance of useless information or a significantly reduced Signal-to-noise ratio. This paper will discuss and provide examples of how such a technique can be implemented on a BlackBerry handheld. INTRODUCTION Malware on a BlackBerry handheld operates in a predictable manner. Third party applications will run in a sandboxed environment with many granular controls and permissions that limit its functional capabilities. So why then does malware thrive on the platform? Because a user is still required to administer these controls or permissions. Invariably, a user’s ‘click-through-to-reach-your-goal’ attitude will have pop-up windows with requests for permission to be granted. Blaming a user is not going to solve the problem. Educating the user is. Providing a user with free tools to detect spyware is another way to solve the problem. However, letting a user continue to use his device with little to no intervention while at the same time confounding the people spying on him seems by far a more elegant solution. To properly understand how to achieve this, a good understanding of how malware works is necessary. Next, knowledge of data repositories within the BlackBerry handheld need to be identified and altered in a manner that will not inconvenience the end-user, but will significantly reduce the Signal-to-noise ratio for the data-collector. These are all topics that will be covered in this paper. As a bonus, techniques on hampering a forensic investigation of the device will be included. ACTORS Lets first identify the actors in this ecosystem. There is the end-user who is the owner of the device and the information contained therein. Then there is the data-collector or spy who will be the person or entity collecting and sifting through the end-user’s information without his consent. HOW MALWARE WORKS For the purposes of this paper, the term malware is used to mean malicious applications installed on an end-user’s device to collect and extract private information without consent. Malware usually targets several information repositories on the BlackBerry handheld and will go after specific types of information. These repositories are listed in Table 1 below: Repository Type of Information Email Folders Incoming & outgoing email messages SMS/MMS Folders** Incoming & outgoing Short Messages and Multimedia Messages Call History Log Incoming & outgoing phone call numbers and call durations Phone Book Contact information like name, address, phone number BlackBerry Messenger Chats Incoming & outgoing instant messages exchanged between users or groups GPS Module** Physical location of the handset and end- user Table 1. Information Repositories ** It is not entirely possible to defeat malware that hooks these repositories. The BlackBerry API consists of a set of Listeners that aid the developer in writing event-driven applications. Listeners alert the program when certain tasks take place. In the repositories listed in Table 1, every repository can have a Listener added to run some code when an event is received. Due to a bug, either deliberate or inadvertent, the BlackBerry Messenger Listener does not work to its fullest capability and thus alternate methods are generally used by the malware vendors. MALWARE CRIPPLING TECHNIQUES The premise of this paper is to discuss new or alternate methods for defeating malware. Rather than attempting to find and remove the malware, these techniques attack the source of information that the malware is attempting to capture. These techniques will poison the information stores in a manner that only affects malware (Fig. 1). This will serve to reduce the quality of information presented to a data-collector. The cost to the end-user is minimized. Some of the techniques described may elicit unexpected behavior from malware which
  • 2. further serves to alert the end-user that, ‘something is not right’ with the handheld. Arbitrary Data Source Artificial Data Source Malware Real Information Fake Information Fig. 1 - Poisoning the data POEPFLOOD POEP, which stands for Phony Object Escalation Process, is a technique that can be used to introduce an overwhelming amount of false data to a watched resource. For example, if malware is watching a folder and collecting objects that are introduced to this folder, then conducting a POEPFlood attack will initiate the process of adding collections of fake objects to this watched folder in increasing order of magnitude. This results in the malware collecting not only