Sep 28 2012

Payment Processor Stripe Buys Into Transparency and User Rights

Photo: Jim Merithew/Wired

Stripe, the fast-growing online payment processor known for its ease of use, announced Friday that it is committing to transparency and user rights, following the path blazed by Google and Twitter.

“Our goal with Stripe is to help build the economic infrastructure of the internet,” general counsel Jon Zieger wrote in a blog post. “Economic infrastructure, like other fundamental layers of the internet, requires trust and transparency.”

Specifically, Stripe, which makes it simple for sites to accept payments online, says that if it gets a legal request from a third party to stop doing business with a user, it will post the request to the Chilling Effects Clearinghouse website. That site publishes copyright takedown notices sent to web companies, and its most prominent contributors are Google, Twitter and GitHub.

As Stripe will be the first payment processor to submit takedown requests, Chilling Effects is creating a new category on the site.

Co-founder Patrick Collison hastened to say that the company isn’t changing its policies about which companies it will serve nor should people take the post as an indication that it’s gotten a lot of such notices.

“This is much more about getting the right policy in place for the future,” Collison said, noting that Stripe just began accepting payments for Canadian companies, its first step outside of the U.S.

It’s not clear how often payment processors get asked to stop working with a site or on what grounds. But the power and lack of transparency by the net’s dominant payment intermediaries was demonstrated in the fall of 2010, Visa, Mastercard and PayPal all cut off donations to WikiLeaks after the publication of a trove of U.S. diplomatic cables.

The companies cut off WikiLeaks on the grounds it was engaged in illegal activities, though the site has never been prosecuted in the U.S. and many legitimate news sites also published many of the cables, without retribution from the payment companies.

“We concerned about intermediaries being used to control what kind of content is available on the internet,” Zieger said, while noting that there are about 50 categories of users it doesn’t work with.

Stripe also says it’s instituting the same subpoena notification policy as Twitter, committing to informing a user, when not barred from doing so, that someone is subpoenaing their record. This allows the targeted user to try to quash the subpoena in court. Twitter has spent significant resources fighting to allow its users to resist government subpoenas — including winning the right for WikiLeaks associates to try to quash a grand jury subpoena for their Twitter records.

The company also said that it would be trying to figure out how to provide transparency reports regularly about how many requests it gets, a practice that was pioneered by Google and then followed by a number of companies including Dropbox, Github and Twitter.

“It’s a really important movement,” Collison said. “There’s almost a coalition forming. It is coalescing.”

Sep 28 2012

Encrypted Scripts From Trojan Can Surprise Angry Birds Players

The huge popularity of games such as Angry Birds Space, currently in the Top 50 of the most popular Free Apps in the Google Play Market, makes them a perfect cover for malware authors to distribute new malicious code and to target many users. Recently a new malware that downloads and rates apps in the background without the user’s consent was found injected in several applications in third-party Android markets. One of the affected apps is Angry Birds Space:

The malware pretends to be the premium version of the game but it is in fact one of the first free versions of the app that is already in the Google Play Market. A comparison between the decompiled code of the Trojan version and the clean one reveals the injected code that is executed every time the user opens the game (or when the device is restarted): 

 

This code starts a service named “MyService,” which runs in the background and is part of one of the injected packages that contains malicious code:

After starting the service, the malware registers the infected device in a remote server by sending device identifiers such as IMEI, IMSI, and SIM serial number. In return, the server sends a value that starts an annoying routine of pop-up dialogs every one-and-a-half minutes asking the user to install other apps to earn points and permanently remove the adware:

In English the dialog says: “Currently, your consumption points are 0, less than 50, you can earn more consumption points by downloading free advertisement, then the advertisement in the game would be removed permanently. To ensure that the consumption points are going to your account, please open the application being installed a sometime later.”

Once the initialization phase is complete, the injected code downloads the main payload of the malware by sending the IMEI and a specific identifier to a remote server. The password is obfuscated in the code, but it can be easily obtained after analyzing the algorithm used to create it. The file inside the Zip is code written in FScript, a scripting language that can be easily embedded in other Java programs–even in small or embedded devices–by using FScriptME, the FScript version for J2ME environments. The downloaded code is dynamically loaded and each function in the script is executed from the dex file using the instruction “callScriptFunction” implemented in the FScript package.

In this specific case, the downloaded script started the communication with the control server to register the device and get the initial parameters (URL to download the APK (Android application) and web page to execute the click in the ad):

Other parameters include the “sleep” value, which the malware uses to calculate the time to wait between every execution (loop) of the routine. Once the configuration is loaded and without the user’s consent, the script downloads the application in the background along with the complete web page specified in the parameter “click.” All the files are placed in the SD card under the folder “download”:

After all the files are in place, the information in the parameters “Title” and “Intro” are used to create a notification on the device. When the user clicks on it, instead of showing the traditional installation screen, the malware shows the downloaded web page in which the user can see more details of the app such as screenshots and more description:

 

If the user taps on “Free Download” from that page, instead of starting the download the malware will intercept that event and install an already downloaded APK from the SD card. This app could be different from the one shown.

The process above was executed because the parameters sent by the remote server were “type=5” and “godown=2,” which lead to the execution of the function “pushdownapk.” Malware authors can also execute other commands, such as getting all of the installed applications on the device or executing automated mobile click fraud. The latter occurs by downloading apps from third-party markets and sending network traffic to specific mobile advertisement websites to report that an app has been successfully downloaded and installed.

