Death Profile

Presented at Black Hat Asia 2018, March 23, 2018, 3:30 p.m. (30 minutes)

As we all know, WannaCry caused terrible disruption to Windows PCs worldwide by exploiting a remote 0day SMB vulnerability. The Apple platform (especially the iOS operating system) is imagined to be immune to such security threats because of its declared secure-by-design system features and the restrictive App Store security policy. However, we found - possibly for the first time - a suspected remote ransomware attack against the iOS and OSX platforms being distributed in the wild.

In this paper, we tell the whole story of how we hunted for the remote iOS ransomware attack based on profile installation and defeated it in the cradle. We will analyze in technical detail how the iOS ransomware hijacks your phone screen, or even causes system crashes or hangs, through profile installation - what we call the "death profile". We will also introduce both static and dynamic solutions to detect and remediate such threats. In doing so, we propose a new remote attack surface for iOS system research.


Presenters:

  • Moony Li - Staff Engineer-Developer, Trend Micro
    Moony Li is a Staff Engineer at Trend Micro with 8 years of knowledge and experience in security product development and research. He designed and developed the ScandCastle security sandbox for the Deep Security product on both Windows and Mac systems, and designed and developed an iOS sandbox system. Currently, he focuses on Windows, Mac, Android and iOS kernel vulnerability hunting and exploitation research. He has also presented at the following global top security conferences: 1. HITCON 2016 - (P)FACE Into the Apple Core and Exploit to Root; 2. Code Blue 2016 - (P)FACE into the Apple core and exploit to root; 3. PacSec 2016 - Active fuzzing as complementary for passive fuzzing; 4. BlackHat Europe 2016 - WHEN VIRTUALIZATION ENCOUNTER AFL: A PORTABLE VIRTUAL DEVICE FUZZING FRAMEWORK WITH AFL
  • Ju Zhu - Staff Engineer-Developer, Trend Micro
    Ju Zhu has 5 years of experience in Mobile Advanced Threat Research. He now works for the iOS Advanced Threat Research Team of Trend Micro. Currently, he focuses on research into iOS 0Day and nDay vulnerabilities. He has been working on using automated systems to hunt advanced threats. He found the first malware that exploited an nDay (CVE-2014-7911) to attack smart TVs at Christmas 2015. In 2016, he and his team also found a lot of malware using 0Days (CVE-2016-4606, CVE-2016-4659, CVE-2016-7651) to attack victims in third-party app stores, and named them "Landmine".
