Building Your Own Sandbox
Store, is to sign it with a certificate and generate an executable file with the APK extension.
Whenever we are interested in an application that carries malware but is not signed, it will not execute on any Android device. The signature must be made by the developer, the manufacturer, or Google. The signing key is generated with keytool, whose default location is /usr/bin.
$ keytool -genkey -v -keystore keystorename.keystore \
    -alias aliaskeystore -keyalg RSA -keysize 2048 \
    -validity 100
KeyTool Output:
Issuer
DN: C=CN, ST=Neverland, L=Neverland,
O=AndroidMalwareAuthor, OU=AndroidMalwareAuthor,
CN=AndroidMalwareAuthor
C: CN
CN: AndroidMalwareAuthor
L: Neverland
O: AndroidMalwareAuthor
S: Neverland
OU: AndroidMalwareAuthor
Subject
DN: C=CN, ST=Neverland, L=Neverland,
O=AndroidMalwareAuthor, OU=AndroidMalwareAuthor,
CN=AndroidMalwareAuthor
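To check the claim above in practice (an APK without signing files is rejected, and a modified entry no longer matches the manifest digests), here is an added Python example, not code from the book: it builds a constructed APK in memory, confirms that the v1 (JAR) signing files are present, and recomputes the MANIFEST.MF digest of every entry. The CERT.SF and CERT.RSA contents are stand-ins, so the example verifies presence and manifest integrity, not the PKCS#7 signature itself.

```python
import base64, hashlib, io, re, zipfile

def parse_manifest(text):
    """Map entry name -> (digest header, base64 value) from the MANIFEST.MF sections."""
    digests = {}
    for section in re.split(r"\r?\n\r?\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in section.splitlines() if ": " in line)
        name = fields.get("Name")
        for key in ("SHA-256-Digest", "SHA1-Digest"):
            if name and key in fields:
                digests[name] = (key, fields[key])
                break
    return digests

def check_apk(apk_bytes):
    """Report whether v1 signing files exist and which entries fail their manifest digest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        has_sf = any(n.startswith("META-INF/") and n.endswith(".SF") for n in names)
        has_block = any(n.startswith("META-INF/") and n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC") for n in names)
        expected = parse_manifest(z.read("META-INF/MANIFEST.MF").decode()) if "META-INF/MANIFEST.MF" in names else {}
        mismatched, unlisted = [], []
        for n in names:
            if n.startswith("META-INF/") or n.endswith("/"):
                continue  # signing artifacts and directory entries carry no digest
            if n not in expected:
                unlisted.append(n)  # content added after signing: not covered by the manifest
                continue
            alg, want = expected[n]
            h = hashlib.sha256 if alg == "SHA-256-Digest" else hashlib.sha1
            if base64.b64encode(h(z.read(n)).digest()).decode() != want:
                mismatched.append(n)
    return {"signed": has_sf and has_block, "mismatched": mismatched, "unlisted": unlisted}

def build_apk(entries, signed=True, tamper=None):
    """Constructed sample APK: digests cover `entries`; `tamper` names one entry altered afterwards."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        manifest = "Manifest-Version: 1.0\r\n\r\n"
        for name, data in entries.items():
            digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
            manifest += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
            z.writestr(name, data + b"X" if name == tamper else data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:  # stand-in CERT.SF/CERT.RSA: presence is checked, contents are not verified
            z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\r\n")
            z.writestr("META-INF/CERT.RSA", b"\x30\x00")
    return buf.getvalue()

SAMPLE = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"}  # constructed entries
```

Run check_apk on build_apk(SAMPLE), then on the same sample with signed=False or tamper="classes.dex", to see the three outcomes a sandbox should distinguish: signed and intact, unsigned, and signed but modified.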
Tools for Dynamic Analysis
Next we summarize the tools offered by the open source community for performing dynamic analysis, with which the sandbox can be equipped.
TaintDroid
TaintDroid (Figure 8.9) is a very intelligent extension that may renew the concept of protection systems for private information, because it lets users see what the apps they have downloaded are doing from moment to moment. It achieves this with a modified version of the Dalvik VM (the Java VM of the Android OS) and a kernel module that intercepts system activity in real time.
When the application starts sending private information to an external network, a pop-up appears that warns the user of the maneuver. For this to work, the APK must be installed in the TaintDroid environment.
DroidBox
DroidBox is a real-time monitoring project created by several U.S. universities and Intel. At present, DroidBox produces a report after the execution of an application and returns the following information:
File read and write operations
Cryptographic API activity
Open network connections
Outgoing traffic
Information leakage via SMS, files, or network
Attempts to send SMS
Phone calls
[Figure 8.9 (image not reproduced) shows how TaintDroid works: a trusted application and an untrusted application each run in a Dalvik VM interpreter with its own virtual taint map; the trusted library acts as the taint source, the Binder IPC libraries are hooked in userspace, and the Binder kernel module carries the tainted data across the interpreted code, userspace, and kernel layers until it reaches the taint sink. Steps (1) through (9) mark the flow.]
Figure 8.9 How TaintDroid works.
DECAF
DECAF (Dynamic Executable Code Analysis Framework) is the successor to the binary analysis techniques developed for TEMU (the dynamic analysis component of BitBlaze). It offers developers many callback interfaces. Callbacks are invoked at runtime, so they can be enabled or disabled dynamically, and registered or unregistered on the fly.
Through these interfaces the callbacks can recover semantics at the operating system level, including processes, system APIs, keystrokes, and network activity, entirely from outside the analyzed system. This kind of data provides the basic knowledge needed to develop plug-ins for DECAF.
DECAF has also recently incorporated DroidScope. DroidScope displays the structure of compiled packages, assisting in malware analysis. This module contains many graphical functions and readily gives analysts a set of tools in a graphical environment. Its functionalities are:
CFG
Call Graph
Static Instrumentation
Permission Analysis
Dalvik code
Smali code
Java code
APK Information
TraceDroid Analysis Platform
TraceDroid, a scalable and automated framework for the dynamic analysis of Android applications, detects suspicious and possibly malicious applications. Specifically, it relies on complete method tracing. This framework helps classify packages as malicious or benign.
Volatility Framework
Volatility Framework is a complete set of open source tools, written in Python under the GNU license, for the analysis of volatile memory (RAM). Its objective is to introduce people to the complex techniques of extracting digital artifacts from volatile memory (RAM) images, and to provide a platform for future work in this research area.
$ cd ~/android-volatility/
$ python vol.py --info | grep Linux
Volatile Systems Volatility Framework 2.3_alpha
LinuxGolfish-2_6_29x86 - A Profile for Linux Golfish-2.6.29 x86
$ python vol.py --profile=LinuxGolfish-2_6_29x86 -f ~/lime.dump linux_pslist
Volatile Systems Volatility Framework 2.3_alpha
Offset     Name        Pid Uid Gid DTB        Start Time
---------- ----------- --- --- --- ---------- ----------
0xf3812c00 init        1   0   0   0x33b04000 2013-02-25 16:42:16 UTC+0000
0xf3812800 kthreadd    2   0   0   ---------- 2013-02-25 16:42:16 UTC+0000
0xf3812400 ksoftirqd/0 3   0   0   ---------- 2013-02-25 16:42:16 UTC+0000
.....
Volatility is a unique and coherent framework that analyzes 32- and 64-bit RAM dumps for Windows, Linux, and Mac, and is now also able to analyze an Android memory dump.
Volatility's modular design allows it to support new operating systems and architectures as soon as they are published. All devices are targets for attacks; this is why it is not limited to Windows computers.
Sandbox Lab (Codename AMA)
AMA (Android Malware Analyzer) is a Python-based script that works in conjunction with different open source tools to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text or HTML report of the sample's activities (Figure 8.10).
AMA not only lets you run malware as a sandbox does, but also logs system-wide events while you run the malware manually in whatever way is needed to make it run. For example, it can listen as you run malware that requires varying command-line options, or watch the system as you step through malware in a debugger.
Architecture
The architecture we use to create the sandbox may be based on any *nix system, although for this lab we recommend CrunchBang Linux. CrunchBang is a distribution created by Philip Newborough and based on the well-known Debian GNU/Linux distribution. Despite this, it is not recognized as an official Debian-derived distribution. It uses the Openbox window manager and GTK+ applications.
This distribution is designed to provide an excellent balance between speed and functionality. It is as stable as Debian and ships with a modern, minimalist default interface that can be heavily customized, making it a perfect distribution for computers with limited resources.
You may use any Linux distribution you wish; other preferred installs include Ubuntu LTS, Arch Linux, Slackware, and so on. We chose CrunchBang because we are fans of minimalism and speed.
Next we go over considerations for preparing your host operating system and point out some tricks if you want to run AMA inside a VPS or virtualized system.
[Figure 8.10 (image not reproduced) shows the AMA workflow: a suspicious APK passes through static analysis (VirusTotal match, suspicious strings, manifest parsing) and dynamic analysis (system traces, app traces, method traces, network capture, screenshots), producing the report results.]
Figure 8.10 AMA.