Mac and iOS Malware Wirelurker

Comments

  • Rusli
    Rusli Posts: 1,012 Influencer

    Currently ESET Nod32 CyberSecurity for Mac Antivirus detects this malware... check eset threat for more details...http://www.eset.com/us/threat-center/threatsense-updates/search/?q=osx

     

    http://blog.kaspersky.com/wirelurker-ios-osx-malware/

     

     

  • Rusli
    Rusli Posts: 1,012 Influencer

    http://www.macissues.com/2014/11/06/faq-on-how-to-detect-and-remove-wirelurker-from-os-x-and-ios/

    https://github.com/PaloAltoNetworks-BD/WireLurkerDetector


    FAQ on how to detect and remove WireLurker from OS X and iOS

    November 6, 2014 by Topher Kessler
    4 Replies    

    BurnIconXFollowing the recent Wirelurker malware that was discovered yesterday, Apple has taken some rapid steps to fix it, including releasing an XProtect update to detect programs that are run on OS X which may contain the malware, and revoking developer certificates for compromised applications that are being used as vectors to spread the malware. In addition to these steps, if you suspect your Mac or iOS system might have been infected, then there are some steps you can take to detect and remove it from your system.
    How could I be infected?

    This malware infects systems by first being distributed through modified software packages. These packages are downloaded through third-party app stores (not the App Store Apple includes in OS X), and from underground Web sites that distribute pirated software. If you suspect software on your system that you have downloaded in the past six months has been from suspect sources such as these, then there might be an area for concern; however, if you have only installed software from the App Store or from an official download from a reputable distributor or developer, then you likely have nothing to worry about.
    Are there known symptoms of an infection?

    There are no known telltale symptoms of Wirelurker; however, malware-infected apps will usually be unstable and crash, or hang, or show similar odd behavior while they run. Even though these alone are not signs of a malware infection, if you have run apps from third-party app stores and unvetted Web sites, and they have not run as expected, then you might take caution and investigate your situation more.

    How do I detect WireLurker?

    The WireLurker malware installs a number of files on your OS X system, which set it up to detect any iOS systems you attach by a USB cable, and then install malware into that iOS device. If you have any of these files on your Mac, then you likely have the malware installed. These have been outlined by Palo Alto Networks, the company that discovered the malware, and for the current variant of the malware include the following files:

        A file called “run.sh” in the Macintosh HD > Users > Shared folder
        Any of the following files in the Macintosh HD > Library > LaunchDaemons folder

        com.apple.machook_damon.plist
        com.apple.globalupdate.plist
        com.apple.watchproc.plist
        com.apple.itunesupdate.plist

        Any of the following files in the Macintosh HD > System > Library > LaunchDaemons folder

        com.apple.appstore.plughelper.plist
        com.apple.MailServiceAgentHelper.plist
        com.apple.systemkeychain-helper.plist
        com.apple.periodic-dd-mm-yy.plist

        In addition, the following files and folders will be in the hidden usr/bin directory, which can be opened by pressing Shift-Command-G in the Finder and then then entering “/usr/bin” in the path field that shows up:

        globalupdate/usr/local/machook/
        WatchProc
        itunesupdate
        com.apple.MailServiceAgentHelper
        com.apple.appstore.PluginHelper
        periodicdate
        systemkeychain-helper
        stty5.11.pl

    If you see any or all of these files in your Mac’s hard drive, then your Mac has likely been compromised. You can remove the malware by removing these files and restarting your system, which should clear it fully; however, Palo Alto Networks has released a python script that will do this for you. The script can be found at this github project, and you can also run it by opening the Terminal and then running the following two commands (copy and paste all lines of each command). The first command downloads the script, and the second runs it in the Terminal–you will need administrative access to run these scripts:

    curl -O https://raw.githubusercontent.com/PaloAltoNetw\
    orks-BD/WireLurkerDetector/master/WireLurkerDetectorOSX.py

    python WireLurkerDetectorOSX.py

    How do I remove WireLurker from iOS?

    If you have detected WireLurker on your Mac and have attached your iOS device to it with a USB cable, then you likely have compromised your iOS device. In this case, you should take no chances and wipe your iOS device:

        Use iCloud to back up your device and all personal data on it
        Go to Settings > General > Reset
        Tap “Erase All Content and Settings” to clear all apps and data from the device
        Restart your iOS device and set it up again
        Sign into iCloud when you set up your iOS device and restore your backed up data
        If needed, download your apps again from the App Store

    You can also attach your iPhone or iPad to your Mac and use the “Restore iPhone/iPad” button in iTunes to factory-reset the device. The key to these steps is they clear out all programs on your iOS device which may have been compromised, and replace them with fresh copies. Your data and files should all be preserved, though you might lose some application settings.

  • Rusli
    Rusli Posts: 1,012 Influencer

    http://www.macissues.com/2014/11/06/apple-responds-to-wirelurker-threat-revokes-developer-certificates/


    Apple responds to ‘Wirelurker’ threat, revokes developer certificates

    November 6, 2014 by Topher Kessler
    1 Reply    

    BurnIconXFollowing the recent discovery of the “Rootpipe” vulnerability in OS X that allows a hacker to bypass the requirement for administrative passwords and gain full control of a Mac system, a new malware attack called “Wirelurker” (aka “MacHook”) has been revealed that affects iOS devices when paired with an infected OS X system. However, Apple has quickly responded to this threat by revoking developer identities for apps identified as being part of this malware scam.

