Reversing OSX / iOS malware
machook / wirelurker
Julien Bachmann / @milkmix_
AppSecForum 2014 - RumpSession
intro | appealing late night tweet
Like at 1am this morning…
intro | immediate reaction
“Maybe it’s more interesting to analyse than Unflod.dylib!”
But: original download link for the IPA was not working anymore :(
Solution: start from the beginning, aka find original blog post linked with the case
intro | original post
osx | initial infection
start.sh
unzip FontMap1.cfg
deploy machook in /usr/local/machook
create LaunchDaemon to persist
osx | machook
64-bit binary only
uses libimobiledevice to detect when an iOS device is plugged in
connects to the com.apple.afc service and collects:
ProductVersion
SerialNumber
list of installed apps
osx | machook
starts com.apple.afc2
if that works (afc2 only answers on a jailbroken device), copies
[OSX] /usr/local/machook/sfbase.dylib
to [iOS] /Library/MobileSubstrate/DynamicLibraries/sfbase.dylib
downloads a signed IPA and pushes it as well, using com.apple.mobile.installation_proxy
URL stored in a SQLite DB: foundation
enterprise cert means the first execution brings up a validation pop-up
code not encrypted, as it does not come from the App Store
globalupdate: loop to check for updates
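The OSX side leaves filesystem artifacts a responder can check for: the /usr/local/machook directory, sfbase.dylib (on the host, and in /Library/MobileSubstrate/DynamicLibraries on a jailbroken device), and a LaunchDaemon that keeps machook running. The following triage script is an added example written for this page, not code from the talk or from the malware; the deck does not give the LaunchDaemon's label or plist name, so the script looks for any daemon whose program path points into /usr/local/machook rather than a hard-coded label, and the sample tree it builds (including the com.example.machook label) is constructed for the demo.

```python
import plistlib
import tempfile
from pathlib import Path

# Path indicators taken from the deck (relative to the volume / dump root).
MACHOOK_DIR = "usr/local/machook"
OSX_DYLIB = "usr/local/machook/sfbase.dylib"
IOS_DYLIB = "Library/MobileSubstrate/DynamicLibraries/sfbase.dylib"
# Where launchd looks for daemons on OS X.
LAUNCHDAEMON_DIRS = ("Library/LaunchDaemons", "System/Library/LaunchDaemons")


def daemon_programs(plist_path):
    """Return every program path a launchd plist would execute (Program + ProgramArguments[0])."""
    try:
        with open(plist_path, "rb") as fh:
            plist = plistlib.load(fh)
    except Exception:  # unreadable or malformed plist: nothing to report from it
        return []
    progs = []
    if isinstance(plist.get("Program"), str):
        progs.append(plist["Program"])
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        progs.append(args[0])
    return progs


def scan(root):
    """Scan an OS X volume or an iOS filesystem dump rooted at `root`; return (kind, detail) findings."""
    root = Path(root)
    findings = []
    if (root / MACHOOK_DIR).is_dir():
        findings.append(("osx_dir", MACHOOK_DIR))
    for rel in (OSX_DYLIB, IOS_DYLIB):
        if (root / rel).is_file():
            findings.append(("dylib", rel))
    for ld in LAUNCHDAEMON_DIRS:
        ld_path = root / ld
        if not ld_path.is_dir():
            continue
        for plist in sorted(ld_path.glob("*.plist")):
            for prog in daemon_programs(plist):
                # Persistence: any daemon launching something out of the machook directory.
                if prog.startswith("/usr/local/machook"):
                    findings.append(("launchdaemon", f"{plist.name} -> {prog}"))
    return findings


def build_sample_tree():
    """Constructed sample: an infected-looking tree with a hypothetical daemon label and one benign daemon."""
    root = Path(tempfile.mkdtemp())
    (root / MACHOOK_DIR).mkdir(parents=True)
    (root / OSX_DYLIB).write_bytes(b"\xcf\xfa\xed\xfe")  # placeholder bytes, not a real dylib
    ld = root / "Library/LaunchDaemons"
    ld.mkdir(parents=True)
    with open(ld / "com.example.machook.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.machook",
                       "ProgramArguments": ["/usr/local/machook/machook"],
                       "RunAtLoad": True}, fh)
    with open(ld / "com.example.benign.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.benign", "Program": "/usr/libexec/benign"}, fh)
    return root


if __name__ == "__main__":
    for kind, detail in scan(build_sample_tree()):
        print(kind, detail)
```

Run it against `/` on a live host (as root, so the LaunchDaemons directories are readable) or against the mount point of a forensic image; a `launchdaemon` finding is the persistence mechanism the deck describes and is worth pulling the plist for, whatever its label turns out to be.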
iOS | sfbase.dylib
not signed
uses MobileSubstrate to hook [UIWindow sendEvent:] in
MobileStorageMounter
MobileSafari
MobilePhone
MobileSMS
Preferences
also checks for updates
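Two of the deck's static observations, "64-bit binary only" for machook and "not signed" for sfbase.dylib, come straight from the Mach-O headers: the magic and cputype give the architecture (and a fat header tells you there are several slices), and the absence of an LC_CODE_SIGNATURE load command means no signature blob was ever attached. The parser below is an added example written for this page, not the author's tooling; it only reports whether a signature blob is present (validity is a separate check with `codesign -v`), and the sample binaries it builds are constructed minimal Mach-O files, not the real samples.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin Mach-O, little-endian on x86/arm
FAT_MAGIC = 0xCAFEBABE                            # universal binary, big-endian fat header
LC_UUID, LC_CODE_SIGNATURE = 0x1B, 0x1D
CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}


def parse_thin(data, off=0):
    """Parse one thin Mach-O at `off`: architecture, 64-bitness, presence of LC_CODE_SIGNATURE."""
    magic, cputype = struct.unpack_from("<II", data, off)
    if magic == MH_MAGIC_64:
        hdr_len, is64 = 32, True      # mach_header_64 has an extra reserved field
    elif magic == MH_MAGIC:
        hdr_len, is64 = 28, False
    else:
        raise ValueError("not a little-endian thin Mach-O at offset %d" % off)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, off + 16)
    pos, end = off + hdr_len, off + hdr_len + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    cmds = []
    for _ in range(ncmds):
        if pos + 8 > end:
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmdsize < 8 or pos + cmdsize > end:
            raise ValueError("bad cmdsize")   # refuse to walk a corrupt table
        cmds.append(cmd)
        pos += cmdsize
    return {"arch": CPU_NAMES.get(cputype, hex(cputype)), "is64": is64,
            "has_code_signature": LC_CODE_SIGNATURE in cmds}


def parse(data):
    """Return one record per architecture slice; fat binaries are expanded, thin ones give one record."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat):
            _cputype, _sub, offset, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            if offset + size > len(data):
                raise ValueError("fat slice outside file")
            slices.append(parse_thin(data, offset))
        return slices
    return [parse_thin(data)]


def is_64bit_only(data):
    return all(s["is64"] for s in parse(data))


def is_unsigned(data):
    """True when no slice carries a code signature blob (sfbase.dylib in the deck)."""
    return not any(s["has_code_signature"] for s in parse(data))


def build_thin(cputype, signed):
    """Constructed sample: minimal MH_DYLIB with an LC_UUID and, if `signed`, an empty LC_CODE_SIGNATURE."""
    is64 = bool(cputype & CPU_ARCH_ABI64)
    cmds = struct.pack("<II", LC_UUID, 24) + b"\x00" * 16
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)
    hdr = struct.pack("<IIIIIII", MH_MAGIC_64 if is64 else MH_MAGIC, cputype, 0, 6,
                      2 if signed else 1, len(cmds), 0)
    if is64:
        hdr += struct.pack("<I", 0)  # reserved
    return hdr + cmds


def build_fat(thins):
    """Constructed sample: wrap thin slices in a fat header (slices placed back to back)."""
    hdr = struct.pack(">II", FAT_MAGIC, len(thins))
    archs, body = b"", b""
    first = 8 + 20 * len(thins)
    for t in thins:
        cputype = struct.unpack_from("<I", t, 4)[0]
        archs += struct.pack(">IIIII", cputype, 0, first + len(body), len(t), 0)
        body += t
    return hdr + archs + body


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    for s in parse(blob):
        print(s)
    print("64-bit only:", is_64bit_only(blob), "| unsigned:", is_unsigned(blob))
```

Pointed at the real files, `python3 machoinfo.py /usr/local/machook/machook` should show a single x86_64 slice and `python3 machoinfo.py sfbase.dylib` should show no LC_CODE_SIGNATURE, matching the deck; the parser also refuses to walk a load-command table whose sizes do not fit in the file, which matters when the input is an untrusted sample.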
iOS | sfbase.dylib
if the event is applicationWillResignActive, kill the application
What??? Maybe I don’t have the latest version
also, dead code to query a URL and hide it
retrieves some files:
SMS.db
AddressBook.sqlitedb
UDID
posts them to saveinfo.php
conclusion | maybe not that “new era”
did not look at the signed binary for the moment
possibilities too limited
except if privilege escalation is possible…
hooks methods but does not use them
targeted at the Chinese market but logs in English
still some nice functionality
update functionality
OSX -> iOS, but already seen in the wild