Threat Researcher

November 9, 2009

iPhone worm “iKee”

Name: Worm iKee

Author: ike_x

Location: Sydney, Australia

Discovered: November 6, 2009 – Friday at 12:15 pm by sierralpha @ whirlpool forum

Report details: 3GS 16gb
Os 3.1.2 (7D11) on OPTUS
Jailbroken with Blackra1n
Running Cydia, Winterboard and Installous

Description:

Worm iKee targets jailbroken iPhones and takes advantage of the SSH service, which still accepts the default root password for remote logins.

From an interview by JD, the author explains:

As for users that are infected, there are two common denominators – they all have hacked iPhones (known to the hacking community as “JailBroken”), and they all use an SSH Daemon, allowing users to connect to their phones remotely and attempt to login.

Worm Propagation Method: SSH service accepting the default root password

Author recommendation:

Users that have already “JailBroken” their iPhones should immediately change the root account password, even if they have not installed an SSH Daemon.

Worm Behaviour:

- iKee overwrites Cydia files with its working code

“Cydia is a replacement packaging and repository manager for the original Installer.app for the iPhone or iPod touch”

- Changes the iPhone owner’s wallpaper, replacing it with a photo known from the cross-platform joke “RICKROLL” (I remember, I captured a video and uploaded it to YouTube): “Never Gonna Give You Up” by Rick Astley.

- Deletes SSH Daemon

- It scans pre-defined IP addresses to infect and spread to other vulnerable iPhone users (according to the SANS diary, all of the IP addresses are hardcoded in the worm and belong to 3G customers in Australia)

[Image: ikee-iphone-wallpaper.jpg] Image source: forums.whirlpool.net.au, “iKee changes infected iPhone user’s wallpaper”

How to remove iKee:

The author explained (in JD’s interview) that there are 4 variants of this worm; here’s how to remove them:

Variants A-C store files at these paths, so you have to remove them (you may use rm in the terminal):

/bin/poc-bbot

/bin/sshpass

/var/log/youcanbeclosertogod.jpg

/var/mobile/LockBackground.jpg

/System/Library/LaunchDaemons/com.ikey.bbot.plis

/var/lock/bbot.lock

Then reboot the phone, change your password and re-install SSH.

For variant D, remove the following files:

/usr/libexec/cydia/startup

/usr/libexec/cydia/startup.so

/usr/libexec/cydia/startup-helper

/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist

Reinstall Cydia.

Remember to change your root password!

Follow these instructions.
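An added shell helper (my own code, not from the original post or from the worm author’s instructions) that checks whether the artifact paths listed above exist, so you can tell which variant you are dealing with before removing anything. It takes an optional root prefix so a mounted backup can be inspected instead of the live phone; the function names are assumptions of this example.

```shell
#!/bin/sh
# ikee_check.sh: report which iKee artifacts from the removal list are present.
# Hypothetical helper written for this post; run it on the phone as root or
# point it at a mounted backup with a root prefix (e.g. ikee_scan /mnt/backup).

IKEE_AC_FILES="/bin/poc-bbot
/bin/sshpass
/var/log/youcanbeclosertogod.jpg
/var/mobile/LockBackground.jpg
/System/Library/LaunchDaemons/com.ikey.bbot.plis
/var/lock/bbot.lock"

# Variant D overwrites Cydia's own startup files, so these paths also exist on a
# clean Cydia install: their presence alone is not proof of infection, verify
# the file contents (or just reinstall Cydia as the post recommends).
IKEE_D_FILES="/usr/libexec/cydia/startup
/usr/libexec/cydia/startup.so
/usr/libexec/cydia/startup-helper
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist"

# ikee_scan ROOT: print each artifact found under ROOT as "<variant> <path>".
# Returns 0 if anything was found, 1 if none of the listed paths exist.
ikee_scan() {
    root=${1:-/}
    found=0
    for f in $IKEE_AC_FILES; do
        if [ -e "$root$f" ]; then echo "A-C $f"; found=1; fi
    done
    for f in $IKEE_D_FILES; do
        if [ -e "$root$f" ]; then echo "D $f"; found=1; fi
    done
    [ "$found" -eq 1 ]
}

# ikee_count ROOT: number of listed artifacts present under ROOT.
ikee_count() {
    ikee_scan "$1" | wc -l | tr -d ' '
}

# ikee_variant ROOT: "none", "A-C", "D" or "A-C D" depending on what was found.
ikee_variant() {
    v=$(ikee_scan "$1" | cut -d' ' -f1 | sort -u | tr '\n' ' ')
    v=${v% }
    echo "${v:-none}"
}
```

Whatever the scan reports, the post’s last step still applies: change the root password, because the worm only needs the default one to get in.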

November 3, 2009

Your iPhone’s been hacked…€5 to unlock

Filed under: iPhone — Methusela Cebrian Ferrer @ 9:20 am

Dutch hacker holds jailbroken iPhones “hostage” for €5 – Source: Ars Technica [read]


It appears one enterprising Dutch hacker used port scanning to identify jailbroken iPhones on T-mobile Netherlands with SSH running. Enabling SSH is a common procedure for jailbroken iPhones, allowing a user to log in via Terminal and run standard UNIX commands. Unfortunately, iPhones all have a default root password that many forget to change after jailbreaking, leaving their phone as vulnerable as a Lamborghini parked on a public street with the windows down, the doors unlocked, and the keys in the ignition.

The hacker relied on unchanged root passwords to hack into the phones. He then sent what appears to be an SMS alert to the hacked phones that read, “You iPhone’s been hacked because it’s really insecure! Please visit doiop.com/iHacked and secure your iPhone right now! Right now, I can access all your files.” Going to the website directs the user to send €5 to a PayPal account, after which the hacker will e-mail instructions to remove the hack—which most likely involve restoring the iPhone to factory settings.

October 29, 2009

Have you played Lose/Lose?

[Screenshot: Lose/Lose]

As the author describes it, “Lose/Lose is a video-game with real life consequences.”

This game works only on Mac, and as the warning explains, the game deletes files whenever the player kills those aliens. Yes, it is interesting, but unfortunately it poses a serious threat to users.

So, if you happen to see this screen, I advise you to immediately quit the application (Command + Q) before it’s too late!

October 17, 2009

Infection Report

[Figure: Mac user infection report]

The DNSChanger and Jahlav distribution vectors provided an avenue for attackers to successfully trick Mac users into installing them. The social engineering technique deployed is closely knitted to internet users’ popular activities, which is called the “Mainstream Approach” – it makes simple tricks sophisticated and unrecognizable to an average internet user.

I have mapped the top five “internet mainstream” activities that became a hub providing opportunity for organized groups to plug in and deploy cybercrimes.

[Figure: mainstream approach]

It’s been weeks (almost a month) since the Mac trojan internet distribution went offline. Because of this, I can’t help asking myself:

  • Is it preparing for a new attack?
  • Is it over, given that Apple stepped in?
  • Just cooling off, waiting for demand to kick in?

Whatever the reason, I don’t know. For now, it’s good that Mac users are safe from these pests. For the threat research community, let’s wait and see!

September 25, 2009

VB2009

Filed under: Daily Thoughts — Methusela Cebrian Ferrer @ 10:38 am

I should have posted this content here as well.

So, the presentation has a different twist from what I wrote in the whitepaper. I started building an understanding of Mac security in my introduction, leading the context into analysis of the specific threat families. This was followed by macro analysis, broadening the perspective into attackers’ underlying business models, the competitive advantages they bring while constructing the means and motive, and how these aspects build and create the opportunity that enables these organized groups to deploy threats and attacks against Mac users.

While the momentum of interest and excitement was increasing, my presentation suddenly froze and a crash report popped up. Indeed, an ice breaker as I continued to deliver the remaining slides.

At the end, the presentation shared some actual infection reports and showed data on how successful these threats have been in penetrating this platform.

It was a great experience, and at the same time I met fellow researchers at this conference!

September 22, 2009

Greetings from Geneva!

Filed under: Daily Thoughts, Events — Methusela Cebrian Ferrer @ 6:24 pm

[Photo: Jet d’eau]

Jet d’eau (Water Fountain), taken this morning. It was hot and sunny here in Geneva, so it’s the best time to walk around, take some pictures and chill out after getting a good rest and recovering from the long trip from Melbourne.

[Photo: St. Pierre Cathedral]

St. Pierre Cathedral is a cathedral in Geneva, Switzerland, belonging to the Swiss Reformed Church.

September 10, 2009

Wor{d|m}press

It’s a really tedious job to update and, perhaps, patch from time to time. I should say security comes with great responsibility, just like parking your car in the right place or locking your valuable computer when leaving.

Last week, users running older versions of WordPress noticed unusual strings added to their blogs’ permalinks, which made blog post links stop working.

journeyetc.com responded and described the attack:

“If you use wordpress, you should check ASAP your blog’s permalinks/rss feed.
If they are broken and look like this
%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/
or
“/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_EXECCODE%5D))%7D%7D|.+)&%
or
‘error on line 22 at column 71: xmlParseEntityRef: no name wordpress’ for your feed
then you are the victim of the new hack attempt targeting our blogs.”

Affected users now face the dilemma of upgrading and cleaning up. The SQL injection attack leaves a backdoor through which, even after upgrading, a remote attacker may get in. I recommend further reading of this post, “Old WordPress versions under attack” by Lorelle.

September 1, 2009

Bandwagon effect

Filed under: OS X, malware report — Methusela Cebrian Ferrer @ 2:05 pm

Google.com/trends lets you check popular searches or trends that threats might take advantage of as well.

However, you don’t often check it, and for events like the “Station Fire”, which I just learned about from the news this morning (here in Melbourne), it’s good that there are concerned Mac users who send you a heads up!

As a result, I’ve published this post.

August 29, 2009

About XProtect

Filed under: Daily Thoughts — Methusela Cebrian Ferrer @ 9:23 am

Very good information about Snow Leopard malware protection, its capabilities and limitations:

Snow Leopard malware protection system: What does XProtect do?

August 26, 2009

Snow Leopard includes malware protection

Interesting news (it’s now all over the net): Snow Leopard includes malware protection that detects two known threats, RSPlug and iServices. (Intego first spotted this anti-malware feature.)

Now curious thoughts are buzzing around: many suspect that Apple is using ClamAV, although Ryan Naraine @ zdnet blog has confirmed that Apple is not using it. Others suggest that it might be using Symantec’s engine, because of the naming convention used: “OSX.RSPlug.A, OSX.iService.A”.

Anyway, in perspective, it seems Apple is taking no chances with emerging and prevalent threats on the Mac (as noted in recent changes). It is taking steps forward to deliver protection and exercise due care – which is good.

“Due care is care that a reasonable man would exercise under the circumstances”

At the end of the day, security is a process that lives with and deals with reality – our day-to-day computing activities.

Security research, findings and awareness provide an avenue for a better understanding of these (impending) attacks or threats.
