Full disclosure: deep technical analysis below. Beware!!!

Dec 2, 2011

Carrier IQ is on iOS 5.0.1... who's behind it!!

Carrier IQ: a "diagnostic tool", better DISABLED, that acts as a rootkit on Android phones and has also been found in iPhone iOS. Luckily, it appears to be tied to the diagnostics switch being enabled on iOS 5; older versions may send back information in more cases. Because of that, if you want to DISABLE the Carrier IQ agent on your iOS 5 device, turn off "Diagnostics and Usage" in Settings -> Info.

(The following info was extracted from the /usr/bin/awd_ice2 binary file on iOS 5.0.1.)

Endpoint URI
http://collector.stic.sprintspectrum.com:10001/collector/c
https://collector.stic.sprintspectrum.com:10003/collector/c
http://collector.argus.coremobility.com:7001/collector/c?ciq_bill=1
http://collector.argus.coremobility.com:7001/collector/c?ciq_bill=0
https://collector.argus.coremobility.com:7002/collector/c?ciq_bill=1
https://collector.argus.coremobility.com:7002/collector/c?ciq_bill=0
http://209.143.234.34:7001/collector/c?ciq_bill=1
http://209.143.234.34:7001/collector/c?ciq_bill=0
https://209.143.234.34:7002/collector/c?ciq_bill=1
https://209.143.234.34:7002/collector/c?ciq_bill=0
https://209.143.234.34:443/collector/c?ciq_bill=1
https://209.143.234.34:443/collector/c?ciq_bill=0
http://collector.sky.carrieriq.com:7001/collector/c?cm_sl=5
http://collector.sky.carrieriq.com:7001/collector/c?ciq_bill=1
http://collector.sky.carrieriq.com:7001/collector/c?ciq_bill=0
https://collector.sky.carrieriq.com:7002/collector/c?ciq_bill=1
https://collector.sky.carrieriq.com:7002/collector/c?ciq_bill=0
https://collector.sky.carrieriq.com:443/collector/c?ciq_bill=1
https://collector.sky.carrieriq.com:443/collector/c?ciq_bill=0
https://collector.iota.spcsdns.net:10003/collector/c
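
Added example (not part of the original post, and not Carrier IQ's or Apple's code): one way to pull collector URLs like those above out of a binary the way strings(1) would, group them into a host/port watchlist, and flag matching connections in a log. The sample blob and log are constructed, and the four-field log format and all function names are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Printable-ASCII runs that start with a URL scheme, as strings(1) would list them.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
DEFAULT_PORT = {"http": 80, "https": 443}

def extract_endpoints(blob):
    """Return sorted unique (scheme, host, port, target) tuples embedded in blob."""
    found = set()
    for match in URL_RE.finditer(blob):
        url = urlsplit(match.group().decode("ascii"))
        try:
            port = url.port or DEFAULT_PORT[url.scheme]
        except ValueError:          # non-numeric or out-of-range port: not a usable URL
            continue
        if url.hostname:
            target = url.path + ("?" + url.query if url.query else "")
            found.add((url.scheme, url.hostname, port, target))
    return sorted(found)

def build_watchlist(endpoints):
    """Map host -> contacted ports, noting which ports carry cleartext HTTP."""
    hosts = defaultdict(lambda: {"ports": set(), "cleartext": set()})
    for scheme, host, port, _target in endpoints:
        hosts[host]["ports"].add(port)
        if scheme == "http":
            hosts[host]["cleartext"].add(port)
    return dict(hosts)

def flag_connections(log_lines, watchlist):
    """Return (line, is_cleartext) for log lines whose host:port is watched."""
    hits = []
    for line in log_lines:
        fields = line.split()       # assumed format: timestamp src dst_host dst_port
        if len(fields) == 4 and fields[3].isdigit():
            entry = watchlist.get(fields[2].lower())
            if entry and int(fields[3]) in entry["ports"]:
                hits.append((line, int(fields[3]) in entry["cleartext"]))
    return hits

# Constructed samples: three of the page's URLs as NUL-terminated strings among
# junk bytes, and a connection log in the assumed four-field format.
SAMPLE_BLOB = (b"\x00\x01__cstring\x00"
               b"http://collector.sky.carrieriq.com:7001/collector/c?ciq_bill=1\x00"
               b"https://collector.sky.carrieriq.com:7002/collector/c?ciq_bill=0\x00\xff"
               b"https://209.143.234.34:443/collector/c?ciq_bill=1\x00")
SAMPLE_LOG = ["2011-12-02T10:00:01 192.168.102.2 collector.sky.carrieriq.com 7001",
              "2011-12-02T10:00:05 192.168.102.2 www.example.com 80",
              "2011-12-02T10:00:09 192.168.102.2 209.143.234.34 443"]
```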

Endpoint FQDN
collector.stic.sprintspectrum.com -> NXDOMAIN
collector.argus.coremobility.com -> canonical name = collector.argus.carrieriq.com -> 204.235.122.222
collector.sky.carrieriq.com -> canonical name = collector.argus.carrieriq.com -> 204.235.122.222
collector.iota.spcsdns.net -> 68.28.7.244
209.143.234.34


Endpoint IP info

204.235.122.222


NetRange:204.235.122.0 - 204.235.123.255
CIDR:204.235.122.0/23
OriginAS:AS19214, AS1239
NetName:CARRIERIQ
NetHandle:NET-204-235-122-0-1
Parent:NET-204-0-0-0-0
NetType:Direct Assignment
RegDate:2010-10-08
Updated:2010-10-15
Ref:http://whois.arin.net/rest/net/NET-204-235-122-0-1
OrgName:Carrier IQ, Inc.
OrgId:CARRI38
Address:1200 Villa St., Ste 200
City:Mountain View
StateProv:CA
PostalCode:94041
Country:US
RegDate:2010-08-02
Updated:2010-08-02
Ref:http://whois.arin.net/rest/org/CARRI38

68.28.7.244


NetRange:68.24.0.0 - 68.31.255.255
CIDR:68.24.0.0/13
OriginAS:
NetName:SPRINTPCS
NetHandle:NET-68-24-0-0-1
Parent:NET-68-0-0-0-0
NetType:Direct Allocation
RegDate:2001-12-14
Updated:2010-02-23
Ref:http://whois.arin.net/rest/net/NET-68-24-0-0-1
OrgName:Sprint Nextel Corporation
OrgId:SPRIN-86
Address:6391 Sprint Parkway
City:Overland Park
StateProv:KS
PostalCode:66251-4300
Country:US
RegDate:2009-12-17
Updated:2011-05-18
Comment:Please send abuse issues to XXXXXXXXXXX@sprint.com ONLY. Law Enforcement requests should call the Corporate Security Hotline at 800-877-7330, option 3
Ref:http://whois.arin.net/rest/org/SPRIN-86

209.143.234.34



Savvis SAVVIS (NET-209-143-224-0-1) 209.143.224.0 - 209.143.255.255
Core Mobility, Inc. SAVV-S230864-3 (NET-209-143-234-0-1) 209.143.234.0 - 209.143.234.255


Endpoint company
Carrier IQ -> http://www.carrieriq.com/
Sprint Nextel Corporation -> http://www.sprint.com/
Core Mobility -> http://www.smithmicro.com/

Have fun!!

Oct 5, 2011

My "tiny" personal MRE machine...

Winupdate 14/9/2011
VMWare Tools 8.8.0
VM 6.5/7.x
DHCP client enabled (without DHCP 192.168.102.1/24 GW .1)
WinUpdate DISABLED - Automatic Updates Service disabled.

>>BEHAVIOURAL<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 -Sysinternals Suite 25-7-2011
  (procmon.exe, procexp.exe, tcpview.exe and RootkitRevealer.exe renamed to monproc.exe, expproc.exe, viewtcp.exe and rr.exe)
  (ProcMon custom filters:
   QUIET - all baseline events filtered
   MONITORING TOOLS FILTER - all monitoring events filtered (refer Capturebat,Procmon,Procexp,TCPView)
   NOT FOUND
   REGISTRY STARTUP RUN KEY
  )
 -RegShot 1.8.2
 -Process Hacker 2.21
 -HBGary Flypaper 1.0.0.1
 -ProcHeap Viewer 3.0
 >SANDBOX
  -Sandboxie 3.58 & SandBoxDiff 2.3
  -Buster Sandbox Analyzer 1.33
  -CaptureBAT 2.0.0.0 (-c -l ../desktop/log, mod default CaptureBAT filter to avoid logging Procmon,Procexp,TCPview,VMWare Tools events)

 >API MONITORING & INSTRUMENTATION
  -API Monitor 2.0r7
  -WinAPI Override 32 5.5.3 (added Mutex & CreateProcess+Thread)
  -oSPY 1.10.04
  -DynamoRIO 2.1.0.3

 >NETWORK
  -Wireshark 1.6.2
  -Network Miner 1.1
  -SmartSniff 1.82
  -TrivialProxy 1.7.0.0
  -WinPCAP 4.1.2
  -IPtools 1.99.2.0
  -Putty 0.61 beta
  -WinSCP 4.3.4
  -ProXPN (in openvpn)
   
 >ROOTKIT DETECT
  -Tuluka anti-rootkit 1.0.394.77
  -HookExplorer 1.0.0.0
  -GMER 1.0.15.15530
  -Rootkit Hook analyzer 3.02
  -Kernel detective 1.4.1
  -Rootkit unhooker LE 3.8.342.554
  -PowerTool 3.7.1

>>CODE & DATA<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 -Visual Studio 2010 Ultimate
 -IDA PRO 6.1 ESET ***
 -OllyDbg 1.10
 -OllyDbg 2.01 Alpha 3
 -WinDBG 6.12
 -Immunity Dbg 1.82
 -Dependency Walker 2.1.3623
 -Nasm 2.07
 -W32Dasm 8.93
 -Visda 1.0a-build 118
 -CMP Disasm 0.71
 -Metasploit 3.6.0

 >IDA 6.1 Plugin
  -IDAPython 1.5.2.3 (Python 2.6)
  -IDAstealth v1.3.3
  -MyNav 1.1
  -Optimice 0.12
  -Patchdiff 2.0.10
  -Delphi 6&7 signature
  -GetKeys.py script
 
  Old IDA 5.5 Plugin not installed
  -CodeDoctor (not working)
  -PDBext_0.2 plugin (for working with symbols)
  -SABRE BinDiff2
  -Optimice v0.11 (python)
  -IDA Function String Associate 1.0B
  -IDA ExtraPass PlugIn 3.0
 >Ollydbg plugin
  -Olly Advanced 1.27
  -Olly Bookmark 1.06
  -Olly Command Line 1.10
  -CodeDoctor 0.90 Beta
  -OllyDump 3.00.110
  -OllyScript 0.94
  -Dejunk 0.13
  -HideOD 0.1.8.1
  -AdvancedOlly 1.27
  -SEHSpy 0.1.0.0
  -ODBGScript 1.82
  -Phant0m 1.54
  -OllySocketTrace 1.0

 -XP Sp3 Symbols + config IDA/OllyDBG symbols path

 >TEXT & PATTERN SEARCHING/MATCHING
  -BinTEXT 3.0.3
  -Yara 1.5
  -Yara_1.6-python_2.7

 >DECODE & DECRYPT
  -Converter (data conversion & mangling)
  -CrypTool 1.4.30
 
 >JAVA
  -JD-GUI 0.3.3 (JD-CORE 0.6.0)
  -DJ Java Decompiler 3.11.11.95
  -jEdit 4.4.1
 
 >DotNET
  -Redgate Reflector 6.6
  -ILSpy 1.0.0.655

 >VISUAL BASIC
  -Ex-Dec
  -WKTVBDE 4.3
  -vb Decompiler Lite 8.2

 >ANDROID
  -Dex2Jar 0.0.7.11
  -Dexid (1.04)
  -Android SDK (include emulator)
  -APK Tool 1.4.1
  -Dedexer 1.15
  -Smali/Baksmali 1.2.8

 >DELPHI
  -Interactive Delphi reconstructor 2.5.2.66 Beta
  
>>TOOLS<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 
 >PE HEADER
  -Stud_PE 2.6.0.5
  -ImpREC 1.7c
  -LordPE
  -PeID 0.9.5
  -xPELister 0.4b
  -NW PE Builder 0.7
 
 >MEMORY ANALYSIS
  -Volatility 1.3 Beta
  -Mandiant Memoryze 1.4.4200
  -Mandiant Redline
  -Mandiant audit-Viewer (for memoryze)

 >PDF & FLASH
  -PDF Streamdumper 0.9.270
  -pdf-parser v0.3.7 (command line)
  -Inflater v1.0 (command line)
  -pdftk v1.41 (command line)
  -AS3 Sorcerer 1.34 Trial
  -SWFreTool 1.4
 >REMOVER
  -Zbot & Zbot V3 remover (NoVirusThanks)
  -TDSS/TDL3 remover 1.8.0 (Esegelabs)
  -Bootkit remover 1.2.0.0 (Esegelabs)
  -CheckMutex & EnumerateMutex
  -TDSSKiller 2.5.17.0 (Kaspersky)
 
 >MACHINE CHECK
  -Securable
  -ScoopyNG
  -NX-DEP detect
 
 >WEB ANALYSIS
  -Firefox v3.6.18 + Noscript + FireBug + FiddlerHook
  -Paros v3.2.13 (nouseragent)
  -Fiddler v2.3.6.2 beta + Addons
  -NSDecoder Gui 1.0
  -SEND HTTP Tool 2.5.5
  -Mdecoder v0.67
  -jjencoder
  -server2go 1.8.2 (WAMP) apache 2.2, PHP 5.3.2, SQLite, MySQL 5.1.46
  -FileZilla 3.5.0
  -OpenVPN 2.2.1

 >OFFENSIVE
  -Havij 1.14 Pro ****
  -Havij 1.15 Pro ****
  -Albaloo 1.3 (web vulnerability scanner)
  -XCode Exploit Sept2011 Patch (SQLI/LFI/XSS/Webshell Hunter with Google Engine)
 
  -SQLMap 0.9
  -ncrack 0.4a (password checker)
  -Softperfect network scanner
  -McAfee Sharescan 1.0.0.2
  -McAfee Superscan 4
  -TSGrinder 2.03 & TSEnum 1.0 & ProbeTS 1.1

 >UNPACKER
  -UPX v3.05w
  -Qunpack 2.2
  -dumbassembly 0.4 (smartassembly unpacker)
 
 >EDITOR
  -HXD 1.7.7.0
  -Hex Workshop 6.5.1.5060 ***
  -Notepad++ v5.9.3
  -FileInsight HexEditor 2.1b90 + plugin
  -Mandiant Highlighter
  -WinHEX 16.6 SR2 ***
  -010 Editor 3.2.2 + Template + PDF Template by Didier + Scripts ***
  -Winmerge 2.12.4 

>>REF<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 -Book "Reverse Engineering Code with IDA Pro" ***
 -Adobe Acrobat JS Reference
 -Ida Pro Unofficial guide ***
 -SEH Exploitation Paper
 -Windows Service Used Port Reference
 -PECOFF v8
 -Malicious PDF analysis book
 -Win32 API reference
 -Windows Anti-debug techniques reference
 -Anti-unpacking techniques reference
 -Symbian debugging with IDA
 -An Anti-Reverse Engineering Guide
 -Windows Autostart Entrypoint
 -Bypassing SEH Overwrite Protection
 -OllyDbg: Debugging Fundamentals for Exploit Development
 -AdobeReaders Custom Memory Management Heap of Trouble.pdf

>>CMD LINE<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 -SquashFS tool (command line)
 -xor v0.2 (command line)
 -zpipe (command line)
 -UPX v3.05w
 -TDL FsReader

>>OTHER<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
-.NET 3.5SP1
-JRE 1.6.0_27 & JSE 1.6.0_27
-Flash Player 10.3.183.7
-Adobe Reader 9.4.6.252
-WinRAR 4.01
-ActiveState Perl v5.12.4
-Python 2.6.6 & 2.7.2
-XCA 0.9.0 (Certification Authority Manager)
-Greenshot 0.8.0-b627
-HashTab 3.0.0

>>CONFIG<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
-IP 192.168.102.2/24 GW .1 DNS .1
-On desktop HTML empty template/ TinyPE Empty template
-Remove time_update service
-Added default "NOT INFECTED" open ports to the desktop
-Added many startup entry points to regedit
-Added favorites to regedit for the Run key
-Added CMD Line tool dir to the path
-Created Analyzed dir and modified CMD lnk to CMD currently analyzed
-Shortcut to host file on desktop
-"Open with HXD" in command file list