Reversing iOS/OSX malware : wirelurker

5minutes rump session @ Application Security Forum, Yverdon

Julien Bachmann

November 07, 2014

Transcript

  1. Reversing OSX / iOS malware: machook / wirelurker. Julien Bachmann / @milkmix_, AppSecForum 2014 - RumpSession
  2. intro | appealing late night tweet. Like at 1am this morning…
  3. intro | immediate reaction. "Maybe it's more interesting to analyse than Unflod.dylib!" But: the original download link for the IPA was not working anymore :( Solution: start from the beginning, aka find the original blog post linked with the case
  4. intro | original post
  5. osx | initial infection. start.sh unzips FontMap1.cfg, deploys machook in /usr/local/machook, creates a LaunchDaemon to persist
  6. osx | machook. 64-bit binary only; uses libimobiledevice to detect when an iOS device is plugged in; over com.apple.afc reads ProductVersion, SerialNumber and the list of installed Apps
  7. osx | machook
  8. osx | machook. Starts com.apple.afc2; if that worked (jailbroken device): copies [OSX]/usr/local/machook/sfbase.dylib to [iOS]Library/MobileSubstrate/DynamicLibraries/sfbase.dylib; downloads a signed IPA and pushes it as well using com.apple.mobile.installation_proxy (URL stored in SQLite DB: foundation). Enterprise cert means that first execution will bring a validation pop-up; code not encrypted as it is not from the AppStore. globalupdate: loop to check for updates
  9. osx | machook
  10. osx | machook
  11. osx | machook
  12. iOS | sfbase.dylib. Not signed; uses MobileSubstrate to hook [UIWindow sendEvent] in MobileStorageMounter, MobileSafari, MobilePhone, MobileSMS, Preferences; also checks for updates
  13. iOS | sfbase.dylib. If the event is applicationWillResignActive, kill applications. What??? Maybe I don't have the latest version. Also, dead code to query a URL and hide it. Retrieves some files (SMS.db, AddressBook.sqlitedb, UDID) and posts them to saveinfo.php
  14. iOS | sfbase.dylib
  15. iOS | sfbase.dylib
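
The two on-disk footprints the slides describe (slide 5: machook installed in /usr/local/machook and persisted by a LaunchDaemon; slides 8 and 12: the unsigned sfbase.dylib dropped into MobileSubstrate's DynamicLibraries on a jailbroken device) can be turned into a simple host-side IoC sweep. The block below is an added example, not code from the talk or from the malware. It assumes a filesystem root to scan (a live Mac's `/`, or a copy of a device filesystem pulled over afc2) and builds a constructed fixture tree with made-up plist labels and placeholder file contents; because the slides do not name the LaunchDaemon plist, the persistence check keys on what each plist launches rather than on its filename.

```python
"""IoC sweep for the machook / WireLurker artifacts named on the slides.

Added example, not part of the original talk. Paths come from the slides
(/usr/local/machook, sfbase.dylib, Library/MobileSubstrate/DynamicLibraries);
the LaunchDaemon plist label is not given there, so persistence is detected by
inspecting Program / ProgramArguments instead of guessing a name.
"""
import plistlib
import tempfile
from pathlib import Path

MACHOOK_DIR = "usr/local/machook"                                    # slide 5
OSX_DYLIB = "usr/local/machook/sfbase.dylib"                         # slide 8
IOS_DYLIB = "Library/MobileSubstrate/DynamicLibraries/sfbase.dylib"  # slides 8, 12
LAUNCHDAEMON_DIRS = ("Library/LaunchDaemons", "System/Library/LaunchDaemons")


def plist_launch_targets(plist_path):
    """Program and ProgramArguments strings of one launchd plist ([] if unparseable)."""
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except (plistlib.InvalidFileException, ValueError, OSError):
        return []
    targets = []
    if isinstance(data.get("Program"), str):
        targets.append(data["Program"])
    args = data.get("ProgramArguments")
    if isinstance(args, list):
        targets.extend(a for a in args if isinstance(a, str))
    return targets


def scan_osx(root):
    """OS X side: install dir, staged iOS payload, and any LaunchDaemon whose
    launch target lives under /usr/local/machook. Returns human-readable hits."""
    root = Path(root)
    hits = []
    if (root / MACHOOK_DIR).is_dir():
        hits.append(f"machook install dir: /{MACHOOK_DIR}")
    if (root / OSX_DYLIB).is_file():
        hits.append(f"staged iOS payload: /{OSX_DYLIB}")
    for rel in LAUNCHDAEMON_DIRS:
        for plist in sorted((root / rel).glob("*.plist")):
            if any(t.startswith("/" + MACHOOK_DIR) for t in plist_launch_targets(plist)):
                hits.append(f"launchdaemon persistence: /{plist.relative_to(root)}")
    return hits


def scan_ios(root):
    """Jailbroken-device filesystem copy: the MobileSubstrate tweak from slide 12."""
    root = Path(root)
    return [f"mobilesubstrate tweak: /{IOS_DYLIB}"] if (root / IOS_DYLIB).is_file() else []


def build_fixture():
    """Constructed tree standing in for an infected Mac plus device dump.
    Labels and file bodies are invented for the example; no real Mach-O is written."""
    root = Path(tempfile.mkdtemp(prefix="wirelurker_fixture_"))
    (root / MACHOOK_DIR).mkdir(parents=True)
    (root / OSX_DYLIB).write_bytes(b"constructed placeholder, not a real dylib")
    ld = root / "Library/LaunchDaemons"
    ld.mkdir(parents=True)
    with open(ld / "com.example.constructed.plist", "wb") as fh:   # persists machook
        plistlib.dump({"Label": "com.example.constructed",
                       "ProgramArguments": ["/usr/local/machook/machook"],
                       "RunAtLoad": True}, fh)
    with open(ld / "com.example.benign.plist", "wb") as fh:        # benign control
        plistlib.dump({"Label": "com.example.benign",
                       "ProgramArguments": ["/usr/bin/true"]}, fh)
    (root / IOS_DYLIB).parent.mkdir(parents=True)
    (root / IOS_DYLIB).write_bytes(b"constructed placeholder, not a real dylib")
    return root


if __name__ == "__main__":
    fixture = build_fixture()
    for line in scan_osx(fixture) + scan_ios(fixture):
        print(line)
```

On a real machine the same functions are called with the actual roots (`scan_osx("/")`, `scan_ios` on the directory where a device filesystem was copied); parsing the plist with `plistlib` rather than grepping for the string catches binary-format plists as well as XML ones.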

  16. conclusion | maybe not that "new era". Did not look at the signed binary for the moment. Possibilities too limited except if privilege escalation is possible… Hooking methods but does not use it. Targeted at the Chinese market but logs in English. Still some nice functionalities: update functionality OSX -> iOS, but already seen in the wild