Friday, June 7, 2013

[Reverse Engineering] Android - Backdoor.AndroidOS.Obad.a

Reversing Backdoor.AndroidOS.Obad.a


So we're going a little off track on this one: we will take a look at the NEW Android Trojan called "Backdoor.AndroidOS.Obad.a".

Kaspersky Article on Backdoor.AndroidOS.Obad.a: http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan


The tools we will attempt to use:
  1. apktool
  2. dex2jar
  3. jd-gui

MD5:
E1064BFD836E4C895B569B2DE4700284

Let's start reversing it, shall we?


To start we will extract the files from the .apk file with apktool:

Let's look at that directory now.

$ tree
.
├── AndroidManifest.xml
├── apktool.yml
├── res
│   ├── drawable
│   │   └── lcolooo.png
│   ├── layout
│   │   └── occcclc.xml
│   ├── values
│   │   ├── public.xml
│   │   └── strings.xml
│   └── xml
│       └── ccclocc.xml
└── smali
    └── com
        └── android
            ├── internal
            │   └── telephony
            │       ├── IExtendedNetworkService$oCIlCll.smali
            │       └── IExtendedNetworkService.smali
            └── system
                └── admin
                    ├── CClIOcc.smali
                    ├── cCloIOCC.smali
                    ├── CcOCoIcO.smali
                    ├── cCOIcIlo.smali
                    ├── cCoIOIOo.smali
                    ├── CCOIoll.smali
                    ├── CIcIoICo.smali
                    ├── CICoICCo.smali
                    ├── cIcoIIl.smali
                    ├── CIlOCClc.smali
                    ├── cIoCcIo.smali
                    ├── COcCccl.smali
                    ├── CoccOIo$oCIlCll.smali
                    ├── CoccOIo.smali
                    ├── COOlOIl.smali
                    ├── cOoOCCo.smali
                    ├── CoooOIIO.smali
                    ├── CoOOoOo.smali
                    ├── IcCcCOIC.smali
                    ├── ICcIIlo.smali
                    ├── ICclCcoC.smali
                    ├── IccOlCc.smali
                    ├── ICICcOCo.smali
                    ├── IcIOoOC.smali
                    ├── ICOColc.smali
                    ├── ICOIoCl.smali
                    ├── IlIIlCI.smali
                    ├── IololoI.smali
                    ├── IOOICOcI.smali
                    ├── lcclOlO.smali
                    ├── lCICoIO.smali
                    ├── lclOOCl.smali
                    ├── lIcoclC.smali
                    ├── lOCIOICC.smali
                    ├── lOClOOI.smali
                    ├── loOcccoC.smali
                    ├── loooIlo.smali
                    ├── MainService.smali
                    ├── OCICooCI.smali
                    ├── OcIcoOlc.smali
                    ├── oCIlCll$CIcIoICo.smali
                    ├── oCIlCll$oCIlCll.smali
                    ├── oCIlCll$oIlclcIc.smali
                    ├── oCIlCll.smali
                    ├── OCllCoO.smali
                    ├── OcOCclc.smali
                    ├── OCOcCOll.smali
                    ├── oICClCI.smali
                    ├── oIlclcIc.smali
                    ├── oIOccOcl.smali
                    ├── oIOocIlo.smali
                    ├── OlCCcIl.smali
                    ├── olcCIIC.smali
                    ├── ollIIIc.smali
                    └── OOIlIcCc.smali

12 directories, 64 files
OK, so now we can see some of the resources and we have the .smali files.
We can use the xml and yml files to gather some basic info about the app.
Some of you are probably wondering what smali files are, so I'll explain.

The smali files are the disassembly of the app's Dalvik bytecode (the Android counterpart of Java Virtual Machine (JVM) bytecode). In the grand scheme of things these smali files give us a really accurate picture of what the code does. You just have to be able to read them, which can be time consuming.

For the sake of this tutorial we will not go into that now; we will attempt to get the Java source code, or do the best we can, and look at the smali files in another post.

To attempt to get the Java source we will use dex2jar on the apk file:




In the above screenshot we can see that there are some errors. This is because the authors of the malware found a bug in dex2jar and used it to prevent the conversion of Dalvik bytecode into Java bytecode. dex2jar is a popular tool that converts the bytecode into a jar file, which we can then open in jd-gui to read the Java output.
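Before handing a sample to apktool or dex2jar it pays to confirm the hash, list what the archive actually contains and sanity-check the DEX header, so that a tool crash can be attributed to the file rather than to a mix-up. The script below is an added example, not code from the original post or from the dex2jar project: it MD5s the archive (the post gives E1064BFD836E4C895B569B2DE4700284 for this sample), lists the zip entries and validates the magic, adler32 checksum, SHA-1 signature, file_size and the bounds of every id table in each classes.dex. It builds its own constructed minimal DEX and APK in memory, and the corrupted variant simply advertises a class_def located past the end of the file, so it runs offline; all function and constant names are my own. It does not reproduce the specific dex2jar trigger: the stack traces below mostly fail inside ClassWriter.visitOuterClass while dex2jar builds a class, i.e. in per-class metadata that a header check never reaches, so treat this as the first gate rather than the whole answer.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\x00"      # DEX version 035, the one these tools expect
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# The 20 uint32 fields after magic (8), checksum (4) and SHA-1 signature (20).
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)
# Byte width of one entry in each id table (from the DEX format spec).
ITEM_WIDTH = {"string_ids": 4, "type_ids": 4, "proto_ids": 12,
              "field_ids": 8, "method_ids": 8, "class_defs": 32}

def check_dex_header(data: bytes) -> dict:
    """Parse a DEX header and list every inconsistency found in it."""
    if len(data) < HEADER_SIZE:
        return {"fields": {}, "findings": ["file shorter than a DEX header"]}
    findings = []
    if data[:8] != DEX_MAGIC:
        findings.append(f"unexpected magic {data[:8]!r}")
    (checksum,) = struct.unpack_from("<I", data, 8)
    fields = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        findings.append("adler32 checksum does not match the file contents")
    if hashlib.sha1(data[32:]).digest() != data[12:32]:
        findings.append("sha1 signature does not match the file contents")
    if fields["file_size"] != len(data):
        findings.append(f"file_size {fields['file_size']} != actual {len(data)}")
    if fields["header_size"] != HEADER_SIZE:
        findings.append(f"header_size 0x{fields['header_size']:x} != 0x70")
    if fields["endian_tag"] != ENDIAN_CONSTANT:
        findings.append("non-standard endian_tag")
    for name, width in ITEM_WIDTH.items():
        size, off = fields[name + "_size"], fields[name + "_off"]
        if size and (off % 4 or off + size * width > len(data)):
            findings.append(f"{name} table ({size} entries at 0x{off:x}) is "
                            "misaligned or runs past the end of the file")
    return {"fields": fields, "findings": findings}

def build_minimal_dex() -> bytes:
    """Constructed sample: a DEX with no classes and a two-entry map list."""
    map_list = struct.pack("<I", 2)
    map_list += struct.pack("<HHII", 0x0000, 0, 1, 0)            # TYPE_HEADER_ITEM
    map_list += struct.pack("<HHII", 0x1000, 0, 1, HEADER_SIZE)  # TYPE_MAP_LIST
    fields = dict.fromkeys(HEADER_FIELDS, 0)
    fields.update(file_size=HEADER_SIZE + len(map_list), header_size=HEADER_SIZE,
                  endian_tag=ENDIAN_CONSTANT, map_off=HEADER_SIZE,
                  data_size=len(map_list), data_off=HEADER_SIZE)
    body = struct.pack("<20I", *(fields[n] for n in HEADER_FIELDS)) + map_list
    signature = hashlib.sha1(body).digest()          # covers everything after it
    checksum = zlib.adler32(signature + body)        # covers everything after it
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body

def tamper_class_defs(data: bytes) -> bytes:
    """Constructed corruption: one class_def past end of file, stale checksum/signature."""
    buf = bytearray(data)
    off = 32 + 4 * HEADER_FIELDS.index("class_defs_size")
    struct.pack_into("<II", buf, off, 1, len(data))
    return bytes(buf)

def build_sample_apk(dex: bytes) -> bytes:
    """Constructed APK: a manifest placeholder (not real binary XML) plus classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", dex)
    return buf.getvalue()

def inventory_apk(apk_bytes: bytes) -> dict:
    """MD5 the archive, list its entries and header-check every .dex inside."""
    report = {"md5": hashlib.md5(apk_bytes).hexdigest().upper(), "entries": [], "dex": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            report["entries"].append(info.filename)
            if info.filename.endswith(".dex"):
                report["dex"][info.filename] = check_dex_header(zf.read(info))["findings"]
    return report

if __name__ == "__main__":
    import sys
    apk = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 \
        else build_sample_apk(tamper_class_defs(build_minimal_dex()))
    rep = inventory_apk(apk)
    print("MD5:", rep["md5"], "entries:", rep["entries"])
    for name, findings in rep["dex"].items():
        print(name, "->", findings or ["header consistent"])
```

Run it with the sample path as the only argument to inventory a real APK; with no argument it inventories the constructed corrupted APK and reports the stale checksum and signature plus the out-of-bounds class_defs table. An empty findings list says only that the header is self-consistent; class-level data, which is where the traces below die, still has to be read with the smali files.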

The full output of the failed conversion is shown below:
$ ./dex2jar.sh ~/Documents/malware/AndroidOBada/E1064BFD836E4C895B569B2DE4700284
1 [main] INFO com.googlecode.dex2jar.v3.Main - version:0.0.7.11-SNAPSHOT
7 [main] INFO com.googlecode.dex2jar.v3.Main - dex2jar /home/android/Documents/malware/AndroidOBada/E1064BFD836E4C895B569B2DE4700284 -> E1064BFD836E4C895B569B2DE4700284_dex2jar.jar
295 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[5],name:[Lcom/android/system/admin/CIcIoICo;]
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[6],name:[Lcom/android/system/admin/IcCcCOIC;]
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
461 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
461 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[11],name:[Lcom/android/system/admin/ollIIIc;]
461 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
462 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
462 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[12],name:[Lcom/android/system/admin/CClIOcc;]
462 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
503 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
503 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[14],name:[Lcom/android/system/admin/OOIlIcCc;]
503 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
504 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
504 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[15],name:[Lcom/android/system/admin/cIoCcIo;]
504 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
505 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
505 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[16],name:[Lcom/android/system/admin/oIOccOcl;]
505 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
625 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
625 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[18],name:[Lcom/android/system/admin/lCICoIO;]
625 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
626 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
626 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[19],name:[Lcom/android/system/admin/olcCIIC;]
626 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[22],name:[Lcom/android/system/admin/OlCCcIl;]
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[23],name:[Lcom/android/system/admin/cCOIcIlo;]
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
825 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
825 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[24],name:[Lcom/android/system/admin/CIlOCClc;]
825 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[29],name:[Lcom/android/system/admin/lOClOOI;]
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/lOClOOI;.oCIlCll(Ljava/io/File;)Ljava/lang/String;]
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 1
    at java.util.Vector.get(Vector.java:694)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.merge(TypeDetectTransformer.java:890)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.transform(TypeDetectTransformer.java:199)
    at com.googlecode.dex2jar.v3.V3MethodAdapter.visitEnd(V3MethodAdapter.java:168)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptMethod(DexFileReader.java:547)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:319)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1092 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1092 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[30],name:[Lcom/android/system/admin/lOCIOICC;]
1092 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[33],name:[Lcom/android/system/admin/lclOOCl;]
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/lclOOCl;.oCIlCll(Ljava/lang/String;Ljava/io/File;)Z]
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 0
    at java.util.Vector.get(Vector.java:694)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.merge(TypeDetectTransformer.java:890)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.transform(TypeDetectTransformer.java:238)
    at com.googlecode.dex2jar.v3.V3MethodAdapter.visitEnd(V3MethodAdapter.java:168)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptMethod(DexFileReader.java:547)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:319)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1246 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1246 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[35],name:[Lcom/android/system/admin/ICOIoCl;]
1246 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1247 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1247 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[36],name:[Lcom/android/system/admin/CoOOoOo;]
1247 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/CoOOoOo;.<init>()V]
1247 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitMethod(V3ClassAdapter.java:210)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptMethod(DexFileReader.java:493)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:319)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2257 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2257 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[39],name:[Lcom/android/system/admin/CoooOIIO;]
2257 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2403 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2403 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[42],name:[Lcom/android/system/admin/ICICcOCo;]
2403 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[46],name:[Lcom/android/system/admin/IccOlCc;]
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2542 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2542 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[49],name:[Lcom/android/system/admin/oIOocIlo;]
2542 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2609 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2609 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[51],name:[Lcom/android/system/admin/cCloIOCC;]
2609 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[52],name:[Lcom/android/system/admin/IololoI;]
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/IololoI;.<init>()V]
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitMethod(V3ClassAdapter.java:210)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptMethod(DexFileReader.java:493)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:319)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
3059 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
3059 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[56],name:[Lcom/android/system/admin/loooIlo;]
3060 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
3068 [main] INFO com.googlecode.dex2jar.v3.Main - Done.

Let's take a look at the .jar file that was created.

We open it in jd-gui to see the "source" code:
Above we can see the files in Java form; however, if you look closely there is an error in the Java code itself, and following the error is the raw bytecode. This is what the malware authors wanted: to make it harder for us to analyze their code.

Almost every file has an error in the conversion.
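As an added example (not code from the original post or from the dex2jar project), here is a small Python triage script that reads a dex2jar error log like the one above and turns it into a list of the classes that failed conversion, which dex2jar visitor was running (field or method), which ASM call rejected the class, and the apktool smali file to read instead. The log text embedded below is a constructed excerpt modelled on the output above, with the stack traces abridged.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the dex2jar log above (two failing classes, traces abridged).
SAMPLE_LOG = """\
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[46],name:[Lcom/android/system/admin/IccOlCc;]
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[52],name:[Lcom/android/system/admin/IololoI;]
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/IololoI;.<init>()V]
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitMethod(V3ClassAdapter.java:210)
3068 [main] INFO com.googlecode.dex2jar.v3.Main - Done.
"""

CLASS_RE = re.compile(r"while accept class id:\[(\d+)\],name:\[([^\]]+)\]")
METHOD_RE = re.compile(r"while accept method:\[([^\]]+)\]")
ROOT_RE = re.compile(r"ROOT cause:\s*$")
FRAME_RE = re.compile(r"^\s+at\s+([\w.$<>]+)\(")


def descriptor_to_smali_path(descriptor: str, root: str = "smali") -> str:
    """Map a JVM class descriptor (Lpkg/Name;) to the file apktool writes for that class."""
    if not (descriptor.startswith("L") and descriptor.endswith(";")):
        raise ValueError(f"not a class descriptor: {descriptor!r}")
    return f"{root}/{descriptor[1:-1]}.smali"


@dataclass
class ConversionFailure:
    class_id: int
    class_name: str                      # descriptor as printed by dex2jar
    method: Optional[str] = None         # set when the failure happened inside a method
    exception: Optional[str] = None      # exception class named after "ROOT cause:"
    frames: List[str] = field(default_factory=list)

    def _first_frame(self, prefix: str) -> Optional[str]:
        for frame in self.frames:
            if frame.startswith(prefix):
                return frame.rsplit(".", 1)[1]
        return None

    @property
    def stage(self) -> Optional[str]:
        # dex2jar visitor that was running when it failed: visitField or visitMethod
        return self._first_frame("com.googlecode.dex2jar.v3.V3ClassAdapter.visit")

    @property
    def trigger(self) -> Optional[str]:
        # innermost ASM ClassWriter call, i.e. the class-file attribute ASM rejected
        return self._first_frame("org.objectweb.asm.ClassWriter.visit")

    @property
    def smali_path(self) -> str:
        return descriptor_to_smali_path(self.class_name)


def parse_dex2jar_log(text: str) -> List[ConversionFailure]:
    """Group dex2jar's per-class error lines and stack frames into ConversionFailure records."""
    failures: List[ConversionFailure] = []
    current: Optional[ConversionFailure] = None
    expect_exception = False
    for line in text.splitlines():
        m = CLASS_RE.search(line)
        if m:                                  # a new "while accept class" block starts
            current = ConversionFailure(int(m.group(1)), m.group(2))
            failures.append(current)
            expect_exception = False
            continue
        if current is None:                    # lines before the first failing class
            continue
        m = METHOD_RE.search(line)
        if m:
            current.method = m.group(1)
        elif ROOT_RE.search(line):
            expect_exception = True            # the exception class is on the next line
        elif expect_exception:
            current.exception = line.strip()
            expect_exception = False
        else:
            m = FRAME_RE.match(line)
            if m:
                current.frames.append(m.group(1))
    return failures


def summarize(failures: List[ConversionFailure]) -> Dict[Tuple[Optional[str], ...], int]:
    """Count failures by (exception, ASM trigger, dex2jar stage) to expose one systematic trick."""
    counts: Dict[Tuple[Optional[str], ...], int] = {}
    for f in failures:
        key = (f.exception, f.trigger, f.stage)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in parse_dex2jar_log(SAMPLE_LOG):
        print(f"class {f.class_id:>3} {f.class_name}: {f.exception} in {f.trigger} during {f.stage}"
              f"{' of ' + f.method if f.method else ''} -> read {f.smali_path}")
    print(summarize(parse_dex2jar_log(SAMPLE_LOG)))
```

Feed it the full captured dex2jar output instead of SAMPLE_LOG to get the complete list. The summary is the useful part for an analyst: in the log above every root cause is the same NullPointerException reached through ClassWriter.visitOuterClass, which points at one deliberate trick in the class metadata rather than at many unrelated bugs, and the smali paths tell you which apktool output to read directly for the classes jd-gui cannot show.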
Some more screenshots of other files:




That is all for this post. In the next post we will dig deeper, use some other analysis and reversing techniques, and see what we can find.

Who knows, maybe we will be able to find the Android exploit the Kaspersky article mentions; that would be fun.

Wednesday, June 5, 2013

Rootkits Part 3 - The setup & your first device driver

Rootkits Part 3 - The setup & your first rootkit


Sorry for taking so long to get this post out, it has been a busy month.

OK, so if you missed the last post, take a look at it; it discusses some basic Windows functionality and internals that we will need to know.

DISCLAIMER: The following material is for information and educational use only.

Now that the disclaimer has been said, let's start.

---------------------------------------------------------

There are many ways to start writing rootkits. Some people use Microsoft's Visual Studio 2010 (2012 sucks), which is a great option; you just need to install some tools like the WinDDK, which make rootkit development easier. To start we will just create our own files and not use an IDE to help us; that will be saved for a later post.

What you need:
  1. WinDbg (for kernel debugging)
  2. Virtualization software (VMware, KVM, VirtualBox, etc.)
  3. Windows XP (test/dev box)
  4. Windows 7 or another XP machine (remote debugging box)

Be sure to take snapshots before you start anything or run the rootkit; if you mess up you will get blue-screened real quick.

We will switch to all Windows 7 boxes after a basic understanding of development and debugging is covered.  


I decided to keep this post small so everyone can get a basic environment up and running.

OK, so once you have your environment up and running, we will write a simple device driver.

We will be developing a device driver that just prints the classic "hello world". Keep in mind real rootkits DO NOT print anything; this is just a basic driver, and by basic I mean basic.


TAKE A SNAPSHOT OF YOUR CLEAN MACHINE!!!!

Yes, remember to take a snapshot of your clean box; you don't want to redo everything every time, and it's not advised to just keep putting rootkits on a box, that can fuck shit up!

This code may be a little dated but it still works (it may need tweaking).
#include "ntddk.h"
VOID DriverUnload(IN PDRIVER_OBJECT theDriverObject)   // lets the driver be stopped without a reboot
{
    UNREFERENCED_PARAMETER(theDriverObject);
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath)
{
    UNREFERENCED_PARAMETER(theRegistryPath);
    theDriverObject->DriverUnload = DriverUnload;   // register the unload routine
    DbgPrint("hello world\n");                      // shows up in WinDbg or DebugView
    return STATUS_SUCCESS;
}
This code was taken from Rootkits - Subverting the Windows Kernel; the DriverUnload routine is added here so the driver can be stopped again without rebooting.

Alright, that was simple, right?

Load this into the kernel and you will see the debug message.

Now you're wondering how the fuck do I load this into the kernel, right?

We will use OSR Driver Loader, it can be found here:
http://www.osronline.com/article.cfm?article=157

Yes, it hasn't been updated in a while, but it still works and beats writing your own driver loader, which we will eventually do in a later post.

Once OSR Driver Loader is installed, run it, select the path to your driver, then start it. You can check the Task Manager processes or use Process Explorer to check that the driver is running. You should also see the "hello world" debug message (DbgPrint output goes to the attached kernel debugger, or to a tool such as Sysinternals DebugView when no debugger is attached).


We created this basic driver to check that our environment is working and that we can run a basic driver; this is a good step in any development environment to make sure everything is functioning and running properly.


I will add screenshots from my tests so there is a visual reference and you can actually see it in action. I wrote this post on a separate box from my development/test environment.


In the next post we will cover remote debugging, so make sure you have two Windows boxes and have WinDbg installed.