New WireLurker malware infects Mac OS X and iOS

Published November 6th, 2014 at 10:31 AM EST , modified November 7th, 2014 at 2:07 PM EST

Palo Alto Networks announced yesterday their discovery of new malware for Mac OS X, which they are calling WireLurker. This malware has been distributed in 467 known pirated apps distributed in China’s Maiyadi App Store (not affiliated with Apple’s Mac App Store). To make matters worse, this malware is known to infect iOS devices that are connected to infected Macs, even if those iOS devices have not been jailbroken!

The malware has evidently been circulating since April, but has only recently caught the attention of security researchers. According to Palo Alto’s research, the trojanized apps made up the majority of the uploads to Maiyadi between April 30, 2014 and June 11, 2014, and were downloaded more than 356,104 times, as of October 16.

Once run on a Mac, the malicious apps dropped quite an array of files. A WireLurker detection script released by Palo Alto looks for the following files, which it identifies as malicious or, in the case of the last two, suspicious:

/Users/Shared/run.sh
/Library/LaunchDaemons/com.apple.machook_damon.plist
/Library/LaunchDaemons/com.apple.globalupdate.plist
/usr/bin/globalupdate
/usr/local/machook/
/usr/bin/WatchProc
/usr/bin/itunesupdate
/Library/LaunchDaemons/com.apple.watchproc.plist
/Library/LaunchDaemons/com.apple.itunesupdate.plist
/System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist
/System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
/System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
/System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
/usr/bin/com.apple.MailServiceAgentHelper
/usr/bin/com.apple.appstore.PluginHelper
/usr/bin/periodicdate
/usr/bin/systemkeychain-helper
/usr/bin/stty5.11.pl
/etc/manpath.d/
/usr/local/ipcc/

This is a far more extensive list of dropped files than I believe I have ever seen in any Mac malware. However, as interesting as that fact is, it’s far from the most interesting thing about this malware. It gets worse… the malware’s main job appears to be watching for iOS devices to be connected. Once that happens, it does two things. First, it grabs identifying information from the device, such as serial number, phone number and other personally identifying information, and transmits this information to a server.

Next, it tries to install malicious apps on the iOS device. If the device is jailbroken (ie, hacked to allow apps downloaded from somewhere other than Apple’s App Store), this is done in a very pervasive manner, even allowing for infection of system apps, with the intent of gathering more personally identifying information and transmitting it back to the server.

However, on an iOS device that has not been jailbroken, the malware installs malicious apps through “enterprise provisioning,” which allows for installation of custom business apps distributed by an employer rather than through the App Store. This is the first time that this system has been abused to install malware on iOS devices that have not been jailbroken, and will probably lead to Apple making some security-related changes to that system in the future.

Interestingly, this malware seems to be focused on collecting information that could be used to identify the device and the individual using it. Palo Alto has not commented on the possible goals of this malware, saying that “none of the information points to a specific motive.” However, Jonathan Zdziarski mentions an intriguing possibility: that the malware seems to be trying to identify Chinese software pirates.

China has shown a willingness to use unethical techniques to invade the privacy of Chinese citizens, even being accused recently of using man-in-the-middle attacks to gather Apple ID passwords. It would not surprise me in the least if this malware were created by the Chinese government in order to locate and prosecute software pirates.

This is simply another example of why software piracy is a highly dangerous activity to engage in. Cases of malware or adware being distributed in pirated apps are on the rise in the Mac world. Many Mac users feel they can engage freely in such behaviors, since “Macs don’t get viruses.” Obviously, this is a flawed idea, and always has been. Malware has existed for Mac OS X for quite some time, and stolen software is always a common vector for infection.

If you engage in software piracy, through torrents or sites like Pirate Bay, you should cease all such activities immediately! If you believe that you may be infected with WireLurker, use Palo Alto’s script or look for the above files manually (see Locating files from paths) to check for an infection. If your Mac is infected, I recommend erasing the hard drive and reinstalling everything from scratch. Any iOS devices that you have connected to that Mac should also be erased, by restoring the device to factory settings – but be careful not to do this from an infected Mac, or the device will just end up infected again after the process completes.

