At Verisign we take our Internet stewardship mission very seriously, so when details emerged over the past week concerning the XcodeGhost infection, researchers at Verisign iDefense wanted to help advance community research efforts related to the XcodeGhost issue and, leveraging our unique capabilities, offer a level of public service to help readers determine their current and historical level of exposure to the infection.
Background
First identified in recent days on the Chinese microblog site Sina Weibo, XcodeGhost is an infection of Xcode, the framework developers use to create apps for Apple’s iOS and OS X operating systems. Most developers download secure Xcode from Apple. However, some acquire unofficial versions from sites with faster download speeds.
Apps created with XcodeGhost contain instructions, unknown to both the app developers and the end users, that collect potentially sensitive information from the user’s device and send it to command-and-control (C2) servers managed by the XcodeGhost operator. This way, the XcodeGhost operators circumvented the security of Apple’s official Xcode distribution, and the security of Apple’s App Store.
[Figure: iDefense IntelGraph chart and intelligence alert, “XcodeGhost”]
The infection had widespread impact. As of September 25th, Palo Alto Networks and Fox-IT had identified more than 87 infected apps by name, and FireEye claimed to have identified more than 4,000 infected apps. This activity impacts millions of users both in China and elsewhere in the world. To understand key aspects of the infection, iDefense researchers leveraged authoritative DNS traffic patterns to the C2 domains.
Infection Trends
[Figure: DNS Query Volume by Day]
The data patterns illustrate the following:
[Figure: DNS Query Volume by Day]
Geographic Distribution
Although the original infection came from an unofficial Chinese Xcode distribution, queries for the C2 domains propagated worldwide, and US-based queries for ‘crash-analytics.com’ far outnumbered those from China.
[Figure: NXDOMAIN source IP geographic distribution, Feb-Sep 2015]
From traffic analysis, Verisign iDefense researchers also learned a bit about the early testing of the XcodeGhost malware. This data derives from authoritative-only queries observed at the .COM TLD resolution sites. Those sites are globally distributed, but intermediate recursive name servers commonly cache the initial authoritative response and absorb one to two orders of magnitude (or more) of the subsequent queries; as such, the actual number of queries is typically larger for commonly resolved domains.
Additionally, EPP transactions (the mechanism registrars use to check, add, modify, and delete domain names with a registry) associated with these domains were observed from a number of registrars and provide insights and additional signal into the tactics, techniques, and procedures employed by the culprits. Furthermore, early resolution requests for the domains just after the domains were registered also provide interesting insights into their behavior.
Continuing Activity
A snapshot of NXDOMAIN transactions illustrates that even though the delegations have been removed—the C2 domains have been disabled—we still see large numbers of queries per day, indicating that many users still have yet to remove the malicious apps. A (IPv4) and AAAA (IPv6) record queries for 25 September 2015 totaled 2,197,998 for icloud-analysis.com, 20,796 for icloud-diagnostics.com, and 2626 for crash-analytics.com. The geographic distribution of requests for each C2 domain varies significantly.
[Figure: NXDOMAIN source IP totals and geographic distribution for ‘icloud-analysis.com’, 25 September 2015]
[Figure: NXDOMAIN source IP totals and geographic distribution for ‘icloud-diagnostics.com’, 25 September 2015]
[Figure: NXDOMAIN source IP totals and geographic distribution for ‘crash-analytics.com’, 25 September 2015]
[Figure: Longitudinal view of XcodeGhost C2 DNS traffic to present, active IP addresses]
[Figure: Longitudinal view of XcodeGhost C2 DNS traffic to present, unique IP addresses]
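The per-domain NXDOMAIN counts and source-IP breakdowns above are the kind of summary a network operator can produce from their own resolver or authoritative query logs. The following is an added example, not Verisign's or iDefense's tooling: it parses constructed log lines (the space-separated format of timestamp, source IP, query name, query type and response code is an assumption), keeps only A and AAAA queries that returned NXDOMAIN for the three C2 domains named in this post, and reports query counts, unique source IPs and a per-country split. The GEO_PREFIXES table is a hypothetical stand-in for a real GeoIP database, and the addresses in the sample are documentation ranges, not observed traffic.

```python
"""Aggregate NXDOMAIN queries for the XcodeGhost C2 domains from DNS query logs.

Added example (not the post's or Verisign's code). Log format and the
GeoIP prefix table are assumptions; the sample log lines are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# The three C2 domains named in the post.
C2_DOMAINS = ("icloud-analysis.com", "icloud-diagnostics.com", "crash-analytics.com")

# Hypothetical prefix-to-country table standing in for a GeoIP lookup.
GEO_PREFIXES = {
    ip_network("198.51.100.0/24"): "US",
    ip_network("203.0.113.0/24"): "CN",
    ip_network("192.0.2.0/24"): "DE",
}

# Constructed sample log: "<timestamp> <source IP> <qname> <qtype> <rcode>".
SAMPLE_LOG = """\
2015-09-25T00:00:01Z 198.51.100.7 icloud-analysis.com A NXDOMAIN
2015-09-25T00:00:01Z 198.51.100.7 icloud-analysis.com AAAA NXDOMAIN
2015-09-25T00:00:03Z 203.0.113.9 www.icloud-analysis.com A NXDOMAIN
2015-09-25T00:00:04Z 198.51.100.7 icloud-analysis.com A NXDOMAIN
2015-09-25T00:00:05Z 203.0.113.10 icloud-diagnostics.com A NXDOMAIN
2015-09-25T00:00:06Z 192.0.2.4 crash-analytics.com A NXDOMAIN
2015-09-25T00:00:07Z 192.0.2.4 www.example.com A NOERROR
2015-09-25T00:00:08Z 203.0.113.9 icloud-analysis.com MX NXDOMAIN
this line is malformed and must be skipped
"""


def c2_domain(qname):
    """Return the C2 apex domain that qname equals or is a subdomain of, else None."""
    name = qname.rstrip(".").lower()
    for domain in C2_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    timestamp, src, qname, qtype, rcode = parts
    try:
        src_ip = ip_address(src)
    except ValueError:
        return None
    return timestamp, src_ip, qname, qtype.upper(), rcode.upper()


def country_of(ip):
    """Map a source address to a country code via the hypothetical prefix table."""
    for net, cc in GEO_PREFIXES.items():
        if ip in net:
            return cc
    return "??"


def summarize(log_text):
    """Count A/AAAA NXDOMAIN queries per C2 domain, with unique sources and countries."""
    stats = {
        d: {"A": 0, "AAAA": 0, "sources": set(), "countries": defaultdict(int)}
        for d in C2_DOMAINS
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, src_ip, qname, qtype, rcode = rec
        # Only address-record lookups that failed after the delegation was removed.
        if rcode != "NXDOMAIN" or qtype not in ("A", "AAAA"):
            continue
        domain = c2_domain(qname)
        if domain is None:
            continue
        stats[domain][qtype] += 1
        stats[domain]["sources"].add(src_ip)
        stats[domain]["countries"][country_of(src_ip)] += 1
    return stats


def report(stats):
    """Return (domain, total queries, unique sources) rows, busiest domain first."""
    rows = [(d, s["A"] + s["AAAA"], len(s["sources"])) for d, s in stats.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for domain, total, uniq in report(summarize(SAMPLE_LOG)):
        print(f"{domain:24s} queries={total:4d} unique_sources={uniq}")
```

Counting unique source addresses alongside raw query totals matters: the raw total mostly measures how often recursive resolvers re-ask the authoritative servers, while the unique-source count is the closer proxy for how many resolvers still have infected devices behind them.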
Note that negative caching effects in the DNS result in a considerable increase in query load once a domain is removed (i.e., negative responses are not cached as long as positive responses), so while the number of queries in the charts above increases considerably when the delegations are removed, the number of impacted users is decreasing. For more information on negative caching in the DNS see RFC 2308.
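The effect described in the note, that authoritative query volume can rise after a takedown even while the infected population shrinks, follows directly from cache TTLs. This added example (not from the post) simulates one recursive resolver fronting a set of devices that each re-resolve a C2 name at a fixed interval, and counts how many of their lookups reach the authoritative servers under a positive-answer TTL versus the negative-answer TTL that RFC 2308 derives from the zone's SOA record. The TTLs, device counts and query interval are constructed assumptions chosen only to illustrate the mechanism.

```python
"""Simulate how a resolver cache translates client lookups into authoritative
queries under positive vs. negative caching. Added example; all parameters
are constructed assumptions, not measurements from the post.
"""


def negative_ttl(soa_ttl, soa_minimum):
    """RFC 2308 section 5: a negative (NXDOMAIN) answer is cached for the
    smaller of the SOA record's own TTL and its MINIMUM field."""
    return min(soa_ttl, soa_minimum)


def authoritative_queries(ttl, clients, interval, horizon=86400):
    """Model one recursive resolver serving `clients` devices.

    Each device re-queries the same name every `interval` seconds, with the
    devices spread evenly across the interval. The resolver answers from cache
    while the entry is fresh and forwards to the authoritative server when it
    has expired. Returns (queries seen by authoritative, queries sent by clients).
    """
    rounds = horizon // interval
    # Integer offsets keep the timeline exact and reproducible.
    times = sorted(
        (i * interval) // clients + k * interval
        for i in range(clients)
        for k in range(rounds)
    )
    cache_expires = -1
    authoritative = 0
    for t in times:
        if t >= cache_expires:
            authoritative += 1          # cache miss: ask the authoritative server
            cache_expires = t + ttl     # answer is cached for ttl seconds
    return authoritative, len(times)


def compare_phases():
    """Before takedown: 1,000 devices, positive TTL of 3,600 s (assumed A record).
    After takedown: 100 devices remain, negative TTL of 300 s (assumed SOA minimum).
    Returns both (authoritative, client) query pairs for one day."""
    before = authoritative_queries(ttl=3600, clients=1000, interval=600)
    after = authoritative_queries(
        ttl=negative_ttl(soa_ttl=86400, soa_minimum=300), clients=100, interval=600
    )
    return before, after


if __name__ == "__main__":
    (auth_before, cli_before), (auth_after, cli_after) = compare_phases()
    print(f"before takedown: {cli_before} client lookups -> {auth_before} authoritative queries")
    print(f"after takedown:  {cli_after} client lookups -> {auth_after} authoritative queries")
```

With these assumptions the device population drops tenfold, yet the authoritative servers see twelve times more queries per resolver, because the count is governed by horizon / TTL, not by the number of devices behind the cache. That is why the post pairs the raw query charts with a unique-IP view: the number of distinct resolvers querying is a far better indicator of remaining infections than the query total.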
Recommendations
Verisign iDefense recommends uninstalling infected apps until they are updated and changing the related Apple ID password immediately. iDefense also recommends that users be cognizant of any dialogue boxes (e.g., e-mails or push notifications) that show up on screens and do not enter any information without verifying the source.
Verisign has been cooperating with relevant parties as we analyze the scope of the XcodeGhost infection and early tactics of the adversaries behind the incident, leveraging our unique observation space in order to advance the security and stability of our registry services and security offerings. We will continue to investigate infection and remediation rates as solutions associated with this and other incidents continue to be applied. If you would like to analyze the data summarized here but with specific details for your network, please send a request to: [email protected]. This is a free report with no obligation other than proof of Internet number resource holdership.
iDefense customers: If you would like a deeper dive on infection rates for your network, please contact Verisign customer service ([email protected]) or your iDefense Account Manager.
For information on remediation actions for the XcodeGhost infection, consult the Apple website at: http://www.apple.com/cn/xcodeghost/#english.
Surely Xcode is code-signed! Did users who installed the hacked Xcode see and ignore a warning about the signature mismatch or was it actually not signed?