WireLurker Mac OS X Malware Found, Shut Down

msm1267 writes WireLurker is no more. After causing an overnight sensation, the newly disclosed family of Apple Mac OS X malware capable of also infecting iOS devices has been put to rest. Researchers at Palo Alto Networks confirmed this morning that the command and control infrastructure supporting WireLurker has been shut down and Apple has revoked a legitimate digital certificate used to sign WireLurker code and allow it to infect non-jailbroken iOS devices.

Researchers at Palo Alto Networks discovered and dubbed the threat WireLurker because it spreads from infected OS X computers to iOS once the mobile device is connected to a Mac via USB. The malware analyzes the connected iOS device looking for a number of popular applications in China, namely the Meitu photo app, the Taobao online auction app, or the AliPay payment application. If any of those are found on the iOS device, WireLurker extracts its and replaces it with a Trojanized version of the same app repackaged with malware.

Patient zero is a Chinese third-party app store called Maiyadi known for hosting pirated apps for both platforms. To date, Palo Alto researchers said, 467 infected OS X apps have been found on Maiyadi and those apps have been downloaded more than 350,000 times as of Oct. 16 by more than 100,000 users.

risk vs opportunity

Why take a risk in going beyond the walden garden for a bloody photo-app, while in paradise there exist countless photo-apps for free?

Re:risk vs opportunity

They clearly forgot their 5th Commandment: "Downloadth only from Father Steve and thou shall be saved." They must make penance by saying ten Hail Steves and buying a new iPhone 6+.

Re:risk vs opportunity

I was wondering how AppleDot would spin this as positive for their paymasters. .

Re:risk vs opportunity

The Apple cult gives their members a possibility of giving one tenth of their salaries to the church of Steve. People can not write facebook posts for "I just apt-get'd a gimp", but they get their fix of jealosy, respect and approval from "I just bought a $100 " posts.

Re:risk vs opportunity

Yeah, because a broad spectrum of people actually *like* Apple products, rather than merely tolerating the alternatives.

Get over your jealousy already.

Re:risk vs opportunity

Jealousy? Why would someone be jealous for Apple thingies? They are just the same crap built by chinese children as anything else, but only with shiny logo which is important for a cult of believers.

Re:risk vs opportunity

Buying Apple products is like buying a car that has had its hood welded shut and only allows you to drive on specific roads. Apple is computer training wheels for stupid people.

something something

'it just works' something something... insert witty remark here

Re:something something

Oh noes! I thought Apple was immune.

Maybe that's why they pulled this from the store: the malware's control infrastructure was removed causing a degradation in the user experience. Can't have apps like that around!

Re:something something

[MachineShedFred]

Clearly, XProtect does "just work" as Apple was able to stamp that shit out in less than a day.

There's probably STILL Windows machines infected with iloveyou out there.

No honor among thieves

[DigiShaman]

Some lessons are never learned.

Good

This is what I like about proprietary software. Lots of eyeballs are probing for vulnerabilities, and when such are found, they are fixed quickly by professional paid developers.

Re:Good

[andreicristianpetcu]

like the 700.000 zombie mac botnet army a few years back, or like gotofail

Re:Good

Yes. EXACTLY. Mac’s are as vulnerable as Windows and iPhones as vulnerable as Android because not only did a rogue app store send fake apps, but “a few years back” there was a botnet. Idiot.

Re:Good

Yes. EXACTLY. Mac’s are as vulnerable as Windows and iPhones as vulnerable as Android because not only did a rogue app store send fake apps, but “a few years back” there was a botnet. Idiot.

You should be careful not creating a strawman to fight. I don't think anybody claim Mac's are *as* vulnerable as Windows (or iOS vs Android), but (rightly) challenging the false perception that it is immune.

Also, "a few years back there was a botnet" doesn't really do justice to the largest malware epidemic in modern times - regardless of platform - in terms of percentage of user base infected. Around 1% of internet connected Macs where infected by Mac Flashback. Second biggest was Windows Conficker with around 0.7% of Windows machines infected (of course that is more PCs, but percentage of user base is the relevant measurement).

btw, why are you talking about rogue app store? That is not what is happening in this WireLurker case.

Re:Good

[psergiu]

Too bad OS X is opensource.
http://opensource.apple.com/
We should all switch to a truly proprietary OS. Anyone has any advice on which truly-proprietary OS is better security-wise ?

Re:Good

Too bad OS X is opensource. http://opensource.apple.com/ We should all switch to a truly proprietary OS. Anyone has any advice on which truly-proprietary OS is better security-wise ?

