Rock appround the Clock: Tracking Malware Developers

Video in TIB AV-Portal: Rock appround the Clock: Tracking Malware Developers

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Are you a malware developer for Android devices? We have very bad news for you: the Android SDK packager (aapt) is leaking your time zone! We have found a bug inside this Android SDK component that consists in not properly setting the value of a variable used as an argument for the localtime() function when setting the "Last Modified" field of the Android app's files. Because of this, the time zone of anyone using the Android SDK packager to generate their APKs is leaked. The curious thing is that, despite this bug being inside aapt, the problem goes even beyond aapt itself: its roots go deep into the incorrect error handling of the operating system functions localtime() (Windows) and localtime_r() (UNIX). Because in the world of threat intelligence determining the attacker's geographical location is one of the most valuable data for attribution techniques, we focused our research on taking advantage of this bug for tracking Android malware developers. In addition to this, we have discovered another very effective way to find out the developer's time zone, based on a calculation of times: extracting the GMT timestamp from the Android app's files and the UTC timestamp of the self-signed, "disposable" certificate added to the application (the most common case among malware developers). This is what we call: Rock appround the clock! Using these two different techniques, we have crunched some numbers with our 10 million app database to determine how these leaked time zones (with one or the other technique) are related to malware, which countries generate more Android malicious applications, and what the possible relation between time zone and "malware likelihood" is, among other interesting numbers. But that's not all; we have more bad news for malware developers: no IDE (not even Android Studio) removes metadata from the files added to the Android app.
We will show examples with real cases in which, after analyzing the metadata of files inside the .apk, we got to know the country, language, or even more specific geographical location of the developer and, in some cases, the name of the supposed-to-be-anonymous developer! Finally, we will share the scripts we have built to get all this information with just a simple click.
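As an added worked example of the two techniques the abstract describes (my code, not the speakers' tool and not code from aapt): it reproduces the DOS timestamp that a buggy aapt writes for each UTC offset and inverts that over the entries of a sample APK, then recovers the offset from the certificate's notBefore against the signature file's ZIP timestamp. The sample APK and the notBefore value are constructed; reading notBefore out of a real certificate (keytool or openssl) is assumed to happen beforehand.

```python
"""Recover a developer's UTC offset from an APK (added example, not from the talk).

Technique 1: aapt passes modWhen = 0 to localtime(), so the entries it adds carry
localtime(0) of the build machine as their DOS timestamp; the hour (and, for
negative offsets, the date) encode that machine's UTC offset.
Technique 2: the disposable signing certificate's notBefore is written in UTC,
while the signature files' ZIP timestamps are local time; their difference,
snapped to the zone grid, is the offset.
"""
import io
import zipfile
from collections import Counter
from datetime import datetime, timedelta

# Candidate offsets -12:00 .. +14:00 in 15-minute steps (covers +05:30, +05:45, ...).
CANDIDATE_OFFSETS_MIN = range(-12 * 60, 14 * 60 + 1, 15)


def aapt_leaked_date_time(offset_min):
    """What aapt's ZipEntry::setModWhen(0) stores on a machine at this UTC offset.

    localtime(0) is 1970-01-01 00:00 UTC shifted by the local offset. aapt then
    clamps tm_year below 80 up to 80 (DOS dates start in 1980); the result is a
    (year, month, day, hour, minute, second) tuple like zipfile.ZipInfo.date_time.
    """
    local = datetime(1970, 1, 1) + timedelta(minutes=offset_min)
    tm_year = local.year - 1900
    if tm_year < 80:
        tm_year = 80
    return (1900 + tm_year, local.month, local.day, local.hour, local.minute, 0)


# Reverse table: leaked DOS timestamp -> UTC offset in minutes. One-to-one, because
# the 26-hour candidate window never produces the same month/day/hour/minute twice.
LEAK_TABLE = {aapt_leaked_date_time(m): m for m in CANDIDATE_OFFSETS_MIN}


def fmt_offset(offset_min):
    sign = "+" if offset_min >= 0 else "-"
    hours, minutes = divmod(abs(offset_min), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"


def offsets_from_aapt_leak(apk_bytes):
    """Technique 1: count, per ZIP entry, the UTC offset its timestamp leaks.

    Only timestamps present in LEAK_TABLE are counted. Treat UTC+00:00 with care:
    1980-01-01 00:00:00 is also the generic 'zero' DOS timestamp that many
    packagers write on purpose, so on its own it is not evidence of a leak.
    """
    hits = Counter()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.date_time in LEAK_TABLE:
                hits[fmt_offset(LEAK_TABLE[info.date_time])] += 1
    return hits


def offset_from_cert_delta(sig_date_time, cert_not_before_utc, tolerance_s=300):
    """Technique 2: signature-file local time minus certificate notBefore (UTC).

    Both arguments are (year, month, day, hour, minute, second) tuples. The delta
    is snapped to the 15-minute zone grid; if the residual exceeds tolerance_s
    (certificate not created right before signing) or the snapped value is not a
    real zone offset, the technique does not apply and None is returned.
    """
    delta_s = (datetime(*sig_date_time) - datetime(*cert_not_before_utc)).total_seconds()
    snapped_min = round(delta_s / 900) * 15
    if abs(delta_s - snapped_min * 60) > tolerance_s:
        return None
    if snapped_min not in CANDIDATE_OFFSETS_MIN:
        return None
    return fmt_offset(snapped_min)


def build_sample_apk():
    """Constructed sample APK: resources added by a buggy aapt on a UTC+03:00
    machine, plus a dex and signature files carrying the real local time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        leaked = aapt_leaked_date_time(3 * 60)            # (1980, 1, 1, 3, 0, 0)
        for name in ("AndroidManifest.xml", "resources.arsc", "res/layout/main.xml"):
            zf.writestr(zipfile.ZipInfo(name, date_time=leaked), b"<constructed>")
        zf.writestr(zipfile.ZipInfo("classes.dex", date_time=(2017, 7, 28, 15, 0, 2)), b"dex")
        for name in ("META-INF/CERT.SF", "META-INF/CERT.RSA"):
            zf.writestr(zipfile.ZipInfo(name, date_time=(2017, 7, 28, 15, 0, 6)), b"sig")
    return buf.getvalue()


def analyse(apk_bytes, cert_not_before_utc):
    """Run both techniques on an APK and return their verdicts."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        sig_entries = [i for i in zf.infolist()
                       if i.filename.startswith("META-INF/")
                       and i.filename.endswith((".SF", ".RSA", ".DSA", ".EC"))]
    cert_delta = (offset_from_cert_delta(sig_entries[-1].date_time, cert_not_before_utc)
                  if sig_entries else None)
    return {"aapt_leak": dict(offsets_from_aapt_leak(apk_bytes)), "cert_delta": cert_delta}


def demo():
    # Constructed notBefore: the disposable certificate was generated 4 s before signing.
    return analyse(build_sample_apk(), (2017, 7, 28, 12, 0, 2))


if __name__ == "__main__":
    print(demo())   # {'aapt_leak': {'UTC+03:00': 3}, 'cert_delta': 'UTC+03:00'}
```

Both verdicts agreeing, as in the constructed sample, is the cross-check the talk describes; when only the certificate delta is available, remember that it reflects the machine's DST state at build time.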
Without further ado, here are the speakers on aapt. Hi, it seems something went wrong with the shot, right? Okay. I'm Sergio de los Santos, I come from Spain, head of the security lab in ElevenPaths, which is the Telefónica cybersecurity unit. I'm 23 years old and I come from... Actually, in the world of threat intelligence, determining the attacker's geographical location is one of the most high-level data for attribution techniques. However, in some cases tracking a malware developer can turn into a pretty difficult thing; the researchers targeting it may even feel a little bit frustrated. That's why we are always paying attention to new techniques that might help to track malware developers, or reach the potential attribution of a malware campaign.

In this presentation we will focus on Android, first talking about two new techniques that we've found to track Android malware developers by getting their time zone. The first one has to do with a bug inside the Android SDK, in the packager aapt; this bug makes a time zone disclosure of the computer where the developers have compiled the malware. The second technique is related to a calculation of creation times between the certificate of the APK and some files inside it. So our talk will get deep into these two new techniques, and finally we will talk about how we can do an accurate mapping from the time zone that we got to a specific country.

So let us start talking about the Android bug. When we download the Android SDK it comes with a tool named aapt. We can find this tool inside the SDK folder, in build-tools, under the API version. If we run aapt you can observe in the first line that this is the Android Asset Packaging Tool, so we can use this program from the command line to add some files to an APK, remove files, see their information, among others. Here we are interested in the adding of files. An APK is a zip file, and it
follows the PKZIP standard: every file inside it has a date and time of last modification. However, when we use aapt for adding some files to an APK we notice something strange in these date and time fields: they are not the real ones. Instead of the right date and time information we usually saw something like 01/01/1980 and an hour of 03:00:00. That 3 in the hour field caught our attention, because if we change the time zone of the computer to, for example, GMT+8, the 3 turns into an 8, and if we change the time zone to GMT+4 the hour will be 4. So what the hell is happening here? This is a kind of GMT offset.

Well, after we noticed that, we started to analyze the source code of aapt. It is published on Google Git, and inside the path of aapt there are several files that compose the source code of this program. So we put our attention on those files related to the zipping process. Inside the ZipFile.cpp file there is a method named addCommon; it is the method that is called for every file that will be added to an APK. As we can observe, this method receives as parameters the file name and some other things related to the file being stored into an APK. Analyzing the code of this method, we observe that there is a call to another method named setModWhen, using as parameter the modWhen variable. If we look for this variable, we find that it is of time_t type and is initialized to zero, and it will be used inside the setModWhen method.

So let's check this code. setModWhen is located in the ZipEntry.cpp file of the source code of aapt. There we have the method and its parameter; remember that "when" is equal to zero. Inside this method there is another variable of time_t type, its name is "even", and the value of "even" is the value of "when", so "even" is equal to zero too. But the question here is: is the "even" variable used for anything at all? Immediately after the lines that we saw, "even" is used as parameter for the localtime function; ptm is a tm structure where localtime will save its result, and after that ptm is used for assigning the last modified field for every file that will be added to an APK. So at this moment we have a problem in that file: the localtime function is receiving as parameter the "even" value, which is 0, when the expected argument for the localtime function is a real timestamp.

So let's analyze it in runtime. Here we are attached to aapt: we have run the debugger with parameters for adding a file, we put a breakpoint on the subroutine that we were analyzing in the source code, and at this moment we can observe the "even" variable with value 0 being passed to the localtime function as argument. The result of this call is the one that we were seeing, the time zone disclosure of the computer. But what will happen if we pass to the localtime function the expected argument, that means a real timestamp? Well, now we have altered the value of "even", putting a UNIX epoch timestamp, and surprise: the date and time of last modified was the correct one. So let's show you our video demo with all this in action.
Okay, consider we are in GMT+3. We have run the debugger with parameters for adding two files. We put a breakpoint; we reach the breakpoint for the first file, but this time we won't fix anything, we will just leave the "even" value at zero as in normal execution. But for the second file we will fix this bug: we'll put a real timestamp, a UNIX epoch value, in the variable. Excellent. Now we are changing the value of "even" from zero to the real timestamp, we continue the process, and we finish. So we can now use aapt for extracting details of any APK, and now we can see this APK with the first file, with this bug making the time zone disclosure, and the second file with this one fixed, showing the right date and time information.
Well, at this moment we are convinced that there is a bug inside aapt. But why does this end up as a time zone disclosure of the computer? Well, the localtime function makes a calculation to put the current hour in the hours field: it takes the UNIX epoch coming from the parameter, which is UTC, and makes an addition or subtraction with the time zone of the computer. For example, if the time zone of the computer is GMT+3 it makes the UNIX epoch plus 3 hours, and if the time zone is GMT-3 it makes the subtraction, the UNIX epoch minus 3 hours. With that, the localtime function gets the current hour in the local computer. But in aapt, where we found this bug, localtime is making the addition or subtraction over 0, so GMT+3 is just 0 plus 3; that's why we will see the number 3 in the hour field. In the case of GMT-3 it is the subtraction 0 minus 3, but this subtraction affects the date too: now we'll see December 31 of '79 and a 21 in the hour. That 21 is basically the subtraction 24 minus 3. So those GMT offsets of GMT minus whatever might look a little bit confusing, so for that we have made a suitable table that we will show you later. On the side of the date, when we use aapt, instead of December 31 of '79 we see an 80 in the year field. That is because of a correction factor in the method that we were analyzing in the source code: there we have an if which says that if the year is less than 80, the year is 80. So it is really the other day, but it lets us know that we are analyzing it correctly.

So you have the offsets table. In the case of GMT plus something it's very easy because it's the same number; so for example GMT+5 will put a 5 in the hour field. In the case of GMT minus something we have to do the subtraction 24 minus the local time zone of the computer; for example, 24 minus 3 for GMT-3, that is 21, and 21 will be the offset in the hour field. What we have here is mapping the GMT that we guess with the file date in the APK itself, so you can check the file and then get back to the GMT and the local time zone of the one who compiled it.

After all, the good question is: should localtime return this? In certain documentation we can see that localtime returns NULL in this case, instead of this information disclosure, because 0 is not a valid argument. However, we can see in the IDA screenshot the calls to this function, to be sure that it's not aapt the one that is not handling the errors correctly. They are in red: we can see the GMT offset, in this case GMT+3. We have to know that this behaviour is present on Windows, Linux and OS X, so Android developers using aapt will be leaking their time zone. Sorry, I'll go back to the graph [inaudible].
Okay, once we know the technique based on the bug in aapt, let's talk about another technique that has nothing to do with the bug but with the way attackers or creators of applications usually work. As we have said, APKs are basically zip files, and every zip file has a date and an hour inside. They take it from the last modified field in the local system of the user, and it stays permanently inside the zip file. On the other hand, an application APK has to be signed by a certificate. Most of the times the certificates are created with no CA, they are self-signed, so there's no CA and you create it just a few minutes before, a few seconds before you compile it. In other words, to create these disposable certificates for signing this APK you're creating certificates in X.509 format; that means that for the creation time field in their own certificate they take the time from the file system as well. So if you compile it on this date, the certificate will take the date from the file system, but they do it in UTC time, without any time zone at all.

So think about it: if there is a signature file inside the APK, which is the last one to get into the zip file (in the APK it is the last one), it takes the last modified field from the local system, from the file system. And we have this certificate that, if we assume that it is being created basically in the same moment or a few seconds before the compilation, gets the time in UTC, the same time, but what we see in the files is the local time. So in the examples you can see that if you think that the certificate has been created 15 seconds, or 60 or 50 seconds, before the compilation, the dates are the same hours, the same, I mean, except for a few seconds. You can do the math between both dates and times and you will have a possible GMT, or local time zone; for example here it is GMT minus something. Let's have another example, imagining that this certificate has been created four seconds before the compilation. So the last file in the APK gets the date on the left and the certificate has the date on the right; you have UTC on one side and the local time, with the time zone of the person, on the left side, so that means that this person is maybe in GMT+1. So, as long as the minutes and seconds are close in time when you create the certificate and you compile the application, and the certificate and the application appear together, we have information enough to deduce the GMT or time zone of the person, because we can just do the math between the UTC in the certificate and the time in the file that is created when you compile; for example here it would be eight hours or whatever. So it works.

We have created a little Python tool that checks, on one hand, the certificate creation date in UTC time, and on the other hand it checks the signature file date. If we assume they were created at the very same moment, the developer's time zone will be UTC+3, because the signature file was created one second after the certificate. So the result seems quite accurate; we thought this is a fine example because in the e-mail you can check that it is .er, which is Eritrea, and this is UTC+3. But this is basically a coincidence, and as you can check in the certificate it seems to come from Russia, which is UTC+3 as well.
So now we have these two techniques to check: one by the bug in aapt, and this certificate technique, to know the GMT or time zone of the person compiling the applications. Let's do some statistics. We have a 10 million application set, or database. Now we have to check for both techniques. The time zone leakage by the aapt bug: we have two thousand, more or less, APKs with this. And the time zone leakage by dates and certificates: we have almost half a million of them in our database. As you can imagine, many of them will share results; so for example with UTC+7 we have like 3,000 applications that have both problems and they leak the same UTC+7, so this confirms more or less that these techniques complement each other.

Once we had all this information, what we did is taking a thousand samples with each leak: a thousand of UTC+3, a thousand of UTC+1, with the aapt time zone disclosure bug. For some of them we didn't have enough; for example UTC-7 really had six of them, because this is America, somewhere in the middle of the Pacific, and we think there are not too many applications created there. So we checked them out against different antiviruses, twenty-plus antiviruses, and checked how much malware was there. This is what we got: GMT+4, which is Russia (well, not Russia; Russia is officially plus 3, but a part of Russia is plus 4), GMT+8 which is China, and GMT-7 which is USA West Coast. GMT+11 and GMT-8 are not good enough because we didn't have enough samples.

We did the same again with the file/certificate date time zone disclosure technique: we took a thousand samples of every time zone, from different time zones, with a thousand of them, and checked against different engines, with antiviruses, and this is what we got. We got GMT+5, GMT+8 and GMT-6 as the ones with more malware in there. You might agree that this is a little different from the other technique. Well, we think that this is because of DST, daylight saving time: this technique relies on the local time of the computer, so it may change; but if you think about it, GMT+8, which is China, does not have DST changes, and it remains the same. So we can conclude that we should have done this better; we should have taken into account the period of the year in which the DST changes. But basically what we can conclude is that Russia, GMT+4 (in the past year, +5), GMT+8 which is China, and the middle of the USA or the West Coast are the ones creating more malware. And with this technique, they are creating these disposable certificates as well; you have to take this into account, they're creating these disposable certificates. So this makes sense because maybe, we think, it's just a theory, the cloud: too many computers in the USA, in the West Coast, and they create the certificates in there, these disposable ones, and that's why we have so much malware in there.

We did it the other way around as well: we took the malware we had with this leakage and checked for the UTC or GMT time zone. This is what we got: again, with one technique, the file/certificate date technique, we got that UTC-6 and UTC+8 were the ones with more malware, and with the other technique, the aapt bug time zone disclosure, we have basically the same, UTC+8, UTC+4.

What is this useful for? What we did as well is check our database: we have 10 million of things, and we took several sets of a thousand applications and we have a rate of 6 percent malware in there. And we took a set of a thousand APK samples with these leakages or disclosures and compared each other, and we concluded that, for example, comparing our standard rate of a thousand applications with its 6 percent of malware, a random set of applications with UTC+8 makes it six times more likely to be malware than our standard rate in our database.

These are some examples with
real-life malware. For example, this one, which was locking some telephones, had this file/certificate date problem; it was leaking the time zone, I mean, and it was Korea, UTC-9. And this other malware, which had this aapt time zone disclosure bug, it was Korea as well.

This is a malware we found a few years ago; it was a very interesting malware: once the mobile was infected it took some users and passwords from the database of the attacker, pre-loaded users and passwords came through the telephone that was infected, it registered with this telephone in Google Play, got the token back to the attacker, and with this token associated with the telephone he was able to give five stars and download fake applications. Fake users registered to real telephones, voting and downloading fake applications just to get up high in the Google Play Store. This is... well, we found it focusing on this: GMT+8, with China, and some other things like connecting to a PHP command and control, having this get accounts permission and hiding behind wallpaper applications. Focusing on that we were able to find and define this malware, and we alerted Google Play and they removed it. Perfect, nice to research. So the malware came from China.

Now we have, for example, this one; we took a few samples from them. This malware had both techniques; you could check with both techniques that it came from GMT+3, which is Russia again. And aside, here you can see that the certificates are always created about two or three minutes before the compilation, which led us to think that they were automated, these disposable certificates created in an automated way, and coming from Russia. Okay, with the
techniques that we were analyzing thoroughly we'll get the time zone of the Android malware developer. Now we'll see quickly how we can do an accurate mapping from the time zone to one specific country. Inside an APK there are some files that are pretty common; one of them are RTF documents, usually used for agreement elements inside Android applications. Related to this kind of file types we had an experience a month ago, when WannaCry occurred, because this ransomware shows a message in multiple languages using several RTF documents. This is funny: the trick with Word/Office in RTF files is that when you create an RTF file with Word/Office you get inside the RTF a metadata called \deflang; this is the default language in your Word or text editor. So every one of us has a default language in our Word, so looking through RTF files it's quite possible that your Word has as default language your native language, so by legacy, or maybe you're not even aware of it, it is active in the RTF files that you create with Word. Yes, we made our research for getting information about WannaCry, and among other things we checked those RTF documents for metadata, and there we found that Korean is the default language configured in the text editor of the WannaCry developer.

Well, here we have an example of an Android malware in which, among its files, there is an RTF document. We have to know that neither Android Studio nor other IDEs remove the metadata from the media files added by the developer to an APK, so we can check this kind of media files and get some interesting information; in this case we found that Arabic is the default language in the author's text editor.

There is another trick to accurately get the country: we can get the strings typed manually by the developer; it may be helpful for knowing the native language of the developer. We can use aapt for extracting the strings of an APK, but there's a problem, because even if the APK is extremely simple there will be a lot of strings added automatically by the IDE just for translation purposes. So in the screenshot we can see thousands of strings that were added by the IDE automatically in a very, very simple APK. So we can do a little bit of magic using aapt for extracting all the resources, filtering via strings, using it together with grep, a pretty nice command. Analyzing the output of this command we found a way to differentiate the strings added automatically by the IDE from those written by the developer: basically we are checking the region of the strings, removing those coming from resources where the strings of translation are. After all, the only thing we have to do is to check what could be the native language of the developer, as we see in the strings typed manually by him.
And we created a tool as well, which is not online yet. This is not the best interface in the world, sorry, but you can drag and drop an application and it will try to deduce the possible GMT and check for other techniques to get the country and the languages. The country means basically: sometimes it comes from these techniques we have explained, or maybe from the certificate itself, or maybe from analyzing the strings.xml we have shown, or even sometimes maybe from the TLD of the domains, .whatever, that the application has inside. So you can deduce with these different techniques which is the GMT, the time zone, or the native language of the person. This tool takes all these techniques together, and once you drag and drop whatever APK it will check different techniques to get in there, even the RTF that we have just talked about. So this tool will be online soon; the other one is already online. This one, for example, seemingly comes from Russia and has some domains with TLDs, and the certificate is the standard one for debugging, so it is not useful.
So, what are the conclusions here? We presented different ways for not just leaking the time zone but as well possibly detecting automatic malware creation because of these disposable certificates that are created a few seconds or minutes before the compilation is done. Possible malware machine learning features in detecting APK malware: remember that we showed some statistics that could be useful; once you create a machine learning algorithm it is useful to have neat features to have a better understanding, so I think this is a pretty good one for machine learning and detecting malware, since most are created with these disposable certificates or come from one time zone or another. And a tool for a quick view of all this information from the APK's metadata. Future work: as we said, we should take into account the DST, so these techniques are more accurate, and maybe have a little more samples, more than a thousand samples of each disclosure technique or whatever. And this is pretty much all. Thank you. If you have any questions...

[Question, not audible.] No, it does not work with WordPad, it just works with Word. We checked, because it has the default language defined in there. With WordPad, for example, you can create an RTF file, but you don't have a language. Take into account that this language is the one you have defined in your text editor for the syntax correction, so I don't know about any other office package, but with Word, with Office, it happens. Okay, other questions? Thank you, hope to see you in some other talk.