Hide your Macs, iPhones and iPads: WireLurker nasty 'heralds new era'

The largest-scale attack of its kind on Apple Macs, phones and tablets – and believed the first to maliciously target non-jailbroken iPhones – has been detected. And it's hit thousands and thousands of devices in the wild. WireLurker infects OS X computers, and lies in wait for USB connections to Apple iPads and iPhones. It …

  1. Anonymous Coward

    Let the Fight Begin

    I'm getting some popcorn :D

  2. Steve Gill

    It had to happen one day - let's hope the infection can be stopped early

    1. Anonymous Coward

      It has happened a lot more than this instance. Apple's closed garden and incestuous OS has many weeds in the shadows.

      1. Anonymous Coward

        You did not read the article - it was not the official Apple App store.

  3. Andrew Moore

    This news calls for...

    http://www.sadtrombone.com/

  4. El_Fev
    Facepalm

    OK so let me get this straight..

    This worked by requiring people to jailbreak their phones and then connect to some dodgy Chinese app store website?

    Because I was reading this expecting it to be about software downloaded from the main apple webstore.

    So the whole gist of this article is if you jailbreak your phone and then download apps from a foreign website, you could have malware installed on your system.

    .

    .

    And in other news, bears do in fact crap in the woods! :S

    1. Mage Silver badge

      Re: OK so let me get this straight..

      The point is that Apple users are complacent. Apple OSX or iOS isn't magically more secure. It's just been a smaller target.

      iOS will be targeted more, it depends on OSX share as to if it has much attention.

      Most malware gets installed by user interaction, lack of user care on Windows. Hence AV isn't really the solution.

      1. Mike 102

        Re: OK so let me get this straight..

        iOS a smaller target....cobblers...

    2. AMBxx Silver badge
      Windows

      Re: OK so let me get this straight..

      No, read it again - it says it's the first to affect non-jailbroken phones.

      That said, it looks like it does need you to download software from a dodgy site.

    3. DaLo

      Re: OK so let me get this straight..

      From the first paragraph of the article:

      "The largest-scale attack of its kind on OSX devices, believed the first to maliciously target non-jailbroken iPhones"

      Keywords: OSX devices, non-jailbroken iPhones

    4. TheMole

      Re: OK so let me get this straight..

      "The largest-scale attack of its kind on OSX devices, believed the first to maliciously target non-jailbroken iPhones"

      implies otherwise.

      I interpreted the article to mean that it may have got into the Apple ecosystem via jailbroken phones but once on a Mac it can infect non-jailbroken devices via USB.

      1. DaLo
        Facepalm

        Re: OK so let me get this straight..

        "I interpreted the article to mean that it may have got into the Apple ecosystem via jailbroken phones"

        From the article: "WireLurker was used to trojanise (infect) 467 OS X applications on the Maiyadi App Store"

        keywords: OS X applications

        1. JLV

          Re: OK so let me get this straight..

          >keywords: OS X applications

          So, like I am wondering. Will the AV community actually have to do some work on OSX for once, rather than repurposing stuff to scan for Windows malware coming in somehow? And, will they catch WireLurker, or just claim it's not a virus, but user-installed?

          Wonder how successful their threat handling will be. I recently ditched my (free) Sophos AV for excessive CPU guzzling doing live scans. Using ClamXAV, on-demand instead. But, since these puppies haven't really been blooded on OSX, dunno how much to trust them...

          That said, it sounds like it's not exactly easy for the average (Western) Joe MacUser to catch this, at this point.

          As usual, those who believe Macs are inherently immune are naive. Inherently more robust (than Windows) most likely, but that's about it.

          1. Muscleguy

            Re: OK so let me get this straight..

            "I recently ditched my (free) Sophos AV for excessive CPU guzzling doing live scans. "

            Ditto. The iMac was going unresponsive for minutes at a time. Then I noticed in Activity Monitor the routine that was using 100% of CPU and removed it.

    5. NumptyScrub

      Re: OK so let me get this straight..

      This worked by requiring people to jail break their phones and then connect to some dodgy Chinese app store website?

      Because I was reading this expecting it to be about software downloaded from the main apple webstore.

      No, this requires users to download (infected) software from the Maiyadi App Store for Macs, like a MacBook Air, or the new iMac with 5K screen, or whatever.

      It then also infects any iDevice connected to the compromised Mac via USB, so it can potentially compromise any iPhone, iPad and iPod you have as well as your Mac. The iDevices do not have to be jailbroken before they can be compromised.

