WireLurker
Transcript of WireLurker
This presentation is based on a report available at
https://www.paloaltonetworks.com
WireLurker is the first known malware family to target both OS X and iOS, and it
introduces on-the-fly repackaging of apps on iOS devices, whether or not they have been jailbroken.
On November 5, 2014,
Palo Alto Networks
published a report
regarding “WireLurker,”
a new malware it labels
as one of the most
advanced attacks on Mac
OS X and iOS devices.
What's this about?
While some consider iPhones to be more secure, this malware demonstrates how attackers use new techniques and security gaps in iOS to infiltrate devices.
Source of WireLurker?
The source of WireLurker has been linked to the Maiyadi third-party app store for iOS and OS X.
The Maiyadi store contains a large number of trojanized apps repackaged with the additional WireLurker code.
How does it Work?
It begins when a trojanized application from a third-party app store is installed on the Mac.
After installation, the app monitors the USB ports for an iOS device being connected to the infected computer.
WireLurker queries information about the connected device using the libimobiledevice library.
WireLurker then checks whether the device is jailbroken, to decide which attacks can be used against it.
WireLurker installs predefined apps signed with a known compromised enterprise certificate, which allows them to be installed without going through the Apple App Store.
WireLurker then installs one or several compromised apps, depending on the WireLurker variant.
These compromised apps send information from the device, including identifying information about the device itself, off the device.
How it all started?
Qū Chāo, a developer at Tencent, initially observed WireLurker on June 1, 2014, when he found highly suspicious files and processes on his Mac and iPhone.
Nine days later, a thread was created on a Chinese developer forum by the user “LeoHe”, describing anomalous findings on his iPhone. A similar thread was created on a Chinese Apple fan forum on August 9, 2014.
In these forum threads, numerous users reported the installation of strange applications and the creation of enterprise provisioning profiles on their non-jailbroken iPhones and iPads.
They also mentioned launch daemons found on their Mac computers, with names like “machook_damon” and “WatchProc”.
Some of these same users stated that they had recently downloaded and installed applications from the Maiyadi App Store.
The Maiyadi site is a Chinese portal for Apple-related news and resources. The Maiyadi App Store is a sub-site known to host pirated premium Mac, iPhone, and iPad applications.
Workflow and Malware Progression Chart
Investigation of the Third-Party App Store
Some forum users specifically mentioned downloading a Mac application named “CleanApp” from the Maiyadi App Store and suspected it might be a culprit.
Damage already done!
It is thought that 467 infected applications were downloaded over 356,104 times, mainly by Mac and iOS users in China.
All of the WireLurker trojanized applications included an installation interface that used “Pirates of the Caribbean” themed wallpaper.
A “麦客孤独” seal and a QQ account number were also displayed, both of which correspond to the owner of the Maiyadi site.
Another similarity between these installers was that their packages always contained an application named “使用帮助” (“User Manual” in English).
Symptoms
Why is it a Big Deal?
WireLurker can boast a number of firsts - all of which make it a particularly nasty piece of work.
First known strain of malware that can infect installed iOS apps in a similar way to how a traditional virus on a desktop computer would.
First in-the-wild malware family that can install third-party apps on iOS devices that haven't been jailbroken, using enterprise provisioning.
How can I Stay Safe?
Keep away from third-party app stores: not only are they often infested with malware, they are also of dubious legality for copyright and IP reasons.
Because WireLurker has only been found in third-party Mac apps, downloading apps only from Apple's own Mac App Store keeps you clear of this infection vector.
Make sure your Mac is running a reputable antivirus product.
Make sure the software and applications on all your iOS and OS X devices are up to date.
Don’t connect your iPhone to any untrusted USB port or computer.
As soon as you discover an infected or unwanted app or piece of software, uninstall it and delete all related files.
How can my ENTERPRISE Stay Safe?
Enterprises should ensure their mobile device traffic is routed through a threat prevention system using a mobile security application like GlobalProtect™.
Employ an antivirus or security protection product for the Mac OS X system and keep its signatures up-to-date
In the OS X System Preferences panel under “Security & Privacy”, ensure “Allow apps downloaded from Mac App Store (or Mac App Store and identified developers)” is set
Do not download and run Mac applications or games from any
third-party app store, download site or other untrusted source
Do not accept any unknown enterprise
provisioning profile unless an authorized,
trusted party (e.g. your IT corporate help
desk) explicitly instructs you to do so
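The last piece of advice hinges on recognising an enterprise provisioning profile. As an added example, not part of the presentation or of the Palo Alto Networks report, the Python below reads the property list embedded in an app's embedded.mobileprovision and reports whether it is an enterprise (in-house) profile and whether the team that issued it is one you trust. It uses only the standard library; the team identifiers, profile names and the stand-in CMS framing in the sample input are constructed placeholders, not real values, and the check reads the profile's contents without verifying its signature.

```python
"""Added example (not from the WireLurker report or presentation): tell
whether an iOS app was provisioned for enterprise (in-house) distribution
by reading its embedded.mobileprovision.

A .mobileprovision file is a CMS/PKCS#7 signed blob wrapping an XML property
list.  This check does not verify the CMS signature; it carves the plist out
between the "<?xml" and "</plist>" markers and reads the keys that tell the
profile types apart:
  - ProvisionsAllDevices = true  -> enterprise (in-house) profile
  - ProvisionedDevices present   -> ad hoc / development profile
  - neither                      -> App Store profile
"""
import datetime
import plistlib

# Team identifiers your organisation really issues apps under.  Placeholder
# value (assumption); replace with your own team ID(s).
TRUSTED_TEAM_IDS = {"TRUSTEDTEAM1"}

# Date of the Palo Alto Networks report, used as "now" in the sample run.
REPORT_DATE = datetime.datetime(2014, 11, 5)


def extract_plist(blob: bytes) -> dict:
    """Carve the XML plist out of a (signed) .mobileprovision blob."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded property list found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict) -> str:
    """Map the profile's keys to the kind of distribution it permits."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if profile.get("ProvisionedDevices"):
        return "ad-hoc-or-development"
    return "app-store"


def assess_profile(blob: bytes, now: datetime.datetime,
                   trusted_teams=TRUSTED_TEAM_IDS) -> dict:
    """Return what the profile allows plus the findings a reviewer cares about."""
    profile = extract_plist(blob)
    kind = classify_profile(profile)
    teams = profile.get("TeamIdentifier", [])
    findings = []
    # An enterprise profile from a team you do not own is exactly what an
    # unexpected "enterprise provisioning profile" on a non-jailbroken device is.
    if kind == "enterprise" and not set(teams) & set(trusted_teams):
        findings.append("enterprise profile issued to an untrusted team: " + ",".join(teams))
    expires = profile.get("ExpirationDate")
    if expires is not None and expires < now:
        findings.append("profile has expired")
    return {"name": profile.get("Name"), "kind": kind, "teams": teams, "findings": findings}


def fake_mobileprovision(profile: dict) -> bytes:
    """Constructed test input: an XML plist wrapped in stand-in CMS bytes.
    Real files carry a DER-encoded signature; this framing only exists so the
    carving in extract_plist has something to skip over."""
    return b"\x30\x82\x10\x00cms-header" + plistlib.dumps(profile) + b"cms-signature"


# Constructed sample profiles (made-up team IDs and app IDs, no certificates).
ENTERPRISE_PROFILE = fake_mobileprovision({
    "Name": "Sample In-House Profile",
    "TeamIdentifier": ["UNKNOWNTEAM9"],
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime.datetime(2015, 6, 1),
    "Entitlements": {"application-identifier": "UNKNOWNTEAM9.com.example.app"},
})
APPSTORE_PROFILE = fake_mobileprovision({
    "Name": "Sample App Store Profile",
    "TeamIdentifier": ["TRUSTEDTEAM1"],
    "ExpirationDate": datetime.datetime(2015, 6, 1),
    "Entitlements": {"application-identifier": "TRUSTEDTEAM1.com.example.app"},
})

if __name__ == "__main__":
    for blob in (ENTERPRISE_PROFILE, APPSTORE_PROFILE):
        print(assess_profile(blob, REPORT_DATE))
```

On a real Mac the input is the embedded.mobileprovision inside an unpacked .ipa (Payload/*.app/), and a profile that the check classifies as enterprise but that nobody in your organisation issued is the signal to escalate rather than to accept.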
WireLurker Versions
From April 30, 2014, through October 17, 2014, three distinct versions of WireLurker appeared.
Detection and Containment
From May 21, 2014, through September 28, 2014, five different WireLurker files (representing three different versions) were submitted to VirusTotal; however, none of the 55 threat detection engines employed by VirusTotal identified the threat.
Palo Alto Networks published a Python script for OS X systems that detects known malicious and suspicious files, as well as applications that exhibit characteristics of infection. It can be downloaded from the following URL: https://github.com/PaloAltoNetworks-BD/WireLurkerDetec
For host-based detection, Mac and iOS users should check processes and files on their Mac computers and iOS devices…
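A minimal form of such a host-based check, written here as an added example and not the Palo Alto Networks script linked above: it walks the launchd directories on a Mac, flags plists whose label, file name or program matches the daemon names users reported (“machook_damon”, “WatchProc”), and flags any job whose program runs from a user-writable location. The sample run builds a constructed temporary directory of plists so it executes anywhere, off a Mac included; the file names, programs and the list of user-writable prefixes are assumptions for illustration.

```python
"""Added example (not the Palo Alto Networks detector, not from the
presentation): scan launchd property lists for the launch daemon names
reported in the WireLurker forum threads and for jobs that run a program
from a user-writable location.
"""
import os
import plistlib
import tempfile

# Launch daemon names users reported on their Macs (from the report).
KNOWN_INDICATORS = ("machook_damon", "WatchProc")

DEFAULT_LAUNCH_DIRS = (
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
)

# Assumption: a launchd job whose program lives under one of these prefixes
# could have been dropped by any user process, so it deserves a look even
# when its name is unremarkable.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/", "/usr/local/")


def program_of(job: dict) -> str:
    """Return the executable a launchd job runs (Program or ProgramArguments[0])."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def inspect_job(path):
    """Return a finding for one launchd plist, or None if nothing stands out."""
    with open(path, "rb") as fh:
        job = plistlib.load(fh)
    label = str(job.get("Label", os.path.basename(path)))
    program = program_of(job)
    haystack = " ".join((label, os.path.basename(path), program)).lower()
    reasons = []
    for ioc in KNOWN_INDICATORS:
        if ioc.lower() in haystack:
            reasons.append("matches known indicator " + ioc)
    if program.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("program in user-writable location " + program)
    if not reasons:
        return None
    return {"plist": path, "label": label, "program": program, "reasons": reasons}


def scan_launch_dirs(dirs=DEFAULT_LAUNCH_DIRS):
    """Walk the launchd directories and collect findings.  A plist that cannot
    be parsed is reported too: a daemon you cannot read is one you cannot vouch for."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                finding = inspect_job(path)
            except Exception as exc:  # plistlib.InvalidFileException, OSError, ...
                finding = {"plist": path, "label": name, "program": "",
                           "reasons": ["unreadable: " + str(exc)]}
            if finding:
                findings.append(finding)
    return findings


def build_sample_tree():
    """Constructed sample LaunchDaemons directory (no real malware files)."""
    root = tempfile.mkdtemp(prefix="launchdaemons-sample-")
    jobs = {
        "com.example.backup.plist": {
            "Label": "com.example.backup",
            "ProgramArguments": ["/usr/bin/rsync", "-a", "/Users", "/Volumes/Backup"],
            "StartInterval": 3600},
        "machook_damon.plist": {
            "Label": "machook_damon",
            "ProgramArguments": ["/usr/bin/machook_damon"],
            "RunAtLoad": True, "KeepAlive": True},
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "Program": "/tmp/.updater/update",
            "RunAtLoad": True},
    }
    for name, job in jobs.items():
        with open(os.path.join(root, name), "wb") as fh:
            plistlib.dump(job, fh)
    return root


if __name__ == "__main__":
    for finding in scan_launch_dirs([build_sample_tree()]):
        print(finding["label"], "->", "; ".join(finding["reasons"]))
```

Run it without arguments on a Mac to scan the real launchd directories; the two daemon names are the only indicators the presentation supplies, so treat the published detector as the authoritative indicator list and this as the pattern for adding your own.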
Contact me:
[email protected]
https://about.me/anupam.tiwari
https://www.youtube.com/user/anupam50/videos
http://anupriti.blogspot.in/