WireLurker Mac OS X Malware Found, Shut Down

msm1267 writes: WireLurker is no more. After causing an overnight sensation, the newly disclosed family of Apple Mac OS X malware capable of also infecting iOS devices has been put to rest. Researchers at Palo Alto Networks confirmed this morning that the command and control infrastructure supporting WireLurker has been shut down and Apple has revoked a legitimate digital certificate used to sign WireLurker code and allow it to infect non-jailbroken iOS devices.

Researchers at Palo Alto Networks discovered and dubbed the threat WireLurker because it spreads from infected OS X computers to iOS once the mobile device is connected to a Mac via USB. The malware analyzes the connected iOS device looking for a number of popular applications in China, namely the Meitu photo app, the Taobao online auction app, or the AliPay payment application. If any of those are found on the iOS device, WireLurker extracts it and replaces it with a Trojanized version of the same app repackaged with malware.

Patient zero is a Chinese third-party app store called Maiyadi known for hosting pirated apps for both platforms. To date, Palo Alto researchers said, 467 infected OS X apps have been found on Maiyadi and those apps have been downloaded more than 350,000 times as of Oct. 16 by more than 100,000 users.
  • by Anonymous Coward

    Why take a risk in going beyond the walled garden for a bloody photo-app, while in paradise there exist countless photo-apps for free?

  • by DigiShaman ( 671371 ) on Thursday November 06, 2014 @03:07PM (#48327507) Homepage

    Some lessons are never learned.

  • by kuzb ( 724081 )

    This is not the same as preventing the vulnerability. It's just taking away the control center. It does not prevent someone from doing it again in the future, so stop thinking you're safe because you run a Mac.

    • It does not prevent someone from doing it again in the future, so stop thinking you're safe because you run a Mac.

      How about if I just feel safer? Is that OK?

  • There is a PDF report on the main website for Unit42 about the malware, but it has a fairly invasive registration process. Signed up with bs info and uploaded to public google drive for everyone. [google.com]

    Link to the researchers website for those cautious about the gdocs link [paloaltonetworks.com]

    Straight Link to the report (requires registration) [paloaltonetworks.com]

    Have not read the technical details yet, but it looks fairly comprehensive.

  • Really, the story here is that the malware was signed by a valid certificate. This basically means the certificate system is worthless. That is a far bigger threat than any single malware.

    • by Jeremi ( 14640 )

      Really, the story here is that the malware was signed by a valid certificate. This basically means the certificate system is worthless

      I think "worthless" is a bit too strong of a characterization. Now that the company's certificate is known to be compromised, Apple invalidates their certificate, and all malware that is signed with that certificate will no longer run on any Internet-connected Mac. That's not ideal, but it's a lot better than not having any mechanism to stop known malware.

      If there is a more effective security mechanism that Apple ought to be using instead, I'd be interested in hearing about it.

      • by gweihir ( 88907 )

        The important question is _how_ the certificate was compromised. Unless that problem is solved, the next one will just get compromised again.

        • That's easy - weak or compromised (read: intercepted through unencrypted email or social engineering) password on the enterprise developer account on http://adc.apple.com/ [apple.com]

          Because that's never been a problem in the past, ever.

          • by gweihir ( 88907 )

            And unless this is fixed and prevented _reliably_ from happening again, certs issued or used by Apple are worthless.

            • Yeah, because this is only an Apple problem. In the past history of PKI, nobody has ever had a certificate compromised. Except for just about everyone.

    • Yeah, because certificates have never been compromised before. If anything, the almost-instant revocation of the certificate across millions of devices shows that it works great.
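A defender's check for the revocation mechanism Jeremi describes above, added here as example code that is not part of the Slashdot thread or of Palo Alto's report: it lists each app bundle in /Applications with the team ID and leaf signing authority reported by `codesign`, alongside the Gatekeeper verdict from `spctl`, which becomes "rejected" once Apple revokes the certificate the app was signed with. It assumes macOS with the stock `codesign` and `spctl` tools; any sample output in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread or Palo Alto's report): audit the
# code signatures of macOS app bundles and flag those Gatekeeper now rejects,
# e.g. because Apple revoked the signing certificate. Assumes macOS with the
# stock codesign and spctl tools.

# Reduce `codesign -dvv` output (it writes these details to stderr) to the two
# fields worth triaging: "team identifier|leaf signing authority".
parse_signing_info() {
    printf '%s\n' "$1" | awk -F= '
        /^TeamIdentifier=/ { team = $2 }
        /^Authority=/ && leaf == "" { leaf = substr($0, index($0, "=") + 1) }
        END { printf "%s|%s\n", (team == "" ? "none" : team), (leaf == "" ? "unsigned" : leaf) }'
}

# Classify the verdict line from `spctl --assess --type execute -vv <app>`,
# which reads "<path>: accepted" or "<path>: rejected" (again on stderr).
gatekeeper_verdict() {
    case "$1" in
        *": accepted"*) echo accepted ;;
        *": rejected"*) echo rejected ;;
        *)              echo unknown ;;
    esac
}

# Walk the bundles in a directory (default /Applications) and print one line
# per app: verdict, team ID, path and the leaf authority that signed it.
audit_apps() {
    dir="${1:-/Applications}"
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        info=$(parse_signing_info "$(codesign -dvv "$app" 2>&1)")
        verdict=$(gatekeeper_verdict "$(spctl --assess --type execute -vv "$app" 2>&1)")
        printf '%-8s %-12s %s  [%s]\n' "$verdict" "${info%%|*}" "$app" "${info#*|}"
    done
}

# Only run the audit on macOS; the helper functions stay usable elsewhere.
if [ "$(uname)" = Darwin ]; then
    audit_apps "$@"
fi
```

Apps whose verdict is "rejected" while the leaf authority still names a developer are the ones to look at first: the signature is intact but the certificate behind it is no longer trusted.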
