Malicious Xcode could spread via download manager Xunlei

What’s at stake?

We reported last week that popular Chinese iOS apps were compromised in an unprecedented malware attack. We discovered that the source of the infection was compromised copies of Xcode hosted on Baidu Pan. Apple has published an article urging developers to download Xcode directly from the Mac App Store, or from the Apple Developer website and validate signatures. We’ve now discovered that even if a developer uses a download link seemingly from Apple, he might still be possible to obtain a compromised copy of Xcode.

Please note that we do not have evidence that such attacks has happened. But it is an easy attack that anyone can implement.

How does it work?

This compromise happened because of Xunlei. Xunlei is the most popular download manager in China. Much of its popularity is due to the fact they can accelerate download speeds by pulling resources from other Xunlei users as well as cached copies on the Xunlei server. All of this, however, is invisible to users. Users can simply enter a regular http download address into Xunlei  download manager and the download will start. Chinese developers were using direct download addresses such as http://adcdownload.apple.com/Developer_Tools/Xcode_7/Xcode_7.dmg to download Xcode.

Because of Xunlei’s P2P and server cache, download speeds would be much faster than the Mac App Store. Downloading via Xunlei also means that developers do not need to be enrolled in the Apple developer program. Direct downloads of Xcode via the developer program cost $99. Because the URL belongs to Apple, users were tricked into thinking that the download link was authentic and hence the Xcode copy. But in actual fact, the file is not authentic because it comes from Xunlei’s P2P and server cache.

The way to “host” a compromised copy of Xcode on Apple’s server is to trick Xunlei locally and let the error propagate. For example, a malicious user can hijack adcdownload.apple.com locally via host file and download from a non-exsistant URL http://adcdownload.apple.com/xcode-fake-1.1.1.1.dmg. Xunlei will then correlate this URL with the file specified by the malicious user and provide this file to other innocent users.

This is what actually happens when you use Xunlei to download http://adcdownload.apple.com/xcode-fake-1.1.1.1.dmg

But if you look at the details of the download source, you can see that 0% of the download is from the original server (i.e adcdownload.apple.com) while the server cache accounts for 26% and P2P accounts for 3% of the download.

You can also see that attempts by Xunlei to connect to adcdownload.apple.com were redirected to https://developer.apple.com/unauthorized/  because Apple only allows users in the Apple developer program to access the page.

Malicious attackers can poison Xunlei with a URL similar to a real Apple Xcode URL and then post the fake URL on forums and download sites. Most Chinese users by default use Xunlei to download. In fact, they have to if they are not enrolled in the Apple developer program. Most will have a compromised copy of Xcode, seemingly downloaded from Apple.

 

What can developers do to prevent future attacks?

Our suggestions are exactly the same from our last blog post.

  • Always download Xcode from the official Mac App Store. For other developer tools, always download these from official sources.

  • Always check the digital signature of developer tools. It is irresponsible for developers to ignore signature warnings. Xcode clearly should have been signed by Apple; all other versions should have produced user warnings.

  • Separate your development system with your everyday system. Development systems should be used solely for development and not for browsing random sites. If physical separation presents too much of a problem for developers, at the very least, a dedicated user account for development should be used.

 

Xunlei users should be cautious

As demonstrated above, Xunlei cannot be trusted to download the correct file, even if the download link is HTTPS. Users should manually check hash after download or use the browser’s download function.

 

References:

https://v2ex.com/t/222553

 

评论

更多博客文章

订阅 email
显示 博客 | Google+ | Twitter | 全部 的消息. 使用 RSS 订阅我们的博客。

星期四, 11月 30, 2017

About those 674 apps that Apple censored in China

Apple opened the door on its censorship practices in China - but just a crack.

星期二, 5月 23, 2017

Is China establishing cyber sovereignty in the United States?

Last week Twitter came under attack from a DDoS attack orchestrated by the Chinese authorities. While such attacks are not uncommon for websites like Twitter, this one proved unusual. While the Chinese authorities use the Great Firewall to block harmful content from reaching its citizens, it now uses DDoS attacks to take down content that appears on websites beyond its borders. For the Chinese authorities, it is not simply good enough to “protect” the interests of Chinese citizens at home - in their view of cyber sovereignty, any content that might harm China’s interests must be removed, regardless of where the website is located.

And so last week the Chinese authorities determined that Twitter was the target. In particular, the authorities targeted the Twitter account for Guo Wengui (https://twitter.com/KwokMiles), the rebel billionaire who is slowly leaking information about corrupt Chinese government officials via his Twitter account and through his YouTube videos. Guo appeared to ramp up his whistle-blowing efforts last week and the Chinese authorities, in turn, ramped up theirs.

via https://twitter.com/KwokMiles/status/863689935798374401

星期一, 12月 12, 2016

面对中国,Google 还打算终结网络审查吗?

