YURY_CHEMERKIN__ICITST-2012_Proceedings.pdf

Vulnerability Elimination by Force of New Mobile OS
Comparative Research of Security Techniques on BlackBerry OS (incl. PlayBook)

Yury Chemerkin
Independent Security Researcher
Russian State University for the Humanities (RSUH)
Moscow, Russia



Abstract - This paper proposes a new security research covers
BlackBerry issues relating their own features relied on highest
possible way of integration and aggregation with data, service
and application that simplifies management. Such way
integration shapes developer's outlook as well as malware
writer's outlook led to the bypass security methods. Despite of
that, BlackBerry is full of holes to the brim if consumer has a
flexible IT Policy even because current security techniques
implemented in BIS (BlackBerry Internet Service) or BES
(BlackBerry Enterprise Server) are indecisive argument to be
sure in security and privacy and do not provide enough controls.
As opposite to smartphone, the tablets (PlayBook) are quite new,
QNX-based and have the most known technologies, such Adobe
Air, HTML5, and Android Dalvik-Runtime, are implemented
widely. However, they have a poor application environment and
a little those feature known on non-QNX BlackBerry device. This
makes security more difficult and unstable to reliably use it by
end-users. Research shows that additional third party security
solutions often ruin security while native environment allows
intercepting, blocking, stealing, misleading, substitute data in
real-time bypassing security controls that, finally, reveal sensitive
information and turn security solutions to the malware agents.
Keywords: mobile security, blackberry, blackberry playbook,
application pentesting, real-time data manipulation, security issues
I. INTRODUCTION
Today the mobile devices provide amount of features to
integrate all possible communications following aggregation
with data on BlackBerry as well as others. The native and third
party applications often connect to the email, maps, IM and
social applications. Mobile environment makes itself as very
attractive target to the attackers. Personal or financial
information compromised very easy because devices are part of
day-to-day user activities. A BlackBerry includes inherent
virus protection and spyware protection designed to contain
and prevent the spread of viruses and spyware to other
applications. Security is the cornerstone of the BlackBerry
system that allows users to confidently access to the sensitive
information [1].
A rootkit is a kind of malware that intercepts API to modify
or filter OS messages to keep itself usually hidden. For
example, it intercepts requests to the file explorer to keep
certain files hidden from display, or reports false file sizes.
Rootkits designed to maintain access to the targeted computers,
to disable the firewall/antivirus tools (or any else security tools)
by replacing files, changing settings or modifying information
shows. The non-malware applications may use such
techniques, e.g. firewall hooks API to watch any incoming or
outgoing network traffic. The legitimizing effect of commercial
“malware” software led away from user-mode towards the
kernel-mode techniques at first glance. However, user-mode
rootkits or spyware are still effective to bypass security
applications because they have simple APIs calling kernel
methods.
This research examines and highlights a range of issues
referred to the incorrect approach to the security techniques
development. It draws security management level of
inefficiency outside isolated environment as well as old-attack
techniques possibility of application for new BlackBerry
device known as Playbook. The research presents pressing
issues for fundamental and application BlackBerry security
cases, exploitation of native applications built in OS. In
additional, third-party security applications are going to be
examined for security holes and misunderstanding BlackBerry
security concepts.
II. U
SER-MODE ROOTKIT AND SPYWARE
There are several kinds of rootkits; they are bootkits,
firmware, user-mode, kernel, and hypervisor. User-mode
rootkits involve system hooking in the user or application
space. User-mode rootkits are very similar to the spyware
because most spyware is installed without users' knowledge, by
using deceptive tactics, or by deceiving users by bundling itself
with desirable software. User-mode rootkits have different
ways to intercept and modify behaviour of APIs those include:
 vendor-supplied extensions or third-party plugins that
extend functionality throughout the public interfaces.
 interception of system messages.
 exploitation of security vulnerabilities.
 hooking or patching APIs.
Techniques shown in [2-11] to steal the password, screen
information, chats messages, etc. are possible on user-mode
level that has an ability to the wide spreading, easy distribution,
misleading and finally developing more easy. All trends in the
security field place the most popular solutions is to operate as
always under attack. Well-established products will provide the Copyright ? 2012 ICITST-2012 Technical Co-Sponsored by IEEE UK/RI Computer Chapter 483

end user protect. Meanwhile vendors start to develop security
measures as do it hackers continue to develop new
rootkit/exploits. It means user-mode will always be relevant to
the investigation.
