Following the recent Wirelurker malware that was discovered yesterday, Apple has taken some rapid steps to fix it, including releasing an XProtect update to detect programs that are run on OS X which may contain the malware, and revoking developer certificates for compromised applications that are being used as vectors to spread the malware. In addition to these steps, if you suspect your Mac or iOS system might have been infected, then there are some steps you can take to detect and remove it from your system.
How could I be infected?
This malware infects systems by first being distributed through modified software packages. These packages are downloaded through third-party app stores (not the App Store Apple includes in OS X), and from underground Web sites that distribute pirated software. If you suspect software on your system that you have downloaded in the past six months has been from suspect sources such as these, then there might be an area for concern; however, if you have only installed software from the App Store or from an official download from a reputable distributor or developer, then you likely have nothing to worry about.
Are there known symptoms of an infection?
How do I detect WireLurker?
The WireLurker malware installs a number of files on your OS X system, which set it up to detect any iOS systems you attach by a USB cable, and then install malware into that iOS device. If you have any of these files on your Mac, then you likely have the malware installed. These have been outlined by Palo Alto Networks, the company that discovered the malware, and for the current variant of the malware include the following files:
- A file called “run.sh” in the Macintosh HD > Users > Shared folder
- Any of the following files in the Macintosh HD > Library > LaunchDaemons folder
com.apple.machook_damon.plist com.apple.globalupdate.plist com.apple.watchproc.plist com.apple.itunesupdate.plist
- Any of the following files in the Macintosh HD > System > Library > LaunchDaemons folder
com.apple.appstore.plughelper.plist com.apple.MailServiceAgentHelper.plist com.apple.systemkeychain-helper.plist com.apple.periodic-dd-mm-yy.plist
- In addition, the following files and folders will be in the hidden usr/bin directory, which can be opened by pressing Shift-Command-G in the Finder and then then entering “/usr/bin” in the path field that shows up:
globalupdate/usr/local/machook/ WatchProc itunesupdate com.apple.MailServiceAgentHelper com.apple.appstore.PluginHelper periodicdate systemkeychain-helper stty5.11.pl
If you see any or all of these files in your Mac’s hard drive, then your Mac has likely been compromised. You can remove the malware by removing these files and restarting your system, which should clear it fully; however, Palo Alto Networks has released a python script that will do this for you. The script can be found at this github project, and you can also run it by opening the Terminal and then running the following two commands (copy and paste all lines of each command). The first command downloads the script, and the second runs it in the Terminal–you will need administrative access to run these scripts:
curl -O https://raw.githubusercontent.com/PaloAltoNetw\ orks-BD/WireLurkerDetector/master/WireLurkerDetectorOSX.py
How do I remove WireLurker from iOS?
If you have detected WireLurker on your Mac and have attached your iOS device to it with a USB cable, then you likely have compromised your iOS device. In this case, you should take no chances and wipe your iOS device:
- Use iCloud to back up your device and all personal data on it
- Go to Settings > General > Reset
- Tap “Erase All Content and Settings” to clear all apps and data from the device
- Restart your iOS device and set it up again
- Sign into iCloud when you set up your iOS device and restore your backed up data
- If needed, download your apps again from the App Store
You can also attach your iPhone or iPad to your Mac and use the “Restore iPhone/iPad” button in iTunes to factory-reset the device. The key to these steps is they clear out all programs on your iOS device which may have been compromised, and replace them with fresh copies. Your data and files should all be preserved, though you might lose some application settings.