WireLurker Mac OS X Malware Found, Shut Down

msm1267 writes WireLurker is no more. After causing an overnight sensation, the newly disclosed family of Apple Mac OS X malware capable of also infecting iOS devices has been put to rest. Researchers at Palo Alto Networks confirmed this morning that the command and control infrastructure supporting WireLurker has been shut down and Apple has revoked a legitimate digital certificate used to sign WireLurker code and allow it to infect non-jailbroken iOS devices.

Researchers at Palo Alto Networks discovered and dubbed the threat WireLurker because it spreads from infected OS X computers to iOS once the mobile device is connected to a Mac via USB. The malware analyzes the connected iOS device looking for a number of popular applications in China, namely the Meitu photo app, the Taobao online auction app, or the AliPay payment application. If any of those are found on the iOS device, WireLurker extracts its and replaces it with a Trojanized version of the same app repackaged with malware.

Patient zero is a Chinese third-party app store called Maiyadi known for hosting pirated apps for both platforms. To date, Palo Alto researchers said, 467 infected OS X apps have been found on Maiyadi and those apps have been downloaded more than 350,000 times as of Oct. 16 by more than 100,000 users.

risk vs opportunity

[Anonymous Coward]

Why take a risk in going beyond the walden garden for a bloody photo-app, while in paradise there exist countless photo-apps for free?

Re:

[MachineShedFred]

Clearly, XProtect [wikipedia.org] does "just work" as Apple was able to stamp that shit out in less than a day.

There's probably STILL Windows machines infected with iloveyou out there.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[andreicristianpetcu]

like the 700.000 zombie mac botnet army a few years back, or like gotofail

Re:

[Anonymous Coward]

Yes. EXACTLY. Mac’s are as vulnerable as Windows and iPhones as vulnerable as Android because not only did a rogue app store send fake apps, but “a few years back” there was a botnet. Idiot.

Re:

[Anonymous Coward]

Yes. EXACTLY. Mac’s are as vulnerable as Windows and iPhones as vulnerable as Android because not only did a rogue app store send fake apps, but “a few years back” there was a botnet. Idiot.

You should be careful not creating a strawman to fight. I don't think anybody claim Mac's are *as* vulnerable as Windows (or iOS vs Android), but (rightly) challenging the false perception that it is immune.

Also, "a few years back there was a botnet" doesn't really do justice to the largest malware epidemic in modern times - regardless of platform - in terms of percentage of user base infected. Around 1% of internet connected Macs where infected by Mac Flashback. Second biggest was Windows Conficker with a

Re:

[MachineShedFred]

With percentage of user base arguments, you could say that if 5 SCO UnixWare machines got infected it's the worst outbreak ever, because that would be like 15% of their installed user base!

Massaging the statistics still doesn't make the orders of magnitude of difference between infected Windows boxes and infected Macs any different.

Sure. Just exactly as vulnerable. That's a laugh!

[Anonymous Coward]

Mac's are only as vulnerable as Windows, etc... if you only allow for two levels of vulnerability: Vulnerable, and Invulnerable.

(BTW, if you used your OS X machine the way any sane Unix or GNU/Linux user does, and you don't do daily tasks from an administrator account... you are apparently not at risk from this malware. Why would you use your OS X machine the same way someone whose computer runs Unix does? Because underneath all the pretty, flowery goodness and pretty special effects in OS X,... IT'S UNIX

Re:

[psergiu]

Too bad OS X is opensource.
http://opensource.apple.com/ [apple.com]
We should all switch to a truly proprietary OS. Anyone has any advice on which truly-proprietary OS is better security-wise ?

Re:

[exomondo]

That page lists the projects used in OS X (and iOS) that are open source, you cannot download the source code for OS X.

Re:

[exomondo]

Wrong, that's just the kernel of OS X. Where's the code for the other essential parts of OSX like Quartz Extreme, Aqua, Cocoa framework, System Preferences (and all its sub utilities)?

The title of the linked page even says "Apple releases OS X 10.10 Yosemite Open Source Darwin code", explicitly stating in no uncertain terms that they are talking about Darwin, which is one component of OS X.

Re:

[jazzis]

http://www.opensource.apple.co... [apple.com] https://developer.apple.com/li... [apple.com] Darwin (Yosemite 10.10)

Re:

[exomondo]

Yes I see those links. You can build the kernel and you can build some of the components used in the operating system but - as I have already said - you cannot download the source code for OS X, only some bits of it. If you think it's possible then certainly give me the link, but those links you provided most certainly are not it.

