HackDig : Dig high-quality web security articles for hacker

Android/Emmental: adding cheese in emmental holes

2014-10-30 21:35

This is a follow up post on Operation Emmental. If you are not aware of Emmental, please read this white paper, and our previous blog post.

I wouldn't deserve to sign my posts as 'the Crypto Girl' if I didn't mention crypto in Android's Emmental malware (Android/Emmental.A!tr.spy) ;)

Emmental's code uses Spongy Castle. This is the (famous?) Bouncy Castle crypto library repackaged for Android. It is the first time I encounter the library in mobile malware (but it's possible I missed it in other samples).

It also loads an elliptic curve library. In particular, curve 25519, an elliptic curve used for high performance on key agreements. This certainly is the first time I see that in malware, but to be honest, it is not really used by the malicious payload of the malware, but only to have it look like a genuine SMS application.

What Emmental does use is Blowfish. Blowfish is seldom used than AES or DES, but it is nonetheless a famous block cipher, designed by Bruce Schneier. We encounter it from time to time in malware (e.g Android/SmsSpy.HW!tr.spy), but not frequently.One of its particularity is to be able to operate on key sizes from 4 to 56 bytes. Emmental uses it with a 25 bytes key to decrypt its intial configuration.

As a matter of fact, the Android Emmental malware includes two raw resources:

  • config.cfg: this is the initial configuration, encrypted using Blowfish in CBC chaining mode.
  • blfs.key: this is the blowfish key with some extra garbage. Only the first 25 bytes are used.

Want to decrypt the initial configuration? There you go!

from Crypto.Cipher import Blowfish
import base64
import binascii

def Blowfish_CBC_decrypt(key, buffer, IV):
cipher = Blowfish.new(key, Blowfish.MODE_CBC, IV)
return cipher.decrypt(buffer)

def prepare_key(file):
The key is read from blfs.key, converted to hex, and truncated to 25 bytes
return binascii.hexlify(open(file).read())[:50]

def prepare_config(file):
The config file is base64 encoded. We need to decode it first
return base64.b64decode(open(file).read())

if __name__ == '__main__':
key = prepare_key('blfs.key')
config = prepare_config('config.cfg')
IV = '12345678'
print "Decrypted config file: " + Blowfish_CBC_decrypt(key, config, IV)

and this is the XML configuration file you get:

<?xml version="1.0" encoding="utf-8"?>
<data rid="25"
shnum10="" shtext10="" shnum5="" shtext5="" shnum3="" shtext3="" shnum1="" shtext1=""
ready_to_bind="0" />

Note field phone_number is where to send SMS to. Fields url_main, url_data, url_sms and url_log are the remote C&C URLs.


-- the Crypto Girl

Source: seloh-latnemme-ni-eseehc-gnidda-latnemme-diordna/tsop/moc.tenitrof.golb

Read:1720 | Comments:0 | Tags:No Tag

“Android/Emmental: adding cheese in emmental holes”0 Comments

Submit A Comment



Blog :

Verification Code:


Share high-quality web security related articles with you:)


Tag Cloud