Wirelurker


Description

This presentation gives a brief overview of WireLurker, the first malware family of its kind to make the Apple rot; never in the history of the supposedly unquestionable iOS/Mac devices has such a thing been seen or heard of, nor such a severe beating taken. The slides are based on a report recently made public by Palo Alto Networks.

Transcript of Wirelurker

Page 1: Wirelurker
Page 2: Wirelurker

The slides are based on a report available at

https://www.paloaltonetworks.com

Page 3: Wirelurker

What's this about?

WireLurker is the first malware to affect both operating systems, Mac OS X and iOS, and it introduces on-the-fly repackaging of apps, targeting iOS devices whether or not they have been jailbroken.

On November 5, 2014, Palo Alto Networks published a report on "WireLurker," a new malware family it labels one of the most advanced attacks on Mac OS X and iOS devices.

Page 4: Wirelurker

What's this about?

While iPhones are considered more secure by some, this new malware demonstrates how attackers are using new techniques and security gaps in iOS to infiltrate devices.

Page 5: Wirelurker

Source of WireLurker?

The source of WireLurker has been linked to the Maiyadi third-party app store for iOS and OS X. The Maiyadi store contains a large number of trojanized apps repackaged with the additional WireLurker code.

Page 6: Wirelurker

How does it work?

It begins when WireLurker is installed through a third-party app store. Following installation, the app monitors the USB ports for an iOS device to be connected to the infected computer.

WireLurker queries information on the connected device using the libimobiledevice library. It then checks whether the device is jailbroken in order to see which attacks can be used against it.

Page 7: Wirelurker

How does it work?

WireLurker installs predefined apps signed with a known compromised enterprise certificate connected to the developer, allowing it to bypass the Apple App Store. It then installs one or several compromised apps, depending on the specific WireLurker variant.

These compromised apps send information from the device, including identifying information about the device itself.

Page 8: Wirelurker

How did it all start?

Qū Chāo, a developer at Tencent, first observed WireLurker on June 1, 2014, when he found highly suspicious files and processes on his Mac and iPhone.

Page 9: Wirelurker

How did it all start?

Nine days later, a thread was created on a Chinese developer forum by the user "LeoHe", describing anomalous findings on his iPhone. A similar thread was created on a Chinese Apple fan forum on August 9, 2014.

In these forum threads, numerous users reported the installation of strange applications and the creation of enterprise provisioning profiles on their non-jailbroken iPhones and iPads.

Page 10: Wirelurker

How did it all start?

They also mentioned launch daemons found on their Mac computers, with names like "machook_damon" and "WatchProc". Some of these same users stated that they had recently downloaded and installed applications from the Maiyadi App Store.

The Maiyadi site is a Chinese portal for Apple-related news and resources. The Maiyadi App Store is a sub-site known to host pirated premium Mac, iPhone, and iPad applications.

Page 11: Wirelurker

Workflow and Malware Progression Chart

Page 12: Wirelurker

Investigation of the Third-Party App Store

Some forum users specifically mentioned downloading a Mac application named "CleanApp" from the Maiyadi App Store and suspected it might be the culprit.

Page 13: Wirelurker

Damage already done!

It is thought that 467 infected applications have been downloaded over 356,104 times, mainly by Mac and iOS users in China.

Page 14: Wirelurker

Symptoms

All of the WireLurker trojanized applications included an installation interface that used "Pirates of the Caribbean" themed wallpaper. A "麦客孤独" seal and a QQ account number were also displayed, both of which correspond to the owner of the Maiyadi site.

Another similarity between these installers was that their packages always contained an application named "使用帮助" ("User Manual" in English).

Page 15: Wirelurker

Why is it a big deal?

WireLurker can boast a number of firsts, all of which make it a particularly nasty piece of work:

First known strain of malware that can infect installed iOS apps in a similar way to how a traditional virus on a desktop computer would.

First in-the-wild malware family that can install third-party apps on iOS devices that haven't been jailbroken, using enterprise provisioning.

Page 16: Wirelurker

How can I stay safe?

Keep away from third-party app stores; not only are they infested with malware, they are also of dubious legality for reasons related to copyright and IP.

Because WireLurker has only been found in third-party Mac apps, you can stay out of harm's way by downloading apps only from Apple's own Mac App Store.

Page 17: Wirelurker

How can I stay safe?

Make sure your Mac is running a decent antivirus.

Make sure the software and applications on all your iOS and OS X devices are up to date.

Page 18: Wirelurker

How can I stay safe?

Don't connect your iPhone to any untrusted USB port.

As soon as you discover an infected or unwanted app or piece of software, uninstall it and delete all related files.

Page 19: Wirelurker

How can my ENTERPRISE stay safe?

Enterprises should ensure their mobile device traffic is routed through a threat prevention system using a mobile security application like GlobalProtect™.

Employ an antivirus or security protection product for the Mac OS X system and keep its signatures up to date.

In the OS X System Preferences panel under "Security & Privacy", ensure "Allow apps downloaded from: Mac App Store" (or "Mac App Store and identified developers") is set.

Page 20: Wirelurker

How can my ENTERPRISE stay safe?

Do not download and run Mac applications or games from any third-party app store, download site or other untrusted source.

Do not accept any unknown enterprise provisioning profile unless an authorized, trusted party (e.g. your corporate IT help desk) explicitly instructs you to do so.

Page 21: Wirelurker

WireLurker Versions

From April 30, 2014, through October 17, 2014, three distinct versions of WireLurker were observed.

Page 22: Wirelurker

Detection and Containment

From May 21, 2014, through September 28, 2014, five different WireLurker files (representing three different versions) were submitted to VirusTotal. However, none of the 55 threat detection engines employed by VirusTotal identified this threat.

Page 23: Wirelurker

Detection and Containment

For host-based detection, Mac and iOS users should check processes and files on their Mac computers and iOS devices.

A Python script for OS X systems to detect known malicious and suspicious files, as well as applications that exhibit characteristics of infection, can be downloaded from the following URL: https://github.com/PaloAltoNetworks-BD/WireLurkerDetec
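
The host-based check described on this slide, together with the Gatekeeper setting on Page 19 and the artefacts named on Pages 10 and 14, as an added Python example. This is not Palo Alto Networks' WireLurkerDetector and not code from the presentation: it matches only the launch daemon names ("machook_damon", "WatchProc"), the "使用帮助" bundle name and the `spctl --status` output that the slides and macOS itself give us. The launchd and Applications directories scanned, the `ps`/`spctl` invocations, and all sample inputs are assumptions constructed for the example.

```python
# Added example: host-based scan for the WireLurker artefacts named on the slides.
import os
import plistlib
import subprocess
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Launch daemon names reported by the forum users quoted on the slides.
DAEMON_INDICATORS = ("machook_damon", "watchproc")
# Bundle name the slides say every trojanized installer carried ("User Manual").
INSTALLER_APP_NAME = "使用帮助.app"
# Assumption: default macOS launchd locations for system and per-user jobs.
LAUNCHD_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents",
                os.path.expanduser("~/Library/LaunchAgents"))

@dataclass
class Findings:
    launchd: List[str] = field(default_factory=list)
    processes: List[str] = field(default_factory=list)
    installer_apps: List[str] = field(default_factory=list)
    gatekeeper_enabled: Optional[bool] = None  # None: spctl output unavailable

    def infected_indicators(self) -> bool:
        return bool(self.launchd or self.processes or self.installer_apps)

def matches_indicator(name: str) -> bool:
    """Case-insensitive substring match against the slides' daemon names."""
    lowered = name.lower()
    return any(ind in lowered for ind in DAEMON_INDICATORS)

def launchd_strings(raw: bytes, path: str) -> List[str]:
    """File name plus Label, Program and ProgramArguments of a launchd plist."""
    strings = [os.path.basename(path)]
    try:
        data = plistlib.loads(raw)
    except Exception:  # malformed or not a plist: judge it by its file name only
        return strings
    strings += [str(data.get("Label", "")), str(data.get("Program", ""))]
    strings += [str(a) for a in data.get("ProgramArguments", [])]
    return strings

def scan_launchd(plists: Dict[str, bytes]) -> List[str]:
    """Flag launchd jobs whose file name, label or program mentions an indicator."""
    hits = []
    for path, raw in plists.items():
        matched = [s for s in launchd_strings(raw, path) if s and matches_indicator(s)]
        if matched:
            hits.append(f"{path}: {', '.join(matched)}")
    return hits

def scan_processes(names: Iterable[str]) -> List[str]:
    """Flag running process names that contain an indicator."""
    return sorted({n.strip() for n in names if matches_indicator(n)})

def scan_paths(paths: Iterable[str]) -> List[str]:
    """Flag app bundles carrying the installers' 'User Manual' bundle name."""
    return sorted(p for p in paths if os.path.basename(p.rstrip("/")) == INSTALLER_APP_NAME)

def gatekeeper_enabled(spctl_status: str) -> Optional[bool]:
    """Interpret `spctl --status`: Gatekeeper is on when it prints 'assessments enabled'."""
    text = spctl_status.lower()
    if "assessments enabled" in text:
        return True
    if "assessments disabled" in text:
        return False
    return None

def scan(plists: Dict[str, bytes], process_names: Iterable[str],
         paths: Iterable[str], spctl_status: str = "") -> Findings:
    return Findings(scan_launchd(plists), scan_processes(process_names),
                    scan_paths(paths), gatekeeper_enabled(spctl_status))

def run_cmd(cmd: List[str]) -> str:
    try:
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    except OSError:  # command missing (e.g. spctl outside macOS)
        return ""

def collect_live() -> Findings:
    """Gather real inputs on a Mac; elsewhere the scan simply finds nothing."""
    plists = {}
    for d in LAUNCHD_DIRS:
        for f in (os.listdir(d) if os.path.isdir(d) else []):
            p = os.path.join(d, f)
            if os.path.isfile(p):
                with open(p, "rb") as fh:
                    plists[p] = fh.read()
    app_dirs = ("/Applications", os.path.expanduser("~/Applications"))
    apps = [os.path.join(d, n) for d in app_dirs if os.path.isdir(d) for n in os.listdir(d)]
    return scan(plists, run_cmd(["ps", "-axo", "comm="]).splitlines(), apps,
                run_cmd(["spctl", "--status"]))

# Constructed sample inputs (not captured from a real infection) for a dry run.
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.example.update.plist": plistlib.dumps(
        {"Label": "com.example.update", "ProgramArguments": ["/usr/local/bin/WatchProc"]}),
    "/Library/LaunchDaemons/machook_damon.plist": b"not a valid plist",
    "/Library/LaunchAgents/com.apple.Safari.plist": plistlib.dumps({"Label": "com.apple.Safari"}),
}
SAMPLE_PROCS = ["launchd", "WatchProc", "Finder", "machook_damon"]
SAMPLE_PATHS = ["/Applications/Safari.app", "/Volumes/CleanApp/使用帮助.app", "/Applications/CleanApp.app"]

if __name__ == "__main__":
    findings = collect_live()
    print("Gatekeeper enabled:", findings.gatekeeper_enabled)
    for kind in ("launchd", "processes", "installer_apps"):
        for hit in getattr(findings, kind):
            print(f"[{kind}] {hit}")
    print("WireLurker indicators found" if findings.infected_indicators() else "no indicators found")
```

Run it directly on a Mac to scan the live system, or call `scan()` on the constructed `SAMPLE_*` inputs to see the matching logic without touching the host. A substring match on two daemon names is deliberately narrow: it finds only what the slides describe, so a clean result here is not proof of a clean machine, and a Gatekeeper status of `False` is worth fixing regardless of any other finding.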

Page 24: Wirelurker

Contact me:

[email protected]
about.me/anupam.tiwari
https://www.youtube.com/user/anupam50/videos
http://anupriti.blogspot.in/