The past couple months at work I have been tracking something that I can’t figure out. I believe it to be an iOS or OS X virus that is in the wild that I have yet to find anything that detects. Here is the information I know about it and I’m putting it out here in hopes that someone else has run into the same thing and may know more information than I do.
The reason these flags have been brought to my attention is because the suspected infected clients use P2P to download a payload from a server. Our network flags the P2P traffic which is what alerted me to the abnormal traffic.
All of the clients have been either iOS (iPhones and iPads) or Apple laptops running OS X.
To my knowledge there haven’t been any Windows clients flagged for the same P2P traffic.
What’s in common
The main thing in common is all of the clients are initiating a P2P connection to the host update.alyac.co.kr:6969 or IP address 126.96.36.199 which both belong to a Korean antivirus company.
All of the clients show the agent to be libtorrent.
All users don’t seem particularly tech savvy and no common software was found between all of the computers/phones/tablets. In most cases the software installed seemed very minimal. I did not have the opportunity to gather browser history on the clients.
What else is weird
The requests happen in batches. The first week I noticed them there were 3-4 in that week. A little time passed and I had another 2 hits just days apart. Now I get smaller sporadic hits.
What I have found
I have wireshark dumps from the P2P traffic but I can’t decipher any meaningful information from them besides the actual connection being made. Email me if you want to have a look.
I also found that the Alyac servers were hacked back in 2011 but I can’t find much else about the company or domain.
So I am posting this for anyone with more information to help me track down what is happening. I find it too coincidental that P2P traffic is going to a random Korean website when the users don’t appear to have any P2P traffic installed. Please leave a comment if you’ve seen something similar or have any other information on what may be happening.