III. F
ILE SYSTEM ISSUES
GUI simplification often led to the problems that behind
registered extensions of file types. In this case, users limited to
the common types like media (audio, photo, video, camera) and
documents (MS Office, Open Office, PDF, plaintext or similar)
instead of full file explorer. It keeps from unwanted execution
of malware but provides a backdoor to store any kind of
payload information without ciphering or hiding. On another
hand, a full file explorer does often not permit accessing to the
unassociated object in plaintext even, e.g. “.csv” while any
application has unlimited access to such files. For example, as
instant messaging is a well-established means of fast and
effective communication, especially BlackBerry Messenger, it
should be protected. However, OS stores a chat history in plain
text in .csv file; neither it BlackBerry Messenger, or others
(Google, Yahoo, Windows Live, AIM/AOL) while there is
only protection is “not to save history”. Moreover, it simplifies
a search to the malware by “tag” like camera, video,
documents. These problems form user habits to divide on
“right” files (media and documents) or a “junk” that is others at
first and user forgetfulness about “junk” files at second.
On PlayBook each application has access to its own
working directory (app, data, logs, tmp, etc) in the file system,
and might access to the shared folder (sandbox) because of the
access to the files and folders governed by UNIX-style groups
and permissions (Table I). It means applications cannot create
new directories in the working directory; they can only access
the folders listed below. Despite of UNIX-style access to the
folders there is ability to recreate folder structure partially and
have read-only access to almost all files [11]. By the way,
BlackBerry smartphone does not need such permission type.
The cornerstone problem of PlayBook is protection application
data known as sandbox instead of user data protection. All user
files stored in several shared folders as “shared/documents” are
accessible widely; thereto user cannot restrict to the application
use it. It may good for extract clipboard data or forensics case
only. Moreover, RIM suggest several types application like
enterprise or personal but announce that malware is subtype of
personal application that means but a huge fail for user privacy.
A file access is available from the PC changes too. Early
OS and device software were oriented to the secure and
encryption while modern version grant full access without
asking. The old device software has only one way to explorer
device throughout internal file explorer even storage has
encryption option turn off. Now plugged device (incl.
PlayBook) will appear as an external storage as users have just
entered device’s password that led to the cross-platform
malware by self-copying from PC. Issue is in application
ability to be installed from internal/external storage or
attachment that works for smartphone only. Way to install is
placing a “.jar”/”.jad” file as a description and “.cod” file as
main executable together, but “.jar “ plus “.cod” is preferable.
TABLE I. P LAYBOOK SHARED FOLDERS STRUCTURE
Folder What data contains Access type
app The installed application’s files. read-only
data The application's private data. read & write
temp The application's temporary working
files.
read & write
logs System for an application logs (stderr
and stdout)
read & write
shared Subfolders grouped by type. no access
shared/bookmarks Web browser bookmarks that can be
shared among applications.
read & write
shared/books eBook files that can be shared among
applications.
read & write
shared/clipboard Data copied or cut from another
application (txt, html, uri format).
read & write
shared/documents Documents that can be shared among
applications.
read & write
shared/downloads Web browse r downloads. read & write
shared/misc Miscellaneous data that can be shared
among applications.
read & write
shared/music Music files that can be shared among
applications.
read & write
shared/photos Photos that can be shared among
applications.
read & write
shared/videos Videos that can be shared among
applications.
read & write
shared/voice Audio recordings that can be shared
among applications.
read & write
IV. A PPLICATION MANAGEMENT ISSUES
BlackBerry application must to be signed to not to bother
with access notification to resources. Sometimes it is enough to be only signed by RIM keys to stay silent. An application provided with “install” and “remove” feature by OS and needs
application ID to perform such action. OS grants access to the
running application and information such as name, version, ID, etc. that means there is no problem to delete another
application by accessing to the active application list even.
Although, it remove only main executable module, while
others modules need to be found and manually delete by the
same API. In addition, development SDK tools helps to
remove and upload any executable module without
notification. It might work for PlayBook SDK tools if
development mode is on only. The PlayBook was improved on
security and those live methods like application deletion API
do not work, because of an interface to manage with
application does not exist. The user’s interactions only with
BlackBerry AppWorld or gesture “delete application” on home
screen operates, while smartphone gives capability to dump or
replace installed modules via read, write APIs neither it is own
or foreign application. Outwardly, user will not decide there
must be a catch in it because application should govern with
own modules and will grant such type of permission. The
PlayBook solution mentioned above has another problem, as it
would be difficult to remove distributed malware modules or
classify them even.
