Page 1

Reversing OSX / iOS malware: machook / wirelurker

Julien Bachmann / @milkmix_

AppSecForum 2014 - RumpSession

Page 2

intro | appealing late-night tweet

Like at 1am this morning…

Page 3

intro | immediate reaction

“Maybe it’s more interesting to analyse than Unflod.dylib!”

But: the original download link for the IPA was not working anymore :(

Solution: start from the beginning, i.e. find the original blog post linked with the case

Page 4

intro | original post

Page 5

osx | initial infection

start.sh

unzip FontMap1.cfg

deploy machook in /usr/local/machook

create a LaunchDaemon to persist

Page 6

osx | machook

64-bit binary only

uses libimobiledevice to detect when an iOS device is plugged in

com.apple.afc

ProductVersion

SerialNumber

list of installed Apps

Page 7

osx | machook

Page 8

osx | machook

starts com.apple.afc2

if it worked (jailbroken device), copy

[OSX] /usr/local/machook/sfbase.dylib

[iOS] Library/MobileSubstrate/DynamicLibraries/sfbase.dylib

download the signed IPA and push it as well using com.apple.mobile.installation_proxy

URL stored in SQLite DB: foundation

Enterprise cert means that first execution will bring a validation pop-up

code not encrypted as it is not from the App Store

globalupdate: loop to check for updates
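The artefacts named on pages 5 and 8 (the /usr/local/machook deployment directory, the sfbase.dylib copied to the OS X host and to a jailbroken device's MobileSubstrate directory, and a LaunchDaemon that keeps machook running) are enough for a simple host check. The script below is an added example written for this write-up, not code from the talk or from the malware. It builds a constructed directory tree standing in for an infected host, then scans it for those paths and for any launchd plist whose Program or ProgramArguments point into /usr/local/machook. The LaunchDaemon label and the binary name inside /usr/local/machook are placeholders, because the slides do not give them; only the directory and the dylib path come from the page.

```python
import plistlib
import tempfile
from pathlib import Path

# Indicators taken from the slides (paths only; the talk gives no hashes).
OSX_MACHOOK_DIR = Path("usr/local/machook")            # deployment dir on OS X
OSX_SFBASE = OSX_MACHOOK_DIR / "sfbase.dylib"          # dylib later pushed to iOS
IOS_SFBASE = Path("Library/MobileSubstrate/DynamicLibraries/sfbase.dylib")
LAUNCHDAEMON_DIRS = (Path("Library/LaunchDaemons"),
                     Path("System/Library/LaunchDaemons"))
# Any launchd job persisting machook has to run something out of this directory.
MARKER = "/usr/local/machook"


def plist_references_machook(plist_path: Path) -> bool:
    """True if a launchd plist runs a Program or ProgramArguments under /usr/local/machook."""
    try:
        with plist_path.open("rb") as fh:
            data = plistlib.load(fh)
    except Exception:
        return False  # unreadable or malformed plist: not evidence either way
    candidates = [str(data.get("Program", ""))] + [str(a) for a in data.get("ProgramArguments", [])]
    return any(MARKER in c for c in candidates)


def scan_root(root) -> list:
    """Scan a filesystem root (live host or mounted image/backup) and list findings."""
    root = Path(root)
    findings = []
    if (root / OSX_MACHOOK_DIR).is_dir():
        findings.append(f"machook deployment dir: {root / OSX_MACHOOK_DIR}")
    for rel in (OSX_SFBASE, IOS_SFBASE):
        if (root / rel).is_file():
            findings.append(f"sfbase.dylib present: {root / rel}")
    for d in LAUNCHDAEMON_DIRS:
        ddir = root / d
        if not ddir.is_dir():
            continue
        for plist in sorted(ddir.glob("*.plist")):
            if plist_references_machook(plist):
                findings.append(f"LaunchDaemon persisting machook: {plist}")
    return findings


def build_constructed_sample(root) -> None:
    """Lay out a constructed tree that looks like an infected host (no real malware)."""
    root = Path(root)
    (root / OSX_MACHOOK_DIR).mkdir(parents=True)
    # Constructed placeholder content; only the path matters to the scanner.
    (root / OSX_SFBASE).write_bytes(b"placeholder-not-a-real-dylib")
    ld = root / "Library/LaunchDaemons"
    ld.mkdir(parents=True)
    # Placeholder label and binary name: the slides only name the directory.
    with (ld / "com.example.placeholder.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.example.placeholder",
                       "ProgramArguments": ["/usr/local/machook/machook"],
                       "RunAtLoad": True}, fh)
    # A benign job that must not be flagged.
    with (ld / "com.example.benign.plist").open("wb") as fh:
        plistlib.dump({"Label": "com.example.benign",
                       "ProgramArguments": ["/usr/bin/true"]}, fh)


def demo() -> list:
    """Run the scanner over the constructed sample and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return scan_root(tmp)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real host you would call scan_root("/"); the IOS_SFBASE check is only meaningful against a mounted device filesystem or an extracted backup, since that path lives on the iOS side.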

Page 9

osx | machook

Page 10

osx | machook

Page 11

osx | machook

Page 12

iOS | sfbase.dylib

not signed

uses MobileSubstrate to hook [UIWindow sendEvent] in

MobileStorageMounter

MobileSafari

MobilePhone

MobileSMS

Preferences

also checks for updates

Page 13

iOS | sfbase.dylib

if the event is applicationWillResignActive, kill applications

What??? Maybe I don’t have the latest version

also, dead code to query a URL and hide it

retrieves some files:

SMS.db

AddressBook.sqlitedb

UDID

posts them to saveinfo.php

Page 14

iOS | sfbase.dylib

Page 15

iOS | sfbase.dylib

Page 16

conclusion | maybe not that “new era”

did not look at the signed binary for the moment

possibilities too limited

except if privilege escalation is possible…

hooks methods but does not use them

targeted at the Chinese market but logs in English

still some nice functionalities

update functionality

OSX —> iOS, but already seen in the wild