    Outlined yesterday by security researchers at Palo Alto Networks, WireLurker is a trojan horse malware distributed through Chinese-based online app stores, as well as through re-packaged pirated applications distributed on underground networks, that takes advantage of Apple’s Enterprise Provisioning services for iOS to infect iOS systems. Once run on an OS X system, the malware will monitor any iOS device connected to an infected Mac with a USB cable, and will then install malicious applications onto the device. These programs will then attempt to steal data and sensitive information.

    In general, such threats have been thought to be a problem only for jailbroken devices where Apple’s inherent security features are bypassed for the sake of customizing iOS to your liking; however, by using OS X and Apple’s official certifications to talk with the iOS device, this attack can similarly bypass security without requiring a device be jailbroken.

    Overall, Palo Alto Networks describes this threat as one of the largest-scale malware attacks for trojanized (repackaged applications), having been downloaded over 356,104 times in the past six months, by way of over 467 such altered programs. It is also the first in-the-wild malware to install malware on non-jailbroken iOS devices through automatic generation of malicious iOS applications using binary file replacement in existing apps. As a result, this is one of the first malware attacks that affects iOS in a similar way to a traditional virus or worm.

    In quick response to this threat, Apple has taken steps overnight to help stem the impact that this attack has on iOS users, by revoking the certificates being used for the enterprise provisioning routines used by the malware. In a statement to MacNN, Apple has mentioned it is promptly addressing the problem:

        “We are aware of malicious software available from a download site aimed at users in China and we’ve blocked the identified apps to prevent them from launching.”

    In addition, Apple has quickly updated its XProtect malware scanning system that is built into OS X, to help detect the WireLurker installers being hidden in seemingly legitimate programs.

    With these protections in place, if you attempt to open a programs that Apple has identified, OS X will issue a warning that the program you are launching contains known malware, and recommends you do not run it.

    Even though these steps by Apple will help stem the spread of Wirelurker, keep in mind your best mode for securing your Mac is to use computing “street smarts” and, in this case, only install programs from legitimate sources such as Apple’s App Store or as direct downloads from the Web sites of reputable application developers.

    In addition to avoiding underground software Web sites, unsolicited deals, offerings, and other suspicious lures, you can help keep your Mac and iOS devices safe by locking them down with encryption and secure passwords. See the following articles for some suggestions on how best to do this:

        How to secure and lock down your Mac
        Monitor System folders to secure your Mac
        Concerned about privacy? Keep iOS and Mac OS up to date
        How to stay safe using iCloud and other online services

    UPDATE: See here for more information on how to detect and remove the WireLurker malware from OS X and iOS systems

  • Rusli
    Rusli Posts: 1,012 Influencer

    http://www.macissues.com/2014/11/04/how-to-protect-os-x-from-the-rootpipe-vulnerability/


    How to protect OS X from the “rootpipe” vulnerability

    November 4, 2014 by Topher Kessler
    30 Replies    

    BurnIconXA relatively long-standing vulnerability in OS X has been uncovered by a Swedish hacker, Emil Kvarnhammar, who has dubbed it “rootpipe” by the so-far undisclosed method in which it can be used to take control of your Mac. In this vulnerability, a flaw allows a hacker to gain administrative access of a system without supplying a password, and then be able to interact with your Mac as an administrator.

    In an interview with MacWorld, Kvarnhammar describes this bug as having been present in OS X 10.8.5, but he was not able to replicate it in 10.9; however, Apple has shuffled around its code in OS X 10.10 so the bug again allows access.

    In contacting Apple about the issue, Kvarnhammar did not get a response; however, Apple has agreed upon a date in January for full disclosure of the vulnerability’s details, suggesting Apple has indirectly acknowledged the issue and is developing a fix to be out by then.

    In the mean time, this and other privilege-escalation vulnerabilities can be managed by taking two important security steps with your Mac:
    Use a standard user account

    When you set up your Mac, the first user account created will be an administrative one so you can fully configure your system; however, Apple leaves you with this as your main account, instead of requiring you create a separate user account with more limited privileges for daily use. By working in an admin account, you chance encountering vulnerabilities that could give access to your system under this account’s privilege level, and by limiting yourself to a standard account you can help stem such vulnerabilities.

    The process for switching to a standard account for daily use is easy and painless:

        Open the Users & Groups system preferences and authenticate by clicking the lock.
        Create a new user account, and check the box to allow the user to administer the computer.
        Log out of your current account, and log into the new administrator account.
        Go back to the Users & Groups system preferences and again unlock them.
        Select your main user account and uncheck the option to allow the user to administer the computer.

    Setting admin privileges in OS X

    From within your new administrative account, uncheck this box for your other user accounts to prevent them from running as admin.