Updates

Thursday, November 6, 2014 @ 11:56 am EST: Apparently, Apple has already updated XProtect and revoked the developer ID used to sign this malware. (I had been holding off mentioning this until my system updated XProtect, but it has been slow to do so, and I know the update is there even if my system isn’t updated yet.) This should prevent future infections, unless a newer variant appears that isn’t detected by XProtect. XProtect identifies the malware as OSX.Machook.A.

Thursday, November 6, 2014 @ 9:50 pm EST: I got my hands on a sample of one of the infected apps used to install WireLurker, and found that it will no longer open, as I would expect. Apple has effectively blocked it. Further, sources are reporting that the command & control server has been taken offline, effectively killing the malware even if Apple hadn’t done anything.

Of course, infected Macs and iOS devices will still need to be cleaned up… but, at least no further information should be gathered from those machines. The damage was probably already done in those cases, though.

Tags: China, iOS, Mac OS X, malware, WireLurker

17 Comments

Matthew says:

November 6, 2014 at 11:01 am

So if we are ethical people and don’t pirate, we’re fine (at least for now)?
- Thomas says:
  
  November 6, 2014 at 11:54 am
  
  As far as this one is concerned, yes… it looks like only people using the Maiyadi App Store to download stolen software are affected by WireLurker.
- Derek Currie says:
  
  November 6, 2014 at 3:43 pm
  
  If you’d like to FUD yourself, read through Jonathan Zdziarski’s article which Thomas linked above. He warns of the possible future for such malware, including its use outside of the warez community.
iEscape says:

November 6, 2014 at 4:58 pm

Good news:
http://threatpost.com/wirelurker-mac-os-x-malware-shut-down/109204
iEscape says:

November 6, 2014 at 5:06 pm

Second good news:
http://blogs.wsj.com/digits/2014/11/06/apple-blocks-chinese-iphone-hacks/
Steven J Klein says:

November 20, 2014 at 12:47 pm

Has AdwareMedic been updated to recognize WireLurker?
- Thomas says:
  
  November 20, 2014 at 1:22 pm
  
  No, AdwareMedic is not anti-virus software, and thus does not attempt to look for or remove real malware like WireLurker. AdwareMedic is just for adware.
  - Steven Jay Klein says:
    
    November 22, 2014 at 9:53 pm
    
    Are you aware of a similar product for viruses? I don’t mean av protection software, but just a clean-up utility?
    - Thomas says:
      
      November 23, 2014 at 6:58 am
      
      Nope, there’s really nothing similar for malware. Anti-virus software may be able to remove some things, but I almost never recommend allowing anti-virus software to remove infected files that it finds. See:
      
      http://www.thesafemac.com/how-to-remove-infected-files/
Finn says:

November 21, 2014 at 12:43 am

I noticed Machook.A and Machook.B in the latest XProtect update. Machook is also in your list of Wirelurker files/folders. I wonder if this is Apple giving protection against Wirelurker?
- Thomas says:
  
  November 21, 2014 at 5:57 am
  
  Yes, WireLurker’s teeth have been thoroughly pulled by Apple and by the shutdown of the command & control server. See the updates at the end of the article above for more details.
Tom says:

November 24, 2014 at 4:38 pm

How would you clean up if were infected? Would erasing the HD be enough?
- Thomas says:
  
  November 24, 2014 at 5:30 pm
  
  Erasing the hard drive would certainly be enough. Would it be necessary? Hard to say. Probably not, but I can’t say that with any certainty.
Professormac says:

December 6, 2014 at 5:31 pm

Adwaremedic is not a lie
Steve says:

December 21, 2014 at 10:48 pm

Are OS X systems older than Mountain Lion vulnerable to Wirelurker?
- Thomas says:
  
  December 22, 2014 at 7:00 am
  
  Nothing is vulnerable to WireLurker anymore. The malware has been effectively killed. See the updates at the end of the article above.
Philippe Lerch says:

January 31, 2015 at 12:17 pm

Allow me a perhaps silly question.

Say someone honest writes a “WireLurker” detector script and spreads it. Users can run the script and read its output, then take appropriate actions. Now assume someone less honest, writes seemingly the same but there is more behind the scene that could happen. Even perhaps something harmful. Not everyone can, by reading the script before running it, immediately identify “bad actions”.

This post is more than 90 days old and has been locked. No further comments are allowed.