August 4, 2009 at 9:09 am
In case you are not familiar with the Symbian development process: from Symbian OS 9.1 onwards, application development involves two major security measures. First, applications must declare their capabilities, i.e. if an application uses a Bluetooth connection, it must have the Symbian LocalServices capability. A few other capabilities of interest to malware are:
* NetworkServices: required to make a call, send HTTP requests etc.
* ReadUserData/WriteUserData: required to read/write user’s contacts.
* UserEnvironment: to use the camera.
* Location: particularly interesting for spywares, to locate the phone.
* PowerMgmt: to kill applications.
* ReadDeviceData/WriteDeviceData: typically used to get the IMEI.
Second, applications must be signed: unsigned applications can no longer be installed (unless the phone is hacked). There are at least 5 ways to sign applications:
* self-sign your application: this is the quickest way to sign an application. It can easily be done offline with Carbide.C++ (the Symbian development IDE). But, of course, the application then installs with a prominent security warning.
* use Symbian's Open Signed Online: this is meant as an online testing facility. Applications are uploaded to the website and signed within a few hours.
* get a certificate from the Chinese website OPDA: this route was mainly useful before Symbian opened its Open Signed Online service. It is now of less interest unless one reads Chinese, although several tutorials explain how to get a certificate from this website without understanding a word of Chinese. The first signature is free.
* Express Signed: this can be considered the 'quick' (express) but official way to get an application signed. Developers need to register with a valid email address that is not from a public domain (no Yahoo, Gmail...). Then each signature costs US$ 20.
* Certified Signed: this is the official / professional way to get applications signed. Developers register on the same website as for Express Signed, but must obtain an Application Code Signing (ACS) Publisher ID (US$ 200) to identify themselves. The signing process may be long, as the application undergoes several quality tests.
The table below summarizes the limitations of each method.
Solution | Install warning | IMEI restriction (application bound to a given IMEI) | Capability restriction | Application undergoes tests
---|---|---|---|---
Self-signed | Yes | No | Basic capabilities only: LocalServices, NetworkServices, ReadUserData, WriteUserData and UserEnvironment. From Symbian OS 9.2, Location as well | No
Open Signed Online or OPDA | No | Yes | A few capabilities are forbidden, but most malware shouldn't need them | No
Express Signed | No | No | A few capabilities are forbidden, but most malware shouldn't need them | Yes, but limited: applications are scanned against known viruses
Certified Signed | No | No | Nearly all capabilities are available, apart from those granted by manufacturers | Yes
So, how do we identify which signing process the SymbOS/Yxes variants use?
All variants except B are similar: they install without any security warning, regardless of the phone's IMEI, and the root of their certificate chain is "VeriSign Testing-Based ACS Root for Symbian OS", also referred to as "Symbian B".
Figure 1. The SisWare tool showing the certificate chain from lower to higher depth. The last certificate is the one issued by the root certificate, so its "issued by" field is the common name of the root certificate.
For these variants, the first three signing methods can be eliminated at once: there is no security warning at installation, so they are not self-signed, and they install on any phone regardless of its IMEI, so they are neither Open Signed nor from OPDA. This leaves Express Signed or Certified Signed. It is difficult to tell between those two because they use the same website accounts and the same root certificate (see this grid at Symbian), and Yxes does not use any capability restricted to Certified Signed, such as NetworkControl or DiskAdmin. Nevertheless, as Certified Signed applications take time to sign (and cost more), my best guess is that they were signed through the Express Signed program. Note that I do not imply malware authors would not invest US$ 200 to spread their virus, but rather that they would not want to wait to get their application signed.
SymbOS/Yxes.B!worm is different and does not install on just any IMEI. A dump of its certificate shows the issuer is "C=GB, ST=London, L=Southwark, O=Symbian Software Limited, CN=Symbian Developer Certificate CA 280205A/emailAddress=developercertificates@symbian.com", and experienced developers will also notice an X.509 extension:

```
openssl x509 -text -inform DER
```

That extension is the IMEI restriction (here the IMEI is 353966012936006). This means SymbOS/Yxes.B was signed using the Open Signed Online or OPDA website.
Finally, end users should be relieved to know that nearly all certificates corresponding to Yxes are now revoked. The revocation list (CRL) can be downloaded from http://www.trustcenter.de/crl/v2/symbian_ca_I.crl:

```
openssl crl -in symbian_ca_I.crl.2 -inform DER -text
...
===> This is SymbOS/Yxes.A!worm
    Serial Number: C23A00010023A7D0AF48939BEE09
        Revocation Date: Feb 20 09:44:24 2009 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
...
===> This is SymbOS/Yxes.C!worm
    Serial Number: 86E100010023AC2B0555D23BAE61
        Revocation Date: Feb 20 09:44:24 2009 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
...
===> This is SymbOS/Yxes.D!worm
    Serial Number: 59D90001002343FE87A1C26833F0
        Revocation Date: Jan  9 15:12:15 2009 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Cessation Of Operation
...
===> This is SymbOS/Yxes.E!worm
    Serial Number: AE2C0001002329D2E4228834C243
        Revocation Date: Jul 16 13:16:45 2009 GMT
...
===> This is SymbOS/Yxes.F!tr
    Serial Number: 0DC50001002374FC26D186DA0E2A
        Revocation Date: Jul 16 13:16:46 2009 GMT
```

Only a recent variant of SymbOS/Yxes.D!worm is missing, with serial number d4:44:00:01:00:23:99:77:8c:01:c1:42:ae:d1, but Symbian has been notified.
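The revocation check described above, as an added example in Python that is not part of the original post. It reads a DER CRL with a minimal stdlib-only DER reader, normalizes serial numbers the way openssl prints them (upper or lower case, with or without colons, and without the 0x00 byte DER prepends to keep a serial such as C23A... positive) and reports whether a given serial is revoked and for what reason. The CRL it parses is constructed inline so the script runs offline: the serials and revocation dates are the ones in the dump above, while the issuer name, thisUpdate/nextUpdate and the empty signature field are made up. Against the real symbian_ca_I.crl you must verify the CRL signature with the issuing CA certificate before trusting a lookup; this example deliberately skips that step.

```python
"""Offline CRL lookup with a stdlib-only DER reader (added example, not the post's code).
CRL_DER is CONSTRUCTED: the serials and revocation dates are those the CRL dump above
lists, but the issuer name, thisUpdate/nextUpdate and the empty signature are made up.
A real CRL's signature must be verified against the CA certificate first; not done here."""
from datetime import datetime

SEQ, SET, INT, OID, OCT, ENUM, UTC, UTF8 = 0x30, 0x31, 0x02, 0x06, 0x04, 0x0A, 0x17, 0x0C
REASON_OID = "2.5.29.21"  # id-ce-cRLReasons, the "X509v3 CRL Reason Code" openssl prints
REASONS = {0: "Unspecified", 1: "Key Compromise", 5: "Cessation Of Operation"}

# Minimal DER encoder, used only to build the constructed CRL.
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(raw):  # INTEGER from big-endian magnitude; DER pads with 0x00 if the top bit is set
    return tlv(INT, (b"\x00" if raw[0] & 0x80 else b"") + raw)

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:  # base-128 groups, high bit set on every byte but the last
        k = max(1, (a.bit_length() + 6) // 7)
        out += bytes(((a >> (7 * j)) & 0x7F) | (0x80 if j else 0) for j in range(k - 1, -1, -1))
    return tlv(OID, bytes(out))

def seq(*items):
    return tlv(SEQ, b"".join(items))

def revoked_entry(serial_hex, utc_time, reason=None):
    entry = der_int(bytes.fromhex(serial_hex)) + tlv(UTC, utc_time.encode())
    if reason is not None:  # crlEntryExtensions: Extension { OID, OCTET STRING { ENUMERATED reason } }
        entry += seq(seq(der_oid(REASON_OID), tlv(OCT, tlv(ENUM, bytes([reason])))))
    return seq(entry)

ALG = seq(der_oid("1.2.840.113549.1.1.5"), tlv(0x05, b""))  # sha1WithRSAEncryption
CRL_DER = seq(
    seq(  # tbsCertList
        der_int(b"\x01"),  # version v2
        ALG,
        seq(tlv(SET, seq(der_oid("2.5.4.3"), tlv(UTF8, b"Constructed Symbian CA I")))),  # issuer (made up)
        tlv(UTC, b"090716131700Z"),  # thisUpdate (made up)
        tlv(UTC, b"100716131700Z"),  # nextUpdate (made up)
        seq(  # revokedCertificates; the dump above shows no reason code for E and F, so none is set
            revoked_entry("C23A00010023A7D0AF48939BEE09", "090220094424Z", 5),  # Yxes.A
            revoked_entry("86E100010023AC2B0555D23BAE61", "090220094424Z", 5),  # Yxes.C
            revoked_entry("59D90001002343FE87A1C26833F0", "090109151215Z", 5),  # Yxes.D
            revoked_entry("AE2C0001002329D2E4228834C243", "090716131645Z"),  # Yxes.E
            revoked_entry("0DC50001002374FC26D186DA0E2A", "090716131646Z"),  # Yxes.F
        ),
    ),
    ALG,
    tlv(0x03, b"\x00"),  # signatureValue: empty BIT STRING, i.e. NOT a real signature
)

# Minimal DER reader.
def children(body):
    """Split a constructed value's body into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:  # long-form length: the next (n & 0x7F) bytes hold it
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def norm_serial(s):
    """Accept 'C23A...', 'c2:3a:...' or the raw INTEGER body; upper-case hex, DER sign padding dropped."""
    h = (s.hex() if isinstance(s, bytes) else s.replace(":", "").replace(" ", "")).upper()
    while h.startswith("00") and len(h) > 2:
        h = h[2:]
    return h

def parse_crl(der):
    """Return [(serial, revocation datetime, reason or None), ...] from a DER CertificateList."""
    tbs = children(children(children(der)[0][1])[0][1])  # fields of tbsCertList
    i = 3 if tbs[0][0] == INT else 2  # thisUpdate follows the optional version, sigAlg and issuer
    # After thisUpdate: optional nextUpdate (time tag), optional revokedCertificates (SEQUENCE), [0] extensions.
    revoked = next((v for t, v in tbs[i + 1:] if t == SEQ), b"")
    entries = []
    for _, entry in children(revoked):
        parts = children(entry)  # userCertificate, revocationDate, optional crlEntryExtensions
        when = datetime.strptime(parts[1][1].decode(), "%y%m%d%H%M%SZ")
        reason = None
        for _, ext in (children(parts[2][1]) if len(parts) > 2 else []):
            ext_parts = children(ext)  # OID, optional critical BOOLEAN, OCTET STRING
            if decode_oid(ext_parts[0][1]) == REASON_OID:
                code = children(ext_parts[-1][1])[0][1][0]
                reason = REASONS.get(code, f"code {code}")
        entries.append((norm_serial(parts[0][1]), when, reason))
    return entries

def is_revoked(der, serial):
    """True if `serial` (hex, with or without colons, as openssl prints it) is listed in the CRL."""
    return any(s == norm_serial(serial) for s, _, _ in parse_crl(der))
```

`is_revoked(CRL_DER, "d4:44:00:01:00:23:99:77:8c:01:c1:42:ae:d1")` returns False, matching the note above that the latest Yxes.D serial is not yet in the list; the same call against a fresh download of the real CRL (after checking its signature) is how to tell whether it has been added since.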
reflink: http://blog.fortinet.com/symbian-certificates-or-how-symbosyxes-got-signed/