Educause Security Discussion mailing list archives

Re: iPhone contacting a sinkhole


From: Scott Finlon <sfinlon () REN-ISAC NET>
Date: Mon, 23 Nov 2015 11:18:10 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Normally when we are contacted back about these notifications we make
the same comments that have been said here and reference that it's
likely XcodeGhost.

We normally also reference an article [1] that explains what it is,
and another [2] that lists a number of apps that are known to be
infected.

It seems the macrumors article [3] that was mentioned by Mike has a
few extra apps that the Ars one doesn't have so I'll add that one in.

As always, if you have any questions regarding the notifications that
you receive from REN-ISAC, please feel free to reply and we'll let you
know any and all information that we have about them.

Thank you,
Scott Finlon
Principal Security Engineer
REN-ISAC

[1]
https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html

[2]
http://arstechnica.com/security/2015/09/apple-scrambles-after-40-malicious-xcodeghost-apps-haunt-app-store/

[3]
http://www.macrumors.com/2015/09/20/xcodeghost-chinese-malware-faq/

On 11/20/2015 4:18 PM, Michael William Zimmer wrote:
Wow, thank you for bringing this topic up!  We have been receiving
similar alerts recently and found in each case that it pointed back
to same iOS device.  We have identified the user as an
international student from China.  Until now, we weren't certain
when our Student Tech Center would have a chance to work with it -
but they will send this URL to the student in the meantime.

Thank you - and I guess you can add NAU to your list of 'also
seeing this' group.

Michael Zimmer
Northern Arizona University
Flagstaff, AZ

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Iglesias
Sent: Friday, November 20, 2015 1:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] iPhone contacting a sinkhole

On 11/20/2015 12:44 PM, McClenon, Brady wrote:
We have received three alerts from REN-ISAC in the last month or
so about an address on our network contacting a sinkhole.  In
each case the device was a student's iPhone on our residential
network (a different student in each case).  I'm curious if
anyone else has seen this and if they have had any luck
determining what is causing it.

It's XcodeGhost.

http://www.macrumors.com/2015/09/20/xcodeghost-chinese-malware-faq/

We've had RI notices about this too.  We point the students at the
page above and tell them to remove all the apps noted on the list
of apps that page points to, and then reinstall them if they want
them back.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
