iPhone Srbija Servis, Beograd Kosovska 28
Page 1 of 2 (posts 1 to 15 of 20)

Thread: iOS malware "Unflod.dylib" that tries to steal your Apple ID and password

#1 zabrljanje (Administrator), Beograd

iOS malware "Unflod.dylib" that tries to steal your Apple ID and password

According to the news on this page,

Code:
https://www.sektioneins.de/en/blog/14-04-18-iOS-malware-campaign-unflod-baby-panda.html

since 14.02.2014 (according to the signature date) there has been a piece of malware aimed at phones with a jailbreak; the whole story was discovered and kicked off on 17.04.2014 on reddit...

    Code:
    http://www.reddit.com/r/jailbreak/comments/23b7qs/what_is_unflod_its_a_mobile_substrate_addon_that/
    http://www.reddit.com/r/jailbreak/comments/23bdwr/beware_unfloddylib_sends_apple_id_and_password_to/

The code appears to originate from China and comes as a "library" named Unflod.dylib; it injects itself into processes on jailbroken phones and "listens" to outgoing SSL connections. According to these reports, from those connections it tries to extract the Apple ID and sends it in plain text to a server at the following IP addresses (which are on US hosting but belong to Chinese owners):

23.88.10.4 and 23.228.204.55 on port 7878...


It is still not known how it gets onto phones, and it has not yet been proven/confirmed that Chinese pirate repos are involved, but it is assumed to be related to the real tweak, Unfold.

It is dropped at the following path
    /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib

A digital signature from a developer certificate registered to the name WANG XIN was also discovered - essentially irrelevant to the story on this forum, since it is not yet known whether that is a made-up name or a "stolen identity".


Saurik wrote about it on reddit and asked everyone who has this file on their phone to send it to him for analysis...



What is "Unflod"? It's a mobile substrate addon that is breaking some apps. (posted by tdvx in r/jailbreak)

saurik (13 points, 2 hours ago):
Please run the following command:
grep -Eri "P5KFURM8M8|Unflod" /System /Library /usr /var
Also, please use Cydia to e-mail me, and leave the dpkgl.log file attached. If you could also send me the contents of /var/lib/cydia/metadata.plist, I would be much appreciative.

(I will also again take this moment to point out to anyone concerned that the probability of this coming from a default repository is fairly low: I don't recommend people go adding random URLs to Cydia and downloading random software from untrusted people any more than I recommend opening the .exe files you receive by e-mail on your desktop computer.)

The relevant part of Saurik's post was deliberately bolded...

    Code:
    http://www.reddit.com/user/saurik

How widely and in what way this code gets onto devices remains to be seen, but I hope this is one more sufficient reason to think hard about how and what you install from pirated ("people's") versions (we are no longer talking about a bad crack or an app not working, but about the theft of your Apple ID and password)...

I point this out for a very simple reason: the matter is serious enough on its own, and the story about how well protected iOS is gets an extra dimension that should be thought about when installing the software versions mentioned...


EDIT: News from the twitter account of Stefan Esser @i0n1c

...you can read about and follow all of it on i0n1c's twitter, where I saw the first information three hours ago...


    Code:
    https://twitter.com/i0n1c
    https://twitter.com/search?q=%23VUPEN&src=hash

EDIT 2: DrWeb was the first to detect it as "malicious"

    Code:
    https://www.virustotal.com/en/file/3f1b6ae4bd3b2f3297bf722012b01fe8d8c0bb2d6899dbad24c7510096dfb689/analysis/1397836667/

Another quote from reddit...type the command below over SSH; what comes up as the result can help find out which packages it is distributed with...

Anyone who has this file, please run the following command via SSH/Terminal:
dpkg -S /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib
This will return the package associated with the file.

    Example:
    # dpkg -S /Library/MobileSubstrate/DynamicLibraries/Alkaline.dylib
    com.fortysixandtwo.alkaline: /Library/MobileSubstrate/DynamicLibraries/Alkaline.dylib
    This data should help compile a list of packages distributing the malware.

So, if unflod does not show up in the DynamicLibraries folder (/Library/MobileSubstrate/DynamicLibraries/), the device is clean...


The person who first noticed it suspects he picked it up with Auxo 2 from the Hackyouriphone repo, but is not 100% sure...
    Last edited by zabrljanje; 18-04-2014 at 20:16.


#2 cikajoca (iSrbijaBigFan), Brčko DC

Hm, maybe this is the possible reason for the sudden crashing of Safari and the e-mail app on my jailbroken iPad 4. I had to move up to 7.1.

#3 zabrljanje (Administrator)

...they can also misbehave right after a jailbreak, which was written about in another thread...you can easily check whether you have this file, which sits in /Library/MobileSubstrate/DynamicLibraries/...


Saurik's instructions for everyone with Unflod.dylib in /Library/MobileSubstrate/DynamicLibraries/ (this is a straight copy/paste from the link)

Context: A piece of malware has shown up on a few jailbroken devices - it's almost certainly installed via something on a non-default repository (probably a pirate repository), and it's probably installed via a less-popular package, since it's not very common. It's usually called Unflod.dylib, and it's a malicious piece of software that tries to steal your Apple ID and password; nobody has figured out yet exactly where it comes from. You can read analysis by i0n1c here, and discussion in these two threads: what is it? and beware of it.

saurik wrote instructions in this thread to help him get more information about Unflod.dylib, and here's a more detailed version of those instructions. Please let me know if you get stuck or confused at any point in these instructions, and I'll write more explanations.

    1. Use iFile (or another way to access your filesystem) to navigate to /Library/MobileSubstrate/DynamicLibraries/ and check to see if Unflod.dylib and Unflod.plist (or framework.dylib and framework.plist) are in the list of files in that directory. (If you aren't used to navigating the filesystem with iFile: open iFile, tap the back button at top left until you no longer get a back button, and then tap Library, tap MobileSubstrate, tap DynamicLibraries, and scroll down to see if these files are there.) If they exist, continue with the rest of these instructions. If you only see other .dylib and .plist files with other names, you're probably fine. (It's possible for this malware to have other names, but checking for these files is a good basic first step.)
    2. In iFile, tap the blue "i" at the right of the Unflod.dylib or framework.dylib file listing, and scroll down to where it says "Last modification". Write down the date & time that the file was last modified, and put this info into a new page in your Notes app.
    3. Open up Cydia and install OpenSSH, if you don't have it installed already. Follow these instructions to SSH into your device from your computer, and then follow these instructions to change your root and mobile passwords. (I would like to recommend using MobileTerminal from your device instead, since that's easier, but it doesn't seem to support copy and paste.)
    4. At the command line, preferably as root, paste this command (which is basically a special search command): grep -Eri "P5KFURM8M8|Unflod" /System /Library /usr /var
    5. Tap Return, and wait for several minutes. Don't let the phone go to sleep (or the search may stop), just let the results happen - it'll print out a bunch of messages.
    6. After it stops printing out messages (you can tell because you'll get a command prompt again, or if you don't know what a command prompt looks like, you can just tell because it'll stop printing out messages every few seconds), then select all of the results and copy them.
    7. Paste these results into an email to yourself (or something like that). On your device, copy and paste the results into your Notes page (where you put the "last modification" time in step 2).
    8. Open up iFile (or another way to access your filesystem) and go to /var/lib/cydia/metadata.plist. Open this and copy and paste it into the Notes page. Then select your whole Notes page and copy it.
    9. Open up Cydia and search for Cyntact (or another package by saurik). Tap "Author" at the top of the page, and tap one of the options to email saurik. In this email, change the subject line to "Unflod data", and then paste your collected info at the top of the email. Paste it carefully so that you don't accidentally delete the log files that Cydia has already automatically attached to the email. Send it!
    10. Use iFile (or another way to access your filesystem) to delete Unflod.dylib and Unflod.plist in /Library/MobileSubstrate/DynamicLibraries/

    Code:
    http://www.reddit.com/r/jailbreak/comments/23d990/instructions_from_saurik_for_anyone_with/
Last edited by zabrljanje; 19-04-2014 at 13:13. Reason: Bolded and enlarged to make it clearer.
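As an added example (not code from this thread, from saurik or from SektionEins), the script below wires together the checks that post #1 and the step-by-step instructions above scatter across several commands: the known file names in /Library/MobileSubstrate/DynamicLibraries/, saurik's grep for the P5KFURM8M8 and Unflod strings, dpkg -S to name the package that shipped the file, and a look for live connections to the two exfiltration addresses on port 7878. It is meant to be run as root over SSH on the jailbroken device. The optional ROOT argument is this example's own addition: it points the check at another directory tree so it can be exercised off-device, which the constructed demo at the bottom does with a fake, empty Unflod.dylib. dpkg and netstat are used only when present.

```shell
#!/bin/sh
# Added example: consolidated Unflod.dylib indicator check.
# Not code from the thread or from saurik; the ROOT argument is this example's own addition.
# Usage: unflod_check [ROOT]   ROOT defaults to "" (the live filesystem); run as root over SSH.
# Returns 0 when no indicator is found, 1 when at least one is.

unflod_check() {
    root="${1:-}"
    dir="$root/Library/MobileSubstrate/DynamicLibraries"
    hits=0

    # 1. The file names named in the thread: Unflod.* and the framework.* alias.
    for f in Unflod.dylib Unflod.plist framework.dylib framework.plist; do
        if [ -e "$dir/$f" ]; then
            echo "INDICATOR: $dir/$f"
            ls -la "$dir/$f"          # the mtime tells you roughly when it was dropped
            # dpkg -S names the package that shipped the file (only meaningful on the live device)
            if [ -z "$root" ] && command -v dpkg >/dev/null 2>&1; then
                dpkg -S "$dir/$f" 2>/dev/null || echo "  (not owned by any dpkg package)"
            fi
            hits=$((hits + 1))
        fi
    done

    # 2. saurik's string search: the team identifier from the signing certificate
    #    (P5KFURM8M8) or the name Unflod inside any file under the four trees.
    #    -l lists only file names; unreadable paths are silenced; grep's exit
    #    status 1 (no match) must not be treated as an error.
    matches=$(grep -Erli "P5KFURM8M8|Unflod" \
        "$root/System" "$root/Library" "$root/usr" "$root/var" 2>/dev/null || true)
    if [ -n "$matches" ]; then
        echo "$matches" | sed 's/^/INDICATOR: string match in /'
        hits=$((hits + $(echo "$matches" | wc -l)))
    fi

    # 3. Live connections to the two exfiltration hosts named in the SektionEins
    #    write-up (port 7878). Only checked on the live device, and only if netstat exists.
    if [ -z "$root" ] && command -v netstat >/dev/null 2>&1; then
        conns=$(netstat -an 2>/dev/null | grep -E '23\.88\.10\.4|23\.228\.204\.55' || true)
        if [ -n "$conns" ]; then
            echo "$conns" | sed 's/^/INDICATOR: live connection /'
            hits=$((hits + 1))
        fi
    fi

    if [ "$hits" -eq 0 ]; then
        echo "clean: no Unflod indicators under ${root:-/}"
        return 0
    fi
    echo "$hits indicator(s) found under ${root:-/}: delete the files, then change your Apple ID password"
    return 1
}

# Constructed off-device demo: a throwaway directory tree with a fake (empty, harmless)
# Unflod.dylib dropped in, so the check can be watched firing without a real sample.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/Library/MobileSubstrate/DynamicLibraries"
: > "$demo_root/Library/MobileSubstrate/DynamicLibraries/Unflod.dylib"
if unflod_check "$demo_root"; then echo "demo: clean"; else echo "demo: infected (exit status 1)"; fi
rm -rf "$demo_root"
```

On the device itself, call `unflod_check` with no argument as root; a clean result only means none of these particular indicators is present, which is why the instructions above still ask you to send the grep output and metadata.plist to saurik.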

#4 kylle (iModerator), Krusevac

How crazy they are and the ways they try to get at the data, hats off to minds like that.
If this really comes to pass, who knows how much money they'll take, and on top of that all the jailbroken phones with a locked Apple ID might become unlockable.
For now, beware of suspicious files...and tweaks. Thanks for the info.

#5 iEntuzijasta

I don't have MobileSubstrate ... :/

#6 bbrks (iModerator)

    /Library/MobileSubstrate

#7 milan64586 (iSrbijaLegend)

Hm, I don't have that folder either. I'm looking via iFile, and I've turned on hidden files too.

EDIT:

Found it. I don't have the unflod file.
    Last edited by milan64586; 19-04-2014 at 12:40.

#8 bbrks (iModerator)

Take a look via iFile or whatever else, iFunBox, iTools and the like:

So in DynamicLibraries there should be, or rather, there had better not be, that unflod.dylib file
    Last edited by bbrks; 19-04-2014 at 12:46.


#9 milan64586 (iSrbijaLegend)

Found it. False alarm.

#10 zabrljanje (Administrator)

...just read...you always go to / first and then onward, not straight to /var...


EDIT:

...one more assumption about what the stolen passwords could be used for is bypassing Activation Lock (Find My iPhone enabled) on "freshly stolen" phones...

They are still trying to pin down all the places Unflod.dylib can be "picked up" from...now (besides the BiteYourApple repo) they also suspect

Code:
com.repo.xarold.com
and NextGenUI, which is found on many other repos...

Suggestion, for who knows how many times: steer clear of cracked versions of tweaks...

#11 MajX (iSrbijaLegend)

I don't have MobileSubstrate

#12 zabrljanje (Administrator)

...if you have a jailbreak, you have that too...look at where you go in iFile...previous post...you get to the / marker (it stands alone at the very top) and then go to Library and the rest...

#13 MajX (iSrbijaLegend)

Found it, and what happens now since I have that file, should I delete it?

#14 skiper ("The iSrbija Hall Of Fame" Member)

I read that it can be deleted, but that it is also a good idea to change your Apple ID

#15 zabrljanje (Administrator)

...it can be deleted, but what you said still stands...there is also a "Tool" for deleting it, which I deliberately didn't post since it is unnecessary and not something I have checked; everything can be deleted by hand...
...what matters most is to steer well clear of cracked tweaks...
