Educause Security Discussion mailing list archives
Re: iPhone contacting a sinkhole
From: Scott Finlon <sfinlon () REN-ISAC NET>
Date: Mon, 23 Nov 2015 11:18:10 -0500
Normally when we are contacted back about these notifications we make the same comments that have been said here and reference that it's likely XcodeGhost. We normally also reference an article [1] that explains what it is, and another [2] that lists a number of apps that are known to be infected. It seems the macrumors article [3] that was mentioned by Mike has a few extra apps that the Ars one doesn't have so I'll add that one in.

As always, if you have any questions regarding the notifications that you receive from REN-ISAC, please feel free to reply and we'll let you know any and all information that we have about them.

Thank you,

Scott Finlon
Principal Security Engineer
REN-ISAC

[1] https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html
[2] http://arstechnica.com/security/2015/09/apple-scrambles-after-40-malicious-xcodeghost-apps-haunt-app-store/
[3] http://www.macrumors.com/2015/09/20/xcodeghost-chinese-malware-faq/

On 11/20/2015 4:18 PM, Michael William Zimmer wrote:
Wow, thank you for bringing this topic up! We have been receiving similar alerts recently and found in each case that it pointed back to the same iOS device. We have identified the user as an international student from China. Until now, we weren't certain when our Student Tech Center would have a chance to work with it - but they will send this URL to the student in the meantime.

Thank you - and I guess you can add NAU to your list of 'also seeing this' group.

Michael Zimmer
Northern Arizona University
Flagstaff, AZ

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Iglesias
Sent: Friday, November 20, 2015 1:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] iPhone contacting a sinkhole

On 11/20/2015 12:44 PM, McClenon, Brady wrote:

We have received three alerts from REN-ISAC in the last month or so about an address on our network contacting a sinkhole. In each case the device was a student's iPhone on our residential network (a different student in each case). I'm curious if anyone else has seen this and if they have had any luck determining what is causing it.

It's XcodeGhost.

http://www.macrumors.com/2015/09/20/xcodeghost-chinese-malware-faq/

We've had RI notices about this too. We point the students at the page above and tell them to remove all the apps noted on the list of apps that page points to, and then reinstall them if they want them back.
Current thread:
- iPhone contacting a sinkhole McClenon, Brady (Nov 20)
- Re: iPhone contacting a sinkhole Mike Iglesias (Nov 20)
- Re: iPhone contacting a sinkhole Michael Cole (Nov 20)
- Re: iPhone contacting a sinkhole Michael William Zimmer (Nov 20)
- Re: iPhone contacting a sinkhole Scott Finlon (Nov 23)
- Re: iPhone contacting a sinkhole Ricardo Fitipaldi (Nov 20)
- Re: iPhone contacting a sinkhole Mike Iglesias (Nov 20)