Remote Access and SSH

Remote Access
● Modern computing requires the use of a variety of resources located on different machines in widely separated locations.
● You are familiar with the World Wide Web, which allows us to obtain information from other machines.
● However, mathematicians frequently need to create and delete files on other machines, or even to use their processing power.

SSH
● Secure Shell (SSH) is a cryptographic network protocol for running a command line on a remote machine.
● Client-server architecture: the "ssh client" runs on your local machine, while the remote machine must run an "ssh daemon" (the server).
● There are two ssh protocols: ssh1, which uses 56-bit encryption (this means that the public keys can be expressed in 56 binary digits) and is susceptible to some attacks, and ssh2, which uses 128-bit encryption and is much safer.

Command-line Interface
● A command-line user interface (CLI), also known as a console user interface, is a means of interacting with a computer program where the user (or client) issues commands to the program in the form of successive lines of text (command lines). A program which handles this interface is called a command language interpreter or shell.
● Implemented by cmd.exe in Windows and by Terminal in Linux/MacOS.
● SSH provides access to the CLI of a remote machine.
● Graphical User Interfaces (GUI, pronounced "gooey") are the familiar ways that we interact with computers. Before Xerox invented the GUI in the 1970s, command lines provided the only interfaces to computers. Since the mid-eighties, GUIs have become the only interfaces to computers that most people know.

SSH Clients
● There are a lot of them. Here are the most popular.
● PuTTY (Windows). Free and open-source. Has a handy GUI.
● OpenSSH (Linux).
● MacOS has a built-in ssh client.
● On Linux/MacOS the command typically looks like ssh user@host[:port].

Processes
● Processes are the tasks that a computer handles.
Every time you run any command, it appears on the computer as a process, with attributes and identifiers. If a process runs amok, you need to do something about it. Thus, commands for managing processes are integral to any good operating system.
● In most modern operating systems there may be many processes running at the same time. This is referred to as multitasking.
● A process has an owner associated with it (the user who started the process). The process has the same permissions as its owner.
● Each process has its own dedicated piece of memory. You may think of it as a sandbox in which the code of your particular program/task is executed.

Managing Processes
● Commands for managing processes are integral to any good operating system.
● In Windows it is Task Manager (taskmgr.exe). It can be reached by pressing Ctrl+Esc or Ctrl+Alt+Del and is mostly used to kill an application that is hanging.
● Starting a process from the command line is the easiest thing to do on any computer. Just type the name of the program you want to run.
● For example, on a Unix computer the command /usr/bin/firefox should run the Firefox browser.
● On Windows, the corresponding command would be "c:\program files\firefox\firefox.exe".
● In addition you can specify command options/arguments/parameters, which define the way the command should behave. Each command has its own predefined list of parameters which make sense specifically for that command. To see the exhaustive list of all options for standard commands, use the man <command_name> command. For example, man ls will give you information about the ls command.

Foreground and Background Execution
● By default, every process that you start runs in the foreground. It gets its input from the keyboard and sends its output to the screen.
● If the ls command wants any input (which it does not), it waits for it from the keyboard.
While a program is running in the foreground and is time-consuming, no other commands can be run (no other processes can be started), because the prompt is not available until the program finishes processing and exits.
● A background process runs without being connected to your terminal. If the background process requires any keyboard input, it waits, but you cannot see this.
● The advantage of running a process in the background is that you can run other commands; you do not have to wait until it completes to start another.
● The simplest way to start a background process is to add an ampersand (&) at the end of the command.
● So typing e.g. /usr/bin/firefox will start the Firefox browser in the foreground, whereas /usr/bin/firefox & will run it in the background.

Managing Processes: the ps command
● In Linux the basic command for monitoring processes is called ps (process status). Typing ps by itself lists the processes that you own from your current session on the computer.
● Here is the most important information you can get from the ps command output:
● User – owner of the process
● PID – unique ID of the process
● TTY – terminal associated with the process
● STIME – process start time
● TIME – CPU time taken by the process
● CMD – the command that started this process

Managing Processes: the ps command
● ps -f gives you some more details
● ps -x shows information about processes without terminals
● ps -a shows processes for all users
● ps -u shows the process's user/owner
● You can get more by running man ps

Interrupting a Process
● The easiest way to kill a process that has taken over your command line is to press <ctrl>+c. The "control-c" combination interrupts almost any process that is running in your shell as a foreground process.
● To kill a process which is running in the background, use the kill command. You will need its PID for that, which you can find with the ps command.
● kill -9 1245 will kill the process with PID 1245.
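The background, ps and kill steps above, carried through as an added POSIX shell example (this is not code from the original slides). It uses sleep as a stand-in for a long-running job, assumes a Linux or BSD ps that accepts -o <columns> and -p <pid>, and the function names are its own. It also shows two things the slides leave out: a process is best stopped with SIGTERM first and kill -9 only as a last resort, and ps | grep matches the grep process itself unless it is filtered out.

```shell
#!/bin/sh
# Added example, not from the original slides: start a job in the background,
# inspect it with ps, filter the process table with grep, and stop it with kill.
# Assumes a Linux or BSD ps that understands "-o <columns>" and "-p <pid>".

# Start a long-running command in the background (the trailing "&").
# "$!" holds the PID of the most recent background job; keep it in JOB_PID.
start_background_job() {
    sleep 300 &
    JOB_PID=$!
}

# One-line view of the columns the slides describe: owner, PID, PPID,
# controlling terminal, CPU time used, and the command line.
# A process with no terminal (a daemon, or a job whose session has gone
# away) shows "?" in the TTY column.
show_process() {
    ps -o user=,pid=,ppid=,tty=,time=,args= -p "$1"
}

# First letter of the STAT column for a PID: R running, S sleeping,
# T stopped, Z zombie; empty output means the PID no longer exists.
process_state() {
    ps -o stat= -p "$1" 2>/dev/null | awk 'NR == 1 { print substr($1, 1, 1) }'
}

# True if the process exists and is not a zombie (a dead process whose
# parent has not collected its exit status yet).
is_alive() {
    st=$(process_state "$1")
    [ -n "$st" ] && [ "$st" != "Z" ]
}

# "ps | grep" as on the slides, with two practical fixes: search the whole
# table with -e (the current session alone would miss background jobs and
# daemons), and drop the grep process itself, whose own command line
# contains the search expression and would otherwise always match.
count_matching() {
    ps -eo pid=,args= | grep -e "$1" | grep -v -e "grep -e" | wc -l | tr -d ' '
}

# Stop a job politely first: SIGTERM lets the program clean up. Only if it
# is still alive after a short grace period fall back to SIGKILL (kill -9),
# which the program cannot catch or ignore. Finally "wait" collects the exit
# status so the dead job does not linger in the table as a zombie.
stop_job() {
    pid=$1
    kill -TERM "$pid" 2>/dev/null || return 1
    i=0
    while is_alive "$pid" && [ "$i" -lt 20 ]; do
        sleep 0.1
        i=$((i + 1))
    done
    if is_alive "$pid"; then
        kill -KILL "$pid"
    fi
    wait "$pid" 2>/dev/null
    ! is_alive "$pid"
}

# Walk-through when the script is run directly.
start_background_job
echo "started background job with PID $JOB_PID"
show_process "$JOB_PID"
echo "state: $(process_state "$JOB_PID"); entries matching 'sleep 300': $(count_matching 'sleep 300')"
stop_job "$JOB_PID" && echo "job $JOB_PID stopped"
```

Run it with sh; the walk-through prints the ps line for the job, its state (S while it sleeps), how many table entries match the grep expression, and a confirmation once the job is gone.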
Filtering Output of the ps command
● Use ps [your options] | grep <expression>. We'll discuss more details about grep later.
● Use wildcards for specifying <expression>.
● There are a few "wildcard" characters that can match many things. The question mark matches any single character. Thus, ls image?.jpg would list all of the files image1.jpg, image9.jpg, and imageA.jpg in a directory, but would not list image23.jpg. The asterisk matches any number of characters, so that ls image*.jpg would list image1.jpg, image23.jpg and image49027.jpg.

More on Processes
● Parent and Child Processes: each Unix process has two ID numbers assigned to it: the Process ID (pid) and the Parent Process ID (ppid). Each user process in the system has a parent process. Most of the commands that you run have the shell as their parent. Check the ps -f example, where this command listed both the process ID and the parent process ID.
● Zombie and Orphan Processes: normally, when a child process is killed, the parent process is notified via a SIGCHLD signal. Then the parent can do some other task or start a new child as needed. However, sometimes the parent process is killed before its child is killed. In this case, the "parent of all processes", the init process, becomes the new parent (PPID). In this case, these processes are called orphan processes.
● When a process is killed, a ps listing may still show the process with a Z state. This is a zombie or defunct process. The process is dead and not being used. These processes are different from orphan processes: they have completed execution but still have an entry in the process table.
● Daemon Processes: daemons are system-related background processes that often run with the permissions of root and service requests from other processes. A daemon has no controlling terminal. If you run ps -ef and look at the tty field, all daemons will have a ? for the tty.
● To be precise, a daemon is a process that runs in the background, usually waiting for something to happen that it is capable of handling. For example, a printer daemon waits for print commands, and the SSH daemon is what you are actually interacting with when you connect to a machine through SSH.
● If you have a program that calls for lengthy processing, then it is worth making it a daemon and running it in the background.

Navigation and File Management
● Other fundamental skills you need to master are moving around the filesystem and getting an idea of what is around you. We will discuss the tools that allow you to do this.
● You will also probably need to change what is around you. This is where file management commands come in handy.

Finding Where You Are with the pwd Command
● When you log into your server, you are typically dropped into your user account's home directory. A home directory is a directory set aside for your user to store files and create directories. It is the location in the filesystem where you have full dominion.
● To find out where your home directory is in relation to the rest of the filesystem, you can use the pwd command. This command displays the directory that we are currently in.
● You should get back some information that looks like this: /home/user1
● The home directory is named after the user account, so the above example is what the value would be if you were logged into the server with an account called user1. This directory is within a directory called /home, which is itself within the top-level directory, which is called "root" but represented by a single slash "/".

Looking at the Contents of Directories with the ls command
● ls will give you the list of all files and folders (except hidden ones) in your current directory, sorted alphabetically.
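The zombie, orphan and daemon states from the "More on Processes" slides, as an added POSIX shell example (not code from the original slides). It deliberately creates a parent that never calls wait() so that a finished child is left with the Z state, finds that entry in the ps table, shows it leave the old parent's PPID once the parent is killed, and counts processes without a controlling terminal the way the slides say to spot daemons. It assumes a Linux or BSD ps that accepts -eo <columns>; the function names and the sleep durations are its own.

```shell
#!/bin/sh
# Added example, not from the original slides: make a zombie on purpose, find
# it in the ps listing by its Z state, watch it leave the old parent's PPID
# when that parent is killed (init, or a subreaper, adopts the orphan), and
# count daemon-style processes that have no controlling terminal.
# Assumes a Linux or BSD ps that accepts "-eo <columns>".

# Create a parent that never calls wait(): the inner shell forks a short
# "sleep 0.1" and then replaces itself with "sleep 60" via exec. When the
# short sleep exits, its parent is a plain sleep, which never collects exit
# statuses, so the dead child keeps its process-table entry as a zombie.
# ZOMBIE_PARENT holds the PID of that never-waiting parent.
make_zombie() {
    sh -c 'sleep 0.1 & exec sleep 60' &
    ZOMBIE_PARENT=$!
    sleep 0.5   # give the short-lived child time to exit
}

# Number of children of PID $1 whose STAT column starts with Z.
count_zombie_children() {
    ps -eo pid=,ppid=,stat= | awk -v parent="$1" \
        '$2 == parent && substr($3, 1, 1) == "Z" { n++ } END { print n + 0 }'
}

# Full ps lines (PID, PPID, STAT, command) for the children of PID $1;
# a zombie appears here with state Z and is typically labelled <defunct>.
list_children() {
    ps -eo pid=,ppid=,stat=,args= | awk -v parent="$1" '$2 == parent'
}

# Killing the parent orphans the zombie: init (PID 1) or a subreaper becomes
# its new parent, so it no longer appears under the old PPID, and a normal
# init then collects it and the entry disappears altogether.
reap_by_killing_parent() {
    kill -TERM "$1" 2>/dev/null
    wait "$1" 2>/dev/null
    sleep 0.5   # let the new parent collect the orphaned zombie
}

# Processes with no controlling terminal ("?" in the TTY column), which is
# how the slides say to recognise daemons in "ps -ef" output.
count_without_terminal() {
    ps -eo tty= | awk '$1 == "?" { n++ } END { print n + 0 }'
}

# Walk-through when the script is run directly.
make_zombie
echo "children of $ZOMBIE_PARENT (expect one with state Z):"
list_children "$ZOMBIE_PARENT"
echo "zombie children: $(count_zombie_children "$ZOMBIE_PARENT")"
reap_by_killing_parent "$ZOMBIE_PARENT"
echo "zombie children after killing the parent: $(count_zombie_children "$ZOMBIE_PARENT")"
echo "processes without a terminal: $(count_without_terminal)"
```

A zombie holds no memory or CPU, only a process-table slot and its exit status, so a single one is harmless; a program that keeps forking children and never waits for them is the case to watch for, because it slowly exhausts the PID space.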
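The wildcard, pwd and ls points above, carried through as an added POSIX shell example (not code from the original slides). It builds a throwaway directory containing the file names from the wildcard slide plus a constructed dot-file and a .txt file, counts what image?.jpg, image*.jpg and * expand to, shows that the shell (not ls) performs the expansion and that a quoted pattern is just a literal name, and compares ls with ls -a for hidden entries. It assumes mktemp -d, ls and pwd as found on Linux, MacOS and BSD; the function names are its own.

```shell
#!/bin/sh
# Added example, not from the original slides: build a directory with
# constructed file names and show what the ? and * wildcards match, that the
# shell expands them before ls runs, and how ls hides dot-files unless asked.
# Assumes mktemp -d, ls and pwd as found on Linux/MacOS/BSD.

# Constructed sample: the names from the slides plus a dot-file and a .txt.
make_sample_dir() {
    SAMPLE_DIR=$(mktemp -d)
    for name in image1.jpg image9.jpg imageA.jpg image23.jpg image49027.jpg notes.txt .hidden.jpg; do
        : > "$SAMPLE_DIR/$name"   # create an empty file
    done
}

# Number of names a pattern expands to inside a directory. The expansion
# happens in the shell, on the unquoted "$pattern", before any command runs;
# a pattern that matches nothing is passed through unchanged, which is why
# the existence check is needed to report zero.
count_matches() {
    dir=$1
    pattern=$2
    (
        cd "$dir" || exit 1
        set -- $pattern
        [ -e "$1" ] || set --
        echo $#
    )
}

# The same pattern in quotes is a literal file name: ls looks for a file
# called exactly image?.jpg and fails because no such file exists.
literal_lookup_fails() {
    ( cd "$1" && ! ls "image?.jpg" >/dev/null 2>&1 )
}

# Number of entries ls reports: plain ls skips names starting with ".",
# ls -a adds them (including "." and ".."), ls -A adds them without . and ..
count_entries() {
    ls $2 "$1" | wc -l | tr -d ' '
}

# Where am I: change into the directory and print the working directory.
show_location() {
    ( cd "$1" && pwd )
}

cleanup_sample_dir() {
    rm -rf "$SAMPLE_DIR"
}

# Walk-through when the script is run directly.
make_sample_dir
echo "working directory: $(show_location "$SAMPLE_DIR")"
for p in 'image?.jpg' 'image*.jpg' '*.jpg' '*' 'image23.jp?' 'nothing*'; do
    echo "$p matches $(count_matches "$SAMPLE_DIR" "$p") name(s)"
done
echo "ls: $(count_entries "$SAMPLE_DIR" "") entries; ls -a: $(count_entries "$SAMPLE_DIR" -a) entries"
cleanup_sample_dir
```

Because the shell expands wildcards before the command sees them, the same rule applies to every command, not just ls: an unquoted pattern given to rm or kill is replaced by whatever it matches in the current directory, so check with ls first and quote patterns that are meant literally.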