Slashdot Mirror
WireLurker Mac OS X Malware Found, Shut Down
msm1267 writes WireLurker is no more. After causing an overnight sensation, the newly disclosed family of Apple Mac OS X malware capable of also infecting iOS devices has been put to rest. Researchers at Palo Alto Networks confirmed this morning that the command and control infrastructure supporting WireLurker has been shut down and Apple has revoked a legitimate digital certificate used to sign WireLurker code and allow it to infect non-jailbroken iOS devices.
Researchers at Palo Alto Networks discovered and dubbed the threat WireLurker because it spreads from infected OS X computers to iOS once the mobile device is connected to a Mac via USB. The malware analyzes the connected iOS device looking for a number of popular applications in China, namely the Meitu photo app, the Taobao online auction app, or the AliPay payment application. If any of those are found on the iOS device, WireLurker extracts its and replaces it with a Trojanized version of the same app repackaged with malware.
Patient zero is a Chinese third-party app store called Maiyadi known for hosting pirated apps for both platforms. To date, Palo Alto researchers said, 467 infected OS X apps have been found on Maiyadi and those apps have been downloaded more than 350,000 times as of Oct. 16 by more than 100,000 users.
Researchers at Palo Alto Networks discovered and dubbed the threat WireLurker because it spreads from infected OS X computers to iOS once the mobile device is connected to a Mac via USB. The malware analyzes the connected iOS device looking for a number of popular applications in China, namely the Meitu photo app, the Taobao online auction app, or the AliPay payment application. If any of those are found on the iOS device, WireLurker extracts its and replaces it with a Trojanized version of the same app repackaged with malware.
Patient zero is a Chinese third-party app store called Maiyadi known for hosting pirated apps for both platforms. To date, Palo Alto researchers said, 467 infected OS X apps have been found on Maiyadi and those apps have been downloaded more than 350,000 times as of Oct. 16 by more than 100,000 users.
Why take a risk in going beyond the walden garden for a bloody photo-app, while in paradise there exist countless photo-apps for free?
Some lessons are never learned.
Life is not for the lazy.
like the 700.000 zombie mac botnet army a few years back, or like gotofail
Yes. EXACTLY. Mac’s are as vulnerable as Windows and iPhones as vulnerable as Android because not only did a rogue app store send fake apps, but “a few years back” there was a botnet. Idiot.
Blasphemy!!!
SJW's don't eliminate discrimination. They just expropriate it for themselves.
RTFA, please. This didn’t require jailbreaking to infect the phone.
Infection process:
1) Download pirate-friendly AppStore app for your Mac.
2) Download & run one of the trojaned, probably pirated apps on your Mac.
3) Plug in your phone.
4) Accept the prompt to install an enterprise provisioning profile, enter your device’s unlock code to authorize that, confirm one more time that you’re certain you want to install the profile (at least that was the process last time I added a custom profile: Two “Are you sure?"’s and an authentication prompt, not just TouchID).
5) Trojaned apps on Mac scan for interesting apps on the phone & replace them with trojaned versions of the iOS apps.
No iOS or Mac bugs were exploited.
The Mac side was just downloading & running dodgy software from (software) houses of ill repute.
The iOS side relied on a legitimate Apple-signed key that was issued to some company (haven’t found the name of the company yet — redacted to protect the careless?) It does seem that the key had greater than usual entitlements to allow additional background execution beyond what’s usually allowed. The trojaned iOS apps ran on a non-jailbroken, non-compromised (by bugs anyways) phone because the user allowed installation of the enterprise provisioning profile which allows the phone to run apps signed by someone other than Apple.
As far as mitigation, Apple added signatures for the Mac-side stuff to Gatekeeper so OS X won’t run them any more unless you stand on your head and accept a bunch of, “This will explode your computer!” prompts.
They also revoked the provisioning profile signing key on the phone side, so it can’t create newly trojaned apps on the phone, and the profile won’t be installable on new phones. I’m not sure at the moment what effect that revocation has on phones that have already installed the profile or on apps that were already modified by it. I’m also not sure if it’s vulnerable to the “change the date on your phone” thing that was used to installed NES emulators a while back. At one point, apps’ signatures were only checked on initial install, but I *think* expired or revoked enterprise profiles are actually checked at each launch and the apps should die now.
Yes. EXACTLY. Mac’s are as vulnerable as Windows and iPhones as vulnerable as Android because not only did a rogue app store send fake apps, but “a few years back” there was a botnet. Idiot.
