WireLurker Mac OS X Malware Found, Shut Down

msm1267 writes WireLurker is no more. After causing an overnight sensation, the newly disclosed family of Apple Mac OS X malware capable of also infecting iOS devices has been put to rest. Researchers at Palo Alto Networks confirmed this morning that the command and control infrastructure supporting WireLurker has been shut down and Apple has revoked a legitimate digital certificate used to sign WireLurker code and allow it to infect non-jailbroken iOS devices.

Researchers at Palo Alto Networks discovered and dubbed the threat WireLurker because it spreads from infected OS X computers to iOS once the mobile device is connected to a Mac via USB. The malware analyzes the connected iOS device looking for a number of popular applications in China, namely the Meitu photo app, the Taobao online auction app, or the AliPay payment application. If any of those are found on the iOS device, WireLurker extracts its and replaces it with a Trojanized version of the same app repackaged with malware.

Patient zero is a Chinese third-party app store called Maiyadi known for hosting pirated apps for both platforms. To date, Palo Alto researchers said, 467 infected OS X apps have been found on Maiyadi and those apps have been downloaded more than 350,000 times as of Oct. 16 by more than 100,000 users.

Re:Now

[Aaden42]

RTFA, please. This didn’t require jailbreaking to infect the phone.

Infection process:

1) Download pirate-friendly AppStore app for your Mac.
2) Download & run one of the trojaned, probably pirated apps on your Mac.
3) Plug in your phone.
4) Accept the prompt to install an enterprise provisioning profile, enter your device’s unlock code to authorize that, confirm one more time that you’re certain you want to install the profile (at least that was the process last time I added a custom profile: Two “Are you sure?"’s and an authentication prompt, not just TouchID).
5) Trojaned apps on Mac scan for interesting apps on the phone & replace them with trojaned versions of the iOS apps.

No iOS or Mac bugs were exploited.

The Mac side was just downloading & running dodgy software from (software) houses of ill repute.

The iOS side relied on a legitimate Apple-signed key that was issued to some company (haven’t found the name of the company yet — redacted to protect the careless?) It does seem that the key had greater than usual entitlements to allow additional background execution beyond what’s usually allowed. The trojaned iOS apps ran on a non-jailbroken, non-compromised (by bugs anyways) phone because the user allowed installation of the enterprise provisioning profile which allows the phone to run apps signed by someone other than Apple.

As far as mitigation, Apple added signatures for the Mac-side stuff to Gatekeeper so OS X won’t run them any more unless you stand on your head and accept a bunch of, “This will explode your computer!” prompts.

They also revoked the provisioning profile signing key on the phone side, so it can’t create newly trojaned apps on the phone, and the profile won’t be installable on new phones. I’m not sure at the moment what effect that revocation has on phones that have already installed the profile or on apps that were already modified by it. I’m also not sure if it’s vulnerable to the “change the date on your phone” thing that was used to installed NES emulators a while back. At one point, apps’ signatures were only checked on initial install, but I *think* expired or revoked enterprise profiles are actually checked at each launch and the apps should die now.

Re:Now

[tlhIngan]

Once installed on the Mac OS X computer, making use of legittimage Apple developer credentials, the software seems to have been able to infect non-jailbroken iOS devices when those devices were attached to the machine via USB.

No, it wasn't developer credentials, it was enterprise credentials.

Developer credentials is that every year, you get to add up to 100 devices to your "testing" list. You submit that list to Apple and Apple gives you back a .mobileprovisioning file that is signed by Apple containing the list of those 100 devices. Beta testers then install that file on their device and it lets you test unsigned software on it. But 100 devices max, and you can only reset it once a year (so it's not 100 devices, reset it, another 100 devices, etc). You can add devices if you have less than 100 at any time, but to clear it can only be done annually.

An enterprise certificate costs more ($500/year) but it comes with signing rights, so you can make provisioning files, sign apps (so you can bypass the App Store) and other things. Of course, you have to install the enterprise certificate to run enterprise signed apps.

The malware used a legit developer cert ($99/year) to sign the malware app on OS X (you can bypass the Mac App Store by buying a certificate from Apple to sign your own apps as the OS X default is "Mac App Store and Signed Apps Only"). That malware then installs the enterprise provisioning onto a connected iOS device and then pushes the signed malware to it.

Thus, what Apple did was revoke the signing key, revoke the enterprise cert, and install new XProtect signatures to neuter the OS X apps.

Re:Good

[jazzis]

http://www.opensource.apple.co... https://developer.apple.com/li... Darwin (Yosemite 10.10)