
Removing Wirelurker from Your iOS or OSX Device

  • Posted on:November 10, 2014 at 3:10 am
  • Posted in:Mac, Malware, Mobile
  • Author:
    Trend Micro

In an earlier blog post, we tackled what the Wirelurker malware is and its security implications and risks for iOS and OSX devices. Within hours of the discovery of this malware, a Windows-based malware (detected as TROJ_WIRELURK.A) that performs the same attack was also seen in the wild. In this blog post, we’d like to share practices and recommendations for users and enterprises in order to secure their devices from this threat.

The following are some simple steps for users to check whether their Apple devices are infected by this malware.

For Mac computers:

You may check whether the following launch daemons exist in your Mac:

  • /Library/LaunchDaemons/com.apple.globalupdate.plist
  • /Library/LaunchDaemons/com.apple.machook_damon.plist
  • /Library/LaunchDaemons/com.apple.itunesupdate.plist
  • /Library/LaunchDaemons/com.apple.watchproc.plist
  • /Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
  • /Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
  • /Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
  • /Library/LaunchDaemons/com.apple.appstore.plughelper.plist

For jailbroken devices:

You may use SSH to connect to your device and check whether the following file exists:

  • /Library/MobileSubstrate/DynamicLibraries/sfbase.dylib
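The two file checks above can be scripted so they are repeatable across a fleet. The following POSIX shell script is an added example, not code from the original post: the indicator paths are exactly the ones listed in the post, while the ROOT argument is an assumption added so the same function can be run against the live system, a mounted disk image, or a constructed test tree. On a Mac it is run with the launch daemon list; on a jailbroken iOS device reached over SSH it can be run with the MobileSubstrate list instead.

```shell
#!/bin/sh
# Added example (not from the original post): look for the Wirelurker file
# indicators the post lists. Paths are the post's own; the ROOT argument is an
# assumption added so the check can target a mounted image or a test directory.

# Launch daemon plists the post associates with Wirelurker on OS X.
MAC_INDICATORS="
/Library/LaunchDaemons/com.apple.globalupdate.plist
/Library/LaunchDaemons/com.apple.machook_damon.plist
/Library/LaunchDaemons/com.apple.itunesupdate.plist
/Library/LaunchDaemons/com.apple.watchproc.plist
/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
/Library/LaunchDaemons/com.apple.appstore.plughelper.plist
"

# MobileSubstrate library the post lists for jailbroken iOS devices.
IOS_INDICATORS="
/Library/MobileSubstrate/DynamicLibraries/sfbase.dylib
"

# find_indicators ROOT INDICATOR_LIST
# Reports every listed path that exists under ROOT on stderr and prints the
# number of hits on stdout, so callers can branch on the count.
find_indicators() {
  root="${1%/}"          # "/" becomes "", "/mnt/img/" becomes "/mnt/img"
  count=0
  for path in $2; do     # the list is newline separated; paths contain no spaces
    if [ -e "$root$path" ]; then
      echo "indicator present: $root$path" >&2
      count=$((count + 1))
    fi
  done
  echo "$count"
}

# Scan the running system for the Mac indicators. On a jailbroken device the
# same call with "$IOS_INDICATORS" performs the post's SSH check.
mac_hits=$(find_indicators / "$MAC_INDICATORS")
echo "Wirelurker launch daemon indicators found: $mac_hits"
```

A zero count means none of the listed files are present, not that the machine is clean; the names deliberately mimic Apple's own, so do not widen the check into a pattern match on `com.apple.*`, which would flag legitimate daemons. Any hit is a reason to follow the removal and profile review steps below rather than to delete the file and stop.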

For non-jailbroken iOS devices:

  • Check whether there are any suspicious apps you did not install.
  • Open the “Settings” app, click the “Profile,” and check whether there are any suspicious profiles.

Below are guidelines to help you protect your Mac and iOS devices:

1. Do not jailbreak your iOS device.
2. Make sure your Mac and iOS are up-to-date.
3. Do not install any pirated software or software from untrusted sources. Only install software from the official App store.

Figure 1. Users can open “System Preferences”, select “Security & Privacy”, and set the option so that only apps from the official Mac App Store can be installed

Users who need to install software from other sources (and opt to select Mac App Store and identified developers) are strongly advised to practice extreme caution before installing them, and to make sure that the installers are from trusted sources and not tampered with.

4. Install security software on your Mac and make sure you always have the latest update.

5. Make sure you only connect your iOS devices to computers that you trust.

6. Pay attention to the installation request from enterprise provisioning applications. Allow only those from trusted sources to be installed on your device.

7. Remove any suspicious profiles from your iOS devices.

Figure 2. Users can check the profiles installed on their iOS device in “Settings” > “General” > “Profile(s)”

8. Carefully review any iOS application’s request for access to your camera, contacts, microphone, location information, and other sensitive data.

Figure 3. Review the privacy settings for each app in “Settings”. Users can prevent an app from accessing private information in “Settings” > “Privacy”

Enterprises that have joined Apple’s enterprise developer program can boost their security with the following steps:

  • Make sure you properly secure your private key.
  • Make sure only those necessary employees can access the private key.
  • Remember to deny former employees or team members access to the private key.
  • Revoke your certificate(s) as soon as possible if you feel your private key has been compromised.

Revoking certificates is important, as we have seen Windows malware that has been signed with stolen certificates. If enterprises lose control of their certificates, attackers could use them to impersonate the enterprise and sign malware. Such actions may not only damage the enterprise’s reputation but also cost it a lot of resources in handling the follow-up.

Trend Micro protects users from this threat via Trend Micro Antivirus for Mac, which detects the malware on OS X devices. We also detect the malicious apps installed onto jailbroken iOS devices as IOS_WIRELURKER.A.

Tags: Apple, iOS, Mac, Mac OS X, malware, Mac malware, Wirelurker
