Top antivirus company Kaspersky has released Python scripts to automate the analysis of Shutdown.log, an Apple iOS system log file that covers device activity during a reboot, in an effort to curb spyware on the world’s most popular mobile platform.
Per an announcement on its Securelist blog aimed at security researchers, the collection of scripts known as iShutdown, available now on Github, avoids any byzantine technical solution, such as attempting to access encrypted backups, in favour of the relatively easily accessible Shutdown.log file.
Spyware, a specific form of malware that seeks to send sensitive and private user data, as well as device activity to unknown assailants, should be of great concern to employers who issue Apple iPhones to employees as corporate phones. As such, sysadmins would also be wise to take an interest in the iShutDown scripts in order to identify device intrusions.
iShutDown scripts in detail
There are three scripts in the package, designed to find and access data inside the Shutdown.log file, which is itself stored within ‘Sysdiagnose.tar’.
That amount of scripts appear to be necessary to search for the .log file inside the archive, extract it, and then go onto extract reboot data from it. The good news is that, despite this being an iterative, multi-script process written in Python, you could use Python to automate that, too.
Despite being freely available on GitHub, the tools are geared towards security researchers, meaning that the output of the scripts could be impenetrable to those who aren’t sure of what they’re looking for. We doubt this will be a huge problem, as this is a very niche bit of news, unlikely to pique the interest of anyone who doesn’t already know what a Python interpreter is.
For those who do know what they’re doing, the main caveat will be that, because the iShutdown scripts retrieve reboot data, this will require quite a lot of rebooting, probably. Enough that Kaspersky is being deliberately evasive on the point, preferring in the announcement to “leave this as an open-ended question”, depending on the user’s “threat profile”.
Even with all this, security researchers’ lives are about to get easier. The obvious potential caveat with this kind of ‘it just works’ solution is that spyware developers already know, now, where these scripts are checking for aberrations in logs.
iShutdown will likely lead to some disruption for black-hat developers, such as those responsible for the notorious Pegasus spyware package, but likely just mean that the cat-and-mouse game to detect spyware, to then see it avoid detection, on repeat forever, will just intensify.