You should be careful not creating a strawman to fight. I don't think anybody claim Mac's are *as* vulnerable as Windows (or iOS vs Android), but (rightly) challenging the false perception that it is immune.
Also, "a few years back there was a botnet" doesn't really do justice to the largest malware epidemic in modern times - regardless of platform - in terms of percentage of user base infected. Around 1% of internet connected Macs where infected by Mac Flashback. Second biggest was Windows Conficker with around 0.7% of Windows machines infected (of course that is more PCs, but percentage of user base is the relevant measurement).
btw, why are you talking about rogue app store? That is not what is happening in this WireLurker case.
Too bad OS X is opensource.
http://opensource.apple.com/
We should all switch to a truly proprietary OS. Anyone has any advice on which truly-proprietary OS is better security-wise ?
1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
No, it wasn't developer credentials, it was enterprise credentials.
Developer credentials is that every year, you get to add up to 100 devices to your "testing" list. You submit that list to Apple and Apple gives you back a .mobileprovisioning file that is signed by Apple containing the list of those 100 devices. Beta testers then install that file on their device and it lets you test unsigned software on it. But 100 devices max, and you can only reset it once a year (so it's not 100 devices, reset it, another 100 devices, etc). You can add devices if you have less than 100 at any time, but to clear it can only be done annually.
An enterprise certificate costs more ($500/year) but it comes with signing rights, so you can make provisioning files, sign apps (so you can bypass the App Store) and other things. Of course, you have to install the enterprise certificate to run enterprise signed apps.
The malware used a legit developer cert ($99/year) to sign the malware app on OS X (you can bypass the Mac App Store by buying a certificate from Apple to sign your own apps as the OS X default is "Mac App Store and Signed Apps Only"). That malware then installs the enterprise provisioning onto a connected iOS device and then pushes the signed malware to it.
Thus, what Apple did was revoke the signing key, revoke the enterprise cert, and install new XProtect signatures to neuter the OS X apps.
"RTFA, please. This didn’t require jailbreaking to infect the phone."
Non-jailbroken phones were never 'infected.' WireLurker simply loaded a harmless comic book app on non-jailbroken devices. Since WireLurker didn't jailbreak your device, it was limited to the iOS sandbox.
This wasn't even malware for non-jailbreak devices. The user was prompted to install an enterprise app, and had the ability to allow/deny. The app itself was harmless. The only malware was for jailbroken devices.
If you read the paper, non-jailbroken devices were 'infected' with a harmless comic book app. This only occurred if the user accepted the enterprise cert.
"Once Wirelurker gains access to a non-jailbroken iPhone, the program currently side-loads a non-malicious comic book app onto the phone."
Loading an enterprise-signed application, requiring user acceptance, that is non-malicious isn't much of an infection.
This is not the same as preventing the vulnerability. It's just taking away the control center. it does not prevent someone from doing it again in the future so stop thinking you're safe because you run a Mac.
BeauHD. Worst editor since kdawson.
There is a PDF report on the main website for Unit42 about the malware, but it has a fairly invasive registration process. Signed up with bs info and uploaded to public google drive for everyone.
Link to the researchers website for those cautious about the gdocs link
Straight Link to the report (requires registration)
Have not read the technical details yet, but it looks fairly comprehensive.
That page lists the projects used in OS X (and iOS) that are open source, you cannot download the source code for OS X.
http://www.opensource.apple.co... https://developer.apple.com/li... Darwin (Yosemite 10.10)
Yes I see those links. You can build the kernel and you can build some of the components used in the operating system but - as I have already said - you cannot download the source code for OS X, only some bits of it. If you think it's possible then certainly give me the link, but those links you provided most certainly are not it.
Wrong, that's just the kernel of OS X. Where's the code for the other essential parts of OSX like Quartz Extreme, Aqua, Cocoa framework, System Preferences (and all its sub utilities)?
The title of the linked page even says "Apple releases OS X 10.10 Yosemite Open Source Darwin code", explicitly stating in no uncertain terms that they are talking about Darwin, which is one component of OS X.
Really, the story here is that the malware was signed by a valid certificate. This basically means the certificate system is worthless. That is a far bigger threat than any single malware.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Mac's are only as vulnerable as Windows, etc... if you only allow for two levels of vulnerability: Vulnerable, and Invulnerable.