V. C
LIPBOARD ISSUES
A clipboard is still unsolved security issue that does not
protect any data stored in plaintext if user copy password or
another sensitive information from the wallet because methods
like getClipboard() on BlackBerry [6], or getData() on Copyright © 2012 ICITST-2012 Technical Co-Sponsored by IEEE UK/RI Computer Chapter 484

PlayBook [11] reveal all stored data. However, two native
applications (Password Keeper and BlackBerry Wallet)
developed by RIM has some kind of protection. The clipboard
access is restricted (API interface returns “null”) while those
applications are active only and do not go into “minimize” or
“exit” state. It means end-point object (application or web-
form) has not any protection. Let clipboard is insecure then
user needs to look a password to type it that may seem more
secure. It is breakable too because can easily be screen-
captured. Malware catches active application, compares ID or
name and screenshots application screen finally. Talking about
tablet, the PlayBook does not have a clipboard protection on
one hand (it allows to read a clipboard or manage clipboard file
stored in shared folder), but have no API interface to manage
with screenshots on another hand.
VI. P
HOTOSCREEN ISSUES
“Screen logger” is great solution for malware because
BlackBerry permits a key-logger on the simulator only not real
device. Despite of IT policy on BIS device or BES, it often
featured by only two states: permit or restrict screen capture to
specific application or at whole. It is afunctional because user
cannot know when application with that feature takes a screen
capture. As mentioned above it easy possible to define active
application among running to steal typed data. First, the
masking of password takes with delay when virtual keyboard is
active; in other words, this delay cracks by screen capture delay
that equals 300 milliseconds or less. By the way, it discharges
the battery by couple of days. Improved techniques [2] based
noising input field led to locking/wiping device or grabbing an
unmasked password. Second, a virtual keyboard has a scaled
preview of pressed keys that uncovers protection technique
known as masking of password field by asterisks. Also, there is
no restriction to the certain applications like password wallets,
device settings (device password, device encryption), or when
user is typing a certificate password to decipher email message.
This method can improved in extracting difference within XOR
function applied to the active screen and similar screen from
native screen themes that results the typed data only because it
eliminates noise and brings clear typed or drawn text, e.g. from
chat window or email message. Anyway, an OCR engine may
crack them. As opposite to the BlackBerry smartphone, it is
impossible to grab the screen on the PlayBook except files
stored in camera folder made by user and accessible to anyone
as it is a part of shared folder. A quite interesting fact that fake
notification helps too and gives a simple way to manipulate
user to press hardware keys associated with screen capturing.
VII.
DEVICE PASSWORD ISSUES
BlackBerry devices come with password protection and
attempt limit (not more than ten and not less three) which
exceeding let to wipe to the factory defaults. As external
storage is not part of factory configuration, all stored data will
keep on smartphone not tablet that does not have external
storage. The recovery the BlackBerry device password is
possible with Elcomsoft products if the user-selectable Device
Password security option is enabled to encrypt media card data
by password only. Second technique works like screen capture
whether user type password to unlock his own device or set-
up/change it. The last case manages with GUI vulnerability
allows to extract as plain text all data from GUI object (even
password fields masked by asterisks). Third technique,
malware may create a fake window during USB
synchronization intercepting OTA events through the API as
well as block or pause it not to let the device software shows
“Password Window” on desktop (smartphone case) [11]. There
is another issue refers to the device software installed on
Windows covers password stealing during USB
synchronization. It works because of security issues of
Windows API (PostMessage/SendMessage) on one hand, and
key-logging per specific application on another [4]. Moreover,
it works not only to grab device password but backup password
too by filtering active window/screen, tray application and
characters typing into text fields. Finally, it works very well on
smartphone and tablet.
