In an earlier blog post, we tackled what Wirelurker malware is and its security implications and risks for iOS and OSX devices. Within hours of the discovery of this malware, a Windows-based malware (detected as TROJ_WIRELURK.A) that performs the same attack was also seen in the wild. In this blog post, we’d like to share practices and recommendations for users and enterprises in order secure their devices from this threat.
The following are some simple steps for users to check whether their Apple devices are infected by this malware.
For Mac computers:
You may check whether the following launch daemons exist in your Mac:
- /Library/LaunchDaemons/com.apple.globalupdate.plist
- /Library/LaunchDaemons/com.apple.machook_damon.plist
- /Library/LaunchDaemons/com.apple.itunesupdate.plist
- /Library/LaunchDaemons/com.apple.watchproc.plist
- /Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
- /Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
- /Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
- /Library/LaunchDaemons/com.apple.appstore.plughelper.plist
For jailbroken devices:
You may use SSH to connect to your device and check whether the following file exists:
- /Library/MobileSubstrate/DynamicLibraries/sfbase.dylib
For non-jailbroken iOS devices:
- Check whether there are any suspicious apps you did not install.
- Open the “Settings” app, click the “Profile,” and check whether there are any suspicious profiles.
Below are guideline to help you protect your Mac and iOS devices:
1. Do not jail break your iOS device.
2. Make sure your Mac and iOS are up-to-date.
3. Do not install any pirated software or software from untrusted sources. Only install software from the official App store.
Figure 1. Users can switch an option in “System Preferences” then select “Security & Privacy” to make sure only apps from official Mac App Store can be installed
Users who need to install software from other sources (and opt to select Mac App Store and identified developers) are strongly advised to practice extreme caution before installing them, and to make sure that the installers are from trusted sources and not tampered with.
4. Install security software on your Mac and make sure you always have the latest update.
5. Make sure you only connect your iOS devices to computers that you trust.
6. Pay attention to the installation request from enterprise provisioning applications. Allow only those from trusted sources to be installed on your device.
7. Remove any suspicious profiles from your iOS devices.
<
Figure 2. Users can check the profiles installed in their iOS device in “Settings”> “General” > “Profile(s)”
8. Carefully review any iOS application’s request for access to your camera, contacts, microphone, location information, and other sensitive data.
Figure 3. Review the privacy setting for each app in “Setting”. Users can prevent an app from accessing private information in “Settings” > “Privacy”
Enterprises that have joined Apple’s enterprise developer program can may boost their security with the following steps:
- Make sure you properly secure your private key.
- Make sure only those necessary employees can access the private key.
- Remember to deny former employees or team members access to the private key.
- Revoke your certificate(s) as soon as possible if you feel your private key has been compromised.
Revoking certificates is important as we have seen Windows malware that have been signed by stolen certificates. If enterprises lose their certificates, attackers could use the said certificates to impersonate them and use them to sign malware. Such actions may not only damage the enterprise’s reputation but also cost them a lot of resources in handling follow-ups.
Trend Micro protects users from this threat via its Trend Micro Antivirus for Mac that detects the malware in OS X devices. We also detect the malicious apps installed onto jailbroken iOS devices as IOS_WIRELURKER.A.
