New NetWeird variant in the wild
Published March 27th, 2014 at 9:10 AM EDT , modified March 27th, 2014 at 9:10 AM EDT
Since early February, I’ve seen several reports of a new variant of the NetWeird malware. In all cases, this malware was detected by Dr. Web, and was detected as Backdoor.Wirenet.2, as opposed to the earlier Wirenet.1 variant that first appeared back in 2012. It would appear that this malware is still in active development, and the news is bad on all fronts.
When NetWeird (aka Wirenet) first appeared back in 2012, it was pretty lame. It installed itself fairly obviously and suspiciously, making it easy for the user to spot. Further, it attempted – but failed – to add itself to the user’s login items list (so it would open at login). There were a few other variants of this first sample, all very similar and a bit less broken. These are detected by Dr. Web as Backdoor.Wirenet.1, but none of these variants were detected by XProtect until March 13, after I had done some disappointing tests of XProtect and submitted those samples to Apple.
Last month, on Apple’s forums, I saw a case of an infection by something Dr. Web called Backdoor.Wirenet.2. I didn’t think too much about that at the time, as I hadn’t seen any signs of this malware in a while, and I assumed it was probably an older infection, or even a false positive. But then another case showed up on Tuesday, and a search turned up a third (from February) that I hadn’t stumbled across at the time. It started looking like there was something new out there.
A little searching on VirusTotal for anything that Dr. Web called “Backdoor.Wirenet.2” turned up three complete samples: two apps called cracker.app and one named Host.app. If it wasn’t bad enough that this malware is apparently still in active development and distribution, things were about to get worse. I powered up an up-to-date Mavericks test system and tried to open all three apps there, discovering that none of them are detected by the new NetWeird definitions added to XProtect on March 13! All three were allowed to open.
These trojans all displayed identical behavior. They create a new folder called “.Install” in the user’s home folder. Due to the leading period (‘.’) character in the name, this folder is invisible, making it unlikely for the average user to notice it. Next, the malware copies itself into that folder. Finally, it adds itself (successfully) to the user’s login items so that it will be opened automatically when the user logs in.
I have also been pointed to a fourth sample, which is regrettably incomplete. However, it takes a different form, as a file that pretends to be able to activate Microsoft Office 2011, by being copied into a trial installation of Office. It also contains a few pieces of an application that appears to have been called “Office 2011”.
It’s important to point out that at least one person infected with the Wirenet.2 variant of this malware admits to having downloaded pirated material from a torrent. This is extremely dangerous behavior, as it not only exposes you to files that criminals want you to have for free (very suspicious to begin with), but it could also result in bypassing XProtect entirely (depending on the torrent client you use). Do not download such things via torrents, or through any other methods! Any time someone offers you something for free online that other people are paying for, you should be immediately suspicious. Even if such behavior doesn’t result in an infection of some kind, you are breaking the law.
It’s unclear how long this variant has been in the wild. Dr. Web has been detecting it since early February, at least, but it’s difficult to know how long ago this may have been first seen. It’s important to understand that, although these samples are new to me, they may not actually be very new to security companies like Dr. Web. One sample was first submitted to VirusTotal in July of 2013, though that doesn’t say anything about what companies recognized it as malicious at that time.
Due to the potential for backdoor access with this malware, I do not advise trying to remove it manually, as easy as that seems to be. It’s entirely possible that other components may have been downloaded and installed before you have the opportunity to try. If you find that you are infected with this malware, I strongly recommend that you erase the hard drive and reinstall the system from scratch. No other response can guarantee the integrity of your system.
These NetWeird samples have been submitted to Apple. It will be interesting to see how quickly XProtect is updated.
Tags: malware, NetWeird, trojan, Wirenet, XProtect
One Comment
This post is more than 90 days old and has been locked. No further comments are allowed.
Here are VirusTotal scans (re-scanned today) for the 3 samples mentioned in this article:
cracker.app first submitted to VT on 2013-07-06:
https://www.virustotal.com/en/file/35b161dc0b9b47bb7c1cebcdada07860029839a5fe486ac71a755635f52c4386/analysis/1395950297/
(currently 18/50 detection rate)
cracker.app first submitted to VT on 2014-01-05:
https://www.virustotal.com/en/file/fbbf500c4a5966237e5f3a15b315bb7e6cbecc2998b43b7f224ebe698a08919a/analysis/1395950266/
(currently 20/51 detection rate)
Host.app first submitted to VT on 2014-02-01:
https://www.virustotal.com/en/file/fa2744f8863405b2a783464f2690e37b3c303d3006f6b8fc08952a3237d2b099/analysis/1395950243/
(currently 18/51 detection rate)
McAfee, Symantec, Fortinet, and some other big names (as well as MacScan) currently don’t detect any of these files.
So far, only 16 scanning engines used by VirusTotal — namely AVG, Ad-Aware, AntiVir, Avast!, BitDefender, ClamAV, Comodo, Dr.Web, ESET, Emsisoft, F-Secure, GData, MicroWorld-eScan, NANO-Antivirus, Sophos, and nProtect — (as well as Intego VirusBarrier) detect all of these samples.