VIII. M
ESSAGES ISSUES
Each mobile device OS provides API to intercept receiving
and sending event to third party applications but RIM makes
good progress and delegates API to create, read and delete
messages without any control except permission looks like
“grant a message access to this application”. It means malware
can easy reassemble any message instead of original (replace
the older), creates a fake message, adds any allowable
attachment even executable files, as well mark message unread,
set error of delivering status, etc. Also, an application written
for BlackBerry can catch the event when user press “send”,
“open”, “forward” and others buttons in native email
application. PIN, BBM and Email message types affected by
that API [5], [7], [8], and [9]. By-turn, a SMS message affected
by intercepting outgoing message with blocking or replacing
address number or body without notification if sent message
will be deleted my application else user sees a text
“transmission refused by application <localized name of
application>”. It performs as a useful firewall if it is only trust
application else it ruins all possible security solutions.
Moreover, device that receives Facebook or Twitter
notification and allowed to manage them via SMS brings one
more security hole [3]. The PlayBook does not have similar
API; it has only an invoke interface shows native application
moving it on the top of screen stack. In addition, BlackBerry
Bridge technology is not affected too by the same reason
(suitable API is absent).
IX. G
UI EXPLOITATION
Previous issues related to the fundamental BlackBerry
problems, solution for those looks like "turn on/off feature".
BlackBerry has powerful integration capabilities that
exploitable too. Each application written for BlackBerry can
integrate itself in options or menu (directly into the global
menu or indirectly into sub-menus like "Send via"). BlackBerry
manages with API allows GUI object manipulation neither it is
own application or foreign; native application that
external/foreign regarding to the application calling API is
exploitable more than third party. Developers may redraw
screens, catch opening specific native screen like
open/forward/reply email message, grab extractable data from
them and replace it, change checkbox states, adds GUI objects
and more. The last case (adding GUI object) does not provide
way to shuffle buttons or replace with another by design, Copyright © 2012 ICITST-2012 Technical Co-Sponsored by IEEE UK/RI Computer Chapter 485

because GUI constructs through source code like
"this.addChild()" that fills a line entirely and place a second
object next line. It is good idea than specifying exactly size,
height, and width or x-y-z orientation if screen orientation has
changed and should be redrawn or to exclude "come down
objects" cases. Native applications are applications like email,
calendar, Blackberry Messenger and others are developed by
RIM like GTalk or Facebook. It is not a simulation as an input
injects of hardware buttons that is available for all application
screen even third party that requires allowed API additionally.
Sometimes it is possible to recreate screen design completely
to deceive with fake window/screen or clickjacking.
It difficult to define what data is not extractable on native
applications because application will get all text data plus all
object properties by API; if object is so-called manager it will
be expanded because all objects, e.g. text fields, pack into
managers if there is one even. Text fields differ by type from
basic edit fields to the password fields with masking or custom
for cases when strongly recommend to type only certain data
like custom set of characters. Windows is known has weakly
protection for text field with “password char #” properties thus
it is possible to steal data from such fields despite an interface,
that copies data from edit box, returns nothing. As opposite to
Windows, BlackBerry does not protect such field that
application-proven for preinstalled and others RIM applications
on OS v4-7. The field stores the password as plain text but
draws it as a series of asterisks that can be replaced easily for
applications or options that especially important for section
Password Device and Device Encryption.
X. T
HIRD PARTY EXPLOITATION
Many third party applications try to improve BlackBerry
security offer the same features sometimes, like SMS filtering.
One of them is KMS (Kaspersky Mobile Security) featured by
GPS find, device lock, device wipe and call/SMS filters.
“Device wipe” feature manages with personal information and
custom folders only and does not reformat external storage.
This application similar to the BlackBerry Protect while
accessible through SMS not WEB but protected by ciphering.
It means SMS-command will be decrypted and KMS performs
actions only then. In other words, any right SMS that sent to
the victim will perform action on victim device except only one
case – user should enable this option. GUI examines reveal
possible of weak encryption due SMS message size and typed
password counts four digits out sixteen at minimum. Previous
version 8 uses the same password typed by user to access
application to create a command SMS. Current version 9 offers
to type another password but users usually do not used to
operate like that. There was found no inaccuracy of crypto-
engine implementation but encryption takes place by GOST R
34.11-94 (that's quite obvious if company is in Russian)
without salt, with test values, and hash size is truncated in two,
for example, a password contains digits “1234” will hash into
“8a19de2e756035a3ece48cd01260b89e” instead of full value
“8a19de2e756035a3ece48cd01260b89ec36a510d9e18066e64ff
c4d379c6e457”, that eventually simplifies exploitation. Further
examination shows outgoing SMS can be dropped, replaced
with body or recipient. It may result spoof, bot-net creation or
misusing resources like a Frankenstein [12]. As it is a third-
party application, it is difficult to manage with GUI to extract
user password when it is being typed but screen capture works.
