
News Apple App Store hit by XcodeGhost malware infection

Discussion in 'Article Discussion' started by Gareth Halfacree, 21 Sep 2015.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    10,574
    Likes Received:
    793
  2. wolfticket

    wolfticket Downwind from the bloodhounds

    Joined:
    19 Apr 2008
    Posts:
    2,673
    Likes Received:
    124
    You say it's difficult to blame Apple, but shouldn't malicious code automatically injected into a well-meaning app be the sort of thing that would be picked up by an effective automated scanner?
    As opposed to an app built from the ground up to perform malicious actions, where this approach may be less effective.
     
  3. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    10,574
    Likes Received:
    793
    Effective automated scanner? Ain't no such thing. The best an automated scanner can do is find things we know about. S'why AV software needs frequent signature updates.

    I'd certainly put more blame on the devs who downloaded Xcode from some hooky website than Apple's App Store system, but that's not to say that Apple is completely blameless - when you tell people that you're locking their devices down for their protection then fail to protect them, questions will be asked.
     
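The "hooky website" point above is the one a practitioner can act on: after XcodeGhost, Apple told developers to check the installed Xcode with `spctl --assess --verbose /Applications/Xcode.app` and to trust only an `accepted` verdict whose `source=` is `Mac App Store`, `Apple` or `Apple System`. The following is an added example, not code from the article or from any poster, that wraps that check plus a `codesign --verify` pass so it can sit in a build script. The default path is an assumption; the parser is fed the text spctl prints so it can also be exercised on a non-Mac host.

```python
"""Check whether the installed Xcode is Apple-signed.

Added example (not from the article or the forum). Wraps the spctl and
codesign checks Apple recommended after XcodeGhost. XCODE_PATH is an
assumption about where Xcode is installed.
"""
import subprocess

XCODE_PATH = "/Applications/Xcode.app"
# Only these spctl sources mean the bundle came from Apple.
TRUSTED_SOURCES = {"Mac App Store", "Apple", "Apple System"}


def spctl_verdict(output: str) -> tuple[bool, str]:
    """Parse `spctl --assess --verbose` output into (trusted, source).

    spctl prints two lines, e.g. "/Applications/Xcode.app: accepted" and
    "source=Apple". Anything other than accepted + a trusted source fails.
    """
    accepted = False
    source = ""
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            accepted = True
        elif line.startswith("source="):
            source = line[len("source="):].strip()
    return accepted and source in TRUSTED_SOURCES, source


def run(cmd: list[str]) -> tuple[int, str]:
    """Run a command; spctl writes its verdict to stderr, so merge both streams."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def check_xcode(path: str = XCODE_PATH) -> dict:
    """Run both checks. A missing tool (non-macOS host) is reported, not masked."""
    result = {
        "path": path,
        "spctl_trusted": False,
        "spctl_source": "",
        "codesign_ok": False,
        "error": "",
    }
    try:
        _, out = run(["spctl", "--assess", "--verbose", path])
        result["spctl_trusted"], result["spctl_source"] = spctl_verdict(out)
        # --deep walks every nested binary in the bundle; slow on Xcode but
        # that is exactly where an injected framework would live.
        rc, _ = run(["codesign", "--verify", "--deep", "--strict", path])
        result["codesign_ok"] = rc == 0
    except FileNotFoundError as exc:
        result["error"] = f"{exc.filename} not available; run this on the macOS build host"
    return result


if __name__ == "__main__":
    verdict = check_xcode()
    ok = verdict["spctl_trusted"] and verdict["codesign_ok"]
    print("TRUSTED" if ok else "UNTRUSTED", verdict)
    raise SystemExit(0 if ok else 1)
```

A build pipeline would fail the job on a non-zero exit here before any `xcodebuild` step, which is the cheapest place to catch a tampered toolchain. The check says nothing about a compromised Apple-signed Xcode, only that the bundle is the one Apple shipped.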
  4. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,142
    Likes Received:
    135
    i-users questioning Apple? You're hilarious Gareth! :D
     
  5. wolfticket

    wolfticket Downwind from the bloodhounds

    Joined:
    19 Apr 2008
    Posts:
    2,673
    Likes Received:
    124
    Well there is... It's called heuristic scanning. And while obviously I don't know the exact nature of the beast, I'd have thought code automatically injected into an existing trusted source via an update is the sort of thing a good heuristic scanner would be designed to detect.

    Indeed, we're largely not talking about scanning for existing viruses here at all. When it comes to apps, the problem can just as well be malicious code written by the dev within apps created by them that have not been distributed elsewhere at all.
    The idea of relying on existing signatures in this context is obviously not very useful.
     
  6. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    8,391
    Likes Received:
    186
    No doubt the devs are just as culpable, but if it wasn't for Apple's walled-garden approach would this have even happened in the first place?

    By that I mean it was Apple who insisted (I'm guessing) that apps can only be written and published if they were programmed using Apple's own Xcode package; basically Apple created a system with a single point of failure.
     
  7. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,142
    Likes Received:
    135
    Yes.
     
  8. mi1ez

    mi1ez Active Member

    Joined:
    11 Jun 2009
    Posts:
    1,398
    Likes Received:
    13
    I must admit, I thought Apple tested apps automatically too. Plus, how hard is it to stick an app behind a proxy in a VM or container or whatever and monitor what traffic it sends and receives?
     
  9. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    10,574
    Likes Received:
    793
    If behaviour-based (heuristic) scanning were that effective, we'd never need to update our anti-virus signatures. Heuristic scanners can only look for known patterns; if a piece of malware does something new, it'll be completely ignored by heuristic algorithms. I can think of a dozen ways I could sneak malware past an automated scanner, and even the mooted "stick it behind a proxy and see what it does" test - starting with "if I'm running inside Apple HQ and/or I'm running but not yet visible on the App Store for public download, assume I'm being tested and keep the malware portion dormant."
     
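The two posts above describe a review technique (run the app behind a proxy and watch its traffic) and the obvious evasion (stay dormant while the app believes it is under review). The following is an added example, not code from the article or from either poster, that models both sides: a fake network stands in for the proxy, two constructed sample apps run against it, and the harness runs each under several environments rather than once. All hostnames, dates and environment signals are made up for the illustration.

```python
"""Environment-varied dynamic analysis of an app's outbound traffic.

Added example (not from the article or the forum). Models the "watch it
behind a proxy" review and the "stay dormant while being tested" evasion.
Hosts, dates and signals are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable


@dataclass(frozen=True)
class Env:
    """Signals a sample could key on to guess whether it is being reviewed."""
    today: date
    live_on_store: bool     # the app can ask the store whether it is public yet
    reviewer_network: bool  # e.g. its source address falls in a reviewer's range


class FakeNetwork:
    """Stands in for the proxy: records every outbound destination."""

    def __init__(self) -> None:
        self.connections: list[tuple[str, int]] = []

    def connect(self, host: str, port: int = 443) -> None:
        self.connections.append((host, port))


App = Callable[[Env, FakeNetwork], None]


def honest_app(env: Env, net: FakeNetwork) -> None:
    """Constructed sample: only talks to its declared backend."""
    net.connect("api.example.com")


def gated_app(env: Env, net: FakeNetwork) -> None:
    """Constructed sample: beacons only once it believes it is in the wild
    and a built-in release date has passed, so a single review run sees nothing."""
    net.connect("api.example.com")
    looks_like_review = env.reviewer_network or not env.live_on_store
    if not looks_like_review and env.today >= date(2015, 10, 1):
        net.connect("telemetry.example.net")


def observe(app: App, env: Env) -> set[str]:
    """One run behind the proxy: the set of hosts contacted."""
    net = FakeNetwork()
    app(env, net)
    return {host for host, _ in net.connections}


def review_environments(submitted: date) -> dict[str, Env]:
    """Vary every signal a dormant payload might check, including the clock."""
    return {
        "review": Env(submitted, live_on_store=False, reviewer_network=True),
        "released": Env(submitted, live_on_store=True, reviewer_network=False),
        "released+30d": Env(submitted + timedelta(days=30), True, False),
        "released+365d": Env(submitted + timedelta(days=365), True, False),
    }


def unexpected_egress(app: App, declared: set[str], submitted: date) -> dict[str, set[str]]:
    """Hosts outside the developer's declared allow-list, keyed by environment."""
    findings: dict[str, set[str]] = {}
    for label, env in review_environments(submitted).items():
        extra = observe(app, env) - declared
        if extra:
            findings[label] = extra
    return findings


if __name__ == "__main__":
    submitted = date(2015, 9, 15)
    for name, app in (("honest_app", honest_app), ("gated_app", gated_app)):
        print(name, unexpected_egress(app, {"api.example.com"}, submitted))
```

The first environment is the one a single review-time run gives you, and for the gated sample it shows nothing; the later rows are what it takes to make the payload fire. The caveat is the one Gareth makes: a reviewer can only vary the signals they have thought of, and a payload gated on a server-side switch the attacker flips after approval is out of reach of any local run. Egress allow-listing per app still pays off, because it turns a later change in traffic into an alert rather than something nobody is watching for.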
  10. SexyHyde

    SexyHyde Member

    Joined:
    24 Jul 2009
    Posts:
    594
    Likes Received:
    7
    Is there a media blackout on this or something? Considering so many people have been compromised I thought it might have been covered a bit more.
     
  11. rollo

    rollo Well-Known Member

    Joined:
    16 May 2008
    Posts:
    7,676
    Likes Received:
    94
    It's covered heavily in China but not elsewhere. Mostly affects China though, a bunch of Chinese apps, the Chinese WhatsApp for example. It's also been sorted at last check.
     
  12. SexyHyde

    SexyHyde Member

    Joined:
    24 Jul 2009
    Posts:
    594
    Likes Received:
    7
    "Interestingly, a Snowden leak from the CIA’s internal wiki system suggested that the agency had considered using a modified version of Xcode as an attack vector."

    I'd be surprised if this was the only hack.
     
  13. rollo

    rollo Well-Known Member

    Joined:
    16 May 2008
    Posts:
    7,676
    Likes Received:
    94
    Every computer system in the world is susceptible to attack. Despite marketing or anything else, do you really think a mass-produced smartphone is going to be virus proof? CIA, well, less said. Look at the PSN or Xbox Live servers: it was not even a virus, just DNS attacks that brought them down.

    Skype was said to be a similar thing.
     
  14. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    8,391
    Likes Received:
    186
    Yes, every computer system in the world is susceptible to attack, but isn't creating a system with a single point of failure asking for trouble?

    In a distributed system you may be able to compromise a few hundred or thousand individual systems; when you have a single point of failure you only have to attack that single point to compromise everything. A chain's only as strong as its weakest link.
     
  15. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,142
    Likes Received:
    135
    Redundancy is only good when it can mitigate a failure of another component. When we think of RAID (above 0), a failure in one disk can be compensated for by the remaining disks.

    Increasing the number of gardens, walled or otherwise in terms of dev tools simply increases the surface area exposed to attack vectors. It doesn't reduce your problem it increases it. If there is a failure in one, having more of them doesn't help the matter. Unlike disks in RAID.

    I'm almost universally opposed to Apple's approach to technology, but in this case having one controlled system is likely to be the most secure approach outside of opening the source.
     
  16. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    8,391
    Likes Received:
    186
    I was thinking it was more like the Internet: sure, you can take down parts that may affect small sections, but you can't (well, shouldn't be able to) target a single point and take the whole lot down, or large swathes of it.

    EDIT: I guess it comes down to what we/me/you view as the best approach to securing a system. Yes, a distributed system increases the surface area exposed to attack, but it also lessens the inevitable impact of such an attack.

    IMHO a failure, attack or problem is unavoidable, no system is 100% secure, it's just a matter of whether a one in a million chance that a problem could bring down an entire system is worth many small problems.
     
    Last edited: 23 Sep 2015
  17. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,142
    Likes Received:
    135
    Ah you are referring to the download sites rather than the actual tools?
     
  18. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    8,391
    Likes Received:
    186
    Well, both: if the download site (App Store) only allows apps to be published that were written using a single tool, they both open up the possibility of targeting a single vector and affecting the whole system. This particular attack was only limited in effect due to geographical/language reasons (afaik).
     
  19. rollo

    rollo Well-Known Member

    Joined:
    16 May 2008
    Posts:
    7,676
    Likes Received:
    94
    Multiple stores would be multiple points of attack, and verification increased 10-fold.
     
  20. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    8,391
    Likes Received:
    186
    :confused:
     