    When finished, you can log out and back into your main account, and be able to use it as if there is no difference. Now whenever you need to administer your system by installing programs or changing settings that require admin access, you will supply the username and password of your new admin account, instead of that for your current account. This is a trivial difference in function, but does allow your Mac to run with added security.
    Use FileVault

    In addition to running as a standard user, consider enabling FileVault on your Mac. This is another recommendation by Kvarnhammar for preventing the “rootpipe” vulnerability from being used. In general, it is also a good idea, especially for portable systems, to have the entire contents of the drive encrypted. This will prevent a system from being rebooted in alternative modes to bypass the operating system’s security features and access data on the drive. Without the encryption password, the data on your Mac’s drive will be completely inaccessible.
    FileVault in OS X

    Click this button in the Security & Privacy system preferences to enable FileVault.

    FileVault can be enabled by authenticating in the Security & Privacy system preferences, and then clicking the “Turn On FileVault” feature in the FileVault tab. Follow the on-screen instructions for managing your encryption key and enabling specific user accounts for unlocking the drive, and after your drive encrypts (it may take a few hours) your Mac’s drive will be fully encrypted.

  • Rusli
    Rusli Posts: 1,012 Influencer

    This is the method to remove Wirelurker from Palo Alto Networks....with Python scripts...

     

    Both Mac and Windows...

     

    Read the readme file:-

     

    https://github.com/PaloAltoNetworks-BD/WireLurkerDetector/blob/master/README.md

     

    Then proceed

     

    https://github.com/PaloAltoNetworks-BD/WireLurkerDetector

     

     

    WireLurker Detector
    Description

    This project provides script and/or tool to detect the WireLurker malware family found by Palo Alto Networks in Nov 2014.

    For details of the WireLurker:

        http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/
        http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-windows/

    Usage for OS X users

        Open the Terminal application in your OS X system;

        Execute this command to download the script:

        curl -O https://raw.githubusercontent.com/PaloAltoNetworks-BD/WireLurkerDetector/master/WireLurkerDetectorOSX.py

        Run the script in the Terminal:

        python WireLurkerDetectorOSX.py

        Read the output messages and detection result.

    For Windows users

    We described how to technically detect the Windows variant of WireLurker in this document: HOWTO-Windows.md . Please take a look at it if you would like to contribute on it.

    Here are some Windows detection tools developed by others. Remember to thanks them!

        https://github.com/ltfish/WireLurkerCleaner by ltfish

    Issues

    For any issue on the code and its result, please create a issue here: https://github.com/PaloAltoNetworks-BD/WireLurkerDetector/issues

  • Rusli
    Rusli Posts: 1,012 Influencer

    http://www.macissues.com/2014/11/10/how-to-protect-yourself-from-masque-attacks-that-replace-ios-apps-with-malware/

     


    How to protect yourself from ‘Masque Attacks’ that replace iOS apps with malware

    November 10, 2014 by Topher Kessler
    2 Replies    

    BurnIconXFollowing the recent finding of the widespread WireLurker malware that allows an infected system to hijack iOS applications and replace contents to convert them into malicious programs, security researchers at FireEye have revealed this as part of a long-standing flaw in iOS that similarly allows apps to be replaced with malware programs.

    This vulnerability uses the same enterprise provisioning routines that are used by WireLurker, but the approach that WireLurker uses is a limited form of a wider problem with iOS that allows an app to be replaced by another one using the same app bundle identifier.

    What this means is that if you have an app installed through the App Store, then this routine can allow a malicious program disguising itself as the app to be swapped out, and then run without any warnings or errors in iOS. This has potential severe security impacts, such as mobile banking apps that could be replaced with ones that mimic a bank’s interface, only to have your credentials sent to a third party.

    While the threat from WireLurker was limited to attaching your iOS device to an infected Mac via a USB cable, the Masque Attack can be used to install apps from a number of other locations, including Web pages and third-party app stores. In a demonstration of this problem, FireEye researchers were able to have a Web page install an app called “New Flappy Bird” that swaps out an original Gmail app on an iPhone.

    How to protect yourself from masque attacks

    While this problem has potential to be a widespread threat, if you use your iOS devices under standard conditions and with apps you only install from the App Store, then you are good to go. Staying safe from this and similar threats simply involve following these common guidelines:

        Do not jailbreak your device (or do so only if you know exactly what you are doing and understand the risks).
        Do not tap “install” on any alerts from Web pages that request you install anything on your iOS device.
        Avoid third-party App Stores, and only use Apple’s built-in App Store to install programs on your iOS device.
        Avoid opening any program that shows warnings such as “untrusted app developer,” even if the app looks legitimate.

    If you run across any Web page or installed app that shows these behaviors, then close it down, do not install anything, and delete any suspected app from your iOS device. You can always re-download the app to your system from the App Store to get a legitimate version.

    Another security measure that enterprise-managed iOS 7 devices can take is to check your device’s profiles for any provisioning profiles. To do this, go to Settings > General > Profiles and then check any listed provisioning profiles with your enterprise’s IT department to see whether or not they are authentic. However, this feature is not available in iOS 8, so be sure you are extra careful about what apps you install for devices running this version of iOS.

This discussion has been closed.
Pricing & Product Info