legitimate objects, but fake ones as well. This large amount of false positives provides a diluting effect on legitimate information and if done correctly, will make the data-collector’s task very difficult. An attacker that hopes to spy on a device like this will have to sift through hundreds or thousands of pieces of inaccurate, irrelevant data. This achieves the goal of reducing the Signal- to-noise ratio. PWNGOAL PWNGoal is a flooding attack where certain sacrifices will need to be made such as financial expenditure. The idea of the PWNGoal attack is to create an Artificial Data Source (Fig. 1) using the help of a third party. This attack will be most useful when it is not feasible to create an Artificial Data Store on the BlackBerry device. For example, consider the case where SMS or MMS messages need to be spoofed. The two main ways to achieve this are 1) Write a routine where the handheld sends messages to itself 2) Use a third party messaging gateway to generate these messages. The accompanying source code covers scenario 1). Scenario 2) is currently beyond the scope of this paper. Either way, an additional cost is incurred in either sending SMS messages through the carrier or cost of messages on the messaging gateway. DDTS The DDTS technique, or Don’t Drop The Soap technique, is better suited to defeating a forensic analysis of the BlackBerry handheld. This technique can be used to disallow or prevent access to the USB Port on the BlackBerry handheld. Generally, a forensic analysis will aim to gather information from the BlackBerry through the USB Port. DDTS will watch for any connections to the USB Port and take appropriate action when one is detected. This can be achieved by setting an IOPortListener or USBPortListener and triggering an action when a connectionRequested(). Alternatively, setting a S y s t e m L i s t e n e r 2 a n d t r i g g e r i n g a n a c t i o n o n usbConnectionStateChange() is also a possibility. The DDTS technique by itself often serves no purpose. Instead, DDTS should be coupled with one of the other types of attacks so that appropriate action can be taken when a USB Connection is requested. Typically, a complete DDTS attack will employ a POEPFlood, PWNGoal or FMLog attack to destroy or overwrite the contents of a BlackBerry handheld. FMLog The FMLog attack or Flush My Log attack is another technique used to defeat forensic analysis of BlackBerry devices. The BlackBerry handheld has a built-in event logging mechanism that system and third-party applications can write to. This event log can be viewed on the BlackBerry handheld by invoking the key combination <ALT> + LGLG (Holding down the Alt key and type LGLG). The entire size of this log is 16Kb [ref to log size] and any third party application can write to this log using the EventLogger class on the device. To conduct this attack, a timed process that writes more than 16Kb of data to the log is all that is required. Further, this attack can be enhanced by using the DDTS attack to only flush the log when a USB cable is connected to the handheld. Figure 2 and 3 depicts a ‘before’ and ‘after’ look at the FMLog attack. Event Log Log Entry 1 Log Entry 2 Log Entry3 Log Entry n-2 Log Entry n-1 Log Entry n ... 16Kb Log Size New entries written to the bottom Old entries are ejected Fig. 2 - Event Log operation before FMLog attack Event Log Log Entry 1 Crap Crap Crap Crap Crap ... 16Kb Log Size FMLog attack writes fake data Valid Entries are deleted Fig. 3 - Event Log operation after FMLog attack EMAIL Malware Operations
  • 3. Typically, BlackBerry based malware will operate by making use of the FolderListener [6] to watch specific mail folders. By then acting on either a messagesAdded() or messagesRemoved() method, specific trigger code can be executed. Often, the Inbox and Outbox (sent items) are watched for incoming and outgoing messages respectively. In this case, the messagesAdded() function is what is of most interest. A typical example of a code snippet would look something like the one in Code Snippet 1 below: Code Snippet 1 - Trigger on messagesAdded() For the sake of maintaining clarity, the code for the EvilSpywareModule has been omitted. Assume for the moment that this module’s sole purpose is to capture and exfiltrate data. Rendered graphically, this entire process may look something like the diagram depicted in Figure 4. CMIME Mail Store Inbox Outbox Misc Hooks folders through FolderListener Exfiltration Engine Captured Email trigger