Experts Think They’ve Found a Great New Way to See If Your iPhone Is Infected with Malware

iOS spyware remains a prominent threat, but Kaspersky has a new solution

Antivirus company Kaspersky has released Python scripts to automate the analysis of Shutdown.log, an Apple iOS system log file that records device activity during restarts, in an effort to combat spyware on the world’s most popular mobile platform.

Per an announcement on its Securelist blog, which is aimed at security researchers, the collection of scripts known as iShutdown, now available on GitHub, eschews any byzantine technical workarounds, such as attempts to access encrypted backups, in favor of the relatively easy-to-access Shutdown.log file.

Spyware, a specific form of malware that aims to send sensitive and private user data and device activity to unknown attackers, should be a major concern for employers who hand out Apple iPhones to employees as company phones. As such, system administrators would also be wise to take an interest in the iShutdown scripts to identify device intrusions.

iShutdown scripts in detail

There are three scripts in the package, designed to find and open data in the Shutdown.log file, which itself is stored in ‘Sysdiagnose.tar’.

Three scripts appear to be needed to look for the .log file in the archive, extract it, and then extract the restart data from it. The good news is that even though this is an iterative, multi-script process written in Python, you could use Python to automate that too.
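The find-and-extract flow described above, as an added example (not Kaspersky's iShutdown code): it reads Shutdown.log out of a sysdiagnose tar archive in memory, without unpacking the archive to disk, and groups entries by reboot. The `SIGTERM: [epoch]` and `remaining client pid` line shapes, the sample archive path and all function names are assumptions made for this illustration.

```python
import io
import re
import tarfile

# Assumed line shapes (not given in the article): "SIGTERM: [<epoch>]" marks a
# reboot; "remaining client pid: <pid> (<path>)" names a process that delayed it.
REBOOT = re.compile(r"SIGTERM: \[(\d+)\]")
CLIENT = re.compile(r"remaining client pid: (\d+) \((.+?)\)")


def read_shutdown_log(archive):
    """Return Shutdown.log text from a sysdiagnose tar without unpacking to disk."""
    with tarfile.open(fileobj=archive, mode="r:*") as tar:
        for member in tar:
            name = member.name.rsplit("/", 1)[-1].lower()
            if member.isfile() and name == "shutdown.log":
                return tar.extractfile(member).read().decode("utf-8", "replace")
    raise FileNotFoundError("no Shutdown.log in archive")


def summarize(text):
    """One record per reboot, with the process paths logged before it."""
    reboots, pending = [], set()
    for line in text.splitlines():
        if (m := CLIENT.search(line)):
            pending.add(m.group(2))
        elif (m := REBOOT.search(line)):
            reboots.append({"epoch": int(m.group(1)), "delayed_by": sorted(pending)})
            pending = set()
    return reboots


def build_sample_archive():
    """Constructed sample: a tiny tar.gz holding a made-up Shutdown.log."""
    log = (
        "After 1.00s: remaining client pid: 101 (/usr/libexec/exampled)\n"
        "SIGTERM: [1700000000]\n"
        "SIGTERM: [1700090000]\n"
    ).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("sysdiagnose_sample/logs/Shutdown.log")
        info.size = len(log)
        tar.addfile(info, io.BytesIO(log))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(summarize(read_shutdown_log(build_sample_archive())))
```

Reading the single member through `extractfile` keeps an untrusted archive from writing anything to the analyst's file system.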

Despite being available for free on GitHub, the tools are aimed at security researchers, meaning the scripts’ output can be impenetrable to those who aren’t sure what they’re looking for. We doubt this will be a big deal, as this is a very niche piece of news that probably won’t pique the interest of anyone who doesn’t already know what a Python interpreter is.

For those who do know what they are doing, the main caveat will be that because the iShutdown scripts retrieve the restart data, this will likely require quite a bit of restarting. Enough that Kaspersky is deliberately evasive on this point, preferring in the announcement to “leave this as an open question” depending on the user’s “threat profile.”

Despite all this, life for security researchers is about to get easier. The obvious potential caveat to this kind of “it just works” solution is that spyware developers already know where these scripts check in logs for anomalies.

iShutdown will likely cause some disruption for black-hat developers, such as those responsible for the infamous Pegasus spyware package, but will likely just mean that the cat-and-mouse game of detecting spyware and then avoiding detection will continue, and will only intensify.

Via BleepingComputer
