
We detected network traffic from a device infected with XcodeGhost trying to reach a known bot command and control address. Obviously, we removed the device from the network. The user removed two applications that were mentioned in articles about XcodeGhost, but we really have no way to be sure that those were the culprit apps, do we? If we let them reconnect, we run the risk that we won't detect further traffic to other, unknown bot networks.
My first instinct is that we should force this user to re-image the device before we allow them to reconnect to the network. I think I've answered my own question, but I wanted to check here to see:

  1. Do any tools exist to detect and/or clean XcodeGhost?
  2. Has anyone here dealt with XcodeGhost on a BYOD device? What was the resolution?
mcgyver5
  • Good on you for having those tools in place. I can't speak to either of your two questions so I'm leaving this as a comment instead. Rather than trying to do clean up of a BYOD, my suggestion would be to wipe the device and the user can one by one install the applications they need. It sucks, but wiping iOS devices and reinstalling is pretty easy. – Oct 07 '15 at 16:11
  • As far as I know XCodeGhost only compromises individual apps compiled with it and not the whole device, so deleting the offending apps should be enough. – André Borie Nov 22 '15 at 17:23
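The question hinges on the detection step: matching a device's outbound lookups against a list of known command-and-control addresses and deciding which devices to pull off the network. The script below is an added example and is not code from the question or from any answer; the watchlist entries (`*.invalid` names), the log line format and the client addresses are all constructed placeholders, since the page itself lists no indicators. It matches exact names and subdomains of each indicator, groups hits per client, and returns the clients that should be quarantined.

```python
"""Match DNS log lines against a C2 indicator watchlist and produce a
per-device quarantine decision (added example, constructed sample data)."""
import re
from collections import defaultdict

# Constructed watchlist. Real XcodeGhost C2 names are not given on the page,
# so reserved .invalid placeholders stand in for them.
C2_WATCHLIST = {
    "c2-placeholder-1.invalid",
    "c2-placeholder-2.invalid",
}

# Constructed sample log: "<timestamp> <client_ip> query: <qname>" per line.
SAMPLE_DNS_LOG = """\
2015-10-07T15:58:01Z 10.20.30.41 query: init.c2-placeholder-1.invalid
2015-10-07T15:58:02Z 10.20.30.41 query: www.example.com
2015-10-07T15:58:09Z 10.20.30.55 query: www.example.com
2015-10-07T16:01:13Z 10.20.30.41 query: c2-placeholder-2.invalid
2015-10-07T16:02:40Z 10.20.30.60 query: cdn.example.net
malformed line that the parser should skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)\s*$"
)


def matched_indicator(qname, watchlist=C2_WATCHLIST):
    """Return the watchlist entry that qname equals or is a subdomain of,
    or None. Trailing dots and letter case are normalised so that
    'INIT.c2-placeholder-1.invalid.' still matches."""
    q = qname.rstrip(".").lower()
    for entry in watchlist:
        e = entry.rstrip(".").lower()
        if q == e or q.endswith("." + e):
            return e
    return None


def scan_dns_log(text, watchlist=C2_WATCHLIST):
    """Parse log lines and collect (timestamp, qname, indicator) hits per
    client address. Lines that do not fit the expected format are skipped
    rather than aborting the scan."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indicator = matched_indicator(m["qname"], watchlist)
        if indicator:
            hits[m["client"]].append((m["ts"], m["qname"], indicator))
    return dict(hits)


def quarantine_list(hits):
    """Every client with at least one C2 hit is a candidate for removal
    from the network, regardless of how many distinct names it touched."""
    return sorted(client for client, events in hits.items() if events)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for client in quarantine_list(found):
        print(client)
        for ts, qname, indicator in found[client]:
            print(f"  {ts}  {qname}  (matched {indicator})")
```

Two details matter in practice: the subdomain match, because C2 hostnames are often varied under a fixed parent domain, and skipping rather than failing on malformed lines, because a scan that aborts on one bad record silently misses every device after it. The same function can be re-run over the reconnected device's lookups to confirm the cleanup held.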

2 Answers

I've not yet discovered any tools to detect/clean devices infected with xcodeghost but as far as the remediation goes for cleansing BYODs that are infected with malware, make sure to check the BYOD policy first of course! If it's stated in your policy that wiping a user's personal device is a possibility then I see no reason not to use that option. It's pretty much the most efficient way of ensuring the malware is 'gone'. Well, aside from banning their device from the network. Whether that's physically banning the device from the work site, MAC filtering, blacklisting on routers/firewalls etc.

Sevaara

Beware that "stock" firmware/images can be infected too, especially if we're talking about some (usually cheap) Chinese devices. Secondly, you could try to monitor its traffic after reflashing/reimaging it. But there's no real guarantee that it will not perform new, unwanted or undetected "things".

If the manufacturer is a trusted one, there's little chance that it will be a problem again. Yet, it still depends on the apps the user installs.

Mircea P