So far the purpose of these scripts that are downloaded by the infected app is to report installations and generate fraudulent revenue. However, this situation can change at any time by changing the script to add another function or by changing the parameters sent by the control server to install malicious applications.

McAfee Mobile Security detects this threat as Android/Backscript.A.

Sep 28 2012

Reverse Engineering by Tracking Function Calls

As McAfee Labs researchers examine malware, we often have to reverse-engineer those binaries when we don’t have the source code. Because reverse engineering depends heavily on the state of the binaries, most of the time it is a tedious manual task. Any tool or technique that speeds our work is a big help.

A lot of great tools have been developed to accelerate reverse engineering, but there is still room for innovation. Most of the time when we analyze malware or normal applications we try to find the key functions, which may reside deep inside the binary. Finding them manually with debuggers is very time consuming.

One effective way to accelerate reverse-engineering tasks is to plot every call from the binary (function to function, function to API) on a directed graph using runtime event captures. The graph displays the relationships between the calls inside the binary; these relationships can show us which code chunks are most important.

As a proof of concept, we have developed a plug-in that uses the IDA database to enumerate the functions inside the binary. We used Python modules pefile and pydbg to hook on the APIs and to capture calls. Then we used pydot and the Graphviz libraries to plot calls on the graph. We generated a relationship graph using the following steps.

  • Assign node1 to caller and node2 to callee (node1 –> node 2)
  • Inside node 2, node 2 becomes node1 and new callee becomes node2 (node2(node1) –>node2(new))
  • Similarly, we can created a relationship call graph for the entire binary

 

class idafunction:
”’
class to enumerate the functions from the current IDA database
”’
def __init__(self):
self.func_dict = {}
def functions(self):
for seg_ea in Segments():
for func_ea in Functions(seg_ea,SegEnd(seg_ea)):
self.func_dict[func_ea] = GetFunctionName(func_ea)
return self.func_dict

def idafun_generic(self,dummy=None):
”’
generic call back function for breakpoint handling.
”’
EIP = self.dbg.context.Eip
try:
esp = self.dbg.context.Esp
paddr = self.dbg.read_process_memory(esp,4)
addr = struct.unpack(“L”,paddr)[0]
addr = int(addr)
CallFrom = GetFunctionName(addr)
if not CallFrom:
CallFrom = hex(addr)
log(“FUNCTION ADDRESS: %x\tCALL FROM: %s \tFUNCTION NAME: %s” % (EIP,CallFrom,self.func_dict[EIP]))
logn(“FUNCTION ADDRESS: %x\tCALL FROM: %s \tFUNCTION NAME: %s” % (EIP,CallFrom,self.func_dict[EIP]))
SetColor(EIP,CIC_FUNC,FUNC_COLOR)

 

The relationship graph will also contains calls to APIs from the respective functions. These will help us identify the most sensitive areas inside the binary, and will also allow us to track the entire path from the main function.

If the binary is unpacked, then our technique will greatly minimize analysis time. If the binary is packed, then in most cases our technique can provide a fair amount of details about the binary that might be useful in unpacking, or in identifying new allocations, calls from new allocations, and type of calls from new allocations (to unknown or known addresses, etc.).

 

Real-Life Examples

Here is a look at the functions call relationship graph of the Herpsnet bot:

 

By looking at the graph we can say that the function sub_4070E0 is the most valuable function in the binary because it calls the following important functions:

  • sub_4044b0
  • sub_406Fc0

Inside the function sub_4044b0 we can see calls to other interesting functions:

  • sub_404880. By looking into the type of API calls from this function, it appears to be used for process enumeration (running processes). This function calls the function sub_404550, which seems to check user privileges.
  • sub_404350. This function is used to inject code into other processes. It also calls the function sub_4041E0, which adjusts the privileges of the processes, probably to “se_debug” because we saw a function above that calls some injection-related APIs.

Inside the function sub_406fc0 we can also see one interesting call to the function sub_403034. In our manual analysis we found that this function is used for strings decryption.

If we look back into sub_4070E0, we can see that it also calls APIs such as CreateThread and CreateMutexA. So overall the graph gives us some pretty good information about this malware, and saves us a significant amount of analysis time.

Now let’s look at the functions call relationship graph of the Alureon bot:

 

In this graph we can see that sub_402450, sub_4026E0, sub_402665, sub_40507A, and sub_402E52 are the most interesting functions.

 

Conclusion

Our technique for speeding up reverse engineering and malware analysis has the same problems as those of any similar tool, but we have found it useful in our analysis. Nonetheless, we would be happy with a more robust program. Currently in the proof-of-concept state, pydbg hooking is not that stable. Moreover, it can be easily found by debugger detection techniques.

If you have any other ideas, please share them with us.

Acknowledgements:

I would like to thank my colleagues Neeraj Thakar and Vikas Taneja for their valuable input.

References:

http://www.labri.fr/perso/fleury/courses/PdP/SoftwareVisualization/bohnet_Softvis06.pdf

http://www.futureinternet.fi/publications/seminar_2011/Kostakis_Lundstrom.pdf

Sep 28 2012

Adobe Releases Security Bulletin About Code Signing Certificate

Adobe has released a security bulletin to address an issue with a current Adobe code signing certificate. The certificate to be revoked has been used to sign malicious code. The certificate will be revoked on October 4, 2012 for all software code signed after July 10, 2012. Adobe is issuing a new digital certificate for all affected products.

US-CERT encourages users and administrators to review the Adobe Security Bulletin ASPA12-01 and take any necessary actions to help mitigate the risk.

This product is provided subject to this Notification and this Privacy & Use policy.