David Barroso - iPhone + Botnets = FUN! [RootedCON 2010]
Security Congress ~ Rooted CON'2010

iPhone + Botnets = Fun
The rise and fall of an empire
Author: David Barroso

Agenda
• Our character
• How he tried to infect millions of iPhones
  – Whom he set his sights on
  – How he did it
  – How it ended
• Conclusions

Notice
The presentation contains real data and science-fiction data.
When in doubt, apply Occam's razor.

Our character
• Name: Homer
• Age: 38
• Occupation: Safety Inspector
• Location: Springfield

Springfield Shopper

Mariposa

Hmmmm

Idea

Being the master of millions of computers

Be Cool

iPhone and iPad

iBoard and iMat

iPhone
Source: Wikipedia

Donut shop

Meeting with A-Z

Zhiguli Sedan

Mercedes SLR

ZeuS – Price
• ZeuS Kit 1.3.4 ($3000 - $4000)
  – Licence tied to the hardware
• Backconnect ($1500)
• Firefox form grabber ($2000)
• Jabber support ($500)
• VNC ($10000)
• Windows Vista/Windows 7 ($2000)

ZeuS Builder

ZeuS does not infect on its own
• Spam
• Drive-by downloads
• Web 2.0 infections
• Pay-per-install
• Fake codecs

Donut shop

Ikee Worm
• First malicious code for the iPhone
• Ashley Towns, 21 years old
• Australia

SSH Scanning

Ikee Worm
• Ikee iPhone Worm (alpine): "<ikee> Secondly I was quite amazed by the number of people who didn't RTFM and change their default passwords."
• Second iPhone worm (ohshit!):
  – Steals information
  – It is a botnet with two C&Cs
  – Targets Dutch banks
  – No longer just a test script: it runs a malicious process (sshd)

Idea

iOrchard
iOrchard = a botnet of iPhones
Based on ZeuS

Coming soon

ZeuS vs iOrchard

ZeuS – Connection to the C&C

ZeuS – C&C

iOrchard – C&C
• Based on LAMP (like almost all of them)
• Heavy use of JavaScript (mootools)

ZeuS – Encryption (old)

ZeuS – Encryption
• ZeuS uses the RC4 algorithm with 256-byte keys
  – To send stolen data
  – To contact the C&C
  – To receive commands
• The configuration file is encrypted with the unique key (about 1200)

iOrchard – Encryption
• Available algorithms:

```c
enum {
    kCCAlgorithmAES128,
    kCCAlgorithmDES,
    kCCAlgorithm3DES,
    kCCAlgorithmCAST,
    kCCAlgorithmRC4,
    kCCAlgorithmRC2
};
```

```c
/* CommonCrypto one-shot call as shown on the slide. RC4 is a stream cipher,
 * so the padding option and the IV have no effect on it; kCCKeySizeDES is
 * 8 bytes, so only the first 8 bytes of vkey are used as the RC4 key. */
CCCrypt(encryptOrDecrypt,
        kCCAlgorithmRC4,
        kCCOptionPKCS7Padding,
        vkey,                  // "123456789012345678901234", key
        kCCKeySizeDES,
        vinitVec,              // "init Vec", iv
        vplainText,            // "Your Name", plaintext
        plainTextBufferSize,
        (void *)bufferPtr,
        bufferPtrSize,
        &movedBytes);
```

ZeuS – Persistence
• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  "Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe"
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  "Userinit" = "C:\Documents and Settings\user\Application Data\sdra64.exe"

iOrchard – Persistence
• LaunchDaemons
  – /System/Library/LaunchDaemons/

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.simpsons.iorchard</string>
    <key>Program</key>
    <string>/usr/bin/iorchard</string>
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
    <key>OnDemand</key>
    <false/>
</dict>
</plist>
```
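As an added example (not code from the talk, from ZeuS or from iOrchard), a defender-side audit in Python of the two persistence points on this slide and the ZeuS slide before it: the comma-separated Winlogon Userinit value that ZeuS appends sdra64.exe to, and a LaunchDaemons plist of the kind shown above. The com.apple.* label prefix and the list of system program directories are heuristics assumed for the example; the sample inputs are constructed from the slides.

```python
"""Audit of the two persistence points on these slides: the Winlogon
Userinit value ZeuS appends itself to, and a launchd daemon plist like the
one iOrchard drops.  Sample data below is constructed for this example."""
import plistlib

# Stock Windows default for Winlogon\Userinit (compared case-insensitively).
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

# Heuristics assumed for this example, not an Apple-published allow list:
# daemons shipped in /System/Library/LaunchDaemons carry a com.apple.* label
# and run binaries from Apple system directories.
APPLE_LABEL_PREFIX = "com.apple."
SYSTEM_PROGRAM_DIRS = ("/usr/libexec/", "/usr/sbin/", "/System/Library/")


def extra_userinit_entries(value: str) -> list[str]:
    """Return every Userinit entry that is not the stock userinit.exe.

    Userinit is a comma-separated list; Windows runs each entry at logon,
    which is why ZeuS appends ',C:\\WINDOWS\\system32\\sdra64.exe' to it.
    """
    entries = (e.strip().strip('"') for e in value.split(","))
    return [e for e in entries if e and e.lower() != STOCK_USERINIT]


def audit_launch_daemon(plist_bytes: bytes) -> list[str]:
    """Return findings for one /System/Library/LaunchDaemons plist.

    An empty list means nothing looked out of place.
    """
    info = plistlib.loads(plist_bytes)
    label = info.get("Label", "")
    # launchd accepts either Program or ProgramArguments[0] as the binary.
    program = info.get("Program") or (info.get("ProgramArguments") or [""])[0]
    findings = []
    if not label.startswith(APPLE_LABEL_PREFIX):
        findings.append(f"non-Apple label: {label or '<missing>'}")
    if not program.startswith(SYSTEM_PROGRAM_DIRS):
        findings.append(f"program outside system dirs: {program or '<missing>'}")
    # OnDemand=false (or KeepAlive/RunAtLoad) keeps the daemon resident,
    # the behaviour a bot needs to stay connected to its C&C.
    if info.get("OnDemand") is False or info.get("KeepAlive") or info.get("RunAtLoad"):
        findings.append("daemon configured to run permanently")
    if info.get("StandardErrorPath") == "/dev/null":
        findings.append("stderr discarded")
    return findings


# Constructed sample inputs: the Userinit value from the ZeuS slide and a
# plist modelled on the one shown for iOrchard.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe"
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.simpsons.iorchard</string>
  <key>Program</key><string>/usr/bin/iorchard</string>
  <key>StandardErrorPath</key><string>/dev/null</string>
  <key>OnDemand</key><false/>
</dict></plist>"""

if __name__ == "__main__":
    for hit in extra_userinit_entries(SAMPLE_USERINIT):
        print("Userinit extra entry:", hit)
    for finding in audit_launch_daemon(SAMPLE_PLIST):
        print("LaunchDaemon finding:", finding)
```

On a real device the same two functions would be fed the exported Userinit value and each file under /System/Library/LaunchDaemons and /Library/LaunchDaemons.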

ZeuS – Private information
• Steals credentials stored in the Windows Protected Storage
• Steals X.509 certificates
• Steals FTP and POP3 credentials
• Steals HTTP and Flash cookies

iOrchard – Private information
• E-mail addresses
  – /var/mobile/Library/Preferences/com.apple.accountsettings.plist
    • POP3, IMAP, Gmail, MobileMe, etc.
  – The password is not there (PSKeychainUtilities)
    • /private/var/Keychains/keychain-2.db

```
1||||||||||||||[email protected]||mail.mrx.com|smtp||25||<t?????hT
Sj??\]6=?|apple
```

iOrchard – Private information
• SMS
  – /private/var/mobile/Library/SMS/sms.db

```
sqlite> select * from message;
581|605234312|1268480030|"Hola David, soy Homer. Oye, llamame por favor cuando puedas, vale? Venga, hasta luego." - via SpinVox. Recuerda: DictaSMS es gratis. Solo se cobra al que te llama si te deja msj. |2|0||230|0|0|0|0||es|||1||
```

iOrchard – Private information
• Calls
  – /System/Library/PrivateFrameworks/AppSupport.framework/calldata.db
  – /private/var/mobile/Library/CallHistory/call_history.db

```
sqlite> select * from call;
1357|0097142925822|1268039168|0|5|1659
1358|943324191|1268039290|77|5|-1
1359|+971503515393|1268040783|0|131077|-1
1360|+971333495251|1268040824|810|5|-1
```

iOrchard – Private information
• Contacts
  – NSArray *people = (NSArray *)ABAddressBookCopyArrayOfAllPeople(addressBook);
  – /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb

```
sqlite> select * from ABPerson;
```

iOrchard – Private information
• Events and tasks
  – /private/var/mobile/Library/Calendar/Calendar.sqlitedb

```
sqlite> .tables
Alarm               OccurrenceCache
AlarmChanges        OccurrenceCacheDays
Attendee            Participant
AttendeeChanges     Recurrence
Calendar            RecurrenceChanges
CalendarChanges     Store
Event               Task
EventChanges        TaskChanges
EventExceptionDate  _SqliteDatabaseProperties
```

iOrchard – Private information
• Wireless networks
  – /Library/Preferences/SystemConfiguration/com.apple.wifi.plist
    • SSID_STR
    • lastJoined
    • lastAutoJoined

iOrchard – Private information
• Phone data
  – /var/mobile/Library/Preferences/com.apple.commcenter.plist
    • ICCID, IMSI, SBFormattedPhoneNumber
  – /var/mobile/Library/Preferences/com.apple.mobilephone.settings.plist
    • call-forwarding-number
  – /var/mobile/Library/Preferences/com.apple.mobilephone.plist
    • DialerSavedNumber
    • AddressBookLastDialedUid

iOrchard – Private information
• Photographs
  – /var/mobile/Media/DCIM/100APPLE
    • JPG and PNG
    • Longitude and latitude

iOrchard – Private information
• Geographic location
  – /var/mobile/Library/Preferences/com.apple.Maps.plist
    • UserLocation with date
  – /var/mobile/Library/Preferences/com.apple.preferences.datetime.plist
    • Timezone
  – /var/mobile/Library/Preferences/com.apple.weather.plist
    • Weather in cities

iOrchard – Private information
• Recent searches
  – /var/mobile/Library/Preferences/com.apple.mobilesafari.plist
    • RecentSearches
  – /var/mobile/Library/Preferences/com.apple.youtube.plist
    • Bookmarks, History, lastSearch

iOrchard – Private information
• Keyboard cache
  – /var/mobile/Library/Keyboard/
    • dynamic-text.dat
    • es_ES-dynamic-text.dat
• Cached images
  – /private/var/mobile/Library/Caches/Snapshots

ZeuS – Credential theft
• Typical ring3 hooks:
  – wininet.dll
    • HttpSendRequestW
    • HttpSendRequestA
    • HttpSendRequestExW
    • HttpSendRequestExA
    • InternetReadFile
    • InternetReadFileExW
    • InternetReadFileExA
    • InternetQueryDataAvailable
    • InternetCloseHandle
    • HttpQueryInfoA
    • HttpQueryInfoW
  – ws2_32.dll
    • send
    • sendto
    • WSASend
    • WSASendTo
    • closesocket

ZeuS – Credential theft
• Typical ring3 hooks:
  – user32.dll
    • GetMessageW
    • GetMessageA
    • PeekMessageA
    • PeekMessageW
    • GetClipboardData
    • TranslateMessage
  – crypt32.dll
    • PFXImportCertStore

iOrchard – Credential theft
• Let's do the same thing as with ATMs

iOrchard – Credential theft
• Keyboard on the iPhone
  – UIKeyboardLayout (UIView)
    • UIKeyboardLayoutRoman
  – UIKeyboardInputManager
    • UIKeyboardInputManagerAlphabet (prediction hook)
  – To install hooks:
    • MobileSubstrate

```c
void MSHookFunction(void* function, void* replacement, void** p_original);
```

ZeuS – Kill OS
• Nethell:
  – Deletes NTDETECT.COM and ntldr
• InfoStealer:
  – Deletes \drivers\*.sys
  – Deletes some keys (HKLM\Microsoft\Windows NT\CurrentVersion\Winlogon: Shell = Explorer.exe)
• ZeuS:
  – Deletes HKCU, HKLM\Software and HKLM\System
• Glacial Dracon:
  – del /A:S /Q /F C:\\*.*
  – del /S /Q %SYSTEMROOT% %PROGRAMFILES%

iOrchard – Kill OS
• rm -rf /

iOrchard – VNC access
• $10000 in ZeuS
• Open source in iOrchard ($0)
• Integrating Veency, a VNC server available on Cydia

Goal achieved

Let's look at the results
After several waves of mass infections…
… and intense buying, renting and selling activity

ZeuS – ZeusTracker

iOrchard – iOrchardTracker

Conclusions
• There are about 40 million iPhones
  – 10% jailbroken
• Infection is simple
  – Default password
• Full access to private data
  – Access to your bank
  – Spear phishing
• 24x7 connectivity
• Let's copy the features of a success story
• Watch your iPod/iPhone/iPad

How did it all end? What happened to Homer and his iOrchard?

How did it all end?

Thanks to: S21sec e-crime, Jay Freeman (saurik), Nicolas Seriot (iPhone privacy), KennyTM (Keyboard hooks), Homer – Matt Groening

David Barroso
[email protected]
@lostinsecurity