So hold on, from that page you actually took that to mean OSX is open source? Did you not *read* the page or do you not know what OSX is?

Re:Good

[exomondo]

That page lists the projects used in OS X (and iOS) that are open source, you cannot download the source code for OS X.

Re:Good

Here ya go dummies. http://9to5mac.com/2014/10/31/...

Re:Good

[jazzis]

http://www.opensource.apple.co... https://developer.apple.com/li... Darwin (Yosemite 10.10)

Re:Good

[exomondo]

Yes I see those links. You can build the kernel and you can build some of the components used in the operating system but - as I have already said - you cannot download the source code for OS X, only some bits of it. If you think it's possible then certainly give me the link, but those links you provided most certainly are not it.

Re:Good

[exomondo]

Wrong, that's just the kernel of OS X. Where's the code for the other essential parts of OSX like Quartz Extreme, Aqua, Cocoa framework, System Preferences (and all its sub utilities)?

The title of the linked page even says "Apple releases OS X 10.10 Yosemite Open Source Darwin code", explicitly stating in no uncertain terms that they are talking about Darwin, which is one component of OS X.

Re:Good

From the link:

Apple releases OS X 10.10 Yosemite Open Source Darwin code

First clue: Why is they say "Darwin"? Surely if they were releasing the OSX Yosemite code they would say "Apple releases OS X 10.10 Yosemite Open Source code", but they didnt, they said "Darwin".

Darwin is an open sourceUnix-like computer operating system released by Apple Inc. in 2000. It is composed of code developed by Apple, as well as code derived from NeXTSTEP, BSD, and other free software projects.

Second clue: Again they are talking about "Darwin" and not about OSX.

Darwin forms the core set of components upon which OS X and iOS are based.

Final clue: "Darwin" is a set of components that are part of OSX and iOS but Darwin is not OSX or iOS.

The page makes it clear such that even the most uneducated of people could understand: That Darwin is not OSX. How is it that with the information presented there you can still not understand that Darwin != OSX?

...news for nerds indeed.

Re:Good

[AHuxley]

re "This is what I like about proprietary software. Lots of eyeballs are probing for vulnerabilities, and when such are found, they are fixed quickly by professional paid developers."
The same brands who allowed years of weak crypto for the NSA and GCHQ?
Hard to see what extras a person gets with proprietary software. Or what is nor fixed or fixed later.

Re:Good

[Jeremi]

Hard to see what extras a person gets with proprietary software. Or what is nor fixed or fixed later.

If a piece of software has had lots of development and testing done on it by very talented individuals, the user gets to enjoy better-designed, higher-quality software.

In some (but not all) cases, the proprietary nature of the software supplies the money necessary to pay those talented programmers and testers to spend the extra time necessary to really develop/debug/polish the software's quality.

Open source software sometimes gets that extra attention too, but since it's often written by self-directed volunteers, the extra-mile polishing often happens only to the parts of the software that software developers find interesting. Hence Linux's great kernel, but mediocre [relative to OS/X] GUI.

Does being proprietary make software more secure? Unlikely -- but security is not the only yardstick by which software is judged.

Re:Good

[MachineShedFred]

With percentage of user base arguments, you could say that if 5 SCO UnixWare machines got infected it's the worst outbreak ever, because that would be like 15% of their installed user base!

Massaging the statistics still doesn't make the orders of magnitude of difference between infected Windows boxes and infected Macs any different.

Re:Good

[MachineShedFred]

You're exactly right. In my new job that I've had for a month now, we've been picking open-source solutions wherever we can, and it usually takes far more time and effort to get it set up properly because the documentation is lacking, the different components don't always work together as they should, what documentation that does exist highly favors one particular distort family, and you're compiling from source and dealing with dependency hell if you're on the other family, etc.

Say what you will about Windows / OS X, but you usually don't run into those problems, because they have paid people to QA and document.

Re:Good

https://opensource.apple.com/r...

Now

Now, can we please put to rest this applefanatic idea that "mac's can't get a virus"?

Re:Now

[NotDrWho]

Blasphemy!!!

Re:Now

You mean jailbroken iOS devices downloading pirated software from a dodgy store?

Non-jailbroken devices that don't have this store available are immune to this, as this malware isn't coming from Apple's store.

Re:Now

[Aaden42]

RTFA, please. This didn’t require jailbreaking to infect the phone.