(BTW, if you used your OS X machine the way any sane Unix or GNU/Linux user does, and you don't do daily tasks from an administrator account... you are apparently not at risk from this malware. Why would you use your OS X machine the same way someone whose computer runs Unix does? Because underneath all the pretty, flowery goodness and pretty special effects in OS X,... IT'S UNIX!!! Duh.)
If you instead look at the ODDS of how likely you are to see adverse consequences that come exclusively from your choice of platform... Windows flaws & vulnerabilities are so rampant that many people stopped hacking them because they saw it as no meaningful challenge. This is where the term "script-kiddie" comes from. Hacking became something you could do with a trivial snippet of code someone else wrote.
Windows security has always been a joke. This is probably because Microsoft uses the in-built security flaws as an anti-piracy measure. You'd have to have your HEAD EXAMINED if you use a Windows PC without Windows update, unless it's got NO connectivity hardware, no speaker, and no microphone, no floppy drive, no externally accessible ports, basically, a "stand-alone, black box." Otherwise, you're begging for trouble. In fact, Windows for years required you to have anti-virus/anti-spyware/anti-malware/anti-worm/anti-intusion software that you got elsewhere to patch up the gaping security holes left in their own software. What garbage!
I don't know if this is still true because for about half a dozen years, I have been Microsoft free. Never been happier! No more blue-screens of death that I used to see ALL. THE. TIME... no more "WARNING! YOUR COMPUTER HAS A VIRUS!!!" no more "CAUTION: YOUR COMPUTER IS UNPROTECTED!" and DEFINITELY no more "We are no longer supporting your operating system. If you want to continue to receive security updates, you'll have to pay us another couple hundred dollars for another new version of our wretched, lousy, buggy, unsecure-by-design 'Operating System' Hahahahahh Pay us, bitch!"
Now I get my OS updates for free, and my computer is much slicker, has better features, longer battery life, and interoperates with all my other technology.
When you have millions of users, and millions of developers all writing millions of pieces of software, one thing slips by, and suddenly all the Microsoft Win-SLAVES are crowing or braying like jackasses. Does anyone even track Windows vulnerabilities anymore? Or do we just go ahead and assume its an almost daily occurrence, no longer worthy of note?
re "This is what I like about proprietary software. Lots of eyeballs are probing for vulnerabilities, and when such are found, they are fixed quickly by professional paid developers."
The same brands who allowed years of weak crypto for the NSA and GCHQ?
Hard to see what extras a person gets with proprietary software. Or what is nor fixed or fixed later.
Domestic spying is now "Benign Information Gathering"
Hard to see what extras a person gets with proprietary software. Or what is nor fixed or fixed later.
If a piece of software has had lots of development and testing done on it by very talented individuals, the user gets to enjoy better-designed, higher-quality software.
In some (but not all) cases, the proprietary nature of the software supplies the money necessary to pay those talented programmers and testers to spend the extra time necessary to really develop/debug/polish the software's quality.
Open source software sometimes gets that extra attention too, but since it's often written by self-directed volunteers, the extra-mile polishing often happens only to the parts of the software that software developers find interesting. Hence Linux's great kernel, but mediocre [relative to OS/X] GUI.
Does being proprietary make software more secure? Unlikely -- but security is not the only yardstick by which software is judged.
I don't care if it's 90,000 hectares. That lake was not my doing.
Clearly, XProtect does "just work" as Apple was able to stamp that shit out in less than a day.
There's probably STILL Windows machines infected with iloveyou out there.
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
With percentage of user base arguments, you could say that if 5 SCO UnixWare machines got infected it's the worst outbreak ever, because that would be like 15% of their installed user base!
Massaging the statistics still doesn't make the orders of magnitude of difference between infected Windows boxes and infected Macs any different.
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
You're exactly right. In my new job that I've had for a month now, we've been picking open-source solutions wherever we can, and it usually takes far more time and effort to get it set up properly because the documentation is lacking, the different components don't always work together as they should, what documentation that does exist highly favors one particular distort family, and you're compiling from source and dealing with dependency hell if you're on the other family, etc.
Say what you will about Windows / OS X, but you usually don't run into those problems, because they have paid people to QA and document.
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
Can we put away the straw man that people actually say that first?
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
And by "infection vector" you mean "documented and intended functionality to support large organizations with custom app development", right?
Because that's what we're talking about - they used a certificate they stole from a registered enterprise developer account to sign apps and load them in via a profile, which has been available since iOS 6 or so. And, that app is still beholden to the same sandboxing rules as any other app.
That cert has now been revoked, and anything signed with it is now useless non-executable bits.
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
https://opensource.apple.com/r...