Reversing iOS/OSX malware : wirelurker

5-minute rump session @ Application Security Forum, Yverdon


Julien Bachmann

November 07, 2014


  1. Reversing OSX / iOS malware: machook / wirelurker
     Julien Bachmann / @milkmix_ - AppSecForum 2014 - RumpSession
  2. intro | appealing late-night tweet
     Like this one, at 1am
  3. intro | immediate reaction
     "Maybe it's more interesting to analyse than Unflod.dylib!"
     But: the original download link for the IPA was not working anymore :(
     Solution: start from the beginning, i.e. find the original blog post linked with the case
  4. intro | original post
  5. osx | initial infection
     unzip FontMap1.cfg
     deploy machook in /usr/local/machook
     create a LaunchDaemon to persist
  6. osx | machook
     64-bit binary only
     uses libimobiledevice to detect when an iOS device is plugged in
     collects ProductVersion, SerialNumber and the list of installed Apps
  7. osx | machook
  8. osx | machook
     starts if it worked (jailbroken device)
     copy [OSX]/usr/local/machook/sfbase.dylib to [iOS]Library/MobileSubstrate/DynamicLibraries/sfbase.dylib
     download a signed IPA and push it as well, using the URL stored in the SQLite DB: foundation
     Enterprise cert means that the first execution will bring a validation pop-up
     code not encrypted, as it is not from the AppStore
     globalupdate: loop to check for updates
  9. osx | machook
  10. osx | machook
  11. osx | machook
  12. iOS | sfbase.dylib
     not signed
     uses MobileSubstrate to hook [UIWindow sendEvent] in MobileStorageMounter, MobileSafari, MobilePhone, MobileSMS, Preferences
     also checks for updates
  13. iOS | sfbase.dylib
     if the event is applicationWillResignActive, kill applications. What???
     Maybe I don't have the latest version
     also, dead code to query a URL and hide it
     retrieves some files: SMS.db, AddressBook.sqlitedb, UDID, and posts them to saveinfo.php
  14. iOS | sfbase.dylib
  15. iOS | sfbase.dylib
  16. conclusion | maybe not that "new era"
     did not look at the signed binary for the moment
     possibilities too limited, except if privilege escalation is possible...
     hooks methods, but does not use them
     targeted at the Chinese market, but logs in English
     still some nice functionalities
     update functionality OSX -> iOS, but already seen in the wild
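The OS X foothold on slides 5 and 8 (the /usr/local/machook directory, the sfbase.dylib it holds, and a LaunchDaemon for persistence) and the iOS-side dylib on slide 12 (Library/MobileSubstrate/DynamicLibraries/sfbase.dylib) are static paths a defender can check for on a mounted filesystem. The script below is an added example written for this page, not code from the deck or from the malware analysis: the machook, sfbase.dylib and MobileSubstrate paths are the ones the slides name, while the LaunchDaemon plist directories that are searched, the plist label used in the fixture, and the fixture file contents are assumptions constructed for the demo.

```python
import os
import plistlib
import tempfile

# Paths taken from the slides. The LaunchDaemon directories are an assumption:
# the deck only says "create a LaunchDaemon to persist", not where it lives.
MACHOOK_DIR = "usr/local/machook"
MACHOOK_DYLIB = "usr/local/machook/sfbase.dylib"
LAUNCH_DAEMON_DIRS = ("Library/LaunchDaemons", "System/Library/LaunchDaemons")
IOS_DYLIB = "Library/MobileSubstrate/DynamicLibraries/sfbase.dylib"


def scan_osx_root(root):
    """Return (indicator, path) findings for an OS X filesystem mounted at `root`."""
    findings = []
    machook = os.path.join(root, MACHOOK_DIR)
    if os.path.isdir(machook):
        findings.append(("machook_dir", machook))
    dylib = os.path.join(root, MACHOOK_DYLIB)
    if os.path.isfile(dylib):
        findings.append(("sfbase_dylib", dylib))
    # Persistence: any LaunchDaemon plist whose Program/ProgramArguments
    # point into the machook directory.
    for d in LAUNCH_DAEMON_DIRS:
        full = os.path.join(root, d)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(full, name)
            try:
                with open(path, "rb") as f:
                    plist = plistlib.load(f)
            except Exception:
                continue  # unreadable or malformed plist: skip, not our concern here
            candidates = [plist.get("Program", "")] + list(plist.get("ProgramArguments", []))
            if any("/usr/local/machook" in str(c) for c in candidates):
                findings.append(("launchdaemon_persistence", path))
    return findings


def scan_ios_root(root):
    """Return findings for a (jailbroken) iOS filesystem mounted at `root`."""
    findings = []
    dylib = os.path.join(root, IOS_DYLIB)
    if os.path.isfile(dylib):
        findings.append(("mobilesubstrate_sfbase", dylib))
    return findings


def build_sample_roots():
    """Constructed fixtures: an infected OS X root, a clean OS X root, an infected iOS root."""
    infected = tempfile.mkdtemp(prefix="osx_infected_")
    os.makedirs(os.path.join(infected, MACHOOK_DIR))
    with open(os.path.join(infected, MACHOOK_DYLIB), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe")  # Mach-O magic only; placeholder content
    ld = os.path.join(infected, "Library/LaunchDaemons")
    os.makedirs(ld)
    # Label and file name are constructed for the demo, not taken from the sample.
    with open(os.path.join(ld, "com.example.machook.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.machook",
                       "ProgramArguments": ["/usr/local/machook/machook"],
                       "RunAtLoad": True}, f)

    clean = tempfile.mkdtemp(prefix="osx_clean_")
    os.makedirs(os.path.join(clean, "Library/LaunchDaemons"))
    with open(os.path.join(clean, "Library/LaunchDaemons/com.example.ok.plist"), "wb") as f:
        plistlib.dump({"Label": "com.example.ok", "Program": "/usr/bin/true"}, f)

    ios = tempfile.mkdtemp(prefix="ios_infected_")
    os.makedirs(os.path.join(ios, os.path.dirname(IOS_DYLIB)))
    with open(os.path.join(ios, IOS_DYLIB), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe")
    return infected, clean, ios


if __name__ == "__main__":
    inf, cln, ios = build_sample_roots()
    print("infected OS X:", scan_osx_root(inf))
    print("clean OS X:   ", scan_osx_root(cln))
    print("infected iOS: ", scan_ios_root(ios))
```

Run against a real disk, `scan_osx_root("/")` checks the live system and `scan_osx_root("/Volumes/<image>")` checks a mounted image; the iOS check only applies to a jailbroken device's filesystem, which is also the only case in which the deck says the dylib gets installed. Matching on the plist's Program and ProgramArguments rather than on the file name means a renamed persistence plist is still caught as long as it launches something under /usr/local/machook.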