Thursday, November 6, 2014

Wirelurker Malware's Butt Gets Kicked Good!
(Free Detection Script!)

--

Early this AM the net waves were abuzz about a discovery made by Palo Alto Networks. It's OS X malware named Wirelurker (aka 'MacHook') that is capable of cross-infecting both jailbroken AND non-jailbroken iOS devices. That's a new species of malware for the Apple community. 

Topher Kessler and Thomas Reed have excellent coverage of the Wirelurker malware at their websites:

New WireLurker malware infects Mac OS X and iOS

Apple responds to 'Wirelurker' threat, revokes developer certificates

What's great is how Apple responded and stomped this thing dead in less than 24 hours!

Free Wirelurker Detection

Palo Alto Networks has provided a FREE detection script that runs in the Terminal HERE.

If you're not used to working in the Terminal, please do not attempt this script. If you ARE used to working in the Terminal, this is dirt easy. Be sure to read the README first, follow the instructions and it starts cooking, seeking Wirelurker. It will likely take a few minutes as it searches through all your applications for infection. If you've got the bug, follow the result instructions.

The Moral Of The Story

There are two olde lessons to learn from Wirelurker:

1) Don't Install Warez
If the software you're downloading and installing has been compromised, you'll be compromised too. Welcome to infection. You've been Trojaned.

2) Don't Jailbreak Your iOS Gear!
Thanks to Apple's rapid response, non-jailbroken iOS gear can no longer be infected with Wirelurker. HOWEVER, all jailbroken iOS gear is still susceptible to Wirelurker, as well as the handful of other malware strains targeting jailbroken iOS out in the wild. If you care about the security of your iOS gear, you care not for jailbreaking software.

[UPDATE!] Here is a HIGHER VOLTAGE discussion of Wirelurker from Jonathan Zdziarski, for those interested. (Italics mine):

What You Need to Know About WireLurker
It would greatly behoove Apple to address this situation with more than a certificate revocation; I’m not scared of WireLurker, but I am concerned that this technique could be weaponized in the future, and be a viable means of attack on public and private sector machines. It could easily be attached to any software download in-transit across non-encrypted HTTP, such as an Adobe Flash download or other software download. Social engineering would also help to make juicy targets out of people likely to click on links from IT departments or install software on their Mac. There are a number of potentially more dangerous uses for WireLurker, and unfortunately many of them will go unnoticed by Apple in time to revoke a certificate. It would be a much better solution to address the underlying design issues that make this possible.



--

2 comments:

  1. > Palo Alto Networks has provided a FREE detection script.

    The script had an error in it which caused it to miss identifying two of the WireLurker files.

    If you ran this script and found you were infected, then download and run it again to find those last two files (although they are harmless by themselves).

    If you ran the script and were not infected, there is no reason to run it again.
