iPhone Srbija Servis, Beograd Kosovska 28

Thread: iOS malware "Unflod.dylib" that tries to steal the Apple ID and password


  1. #1 zabrljanje (Administrator), Beograd, joined Jul 2011


    According to the news on this page,

    Code:
    https://www.sektioneins.de/en/blog/14-04-18-iOS-malware-campaign-unflod-baby-panda.html
    dated 14.02.2014 (according to the signature date), there is malware aimed at phones that have been jailbroken, and the whole story was discovered and set in motion on 17.04.2014 on the reddit site...

    Code:
    http://www.reddit.com/r/jailbreak/comments/23b7qs/what_is_unflod_its_a_mobile_substrate_addon_that/
    http://www.reddit.com/r/jailbreak/comments/23bdwr/beware_unfloddylib_sends_apple_id_and_password_to/

    It seems the code originates from China and arrives as a "library" named Unflod.dylib; it injects itself into processes on jailbroken phones and "listens" to outgoing SSL connections. According to these reports, from those connections it tries to find out the Apple ID and sends it as plain text to a server at the following IP addresses (which are on US hosting but belong to the Chinese):

    23.88.10.4 and 23.228.204.55 on port 7878...


    It is still not known how it gets onto phones, and it has not yet been proven/confirmed that Chinese pirate repos are involved in it, but it is assumed that it has something to do with the real tweak, Unfold.

    It is placed at the following path:
    Code:
    /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib

    A digital signature from a developer certificate registered in the name WANG XIN was also discovered; essentially irrelevant to the whole story on this forum, since it is not yet known whether that is a made-up name or a "stolen identity".


    Saurik wrote about it on the reddit site and asked everyone who has this file on their phone to send it to him for analysis...



    What is "Unflod"? It's a mobile substrate addon that is breaking some apps. (by tdvx in jailbreak)

    saurik (13 points, 2 hours ago):
    Please run the following command:
    Code:
    grep -Eri "P5KFURM8M8|Unflod" /System /Library /usr /var
    Also, please use Cydia to e-mail me, and leave the dpkgl.log file attached. If you could also send me the contents of /var/lib/cydia/metadata.plist, I would be much appreciative.




    (I will also again take this moment to point out to anyone concerned that the probability of this coming from a default repository is fairly low: I don't recommend people go adding random URLs to Cydia and downloading random software from untrusted people any more than I recommend opening the .exe files you receive by e-mail on your desktop computer.)
    Part of Saurik's post was deliberately put in bold...

    Code:
    http://www.reddit.com/user/saurik

    How widely and in what way this code gets installed remains to be seen, but I hope this is one more sufficient reason to think carefully about how and what you install from pirated ("folk") versions (we are no longer talking about a bad crack or an app not working, but about the theft of your Apple ID and password)...

    I point this out for a very simple reason: the thing is serious enough in itself, and the story about the security of iOS gains an additional dimension that should be thought about when installing the mentioned versions of software...


    EDIT: News from the twitter account of Stefan Esser @i0n1c



    ...you can read and follow everything on i0n1c's twitter, which is where I saw the first information three hours ago...


    Code:
    https://twitter.com/i0n1c
    https://twitter.com/search?q=%23VUPEN&src=hash

    EDIT 2: DrWeb was the first to detect it as "malicious"

    Code:
    https://www.virustotal.com/en/file/3f1b6ae4bd3b2f3297bf722012b01fe8d8c0bb2d6899dbad24c7510096dfb689/analysis/1397836667/

    One more quote from the reddit site... type the command mentioned below over SSH, and what appears as the result can help find out which packages it is distributed with...

    Anyone who has this file, please run the following command via SSH/Terminal:
    Code:
    dpkg -S /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib
    This will return the package associated with the file.

    Example:
    Code:
    # dpkg -S /Library/MobileSubstrate/DynamicLibraries/Alkaline.dylib
    com.fortysixandtwo.alkaline: /Library/MobileSubstrate/DynamicLibraries/Alkaline.dylib
    This data should help compile a list of packages distributing the malware.

    So, if unflod does not appear in the DynamicLibraries folder (/Library/MobileSubstrate/DynamicLibraries/), the device is clean...


    The person who first noticed it suspects that he picked it up with Auxo 2 from the Hackyouriphone repo, but he is not 100% sure...
    Last edited by zabrljanje; 18-04-2014 at 19:16.
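The three checks quoted in the post (the path under /Library/MobileSubstrate/DynamicLibraries/, saurik's grep for the strings "P5KFURM8M8" and "Unflod", and dpkg -S to find the owning package) combined into one read-only triage script. This is an added example and is not code from the forum post, from saurik or from SektionEins. It takes the filesystem root to inspect as an argument, so it can be run against a mounted backup or extracted image on an analysis machine as well as over SSH on the device itself, and the owner lookup re-implements what dpkg -S does (searching the per-package file lists under /var/lib/dpkg/info) so it also works where dpkg is not installed. The sample root it builds for the demonstration, the placeholder "Unflod.dylib" text file it contains, and the package names com.example.badtweak and com.example.harmless are all constructed for this example and are not real artefacts.

```shell
#!/bin/sh
# Added example (not from the forum post): read-only triage of a jailbroken
# device's filesystem for the indicators quoted in the thread:
#   - the path /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib
#   - the strings "P5KFURM8M8" (signing identifier) and "Unflod"
# Every function takes ROOT, the filesystem root to inspect: "/" on the device,
# or the mount point of a backup / extracted image on an analysis host.

# 1. Is the library present at the reported path?  Prints "infected" or "clean".
unflod_path_check() {
    root="$1"
    if [ -e "$root/Library/MobileSubstrate/DynamicLibraries/Unflod.dylib" ]; then
        echo infected
    else
        echo clean
    fi
}

# 2. saurik's string sweep, restricted to the four directories he named.
#    Prints the matching files relative to ROOT, one per line, sorted.
unflod_string_scan() {
    root="$1"
    for d in System Library usr var; do
        if [ -d "$root/$d" ]; then
            # -l: file names only; -i: case-insensitive; "|| true" keeps the
            # loop going when a directory simply has no match (grep exits 1).
            grep -Eril 'P5KFURM8M8|Unflod' "$root/$d" 2>/dev/null || true
        fi
    done | sed "s|^$root/||" | sort
}

# 3. What "dpkg -S PATH" answers: the package whose file list
#    ROOT/var/lib/dpkg/info/<package>.list contains PATH as a whole line.
#    Prints "<package>: PATH" per owner, or a "no package owns" line.
unflod_owner_lookup() {
    root="$1"
    path="$2"
    found=0
    for list in "$root"/var/lib/dpkg/info/*.list; do
        [ -f "$list" ] || continue
        if grep -qxF "$path" "$list"; then
            echo "$(basename "$list" .list): $path"
            found=1
        fi
    done
    [ "$found" -eq 1 ] || echo "no package owns $path"
}

# Constructed sample root for the demonstration (NOT real malware): a
# placeholder text file at the reported path containing one indicator string,
# plus dpkg file lists for two hypothetical packages, one of which "owns" it.
make_sample_root() {
    root="$1"
    mkdir -p "$root/Library/MobileSubstrate/DynamicLibraries" \
             "$root/var/lib/dpkg/info" "$root/System" "$root/usr"
    printf 'placeholder file, signing id P5KFURM8M8\n' \
        > "$root/Library/MobileSubstrate/DynamicLibraries/Unflod.dylib"
    printf '/.\n/Library\n/Library/MobileSubstrate\n/Library/MobileSubstrate/DynamicLibraries\n/Library/MobileSubstrate/DynamicLibraries/Unflod.dylib\n' \
        > "$root/var/lib/dpkg/info/com.example.badtweak.list"
    printf '/.\n/usr\n/usr/bin\n/usr/bin/harmless\n' \
        > "$root/var/lib/dpkg/info/com.example.harmless.list"
}

# Demonstration against the constructed root.  To triage a real device or
# image instead, call the three check functions with its root directory.
demo_root=$(mktemp -d)
make_sample_root "$demo_root"
echo "path check:  $(unflod_path_check "$demo_root")"
echo "string hits:"
unflod_string_scan "$demo_root"
echo "owner:       $(unflod_owner_lookup "$demo_root" /Library/MobileSubstrate/DynamicLibraries/Unflod.dylib)"
rm -rf "$demo_root"
```

In the demonstration the string sweep reports two files: the placeholder library itself and the dpkg .list of the package that installed it, because that list contains the path. The same happens on a real device, which is why saurik's grep over /var already hints at the distributing package before dpkg -S is run; the owner lookup then confirms it the way the dpkg -S step in the post does.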

