XCodeGhost ‘Materializes’ on App Store

According to several sources, Apple’s App Store, known for being a strictly regulated closed ecosystem, has been infiltrated with malware that our friends over at Palo Alto Networks’ Unit 42 are calling XcodeGhost. Unit 42 initially discovered that the malware had infected 39 iOS apps (a number that keeps climbing and is north of 50 apps at time of publishing), potentially impacting hundreds of millions of users, by embedding malicious code into specific iOS apps.

Claud Xiao, author of the technical blog post, states that the XcodeGhost code embedded in infected iOS apps can receive commands from the attacker through a C2 server to: prompt a fake alert dialog to phish user credentials; hijack the opening of specific URLs based on their scheme (which could allow exploitation of vulnerabilities in iOS or in other iOS apps); and read and write data in the user’s clipboard (which could be used to read the user’s password if that password was copied from a password management tool).

According to a BBC News article, researchers at the e-commerce site Alibaba initially flagged the malware. It was discovered that the hackers had uploaded several altered versions of Xcode — a tool used to build iOS apps — to a Chinese cloud storage service. Then, about six months ago, the attackers posted links to the software on several forums commonly visited by Chinese developers.

Let’s take a look at the C2 domains in question from the perspective of the OpenDNS Global Network Infrastructure.

The first domain associated with XcodeGhost is init[.]crash-analytics[.]com. As you can see from the OpenDNS Investigate details below, we observed very few queries over the past 30 days.

The registrant for this domain uses a Tencent QQ email address. Past investigations have shown that QQ accounts (both instant messaging and email) are relatively easy to register and require very little validation of an individual’s authenticity.

The IP address and the name servers for this domain sit on different networks. Although this is common, it is an indicator worth noting.

The second domain, init[.]icloud-diagnostics[.]com, has noticeably more traffic and a dramatic upswing in queries starting September 11.

A look at the WHOIS information for this domain shows that the domain was registered by the same individual that registered init[.]crash-analytics[.]com.

If we pivot on the registrant email address, we can see that 18 known domains are associated with this registrant. Several of them have interesting and somewhat suspicious names, including allsdk[.]org, ioscode[.]org, iossdk[.]org, iostool[.]com, sdkdev[.]net, and sdkdev[.]org.

This domain has also recently changed from using an Amazon AWS CNAME (which will surface later in this post) to the same IP address hosting init[.]crash-analytics[.]com.

As we can see, this IP address is hosting several domains owned by the registrant.

Pivoting on the IP address, which is located in Singapore, we can see that it is associated with AS 63949, which is owned by hosting provider Linode.

The third domain, init[.]icloud-analysis[.]com, shows the most significant spike in queries of the three. As you can see below, the query volume accelerates on September 11 and peaks at over 330,000 queries.

That is until the query volume normalizes on September 13 at 10:00am GMT.
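As an added example that is not part of the original post, this is the check a resolver operator could run over their own DNS logs for the three C2 domains discussed here: it counts queries per domain per day, records which clients asked, and flags the kind of day-over-day surge seen above. The log format and the sample lines are constructed.

```python
# Added example (not from the original post): flag resolver-log queries to the
# XcodeGhost C2 domains named in the post and detect a day-over-day query surge.
# The log format and the sample lines below are constructed.
from collections import Counter, defaultdict

# The three C2 domains the post walks through (de-fanged brackets removed).
XCODEGHOST_C2 = {
    "init.crash-analytics.com",
    "init.icloud-diagnostics.com",
    "init.icloud-analysis.com",
}

# Constructed resolver log lines: "<ISO timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2015-09-10T08:00:01Z 10.0.0.5 www.example.com A
2015-09-10T09:12:44Z 10.0.0.7 init.icloud-analysis.com A
2015-09-11T07:30:02Z 10.0.0.9 init.icloud-analysis.com A
2015-09-11T07:31:10Z 10.0.0.12 init.icloud-analysis.com A
2015-09-11T08:02:56Z 10.0.0.4 init.icloud-diagnostics.com A
2015-09-11T10:15:00Z 10.0.0.9 init.icloud-analysis.com. A
2015-09-11T11:45:21Z 10.0.0.30 mail.example.com MX
2015-09-12T06:10:09Z 10.0.0.9 init.icloud-analysis.com A
"""

def parse_line(line):
    """Return (day, client, qname); qname lowercased with any trailing dot removed."""
    ts, client, qname, _qtype = line.split()
    return ts[:10], client, qname.rstrip(".").lower()

def c2_hits(log_text):
    """Map each C2 domain seen to {day: count}, plus the set of clients that queried it."""
    per_day = defaultdict(Counter)
    clients = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, client, qname = parse_line(line)
        if qname in XCODEGHOST_C2:
            per_day[qname][day] += 1
            clients[qname].add(client)
    return per_day, clients

def surge_days(day_counts, factor=2.0):
    """Days whose query count is at least `factor` times the previous logged day's."""
    days = sorted(day_counts)
    return [d for prev, d in zip(days, days[1:])
            if day_counts[d] >= factor * day_counts[prev]]
```

In production the client set is what matters most: each client that resolved a C2 domain is a device running a trojanized app and should be triaged.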

Unlike the other two domains, the WHOIS information does not show the same registrant email address or name server information. We can note, however, that at one time all three domains had an @domainsbyproxy.com registrant email address, which can be used to draw a loose association between the domains.

What we do see, however, is the reappearance of the Amazon AWS CNAME that was previously associated with init[.]icloud-diagnostics[.]com, effectively associating these domains with one another.

If we pivot on the CNAME associated with the domain, we see a significant spike in traffic on the day it was associated with the init[.]icloud-analysis[.]com domain.
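The registrant, IP and CNAME pivots walked through above, as an added example that is not the post's or OpenDNS's code: it links domains that share any of those attributes into clusters (transitively, the way the AWS CNAME ties the third domain to the other two) and reports which attribute ties a given pair. The WHOIS and passive-DNS records are constructed stand-ins; only the domain names come from the post.

```python
# Added example (not from the original post): cluster domains by the pivot
# attributes the post uses (registrant email, hosting IP, CNAME target).
# RECORDS are constructed stand-ins for WHOIS/passive-DNS data; only the
# domain names come from the post.
from collections import defaultdict

# Constructed records: (domain, registrant_email, ip, cname). None = unknown.
RECORDS = [
    ("init.crash-analytics.com", "reg@example-qq.invalid", "203.0.113.10", None),
    ("init.icloud-diagnostics.com", "reg@example-qq.invalid", "203.0.113.10", "lb.example-aws.invalid"),
    ("init.icloud-analysis.com", "proxy@example-privacy.invalid", "198.51.100.7", "lb.example-aws.invalid"),
    ("iossdk.org", "reg@example-qq.invalid", "203.0.113.10", None),
    ("unrelated.example.org", "other@example.invalid", "192.0.2.44", None),
]
PIVOTS = ("email", "ip", "cname")

def pivot_clusters(records):
    """Group domains that share any pivot attribute, transitively (union-find).
    Returns {domain: frozenset(cluster members)}."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x
    def union(a, b):
        parent[find(a)] = find(b)
    # Index domains by each (attribute, value); all domains sharing one are united.
    owners = defaultdict(list)
    for domain, *values in records:
        find(domain)                        # register even if it shares nothing
        for name, value in zip(PIVOTS, values):
            if value is not None:
                owners[(name, value)].append(domain)
    for members in owners.values():
        for other in members[1:]:
            union(members[0], other)
    clusters = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    return {d: frozenset(c) for c in clusters.values() for d in c}

def shared_pivots(records, a, b):
    """Attribute names two domains directly share (why a pair was linked)."""
    rec = {r[0]: r[1:] for r in records}
    return [name for name, x, y in zip(PIVOTS, rec[a], rec[b])
            if x is not None and x == y]
```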

If we take a look at the co-occurrences and related domains for init[.]icloud-analysis[.]com, we can see several Apple app-related names emerge, several of which are associated with apps identified as being compromised by the XcodeGhost malware. These include NetEase, Perfect365, Qyer, and WeChat, in addition to domains associated with app publishers like TickTockApps (creator of Wallpapers10000), whose apps have also been identified as compromised.

It’s been reported that the majority of people affected were in China, and our own data corroborates this claim using OpenDNS Investigate’s Requester Geo Distribution metric.

Unsurprisingly, however, we also notice substantial query volumes originating from the US, Australia, Canada, Brazil, India, Vietnam, Italy, and Great Britain, all of which are countries with a sizable Chinese-speaking population.

Using OpenDNS Investigate, we’ve walked through an investigation, or rather a corroboration, of findings from a third party. Perhaps the biggest benefit is that we didn’t have to use a number of disparate systems to do so. The next step in our investigation will likely be to take a look at those suspiciously named SDK domains also owned by the malicious registrant. That, of course, is another blog post entirely.

The post XCodeGhost ‘Materializes’ on App Store appeared first on OpenDNS Security Labs.

OpenDNS Security Labs at BSides Las Vegas, Black Hat, and Defcon

It’s that time of year where security folks descend upon the desert of Las Vegas for what many call “Security Summer Camp” or, in some circles, “Hacker Summer Camp”. We, of course, mean the Holey Trinity (see what we did there?) of Security BSides Las Vegas, Black Hat, and Defcon.

Security Analysts Kevin Bottomley and Josh Pyorre will be attending BSides Las Vegas to see a number of great talks, including one from OpenDNS Engineering’s Andrew Hess entitled Advancing Internet Security Research with Big Data and Graph Databases. In the talk, Hess will provide an overview of OpenDNS’s threat intelligence database system and focus on how it has influenced security research at OpenDNS. This is the system that we, the OpenDNS Security Labs team, rely on both for data ingestion from our resolvers and as the repository for our threat model results…hopefully he doesn’t give away too many secrets about how the cyber-sausage is made.

OpenDNS will also have a booth at the Mandalay Bay Resort and Casino for Black Hat USA 2015. Why not stop by booth 753 to catch up with the OpenDNS Security Labs team, watch a demo of our products, snag a fancy t-shirt, and enter to win an Apple Watch? Dr. Dhia Mahjoub, Sr. Security Researcher, Anthony Kasza, Security Researcher, Andrew Hay, Director of Research, and Dan Hubbard, CTO will be at the booth throughout the day. If you happen to drop by and the person you’re looking for is not there, please leave a business card, written note, or verbal message and we’ll try and sync up with you. You can also meet with Dhia, Andrew, or Dan by scheduling a one-on-one meeting through our scheduling form. We have a meeting room off the show floor so private conversations are welcomed (and encouraged).

You should also plan on attending Dan Hubbard and Andree Toonk’s presentation entitled BGP Stream on Thursday, August 6th, from 12:10-1:00pm in South Seas IJ. In the presentation, Dan and Andree will talk about their methodology and tool—conceived during a recent OpenDNS Hack-a-thon—that can be used to monitor BGP ASN hijacks, historical relationships, and geographic locations of announcing Internet routers. This “alert system for the Internet” is described on our OpenDNS blog, found here. You can, and should, also follow the dedicated Twitter account @bgpstream.

Finally, you may have already started to notice complaints about the long wait times for a taxi at McCarran International Airport.

Vegas needs @Uber so bad. Standing in cab line. About one cab showing up every 2 minutes.

— Chris Eng (@chriseng) August 3, 2015

Why not skip the line and jump on the OpenDNS Limo? We’re picking up from the Las Vegas airport Tuesday & Wednesday every 30 minutes. Just follow the signs. We will make sure you get the details if you sign up here. Please note, the limo runs Tuesday (5am to 10pm) and Wednesday (5am to 1pm) and only travels between McCarran and the Mandalay Bay Resort and Casino. If you’re lucky enough to be arriving between 8am and 10am on Wednesday, Andrew Hay will regale you with tales of security from his adventures on the tropical island of Bermuda and of a far away and magical land…called Canada.

The OpenDNS Security Labs team will also be headed to Defcon to learn about some of the cutting edge research our peers have published – some responsibly, some not as responsibly. Dhia, Andrew, Kevin, Josh, and Anthony will be joined by Thibault Reuille, Sr. Security Researcher. Hopefully we’ll get a chance to connect at one of these amazing venues, at a party, or while waiting in a long line for food or a taxi.

We should be easy to spot as we’ll likely be wearing the t-shirts that get us noticed wherever we go. See you there!


Infosecurity Europe and Intelligent Defence Wrap-up

The first week of June saw Dr. Dhia Mahjoub and I (Andrew Hay) hopping on a plane at SFO and waking up in London – well, I was able to sleep, Dhia wasn’t able to. We were both in London to speak at Infosecurity Europe and at the new Infosecurity Intelligent Defence conference.

This was the first time the conference was held at the Olympia Conference Centre in London. It was a good thing the event moved from the Earls Court Exhibition Centre as I’m not sure the old venue could have held the number of vendors or attendees. It was packed.

OpenDNS had a booth on the show floor in one of the most trafficked thoroughfares in the building. Whenever we walked by the booth, it was bustling with activity: people looking for more information about our products, requesting demos, or just wanting to ask questions about specific threats and trends.

Luckily our expert booth staff were able to handle any and all questions that popped up. They were also not shy about grabbing Dhia and me as we walked by to introduce us to individuals looking to collaborate or share security information after the show.

On Tuesday, June 2nd Dhia and I both presented sessions. Dhia presented his malicious domain tracking research in a talk entitled Tracking Malware in Criminal Internet Neighbourhoods at Infosecurity Europe. The talk focused on recent and original research on tracking malware domains and infrastructures at large scale and methods to track, detect, and mitigate malware domains and IPs in order to protect one’s network and assets or those of customers.


(Thanks to @edouardng for letting us use this photo from his tweet)

I presented the results of our 2015 Internet of Things in the Enterprise Report in a talk entitled The Researcher’s Guide to the IoT Galaxy. The talk was presented at Infosecurity Intelligent Defence, a new two-day technical security conference focusing on the latest research, including insight into new vulnerabilities and exploits and how to defend against them, and was well attended. I had numerous questions after the session and was interviewed by Infosecurity Europe immediately after (as seen below).

Though we were unable to get to BSides London, we both heard fantastic feedback from friends and colleagues who were able to get tickets. Maybe next year.

Our trip to London was great. Dhia and I were able to visit with a number of customers and prospects during our week in London to provide insight into OpenDNS’ capabilities and OpenDNS Security Labs’ current and future research projects.

Dhia also seized the opportunity to visit a few more prospects in Paris with our EMEA team and to attend a conference in Vatican City on June 9th about “Ethics and Security in the Digital Age”, where our own Paolo Passeri also gave a talk. These meetings and conferences were a great opportunity to emphasize the value of our research and innovation in OpenDNS’ product offerings. I can’t count how many times I heard “that’s amazing” or “wow” from customers and prospects. That feedback alone made the trip worth it.
