Technical Description

Decrypt-XCodeGhostBeacon decrypts the malware payload using the DES algorithm in ECB mode with PKCS#7 padding and a key of "stringWithFormat".

PS C:\> Get-Content C:\payload.bin -Encoding Byte | Decrypt-XCodeGhostBeacon.ps1

This reveals the details of the infected iOS device and the name of the infected app. That information can be used to positively identify the infected iOS device, and then supplied to the user or IT helpdesk staff to positively identify the infected app(s) to remove from that device.

Prior to the invention of Decrypt-XCodeGhostBeacon there were two main problems with the detection and elimination of the malware.

First, detection systems typically can only detect the IP address of an infected device. Researchers have determined the destinations the malware sends its encrypted data to, so systems can reliably detect the malware by watching for communications to those specific destinations. When that communication is detected, the IP address of the source (i.e. the infected device) is known. However, the devices are mobile, and IP addresses are recycled when a device stops being used on a network. So, unless the owner can be found before the device leaves the network and the IP address is recycled, detection relies on having a flawless audit history mapping historic IP address usage to an actual user's name.

Second, detection systems cannot determine which app(s) on an infected device actually carry the malware. This makes remediation difficult, since the only instruction which can be given to the user is to find a listing of infected iOS apps published online and remove any of their apps which are on the list. However, those lists are not exhaustive and are being updated daily as more infected apps are found. This requires painstaking research to determine which apps are infected (if it is possible at all) or lengthy trial-and-error removing apps until the infection goes away.

Figure 1 depicts the encrypted bytes (shown as hexadecimal, since many of them cannot be printed as text). No worthwhile information about the infected device or app can be ascertained from them.

Once decrypted, the beacon contains useful information for identifying the device and its owner:

- The name the user has given their iOS device: "John Smith's iPhone".

It also contains information about the infected app:

- The app's name, "下厨房", which translates as "The Kitchen". This can be used to positively identify the app in cases where the app's name is not in English.
- The app's version number. Many app makers have released new versions of their apps to remove XCodeGhost; if the owner of the device wants to try updating their app, this version number can be used to tell which versions should not be trusted.

Decrypt-XCodeGhostBeacon can be used manually or built into other software. Its manual usage is described here; building it into other software is straightforward for anyone familiar with PowerShell.

First, a capture of the traffic is required. This can be collected by a network monitoring system, or locally by a tool such as tcpdump or Wireshark.

Next, the analyst must locate the beacon message. This is an HTTP POST containing form data marked as "application/x-…". The analyst then extracts the HTTP POST form data and saves it to a file.

Usage of Decrypt-XCodeGhostBeacon is then straightforward, as shown in Figure 3.

This invention builds upon the work of other security researchers, notably Xavier Mertens. Mertens focused on device owners identifying their own compromised devices and app developers identifying their compromised apps.

A security practitioner familiar with packet capture and inspection will discover that the HTTP POST sent by the malware includes some identifying detail in clear text which may help identify the infected app. The HTTP Referer header may hint at the infected app, but this text does not always contain useful information. In one case, the name of the app was apparent (see Figure 4).
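The decryption step described in the Technical Description, as an added PowerShell example; this is not the Decrypt-XCodeGhostBeacon script itself, and the function names (New-XCodeGhostDes, ConvertFrom-XCodeGhostBeacon, Protect-SampleBeacon) are this example's own. It makes two assumptions the page does not state: a DES key is 8 bytes, so only the first 8 bytes of "stringWithFormat" are used (.NET rejects a 16-byte DES key outright), and the decrypted beacon is UTF-8, which is needed for app names such as "下厨房". The sample beacon it encrypts and decrypts is constructed here with a made-up field layout, since the page does not document the real one.

```powershell
# Added example: DES/ECB/PKCS#7 decryption of an XCodeGhost beacon body as the page
# describes. Not the original tool's code. Assumptions: 8-byte key prefix, UTF-8 plaintext.
Set-StrictMode -Version Latest

function New-XCodeGhostDes {
    # One DES instance configured as in the Technical Description.
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    # DES keys are 64 bits, so only the first 8 bytes of "stringWithFormat" can be used
    # (assumption: the malware uses the leading bytes of the string as the key).
    $des.Key = [byte[]]([System.Text.Encoding]::ASCII.GetBytes('stringWithFormat')[0..7])
    return $des
}

function ConvertFrom-XCodeGhostBeacon {
    # Decrypts the raw bytes of the saved POST form data and returns the plaintext string.
    param([Parameter(Mandatory)][byte[]]$CipherBytes)

    # A DES ciphertext is always a whole number of 8-byte blocks; anything else means the
    # saved form data is incomplete or still encoded, so fail early with a clear message.
    if ($CipherBytes.Length -eq 0 -or ($CipherBytes.Length % 8) -ne 0) {
        throw "Ciphertext is $($CipherBytes.Length) bytes, not a multiple of the 8-byte DES block size; check that only the raw form-data bytes were saved."
    }

    $des = New-XCodeGhostDes
    try {
        # TransformFinalBlock handles every block and strips the PKCS#7 padding; with the
        # wrong input it throws a padding error rather than returning garbage.
        $plain = $des.CreateDecryptor().TransformFinalBlock($CipherBytes, 0, $CipherBytes.Length)
    } finally {
        $des.Dispose()
    }
    # UTF-8 is assumed so that non-English app names survive the round trip.
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

function Protect-SampleBeacon {
    # Encrypts a constructed plaintext with the same parameters, only to produce test input.
    param([Parameter(Mandatory)][string]$PlainText)
    $des = New-XCodeGhostDes
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
        return $des.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    } finally {
        $des.Dispose()
    }
}

# Constructed sample (not a real capture): a device name and a Chinese app name in a
# made-up tab-separated layout; the real beacon's field layout is not given on the page.
$sample = Protect-SampleBeacon -PlainText "name=John Smith's iPhone`tapp=下厨房`tversion=1.0"

# Round trip: the decrypted text identifies the device and the app by name.
ConvertFrom-XCodeGhostBeacon -CipherBytes $sample

# Failure mode: a capture that lost its last byte is rejected before DES is even run.
$truncated = [byte[]]($sample[0..($sample.Length - 2)])
try {
    ConvertFrom-XCodeGhostBeacon -CipherBytes $truncated
} catch {
    Write-Warning $_.Exception.Message
}

# Against a real saved POST body (Windows PowerShell 5.1 syntax; on PowerShell 7 replace
# "-Encoding Byte" with "-AsByteStream"). -ReadCount 0 returns one byte[] instead of a
# stream of single bytes.
# $bytes = Get-Content C:\payload.bin -Encoding Byte -ReadCount 0
# ConvertFrom-XCodeGhostBeacon -CipherBytes $bytes
```

Save the script as UTF-8 with a byte-order mark so that Windows PowerShell reads the Chinese app name in the sample correctly. The length check is the caveat a practitioner wants here: because ECB under a fixed key has no integrity protection, the only signals that the wrong bytes were saved are a block-size mismatch or a padding exception, so the function surfaces both instead of printing unreadable output.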