on messagesAdded() Fig. 4 - Malware Mail Capture The BlackBerry handheld has as many mail stores as there are email accounts configured. These mail stores can be enumerated by looking for a specific type of ServiceBook [7] that is of type CMIME. Then it is a matter of enumerating all the folders and looking for the Inbox and Outbox before hooking them using the FolderListener. How to defeat By using the same principle of hooking folders, it is possible to defeat malware using the techniques discussed previously. The POEPFlood technique is ideally suited to defeating malware targeting email. The process summary may look like this: (1)Setup a FolderListener on appropriate folders that require poisoning. (2)Prepare a function that will place a configurable, high- number of arbitrarily generated email messages in these folders. (3)Designate how the function from (2) will fire; would it be on a messagesAdded(), or randomly timed (4)Once (2) is fired, ensure to clean up the folders of fake data so as not to affect the end-user It is worthwhile noting that step (2) above will carry the largest amount of code and will contain the logic to generate fake data in a manner capable of defeating malware. Refer to the accompanying source code for details on how to prepare this logic. Some things to remember when conducting a POEPFlood attack on email: (1)Create fake emails based on real ones. For example, browse through the existing message store and randomly pick subject lines to use. (2)Fill the email message body with random, but proper words. One idea would be to fetch text from several different Internet sites. Another would be to collect random words from emails already in the folders. (3)As with (1) above, use email addresses as those found in the existing information store, but make changes to them to mask true identities. This can be optional. The key is to make the poisoned email flood look as legitimate as the real emails. This will prevent a data-collector from running automated filtering tools. The goal is to have the data-collector wade through and waste time by reading completely useless information. CMIME Mail Store Inbox Outbox Misc trigger on messagesAdded() Hooks folders through FolderListener Exfiltration Engine Overwhelming POEPFlood of email POEPFlooder Poisoned Email Fig. 5 - POEPFlood Attack on Email A practical, albeit worthless, attack example is shown in the source code snippet below. It is deemed worthless at this moment because it does not contain any logic to help make the fake emails more legitimate. It is a simple iterator generating 10 emails with a similar ‘TO’ header.
  • 4. Code Snippet 2 - Email Flooding Example SMS Malware Operations There is more than one way that all incoming SMS messages can be captured. These are the recommended methods [8]: (1)Use a MessageConnection by implementing the javax.wireless.messaging.MessageListener interface. (2)U s e a D a t a g r a m C o n n e c t i o n f r o m t h e javax.microedition.io package. (3)U s e a M e s s a g e C o n n e c t i o n f r o m t h e javax.wireless.messaging package. During tests conducted for this paper, the MessageListener method was used (see Code Snippet 3). Code Snippet 3 - Inbound SMS Interception How to defeat Even on examining the BlackBerry OS 7 API, there seems to be no precise way of poisoning the SMS or MMS message stores. This is due to the way that SMS messages are captured. The MessageListener interface allows for capturing when a message is received and before it is placed into a folder. Thus, conducting an attack like the POEPFlood will not work since this attack relies on poisoning a folder structure. One approach would be to consider the PWNGoal attack. As mentioned previously, the PWNGoal attacks may incur additional charges beyond that of the BlackBerry data & call package. Thus, due consideration should be given when using this attack. It is also worthwhile noting that PWNGoal attacks for SMS can be easily filtered by the data-collector due to the single number it is being received from. Obviously, the more resources dedicated to the attack will increase the chances of reducing the quality of collectible data. CALL HISTORY Malware Operations The Call History repository logs all incoming, outgoing and missed phone calls on the BlackBerry handheld. It is another repository of interest for malware and forensic analysts. The PhoneLogListener can be used to access the Call History on a BlackBerry handheld (see Code Snippet 3).