Re:

[jazzis]

https://opensource.apple.com/r... [apple.com]

Re:

[AHuxley]

re "This is what I like about proprietary software. Lots of eyeballs are probing for vulnerabilities, and when such are found, they are fixed quickly by professional paid developers."
The same brands who allowed years of weak crypto for the NSA and GCHQ?
Hard to see what extras a person gets with proprietary software. Or what is nor fixed or fixed later.

Re:

[Jeremi]

Hard to see what extras a person gets with proprietary software. Or what is nor fixed or fixed later.

If a piece of software has had lots of development and testing done on it by very talented individuals, the user gets to enjoy better-designed, higher-quality software.

In some (but not all) cases, the proprietary nature of the software supplies the money necessary to pay those talented programmers and testers to spend the extra time necessary to really develop/debug/polish the software's quality.

Open source software sometimes gets that extra attention too, but since it's often written by self-directed volun

Re:

[MachineShedFred]

You're exactly right. In my new job that I've had for a month now, we've been picking open-source solutions wherever we can, and it usually takes far more time and effort to get it set up properly because the documentation is lacking, the different components don't always work together as they should, what documentation that does exist highly favors one particular distort family, and you're compiling from source and dealing with dependency hell if you're on the other family, etc.

Say what you will about Win

Re:

[NotDrWho]

Blasphemy!!!

Re:Now

[Aaden42]

RTFA, please. This didn’t require jailbreaking to infect the phone.

Infection process:

1) Download pirate-friendly AppStore app for your Mac.
2) Download & run one of the trojaned, probably pirated apps on your Mac.
3) Plug in your phone.
4) Accept the prompt to install an enterprise provisioning profile, enter your device’s unlock code to authorize that, confirm one more time that you’re certain you want to install the profile (at least that was the process last time I added a custom profile: Two “Are you sure?"’s and an authentication prompt, not just TouchID).
5) Trojaned apps on Mac scan for interesting apps on the phone & replace them with trojaned versions of the iOS apps.

No iOS or Mac bugs were exploited.

The Mac side was just downloading & running dodgy software from (software) houses of ill repute.

The iOS side relied on a legitimate Apple-signed key that was issued to some company (haven’t found the name of the company yet — redacted to protect the careless?) It does seem that the key had greater than usual entitlements to allow additional background execution beyond what’s usually allowed. The trojaned iOS apps ran on a non-jailbroken, non-compromised (by bugs anyways) phone because the user allowed installation of the enterprise provisioning profile which allows the phone to run apps signed by someone other than Apple.

As far as mitigation, Apple added signatures for the Mac-side stuff to Gatekeeper so OS X won’t run them any more unless you stand on your head and accept a bunch of, “This will explode your computer!” prompts.

They also revoked the provisioning profile signing key on the phone side, so it can’t create newly trojaned apps on the phone, and the profile won’t be installable on new phones. I’m not sure at the moment what effect that revocation has on phones that have already installed the profile or on apps that were already modified by it. I’m also not sure if it’s vulnerable to the “change the date on your phone” thing that was used to installed NES emulators a while back. At one point, apps’ signatures were only checked on initial install, but I *think* expired or revoked enterprise profiles are actually checked at each launch and the apps should die now.

Re:Now

[the computer guy nex]

"RTFA, please. This didn’t require jailbreaking to infect the phone."

Non-jailbroken phones were never 'infected.' WireLurker simply loaded a harmless comic book app on non-jailbroken devices. Since WireLurker didn't jailbreak your device, it was limited to the iOS sandbox.

This wasn't even malware for non-jailbreak devices. The user was prompted to install an enterprise app, and had the ability to allow/deny. The app itself was harmless. The only malware was for jailbroken devices.

Re:

[the computer guy nex]

If you read the paper, non-jailbroken devices were 'infected' with a harmless comic book app. This only occurred if the user accepted the enterprise cert.

"Once Wirelurker gains access to a non-jailbroken iPhone, the program currently side-loads a non-malicious comic book app onto the phone."

Loading an enterprise-signed application, requiring user acceptance, that is non-malicious isn't much of an infection.

Re:

[MachineShedFred]

And by "infection vector" you mean "documented and intended functionality to support large organizations with custom app development", right?

Because that's what we're talking about - they used a certificate they stole from a registered enterprise developer account to sign apps and load them in via a profile, which has been available since iOS 6 or so. And, that app is still beholden to the same sandboxing rules as any other app.

