New WireLurker malware infects Mac OS X and iOS
Published November 6th, 2014 at 10:31 AM EDT , modified November 7th, 2014 at 2:07 PM EDT
Palo Alto Networks announced yesterday their discovery of new malware for Mac OS X, which they are calling WireLurker. This malware has been distributed in 467 known pirated apps distributed in China’s Maiyadi App Store (not affiliated with Apple’s Mac App Store). To make matters worse, this malware is known to infect iOS devices that are connected to infected Macs, even if those iOS devices have not been jailbroken!
The malware has evidently been circulating since April, but has only recently caught the attention of security researchers. According to Palo Alto’s research, the trojanized apps made up the majority of the uploads to Maiyadi between April 30, 2014 and June 11, 2014, and were downloaded more than 356,104 times, as of October 16.
Once run on a Mac, the malicious apps dropped quite an array of files. A WireLurker detection script released by Palo Alto looks for the following files, which it identifies as malicious or, in the case of the last two, suspicious:
/Users/Shared/run.sh /Library/LaunchDaemons/com.apple.machook_damon.plist /Library/LaunchDaemons/com.apple.globalupdate.plist /usr/bin/globalupdate /usr/local/machook/ /usr/bin/WatchProc /usr/bin/itunesupdate /Library/LaunchDaemons/com.apple.watchproc.plist /Library/LaunchDaemons/com.apple.itunesupdate.plist /System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist /System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist /System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist /System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist /usr/bin/com.apple.MailServiceAgentHelper /usr/bin/com.apple.appstore.PluginHelper /usr/bin/periodicdate /usr/bin/systemkeychain-helper /usr/bin/stty5.11.pl /etc/manpath.d/ /usr/local/ipcc/
This is a far more extensive list of dropped files than I believe I have ever seen in any Mac malware. However, as interesting as that fact is, it’s far from the most interesting thing about this malware. It gets worse… the malware’s main job appears to be watching for iOS devices to be connected. Once that happens, it does two things. First, it grabs identifying information from the device, such as serial number, phone number and other personally identifying information, and transmits this information to a server.
Next, it tries to install malicious apps on the iOS device. If the device is jailbroken (ie, hacked to allow apps downloaded from somewhere other than Apple’s App Store), this is done in a very pervasive manner, even allowing for infection of system apps, with the intent of gathering more personally identifying information and transmitting it back to the server.
However, on an iOS device that has not been jailbroken, the malware installs malicious apps through “enterprise provisioning,” which allows for installation of custom business apps distributed by an employer rather than through the App Store. This is the first time that this system has been abused to install malware on iOS devices that have not been jailbroken, and will probably lead to Apple making some security-related changes to that system in the future.
Interestingly, this malware seems to be focused on collecting information that could be used to identify the device and the individual using it. Palo Alto has not commented on the possible goals of this malware, saying that “none of the information points to a specific motive.” However, Jonathan Zdziarski mentions an intriguing possibility: that the malware seems to be trying to identify Chinese software pirates.
China has shown a willingness to use unethical techniques to invade the privacy of Chinese citizens, even being accused recently of using man-in-the-middle attacks to gather Apple ID passwords. It would not surprise me in the least if this malware were created by the Chinese government in order to locate and prosecute software pirates.
This is simply another example of why software piracy is a highly dangerous activity to engage in. Cases of malware or adware being distributed in pirated apps are on the rise in the Mac world. Many Mac users feel they can engage freely in such behaviors, since “Macs don’t get viruses.” Obviously, this is a flawed idea, and always has been. Malware has existed for Mac OS X for quite some time, and stolen software is always a common vector for infection.
If you engage in software piracy, through torrents or sites like Pirate Bay, you should cease all such activities immediately! If you believe that you may be infected with WireLurker, use Palo Alto’s script or look for the above files manually (see Locating files from paths) to check for an infection. If your Mac is infected, I recommend erasing the hard drive and reinstalling everything from scratch. Any iOS devices that you have connected to that Mac should also be erased, by restoring the device to factory settings – but be careful not to do this from an infected Mac, or the device will just end up infected again after the process completes.
Thursday, November 6, 2014 @ 11:56 am EST: Apparently, Apple has already updated XProtect and revoked the developer ID used to sign this malware. (I had been holding off mentioning this until my system updated XProtect, but it has been slow to do so, and I know the update is there even if my system isn’t updated yet.) This should prevent future infections, unless a newer variant appears that isn’t detected by XProtect. XProtect identifies the malware as OSX.Machook.A.
Thursday, November 6, 2014 @ 9:50 pm EST: I got my hands on a sample of one of the infected apps used to install WireLurker, and found that it will no longer open, as I would expect. Apple has effectively blocked it. Further, sources are reporting that the command & control server has been taken offline, effectively killing the malware even if Apple hadn’t done anything.
Of course, infected Macs and iOS devices will still need to be cleaned up… but, at least no further information should be gathered from those machines. The damage was probably already done in those cases, though.