Reversing iOS/OSX malware : wirelurker

5-minute rump session @ Application Security Forum, Yverdon

Julien Bachmann

November 07, 2014

  1. Reversing OSX / iOS malware: machook / wirelurker
     Julien Bachmann / @milkmix_
     AppSecForum 2014 - RumpSession

  2. intro | immediate reaction
     "Maybe it's more interesting to analyse than Unflod.dylib!"
     But: the original download link for the IPA was not working anymore :(
     Solution: start from the beginning, i.e. find the original blog post linked with the case

  3. osx | initial infection
     - start.sh unzips FontMap1.cfg
     - deploys machook in /usr/local/machook
     - creates a LaunchDaemon to persist

  4. osx | machook
     - 64-bit binary only
     - uses libimobiledevice to detect when an iOS device is plugged in
     - com.apple.afc
     - ProductVersion, SerialNumber, list of installed apps

  5. osx | machook
     - starts com.apple.afc2; if it works, the device is jailbroken
     - copies [OSX]/usr/local/machook/sfbase.dylib to [iOS]Library/MobileSubstrate/DynamicLibraries/sfbase.dylib
     - downloads a signed IPA and pushes it as well using com.apple.mobile.installation_proxy
     - URL stored in SQLite DB: foundation
     - Enterprise cert means that the first execution will bring a validation pop-up
     - code not encrypted, as it is not from the AppStore
     - globalupdate: loop to check for updates

  6. iOS | sfbase.dylib
     - not signed
     - uses MobileSubstrate to hook [UIWindow sendEvent] in MobileStorageMounter, MobileSafari, MobilePhone, MobileSMS, Preferences
     - also checks for updates

  7. iOS | sfbase.dylib
     - if the event is applicationWillResignActive, kill applications. What???
     - Maybe I don't have the latest version
     - also, dead code to query a URL and hide it, retrieve some files (SMS.db, AddressBook.sqlitedb, UDID) and post to saveinfo.php

  8. conclusion | maybe not that "new era"
     - did not look at the signed binary for the moment
     - possibilities too limited, except if privilege escalation is possible...
     - hooking methods, but does not use them
     - targeted at the Chinese market, but logs in English
     - still some nice functionalities: update functionality, OSX -> iOS, but already seen in the wild
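The OS X side of the infection (slides 3 and 5) leaves three host artefacts: the /usr/local/machook directory, the sfbase.dylib staged there for the push to jailbroken devices, and a LaunchDaemon that keeps machook running. The following added check (example code written for this page, not part of the original deck or of the malware analysis) walks those indicators; the `root` parameter is an assumption so the scan can be pointed at a mounted disk image or a test tree, and the LaunchDaemon label and binary name are not on the slides, so only the /usr/local/machook path prefix is matched.

```python
import plistlib
from pathlib import Path

# Indicators taken from the slides: machook lives in /usr/local/machook,
# sfbase.dylib is staged there before being pushed to a jailbroken device,
# and persistence is a LaunchDaemon that runs something under that directory.
MACHOOK_DIR = "/usr/local/machook"
STAGED_DYLIB = "sfbase.dylib"
LAUNCH_DAEMON_DIRS = ("/Library/LaunchDaemons", "/System/Library/LaunchDaemons")


def daemon_runs_machook(plist_path):
    """True if a launchd plist's Program/ProgramArguments point under /usr/local/machook."""
    try:
        with open(plist_path, "rb") as fh:
            plist = plistlib.load(fh)
    except Exception:
        return False  # unreadable or malformed plist: not a finding by itself
    candidates = []
    if isinstance(plist.get("Program"), str):
        candidates.append(plist["Program"])
    if isinstance(plist.get("ProgramArguments"), list):
        candidates.extend(a for a in plist["ProgramArguments"] if isinstance(a, str))
    return any(c == MACHOOK_DIR or c.startswith(MACHOOK_DIR + "/") for c in candidates)


def scan_host(root="/"):
    """Return (indicator, path) findings; root (assumed parameter) lets the check run on an image or test tree."""
    root = Path(root)
    findings = []
    machook = root / MACHOOK_DIR.lstrip("/")
    if machook.is_dir():
        findings.append(("machook directory present", str(machook)))
        if (machook / STAGED_DYLIB).exists():
            findings.append(("sfbase.dylib staged for iOS push", str(machook / STAGED_DYLIB)))
    for daemon_dir in LAUNCH_DAEMON_DIRS:
        d = root / daemon_dir.lstrip("/")
        for plist_path in (sorted(d.glob("*.plist")) if d.is_dir() else []):
            if daemon_runs_machook(plist_path):
                findings.append(("LaunchDaemon persists machook", str(plist_path)))
    return findings


if __name__ == "__main__":
    hits = scan_host()
    for what, where in hits:
        print(f"{what}: {where}")
    if not hits:
        print("no WireLurker/machook indicators found")
```

Run it as root on the host so the LaunchDaemons directories are readable; a hit on the directory alone is worth checking against a backup, since the slides note the infection also drops start.sh and FontMap1.cfg.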