- Mass infection of iOS devices (XcodeGhost), reported publicly between 17.09.2015 and 21.09.2015
- Firewall: block the domain init.icloud-analysis.com. The DNS record currently no longer resolves, but the name may still be sitting in resolver caches. This is the bot command-and-control (C2) server.
- Apps outside China are affected as well, e.g. WinZip and PDFReader (roughly 300 apps in total).
- Check whether an app is on the list below. IF SO: remove the app if it is installed and, ideally, change all passwords.
- Apple's support pages have no information so far. The list of apps was derived from scanning traffic to the URL init.icloud-analysis.com (OpenDNS has detailed data on this).
- Infected iPhones stand out through unexpected credential prompts (the malicious code can display phishing dialogs, e.g. for the iCloud password).
http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/
http://www.forbes.com/sites/abigailtracy/2015/09/21/hackers-infiltrated-apples-app-store-heres-what-you-need-to-know/?ss=Security
https://isc.sans.edu/diary/Detecting+XCodeGhost+Activity/20171
http://www.wired.com/2015/09/apple-removes-300-infected-apps-app-store/
http://blogs.blackberry.com/2015/09/faq-how-users-and-it-administrators-can-detect-and-dump-malware-ridden-ios-apps/
https://labs.opendns.com/2015/09/21/xcodeghost-materializes/
Other links:
https://www.elcomsoft.com/PR/recon_2013.pdf (Cracking and Analyzing Apple iCloud backups, Find My iPhone, Document Storage)
The FQDN init.icloud-analysis.com no longer resolves, but according to VirusTotal passive DNS it previously resolved to the following IP addresses (date, IP, AS / owner, VT detection ratio):
2015-07-17  52.2.85.22      AMAZON-AES - Amazon.com, Inc., US               0/0
2015-05-14  52.4.74.88      AMAZON-AES - Amazon.com, Inc., US               0/0
2015-05-13  52.6.167.64     AMAZON-AES - Amazon.com, Inc., US               0/0
2015-04-29  52.68.131.221   AMAZON-02 - Amazon.com, Inc., US                0/0
2015-04-15  104.238.125.92  AS-26496-GO-DADDY-COM-LLC - GoDaddy.com, LLC, US 0/0
How to detect infected devices?
If you're an iPhone user (or administer iPhones):
• Check your firewall or proxy logs for HTTP traffic to http://init.icloud-analysis.com, and your DNS logs for lookups of that name: it no longer resolves, but infected apps still query it, so a failed lookup is itself a signal.
• Check for traffic to the IP addresses listed above. These are shared Amazon and GoDaddy addresses, so treat an IP-only hit as a lead to confirm, not as proof.
• Remove the apps listed as malicious.
• Change the passwords of the accounts used in the affected apps, and your Apple ID/iCloud password if you entered it into a prompt shown by one of them.
If you're a developer:
• Check whether the file Library/Frameworks/CoreServices.framework/CoreService exists under the iOS SDK directory /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/. A clean Xcode ships no CoreServices framework there; if it is present, the Xcode install is trojanized and every app built with it must be considered infected.
• Always download Xcode from Apple's official locations (Mac App Store or developer.apple.com) and verify the download: compare the published hashes (MD5/SHA1 are what most mirrors still list, but prefer SHA-256 where offered, since MD5 and SHA-1 are no longer collision-resistant) and, more reliably, check Apple's code signature with "spctl --assess --verbose /Applications/Xcode.app", which must report "accepted" with source "Mac App Store", "Apple" or "Apple System".
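The two checklists above can be turned into a script. The following Python is an added example, not code from the SANS ISC diary, Palo Alto or any other source linked on this page: it scans proxy log lines for the C2 domain and the five passive-DNS IPs, anchoring the patterns so that a longer address such as 52.2.85.220 is not mistaken for 52.2.85.22, and it checks an Xcode install for the planted CoreService file. The log lines are constructed in Squid's native format (not real traffic), and the function and constant names are my own.

```python
"""Added example: check proxy/firewall log lines and an Xcode install for the
XcodeGhost indicators listed on this page.  Not code from the ISC diary or any
of the linked write-ups; the sample log lines are constructed, not real traffic."""
import os
import re

# Indicators taken from this page: the C2 FQDN and the IPs it resolved to
# according to VirusTotal passive DNS.
C2_DOMAIN = "init.icloud-analysis.com"
C2_IPS = ["52.2.85.22", "52.4.74.88", "52.6.167.64",
          "52.68.131.221", "104.238.125.92"]

# Anchor the patterns so that 52.2.85.22 does not match 52.2.85.220 and the
# domain does not match a longer hostname that merely contains it.
_DOMAIN_RE = re.compile(r"(?<![\w.-])" + re.escape(C2_DOMAIN) + r"(?![\w-])",
                        re.IGNORECASE)
_IP_RES = [(ip, re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])"))
           for ip in C2_IPS]


def find_c2_hits(lines):
    """Return [(line_no, indicator, line)] for every log line that references
    the C2 domain or one of its former IPs.  The domain is checked first; an
    IP-only hit is weaker evidence because these are shared AWS/GoDaddy
    addresses."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        line = line.rstrip("\n")
        if _DOMAIN_RE.search(line):
            hits.append((line_no, C2_DOMAIN, line))
            continue
        for ip, pattern in _IP_RES:
            if pattern.search(line):
                hits.append((line_no, ip, line))
                break
    return hits


# Where XcodeGhost plants its framework, relative to Xcode.app.  A clean Xcode
# has no CoreServices.framework inside the iOS SDKs directory.
GHOST_FRAMEWORK = os.path.join(
    "Contents", "Developer", "Platforms", "iPhoneOS.platform", "Developer",
    "SDKs", "Library", "Frameworks", "CoreServices.framework", "CoreService")


def xcode_is_trojanized(xcode_app="/Applications/Xcode.app"):
    """True if the planted CoreService binary exists in this Xcode install."""
    return os.path.exists(os.path.join(xcode_app, GHOST_FRAMEWORK))


# Constructed sample lines in Squid's native log format (assumed proxy format;
# only substring matching is used, so any text log format works).
SAMPLE_LOG = [
    "1442832001.123     45 10.0.0.21 TCP_MISS/200 512 POST http://init.icloud-analysis.com/ - DIRECT/52.2.85.22 text/html",
    "1442832002.456     30 10.0.0.22 TCP_MISS/200 1024 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "1442832003.789     60 10.0.0.23 TCP_MISS/200 200 GET http://52.2.85.220/ping - DIRECT/52.2.85.220 text/plain",
    "1442832004.012     10 10.0.0.24 TCP_MISS/200 300 GET http://104.238.125.92/ - DIRECT/104.238.125.92 text/plain",
]

if __name__ == "__main__":
    # Lines 1 (domain) and 4 (IP) are reported; line 3 is a near-miss IP.
    for line_no, ioc, line in find_c2_hits(SAMPLE_LOG):
        print(f"line {line_no}: matched {ioc}: {line}")
    print("Xcode trojanized:", xcode_is_trojanized())
```

Run it as-is against the sample lines, or pass find_c2_hits(open("access.log")) your own proxy log. The domain pattern is deliberately exact to the indicator on this page; anchor on icloud-analysis.com instead if you want to catch any other hostname under the attacker's registered domain. The IP addresses have very likely been reassigned since 2015, which is another reason to rank a request for the domain name above an IP match.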
------------------------------------------------------------------------
Infected iOS apps
51卡保险箱5.0.1
air2
AmHexinForPad
baba
BiaoQingBao
CamCardv.6.5.1
CamCardv6.5.1
CamScanner
CamScannerLite
CamScannerPro
ChinaUnicom3.x
CSMBP-AppStore
CuteCUT
DataMonitor
FlappyCircle
golfsense
golfsensehd
guaji_gangtaien
GuitarMaster
IHexin
immtdchs
InstaFollower
installer
iOBD2
iVMS-4500
jin
Lifesmart1.0.44
MobileTicket
MoreLikers2
MSL070
MSL108
Musical.ly
nicedev
OPlayer
OPlayer2.1.05
OPlayerLite
PDFReader
PDFReaderFree
Perfect365
PocketScanner
QuickSave
QYER
SaveSnap
SegmentFault2.8
snapgrabcopy
SuperJewelsQuest2
ting
TinyDeal.com
Wallpapers10000
WeChat
WeLoop
WhiteTile
WinZip
WinZipSector
WinZipStandard
下厨房
下厨房4.3.2
中信银行动卡空间3.3.12
中国联通手机营业厅3.2
口袋记账1.6.0
同花顺
同花顺9.60.01
喜马拉雅4.3.8
夫妻床头话1.2
开眼1.8.0
微信6.2.5
微博相机
快速问医生7.73
愤怒的小鸟22.1.1
懒人周末
我叫MT21.10.5
我叫MT5.0.1
新三板
滴滴出行4.0.0.6-4.0.0.0
滴滴司机
滴滴打车3.9.7.1–3.9.7
炒股公开课
爱推
电话归属地助手3.6.5
礼包助手
穷游6.6.6
简书2.9.1
网易云音乐
网易云音乐2.8.3
网易公开课4.2.8
股市热点
自由之战1.1.0
药给力1.12.1
讯飞输入法5.1.1463
豆瓣阅读
铁路123064.5
马拉马拉1.1.0
高德地图
高德地图7.3.8