三年前,施密特宣布谷歌将在十年内终结网络审查。当时我在卫报发表文章,批评谷歌的时程太长,并指出他们其实有可能在十天内达成目标。

星期四, 11月 24, 2016

Facebook: Please, not like this

Facebook is considering launching a censorship tool that would enable the world’s biggest social network to “enter” the China market. Sadly, nobody will be surprised by anything that Mark Zuckerberg decides to do in order to enter the China market. With such low expectations, Facebook is poised to usurp Apple as China’s favorite foreign intelligence gathering partner. If the company launches in China using this strategy they will also successfully erase any bargaining power that other media organizations may hold with the Chinese authorities.

星期二, 7月 05, 2016

GreatFire.org 现在开始测试VPN在中国的速度和稳定性

在中国有一个普遍观念,如果你有一个可以使用的VPN,那么你应该保持沉默。就信息自由而言,这种观念的问题在于获取知识竟成了一种秘密。今天,我们推出一个项目,希望能够摧毁这种模型。

我们最新的网站,翻墙中心,目的在于实时提供那些能够在中国使用的翻墙方案的信息和数据。在2011年以来我们就已经开始收集在中国被屏蔽的网站,现在我们也将增加那些可用的VPN和其他翻墙工具。

我们发布翻墙中心主要有四个目的。

我们的首要目标是助长使用翻墙工具的国人的数量。通过分享我们这些工具的信息和数据,我们希望对更广泛的受众展示那些工具时可以使用的。

我们的第二个目标是通过带来工具性能的透明化来提升中国用户的翻墙体验。我们将会测试工具的速度(流行网站的加载速度)和稳定性(流行网站加载成功的程度)。

我们开发速度测试的目的是要真实反映用户的体验。当用户在网站测速时,浏览器在后台会从10个世界上最流行的网站上下载一些资源文件。根据Alexa排名,这些网站分别是Google, Facebook, YouTube, Baidu, Amazon, Yahoo, Wikipedia, QQ, Twitter and Microsoft Live。速度的结果是简单的计算下载文件文件的大小和下载所需的时间。我们同样也会验证下载的文件是否完整。如果文件的内容是错误的或者在40秒内无法完成下载,我们会标记为失败。这个数据被我们用来生成另一个重要指标-稳定性。

其他的速度测试工具仅仅是通过发送数据到它们自己的服务器来测量上传和下载的速度。这种数据无法反应用户的体验,因为正常的浏览器通常会频繁的发送一系列的请求(而不是上传或下载一个大文件)到许多的服务器,而不止是一个。

我们的第二个指标 - 稳定性 - 是其他的服务通常不会测试的。一个健康的互联网连接应该达到100%的稳定性,除非有人在测试中把网线拔了。但是在中国使用翻墙工具却不是这样。任何时候连接都有可能变得不稳定或十分缓慢。根据请求的大小,最终的地点和代理的方式,一些请求有可能会失败。比较服务的稳定性要比比较速度更加重要。

你可以测试任意的翻墙工具,列表之外的也可以。中国的VPN用户也可以测试他们的工具,测试结果也会添加到数据库中。这些数据都将会对所有人开放。实时的在中国测试是非常重要的,因为VPN随时都可能被封锁或解封。我们欢迎任何的关于测试过程的反馈。有技术能力的用户也可以通过审查我们的javascript代码来获悉我们的测试是如何工作的。

我们郑重的邀请翻墙工具的开发者们向我们提供测试过程的反馈。我们的第三个目标是帮助这些开发人员改进他们的产品,让更多的选择适用于中国的顾客。此外,越多的工具可以工作,就意味着中国当局对翻墙的打击就会越难。

中国的用户都知道,在过去的18个月中当局加紧了对翻墙工具的攻击。而翻墙中心将会吹响反击的号角。反其道而行之,让这不再成为秘密。我们要鼓励人们分享翻墙工具可以工作的信息。

我们的第四个目标就是要为GreatFire.org创造收益。目前GreatFire仍然依靠世界各地的热心人士和组织的捐款。我们希望减少对这些机构的依赖,并探寻GreatFire.org自给自足的道路。用户只需到翻墙中心就能购买任意一款我们目前在测试的付费工具。GreatFire将作为这些工具在中国的经销商,因此VPN供应商会给予我们每个零售的一部分。用户也不必在中国购买这些翻墙服务。

使用 RSS 订阅我们的博客。

评论

Great article. Thanks for sharing this. Hope you continue providing useful posts like this.

Happy Diwali 2015

I think reading the article on the web that is very useful especially in this website , its very interesting article because it can broaden my thanks :)solutions of prevention and treatment of diseases with herbs AgaricPro, Obat Penyakit Asam Urat and Obat Penyakit Hernia

I think reading the article on the web that is very useful especially in this website , its very interesting article because it can broaden my thanks :)solutions of prevention and treatment of diseases with herbs AgaricPro, Obat Penyakit Asam Urat and Obat Penyakit Hernia

You love PlayBox HD App

Intetesting point on xunlei. It lacks origin integrity checking (normally a big part of p2p). The problem is Xcode dpwnloads take ages as Apple does not provide it from a cdn within China. Maybe Apple themselves need to look at such a peer-to-peer accelerator.

Intetesting point on xunlei. It lacks origin integrity checking (normally a big part of p2p). The problem is Xcode dpwnloads take ages as Apple does not provide it from a cdn within China. Maybe Apple themselves need to look at such a peer-to-peer accelerator.

