Retrospection and Full PCAP Reveal Instances of XcodeGhost Dating Back to April - wslh
https://www.protectwise.com/blog/retrospection-and-full-pcap-reveal-instances-of-xcodeghost-dating-back-to-april-2015/
======
tlb
It's an amusing trick to have the encryption key be "stringWithFormat", a
common ObjC symbol that wouldn't look like a key if you found it in a strings
table.

~~~
mikeash
Hilarious! They really should have added a colon on the end to be fully
accurate, but few people would pick up on that.

------
moyix
I continue to be somewhat baffled as to why malware authors don't use public
key crypto for these things. Maybe commonly available libraries don't make it
easy enough?

Also, single DES in 2015 -- amazing.

~~~
wyldfire
I think they just want the bar to be high enough to avoid arousing the
suspicion of casual snoopers. Single DES is enough to do that.

~~~
apetresc
But it's not really any harder to do it properly. So many good libraries
exist. You kinda have to go out of your way to use the wrong thing here.

~~~
kjs3
Pure speculation, but perhaps they thought they were making a compromise
between obfuscation and performance. I've heard this argument made in similar
contexts on the theory that software implementations of 1DES should be faster
than software AES-128 or other alternative algorithms. In practice, however,
the performance between 1DES and AES-128 is not that large, and probably not
large enough to matter.
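To put numbers behind the performance question raised in the comment above, here is an added example (not from the thread or from the linked ProtectWise post) that times single DES against AES-128, both in CBC mode, using only Go's standard library. The keys and IVs are constructed placeholders, not values from any sample, and the buffer size is arbitrary.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
	"time"
)

// Constructed keys and IVs for illustration only; they are not taken from any
// real sample. DES takes an 8-byte key, AES-128 a 16-byte key, and CBC needs an
// IV of exactly one block.
var (
	desKey = []byte("8bytekey")
	desIV  = []byte("initvec8")
	aesKey = []byte("0123456789abcdef")
	aesIV  = []byte("abcdefghijklmnop")
)

// encryptCBC runs plaintext (a whole number of blocks) through CBC encryption.
func encryptCBC(block cipher.Block, iv, plaintext []byte) []byte {
	ciphertext := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ciphertext, plaintext)
	return ciphertext
}

// decryptCBC reverses encryptCBC.
func decryptCBC(block cipher.Block, iv, ciphertext []byte) []byte {
	plaintext := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plaintext, ciphertext)
	return plaintext
}

// throughput encrypts n bytes once, verifies the decrypt round trip, and
// returns megabytes per second for the encryption pass.
func throughput(block cipher.Block, iv []byte, n int) (mbps float64, ok bool) {
	plaintext := make([]byte, n)
	for i := range plaintext {
		plaintext[i] = byte(i)
	}
	start := time.Now()
	ciphertext := encryptCBC(block, iv, plaintext)
	elapsed := time.Since(start)
	ok = bytes.Equal(decryptCBC(block, iv, ciphertext), plaintext)
	return float64(n) / elapsed.Seconds() / 1e6, ok
}

// Compare times single DES against AES-128, both in CBC mode, over n bytes.
// n must be a multiple of 16 so it is a whole number of blocks for both ciphers.
func Compare(n int) (desMBps, aesMBps float64, ok bool, err error) {
	if n <= 0 || n%16 != 0 {
		return 0, 0, false, fmt.Errorf("n must be a positive multiple of 16, got %d", n)
	}
	desBlock, err := des.NewCipher(desKey)
	if err != nil {
		return 0, 0, false, err
	}
	aesBlock, err := aes.NewCipher(aesKey)
	if err != nil {
		return 0, 0, false, err
	}
	desMBps, desOK := throughput(desBlock, desIV, n)
	aesMBps, aesOK := throughput(aesBlock, aesIV, n)
	return desMBps, aesMBps, desOK && aesOK, nil
}

func main() {
	desMBps, aesMBps, ok, err := Compare(16 << 20) // 16 MiB buffer
	if err != nil || !ok {
		fmt.Println("benchmark failed:", err, ok)
		return
	}
	fmt.Printf("DES-CBC:     %8.1f MB/s\n", desMBps)
	fmt.Printf("AES-128-CBC: %8.1f MB/s\n", aesMBps)
	fmt.Printf("AES/DES ratio: %.1fx\n", aesMBps/desMBps)
}
```

Run it with `go run main.go`. Two caveats when reading the output: Go's `crypto/aes` uses AES-NI on amd64 where available, so on such machines this measures the hardware path rather than a pure-software AES, while `crypto/des` is always software; and whatever the ratio, the 56-bit DES key space is the actual security problem, not the cycle count.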