Infection process:

1) Download pirate-friendly AppStore app for your Mac.
2) Download & run one of the trojaned, probably pirated apps on your Mac.
3) Plug in your phone.
4) Accept the prompt to install an enterprise provisioning profile, enter your device’s unlock code to authorize that, confirm one more time that you’re certain you want to install the profile (at least that was the process last time I added a custom profile: Two “Are you sure?"’s and an authentication prompt, not just TouchID).
5) Trojaned apps on Mac scan for interesting apps on the phone & replace them with trojaned versions of the iOS apps.

No iOS or Mac bugs were exploited.

The Mac side was just downloading & running dodgy software from (software) houses of ill repute.

The iOS side relied on a legitimate Apple-signed key that was issued to some company (haven’t found the name of the company yet — redacted to protect the careless?) It does seem that the key had greater than usual entitlements to allow additional background execution beyond what’s usually allowed. The trojaned iOS apps ran on a non-jailbroken, non-compromised (by bugs anyways) phone because the user allowed installation of the enterprise provisioning profile which allows the phone to run apps signed by someone other than Apple.

As far as mitigation, Apple added signatures for the Mac-side stuff to Gatekeeper so OS X won’t run them any more unless you stand on your head and accept a bunch of, “This will explode your computer!” prompts.

They also revoked the provisioning profile signing key on the phone side, so it can’t create newly trojaned apps on the phone, and the profile won’t be installable on new phones. I’m not sure at the moment what effect that revocation has on phones that have already installed the profile or on apps that were already modified by it. I’m also not sure if it’s vulnerable to the “change the date on your phone” thing that was used to installed NES emulators a while back. At one point, apps’ signatures were only checked on initial install, but I *think* expired or revoked enterprise profiles are actually checked at each launch and the apps should die now.

Re:Now

[j-beda]

You mean jailbroken iOS devices downloading pirated software from a dodgy store?

Non-jailbroken devices that don't have this store available are immune to this, as this malware isn't coming from Apple's store.

Actually, it looks like this is driven by a Mac OS X application the at was spread by being delivered along with legitimate software from a software collection site (like the info-mac archives once was in those halcion days of yore. https://en.wikipedia.org/wiki/... Or maybe it was cracked/stolen/pirated software that contained the malware.

Once installed on the Mac OS X computer, making use of legittimage Apple developer credentials, the software seems to have been able to infect non-jailbroken iOS devices when those devices were attached to the machine via USB.

Re:Now

[tlhIngan]

Once installed on the Mac OS X computer, making use of legittimage Apple developer credentials, the software seems to have been able to infect non-jailbroken iOS devices when those devices were attached to the machine via USB.

No, it wasn't developer credentials, it was enterprise credentials.

Developer credentials is that every year, you get to add up to 100 devices to your "testing" list. You submit that list to Apple and Apple gives you back a .mobileprovisioning file that is signed by Apple containing the list of those 100 devices. Beta testers then install that file on their device and it lets you test unsigned software on it. But 100 devices max, and you can only reset it once a year (so it's not 100 devices, reset it, another 100 devices, etc). You can add devices if you have less than 100 at any time, but to clear it can only be done annually.

An enterprise certificate costs more ($500/year) but it comes with signing rights, so you can make provisioning files, sign apps (so you can bypass the App Store) and other things. Of course, you have to install the enterprise certificate to run enterprise signed apps.

The malware used a legit developer cert ($99/year) to sign the malware app on OS X (you can bypass the Mac App Store by buying a certificate from Apple to sign your own apps as the OS X default is "Mac App Store and Signed Apps Only"). That malware then installs the enterprise provisioning onto a connected iOS device and then pushes the signed malware to it.

Thus, what Apple did was revoke the signing key, revoke the enterprise cert, and install new XProtect signatures to neuter the OS X apps.

Re:Now

[the+computer+guy+nex]

"RTFA, please. This didn’t require jailbreaking to infect the phone."

Non-jailbroken phones were never 'infected.' WireLurker simply loaded a harmless comic book app on non-jailbroken devices. Since WireLurker didn't jailbreak your device, it was limited to the iOS sandbox.

This wasn't even malware for non-jailbreak devices. The user was prompted to install an enterprise app, and had the ability to allow/deny. The app itself was harmless. The only malware was for jailbroken devices.

Re:Now

"RTFA, please. This didn’t require jailbreaking to infect the phone." Non-jailbroken phones were never 'infected.' WireLurker simply loaded a harmless comic book app on non-jailbroken devices. Since WireLurker didn't jailbreak your device, it was limited to the iOS sandbox. This wasn't even malware for non-jailbreak devices. The user was prompted to install an enterprise app, and had the ability to allow/deny. The app itself was harmless. The only malware was for jailbroken devices.