I enjoyed this article because it is not including worthless information .The author clearly describes the information.
Thank you for sharing this types article.I am waiting for next article.I recommended the custom essay writing service
(http://buyessays.com) for new essay writing tips.

Well written. Great post. Continue posting useful articles like this.

http://techuloid.com/merry-christmas-2015-images-wishes-quotes-pictures-...

Awesome post. Thanks for sharing this informative article. Continue good work.

http://updatescolony.com/64th-miss-universe-2015-live-preview-broadcast-...

Informative post. Thanks for sharing. Hope you Continue posting useful contents.

http://updatescolony.com/happy-new-year-2016-wishes-images-greetings-quo...

Well Written. Great share and thanks for posting such useful articles.

http://techuloid.com/happy-new-year-2016-wishes-quotes-images-greetings-...

Your tips is quite unique. I appreciate the info on your web site. Thanks a lot for sharing!

http://www.goldenglobeawards2016lives.com/

Great post. Thanks for sharing. Hope you Continue posting useful informations.

http://www.happynewyear2016m.com/

Nice post. Thanks for sharing. Hope you Continue posting useful informations.

http://goldenglobeawards2016livestream.com/

Justin Bieber Tickets 2016 || Justin Bieber Concert is back with his long awaited 2016 album Purpose concert tour across the U.S. and Canada. Don’t miss Justin Bieber Concert 2016 and stay with us for tour dates, event details & tickets updates.

Justin Bieber Tickets
http://justinbieberconcert.co/

I would like announce for music lover especially Justin Bieber diehard fan, I think you already guessed it. Yep!! Absolutely right, Justin Bieber concert are coming soon. Who are missed previous concert this time they will must participate this program. Justin Bieber Tickets 2016 are available if you don’t want to miss this mesmerizing concert just collect your ticket. If you are true fan of Justin Bieber, must know about his biography.

The Golden Globes nominations reveal follows two other such announcements this week. As Gossip Cop reported, the 2016 Grammy Awards nominees were unveiled on Monday. And on Wednesday, the Screen Actors Guild revealed the 2016 SAG Awards nominees.

Golden Globe 2016 Live Stream. The 73rd annual Golden Globes Awards Open ceremony Live Stream by The Hollywood Foreign Press, On January 10, 2016 from Beverly Hilton Hotel.

Welcome to 2016. The Golden Globe Awards Live Stream Presentation of the 73rd Annual Announces fixed Key Dates for 2016 Ceremony, It will air at 5 p.m. PT/8 p.m. ET live on NBCfrom the Beverly Hilton, and The Red Carpet Begins at 4 PM EST. Golden Globe Awards Live Stream Awards start at 8 PM.

The Golden Globe Awards Live Stream will take place at the Beverly Hilton Hotel on January 10. But first, the nominees must be announced! The nominations live stream is expected to begin at 8:15 a.m. Eastern Time. Stay tuned! Angela Bassett, Chloe Grace Moretz, Dennis Quaid, and America Ferrera will all participate in the event, revealing the nominees in more than 20 different categories spanning film and television. They’ll be joined by Corinne Foxx, the daughter of Jamie Foxx, who was recently
announced as Miss Golden Globe for the 73rd annual Golden Globes ceremony. Bassett is a Golden Globes winner, as is Ferrera, while Quaid is a former nominee.

NICE THANKING YOU

new year images

How I can speedup my website?
http://www.trickspassion.com/

Great article. Thanks for posting such an useful post. Keep writing more like this.

http://www.royalrumble2016s.com/

Informative article. Thanks for this. Continue posting useful stuffs like this in future

http://www.superbowl2016s.com/

Golden Globe Awards 2016 Live Stream || @ On January 10, 2016 set the date for the 73rd Annual Golden Globe Awards by The Hollywood Foreign Press.

http://goldenglobeawards2016livestream.com/

Your tips is quite unique. I appreciate the info on your web site. Thanks a lot for sharing!

http://egyshellhosting.com/get-your-own-website-only-for-185/

It was well written article and very easy to understand. I wish you very happy new year. if you are looking you are looking for royal rumble results live stream here are very good sites in case you want to visit..if you want to know aboutRoyal Rumble 2016 Live Stream

Thanks for this article. Great share. Keep up your good work.

http://updatescolony.com/best-happy-valentines-day-2016-week-list-quotes...

Wonderful article. Thanks for this informative post. Continue posting great contents.

http://updatescolony.com/super-bowl-2016-live-tv-channels-cbs-online-tea...

Secret codes for mobile phones
http://www.samteck.net

nice article, was able to learn few things, thanks, AirMirror

Friends a very very Happy Chinese New Year 2016 to all of you. Hope this Chinese New Year 2016 will bring a lot of joy and happiness to you and your family.

页面

添加新评论

Filtered HTML

  • 自动将网址与电子邮件地址转变为链接。
  • 允许的HTML标签:<a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • 自动断行和分段。

Plain text

  • 不允许HTML标记。
  • 自动将网址与电子邮件地址转变为链接。
  • 自动断行和分段。
By submitting this form, you accept the Mollom privacy policy.