NYLXS Mailing Lists and Archives
NYLXS Members have a lot to say and share but we don't keep many secrets. Join the Hangout Mailing List and say your piece.

DATE 2015-11-01

HANGOUT



MESSAGE
DATE 2015-11-09
FROM Ruben
SUBJECT Re: [Hangout-NYLXS] serious iphone/objectivec problems
http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/


YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS
Devices by Abusing Private APIs

posted by: Claud Xiao on October 4, 2015 6:00 PM

filed in: Malware, Threat Prevention, Unit 42
tagged: antivirus, app store, Apple, China, iOS, iPhones, Taiwan,
XcodeGhost, YiSpecter
Summary

We recently identified a new Apple iOS malware and named it YiSpecter.
YiSpecter is different from previously seen iOS malware in that it
attacks both jailbroken and non-jailbroken iOS devices through unique
and harmful malicious behaviors. Specifically, it’s the first malware
we’ve seen in the wild that abuses private APIs in the iOS system to
implement malicious functionalities.

So far, the malware primarily affects iOS users in mainland China and
Taiwan. It spreads via unusual means, including the hijacking of traffic
from nationwide ISPs, an SNS worm on Windows, and an offline app
installation and community promotion. Many victims have discussed
YiSpecter infections of their jailbroken and non-jailbroken iPhones in
online forums and have reported the activity to Apple. The malware has
been in the wild for over 10 months, but out of 57 security vendors in
VirusTotal, only one is detecting the malware at the time of this writing.

YiSpecter consists of four different components that are signed with
enterprise certificates. By abusing private APIs, these components
download and install each other from a command and control (C2) server.
Three of the malicious components use tricks to hide their icons from
iOS’s SpringBoard, which prevents the user from finding and deleting
them. The components also use the same name and logos of system apps to
trick iOS power users.

On infected iOS devices, YiSpecter can download, install and launch
arbitrary iOS apps, replace existing apps with those it downloads,
hijack other apps’ execution to display advertisements, change Safari’s
default search engine, bookmarks and opened pages, and upload device
information to the C2 server. According to victims’ reports, all these
behaviors have been exhibited in YiSpecter attacks in the past few
months. Some other characteristics about this malware include:

Whether an iPhone is jailbroken or not, the malware can be
successfully downloaded and installed
Even if you manually delete the malware, it will automatically
re-appear
Using third-party tools you can find some strange additional
“system apps” on infected phones
On infected phones, in some cases when the user opens a normal app,
a full screen advertisement will show

YiSpecter is the latest in a line of significant malware families to
target iOS devices. Previously, the malware WireLurker demonstrated the
ability to infect non-jailbroken iOS devices by abusing enterprise
certificates, and academic researchers have discussed how private APIs
can be used to implement sensitive functionalities in iOS. However,
YiSpecter is the first real world iOS malware that combines these two
attack techniques and causes harm to a wider range of users. It pushes
the boundary of iOS security back another step.

Moreover, recent research shows that over 100 apps in the App Store have
abused private APIs and bypassed Apple’s strict code review. What that
means is the attacking technique of abusing private APIs can also be
used separately and can affect all normal iOS users who only download
apps from the App Store.

Palo Alto Networks has released IPS and DNS signatures to block
YiSpecter’s malicious traffic. This blog also contains suggestions for
how other users can manually remove YiSpecter and avoid potential
similar attacks in the future. Apple has also been notified.
Background

On February 7, 2015, Qihoo 360 and Cheetah Mobile, two security
companies in China, separately posted analysis reports about a Windows
worm named “Lingdun(灵顿)”. The Lingdun worm hijacked victims’ QQ
sessions (QQ is a popular IM program produced by Tencent) and sent
malicious links to their QQ contacts. According to those reports, if a
user clicked the malicious links on an Android or iOS device, an Android
adware or an iOS adware would be installed. Qihoo 360 and Cheetah Mobile
found that the installed apps’ main behavior is to promote other mobile
apps, and classified them as Android and iOS variants of the Lingdun worm.

Figure 1. Accessing Lingdun’s webpage with an iPhone infects the
device with YiSpecter

After further investigation, however, we think their analysis is
incomplete and has led to an incorrect conclusion. The iOS app spread by
Lingdun and the malicious components it installs have different
developers, different Command and Control (C2) servers, different
purposes, and different code signing certificates. Therefore, we don’t
believe them to be variants of the Lingdun worm but instead separate
malware using the Lingdun worm to spread. Additionally, we found these
iOS apps have many more malicious functions than previously disclosed.
Hence we do not refer to this malware family as Lingdun and have given
it the new name YiSpecter.

Qihoo 360 and Cheetah Mobile didn’t share samples of YiSpecter with the
security community nor did they disclose file hash values we could use
to identify their samples. As a result, until now, no other security
vendor has detected YiSpecter as malware.

In the course of our investigation, we found 23 samples of YiSpecter
were submitted to VirusTotal from different countries between November
2014 and August 2015. Except for Qihoo, none of the other 56 antivirus
engines included in VirusTotal detected these files (as shown in Figure
2). Qihoo’s detection result uses the meaningless name “virus.ios.hidden”.
It is also worth noting that all of these samples belong to YiSpecter’s
main apps, and its three additional malicious components were not
uploaded to VirusTotal until we published this report. All of these
samples are listed at the end of this report.


Figure 2. YiSpecter is not detected by nearly all AntiVirus programs
Uncommon Spreading Methods

YiSpecter began to spread in the wild in November 2014, if not earlier.
The main iOS apps of this malware have user interface and functionality
that enable the watching of free porn videos online, and were advertised
as “private version” or “version 5.0” of a famous media player “QVOD”.
QVOD was developed by Kuaibo(快播) and became popular in China among users
who share porn videos. Kuaibo was investigated by a local police
department in April 2014 and at the same time their online video playing
service was terminated. After that event, the attackers behind YiSpecter
began to claim their app as an alternative QVOD to attract users into
installing their software.

So far we have identified four different mechanisms YiSpecter uses to
infect phones.
Internet Traffic Hijacking

In the past 6 years, many Chinese media organizations (including state
television) have reported that local ISPs in some provinces have
carried out DNS hijacking and Internet traffic hijacking. ISPs
hijacked the traffic to display advertisements to their users. For
example, when Internet users use their computers or mobile phones to
browse a website, the ISP injects JavaScript code or HTML content
into the session, which results in advertisements being displayed in the
returned webpage. Last year, we also observed that some ISPs replaced
app download URLs with those of other apps. For example, if a URL ends with
“.apk” (i.e. downloading an Android app), it is redirected to a
different URL, downloading a “promoted” app onto the victim’s Android
phone. YiSpecter, as far as we know, is the first malware that has been
spread through ISPs hijacking Internet traffic.

Many users based in mainland China and Taiwan have discussed their
infections by YiSpecter online (we will introduce these discussions in
next section.) From their discussions and reports, we found that more
than half of the infections came from pop-up dialogs displayed when
browsing famous news websites.

For example, Figure 3 shows a screenshot posted to Apple’s official
support community. It shows that when the author was browsing
ITHome.com, an abnormal pop-up dialog asked him to install a “QVOD
Private Version” player to “watch special movies”.


Figure 3. Ads and pop-up dialog were injected into normal Internet traffic

Based on the user’s discussions, we found the problem only occurred when
they were using WiFi networks in their homes; mobile networks and office
networks didn’t appear to be affected. Some non-jailbroken iPhone users
tried to clear cookies, reset iOS, change their iCloud accounts, and
block pop-ups in Safari, but these operations didn’t resolve the
problem. However, if they used a third party mobile browser with
built-in proxy functionality to access the same webpage, the
advertisements disappeared. One user even called his ISP’s service phone
number to complain and the problem was resolved – these advertisements
never appeared again. Based on this information, we believe that ISP’s
traffic hijacking was used to spread the malware in these cases, and not
a malicious third party.
SNS Worm

According to analysis reports by Qihoo 360 and Cheetah Mobile, YiSpecter
was also spread by the Lingdun worm.

Lingdun uses fake VeriSign and Symantec certificates to bypass malware
detection systems. Its primary goal is to download and to install
additional Windows software onto a PC. Most of this additional software
is benign but at least one installation was malicious. The malware
fetches the current user’s QQ authorization token by accessing Tencent’s
unified login interface, then acquires a key to access all QQ services.
Specifically, it will access the QQ Discussion Group’s file sharing
interface to upload malicious HTML files. These HTML files have names
including pornographic and sexually suggestive words and will be shared
with all other QQ users in the same discussion group.


Figure 4. A malicious webpage uploaded by Lingdun worm

If other QQ users access these malicious HTML files, the webpage will
determine their devices’ type by User-Agent value and distinguish
Windows, Linux, Android, iOS (including iPhone and iPad), and Windows
Phone. If the device is Android, the session will be redirected to
download an Android Adware that prompts the user to install other porn
apps. If the device is an iPhone or iPad, the session will be redirected
to download the YiSpecter malware (Figure 1).

We list hash values of all publicly available samples of the Lingdun
worm at the end of this article.
Offline App Installation

During our investigation, we found that the main YiSpecter apps were
also published on multiple underground app distribution websites (Figure 5).

In an underground or “gray” mobile app ecosystem, mobile app developers
(including malware authors) will post tasks of distributing their apps
to these kinds of websites. Distributors will then accept these tasks,
and install the apps on other users’ phones to earn a promotion fee from
developers. For example, some third-party mobile phone retailers and
maintenance suppliers will install apps on any mobile phone they can
access; and mobile malware developers also install apps to earn income
from devices they have infected.


Figure 5. YiSpecter apps were listed in underground app distribution
websites

From one of these websites (Figure 5), we see that many tasks to
distribute YiSpecter were created in May 2015 and July 2015. The
promotion fee for one installation is between 1.80 and 2.50 RMB (about
US $0.30 to $0.40.) These tasks’ descriptions also showed that the
YiSpecter apps have a backend system to automatically track
installations, thus distributors do not need to provide screenshots to
prove their successful infections.
Community Promotion

We also found that YiSpecter’s author tried to directly promote their
malicious apps on social networks and in public communities. For
example, in a popular Chinese online forum, we found a user posted an
article in January 2015 recommending the YiSpecter apps as a good
replacement for QVOD player. The user’s account name is “HaoYi Apple
Helper(好易苹果助手)”, which is exactly the name of another product
YiSpecter’s author developed. We will describe YiSpecter’s author in
more detail in later sections.


Figure 6. YiSpecter’s author recommends the app in public forum
Attacks and Victims

While analyzing YiSpecter’s code, we searched for keywords related to
its distribution channels and user interface in Google, and found many
victims from mainland China and Taiwan discussing their infections in
online forums and social networks including Zhihu, Douban, Weiphone,
CocoaChina, Baidu Zhidao and Mobile01.

For example, one malicious component in YiSpecter shows an interface
containing the words “Cydia is detecting and protecting” in Chinese
(Figure 25). Google showed about 2,580 results by searching for this
Chinese sentence (Figure 7).


Figure 7. Search for YiSpecter’s user interface keyword

Based on these search results, we found some interesting facts about the
malware:

Whether an iPhone is jailbroken or not, the malware can be
successfully downloaded and installed
Even if you manually delete the malware, it will automatically
re-appear (Figure 8)
Using third-party tools you can find some strange additional
“system apps” on infected phones
On infected phones, in some cases when the user opens a normal app,
a full screen advertisement will show

We explain the details of how this happens in the malicious behaviors
analysis section below.


Figure 8. Taiwanese victim writes that the malware reappeared after
deleting it
YiSpecter Components and C2 Server

YiSpecter consists of four different components: various main apps that
are distributed through the means described earlier, and three different
malicious apps that are installed by these main apps. All samples
analyzed and discussed in previous research are the various main apps,
while the three malicious apps have not been revealed before.
Main Apps

As far as we know, there are at least two main apps distributed in the
wild thus far:

HYQvod (bundle id: weiying.Wvod)
DaPian (bundle id: weiying.DaPian)

Both of them were spread by one or more of the methods described
earlier. They let users watch videos online by spending credits, and
users earn credits by installing additional iOS apps the main app
promotes (Figure 9). Most importantly, the main app downloads and
installs another malicious app we have named NoIcon.


Figure 9. Main app asks users to install other iOS apps to earn credits
NoIcon

NoIcon (bundle id: com.weiying.hiddenIconLaunch) is the main malicious
component of YiSpecter. It takes the following actions on an infected
device:

Connect to the command and control server using HTTP
Upload basic device information
Retrieve and execute remote commands
Change the iOS default Safari configuration
Silently install two additional malicious apps “ADPage” and
“NoIconUpdate”
Monitor other installed applications and hijack their launch
routine to use “ADPage” to display advertisements

Additionally, NoIcon can be remotely controlled to download and install
arbitrary iOS apps from the C2 server or uninstall any existing app on
the iOS system.
ADPage

ADPage (bundle id: com.weiying.ad) is responsible for displaying
advertisements when NoIcon hijacks the execution of legitimate apps.
NoIconUpdate

NoIconUpdate (bundle id: com.weiying.noiconupdate) regularly checks for
the other components’ existence, connects to the C2 server and reports
its installation information. It also checks for updated versions of the
malware and installs them.
C2 Server

YiSpecter uses “bb800.com” as its C2 server’s domain name. In
VirusTotal, there are 38 records of subdomains under this domain name.
Sixteen of them have been used by Android Adware for years, e.g.,
ad.bb800[.]com and down.bb800[.]com. Another subdomain, ty1.bb800[.]com,
was used by a Windows virus Almanahe.B.

YiSpecter uses these subdomains:

iosnoico.bb800[.]com: used to upload information, download configs
and commands, download malicious components (Figure 10)
qvod.bb800[.]com: used to download main app
qvios.od.bb800[.]com: used to download main app
dp.bb800[.]com: used to download promoted iOS apps
iosads.cdn.bb800[.]com: used to download promoted iOS apps and
malicious components

Note that the main C2 subdomain, iosnoico.bb800[.]com, is not observed
in VirusTotal and also has no results in Google searches.
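As an added example that is not part of the original post: the subdomains above can be turned directly into a resolver-log check. The script below was written for this page; the log lines are constructed and the BIND-style query-log format is an assumption (adjust LOG_RE for your resolver). It matches queries against the defanged C2 domain on label boundaries, so a lookalike such as bb800.com.evil.example is not flagged, and ranks hits by whether the host is one the report ties to YiSpecter or merely another bb800.com subdomain used by related adware.

```python
import re
from typing import Iterable, List, Tuple

# C2 domain and the subdomains named in the report, with the [.] defanging removed.
YISPECTER_C2_DOMAIN = "bb800.com"
YISPECTER_C2_HOSTS = {
    "iosnoico.bb800.com",
    "qvod.bb800.com",
    "qvios.od.bb800.com",
    "dp.bb800.com",
    "iosads.cdn.bb800.com",
}

# Constructed sample log lines in a BIND-style query-log layout (assumption:
# your resolver's format will differ; change LOG_RE to match it).
SAMPLE_DNS_LOG = """\
22-Nov-2015 09:15:01.123 client 10.0.0.12#51234: query: www.apple.com IN A +
22-Nov-2015 09:15:02.456 client 10.0.0.12#51235: query: iosnoico.bb800.com IN A +
22-Nov-2015 09:15:03.789 client 10.0.0.7#40001: query: bb800.com.evil.example IN A +
22-Nov-2015 09:15:04.000 client 10.0.0.9#40002: query: mail.bb800.com IN A +
22-Nov-2015 09:15:05.000 client 10.0.0.9#40003: query: qvod.bb800.com IN A +
"""

LOG_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def in_domain(qname: str, domain: str) -> bool:
    """True if qname is the domain itself or a subdomain of it.
    Matching on a label boundary avoids the false positive that a plain
    substring test gives for 'bb800.com.evil.example'."""
    q = qname.rstrip(".").lower()
    d = domain.lower()
    return q == d or q.endswith("." + d)


def match_c2_queries(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (source_ip, qname, severity) for every query under the C2 domain.
    Hosts the report ties to YiSpecter are 'high'; any other bb800.com host
    (the domain also served Android adware and a Windows virus) is 'medium'."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if not in_domain(qname, YISPECTER_C2_DOMAIN):
            continue
        severity = "high" if qname in YISPECTER_C2_HOSTS else "medium"
        hits.append((m.group("src"), qname, severity))
    return hits


if __name__ == "__main__":
    for src, qname, sev in match_c2_queries(SAMPLE_DNS_LOG.splitlines()):
        print(f"{sev:6} {src:12} {qname}")
```

Run it against a real query log with `match_c2_queries(open(path))`; the label-boundary check in `in_domain` is the part worth keeping whatever the log format, since it is the usual source of both false positives and missed subdomains in ad hoc IOC greps.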


Figure 10. C2 server access logs in cache in a victim’s iPhone

In some online articles, YiSpecter’s author posted URLs like
“https://qvod.bb800[.]com/itms-services/jx152” for readers to download
its main apps. When accessing these URLs from an iPhone or iPad, victims
are redirected to URLs like
“itms-services://?action=download-manifest&url=https://qvod.bb800.com/assets/upload/3794.plist”.
Here “itms-services://” is a URL scheme used by iOS for enterprise app
distribution; its “url” parameter points to a PLIST manifest, which in
turn names the IPA package to install (Figure 11). Through crawling these
URLs, we found at least 102 versions of the main apps, developed between
Nov 2014 and Sep 2015.


Figure 11. PLIST file hosted by C2 server for YiSpecter’s installation
Malicious Behavior Analysis

In this section, we’re going to describe the malicious behaviors seen in
each component of YiSpecter. The samples we analyzed are listed in the
Appendix and will be shared with security community for research and
detection.
Abusing Enterprise Certificates

YiSpecter’s malicious apps were signed with three iOS enterprise
certificates issued by Apple so that they can be installed as enterprise
apps on non-jailbroken iOS devices via in-house distribution. The “main”
apps used a certificate for “Changzhou Wangyi Information Technology
Co., Ltd.” and then later used a certificate from “Baiwochuangxiang
Technology Co., Ltd.” The three malicious components all used the same
certificate belonging to “Beijing Yingmob Interaction Technology co,
.ltd” (Figure 12).


Figure 12. NoIcon used enterprise certificate for YingMob Interaction

Through this kind of distribution, an iOS app can bypass Apple’s strict
code review procedures and can invoke iOS private APIs to perform
sensitive operations. There is one disadvantage to using this method for
installation compared to the official App Store: when these apps are
executed for the first time iOS displays a dialog to notify the user
that the apps are from a specific developer (Figure 13). However, many
iOS users may simply click “Continue” without being aware of the security
implications of their choice.

Note that, in Apple’s just-released iOS 9, enterprise certificate
security has been improved. Users now must manually set a related
provisioning profile as “trusted” in Settings before they can install
Enterprise provisioned apps.


Figure 13. iOS displays a dialog the first time a user opens an
enterprise-signed app

The enterprise distribution program was designed for companies and
organizations to distribute private iOS apps internally. WireLurker and
YiSpecter’s usages obviously violate the license and the spirit of this
program.
Installing Malicious Apps

Each time a user opens the main app of YiSpecter, it invokes the
[HYOwner checkI0S8_3AndJaikbreakOrNot] function. This function checks
whether the current iOS version is older than 8.3 and then determines
whether NoIcon is already installed. After that it checks whether the
device is jailbroken by attempting to open a “cydia://” URL.

If the infected device has an iOS version less than 8.3, and NoIcon
hasn’t been installed yet, whether the device is jailbroken or not,
YiSpecter will invoke the function [HYAppDelegate requestNoicon:] to
download the NoIcon IPA installer and PLIST manifest files (Figure 14).


Figure 14. Main app downloads NoIcon on both jailbroken and
non-jailbroken devices

The main app installs NoIcon in a unique way. It opens an HTTP server
listening on port 8080 via [HYAppDelegate createLocalHTTPServer] (Figure
15). After downloading NoIcon’s IPA and PLIST files, it uses the files’
local paths to construct a local HTTP URL and displays an alert dialog
with meaningless title and button text to the user (Figure 16). If the
user taps the button in the dialog, the local HTTP server serves the
manifest and NoIcon is installed through the itms-services protocol.
With this mechanism YiSpecter uses the infected iOS device itself as an
enterprise app distribution server.
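The installation chain described here and in the C2 section (an itms-services:// link whose url parameter names a manifest PLIST, which in turn names the IPA) can be triaged offline before anything is tapped. The Python below is an added example written for this page, not code from the original post or from the malware. The loopback manifest and package URLs, the port 8080 and the manifest contents are constructed to mirror the description of the main app serving NoIcon from its own HTTP server. It pulls the manifest URL out of the link, reads the manifest with plistlib, and flags a package served from the device itself, a manifest not fetched over HTTPS (which iOS 7.1 and later refuse for over-the-air installs) and a manifest claiming an Apple bundle identifier.

```python
import plistlib
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def manifest_url_from_itms(link: str) -> str:
    """Extract the manifest URL an itms-services:// link tells iOS to fetch."""
    u = urlparse(link)
    if u.scheme != "itms-services":
        raise ValueError("not an itms-services link")
    qs = parse_qs(u.query)
    if qs.get("action") != ["download-manifest"] or "url" not in qs:
        raise ValueError("link carries no download-manifest url")
    return qs["url"][0]


def parse_manifest(plist_bytes: bytes) -> List[Dict[str, Optional[str]]]:
    """One record per item in an enterprise-distribution manifest plist:
    bundle id, version, display title and the software-package URL."""
    data = plistlib.loads(plist_bytes)
    records = []
    for item in data.get("items", []):
        meta = item.get("metadata", {})
        package = next(
            (a.get("url") for a in item.get("assets", [])
             if a.get("kind") == "software-package"),
            None,
        )
        records.append({
            "bundle_id": meta.get("bundle-identifier"),
            "version": meta.get("bundle-version"),
            "title": meta.get("title"),
            "package_url": package,
        })
    return records


def triage_itms_link(link: str, manifest_bytes: bytes) -> Dict[str, object]:
    """Parse the link and its manifest; return the items plus red flags."""
    manifest_url = manifest_url_from_itms(link)
    items = parse_manifest(manifest_bytes)
    flags: List[str] = []
    if urlparse(manifest_url).scheme != "https":
        # iOS 7.1+ requires the manifest over HTTPS; an http:// manifest only
        # works on older devices, which matches the iOS < 8.3 gate in the main app.
        flags.append(f"manifest not served over https: {manifest_url}")
    for rec in items:
        pkg = urlparse(rec["package_url"] or "")
        if pkg.hostname in LOOPBACK_HOSTS:
            flags.append(
                f"{rec['bundle_id']}: package served from the device itself "
                f"({pkg.hostname}:{pkg.port})"
            )
        if (rec["bundle_id"] or "").startswith("com.apple."):
            flags.append(f"{rec['bundle_id']}: enterprise manifest claims an Apple bundle id")
    return {"manifest_url": manifest_url, "items": items, "flags": flags}


# Constructed sample modelled on the article's description of the main app
# serving NoIcon from a local HTTP server on port 8080 (paths are assumed).
LOCAL_LINK = "itms-services://?action=download-manifest&url=http://127.0.0.1:8080/noicon.plist"
CONSTRUCTED_MANIFEST = plistlib.dumps({
    "items": [{
        "assets": [{"kind": "software-package", "url": "http://127.0.0.1:8080/noicon.ipa"}],
        "metadata": {
            "bundle-identifier": "com.weiying.hiddenIconLaunch",
            "bundle-version": "1.0",
            "kind": "software",
            "title": "Passbook",
        },
    }]
})

if __name__ == "__main__":
    report = triage_itms_link(LOCAL_LINK, CONSTRUCTED_MANIFEST)
    print("manifest:", report["manifest_url"])
    for rec in report["items"]:
        print("item:", rec)
    for flag in report["flags"]:
        print("FLAG:", flag)
```

On a real case the manifest comes from the Safari cache or from a proxy capture of the tap; feed those bytes to `triage_itms_link` unchanged, since plistlib reads both XML and binary plists.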


Figure 15. Main app launched a local HTTP server

Figure 16. Main app constructs the NoIcon installation URL and prompts an
alert dialog

After NoIcon is installed, it installs two more malicious apps: ADPage
and NoIconUpdate. After downloading ADPage’s and NoIconUpdate’s IPA
installer files, NoIcon does not use an HTTP server like the main app,
but uses iOS private APIs defined in the private framework
MobileInstallation to install them (Figure 17). More specifically,
NoIcon invokes the MobileInstallationInstall method implemented in that
framework to install a local IPA file. It also claims the necessary
private entitlement key “com.apple.private.mobileinstall.allowedSPI”,
which should only be held by system apps in iOS (Figure 18). Again,
through enterprise distribution, YiSpecter bypassed the App Store’s code
review process, which would normally prevent an app from using these
private APIs.

Note that NoIcon, ADPage, and NoIconUpdate are signed with the same
enterprise certificate. Since the user has already accepted the
provisioning profile when installing NoIcon, ADPage and NoIconUpdate can
be installed this way without any user notification.


Figure 17. NoIcon downloads ADPage’s IPA file and installs it


Figure 18. NoIcon has private entitlement for app installation
Uninstalling Existing Apps

NoIcon has another functionality called “fakeApps”. If it receives this
command from the C2 server, it will uninstall the iOS app specified in
the commands from current device (Figure 19). Then, it will install
another downloaded app as a fake version to trick the user. This
uninstallation operation is also implemented using a private API — the
MobileInstallationUninstall defined in the MobileInstallation framework.

Figure 19. NoIcon uninstalls the app specified in the fakeApps command
Self Monitoring and Updating

The NoIconUpdate will regularly check whether all these malicious
components are installed, then connect with YiSpecter’s C2 server to
check for updates. This is why some victims deleted the main app and
NoIcon but the malware still remained on the phone.


Figure 20. NoIconUpdate checks installed components’ version

Additionally, NoIconUpdate will regularly check whether NoIcon is
running. If not, it will launch NoIcon immediately.


Figure 21. NoIconUpdate checks running status and launches NoIcon
Hiding Icon in SpringBoard

NoIcon, ADPage and NoIconUpdate use a trick to hide their icons from
SpringBoard (the desktop in iOS.) In their Info.plist file, the
“SBAppTags” key contains a value of “hidden” (Figure 22). Any app with
this characteristic will not be shown in SpringBoard, hence the user
won’t see its icon and its name. This mechanism is used by some
preinstalled apps for testing and diagnostics on the iOS system. In
February 2015, an iOS Spyware XAgent (aka PawnStorm) also used this trick.


Figure 22. Part of NoIcon’s Info.plist file

This icon hiding behavior is critical to YiSpecter’s success. Without
being able to see the icon, users not only can’t discover these
malicious apps, but also have no way to uninstall them (because
uninstalling an iOS app requires the user to long-press the app’s icon
in SpringBoard). This behavior is likely why YiSpecter’s author named the
component “NoIcon.”
Pretending to be System Apps

Even though icons are hidden from the SpringBoard, YiSpecter’s author
still has considered power users who may use third-party tools to manage
iPhones or iPads. The author used special display app names and logos
for these three apps to make them look like iOS system apps. The table
below shows the display name and icon of three samples we analyzed. As
far as we know, YiSpecter has pretended to be the Phone, Weather, Game
Center, Passbook, Notes and Cydia apps. While this is a simple trick, it
may be effective at fooling some users.
Component      Bundle ID                      Displayed App Name   Faked App Logo
NoIcon         com.weiying.hiddenIconLaunch   Passbook             (image not reproduced)
ADPage         com.weiying.ad                 Cydia                (image not reproduced)
NoIconUpdate   com.weiying.noiconupdate       Game Center          (image not reproduced)
Hijacking Other Apps Execution to Show Ads

NoIcon will also regularly check which iOS app the user has open. This
is implemented by using the private API function
SBSCopyFrontmostApplicationDisplayIdentifier defined in the
SpringBoardServices framework. NoIcon receives a whitelist of apps from
C2 server and checks if the currently running app is on this list, which
contains YiSpecter’s components and apps built by Apple. If the app
isn’t in the list, NoIcon will launch the ADPage app by executing
another private API function: SBSLaunchApplicationWithIdentifier.
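The indicators described in this and the preceding sections (SBAppTags set to “hidden” in Info.plist, a display name borrowed from a system app under a non-Apple bundle identifier, and references to private APIs such as MobileInstallationInstall and SBSLaunchApplicationWithIdentifier or to the com.apple.private.mobileinstall.allowedSPI entitlement) can all be checked on an IPA before it is installed. The Python below is an added example written for this page, not the malware’s code or a Unit 42 tool. The IPA it scans is constructed in memory with a fake executable that merely contains the relevant strings, and the binary check is a substring scan of the executable rather than a Mach-O symbol-table parse, so its hits are leads to confirm with a proper symbol and entitlement dump.

```python
import io
import plistlib
import re
import zipfile
from typing import Dict, List

# Private APIs and the private entitlement named in the article. An app that
# references these could not have passed App Store review, so any hit in an
# enterprise-signed IPA deserves a close look.
PRIVATE_API_SYMBOLS = [
    "MobileInstallationInstall",
    "MobileInstallationUninstall",
    "MobileInstallationLookup",
    "SBSCopyFrontmostApplicationDisplayIdentifier",
    "SBSLaunchApplicationWithIdentifier",
]
PRIVATE_ENTITLEMENTS = ["com.apple.private.mobileinstall.allowedSPI"]
# Display names the article says YiSpecter's components borrowed.
IMPERSONATED_NAMES = {"Phone", "Weather", "Game Center", "Passbook", "Notes", "Cydia"}

APP_INFO_RE = re.compile(r"Payload/[^/]+\.app/Info\.plist")


def scan_ipa(ipa_bytes: bytes) -> Dict[str, object]:
    """Triage an IPA for the hidden-icon tag, system-app impersonation and
    private-API / private-entitlement strings in the main executable."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        info_name = next((n for n in names if APP_INFO_RE.fullmatch(n)), None)
        if info_name is None:
            raise ValueError("no Payload/*.app/Info.plist in archive")
        info = plistlib.loads(z.read(info_name))
        bundle_id = str(info.get("CFBundleIdentifier", ""))
        display = str(info.get("CFBundleDisplayName") or info.get("CFBundleName", ""))

        tags = info.get("SBAppTags", [])
        if isinstance(tags, str):
            tags = [tags]
        if "hidden" in tags:
            findings.append("SBAppTags contains 'hidden': icon suppressed on SpringBoard")

        if display in IMPERSONATED_NAMES and not bundle_id.startswith("com.apple."):
            findings.append(
                f"display name '{display}' mimics a system app but bundle id is {bundle_id}"
            )

        exe = info.get("CFBundleExecutable")
        exe_path = f"{info_name.rsplit('/', 1)[0]}/{exe}" if exe else None
        if exe_path in names:
            # Plain substring scan: entitlements are embedded as XML in the
            # code-signature blob and imported symbol names appear verbatim,
            # so this catches the common case without parsing Mach-O.
            blob = z.read(exe_path)
            for sym in PRIVATE_API_SYMBOLS:
                if sym.encode() in blob:
                    findings.append(f"binary references private API {sym}")
            for ent in PRIVATE_ENTITLEMENTS:
                if ent.encode() in blob:
                    findings.append(f"binary carries private entitlement {ent}")
    return {"bundle_id": bundle_id, "display_name": display, "findings": findings}


def build_constructed_ipa() -> bytes:
    """Constructed stand-in for NoIcon (not a real sample): an Info.plist with
    the fields the article describes and a fake executable that only contains
    the symbol and entitlement strings."""
    info = {
        "CFBundleIdentifier": "com.weiying.hiddenIconLaunch",
        "CFBundleDisplayName": "Passbook",
        "CFBundleExecutable": "NoIcon",
        "SBAppTags": ["hidden"],
    }
    fake_binary = (
        b"\xcf\xfa\xed\xfe" + b"\x00" * 28  # 64-bit Mach-O magic, padded
        + b"_MobileInstallationInstall\x00"
        + b"_SBSLaunchApplicationWithIdentifier\x00"
        + b"<key>com.apple.private.mobileinstall.allowedSPI</key><true/>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/NoIcon.app/Info.plist", plistlib.dumps(info))
        z.writestr("Payload/NoIcon.app/NoIcon", fake_binary)
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_ipa(build_constructed_ipa())
    print(report["bundle_id"], "displayed as", repr(report["display_name"]))
    for finding in report["findings"]:
        print(" -", finding)
```

For a real IPA, `scan_ipa(open(path, "rb").read())` is enough; a FAT binary or one with encrypted segments (App Store builds) will defeat the string scan, which is one reason to confirm hits with a symbol listing rather than rely on this alone.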


Figure 23. NoIcon compares current running app with whitelist

Figure 24. NoIcon launches ADPage to cover other apps’ user interface

The launched ADPage will show a full screen with words “Cydia is
detecting and protecting” in Chinese (Figure 25), then display some
advertisements provided by third-party mobile ads platforms. Through
this mechanism NoIcon and ADPage successfully hijacked other iOS apps’
execution and show its advertisements to victims. This is the most
significant behavior reported by victims, as it is disruptive to their
regular use of iOS devices.


Figure 25. ADPage’s full screen before displaying advertisement
Changing Safari Configurations

Another feature of NoIcon allows it to change Safari browser’s
configurations on jailbroken devices by directly writing to local
configuration and database files.

If NoIcon receives a specific command from the C2 server, it will
enumerate all subdirectories in the “/var/mobile/Applications” directory
to find a “Preferences/com.apple.mobilesafari.plist” file. Thus, it can
identify the Safari app’s home directory. It then modifies this plist
file to change Safari’s default search engine to a specified one between
Google, Bing, Yahoo and Baidu (Figure 26). However, in a nearby piece of
code, we found that Baidu was specifically hard coded as target search
engine in some situations (Figure 27).

Figure 26. NoIcon locates Safari’s config file and changes the default
search engine

Figure 27. NoIcon hard-coded to change the default search engine to Baidu

Additionally, NoIcon changes Safari’s bookmarks database to update all
existing bookmark URLs to a URL specified by the C2 server. It also
writes Safari’s SuspendStates.plist file to change the URLs of all
recently opened webpages to the specified URL.

Note that all these behaviors also occurred according to victims’
reports posted in online forums.
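A responder with a file system image of a jailbroken device can test for the three Safari changes described above. The Python below is an added example, not part of the original post. The preference key name, the minimal bookmarks table and the suspended-tab plist layout are assumptions standing in for Safari’s real files, and every input is constructed. The heuristic is the one NoIcon’s behaviour suggests: every bookmark, or every suspended tab, pointing at one and the same URL, plus a search provider outside the fleet baseline. Because the tab check walks the plist generically for http(s) strings, it does not depend on the exact layout of the suspend-state file.

```python
import plistlib
import sqlite3
from collections import Counter
from typing import Any, Iterator, List, Optional, Tuple

# Search providers considered normal for the fleet being checked. The
# identifier strings are an assumption modelled on Safari's preference values.
EXPECTED_SEARCH_PROVIDERS = {"com.google.www", "com.bing.www", "com.yahoo.www"}


def iter_urls(obj: Any) -> Iterator[str]:
    """Yield every http(s) string nested anywhere in a decoded plist."""
    if isinstance(obj, str):
        if obj.startswith(("http://", "https://")):
            yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from iter_urls(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from iter_urls(v)


def dominant_url(urls: List[str], min_count: int = 3) -> Optional[str]:
    """Return the URL if every one of at least min_count entries is identical:
    the signature of NoIcon rewriting all bookmarks or tabs to one target."""
    if len(urls) < min_count:
        return None
    url, n = Counter(urls).most_common(1)[0]
    return url if n == len(urls) else None


def check_safari_state(prefs_bytes: bytes, bookmarks: sqlite3.Connection,
                       suspend_bytes: bytes) -> List[str]:
    """Return a finding per tampering indicator present in the three inputs."""
    findings: List[str] = []
    provider = plistlib.loads(prefs_bytes).get("SearchProviderIdentifier")
    if provider and provider not in EXPECTED_SEARCH_PROVIDERS:
        findings.append(f"search provider changed to {provider}")
    rows = [r[0] for r in bookmarks.execute(
        "SELECT url FROM bookmarks WHERE url IS NOT NULL")]
    hit = dominant_url(rows)
    if hit:
        findings.append(f"all {len(rows)} bookmarks point at {hit}")
    tabs = list(iter_urls(plistlib.loads(suspend_bytes)))
    hit = dominant_url(tabs)
    if hit:
        findings.append(f"all {len(tabs)} suspended tabs point at {hit}")
    return findings


def _state(provider: str, bookmark_urls: List[str],
           tab_urls: List[str]) -> Tuple[bytes, sqlite3.Connection, bytes]:
    """Build constructed inputs. The bookmarks table is a minimal stand-in for
    Safari's Bookmarks.db and the tab plist layout is invented for the example."""
    prefs = plistlib.dumps({"SearchProviderIdentifier": provider})
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bookmarks (id INTEGER PRIMARY KEY, title TEXT, url TEXT)")
    db.executemany("INSERT INTO bookmarks (title, url) VALUES (?, ?)",
                   [(f"bookmark {i}", u) for i, u in enumerate(bookmark_urls)])
    suspend = plistlib.dumps({"Documents": [{"URL": u, "Title": "tab"} for u in tab_urls]})
    return prefs, db, suspend


def constructed_infected_state():
    target = "http://c2.example.invalid/promo"  # constructed, not the real C2 URL
    return _state("com.baidu", [target] * 3, [target] * 3)


def constructed_clean_state():
    return _state("com.google.www",
                  ["https://www.apple.com/", "https://news.example/", "https://bank.example/"],
                  ["https://www.apple.com/", "https://news.example/"])


if __name__ == "__main__":
    for label, state in (("infected", constructed_infected_state()),
                         ("clean", constructed_clean_state())):
        print(label, check_safari_state(*state) or ["no findings"])
```

On a real image, point `sqlite3.connect` at a copy of the Safari Bookmarks.db and read the preference and suspend-state plists as bytes; the `min_count` floor keeps a device with one or two bookmarks from tripping the all-identical test.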


Figure 28. Change URLs in all existing bookmarks


Figure 29. Change URLs in latest opened pages
Collecting and Uploading Device Information

All of the malicious YiSpecter apps collect some device information and
upload it to the C2 server, including:

A list of installed iOS apps, by invoking the private API
MobileInstallationLookup;
A list of running processes, by invoking sysctl;
The device UUID;
The device MAC address, by invoking sysctl.

Who’s Behind YiSpecter?

There is a lot of evidence suggesting that YiSpecter was developed by a
company named “YingMob Interaction (微赢互动)”. For example, three of the
four components are signed by YingMob Interaction’s enterprise
certificate. In NoIconUpdate’s code, we even found a README.md that
names the company in the app’s release notes. YiSpecter’s C2 server has
also hosted websites belonging to YingMob: if we directly visit the
subdomain used for YiSpecter’s downloads, qvod.bb800[.]com, we find a
“WAP iOS Traffic Platform Backend Management System” carrying YingMob
Interaction’s copyright information.

Figure 30. README.md in the NoIconUpdate

Figure 31. YiSpecter’s C2 server page has YingMob Interaction’s
copyright info

Figure 32. YingMob Interaction official website

YingMob Interaction’s official website shows that it is a Chinese mobile
advertising platform. In addition to YiSpecter, we found that the company
also developed an iOS “helper” tool named “HaoYi Apple Helper (好易苹果助
手)”, later renamed “Fengniao Helper (蜂鸟助手)”. The tool’s website is
http://zs.haoyi.com/, and another subdomain of YiSpecter’s C2 domain,
http://zs.od.bb800.com, redirects to zs.haoyi.com. The helper tool claims
it can install all paid App Store iOS apps without jailbreaking, and that
it gives users Apple IDs as gifts so they do not need to register with
Apple. These functionalities are similar to what the iOS Trojan KeyRaider
did earlier this year. Based on victims’ discussions, we found that
YiSpecter frequently asks users to install this helper tool.

Figure 33. Fengniao Helper developed by YingMob Interaction

Relationship between YiSpecter and XcodeGhost

In September 2015, we first investigated an OS X and iOS malware named
XcodeGhost. By infecting Xcode, this compiler malware was compiled into
thousands of iOS apps in the App Store and affected hundreds of millions
of users.

While YiSpecter and XcodeGhost both attacked non-jailbroken iOS devices,
they are not related to each other. We believe that YiSpecter and
XcodeGhost were developed by different attackers and there is no
evidence of cooperation between the two developers so far.

However, from a technical perspective, it is still interesting to discuss
potential connections between them.

First, we explained that XcodeGhost could be remotely controlled by
attackers to open arbitrary URLs, including a URL that asks the user to
install any app signed with an enterprise certificate. Hence, XcodeGhost
could be another way to distribute malware like YiSpecter. In fact,
legitimate iOS apps in the App Store, not only XcodeGhost, can do this as
well.

Second, we explained that XcodeGhost collects system and app information
and uploads it to its C2 server. People may wonder what the malware
collects this data for. YiSpecter exhibits the same behavior, but it
also silently installs additional apps, which XcodeGhost does not.

In the underground ecosystem, when someone distributes apps for a fee
they typically need some evidence to prove they were successful. For
example, after YiSpecter silently installs other apps or games, the
attacker could provide the related device and app information to paying
developers in order to collect his or her fee. Given that XcodeGhost did
not install other apps but uploaded that information by default, we
suspect that XcodeGhost may have been scamming other underground
distributors by collecting the evidence of installation without actually
performing it.

Security Risks and Related Threats

The world where only jailbroken iOS devices were threatened by malware
is a thing of the past. WireLurker proved that non-jailbroken iOS
devices can also be infected through abuse of the enterprise
distribution mechanism. YiSpecter further shows us that this technique
is being used to infect many iOS devices in the wild.

The key techniques deployed in YiSpecter are bypassing App Store review
through enterprise distribution and abusing iOS private APIs to perform
sensitive operations. This method has been discussed in several top
academic conference papers in recent years (e.g., Tielei Wang et al. at
USENIX Security 2013, Min Zheng et al. at AsiaCCS 2015, and Zhui Deng et
al. at CCS 2015). However, YiSpecter is the first iOS malware in the wild
to adopt this technique to launch wide-ranging attacks. This attack
vector breaks Apple’s security mechanisms and is likely to be abused in
future attacks.

For years Apple has searched for private APIs used in apps submitted to
the App Store and rejected the apps found using them. However, besides
enterprise distribution, there are still other ways to bypass this
security check.

In the Objective-C language, invoking a method on an Objective-C object
is not implemented through a virtual table as in C++. Objective-C uses a
central message-forwarding mechanism to dispatch method calls, in which
the class name and method name are passed as strings. Hence, a malware
author can directly invoke message-forwarding functions such as
objc_msgSend with obfuscated or encrypted class name and method name
strings to use private APIs. Apple’s code review is not strong enough to
catch this, so apps using private APIs in this way bypass the review and
reach the App Store.
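A static triage heuristic for this bypass, as an added example that is not Apple’s review tooling and not the iRiS analysis discussed below: it extracts printable strings from a constructed binary blob and reports private API names found in the clear, dynamic-dispatch symbols, and Base64 strings that decode to a private API name, the case a plain string match misses. The private API set is a placeholder seeded with MobileInstallationLookup, the one private API this report names; the dynamic-dispatch symbol list and the three sample blobs are constructed for the example.

```python
"""Static triage for private API use that hides behind string-based
dispatch.  Added example, not Apple's review tooling or iRiS.  PRIVATE_APIS
is a placeholder seeded with the one private API the report names; the
sample blobs stand in for three apps' string tables and are constructed."""
import base64
import binascii
import math
import re
from collections import Counter
from typing import Dict, List, Optional

# Placeholder denylist; a real vetting tool loads the full private symbol set.
PRIVATE_APIS = {"MobileInstallationLookup"}
# Symbols that resolve a class or selector from a string at run time.
DYNAMIC_DISPATCH = {"objc_msgSend", "NSSelectorFromString", "NSClassFromString", "dlsym"}
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def printable_strings(blob: bytes) -> List[str]:
    """Every run of 6+ printable ASCII bytes, i.e. what `strings` would report."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted strings score higher than identifiers."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def decode_base64(s: str) -> Optional[str]:
    """Strictly decode s as Base64 to ASCII text, or return None."""
    try:
        return base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def triage(blob: bytes) -> Dict[str, List[str]]:
    """Classify each string: clear private API, decoded private API,
    dynamic-dispatch symbol, or opaque (long, high-entropy) string."""
    report: Dict[str, List[str]] = {
        "private_api": [], "decoded_private_api": [], "dynamic_dispatch": [], "opaque": []}
    for s in printable_strings(blob):
        if s in PRIVATE_APIS:
            report["private_api"].append(s)
        if s in DYNAMIC_DISPATCH:
            report["dynamic_dispatch"].append(s)
        decoded = decode_base64(s)
        if decoded in PRIVATE_APIS:
            report["decoded_private_api"].append(f"{s} -> {decoded}")
        elif len(s) >= 16 and shannon_entropy(s) > 4.0:
            report["opaque"].append(s)
    return report


def verdict(report: Dict[str, List[str]]) -> str:
    """Clear or decoded private API use is a rejection; dynamic dispatch over
    opaque strings cannot be cleared by string matching and needs a human."""
    if report["private_api"] or report["decoded_private_api"]:
        return "reject"
    if report["dynamic_dispatch"] and report["opaque"]:
        return "manual review"
    return "pass"


def build_samples() -> Dict[str, bytes]:
    """Constructed NUL-separated string tables for three hypothetical apps."""
    encoded = base64.b64encode(b"MobileInstallationLookup")
    return {
        "plain": b"\x00__TEXT\x00MobileInstallationLookup\x00UIApplication\x00",
        "evasive": b"\x00__TEXT\x00objc_msgSend\x00NSSelectorFromString\x00" + encoded + b"\x00",
        "clean": b"\x00__TEXT\x00UIApplication\x00viewDidLoad\x00",
    }


def triage_all() -> Dict[str, str]:
    """Verdict per constructed sample."""
    return {name: verdict(triage(blob)) for name, blob in build_samples().items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{name}: {result}")
```

The point of the three samples is the gap between them: the "plain" app is caught by the same string match Apple is described as running, while the "evasive" one carries no private API name at all and is only caught because the checker also tries decoding what it sees; strings encrypted with a key the app derives at run time would defeat this checker too, which is why the dynamic-dispatch plus opaque-string combination is routed to manual review rather than passed.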

In fact, in the paper “iRiS: Vetting Private API Abuse in iOS
Applications”, to appear at the upcoming ACM Conference on Computer and
Communications Security (CCS 2015), researchers Zhui Deng et al. from
Purdue University discovered 146 iOS apps in the App Store that abused
150 different private APIs, including 25 APIs that are security
critical. These made up about 7 percent of all apps they analyzed. Note
that they even found a third-party advertisement library that abused
private APIs to collect private user information.

This observation is significant because, as a community, many of us have
considered Apple’s code review for private APIs good enough, and assumed
that abusing private APIs can only succeed when combined with enterprise
distribution (as in the case of YiSpecter). Through this research, we
now know that abusing private APIs in the iOS system can be an
independent attack technique that could affect all iOS users.

Prevention and Removal of YiSpecter

Palo Alto Networks has released IPS signatures (14861,14862,14863) via
our Threat Prevention product to detect and block all malicious C2
traffic related to YiSpecter. We have also released signatures to detect
the queries for the C2 domains used by the malware.

We have also reported the YiSpecter threat to Apple so that they can
revoke the abused enterprise certificates. (As noted above, the new iOS 9
requires users to manually mark the related provisioning profile as
trusted in Settings before they can install enterprise-provisioned apps.
This new feature also helps prevent some security incidents caused by
abused enterprise certificates.)

For iOS users that are potentially infected by YiSpecter, we suggest
removing it with the following steps:

1. In iOS, go to Settings -> General -> Profiles and remove all unknown
or untrusted profiles;
2. If there are any installed apps named “情涩播放器”, “快播私密版” or
“快播0”, delete them;
3. Use any third-party iOS management tool (e.g., iFunBox; note that
Apple’s iTunes doesn’t work for this step) on Windows or Mac OS X to
connect to your iPhone or iPad;
4. In the management tool, check all installed iOS apps; if any apps
have names like Phone, Weather, Game Center, Passbook, Notes or Cydia,
delete them. (This step won’t affect the original system apps; it only
deletes the fake malware copies.)
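The last step is the one that needs judgment, so here is a triage routine for an installed-app listing, as an added example that is neither Unit 42’s code nor any management tool’s: it flags the app names this report lists for YiSpecter, and apps that borrow a system app’s name while living under /var/mobile/Applications (the user-app directory the report names earlier) or carrying a non-Apple bundle identifier. The listing itself, the com.example.* identifiers and the container paths are constructed; Cydia is exempted from the bundle-identifier rule because the real Cydia is not an Apple app, so only its location is checked.

```python
"""Triage an installed-app listing for the decoys named in the removal
steps above.  Added example, not Unit 42's or any management tool's code.
Assumptions: Apple's own apps use com.apple.* bundle identifiers and
user-installed apps live under /var/mobile/Applications (the directory the
report names); the listing and the com.example.* identifiers are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Display names the report says the fake apps borrow from real apps.
IMPERSONATED_NAMES = {"Phone", "Weather", "Game Center", "Passbook", "Notes", "Cydia"}
# App names the report lists as YiSpecter's own installers.
YISPECTER_NAMES = {"情涩播放器", "快播私密版", "快播0"}
USER_APP_ROOT = "/var/mobile/Applications/"


@dataclass
class InstalledApp:
    display_name: str
    bundle_id: str
    container: str  # path of the .app bundle as the management tool lists it


def classify(app: InstalledApp) -> Optional[str]:
    """Return a reason to delete the app, or None if nothing stands out."""
    if app.display_name in YISPECTER_NAMES:
        return "known YiSpecter app name"
    if app.display_name in IMPERSONATED_NAMES:
        # A system app never lives in the per-app user container directory.
        if app.container.startswith(USER_APP_ROOT):
            return "system-app name but installed as a user app"
        # Cydia is legitimately non-Apple, so the identifier rule skips it.
        if app.display_name != "Cydia" and not app.bundle_id.startswith("com.apple."):
            return "system-app name with a non-Apple bundle identifier"
    return None


def triage(apps: List[InstalledApp]) -> List[Tuple[str, str, str]]:
    """(display name, bundle id, reason) for each app that should be deleted."""
    hits = []
    for app in apps:
        reason = classify(app)
        if reason:
            hits.append((app.display_name, app.bundle_id, reason))
    return hits


def sample_listing() -> List[InstalledApp]:
    """Constructed listing; com.example.* ids and *-EXAMPLE paths are placeholders."""
    return [
        InstalledApp("Phone", "com.apple.mobilephone", "/Applications/MobilePhone.app"),
        InstalledApp("Cydia", "com.saurik.Cydia", "/Applications/Cydia.app"),
        InstalledApp("Notes", "com.example.decoy1", USER_APP_ROOT + "1A2B-EXAMPLE/Notes.app"),
        InstalledApp("快播私密版", "com.example.player", USER_APP_ROOT + "3C4D-EXAMPLE/Player.app"),
        InstalledApp("Weather", "com.example.decoy2", "/Applications/Weather.app"),
        InstalledApp("Camera Plus", "com.example.legit", USER_APP_ROOT + "5E6F-EXAMPLE/CameraPlus.app"),
    ]


if __name__ == "__main__":
    for name, bundle_id, reason in triage(sample_listing()):
        print(f"DELETE {name} ({bundle_id}): {reason}")
```

Feed it whatever listing the management tool exports (name, bundle identifier, path) and review the hits rather than deleting blindly; the identifier and location rules are what keep the genuine Phone, Weather and Notes apps off the list.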

Our primary security suggestion for avoiding this kind of iOS malware
was, is and remains this: never download iOS apps from untrusted
sources, and never trust unknown developers. Always download iOS apps
from the official App Store for personal use, or install your company or
organization’s internal apps under your IT department’s guidance. Bear
in mind that even apps from the App Store can abuse private APIs for
harmful operations, so these security habits won’t prevent all similar
attacks, but they should prevent most of them. We have also made
suggestions to Apple for improving their code review procedures and
urged them to improve iOS security mechanisms to defeat these potential
security problems.

Appendix

Samples of YiSpecter

57cc101ee4a9f306236d1d4fb5ccb3bb96fa76210142a5ec483a49321d2bd603 ADPage

4938b9861b7c55fbbe47d2ba04e9aff2da186e282f1e9ff0a15bbb22a5f6e0e7 ADPage.ipa

fc55c5ced1027b48885780c87980a286181d3639dfc97d03ebe04ec012a1b677 DaPian

5259854994945a165996d994e6484c1afc1c7e628cb5df2dc3750f4f9f92202e DaPian.ipa

7714dbb85c5ebcd85cd1d93299479cff2cc82ad0ed11803c24c44106530d2e2f HYQvod

ddd16577b458a5ec21ea0f57084033435a46f61dc5482f224c1fe54f47d295bc HYQvod.ipa

8fa135fc74583e05be208752e8ce191060b1617447815a007efac78662b425d0
HYQvod_3.3.3

526e1dc893629c00c017fbe62b53392cb26bc6b15947e7b8b7df10a62f40cbad
HYQvod_3.3.3.ipa

41176825ba0627f61981280b27689a0c5cc6bfb310a408fa623515e6239b8647 NoIcon

98e9e65d6e674620eccaf3d024af1e7b736cc889e94a698685623d146d4fb15f NoIcon.ipa

e7f071929a4304447cf638057d9499df9970b2a3d53d328a609f191a4bc29ffd
NoIconUpdate

8873908061f9c8d563de26fe6fa671080a90a2d60f795cc0664ef686e1162955
NoIconUpdate.ipa

Samples in VirusTotal

SHA-256 / Filename / Submission date / Detections (each row wraps after the hash)
382b88b654d7c5149ce8e9813accb86fd58eb1c01d66f730774f27a14d6af06c
HYQvod 11/18/14 1/55
0a106551b950d312c3847889cb233cbdaaebbc55fc2d7b6deb37f493079aa419
qj238_HYQvod_18.ipa 11/18/14 1/52
95c2b1fd5a9e0141e6c597771e832e6c6743713888bfad3d172c0180d650795b
qj238_HYQvod_14.ipa 1/26/15 1/56
487a442fa69be5fe701662976a2f9d16f7f1dc4b03d63b9a289a6395855b42d0
qvod2.4.0HYQvod_jx46.ipa 1/26/15 1/57
63b4ff014e74bd0a31b16393d145d1332e963b2e17f07396529793a4f0cf8b48
qiumama_HYQvod_jx69.ipa 2/5/15 1/56
fa8594384e119908ec4ea5e0af9597251f6de76a66c30682e36ca1f1d303c7a9
qiuchuanyi_HYQvod_jx48.ipa 2/26/15 1/57
f2a478eb2674b65d602204b2df8fc5e715e22596b039f235f9dfa27c03bbaa9b
1420683505536.ipa 2/26/15 1/57
ca59d78e9d23a737054b70385060346a8e6afc4948cd84f97826deb05168c279
20150113205442561.ipa 2/26/15 0/57
af338b0d35e532644850f9f5e00b6c67d6e08609cb9ef79d48e9f435f87366d0
qvod2.4.0HYQvod_6.ipa 2/26/15 1/57
17c89f5a579ecc3f97914a0fdd8ed1305a3682e09a719f91716607c3d63eabdf
qvod2.4.0HYQvod_5.ipa 2/26/15 1/57
0e75378d2ee5a7b90696dd67efa0d06d619f7f29021a7f056ff5a0fe881f8d6e
20150203141304735.ipa 2/26/15 0/57
55573153750d98938270d858ca220a4435ebcd1dac44388e5a59315e7811193c
DaPian 2/27/15 0/57
426f279a503a19d5c253621ad98f589d853270fd0a1ec54bf08ee55c1f647964
DaPian 2/27/15 0/57
f1e527fba122f91e79e790ba519c0d161cb4959bb1c89d6c20cf8a141ef8f854
HYQvod 4/20/15 1/57
bcb3d4a2960e76cc169bd80ff26c7973502ef11baf0d45d52534184f055003a1
HYQvod 4/20/15 1/56
5fd7b3994fc95cd72e2c76607ed00f260783e02b6fdf228e1e4616ca1e8702be
HYQvod 4/20/15 1/55
0771302f113d9c64fca3988a31020afa0767d3e1b66a2e74f819fd62b80b8a5e
HYQvod 4/20/15 1/57
1d5eea2236a2a44fe0ff4e17491c37f04ffa4a0af9a4b09ecc463089e3f48f14
kuaibozqb.3987.ipa 4/26/15 1/56
1d5eea2236a2a44fe0ff4e17491c37f04ffa4a0af9a4b09ecc463089e3f48f14
kuaibozqb.3987.ipa 5/12/15 1/57
3404bbf56d81da355636371f2e84b3b83ead7d78384c1627db67c4a59c275285
Unknown 6/29/15 0/56
04f69960b2e5fbd06f746e050c7a04e4ea9de67289fd82d3a85a92963aec387a
Unknown 6/29/15 0/56
363e58e1f489b6fade4975a54c02575e8832d95171b6b5646fd475d6a5f35ed9
HYQvod 7/25/15 0/56
ddd16577b458a5ec21ea0f57084033435a46f61dc5482f224c1fe54f47d295bc
1438074603284.ipa 8/18/15 1/56

Samples of Worm.Win32.Lingdun

2771276596981c0ff189c27e6869b147c3c3665fd8b94b14d68695ea6ea3d09d inst.exe

8d113243da8992220e73a2fd02ae28d209b326b191aeef95f3c8e223c1c6db96
leba99_setup_220041398.exe

9e538a58aed94a7748df9262ae0343dea9efce8d9117e0868eb404e1098747b6 u.exe

1607cf9625d7bf4ef39f8c1383fa0b1b1edcd13939d5d49fba5cdc14a73a2d95 ziyt.scr

6bd56dd4cc6a97912531fcb8d9f79f814fd45c9e97600f170646308868b1097b 亲情视频秀.exe

a8456f50c47b5248a93bcaebd05cb07bbf61527d5c7537767df1aaabb64bad95 天使嫩女视频全集.msi

Acknowledgements

Thanks CDSQ from WeipTech group for providing some samples of YiSpecter
from an infected iPhone.

Thanks Josh Grunzweig and Bryan Lee from Palo Alto Networks for their
suggestions on naming. (Finding a proper name is always so hard!)

Thanks Rongbo Shao and Zhaoyan Xu from Palo Alto Networks for their
efforts in detecting the threat.

Thanks Ryan Olson from Palo Alto Networks for reviewing and revising
this report.



FEDRIC on October 5, 2015 12:00 PM said

I think now Apple has to mould and get their best engineer and stop
this threat from viruses. Still, users who don’t watch porn sites will be
on the safer side, as these viruses are spread through those videos in
China.

AK on October 7, 2015 5:37 AM said

Claud, this is a very well written and comprehensive article. I applaud
your effort. Question: how does this relate to the recent hack of
jailbroken iPhones and Apple’s recent effort (as of 2 weeks ago) to fix
problem apps in the App Store? I know these may be vague questions, but I
have only recently developed an interest, as my wife is getting the new
iPhone 6s and I have just started to read of any issues related to iPhone
and iOS. Thanks again.
Copyright © 2007-2013 Palo Alto Networks


On 11/09/2015 05:03 PM, Ruben wrote:
> https://www.fireeye.com/blog/threat-research/2015/11/ibackdoor_high-risk.html
>
>
> iBackDoor: High-Risk Code Hits iOS Apps
>
> November 04, 2015 | By Zhaofeng Chen, Adrian Mettler, Peter Gilbert, Yong Kang
> | Mobile Threats, Threat Research
>
> Introduction
>
> FireEye mobile researchers recently discovered potentially “backdoored” versions
> of an ad library embedded in thousands of iOS apps originally published in the
> Apple App Store. The affected versions of this library embedded functionality in
> iOS apps that used the library to display ads, allowing for potential malicious
> access to sensitive user data and device functionality.
>
> These potential backdoors could have been controlled remotely by loading
> JavaScript code from a remote server to perform the following actions on an iOS
> device:
>
> * Capture audio and screenshots
> * Monitor and upload device location
> * Read/delete/create/modify files in the app’s data container
> * Read/write/reset the app’s keychain (e.g., app password storage)
> * Post encrypted data to remote servers
> * Open URL schemes to identify and launch other apps installed on the device
> * “Side-load” non-App Store apps by prompting the user to click an “Install”
> button
>
> The offending ad library contained identifying data suggesting that it is a
> version of the mobiSage SDK [1]. We found 17 distinct versions of the
> potentially backdoored ad library: version codes 5.3.3 to 6.4.4. However, in the
> latest mobiSage SDK publicly released by adSage [2] – version 7.0.5 – the
> potential backdoors are not present. It is unclear whether the potentially
> backdoored versions of the ad library were released by adSage or if they were
> created and/or compromised by a malicious third party.
>
> As of November 4, we have identified 2,846 iOS apps containing the potentially
> backdoored versions of mobiSage SDK. Among these, we observed more than 900
> attempts to contact an ad adSage server capable of delivering JavaScript code to
> control the backdoors. We notified Apple of the complete list of affected apps
> and technical details on October 21, 2015.
>
> While we have not observed the ad server deliver any malicious commands intended
> to trigger the most sensitive capabilities such as recording audio or stealing
> sensitive data, affected apps periodically contact the server to check for new
> JavaScript code. In the wrong hands, malicious JavaScript code that triggers the
> potential backdoors could be posted to eventually be downloaded and executed by
> affected apps.
>
>
> Technical Details
>
> As shown in Figure 1, the affected mobiSage library included two key components,
> separately implemented in Objective-C and JavaScript. The Objective-C component,
> which we refer to as *msageCore*, implements the underlying functionality of the
> potential backdoors and exposed interfaces to the JavaScript context through a
> WebView. The JavaScript component, which we refer to as *msageJS*, provides
> high-level execution logic and can trigger the potential backdoors by invoking
> the interfaces exposed by msageCore. Each component has its own separate version
> number.
>
> Figure 1: Key components of backdoored mobiSage SDK
>
> In the remainder of this section, we reveal internal details of msageCore,
> including its communication channel and high-risk interfaces. Then we describe
> how msageJS is launched and updated, and how it can trigger the backdoors.
>
>
> Backdoors in msageCore
>
>
> *Communication channel*
>
> MsageCore implements a general framework to communicate with msageJS via the ad
> library’s WebView. Commands and parameters are passed via specially crafted URLs
> in the format adsagejs://cmd&parameter. As shown in the reconstructed code
> fragment in Figure 2, msageCore fetches the command and parameters from the
> JavaScript context and inserts them in its command queue.
>
> Figure 2: Communication via URL loading in WebView
>
> To process a command in its queue, msageCore dispatches the command, along with
> its parameters, to a corresponding Objective-C class and method. Figure 3 shows
> portions of the reconstructed command dispatching code.
>
> Figure 3: Command dispatch in msageCore
>
> *At-risk interfaces*
>
> Each dispatched command ultimately arrives at an Objective-C class in msageCore.
> Table 1 shows a subset of msageCore classes and the corresponding interfaces
> that they expose.
>
> msageCore Class Name | Interfaces
> MSageCoreUIManagerPlugin | captureAudio:, captureImage:, openMail:, openSMS:,
> openApp:, openInAppStore:, openCamera:, openImagePicker:, ...
> MSageCoreLocation | start:, stop:, setTimer:, returnLocationInfo:webViewId:, ...
> MSageCorePluginFileModule | createDir, deleteDir:, deleteFile:, createFile:,
> getFileContent:, ...
> MSageCoreKeyChain | writeKeyValue:, readValueByKey:, resetValueByKey:
> MSageCorePluginNetWork | sendHttpGet:, sendHttpPost:, sendHttpUpload:, ...
> MSageCoreEncryptPlugin | MD5Encrypt:, SHA1Encrypt:, AESEncrypt:, AESDecrypt:,
> DESEncrypt:, DESDecrypt:, XOREncrypt:, XORDecrypt:, RC4Encrypt:, RC4Decrypt, ...
>
> Table 1: Selected interfaces exposed by msageCore
>
> The selected interfaces reveal some of the key capabilities exposed by the
> potential backdoors in the library. They expose the potential ability to capture
> audio and screenshots while the affected app is in use, identify and launch
> other apps installed on the device, periodically monitor location, read and
> write files in the app’s data container, and read/write/reset “secure” keychain
> items stored by the app. Additionally, any data collected via these interfaces
> can be encrypted with various encryption schemes and uploaded to a remote server.
>
> Beyond the selected interfaces, the ad library potentially exposed users to
> additional risks by including logic to promote and install “enpublic” apps as
> shown in Figure 4. As we have highlighted in previous blogs [footnotes 3, 4, 5,
> 6, 7], enpublic apps can introduce additional security risks by using private
> APIs in certain versions of iOS. These private APIs potentially allow for
> background monitoring of SMS or phone calls, breaking the app sandbox, stealing
> email messages, and demolishing arbitrary app installations. Apple has addressed
> a number of issues related to enpublic apps that we have brought to their attention.
>
> Figure 4: Installing “enpublic” apps to bypass Apple App Store review
>
> We can see how this ad library functions by examining the implementations of
> some of the selected interfaces. Figure 5 shows reconstructed code snippets for
> capturing audio. Before storing recorded audio to a file audio_xxx.wav, the code
> retrieves two parameters from the command for recording duration and threshold.
>
> Figure 5: Capturing audio with duration and threshold
>
> Figure 6 shows a code snippet for initializing the app’s keychain before
> reading. The accessed keychain is in the kSecClassGenericPassword class, which
> is widely used by apps for storing secret credentials such as passwords.
>
> Figure 6: Reading the keychain in the kSecClassGenericPassword class
>
>
> Remote control in msageJS
>
> msageJS contains JavaScript code for communicating with a remote server and
> submitting commands to msageCore. The file layout of msageJS is shown in Figure
> 7. Inside sdkjs.js, we find a wrapper object called adsage and the JavaScript
> interface for command execution.
>
> Figure 7: The file layout of msageJS
>
> The command execution interface is constructed as follows:
>
> adsage.exec(className, methodName, argsList, onSuccess, onFailure);
>
> The className and methodName parameters correspond to classes and methods in
> msageCore. The argsList parameter can be either a list or dict, and the exact
> types and values can be determined by reversing the methods in msageCore. The
> final two parameters are function callbacks invoked when the method exits. For
> example, the following invocation starts audio capture:
>
> adsage.exec("MSageCoreUIManager", "captureAudio", ["Hey", 10, 40], onSuccess,
> onFailure);
>
> Note that the files comprising msageJS cannot be found by simply listing the
> files in an affected app’s IPA. The files themselves are zipped and encoded in
> Base64 in the data section of the ad library binary. After an affected app is
> launched, msageCore first decodes the string and extracts msageJS to the app’s
> data container, setting index.html shown in Figure 7 as the landing page in the
> ad library WebView to launch msageJS.
>
> Figure 8: Base64 encoded JavaScript component in Zip format
>
> When msageJS is launched, it sends a POST request to hxxp://entry.adsage.com/d/
> to check for updates. The server responds with information about the latest
> msageJS version, including a download URL, as shown in Figure 9.
>
> Figure 9: Server response to msageJS update request via HTTP POST
>
>
> *Enterprise Protection*
>
> To ensure the protection of our customers, FireEye has deployed detection rules
> in its Network Security (NX) and Mobile Threat Prevention (MTP) products to
> identify the affected apps and their network activities.
>
> For FireEye NX customers, alerts will be generated if an employee uses an
> infected app while their iOS device is connected to the corporate network.
> FireEye MTP management customers have full visibility into high-risk apps
> installed on mobile devices in their deployment base. End users will receive
> on-device notifications of the risky app and IT administrators receive email
> alerts.
>
>
> Conclusion
>
> In this blog, we described an ad library that affected thousands of iOS apps
> with potential backdoor functionality. We revealed the internals of backdoors
> which could be used to trigger audio recording, capture screenshots, prompt the
> user to side-load other high-risk apps, and read sensitive data from the app’s
> keychain, among other dubious capabilities. We also showed how these potential
> backdoors in ad libra

  43. 2015-11-08 Rick Moen <rick-at-linuxmafia.com> Re: [Hangout-NYLXS] ransomware - attacking apache
  44. 2015-11-08 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] ransomware - attacking apache
  45. 2015-11-08 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] ransomware - attacking apache
  46. 2015-11-08 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] Fun with FUD in the largest Washington Post
  47. 2015-11-08 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Cruise to Albany up the Hudson
  48. 2015-11-08 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] Fun with FUD in the largest Washington Post
  49. 2015-11-08 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] Fun with FUD in the largest Washington Post
  50. 2015-11-08 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] Fun with FUD in the largest Washington Post
  51. 2015-11-08 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] Fun with FUD in the largest Washington Post
  52. 2015-11-08 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] Fun with FUD in the largest Washington Post
  53. 2015-11-08 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout-NYLXS] Libreplanet in Boston Next Year
  54. 2015-11-08 Rick Moen <rick-at-linuxmafia.com> Re: [Hangout-NYLXS] ransomware - attacking apache
  55. 2015-11-08 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout-NYLXS] Open for Comments
  56. 2015-11-09 Rick Moen <rick-at-linuxmafia.com> Re: [Hangout-NYLXS] Fun with FUD in the largest Washington Post
  57. 2015-11-09 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] The race is on to replace your linux toolkit
  58. 2015-11-09 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] ransomware - attacking apache
  59. 2015-11-09 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] ransomware - attacking apache
  60. 2015-11-09 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Decent Linux Podcast this week
  61. 2015-11-09 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] True Love
  62. 2015-11-09 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout-NYLXS] Browser security and EFF
  63. 2015-11-09 Rick Moen <rick-at-linuxmafia.com> Re: [Hangout-NYLXS] ransomware - attacking apache
  64. 2015-11-09 Rick Moen <rick-at-linuxmafia.com> Re: [Hangout-NYLXS] ransomware - attacking apache
  65. 2015-11-09 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] ransomware - attacking apache
  66. 2015-11-09 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout-NYLXS] ransomware - attacking apache
  67. 2015-11-09 Rick Moen <rick-at-linuxmafia.com> Re: [Hangout-NYLXS] ransomware - attacking apache
  68. 2015-11-09 Ruben <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] ransomware - attacking apache
  69. 2015-11-09 Ruben <mrbrklyn-at-panix.com> Subject: [Hangout-NYLXS] serious iphone/objectivec problems
  70. 2015-11-09 Ruben <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] serious iphone/objectivec problems
  71. 2015-11-09 Ruben <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] serious iphone/objectivec problems
  72. 2015-11-09 Rick Moen <rick-at-linuxmafia.com> Re: [Hangout-NYLXS] ransomware - attacking apache
  73. 2015-11-10 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] The Technology of Wishing
  74. 2015-11-10 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] another time and place
  75. 2015-11-10 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] The importance and moral obligation to archive
  76. 2015-11-10 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] message from Jesus
  77. 2015-11-10 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout-NYLXS] everything in the story has to be exactly on time
  78. 2015-11-13 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] RMS on Education
  79. 2015-11-14 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] situation worsens
  80. 2015-11-14 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Who snoops on Who
  81. 2015-11-14 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Salman Rushdie
  82. 2015-11-14 Ruben Safir <ruben.safir-at-my.liu.edu> Subject: [Hangout-NYLXS] Ayaan Hirsi Ali on Islam
  83. 2015-11-15 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] [jkeen-at-verizon.net: ny.pm technical meeting on
  84. 2015-11-15 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Quick Cruise up the Hudson with the Smithsonian
  85. 2015-11-15 "ballantrae101 ." <ronny.coder-at-gmail.com> Re: [Hangout-NYLXS] Quick Cruise up the Hudson with the Smithsonian
  86. 2015-11-15 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Movie of the Week
  87. 2015-11-15 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] FWIW for Michael et al
  88. 2015-11-16 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] jobs
  89. 2015-11-16 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] jobs followup
  90. 2015-11-16 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout-NYLXS] ransomware - attacking apache
  91. 2015-11-16 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout-NYLXS] windows 3.1
  92. 2015-11-16 Rick Moen <rick-at-linuxmafia.com> Re: [Hangout-NYLXS] ransomware - attacking apache
  93. 2015-11-16 Rick Moen <rick-at-linuxmafia.com> Re: [Hangout-NYLXS] windows 3.1
  94. 2015-11-16 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout-NYLXS] windows 3.1
  95. 2015-11-17 Rick Moen <rick-at-linuxmafia.com> Re: [Hangout-NYLXS] windows 3.1
  96. 2015-11-17 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout-NYLXS] [conspire] CIA chief Brennan hints new gov't
  97. 2015-11-17 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] could be done better if it was planned
  98. 2015-11-17 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Bad Debt Collectors and Their Prey
  99. 2015-11-18 Paul Robert Marino <prmarino1-at-gmail.com> Subject: [Hangout-NYLXS] permissions in Debian packages?
  100. 2015-11-18 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout-NYLXS] permissions in Debian packages?
  101. 2015-11-19 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] ms linux continues
  102. 2015-11-19 prmarino1-at-gmail.com Re: [Hangout-NYLXS] ms linux continues
  103. 2015-11-19 Chris Knadle <Chris.Knadle-at-coredump.us> Re: [Hangout-NYLXS] permissions in Debian packages?
  104. 2015-11-19 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] ms linux continues
  105. 2015-11-19 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout-NYLXS] Clips Notes
  106. 2015-11-19 prmarino1-at-gmail.com Re: [Hangout-NYLXS] permissions in Debian packages?
  107. 2015-11-19 prmarino1-at-gmail.com Re: [Hangout-NYLXS] permissions in Debian packages?
  108. 2015-11-20 Chris Knadle <Chris.Knadle-at-coredump.us> Re: [Hangout-NYLXS] permissions in Debian packages?
  109. 2015-11-20 Ruben Safir <ruben.safir-at-my.liu.edu> Subject: [Hangout-NYLXS] Fwd: Re: Handling dates and Time
  110. 2015-11-20 Ruben Safir <ruben.safir-at-my.liu.edu> Subject: [Hangout-NYLXS] Fwd: Re: Handling dates and Time
  111. 2015-11-20 Elfen Magix <elfen_magix-at-yahoo.com> Subject: [Hangout-NYLXS] Could NYLXS, CCNY. LIU,
  112. 2015-11-20 Ruben <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] Could NYLXS, CCNY. LIU,
  113. 2015-11-20 Ruben Safir <ruben.safir-at-my.liu.edu> Subject: [Hangout-NYLXS] Fwd: Re: eudyptula challenge,
  114. 2015-11-20 Elfen Magix <elfen_magix-at-yahoo.com> Re: [Hangout-NYLXS] Could NYLXS, CCNY. LIU,
  115. 2015-11-21 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Watson on SuSE
  116. 2015-11-21 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Watson on SuSE
  117. 2015-11-21 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout-NYLXS] Movie of the Week
  118. 2015-11-21 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout-NYLXS] Movie of the Week
  119. 2015-11-21 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Artificial Intelligence and Forward Chaining
  120. 2015-11-22 Ruben Safir <ruben.safir-at-my.liu.edu> Subject: [Hangout-NYLXS] Linux Job
  121. 2015-11-22 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] another job
  122. 2015-11-22 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] PHP
  123. 2015-11-23 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] this is the funniest thing Robin Williams never said
  124. 2015-11-24 Rick Moen <rick-at-linuxmafia.com> Re: [Hangout-NYLXS] this is the funniest thing Robin Williams never
  125. 2015-11-24 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Letters of Recommendation
  126. 2015-11-24 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] [noreply-at-comsoc.org: New Course on Big Data 5-6
  127. 2015-11-24 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Firefox marketing on Flatbush Avenue
  128. 2015-11-24 Ruben Safir <mrbrklyn-at-panix.com> Subject: [Hangout-NYLXS] Cheapbytes has been slacking
  129. 2015-11-24 Rick Moen <rick-at-linuxmafia.com> Re: [Hangout-NYLXS] Cheapbytes has been slacking
  130. 2015-11-24 Ruben Safir <ruben.safir-at-my.liu.edu> Re: [Hangout-NYLXS] Cheapbytes has been slacking
  131. 2015-11-24 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] in memorial
  132. 2015-11-25 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] security and tracking in the land of terrorism
  133. 2015-11-25 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] just a plug for our friend Amy
  134. 2015-11-25 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] private reusable rocket is a success
  135. 2015-11-25 Rick Moen <rick-at-linuxmafia.com> Re: [Hangout-NYLXS] Cheapbytes has been slacking
  136. 2015-11-25 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout-NYLXS] [conspire] CIA chief Brennan hints new gov't
  137. 2015-11-26 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Middle east Analysis
  138. 2015-11-26 Ruben Safir <ruben.safir-at-my.liu.edu> Re: [Hangout-NYLXS] [conspire] CIA chief Brennan hints new gov't
  139. 2015-11-26 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Thanksgiving Present
  140. 2015-11-26 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout-NYLXS] [conspire] CIA chief Brennan hints new gov't
  141. 2015-11-26 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] A message for Thanksgiving
  142. 2015-11-26 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Eight bucks, no kidding!
  143. 2015-11-26 Rick Moen <rick-at-linuxmafia.com> Subject: [Hangout-NYLXS] Five bucks, no kidding!
  144. 2015-11-26 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Compiler Theory Class
  145. 2015-11-27 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Nice Jewish Girl
  146. 2015-11-27 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Larry Wall on Haskell and Java
  147. 2015-11-27 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Apollo
  148. 2015-11-27 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Silicon Valley Republicans
  149. 2015-11-27 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] new way to get interviews only through skype ??
  150. 2015-11-27 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] The New Linux Journal in an app happy world
  151. 2015-11-27 Paul Robert Marino <prmarino1-at-gmail.com> Re: [Hangout-NYLXS] Cheapbytes has been slacking
  152. 2015-11-27 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout-NYLXS] Five bucks, no kidding!
  153. 2015-11-27 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Fwd: Re: Systems Administrator Position
  154. 2015-11-27 Ruben Safir <mrbrklyn-at-panix.com> Re: [Hangout-NYLXS] Cheapbytes has been slacking
  155. 2015-11-27 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] losing the internet
  156. 2015-11-27 prmarino1-at-gmail.com Re: [Hangout-NYLXS] Cheapbytes has been slacking
  157. 2015-11-27 Elfen Magix <elfen_magix-at-yahoo.com> Re: [Hangout-NYLXS] Five bucks, no kidding!
  158. 2015-11-28 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout-NYLXS] The New Linux Journal in an app happy world
  159. 2015-11-28 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout-NYLXS] The New Linux Journal in an app happy world
  160. 2015-11-28 Rick Moen <rick-at-linuxmafia.com> Re: [Hangout-NYLXS] losing the internet
  161. 2015-11-28 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Decent Vorbis Radio
  162. 2015-11-28 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Movie of the week
  163. 2015-11-29 Ruben Safir <ruben-at-mrbrklyn.com> Re: [Hangout-NYLXS] 30 thousand bucks, no kidding!
  164. 2015-11-30 "Mancini, Sabin (DFS)" <Sabin.Mancini-at-dfs.ny.gov> Subject: [Hangout-NYLXS] ???? = question ? So what is the question (s) ?
  165. 2015-11-30 Ruben Safir <ruben-at-mrbrklyn.com> Subject: [Hangout-NYLXS] Domination

NYLXS are Do'ers and the first step of Doing is Joining! Join NYLXS and make a difference in your community today!