|Detected||Sep 23 2010 13:55 GMT|
|Released||Sep 24 2010 15:47 GMT|
|Published||Apr 05 2011 12:29 GMT|
This program is conditionally malicious software that grants super-user ("root") privileges to the user of a device running the Android operating system. It does so by exploiting a vulnerability in the system's handling of NETLINK messages (CVE-2009-1185).
For it to be launched, the exploit program has to be placed in the following directory:
/data/local/tmp
Before it is launched, the file is given the following permissions:
-rwxr-xr-x
If the real user ID of the current process does not match its effective user ID (that is, the binary is running with the setuid bit set), the exploit attempts to switch the process to the "root" user and then deletes the following files:
/sqlite_stmt_journals/data
/sqlite_stmt_journals/hotplug
/sqlite_stmt_journals/loading
/sqlite_stmt_journals/mount
/sqlite_stmt_journals/fs_type
/data/local/tmp/data
/data/local/tmp/hotplug
/data/local/tmp/loading
/data/local/tmp/mount
/data/local/tmp/fs_type
/data/data/com.corner23.android.universalandroot/files/data
/data/data/com.corner23.android.universalandroot/files/hotplug
/data/data/com.corner23.android.universalandroot/files/loading
/data/data/com.corner23.android.universalandroot/files/mount
/data/data/com.corner23.android.universalandroot/files/fs_type
It then executes the command that was passed to the exploit as parameters. If this execve call fails, the exploit displays the following message:
[-] execve
The exploit uses readlink to determine the path of its own executable. If this call fails, it displays the following message:
[-] readlink
If no user ID has been set for this file, or if the effective user ID is 0, the exploit clears the contents of the following file:
/proc/sys/kernel/hotplug
It then checks for the following files:
/sqlite_stmt_journals/mount
/data/local/tmp/mount
/data/data/com.corner23.android.universalandroot/files/mount
If none of these files is found, it displays an error message. Otherwise it opens the "mount" and "fs_type" files, reads the data required for mounting, and re-mounts the following directory:
/system
It then creates the file:
/system/bin/rootshell
It copies its own executable to this file and sets the following permissions on it (setuid):
-rws--x--x
When started from the command line, the exploit prints the following lines:
[*] Android local root exploid (C) The Android Exploid Crew
[*] Modified by shakalaca for various devices
It then selects one of the following base directories:
/sqlite_stmt_journals
/data/data/com.corner23.android.universalandroot/files
/data/local/tmp
The default base directory is:
/sqlite_stmt_journals
The following messages are then displayed on the command line (%BaseDir% is the selected base directory, %Path% is the path of the exploit file):
[+] Using basedir=%BaseDir%, path=%Path%
[+] opening NETLINK_KOBJECT_UEVENT socket
It deletes the following files from the base directory:
%BaseDir%/data
%BaseDir%/hotplug
%BaseDir%/loading
%BaseDir%/mount
%BaseDir%/fs_type
%BaseDir%/remount_as_ro.sh
It then re-creates these files, saving in them the information about the mounted device and the file system type of the following directory:
/system
It creates a script that re-mounts the file system read-only:
%BaseDir%/remount_as_ro.sh
It then exploits a vulnerability in the processing of NETLINK messages (CVE-2009-1185), in which uevent messages sent from user space are accepted as though they came from the kernel, to elevate the privileges of the current user to "root". Finally, it displays the following lines:
[*] Try to invoke hotplug now, clicking at the wireless
[*] settings, plugin USB key etc.
[*] You succeeded if you find /system/bin/rootshell.
[*] GUI might hang/restart meanwhile so be patient.
This exploit program may run on the following devices:
Google Nexus One (2.2)
Google G1 (1.6)
HTC Hero (2.1)
HTC Magic (1.5)
HTC Tattoo (1.6)
Dell Streak (2.1)
Motorola Milestone (2.1)
Motorola XT701
Motorola XT800 (2.1)
Motorola ME511
Motorola Charm
Motorola Droid (2.01/2.1/2.2 with FRG01B)
Sony Ericsson X10 (1.6)
Sony Ericsson X10 Mini (1.6)
Sony Ericsson X10 Mini Pro (1.6)
Acer Liquid (2.1)
Acer beTouch E400 (2.1)
Samsung Galaxy Beam
Samsung Galaxy 5 (GT-I5500)
Vibo A688 (1.6)
Lenovo LePhone (1.6)
LG GT540 (1.6)
Gigabyte GSmart G1305
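The fault behind CVE-2009-1185 is that the uevent listener acted on NETLINK messages without checking that they came from the kernel, so a local process with its own NETLINK_KOBJECT_UEVENT socket could inject events. The following is an added example, not the exploit's code and not Android's own init or udev: a minimal uevent listener in C whose accept function applies the missing origin check (the sender's nl_pid must be 0, since a user-space socket is always assigned a non-zero nl_pid when it binds) before parsing the message. The ".." check on DEVPATH and FIRMWARE, the field names kept in struct uevent, and the constructed messages in the usage are this example's own assumptions; the parse and policy functions are pure so they can be exercised without a socket.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#ifdef __linux__
#include <linux/netlink.h>
#endif

#define UEVENT_BUF 2048

/* The uevent fields this example acts on (a subset of what the kernel sends). */
struct uevent {
    char action[32];
    char devpath[256];
    char subsystem[64];
    char firmware[256];
};

/* The check missing in CVE-2009-1185: uevents generated by the kernel arrive with
 * a sender nl_pid of 0. A user-space socket is always given a non-zero nl_pid when
 * it binds, so any other value means an unprivileged process injected the message. */
int uevent_origin_trusted(unsigned int sender_nl_pid)
{
    return sender_nl_pid == 0;
}

/* Parse the kernel's "ACTION@DEVPATH\0KEY=VALUE\0..." payload. Every record is
 * NUL-terminated, so the buffer's last byte must be NUL or the message is rejected. */
int uevent_parse(const char *buf, size_t len, struct uevent *ev)
{
    memset(ev, 0, sizeof *ev);
    if (len == 0 || buf[len - 1] != '\0')
        return -1;
    const char *p = buf, *end = buf + len;
    while (p < end) {
        size_t n = strlen(p);               /* bounded: buf[len-1] is NUL */
        if (strncmp(p, "ACTION=", 7) == 0)
            snprintf(ev->action, sizeof ev->action, "%s", p + 7);
        else if (strncmp(p, "DEVPATH=", 8) == 0)
            snprintf(ev->devpath, sizeof ev->devpath, "%s", p + 8);
        else if (strncmp(p, "SUBSYSTEM=", 10) == 0)
            snprintf(ev->subsystem, sizeof ev->subsystem, "%s", p + 10);
        else if (strncmp(p, "FIRMWARE=", 9) == 0)
            snprintf(ev->firmware, sizeof ev->firmware, "%s", p + 9);
        p += n + 1;
    }
    return (ev->action[0] && ev->devpath[0]) ? 0 : -1;
}

/* Defence in depth added by this example (an assumption, not part of the CVE fix):
 * a handler that builds file paths from DEVPATH or FIRMWARE must never follow a
 * value that climbs out of the tree it expects. */
int uevent_path_sane(const char *path)
{
    return strstr(path, "..") == NULL;
}

/* Returns 1 if the event may be acted on, 0 if it must be dropped. */
int uevent_accept(unsigned int sender_nl_pid, const char *buf, size_t len, struct uevent *ev)
{
    if (!uevent_origin_trusted(sender_nl_pid))
        return 0;
    if (uevent_parse(buf, len, ev) != 0 || ev->devpath[0] != '/')
        return 0;
    return uevent_path_sane(ev->devpath) && uevent_path_sane(ev->firmware);
}

int main(void)
{
#ifdef __linux__
    struct sockaddr_nl addr = { .nl_family = AF_NETLINK, .nl_pid = getpid(), .nl_groups = 1 };
    int fd = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        perror("netlink");
        return 1;
    }
    char buf[UEVENT_BUF];
    for (;;) {
        struct sockaddr_nl from;
        socklen_t fromlen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf - 1, 0, (struct sockaddr *)&from, &fromlen);
        if (n <= 0)
            continue;
        buf[n] = '\0';                      /* guarantee a terminating record */
        struct uevent ev;
        if (!uevent_accept(from.nl_pid, buf, (size_t)n + 1, &ev)) {
            fprintf(stderr, "dropped uevent from nl_pid %u\n", from.nl_pid);
            continue;
        }
        printf("%s %s subsystem=%s\n", ev.action, ev.devpath, ev.subsystem);
    }
#else
    fputs("NETLINK_KOBJECT_UEVENT sockets exist only on Linux\n", stderr);
    return 0;
#endif
}
```

Run as root on a Linux host and plug in a USB device to see genuine events pass; an event sent from a user-space socket is logged as dropped, which is the behaviour the vulnerable listeners lacked.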
If your device does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
- Delete the original program file (its location will depend on how the program originally penetrated the victim device).
- Perform a full scan of the device using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).
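The artifacts listed in the description above (the setuid /system/bin/rootshell, the files the exploit drops in its base directories, and the /proc/sys/kernel/hotplug helper it points at user-writable storage) are what a responder would check for by hand. The following is an added example, not from this page or from the exploit: a C tool that counts those indicators under a root prefix (so it can be pointed at a mounted image or a test tree as well as a live device), reports whether rootshell carries the setuid bit, and flags a hotplug value that resolves into one of the exploit's base directories. The root-prefix layout and the decision to treat any hotplug value outside those base directories as benign are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define PATH_BUF 512

/* Locations taken from the description above. They are joined to a root prefix so
 * the same checks can run against a mounted image or a test directory. */
static const char *const k_base_dirs[] = {
    "/sqlite_stmt_journals",
    "/data/local/tmp",
    "/data/data/com.corner23.android.universalandroot/files",
};
static const char *const k_dropped[] = {
    "data", "hotplug", "loading", "mount", "fs_type", "remount_as_ro.sh",
};

static int exists(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* The exploit's stated success condition is a setuid /system/bin/rootshell
 * (mode -rws--x--x): report whether a path is a regular file with that bit set. */
int is_setuid_binary(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return (st.st_mode & S_ISUID) != 0;
}

/* /proc/sys/kernel/hotplug names the helper the kernel runs as root on every
 * hotplug event. A helper inside one of the exploit's user-writable base
 * directories is exactly the persistence this exploit relies on. Treating every
 * other value as benign is a simplification made by this example. */
int hotplug_value_suspicious(const char *value)
{
    char v[PATH_BUF];
    snprintf(v, sizeof v, "%s", value);
    v[strcspn(v, "\r\n")] = '\0';
    if (v[0] == '\0')
        return 0;
    for (size_t i = 0; i < sizeof k_base_dirs / sizeof *k_base_dirs; i++) {
        size_t n = strlen(k_base_dirs[i]);
        if (strncmp(v, k_base_dirs[i], n) == 0 && (v[n] == '/' || v[n] == '\0'))
            return 1;
    }
    return 0;
}

/* Count the on-disk indicators under `root` ("" for the live device), printing
 * each one to `report` when it is not NULL. */
int scan_indicators(const char *root, FILE *report)
{
    char path[PATH_BUF];
    int hits = 0;

    snprintf(path, sizeof path, "%s/system/bin/rootshell", root);
    if (exists(path)) {
        hits++;
        if (report)
            fprintf(report, "%s%s\n", path, is_setuid_binary(path) ? " (setuid)" : "");
    }
    for (size_t i = 0; i < sizeof k_base_dirs / sizeof *k_base_dirs; i++) {
        for (size_t j = 0; j < sizeof k_dropped / sizeof *k_dropped; j++) {
            snprintf(path, sizeof path, "%s%s/%s", root, k_base_dirs[i], k_dropped[j]);
            if (exists(path)) {
                hits++;
                if (report)
                    fprintf(report, "%s\n", path);
            }
        }
    }
    return hits;
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : "";
    int hits = scan_indicators(root, stdout);

    char path[PATH_BUF], value[PATH_BUF] = "";
    snprintf(path, sizeof path, "%s/proc/sys/kernel/hotplug", root);
    FILE *f = fopen(path, "r");
    if (f) {
        if (fgets(value, sizeof value, f) && hotplug_value_suspicious(value)) {
            hits++;
            value[strcspn(value, "\r\n")] = '\0';
            printf("%s -> %s\n", path, value);
        }
        fclose(f);
    }
    printf("%d indicator(s) found\n", hits);
    return hits ? 2 : 0;
}
```

Run it with no argument on the device (for example from an adb shell) or with the mount point of an image as the first argument; a non-zero exit status means at least one indicator was present.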
Exploits are programs that contain data or executable code which take advantage of one or more vulnerabilities in software running on a local or remote computer for clearly malicious purposes.
Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user.
Nuker programs are notable among exploits; such programs send specially crafted requests to local or remote computers, causing the system to crash.