by RSS Axelle Apvrille  |  Nov 09, 2017  |  Filed in: Security Research

Welcome back to our monthly review of some of the most interesting security research publications.

Past editions:

In this edition, I focus on talks at Virus Bulletin Conference, but check out some other very nice conferences at the end of this post. My own presentation at VB 2017 is available here, including some videos of demos.

Update November 10: (1) the first author for the ATM paper is Thiago Marques (2) added the link to the Industroyer paper.

Marques et al, Mariachis and jackpotting: ATM malware from Latin America, VB 2017

The talk started with a video of "classical" (but efficient) ATM robbing. The criminal opens an ATM, places a bomb inside, waits for the bomb to explode and crack the ATM open, then it's time to come back and collect the money. With computer malware, this attack is enhanced. For instance, the Plotus malware tells the attackers what amount of money they are going to find in the ATM, letting them decide if it's worth it or not.

The talk was great and Marquest and  Assolini are well known for his research on banking trojans and ATM malware in Latin & South America. If you wonder what's the status in the rest of the world for this, you should read R. Garrote and R. Rodenas, The Lord Of The ATMs (Rooted Con 2017). In particular, their slides mention Cobalt and Padpin, which seem to be active in Europe.

Rowland Yu, Webview is far more than a view, Virus Bulletin [slides]

On Android, developers have the possibility to use a WebView object to provide an Internet browser experience to their application. Many app developers use that, especially because it eases development across different platforms, consequently reducing the number of lines of code to maintain.

For malware analysts, the problem is that webview offer far more features than just Internet browsing.Precisely, the issue comes from the addJavascriptInterface() method of the WebView class. As documented by Google, this method "injects a supplied Java object into this WebView".

The injected object's methods are then available through JavaScript. Consequently, a malware analyst now needs to check both the application's Java code and JavaScript the application uses.Another trick: note the WebView can be made "invisible" by setting its size to 1x1 pixel...

In brief: If you are an Android malware analyst, don't forget to check WebView calls and JavaScript pages...

P. Wardle, Offensive malware analysis: dissecting OSX/FruitFly.B via a custom C&C server, Virus Bulletin

The speaker explains a common "offensive" methodology of malware reversing via implementation of a fake C&C. It consists in:

  1. Reverse engineering a given sample up to the point where you are able to construct a fake C&C. This step involves code disassembling, but also network/file/keyboard/mouse monitoring.

  2. Implement a fake C&C

  3. Run the malware and have it connect to the fake C&C. In the case of FruitFly, via reverse engineering, the speaker has found that the address of a custom C&C can be supplied to the malware. This is how he is able to have the malware connect to his own fake C&C.

  4. Use that to analyze the rest of the malware, by sending given commands, with given arguments etc.

The paper is interesting for 2 aspects: (1) this methodology applies to non-Mac botnets too, and (2) it provides a detailed analysis of FruitFly. In particular, this malware uses obfuscated Perl code (which, I believe, is not common).While this methodology is not new, it is particularly adapted to full teardowns of malware, or situations where we want to take down botnets.

A. Cherepanov and R. Lipovsky, Industroyer: biggest threat to industrial control systems since Stuxnet, Virus Bulletin [slides] [paper]

Simplified schematic of Industroyer components - taken from the paper

Win32/Industroyer is a malware which targets power grids. It is suspected to be at the origin of the power cut on Ukraine's capital in December 2016.

The malware attacks 4 different industrial control protocols:

  • IEC 101. The malware attempts to kill the legit process in charge of this protocol on the infected machine, and send commands instead of it. It will then basically send on/off commands to Remote Terminal Units the protocol is meant to handle.

  • IEC 104. Again, the malware attempts to terminate the legit process and interact with devices. It can log information and output debug information of the controlled devices.

  • IEC 61850. The malware connects to target host and retrieves information from it.

  • OPC DA - similarly to Havex malware in 2014. OPC DA stands for OLE for Process Control for Data Access. This protocol is used to exchange data in a client - server model. The malware attempts to change the state of OPC items it discovers.

The malware also has a data wiper component, a port scanner, a DoS tool.The author made their point that this malware was crafted by attackers who are very skilled on SCADA/ICS systems.

Some non technical talks: interesting too!

There were a few non technical but neverthess interesting talks. Some of those, in particular, have potential to fuel novative research or different research areas to look into:

  • Amnesty International talk: this talk was given by Claudio Guarnieri, who works as a technologist and researcher at Amnesty International. He explains it is a big challenge to secure communications between human rights defenders and the victims as the problems occur in politically complex situations and sometimes with poor or no Internet connections. It is difficult for both ends not to fall in traps set up by their opponents...

Very interesting though a bit depressing because AFAIK I see no technical solution :(

  • Failure is as an option: keynote insisting on the fact we should 1/ plan for failure and 2/ learn from it. Interesting comparison with the airspace industry which have process to handle aircraft failures or crashes, which enables them to reduce the number of incidents per flight over the years. The cyber industry does not seem to have this maturity.

  • Child abuse: this talk was given by Mick Moran who is police officer. He discussed child abuse, with one optimistic message: the very fact that abusers now share videos online of the assault makes it easier to spot them and identify victims. His talk also mention some organizations (wearethorn.org, netclean.com, technologycoalition.org), including tech ones, who try to help those kids by various actions online.

There were many other talks (advergaming, chkrootkit, bayrob etc) which inspired me for this or that reason and that I would love to report on, but the blog post would be too long. I'll leave it up to you to read the proceedings :)

Other conferences in October

There are many other conferences in October. Check those for other interesting papers:

-- the Crypto Girl

Sign up for our weekly FortiGuard intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.

by RSS Axelle Apvrille  |  Nov 09, 2017  |  Filed in: Security Research