However, that is not what it needs because the numeric set is
less than set contains characters, numbers, and special marks.
McAfee Mobile Security looks like more secure and can
wipe device entirely than KMS but, as wrote in section about
application management, any application easily accesses to the
installed executable (.cod) modules to read, write, dump or
delete. Therefore, both McAfee Mobile Security and KMS do
not prevent it as opposed to the BlackBerry Protect. Moreover,
both of them works successfully under BlackBerry simulator
that provides behavior analyze (traffic, GUI, communication)
but it is not a part of this research.
XI. P
ERMISSIONS
Most of attack vectors showed Table II manages with
privileged API permissions allowing an access not only to own
application features but third party towards to that application
as well as OS entirely. Those interactions can be filtered and
restricted in some flexible way; instead, calling interfaces have
to be switched between turn on and turn off states. Permissions
divide into several wide groups while a BlackBerry has over a
hundred APIs that results to the disputable choice grant access
without knowledge what actions like read, delete, dump,
intercept or spoof will perform. For example, cross application
access leads to the foreign GUI’s intercept, while applications
management breaks into foreign executable modules to dump,
remove or lock that. BlackBerry Tablet permissions were
reduced greatly and have decreased efficiency to protect
spyware despite of a sandbox that protects applications data
more than user data sharing them widely. A PC case manages
with no permission for Windows OS; intercepts GUI object
stored a typing password or provides access to the device with
additional software like SDK/NDK or commercial software.
TABLE II. A TTACK VECTORS AND RESULTS
Ty
pe
Attack Permission
Smart
phone
Tablet
PC
(incl.
tools)
denial of service
Replacing .cod
+ + - +
Removing .cod
DoS’ing event
listeners
-
(except event
permission)
+ - -
GUI intercept + + - +
Noising input
fields
+ + - -
information disclosure
Clipboard
intercept
-(directly)
/
+ (via files)
+ +
+
(via
files)
Screen capture + +
+
(via
files)
+
Noising fields +
Screen capture
+ + - -
GUI intercept
(stealing
sensitive data)
+ + - +
Dumping .cod + + - +
ShChats - + - + Copyright © 2012 ICITST-2012 Technical Co-Sponsored by IEEE UK/RI Computer Chapter 486

Ty
pe
Attack Permission
Smart
phone
Tablet
PC
(incl.
tools)
Media +
metadata
(smartphone)
/
+ (tablet)
+ +
shared
folders
only
Docs + +
DB/other
+
rarely
+
often
MITM (interception / spoofing)
Messages
SMS + + - - MMS + + - -
Email + + - -
PIN2PIN + + - -
BBM + + - -
GUI intercept + + - +
Fake window/
clickjacking
+ + - +
XII. C ONCLUSION
Mobile vendor vision about user privacy has no deal with
real privacy completely favors mobile application to upload
user personal data without his knowledge. Once user
downloads an application, he decides if grant access relies on
poor explains what permissions will be utilized by application,
These permissions have never been being similar with
application’s actions; what’s more it is out of touch with data
that will be accessed. Issue when only few people look them
before installing it faces with security but it should not be taken
because this application never says what is actually will use
for. It difficult to understand why GPS tracker wants access to
the email function and impossible to be sure whether no one
email will be touched that does not belong to the application
operations results. Moreover, there are enough sensitive objects
that a malware could access without any permissions, just be
signed by vendors keys. Sometimes metadata embedded in
files easy reveal GEO data or date by involving shared file
access only. When applications are downloading, no one has a
time to discuss with developer why they want to access one or
another permission. Forensics techniques is no more provide
with information through the logs, because OS vendors let
developers store in application logs only debug information.
Only ten percent API calls have strong privileges on
BlackBerry, especially if it is BES BlackBerry device. The rest
provides cross-application interception that usually need to
manage own modules but as it mentioned above no one of OS
divide calling functions to the friend of foe. It does not need
modify system files or else to block internet connection;
sometimes it is just effective to build a silent extension for
native browser that filters desirable URLs, send POST/GET
requests to steal data or receive bot-net commands. Any mobile
OS boasts about of a “sandbox” like about user data privacy
but protect only application data in reality while user data keep
wide opened.