According to the original source you are incorrect in insisting on non-jailbroken devices not being infected:

"Unit 42 has recently discovered a new family of Apple OSX and iOS malware, aptly named “WireLurker”. Characteristics of this malware family, including its ability to infect even non-jailbroken iOS devices through trojanized and repackaged OS X applications"

-- Of known malware families distributed through trojanized / repackaged OS X applications, it is the biggest in scale we have ever seen
-- It is only the second known malware family that attacks iOS devices through OS X via USB
-- It is the first malware to automate generation of malicious iOS applications, through binary file replacement
-- It is the first known malware that can infect installed iOS applications similar to a traditional virus
-- It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning

Re:Now

[the+computer+guy+nex]

If you read the paper, non-jailbroken devices were 'infected' with a harmless comic book app. This only occurred if the user accepted the enterprise cert.

"Once Wirelurker gains access to a non-jailbroken iPhone, the program currently side-loads a non-malicious comic book app onto the phone."

Loading an enterprise-signed application, requiring user acceptance, that is non-malicious isn't much of an infection.

Re:Now

If you read the paper, non-jailbroken devices were 'infected' with a harmless comic book app. This only occurred if the user accepted the enterprise cert. "Once Wirelurker gains access to a non-jailbroken iPhone, the program currently side-loads a non-malicious comic book app onto the phone." Loading an enterprise-signed application, requiring user acceptance, that is non-malicious isn't much of an infection.

The key word there is "currently" (and they can't be sure of even that), the comic book app is a proof of concept that the infection vector works and could be replaced by anything.

Re:Now

[MachineShedFred]

Can we put away the straw man that people actually say that first?

Re:Now

[MachineShedFred]

And by "infection vector" you mean "documented and intended functionality to support large organizations with custom app development", right?

Because that's what we're talking about - they used a certificate they stole from a registered enterprise developer account to sign apps and load them in via a profile, which has been available since iOS 6 or so. And, that app is still beholden to the same sandboxing rules as any other app.

That cert has now been revoked, and anything signed with it is now useless non-executable bits.

No.

[kuzb]

This is not the same as preventing the vulnerability. It's just taking away the control center. it does not prevent someone from doing it again in the future so stop thinking you're safe because you run a Mac.

Re:No.

[Paradise+Pete]

it does not prevent someone from doing it again in the future so stop thinking you're safe because you run a Mac.

How about if I just feel safer? Is that OK?

Re:No.

Yes it is jack hole...see i dont run enterprise apps on my devices or mac so no i will not have to worry about this. But hey if your dumb enough to run non apple store and allow enterprise apps then you get what you deserve. All systems are vunerable to the admin user if he/she is an idiot. And its pretty obvious that the folks infected are idiots.

Re:No.

Except that there was no vulnerability. Each and every user "infected" either jailbroke their device, or accepted installing an enterprise profile on their device.

The vulnerability was the idiot user - everything done was done through legitimate functionality, and could have been stopped if the user paid any attention whatsoever.

Technical Report from Unit42 on the Malware

[Vokkyt]

There is a PDF report on the main website for Unit42 about the malware, but it has a fairly invasive registration process. Signed up with bs info and uploaded to public google drive for everyone.

Link to the researchers website for those cautious about the gdocs link

Straight Link to the report (requires registration)

Have not read the technical details yet, but it looks fairly comprehensive.

Re:Technical Report from Unit42 on the Malware

[Vokkyt]

Also, they wrote a detection script: https://github.com/PaloAltoNet...

What happened to compromise the cert?

[gweihir]

Really, the story here is that the malware was signed by a valid certificate. This basically means the certificate system is worthless. That is a far bigger threat than any single malware.

Re:What happened to compromise the cert?

[Jeremi]

Really, the story here is that the malware was signed by a valid certificate. This basically means the certificate system is worthless

I think "worthless" is a bit too strong of a characterization. Now that the company's certificate is known to be compromised, Apple invalidates their certificate, and all malware that is signed with that certificate will no longer run on any Internet-connected Mac. That's not ideal, but it's a lot better than not having any mechanism to stop known malware.

If there is a more effective security mechanism that Apple ought to be using instead, I'd be interested in hearing about it.

Re:What happened to compromise the cert?

[gweihir]

The important question is _how_ the certificate was compromised. Unless that problem is solved, the next one will just get compromised again.

Re:What happened to compromise the cert?

