近日,黑客组织Hacking Team被攻击,超过400G的内部邮件,文档以及工具包曝露于大众视野。有人形容这是安全界的一次灾难并不为过,而且破坏力MAX。为了保护我们的移动端用户,OXID非常重视,经过研究发现大部分的工具是利用操作系统一些应用漏洞达到权限提升,任意代码执行的目的。受波及的系统有OSX, iOS, Android, Window Phone 8, Blackberry,Windows 和Linux。除此之外,攻击里面的亮点还有Windows Font 0day和 Flash 0day。举个栗子,在这些工具中广泛地利用了2个Flash 0 day 漏洞,而且截止到目前,这两个0 day 漏洞还没有被修复。
针对手机端的安全保护,0XID实验室为我们的首批客户开发了一个清除工具(0xIDHT Removal Tool)。现在为了响应广大人民群众的呼声,我们把它放到网上供所有用户使用,下载地址请猛戳:http://www.0xid.com/htrm/HTRemovalTool.apk. (sha1: c3f154b9da0602cd1d514c0ac9e3f1d53f688098)
我们已经分析了所有已知的Android样本,还在继续挥汗如雨的解决大批其他的样本和漏洞,接下来陆陆续续上传我们的云。下面列了一些已知的样本(如果你需要测试这些样本,可以访问www.virustotal.com,但是别怪我没有提醒你,测试的时候一定要慎之又慎!)
0x59a86aa2679c4e9bc686d0df5f8cf5a1ee60983d
0x39ea19a0e82dd3eb441b31b25e7257cd23e7a20c
0xa2ce70e418b7d7ff908030f39466194e4689ab9c
0x74b80902bbe123cfd8fd6fb974aff0337adcbcf9
0x945c2f717d232be9890bb9d67cf0397e0aa551bb
0xf3a35f97c77ab8e51e0bd502b4e078365bb8921b
0x91dbddf3d443bdaff03c9b406a8f513bff8ac95b
根据Virustotal,大多数的AV厂商把这些样本识别为InfoStealer。但是根据我们的行为分析,我们还没有看到payloads或者C&C连接(这和去年那些个HT的旧样本还不一样)。
随着研究的深入,我们会继续分享更多的技术成果,虽然万里长征才刚刚开始,但我还是要说精彩继续,请别走开!
动态沙箱结果:
{“apkName”:”e:\\b7b944c57164498193886b83f1f40842a6333e4a.apk”,”recvnet”: {}, “servicestart”:{“150.12599992752075″: {“type”: “service”,”name”: “com.android.contacts.calllog.CallLogNotificationsService”},”150.1159999370575″: {“type”: “service”,”name”: “com.android.musicfx.Compatibility$Service”}},”sendsms”: {“150.12599992752075″: {“message”:”TESTEST”, “tag”: [“TAINT_SMS”],”type”: “sms”, “sink”: “SMS”,”number”: “1234”}}, “cryptousage”:{“150.12599992752075″: {“operation”: “keyalgo”,”type”: “crypto”, “algorithm”: “AES”,”key”: “-51, -81, -2, -54, 98, -70, 115, 5, -116, 65, 76, -125,-114, -47, -66, -104″}}, “sendnet”: {},”accessedfiles”: {“443896862″: “/proc/782/cmdline”,”1209266560″: “/proc/913/cmdline”, “799795249”:”/proc/951/cmdline”, “66796201”:”/data/data/com.android.mms/shared_prefs/com.android.mms_preferences.xml”,”1809861913″: “/proc/965/cmdline”, “605373437”:”/dev/urandom”, “384722164”:”/proc/1076/cmdline”, “1642268030”:”/proc/963/cmdline”, “1522895157”:”/proc/995/cmdline”, “1618477769”:”/data/data/com.android.mms/shared_prefs/com.android.mms_preferences.xml”,”390407281″: “/proc/1078/cmdline”, “2099454036”:”/data/data/com.android.gallery3d/shared_prefs/com.android.gallery3d_preferences.xml”,”1277933733″: “/proc/993/cmdline”, “1087005010”:”/proc/817/cmdline”, “309013678”:”/proc/1040/cmdline”, “1085450266”:”/data/data/com.android.gallery3d/shared_prefs/com.android.gallery3d_preferences.xml”,”1594159581″: “/proc/880/cmdline”, “909215464”:”/proc/834/cmdline”, “1066883498”: “/proc/979/cmdline”,”650387980″: “/proc/1053/cmdline”, “1560911452”:”/proc/836/cmdline”, “316528265”:”/data/data/com.android.contacts/shared_prefs/com.android.contacts_preferences.xml”,”1624132889″: “/proc/1031/cmdline”, “1651029506”:”/proc/meminfo”, “2022394307”:”/proc/1068/cmdline”, “300862952”:”/proc/911/cmdline”, “2143828922”:”/proc/909/cmdline”, “1098173206”:”/proc/754/cmdline”, “1650791196”: “/proc/meminfo”,”1470734761″: “/proc/977/cmdline”, “1231762052”:”/proc/911/cmdline”, “378569751”: “/proc/770/cmdline”,”2077627825″: “/proc/meminfo”, “1305828132”:”/proc/819/cmdline”, “1709322577”:”/data/data/com.android.musicfx/shared_prefs/musicfx.xml”,”315578657″: “/data/data/com.android.providers.contacts/shared_prefs/com.android.providers.contacts_preferences.xml”,”2141085376″: “/proc/meminfo”, “1694377132”:”/proc/878/cmdline”, “1657820936”:”/proc/1029/cmdline”, “832733529”:”/proc/1066/cmdline”, “934472004”:”/proc/1042/cmdline”, “1717394796”:”/proc/1055/cmdline”, “1061260896”:”/proc/953/cmdline”, “1838999328”:”/data/data/com.android.gallery3d/shared_prefs/com.android.gallery3d_preferences.xml”},”fdaccess”: {“150.12599992752075″: {“path”:”/proc/1078/cmdline”, “operation”: “read”,”data”:”73637265656e636170002d70002f7364636172642f50696374757265732f73637265656e3035302e706e67007265732f73637265656e3035302e706e67000000000000000000000000000000000000000000000000000000000000000000000000000000″,”id”: “390407281”, “type”: “fileread”}}, “dataleaks”: {“150.12599992752075″:{“message”: “TESTEST”, “tag”: [“TAINT_SMS”],”type”: “sms”, “sink”: “SMS”,”number”: “1234”}}, “opennet”:{“150.12599992752075″: {“desthost”: “8.8.8.8”,”fd”: “136”, “destport”: “7”}},”recvsaction”: [“com.android.dvci.BM”,”com.android.dvci.listener.AR”], “dexclass”:{“150.12599992752075″: {“path”:”/system/app/Contacts.apk”, “type”: “dexload”},”150.1159999370575″: {“path”:”/system/app/PicoTts.apk”, “type”: “dexload”}},”hashes”: [“fd94113164c8efbc976b2048ce7531ad”,”b7b944c57164498193886b83f1f40842a6333e4a”,”d18c6e62dd6261330abed321b9a4b042abde4ef264c87dc5a9581d5d3bb34164″],”closenet”: {}, “phonecalls”: {}}