
Removing Wirelurker from Your iOS or OSX Device

  • Posted on: November 10, 2014 at 3:10 am
  • Posted in: Mac, Malware, Mobile
  • Author: Trend Micro

In an earlier blog post, we tackled what the Wirelurker malware is and its security implications and risks for iOS and OSX devices. Within hours of the discovery of this malware, a Windows-based malware (detected as TROJ_WIRELURK.A) that performs the same attack was also seen in the wild. In this blog post, we’d like to share practices and recommendations for users and enterprises in order to secure their devices from this threat.

The following are some simple steps for users to check whether their Apple devices are infected by this malware.

For Mac computers:

You may check whether the following launch daemons exist on your Mac:

  • /Library/LaunchDaemons/com.apple.globalupdate.plist
  • /Library/LaunchDaemons/com.apple.machook_damon.plist
  • /Library/LaunchDaemons/com.apple.itunesupdate.plist
  • /Library/LaunchDaemons/com.apple.watchproc.plist
  • /Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
  • /Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
  • /Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
  • /Library/LaunchDaemons/com.apple.appstore.plughelper.plist

For jailbroken devices:

You may use SSH to connect to your device and check whether the following file exists:

  • /Library/MobileSubstrate/DynamicLibraries/sfbase.dylib
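The following shell script is an added example (it is not from the original post) that automates the two checks above: it tests for each of the listed launch daemon plists and for sfbase.dylib, and returns non-zero when any of them exists. Run it locally on the Mac, or over SSH on a jailbroken device; the optional root-prefix argument is an assumption added so the check can be exercised against a staged directory tree.

```shell
#!/bin/sh
# Added example, not from the original post: look for the WireLurker file
# indicators listed above (launch daemon plists on OS X, sfbase.dylib on a
# jailbroken iOS device). Run it locally on the Mac, or over SSH on the device.

# Indicators exactly as listed in the post, one absolute path per line.
WIRELURKER_INDICATORS="
/Library/LaunchDaemons/com.apple.globalupdate.plist
/Library/LaunchDaemons/com.apple.machook_damon.plist
/Library/LaunchDaemons/com.apple.itunesupdate.plist
/Library/LaunchDaemons/com.apple.watchproc.plist
/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
/Library/LaunchDaemons/com.apple.appstore.plughelper.plist
/Library/MobileSubstrate/DynamicLibraries/sfbase.dylib
"

# check_wirelurker [ROOT]
# Tests each indicator under ROOT (default "/", i.e. the live system; pass a
# staging directory to exercise the check offline). Prints every path found
# and returns 1 if any exists, 0 if the tree is clean.
check_wirelurker() {
    root="${1:-/}"
    root="${root%/}"   # strip a trailing slash so "/" + "/Library/..." does not double up
    found=0
    for rel in $WIRELURKER_INDICATORS; do
        if [ -e "$root$rel" ]; then
            echo "FOUND: $root$rel"
            found=1
        fi
    done
    return "$found"
}

# Scan the live system (or the prefix given as the first argument) when the
# script is run directly; the result is reported rather than aborting so a
# caller running under `set -e` still sees the message.
if check_wirelurker "${1:-/}"; then
    echo "No WireLurker indicators found."
else
    echo "WireLurker indicators present: follow the guidance in this post."
fi
```

The file checks are read-only; the script removes nothing, it only tells you whether the indicators from the post are present.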

For non-jailbroken iOS devices:

  • Check whether there are any suspicious apps you did not install.
  • Open the “Settings” app, go to “Profile(s),” and check whether there are any suspicious profiles.

Below are guidelines to help you protect your Mac and iOS devices:

1. Do not jailbreak your iOS device.
2. Make sure your Mac and iOS are up-to-date.
3. Do not install any pirated software or software from untrusted sources. Only install software from the official App Store.


Figure 1. Users can set the option in “System Preferences” > “Security & Privacy” so that only apps from the official Mac App Store can be installed

Users who need to install software from other sources (and opt to select Mac App Store and identified developers) are strongly advised to practice extreme caution before installing them, and to make sure that the installers are from trusted sources and not tampered with.

4. Install security software on your Mac and make sure you always have the latest update.

5. Make sure you only connect your iOS devices to computers that you trust.

6. Pay attention to the installation request from enterprise provisioning applications. Allow only those from trusted sources to be installed on your device.

7. Remove any suspicious profiles from your iOS devices.

Figure 2. Users can check the profiles installed on their iOS device in “Settings” > “General” > “Profile(s)”

8. Carefully review any iOS application’s request for access to your camera, contacts, microphone, location information, and other sensitive data.

Figure 3. Review the privacy setting for each app in “Settings”. Users can prevent an app from accessing private information in “Settings” > “Privacy”

Enterprises that have joined Apple’s enterprise developer program can boost their security with the following steps:

  • Make sure you properly secure your private key.
  • Make sure only those necessary employees can access the private key.
  • Remember to deny former employees or team members access to the private key.
  • Revoke your certificate(s) as soon as possible if you feel your private key has been compromised.

Revoking certificates is important, as we have seen Windows malware that was signed with stolen certificates. If enterprises lose control of their certificates, attackers could use those certificates to impersonate them and sign malware. Such actions may not only damage the enterprise’s reputation but also cost it a lot of resources in handling the follow-up.

Trend Micro protects users from this threat via Trend Micro Antivirus for Mac, which detects the malware on OS X devices. We also detect the malicious apps installed onto jailbroken iOS devices as IOS_WIRELURKER.A.
