New Virus/malicious dylib

Discussion in 'iPod touch Firmware 3.0' started by mark1985, Feb 13, 2010.

  1. mark1985

    mark1985 New Member

    Joined:
    Dec 28, 2008
    Messages:
    178
    Likes Received:
    0
    Device:
    4G iPod touch
    Hi,
    after the battery of my iPod touch 2G (FW 3.0) died and I had to plug it in, I started the iPod.
    At first the boot went normally, but then instead of my lock screen I had the recovery mode sign (USB cable and iTunes disc).
    Just by accident I pressed the home button to see that it would then show my wallpaper, but without any clock or slider or whatever. I was suspicious because that didn't seem normal for recovery mode. I then long-pressed the power button --> the slide-to-shut-down screen appeared with my skinned slider! It also showed the fake carrier and that it's connected to Wi-Fi.

    I then went to plug it into my computer and started DiskAid; fortunately I could connect and went straight to the dynamic libraries, where I found the file Lockdown.dylib. It appeared suspicious to me, so I renamed the file ending to .disabled.

    I then rebooted and I could use my iPod like I used to.
    The contents of the lockdown.plist are here:
    Code:
    {
    	Filter = {
    		Bundles = (
    			"com.apple.springboard",
    		);
    	};
    }
    When I open the lockdown.dylib with a text editor, this is what I get:
    Code:
    Îúíþ            ˜  …       __TEXT               `       `               __text          __TEXT          Ô  h7  Ô               €        __picsymbolstub4__TEXT          <M  `  <M              €       __cstring       __TEXT          œN  a  œN                           h  __DATA           `      `                  __dyld          __DATA           `      `                         __la_symbol_ptr __DATA          `  X   `                       __mod_init_func __DATA          ``     ``             	           __cfstring      __DATA          d`  à  d`                         __objc_selrefs  __DATA          Db  à  Db                        __objc_classrefs__DATA          $d  P   $d                         __objc_superrefs__DATA          td     td                         __objc_classlist__DATA          €d     €d                         __objc_protolist__DATA          Œd     Œd                         __objc_imageinfo__DATA          d     d                         __data          __DATA          ¨d  L  ¨d                         __bss           __DATA          ôl                                  8   __LINKEDIT       p   P   p  €3                
       t                 /Users/DavidM/Desktop/LockdownDylib6.2/build/Debug-iphoneos/LockdownDylib.app/LockdownDylib       ø xn]½ùŽp· t1      ð~  û   Œ  „     P       Ï   Ï       Ï   ,                           ÜŒ  ,   ´Š  E    p  Þ     T          ¦  ,/System/Library/Frameworks/Foundation.framework/Foundation     L           å    /System/Library/Frameworks/UIKit.framework/UIKit       X          g  @ /System/Library/Frameworks/CoreGraphics.framework/CoreGraphics     4               /usr/lib/libgcc_s.1.dylib      4         
     o    /usr/lib/libSystem.B.dylib     4           ã    /usr/lib/libobjc.A.dylib       \          Þ  – /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation        ¢  p                                                                                                           
    
    
                                              
    //many weird signs here my computer cant even display which i removed//
    
                                                                                       ðœå´  ÀŸåÀà ðœå°  NSObject    UIApplicationDelegate   LockdownDylibAppDelegate    isEqual:    hash    superclass  class   self    zone    performSelector:    performSelector:withObject: performSelector:withObject:withObject:  isProxy isKindOfClass:  isMemberOfClass:    conformsToProtocol: respondsToSelector: retain  autorelease retainCount description applicationDidFinishLaunching:  applicationDidBecomeActive: applicationWillResignActive:    application:handleOpenURL:  applicationDidReceiveMemoryWarning: applicationWillTerminate:   applicationSignificantTimeChange:   application:willChangeStatusBarOrientation:duration:    application:didChangeStatusBarOrientation:  application:willChangeStatusBarFrame:   application:didChangeStatusBarFrame:    release dealloc setWindow:  window  #8@0:4  ^{_NSZone=}8@0:4    @12@0:4:8   @16@0:4:8@12    @20@0:4:8@12@16 c8@0:4  c12@0:4#8   c12@0:4@8   c12@0:4:8   Vv8@0:4 I8@0:4  c16@0:4@8@12    v24@0:4@8i12d16 v16@0:4@8i12    v28@0:4@8{CGRect={CGPoint=ff}{CGSize=ff}}12 v8@0:4  @8@0:4  v12@0:4@8   @"UIWindow" T@"UIWindow",&,Vwindow  /var/mobile/Library/Preferences/com.iptm.lockdown6.2.plist  Library Preferences com.iptm.lockdown6.2.plist  LockWiggle  LockAppDelete   Identifiers com.apple.MobileSMS SBUIController  UniversalPassword6  LaunchButton    EnableLockdown  %@  OK  WB:Warning: cannot find class [%s]  WB:Warning: cannot find method [%s %s]  LD_ WB:Error: failed to rename [%s %s]  com.apple.springboard   activateApplicationAnimated:    animateLaunchOfApplication: SBApplicationIcon   launch  iPhone  SBSMSAlertItem  performUnlockAction SBIcon  setIsGrabbed:   closeBoxClicked:    defaultManager  fileExistsAtPath:   alloc   stringByAppendingPathComponent: initWithContentsOfFile: objectForKey:   boolValue   LD_setIsGrabbed:    LD_closeBoxClicked: initWithArray:  count   objectAtIndex:  isEqualToString:    sharedInstance  clickedMenuButton   
LD_performUnlockAction  stringWithString:   displayIdentifier   stringWithFormat:   mainScreen  bounds  initWithFrame:  isKeyWindow getID:andPass:andOther:andLaunch:and3:  showWindow  transitionOut   LD_launch   rangeOfString:  LD_activateApplicationAnimated: LD_animateLaunchOfApplication:  init    mainBundle  bundleIdentifier    currentDevice   systemVersion   intValue    model   SBApplicationController Lockdown: %@    Please enter your password  Lockdown    MainView    scheduledTimerWithTimeInterval:target:selector:userInfo:repeats:    initWithString: backgroundColor clearColor  setBackgroundColor: makeKeyAndVisible   isUserInteractionEnabled    setUserInteractionEnabled:  allApplications displayName countByEnumeratingWithState:objects:count:  initWithTitle:andDesc:andAppID:andPass:andLaunch:andIs3:    sendBool:   show    dismissWithClickedButtonIndex:animated: setHidden:  resignKeyWindow finishInit: IsOn3Greater    oString unPass  idString    alertSheet  @24@0:4{CGRect={CGPoint=ff}{CGSize=ff}}8    v28@0:4@8@12@16c20c24   c   @"NSString" @"AlertSheetMake"   None    Cancel  Launch  com.apple.mobileipod-MediaPlayer    com.apple.mobileipod    com.apple.mobileslideshow-Photos    com.apple.mobileslideshow-Camera    com.apple.mobileslideshow   com.apple.mobileipod-VideoPlayer    UITextFieldDelegate UIAlertViewDelegate AlertSheetMake  textFieldShouldBeginEditing:    textFieldDidBeginEditing:   textFieldShouldEndEditing:  textFieldDidEndEditing: textFieldShouldClear:   textFieldShouldReturn:  alertView:clickedButtonAtIndex: alertViewCancel:    didPresentAlertView:    alertView:didDismissWithButtonIndex:    title   setTitle:   message setMessage: setDelegate:    addButtonWithTitle: font    systemFontOfSize:   setFont:    isSecureTextEntry   setSecureTextEntry: delegate    textAlignment   setTextAlignment:   keyboardAppearance  setKeyboardAppearance:  keyboardType    setKeyboardType:    whiteColor  addSubview: automaticKeyboard   text    stringByAppendingString:    
orderOutWithAnimation:  resignFirstResponder    applicationsWithBundleIdentifier:   performSelector:withObject:afterDelay:  frame   setFrame:   orderInWithAnimation:   becomeFirstResponder    animateLaunchApplication:   textField:shouldChangeCharactersInRange:replacementString:  launchApp   willPresentAlertView:   alertView:willDismissWithButtonIndex:   launchTheApp:   setPassField:   WriteFile   universalPass   appToLaunch kB  passField   @32@0:4@8@12@16@20c24c28    v12@0:4c8   c24@0:4@8{_NSRange=II}12@20 @"UIKeyboard"   @"UITextField"  T@"UITextField",&,VpassField    
    
    
    //more of these signs//
    
    
    
    
    __mh_dylib_header _LockdownRename _lockdown_initializer dyld_stub_binding_helper -[LockdownDylibAppDelegate dealloc] -[LockdownDylibAppDelegate window] -[LockdownDylibAppDelegate setWindow:] _Lockdown_setJittering _Lockdown_boxClicked _Lockdown_performUnlockAction _LD_Lockdown_launchApp _Lockdown_animateLaunch -[MainView initWithFrame:] -[MainView getID:andPass:andOther:andLaunch:and3:] -[MainView finishInit:] -[MainView showWindow] -[MainView transitionOut] -[MainView dealloc] -[AlertSheetMake initWithTitle:andDesc:andAppID:andPass:andLaunch:andIs3:] _CGRectMake -[AlertSheetMake sendBool:] -[AlertSheetMake textField:shouldChangeCharactersInRange:replacementString:] -[AlertSheetMake launchApp] -[AlertSheetMake willPresentAlertView:] -[AlertSheetMake alertView:willDismissWithButtonIndex:] -[AlertSheetMake launchTheApp:] -[AlertSheetMake dealloc] -[AlertSheetMake passField] -[AlertSheetMake setPassField:] dyld__mach_header _OBJC_METACLASS_$_LockdownDylibAppDelegate _OBJC_CLASS_$_LockdownDylibAppDelegate _OBJC_IVAR_$_LockdownDylibAppDelegate.window _OBJC_METACLASS_$_MainView _OBJC_CLASS_$_MainView _OBJC_IVAR_$_MainView.IsOn3Greater _OBJC_METACLASS_$_AlertSheetMake _OBJC_CLASS_$_AlertSheetMake _OBJC_IVAR_$_AlertSheetMake.IsOn3Greater _Debug_ _OBJC_IVAR_$_MainView.alertSheet _OBJC_IVAR_$_MainView.idString _OBJC_IVAR_$_MainView.unPass _OBJC_IVAR_$_MainView.oString _OBJC_IVAR_$_MainView.LaunchButton _OBJC_IVAR_$_AlertSheetMake.passField _OBJC_IVAR_$_AlertSheetMake.kB _OBJC_IVAR_$_AlertSheetMake.appToLaunch _OBJC_IVAR_$_AlertSheetMake.universalPass _OBJC_IVAR_$_AlertSheetMake.WriteFile _OBJC_IVAR_$_AlertSheetMake.Cancel _OBJC_IVAR_$_AlertSheetMake.LaunchButton _mView _Allow _OpenSecond _IsOn3Greater _NSHomeDirectory _NSLog _OBJC_CLASS_$_NSArray _OBJC_CLASS_$_NSAutoreleasePool _OBJC_CLASS_$_NSBundle _OBJC_CLASS_$_NSFileManager _OBJC_CLASS_$_NSMutableDictionary _OBJC_CLASS_$_NSObject _OBJC_CLASS_$_NSString _OBJC_CLASS_$_NSTimer _OBJC_CLASS_$_UIAlertView 
_OBJC_CLASS_$_UIColor _OBJC_CLASS_$_UIDevice _OBJC_CLASS_$_UIFont _OBJC_CLASS_$_UIKeyboard _OBJC_CLASS_$_UIScreen _OBJC_CLASS_$_UITextField _OBJC_CLASS_$_UIWindow _OBJC_METACLASS_$_NSObject _OBJC_METACLASS_$_UIAlertView _OBJC_METACLASS_$_UIWindow ___CFConstantStringClassReference ___addsf3vfp ___divsf3vfp __objc_empty_cache __objc_empty_vtable _class_addMethod _class_copyMethodList _class_getInstanceMethod _free _memcpy _method_getImplementation _method_getTypeEncoding _method_setImplementation _objc_enumerationMutation _objc_getClass _objc_msgSend _objc_msgSendSuper2 _objc_msgSend_stret _objc_setProperty _object_getClass _sel_getUid _sel_registerName _strlen /Users/DavidM/Desktop/LockdownDylib6.2/Classes/LockdownDylibAppDelegate.m /Users/DavidM/Desktop/LockdownDylib6.2/build/LockdownDylib.build/Debug-iphoneos/LockdownDylib.build/Objects-normal/armv6/LockdownDylibAppDelegate.o -[LockdownDylibAppDelegate dealloc] -[LockdownDylibAppDelegate window] -[LockdownDylibAppDelegate setWindow:] _OBJC_METACLASS_$_LockdownDylibAppDelegate _OBJC_CLASS_$_LockdownDylibAppDelegate _OBJC_IVAR_$_LockdownDylibAppDelegate.window /Users/DavidM/Desktop/LockdownDylib6.2/Classes/Lockdown.m /Users/DavidM/Desktop/LockdownDylib6.2/build/LockdownDylib.build/Debug-iphoneos/LockdownDylib.build/Objects-normal/armv6/Lockdown.o _LockdownRename _lockdown_initializer _Lockdown_setJittering _Lockdown_boxClicked _Lockdown_performUnlockAction _LD_Lockdown_launchApp _Lockdown_animateLaunch _Debug_ _mView _Allow _OpenSecond _IsOn3Greater /Users/DavidM/Desktop/LockdownDylib6.2/Classes/MainView.m /Users/DavidM/Desktop/LockdownDylib6.2/build/LockdownDylib.build/Debug-iphoneos/LockdownDylib.build/Objects-normal/armv6/MainView.o -[MainView initWithFrame:] -[MainView getID:andPass:andOther:andLaunch:and3:] -[MainView finishInit:] -[MainView showWindow] -[MainView transitionOut] -[MainView dealloc] _OBJC_METACLASS_$_MainView _OBJC_CLASS_$_MainView _OBJC_IVAR_$_MainView.IsOn3Greater 
_OBJC_IVAR_$_MainView.alertSheet _OBJC_IVAR_$_MainView.idString _OBJC_IVAR_$_MainView.unPass _OBJC_IVAR_$_MainView.oString _OBJC_IVAR_$_MainView.LaunchButton /Users/DavidM/Desktop/LockdownDylib6.2/Classes/AlertSheetMake.m /Users/DavidM/Desktop/LockdownDylib6.2/build/LockdownDylib.build/Debug-iphoneos/LockdownDylib.build/Objects-normal/armv6/AlertSheetMake.o -[AlertSheetMake initWithTitle:andDesc:andAppID:andPass:andLaunch:andIs3:] _CGRectMake /Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS2.0.sdk/System/Library/Frameworks/CoreGraphics.framework/Headers/CGGeometry.h -[AlertSheetMake sendBool:] -[AlertSheetMake textField:shouldChangeCharactersInRange:replacementString:] -[AlertSheetMake launchApp] -[AlertSheetMake willPresentAlertView:] -[AlertSheetMake alertView:willDismissWithButtonIndex:] -[AlertSheetMake launchTheApp:] -[AlertSheetMake dealloc] -[AlertSheetMake passField] -[AlertSheetMake setPassField:] _OBJC_METACLASS_$_AlertSheetMake _OBJC_CLASS_$_AlertSheetMake _OBJC_IVAR_$_AlertSheetMake.IsOn3Greater _OBJC_IVAR_$_AlertSheetMake.passField _OBJC_IVAR_$_AlertSheetMake.kB _OBJC_IVAR_$_AlertSheetMake.appToLaunch _OBJC_IVAR_$_AlertSheetMake.universalPass _OBJC_IVAR_$_AlertSheetMake.WriteFile _OBJC_IVAR_$_AlertSheetMake.Cancel _OBJC_IVAR_$_AlertSheetMake.LaunchButton úÞÀ  g               [úÞ  ?         c   ,        ¢     Lockdown.dylib :uöÛ…)ŽÝ~¡´rœÀžÉs                    +Ž£ÍB"y‰=î ¤®	åˆ[™Û¬~w£È²<ñGi¡{mH ©…¹l?$@Bí0~B¢Êw	zaâ}`ß<ËùÞÉ7zH¦Ì”ØG¦©xAY:PAY¤7!LmEŠ_ò·n¡ýœv'’=EÊaôŠ@gÉé²›¿Ë~ÅêD€_Y¿yæ³ÛÕ,Wï4§õ‹˜…ìà¬öy)))#ÄÏkàÏ`Aµã¯Ã„t
    „˜ú?ïâÚóé±kKuý]øFöm9%5?ÄŠáØÏñì뇥`áÕ^DÜúúÞ                

    Is this a new iPhone/iPod touch virus or so? Maybe this helps someone to find out.
  2. Mr.Funman

    Mr.Funman Banned

    Joined:
    Jul 18, 2009
    Messages:
    641
    Likes Received:
    0
    Device:
    iPhone 3GS (Black)
    I don't know, but you have to DFU restore, badly.
  3. mark1985

    Oh, then I didn't make it clear: after I disabled the lockdown.dylib it works just like normal.
  4. Mr.Funman

    Are you a dev?
  5. Axis

    Axis Super Moderator Staff Member

    Joined:
    Dec 2, 2007
    Messages:
    6,288
    Likes Received:
    133
    Device:
    iPhone 4S (White)
    Where did you get this "lockdown.dylib" file?

    /edit: it's a Mach-O executable; I don't know what you were expecting to see in a text editor.
  6. mark1985

    I am no dev.
    The idea with the dylibs came when I remembered how I disabled the android-lockscreen-for-iphone after I forgot the pattern.

    I have no clue. Maybe it is from the app-password-protection app from Cydia, but I don't think so, because even though the dylib is disabled the password protection still works.
  7. gunzmaiet

    gunzmaiet New Member

    Joined:
    Oct 3, 2007
    Messages:
    1,325
    Likes Received:
    5
    If you want someone to look at this file and tell if it's malicious, you're either gonna have to upload it (against the rules) or post an IDA disassembly of it (studangerous says it's OK).
  8. mark1985

    What's that?
  9. Axis

    assembly code dump. Don't worry about it. If it's causing problems, delete it.
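
A Mach-O file like the one posted in this thread can be triaged statically, without a text editor or a full disassembly, by reading its header and load commands and extracting printable strings. The following is an added example, not part of the original thread: the function names are hypothetical and `SAMPLE` is a constructed byte string that only borrows a few names visible in the posted dump.

```python
import re
import struct

MH_MAGIC, MH_DYLIB = 0xFEEDFACE, 0x6   # on disk: CE FA ED FE, the "Îúíþ" opening the dump
LC_SEGMENT, LC_LOAD_DYLIB, LC_ID_DYLIB = 0x1, 0xC, 0xD

def triage_macho(data):
    """Summarise a thin little-endian 32-bit Mach-O without executing it."""
    magic, _cpu, _sub, filetype, ncmds, _size, _flags = struct.unpack_from("<7I", data, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a little-endian 32-bit Mach-O")
    info = {"is_dylib": filetype == MH_DYLIB, "install_name": None,
            "segments": [], "libraries": []}
    off = 28                                   # load commands follow the 28-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("corrupt load command")
        if cmd == LC_SEGMENT:                  # segname is 16 NUL-padded bytes
            info["segments"].append(data[off + 8:off + 24].rstrip(b"\0").decode("ascii", "replace"))
        elif cmd in (LC_LOAD_DYLIB, LC_ID_DYLIB):
            (name_off,) = struct.unpack_from("<I", data, off + 8)
            name = data[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode("ascii", "replace")
            if cmd == LC_ID_DYLIB:
                info["install_name"] = name
            else:
                info["libraries"].append(name)
        off += cmdsize
    return info

def printable_strings(data, min_len=6):
    """Like the `strings` tool: runs of printable ASCII at least min_len long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# --- constructed sample: a minimal header plus two strings seen in the posted dump ---
def _cmd(cmd, body):
    body += b"\0" * (-len(body) % 4)           # load commands are 4-byte aligned
    return struct.pack("<2I", cmd, 8 + len(body)) + body
def _dylib(cmd, path):                         # name offset 24, then three version fields
    return _cmd(cmd, struct.pack("<4I", 24, 0, 0, 0) + path + b"\0")
def _segment(name):
    return _cmd(LC_SEGMENT, name.ljust(16, b"\0") + bytes(32))

_CMDS = [_segment(b"__TEXT"), _segment(b"__DATA"), _dylib(LC_ID_DYLIB, b"LockdownDylib"),
         _dylib(LC_LOAD_DYLIB, b"/System/Library/Frameworks/UIKit.framework/UIKit")]
SAMPLE = (struct.pack("<7I", MH_MAGIC, 12, 6, MH_DYLIB, len(_CMDS), sum(map(len, _CMDS)), 0)
          + b"".join(_CMDS) + b"\x01com.apple.springboard\0LD_performUnlockAction\0\x02")

if __name__ == "__main__":
    print(triage_macho(SAMPLE), printable_strings(SAMPLE))
```

On a real file, the linked frameworks, the install name and strings such as preference paths or hooked selector names indicate which package a library belongs to and which process it targets.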