[MachineShedFred]

Yeah, because certificates have never been compromised before. If anything, the almost-instant revocation of the certificate across millions of devices shows that it works great.

Re:What happened to compromise the cert?

[MachineShedFred]

that's easy - weak or compromised (read: intercepted through unencrypted email or social engineering) password on the enterprise developer account on http://adc.apple.com/

Because that's never been a problem in the past, ever.

Re:What happened to compromise the cert?

[gweihir]

And unless this is fixed and prevented _reliable_ from happening again, certs issued or used bu Apple are worthless.

Re:What happened to compromise the cert?

[MachineShedFred]

Yeah, because this is only an Apple problem. In the past history of PKI, nobody has ever had a certificate compromised. Except for just about everyone.

Sure. Just exactly as vulnerable. That's a laugh!

Mac's are only as vulnerable as Windows, etc... if you only allow for two levels of vulnerability: Vulnerable, and Invulnerable.

(BTW, if you used your OS X machine the way any sane Unix or GNU/Linux user does, and you don't do daily tasks from an administrator account... you are apparently not at risk from this malware. Why would you use your OS X machine the same way someone whose computer runs Unix does? Because underneath all the pretty, flowery goodness and pretty special effects in OS X,... IT'S UNIX!!! Duh.)

If you instead look at the ODDS of how likely you are to see adverse consequences that come exclusively from your choice of platform... Windows flaws & vulnerabilities are so rampant that many people stopped hacking them because they saw it as no meaningful challenge. This is where the term "script-kiddie" comes from. Hacking became something you could do with a trivial snippet of code someone else wrote.

Windows security has always been a joke. This is probably because Microsoft uses the in-built security flaws as an anti-piracy measure. You'd have to have your HEAD EXAMINED if you use a Windows PC without Windows update, unless it's got NO connectivity hardware, no speaker, and no microphone, no floppy drive, no externally accessible ports, basically, a "stand-alone, black box." Otherwise, you're begging for trouble. In fact, Windows for years required you to have anti-virus/anti-spyware/anti-malware/anti-worm/anti-intusion software that you got elsewhere to patch up the gaping security holes left in their own software. What garbage!

I don't know if this is still true because for about half a dozen years, I have been Microsoft free. Never been happier! No more blue-screens of death that I used to see ALL. THE. TIME... no more "WARNING! YOUR COMPUTER HAS A VIRUS!!!" no more "CAUTION: YOUR COMPUTER IS UNPROTECTED!" and DEFINITELY no more "We are no longer supporting your operating system. If you want to continue to receive security updates, you'll have to pay us another couple hundred dollars for another new version of our wretched, lousy, buggy, unsecure-by-design 'Operating System' Hahahahahh Pay us, bitch!"

Now I get my OS updates for free, and my computer is much slicker, has better features, longer battery life, and interoperates with all my other technology.

When you have millions of users, and millions of developers all writing millions of pieces of software, one thing slips by, and suddenly all the Microsoft Win-SLAVES are crowing or braying like jackasses. Does anyone even track Windows vulnerabilities anymore? Or do we just go ahead and assume its an almost daily occurrence, no longer worthy of note?

OS X is not open source.

Too bad OS X is opensource.
http://opensource.apple.com/
We should all switch to a truly proprietary OS. Anyone has any advice on which truly-proprietary OS is better security-wise ?

You obviously didn't read the page you posted. Go back, actually READ it, then come back and make your comments when you know what you're talking about.

OS X DOES INCORPORATE open source software, and contributes to the development of many projects that are used in OS X. BUT... OS X itself is NOT open source. You can't get a copy of the entire OS' source code, compile it yourself, and run it on any arbitrary machine. It is designed to run on Apple built hardware designed to use THIS particular operating system.

They do, sadly, not support their own older hardware with new software, but since they are a HARDWARE company, Apple can't be blamed for not, any more than you could blame Microsoft for the fact that Windows 8 won't run on a 4.77 MHz IBM 5150 PC from circa 1981 using Intel's 8 bit interface, 8088 microprocessor chip, even if Microsoft made the PC themselves, rather than entering a licensing agreement (which they did,) with IBM to supply the OS to their original Personal Computer.

It would be nice if Apple committed to say, a decade, or a dozen years. When Mavericks came out, (last year, 2013, right?) only Macs built in 2007 or after could run it, which is only about a half-dozen years. This may seem like an eternity for high-tech, but it's kind of a short span of time for most anything else.

Re:OS X is not open source.

[jazzis]

https://opensource.apple.com/r...