This document summarizes the analysis of the OSX and iOS malware called machook and wirelurker. It infects OSX systems and then uses those systems to infect connected iOS devices. It does this by deploying a machook daemon on OSX that detects when iOS devices connect, then uses the iOS substrate to install a dylib payload that steals information like contacts, SMS messages, and UDID. The dylib also has the ability to kill running apps and check for updates from the command and control server.

1. Reversing OSX / iOS malware
machook / wirelurker
AppSecForum 2014 - RumpSession
Julien Bachmann / @milkmix_

2. intro | appealing late night twitt
Like at 1am this morning…

3. intro | immediate reaction
“Maybe it’s more interesting to analyse than Unflod.dylib!”
But: original download link for the IPA was not working anymore :(
Solution: start from the beginning, aka find original blog post linked with the
case

4. intro | original post

5. osx | initial infection
start.sh
unzip FontMap1.cfg
deploy machook in /usr/local/machook
create LaunchDaemon to persist

6. osx | machook
64 bits binary only
use libimobiledevice to detect when an iOS device is plugged-in
com.apple.afc
ProductVersion
SerialNumber
list of installed Apps

7. osx | machook

8. osx | machook
starts com.apple.afc2
if worked (jailbroken device ) copy
[OSX]/usr/local/machook/sfbase.dylib
[iOS]Library/MobileSubstrate/DynamicLibraries/sfbase.dylib
download signed IPA and push it as well using com.apple.mobile.installation_proxy
URL stored in SQLite DB: foundation
Enterprise cert means that first execution will bring validation pop-up
code not encrypted as not from AppStore
globalupdate : loop to check for updates

9. osx | machook

10. osx | machook

11. osx | machook

12. iOS | sfbase.dylib
not signed
MobileSubstrate to hook [UIWindow sendEvent] in
MobileStorageMounter
MobileSafari
MobilePhone
MobileSMS
Preferences
also checks for updates

13. iOS | sfbase.dylib
if event is applicationWillResignActive, kill applications
What??? Maybe I don’t have the latest version
also, dead code to query URL and hide it
retrieve some files
SMS.db
AddressBook.sqlitedb
UDID
post to saveinfo.php

14. iOS | sfbase.dylib

15. iOS | sfbase.dylib

16. conclusion | maybe not that “new era”
did not look at the signed binary for the moment
possibilities too limited
except if privileges escalation is possible…
hooking methods but does not use it
targeted at Chinese market but logs in english
still some nice functionalities
update functionality
OSX —> iOS, but already seen in the wild