RIM had a great security featured BES that allows to
manipulate with mask to filter any potential unsafe connections
neither network connection or local. Despite of that, it fails
with security too. A newer BlackBerry Server named as
BlackBerry Mobile Fusion manages with BlackBerry
PlayBook, old BES and other mobile devices faced with
problem leveraging of permissions groups in twice to keep
similar permission right among all mobile devices that a huge
fail. As opposite to that, AWS (Amazon Web Services) provide
a restriction by each API call if it is directory listing even. That
is a quite useful solution but does not solve what data accessed
and for. It seems OS vendors are unable to implement logging
system to show user what actions were actually used, what data
for, when action was and else. This kind of solution fill the
gaps not only with analyze malware but also helps to forensics
handle an investigation to be sure no one application harm data
or ruins management with forensics tools.
R
EFERENCES

[1] Y. Chemerkin, “A Security System That Changed The World”, Hakin9
Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682
Warszawa, vol. 6 №2 Issue 02/2011 (38) ISSN 1733-7186, pp. 10-13,
February 2011
[2] Y. Chemerkin, “Is Data Secure on the Password Protected Blackberry
Device?”, Hakin9 Magazine, Software Press Sp. z o.o. Sp.
Komandytowa 02-682 Warszawa, vol. 6 №2 Issue 02/2011 (38) ISSN
1733-7186, pp. 22-29, February 2011
[3] Y. Chemerkin, “The Backroom Message That’s Stolen Your Deal”,
Hakin9 Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682
Warszawa, vol. 6 №4 Issue 04/2011 (40) ISSN 1733-7186, pp. 22-27,
April 2011
[4] Y. Chemerkin, “Why is password protection a Fallacy Point of View”,
Hakin9 Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682
Warszawa, vol. 1 №1 Issue 01/2011 (01) ISSN 1733-7186, pp. 36-53,
June 2011
[5] Y. Chemerkin, “Does your BlackBerry smartphone have ears?”, Hakin9
Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682
Warszawa, vol. 6 №7 Issue 07/2011 (43) ISSN 1733-7186, pp. 26-40,
July 2011
[6] Y. Chemerkin, “To get round to the heart of fortress,” Hakin9 Extra
Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682
Warszawa, vol. 1 №3 Issue 03/2011 (03) ISSN 1733-7186, pp. 20–37,
August 2011
[7] Y. Chemerkin, “When Developer's API Simplify User-Mode Rootkits
Developing,” Hakin9 Mobile Magazine, Software Press Sp. z o.o. Sp.
Komandytowa 02-682 Warszawa, vol. 2 №2 Issue 02/2012 (3) ISSN
1733-7186, pp. 16–21, February 2012
[8] Y. Chemerkin “Insecurity of blackberry solutions: Vulnerability on the
edge of the technologies,” vol. 6, pp. 20-21, December 2011 [Annual
InfoSecurity Russia Conf., 2011]
[9] Y. Chemerkin, “When Developers API Simplify User-Mode Rootkits
Development – Part II,” Hakin9 OnDemand Magazine, Software Press
Sp. z o.o. Sp. Komandytowa 02-682 Warszawa, vol. 1 №4 Issue
04/2012 (4) ISSN 1733-7186, pp. 56–81, July 2012
[10] Y. Chemerkin, “Comparison of Android and BlackBerry Forensic
Techniques,” Hakin9 Extra Magazine, Software Press Sp. z o.o. Sp.
Komandytowa 02-682 Warszawa, vol. 11 №4 Issue 04/2012 (11) ISSN
1733-7186, pp. 28–36, April 2012
[11] Y. Chemerkin, “BlackBerry Playbook – New Challenges” Hakin9 E-
Book Magazine, Software Press Sp. z o.o. Sp. Komandytowa 02-682
Warszawa, vol. 1 №3 Issue 03/2012 (3) ISSN 1733-7186, pp. 1–34,
September 2012
[12] V. Mohan, K. Hamlen, “Frankenstein: Stitching Malware from Benign
Binaries”, 6th USENIX Workshop on Offensive Technologies (WOOT)
August 2012 [Annual WOOT Conf., 2012]
Copyright ? 2012 ICITST-2012 Technical Co-Sponsored by IEEE UK/RI Computer Chapter 487