That cert has now been revoked, and anything signed with it is now useless non-

Re:

[j-beda]

You mean jailbroken iOS devices downloading pirated software from a dodgy store?

Non-jailbroken devices that don't have this store available are immune to this, as this malware isn't coming from Apple's store.

Actually, it looks like this is driven by a Mac OS X application the at was spread by being delivered along with legitimate software from a software collection site (like the info-mac archives once was in those halcion days of yore. https://en.wikipedia.org/wiki/... [wikipedia.org] Or maybe it was cracked/stolen/pirated software that contained the malware.

Once installed on the Mac OS X computer, making use of legittimage Apple developer credentials, the software seems to have been able to infect non-jailbroken iOS devices

Re:Now

[tlhIngan]

Once installed on the Mac OS X computer, making use of legittimage Apple developer credentials, the software seems to have been able to infect non-jailbroken iOS devices when those devices were attached to the machine via USB.

No, it wasn't developer credentials, it was enterprise credentials.

Developer credentials is that every year, you get to add up to 100 devices to your "testing" list. You submit that list to Apple and Apple gives you back a .mobileprovisioning file that is signed by Apple containing the list of those 100 devices. Beta testers then install that file on their device and it lets you test unsigned software on it. But 100 devices max, and you can only reset it once a year (so it's not 100 devices, reset it, another 100 devices, etc). You can add devices if you have less than 100 at any time, but to clear it can only be done annually.

An enterprise certificate costs more ($500/year) but it comes with signing rights, so you can make provisioning files, sign apps (so you can bypass the App Store) and other things. Of course, you have to install the enterprise certificate to run enterprise signed apps.

The malware used a legit developer cert ($99/year) to sign the malware app on OS X (you can bypass the Mac App Store by buying a certificate from Apple to sign your own apps as the OS X default is "Mac App Store and Signed Apps Only"). That malware then installs the enterprise provisioning onto a connected iOS device and then pushes the signed malware to it.

Thus, what Apple did was revoke the signing key, revoke the enterprise cert, and install new XProtect signatures to neuter the OS X apps.

Re:

[MachineShedFred]

Can we put away the straw man that people actually say that first?

No.

[kuzb]

This is not the same as preventing the vulnerability. It's just taking away the control center. it does not prevent someone from doing it again in the future so stop thinking you're safe because you run a Mac.

Re:

[Paradise Pete]

it does not prevent someone from doing it again in the future so stop thinking you're safe because you run a Mac.

How about if I just feel safer? Is that OK?

Technical Report from Unit42 on the Malware

[Vokkyt]

There is a PDF report on the main website for Unit42 about the malware, but it has a fairly invasive registration process. Signed up with bs info and uploaded to public google drive for everyone. [google.com]

Link to the researchers website for those cautious about the gdocs link [paloaltonetworks.com]

Straight Link to the report (requires registration) [paloaltonetworks.com]

Have not read the technical details yet, but it looks fairly comprehensive.

Re:

[Vokkyt]

Also, they wrote a detection script: https://github.com/PaloAltoNet... [github.com]

What happened to compromise the cert?

[gweihir]

Really, the story here is that the malware was signed by a valid certificate. This basically means the certificate system is worthless. That is a far bigger threat than any single malware.

Re:

[Jeremi]

Really, the story here is that the malware was signed by a valid certificate. This basically means the certificate system is worthless

I think "worthless" is a bit too strong of a characterization. Now that the company's certificate is known to be compromised, Apple invalidates their certificate, and all malware that is signed with that certificate will no longer run on any Internet-connected Mac. That's not ideal, but it's a lot better than not having any mechanism to stop known malware.

If there is a more effective security mechanism that Apple ought to be using instead, I'd be interested in hearing about it.

Re:

[gweihir]

The important question is _how_ the certificate was compromised. Unless that problem is solved, the next one will just get compromised again.

Re:

[MachineShedFred]

that's easy - weak or compromised (read: intercepted through unencrypted email or social engineering) password on the enterprise developer account on http://adc.apple.com/ [apple.com]

Because that's never been a problem in the past, ever.

Re:

[gweihir]

And unless this is fixed and prevented _reliable_ from happening again, certs issued or used bu Apple are worthless.

Re:

[MachineShedFred]

Yeah, because this is only an Apple problem. In the past history of PKI, nobody has ever had a certificate compromised. Except for just about everyone.

Re:

[MachineShedFred]

Yeah, because certificates have never been compromised before. If anything, the almost-instant revocation of the certificate across millions of devices shows that it works great.