  • 5. Code Snippet 4 - Call History Interception How to defeat Similar to Email, it is possible to arbitrarily introduce fake phone calls to the device Call History. To defeat malware, a POEPFlood provides the best mechanism for attack. To conduct a Call History POEPFlood, it is possible to periodically introduce fake phone calls by calling the PhoneLogs.addCall() method. As soon as this method is c a l l e d , i t w i l l t r i g g e r t h e m a l w a r e ’ s PhoneLogListener.callLogAdded() method and thus provides the opportunity to POEPFlood. Similarly, the callLogRemoved() and callLogUpdated() methods are open to attack in the same manner. When attempting to defeat a forensic analysis, a DDTS/ POEPFlood attack would prove useful. DDTS will detect when a USB connection is requested and immediately start a POEPFlood attack on the Call History repository. This will ensure that the Call History database is overwritten, or at least full of low quality information. Code Snippet x provides the source code for flooding the Call Log history: Code Snippet 5 - Flooding Call History PHONE BOOK Malware Operations The Phone Book or contact list of a BlackBerry handheld can be fair game for malware and forensic analysts alike. For data-collectors, the Phone Book provides an insight into the connections and acquaintances of an end-user. For forensic analysts, it provides a way to connect suspects to other suspects. Malware will be interested in the PIMListener interface to trigger code on the itemAdded(), itemRemoved() and itemUpdated() methods. How to defeat Defeating malware watching the Phone Book can be as easy as conducting a POEPFlood on specific PIMList instances. The base PIMList class has the methods createContact(), importContact() and removeContact(). By periodically calling these functions using POEP, it is possible to feed malware with fake objects that it will log. PIMLists themselves are divided into many different types. There can be Contact Lists, Memo Lists and To Do Lists. For the purposes of this paper, the Contact List is what is most useful. The following code snippet gives an example of how a contact can be programmatically added to the Contact List: Code Snippet 6 - Appending to the Contact List BLACKBERRY MESSENGER Malware Operations The BlackBerry Messenger service (up to version 5.0 ) has had a long standing bug [9] that does not allow developers to use its Listener interfaces. The result of attempting to obtain a BlackBerry Messenger Instance is a null response. Since version 5.0 however, the concept of backing up BlackBerry Messenger chats locally on the filesystem has been introduced. By enabling this capability, malware can hook the filesystem and watch for any changes to a specific directory or file. Then it can act whenever changes to the filesystem are made. The BlackBerry Messenger backup file is a simple CSV file that remains on the device in an unencrypted state. An example of the contents of such a backup file is depicted in Figure 6 below: Fig. 6 - A BlackBerry Messenger Conversation
  • 6. This file is found under the “BlackBerry/im/BlackBerry Messenger/<Device PIN>/history” folder. As per the Fig x above, the various fields in this file are Date/Time, Sender PIN, Recipient PIN and message respectively. Code Snippet 7 shows one approach that malware use to hook the file system: Code Snippet 7 - Malware hooking the filesystem How to defeat The simplest method for defeating malware capturing BlackBerry Messages is to hook the file system journal again and write all the legitimate changes to this file to a separate file. Simultaneously, the legitimate file is flooded with fake data which the malware will collect. This type of approach will guarantee that the data-collector has to wade through a significant amount of irrelevant information before making sense of the conversation. GPS MODULE Malware Operations BlackBerry devices that have the hardware capabilities can provide location based services through its on-board GPS chip. The functionality is controlled through several APIs from the javax.microedtion.location package. The most important piece of information for malware to capture are the GPS co-ordinates comprising of the Latitude and Longitude of the device. Newer BlackBerry devices may also have the opportunity to collect information about heading and speed. To collect periodic GPS co-ordinates from the device, the easiest process is to hook the LocationListener and read the events as fired from the locationUpdated() method. ACKNOWLEDGEMENTS The author would like to acknowledge the pioneering work done by The Grugq in the field of Anti-Forensics. His seminal work, The Art of Defiling provided most of the inspiration for this paper. REFERENCES [1] Zeus Malware - http://en.wikipedia.org/wiki/ Zeus_(trojan_horse) [2] Flexispy Commercial Malware - http:// www.flexispy.com/ [3] MobileSpy Commercial Malware - http://www.mobile- spy.com/ [4] HackingTeam Remote Control System - http:// www.hackingteam.it/index.php/remote-control-system [5] Fixmo Sentinel - http://www.fixmo.com/products/ fixmo-sentinel/ [6] BlackBerry OS 5 API FolderListener - http:// www.blackberry.com/developers/docs/5.0.0api/net/rim/ blackberry/api/mail/event/FolderListener.html [7] Service Books: http://na.blackberry.com/eng/ deliverables/2584/about_service_books_32170_11.jsp and http://www.berryreview.com/2009/01/22/faq-explanation-of- each-blackberry-service-book-type/ [8] SMS Interception Methods - http:// supportforums.blackberry.com/t5/tkb/articleprintpage/tkb-id/ java_dev@tkb/article-id/207 [9] BlackBerry Messenger Bug (Requires Free Developer Account) - https://www.blackberry.com/jira/browse/ JAVAAPI-508