
SANS ISC InfoSec Handlers Diary Blog



Analyzing Mobile Device Malware - Honeynet Forensic Challenge 9 and Some Tools

Published: 2011-09-07
Last Updated: 2011-09-07 20:50:59 UTC
by Lenny Zeltser (Version: 1)

The Honeynet Project has presented an excellent opportunity to improve your own and the community's approaches to analyzing mobile device malware. The group's Forensic Challenge 9 lets you respond to a security incident that involved a smartphone. Honeynet's Christian Seifert provided us with the following description of the scenario:

"This challenge offers the exploration of a real smartphone, based on a popular OS, after a security incident. You will have to analyze the image of a portion of the file system, extract all that may look suspicious, analyze the threat and finally submit your forensic analysis. From file system recovery to malware reverse-engineering and PCAP analysis, this challenge will take you to the world of mobile malware."

Christian also pointed out that, as a result of its participation in Google Summer of Code, the Honeynet Project released two tools for analyzing mobile device malware. According to him:

DroidBox, authored by Patrick Lantz, is a sandbox for the Android platform. "It focuses on detecting information leaks that were derived from performing taint analysis for information-flow tracking on Android trojan applications. DroidBox is capable of identifying information leaks of contacts, SMS data, IMEI, GPS coordinates, installed apps, phone numbers, network traffic and file operations."

APKInspector, authored by Cong Zheng, "is a full blown static analysis tool for the Android platform. It resembles tools like IDA Pro. Some functionality highlights are:

  • Graph-based UI displaying control flow of the code.
  • Links from graph view to source view.
  • Function/Object -> Method list and filter.
  • Strings list and filter.
  • Flow in/out from a given point.
  • Function and variable renaming."

For additional resources that may help you analyze Android malware, see 8 Articles for Learning Android Mobile Malware Analysis. If you know of additional tools and references, please leave a comment.

-- Lenny

Lenny Zeltser focuses on safeguarding customers' IT operations at Radiant Systems. He also teaches how to analyze and combat malware at SANS Institute. Lenny is active on Twitter and writes a daily security blog.


GlobalSign Temporarily Stops Issuing Certificates to Investigate a Potential Breach

Published: 2011-09-07
Last Updated: 2011-09-07 20:15:29 UTC
by Lenny Zeltser (Version: 1)

GlobalSign, a certificate authority (CA) based in Belgium, has temporarily stopped issuing certificates. The action was taken in response to a message on Pastebin, in which an anonymous poster claimed responsibility for the recent DigiNotar breach and named GlobalSign as another CA he or she had compromised.

According to GlobalSign's press release, the company is investigating the report and "decided to temporarily cease issuance of all Certificates" until it assesses the claim that its security was breached.

An ISC reader shared with us a response that GlobalSign provided to his company regarding this matter. In that message, the company explained that it paused the issuance of certificates so that the systems could undergo a forensic audit while off-line. The company reportedly downplayed the risk to already-issued certificates, pointing to its practice of keeping the root CA off-line. Yet an off-line root only protects the root key itself. The intermediate CAs, which do the day-to-day signing, are on-line, so the exposure resembles the DigiNotar scenario: an attacker who gains control of an intermediate CA (or its signing interface) can issue fraudulent certificates for any domain, including domains that already hold legitimate certificates, and relying parties will accept them because they chain to the same trusted root. Pulling or revoking the legitimate certificates does nothing against such rogue issuance; only revoking or distrusting the affected intermediate does.

Note, however, that we have yet to see evidence of GlobalSign being compromised. The Pastebin notice might prove to be inauthentic or otherwise false. It is not uncommon for malicious hackers to put forth claims of conquest that later turn out to be unsubstantiated... just for LOLs.

-- Lenny
