Following yesterday's discovery of the WireLurker malware, Apple has taken some rapid steps to address it, including releasing an XProtect update to detect programs run on OS X that may contain the malware, and revoking the developer certificates of the compromised applications being used as vectors to spread it. In addition to these steps, if you suspect your Mac or iOS device might have been infected, there are some steps you can take to detect and remove it from your system.
How could I be infected?
This malware infects systems by first being distributed through modified software packages. These packages are downloaded through third-party app stores (not the App Store Apple includes in OS X) and from underground Web sites that distribute pirated software. If you suspect that software you have downloaded in the past six months came from sources such as these, there may be cause for concern; however, if you have only installed software from the App Store or from an official download from a reputable distributor or developer, then you likely have nothing to worry about.
Are there known symptoms of an infection?
How do I detect WireLurker?
The WireLurker malware installs a number of files on your OS X system, which set it up to detect any iOS systems you attach by a USB cable, and then install malware into that iOS device. If you have any of these files on your Mac, then you likely have the malware installed. These have been outlined by Palo Alto Networks, the company that discovered the malware, and for the current variant of the malware include the following files:
- A file called “run.sh” in the Macintosh HD > Users > Shared folder
- Any of the following files in the Macintosh HD > Library > LaunchDaemons folder:
  - com.apple.machook_damon.plist
  - com.apple.globalupdate.plist
  - com.apple.watchproc.plist
  - com.apple.itunesupdate.plist
- Any of the following files in the Macintosh HD > System > Library > LaunchDaemons folder:
  - com.apple.appstore.plughelper.plist
  - com.apple.MailServiceAgentHelper.plist
  - com.apple.systemkeychain-helper.plist
  - com.apple.periodic-dd-mm-yy.plist
- In addition, the following files and folders will be in the hidden /usr/bin directory, which can be opened by pressing Shift-Command-G in the Finder and then entering “/usr/bin” in the path field that appears:
  - globalupdate
  - /usr/local/machook/ (a folder)
  - WatchProc
  - itunesupdate
  - com.apple.MailServiceAgentHelper
  - com.apple.appstore.PluginHelper
  - periodicdate
  - systemkeychain-helper
  - stty5.11.pl
If you see any or all of these files on your Mac’s hard drive, then your Mac has likely been compromised. You can remove the malware by deleting these files and restarting your system, which should clear it fully; however, Palo Alto Networks has released a Python script that will do this for you. The script can be found at this GitHub project, and you can also run it by opening the Terminal and running the following two commands (copy and paste all lines of each command). The first command downloads the script, and the second runs it in the Terminal; you will need administrative access to run these scripts:
curl -O https://raw.githubusercontent.com/PaloAltoNetworks-BD/WireLurkerDetector/master/WireLurkerDetectorOSX.py
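As an added example (not the article's own commands and not the Palo Alto Networks script), the POSIX shell functions below check the indicator paths listed above by exact path only, so legitimately named look-alikes such as stty.pl or stty5.12.pl in /usr/bin are not reported; the optional ROOT argument is an assumption of this example that lets the same check run against a mounted volume or a test tree instead of the running system.

```shell
# Added example, not the article's commands or the Palo Alto Networks script:
# report the WireLurker indicator paths listed above, matched by exact path only.
# The optional ROOT argument lets the check run against a mounted volume or a
# test tree instead of the running system (default "/").
WIRELURKER_PATHS='
/Users/Shared/run.sh
/Library/LaunchDaemons/com.apple.machook_damon.plist
/Library/LaunchDaemons/com.apple.globalupdate.plist
/Library/LaunchDaemons/com.apple.watchproc.plist
/Library/LaunchDaemons/com.apple.itunesupdate.plist
/System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist
/System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
/System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
/System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
/usr/bin/globalupdate
/usr/local/machook
/usr/bin/WatchProc
/usr/bin/itunesupdate
/usr/bin/com.apple.MailServiceAgentHelper
/usr/bin/com.apple.appstore.PluginHelper
/usr/bin/periodicdate
/usr/bin/systemkeychain-helper
/usr/bin/stty5.11.pl
'

# Print each indicator present under ROOT as "FOUND: <path>".
# Returns 0 when nothing was found, 1 when at least one indicator exists.
# Look-alikes such as /usr/bin/stty.pl or stty5.12.pl are never reported.
wirelurker_check() {
    root="${1:-/}"; root="${root%/}"
    found=0
    for p in $WIRELURKER_PATHS; do
        if [ -e "$root$p" ]; then
            printf 'FOUND: %s\n' "$root$p"
            found=1
        fi
    done
    return "$found"
}

# Number of indicator paths present under ROOT, for scripting and assertions.
wirelurker_count() {
    wirelurker_check "$1" | grep -c '^FOUND:' || true
}
```

On a live Mac, `wirelurker_check / && echo "no indicators found"` reports nothing and prints the message when the system is clean; any FOUND lines are exact hits on the paths above and nothing is deleted.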
How do I remove WireLurker from iOS?
If you have detected WireLurker on your Mac and have attached your iOS device to it with a USB cable, then you likely have compromised your iOS device. In this case, you should take no chances and wipe your iOS device:
- Use iCloud to back up your device and all personal data on it
- Go to Settings > General > Reset
- Tap “Erase All Content and Settings” to clear all apps and data from the device
- Restart your iOS device and set it up again
- Sign into iCloud when you set up your iOS device and restore your backed up data
- If needed, download your apps again from the App Store
You can also attach your iPhone or iPad to your Mac and use the “Restore iPhone/iPad” button in iTunes to factory-reset the device. The key to these steps is they clear out all programs on your iOS device which may have been compromised, and replace them with fresh copies. Your data and files should all be preserved, though you might lose some application settings.
Thank you very much!
I checked my Mac manually for all the files you listed, out of curiosity rather than because I expected to find anything. I suggest anyone doing the same be careful what you throw away. There are some legitimate files on the system with similar, but not identical, names.
PS: This is a case in which using Terminal is probably the easiest way to go, for the time being anyway. 😉 XProtect may do the job going forward. But apparently it will not remove the files listed above if they have already been put in place by infected apps. In my opinion Apple should provide a more complete solution so that we don’t have to go to third parties and run Python scripts in Terminal.
Apple does provide a complete solution: The App Store. The fact that apps downloaded through the App Store can not run if they are modified later is the complete solution. If you choose to acquire software through other means, the onus is on you to ensure that software is only going to do what the provider says it is.
How do I look for the above files on a Mac?
In the Finder, open your hard drive (usually called “Macintosh HD”). You can locate this by choosing “Computer” from the Go menu, or by pressing Shift-Command-C. In here, you can open the folders to the paths I mentioned above (such as System > LaunchDaemons) and then browse the files in that folder to see if you can locate any that I mentioned in this article. Do this for all of the folders I mention for the steps above.
After pressing Shift-Command-G in the Finder and then entering “/usr/bin” in the path field, I found “stty.pl” and “stty5.12.pl” files – close to the “stty5.11.pl” file you said I should look out for.
So, am I still ok?
Are the other files listed in the article present, or just that one? Those are Perl scripts required for some system functions. The one that this malware sets up is so far known to be “stty5.11.pl” and not others. I would say you are fine. Macs will have similarly named Perl scripts in these folders, so I’d say you’re fine unless the specific one mentioned, along with the other files, is found on your system.
Thanks, Mr. Kessler. I found none of the files listed above. But when I press Shift, Command and G it says this folder cannot be found.
Kindly ignore my earlier post. Sorry, I figured out how to do this. I found stty.pl, stty5.12.pl and stty.5.16.pl.
Is this OK? No other files you mentioned above were found.
You should be fine, especially if you cannot find any of the other files mentioned in the article on your Mac.
How do I re-hide the /usr/bin folder?
You can close the folder and it should remain hidden. This routine only opens it in the Finder, but the folder itself should remain hidden.
Never had problems with my Mac on Lion. After some days with Yosemite, yesterday it started sending an email from my Mail account to contacts taken from there… is it WireLurker or anything else?
Can some forensics folks infect a demo iOS device with WL and report the actual files added/changed via an actual IDS? E.g., using Tripwire or file/dir hashing.