Tag Archives: iPhone

If it’s encrypting, perhaps it’s ransomware

Researchers from the University of Florida and Villanova University suggest that ransomware can be mitigated by detecting its encrypting files early in the process:

CryptoLock (and Drop It): Stopping Ransomware Attacks on User Data

A good idea, but some anti-malware programs already do something like this (i.e. flag programs that start encrypting files in bulk). But still a good idea. At The Register, Richard Chirgwin offers a round of applause:

Florida U boffins think they’ve defeated all – ransomware Crypto Drop looks for tell-tale signs that files are being encrypted

David Harley

Advertisements

SRI iBotnet analysis

I’m not a huge fan of SRI, mainly because of its misconceived and inept use of VirusTotal as a measure of a measure of anti-malware effectiveness. (Unfortunately, SRI is not the only organization to misuse what is actually a useful and well-designed service by Hispasec as a sort of poor man’s comparative testing, even though  Hispasec/VirusTotal themselves have been at pains to disassociate themselves from this inappropriate use of the facility: see http://blog.hispasec.com/virustotal/22.)

So it pains me slightly to report that they have actually produced a reasonable analysis of the botnet associated with the iPhone malware sometimes known as Ikee.B or Duh (sigh…) But they have, and it’s at http://mtc.sri.com/iPhone/.

I wish I could say that some of their other web content is of the same standard. Disclaimer: the company for which I currently work does indeed consistently appear at a very low position in SRI rankings, so you’d expect me to dislike the way they get their results. I do… But I dislike even more the way that they’ve ignored all my attempts to engage them on the topic. OK, rant over. The ikee analysis is still well worth a look.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

Jailbreaking: not just an AppleJackHack

John Leyden has reported that the Motorola Droid has been rooted, so that users of the hack can install applications not offered by operators, in a manner not dissimilar to jailbreaking the iPhone and iPod Touch.

Here’s the link, , but watch that Shell rollover ad: it really gets in the way if you’re switching tabs!

http://www.theregister.co.uk/2009/12/11/hackers_jailbreak_droid/

See also the article by Stefanie Hoffman at CRN:

http://preview.tinyurl.com/ydm4fxb

No-one is saying that this issue  is 100% analogous to the iPhone issue, in that there is (as far as I know) no readymade vulnerability lying in wait for Droid users (unless you count the vulnerability in wetware that makes social engineering such an effective attack). However, it does point to the weakness of the whitelisting and restricted privilege models as a sole defence. If an end user is willing to forgo the legitimacy of a vanilla smartphone by “rooting” it, in order to get a wider choice of apps, there are people out there willing to share techniques for doing so. And plenty more ready to take advantage of the resulting exposure to risk, if they can.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

The Name Game – Duh…

[Update: well, Sophos have, it seems, gone official on the name iPh/Duh, which I find quite unreasonably irritating. However, Paul’s latest blog (link below) includes some very useful info.]

http://www.sophos.com/blogs/duck/g/2009/11/24/clean-up-iphone-worm/

Paul Ducklin, what have you done?

Well, it’s not exactly Paul’s fault, as much as the industry’s: he referred at http://www.sophos.com/blogs/duck/g/2009/11/23/iphone-worm-password/ to the iBot thingie (yes, that again…) as Duh, since there’s no standardized name for it, and “because that is the name which the virus itself gives to the component which strongly differentiates it from the earlier Ikee worm”.

And so, already we have various media sources referring to the Duh worm or Ikee.B. Well, if naming really mattered, I suppose we’d have all the various iPhone malware bits and pieces properly categorized and named by now. Historically, every vendor would have used a different name, of course, but there would have been some minimal cross-referencing and a semi-standard CARO-ish alternative. And probably the latest example (I really don’t like to describe it as a variant) would not have been called Duh because we tend to avoid using the form of name the malware author might have wanted.

Well, I haven’t changed my mind about naming, in general. In most cases, it’s largely irrelevant and often misleading, certainly in the Windows context. When you have many tens of thousands of unique binary samples coming in on a daily basis, accurately cross-referencing and naming them doesn’t seem much of a priority. (See  one of these papers for a more complete picture of why I say that.)

http://www.eset.com/download/whitepapers/cfet2009naming.pdf 
http://www.eset.com/download/whitepapers/Harley-Bureau-VB2008.pdf

So most companies don’t seem to have bothered to name these  at all, even though iPhone malware was obviously going to excite some media interest. Well, exact naming for fairly low-impact threats wasn’t an issue I could raise much interest in either. But the fact is, that journalists and their audiences need a name to hang a malware story on, and they don’t care about the complexities of CARO-like naming (why should they?). So Duh will do, I suppose, especially since Paul as good as endorsed it. (“Perhaps, in fact, Duh is a good name for this virus.”)

What worries me is that at some point, someone is going to point to this as another example of how the AV industry can’t get its act together on naming, even on a platform with few enough threats to count on one hand. Well, we could have sorted this one out easily enough (and still could, in principle), but it will always be Duh now, so we probably won’t bother.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Definitely not speaking for the AV industry…

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

iBotnet updates

Some updated information posted at http://www.eset.com/threat-center/blog/2009/11/22/ibot-mark-2-go-straight-to-jail-do-not-pass-go and  http://www.eset.com/threat-center/blog/2009/11/23/ibot-revisited-briefly.

Thanks to Mikko, Graham, Duck, and Henk for keeping the information flow going.

Is there still anyone out there with an iPhone or iPod Touch who hasn’t taken remedial action? I suppose so…

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

iPhone botnet

It seems to me that, like it or not, Apple is moving slowly but remorselessly closer to joining the rest of us in the 21st century threatscape.  Their products may never be subject to the sheer volume of problems (especially malware problems) that we enjoy in the Wonderful World of Windows, but the time when Apple could say with any conviction “we don’t have security issues” is long, long gone.

The iPhone bot is another small but significant step on that road: it demonstrates that the bad guys are paying serious attention.

Blogged at more length at
 http://www.eset.com/threat-center/blog/2009/11/22/ibot-mark-2-go-straight-to-jail-do-not-pass-go

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://dharley.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/

iPhone worm hits Jailbroken phones

By now the media machine has moved into action and all sorts of nonsense has been spouted about the creation of a worm that spreads on jailbroken iPhones, written by a guy called ‘ikee’. The facts are these,

  1. It ONLY affects jailbroken phones – if your iPhone is not jailbroken then you are not vulnerable
  2. It ONLY affects jailbroken phones that have OpenSSH installed (This involves you having consciously installed OpenSSH)
  3. If you have changed the default passwords for the ‘root‘ and ‘mobile‘ accounts subsequent to installation, you will not be vulnerable to this worm.

It’s tempting to say ‘I told you so’ on this one, as, I actually did state this fact 2 days before the worm was released. On a panel at the AVAR2009 Conference discussing vendor future strategy, someone brought up the idea that the iPhone will be a desirable platform for exploitation. This is true, but as I pointed out, the biggest risk is not so much to users who are using the default OS provided by Apple, because they are in a strictly controlled environment, with Apple as the benevolent dictator, as it is to those users who have jailbroken phones, at which point – you’re on your own.The whole thing does highlight the potential though, there’s no reason why any platform is automagically protected from malware, so it’s no real surprise to anyone that this sort of thing has happened. David Harley (among others) has written more on this subject here, and as always, it’s worth reading.

Andrew Lee CISSP
AVIEN CEO