      The moral of this story is that 3rd party vendors can contain compromised software, regardless of the target OS. Caveat emptor, as they say :)

      1. Wibble

        Re: OK so let me get this straight..

        How can caveat emptor apply to people stealing software?

        I don't want to claim the moral high ground but it does seem like just deserts...

    6. Anonymous Coward

      Re: OK so let me get this straight..

      OK so let me get this straight.. It's OK to use the "china excuse" when it comes to Apple exploits, but when it's Android in question, and it's a China-only problem, it doesn't get a single mention. It's malware mad headlines....

      This uneven playing field is why nobody takes these media outlets seriously anymore. They have long since lost all their technical credibility and are just a sensationalist gutter reporting, the techy's Daily Star if you will.

  5. Hans 1
    Coat

    Whatever you do, stay covered and watch out where you insert it... that is what me dad told me when I was 14. Applies to all USB devices I have around here as well ... ;-)

    Basically, an infected computer can infect a non-jailbroken iPhone. I assume that is a bug in both iTunes and iPhone, then.

    1. Anonymous Coward

      >Basically, an infected computer can infect a non-jailbroken iPhone. I assume that is a bug in both iTunes and iPhone, then.

      Not a bug, a feature - it's using ad hoc distribution as per enterprise apps and governmental malware.

      1. dogged

        It's only a bug if it's not Apple, right?

        1. Volker Hett

          It is a feature, and an important one if you ask Android users. This is the way to install software on your iDevice without going through Apple's App Store.

        2. Robert Helpmann??
          Childcatcher

          It's only a bug if it's not Apple, right?

          No, no, apples get worms!

      2. sisk

        Not a bug, a feature

        Normally that's meant as a joke, but in this case it really is a feature. Not only is it A feature, but it's THE feature as far as enterprises are concerned. Take this away and force them to install the apps they need on their corporate iWhatsits one at a time through the app store and you wouldn't be able to give the things to corporate users.

        Sadly, as with many features designed for convenience, it's also an attack vector. Such problems shall always exist as long as non-geeks want to use technology.

  6. Deimos
    Coat

    so once again

    We have malware that only infects those who leave the Apple walled garden (for the first infection that is).

    Only affects those who used a dodgy Chinese site I believe, also sophisticated code and appears to only monitor the user. Hmmmm looks like a certain non-democratic Government doesn't it me old China? Or could it be Apple making sure we never leave the walled garden?

    Sorry I'm going out now, I may be gone some time.

    1. DaLo

      Re: so once again

      Is there a walled garden for OS X? I've always bought Creative Suite direct from Adobe.

      1. Deimos

        Re: so once again

        Probably right there, all my Apple toys are iOS fondleslabs and I haven't really used the desktop version since the 1980s.

        So it's not Apple, the bad guys are those naughty men from a certain non-democratic etc..

      2. Anonymous Coward

        Re: so once again

        No, for OSX there is no enforced wall. One can configure/mutilate/change how you like, install what you like from where you like, write and install your own core dumping programme or infinitely recursive script in whatever language for which you can get a compiler under OSX. It's just a BSD UNIX plus bells and whistles and a consumer windows interface, but still with the ability to use any other you can find or just a terminal.

        iOS (for iPhones, iPads etc.) is restricted. But private firms may want private apps for company devices. From the article, it seems that they have the possibility of providing an app store for their apps, accessed from a computer (OSX in this case). Presumably, one connects the iOS kit and uses iTunes to install the firm's app on the iPhone. So, someone has taken advantage of this to provide a dodgy app store. Fred Bloggs connects to that via his OSX host, gets that fascinating app, and so to iOS.

        So the iOS app store is irrelevant; the standard consumer protection is irrelevant. Just as with any other computer (or goods), a user goes to an unauthorised dealer to obtain goods and so has got no guarantee, no support, no evidence of provider. Bit like buying bootleg DVDs or a hair dryer at the back of a pub that fell off a lorry. It's just a bigger market and needs a bit more effort.

    2. Eddy Ito

      Re: so once again

      Don't worry, while you're out it will be updated to a drive-by installer on some website you trust that will install itself on your Mac and wait patiently for you to plug your iDevice into the USB port. But there's nothing to fear since you're not some godless Chinese peasant who jailbroke their iDevice. Then again, it's pretty clear you didn't actually read the article and don't understand the actual infection vector.

      Let me know how the whole head in the sand thing works out for you.

  7. Ted Treen
    Unhappy

    This operation...

    ...is following on what we've seen in the Windows world, and it's using the PICNIC* virus...

    *Problem In Chair Not In Computer

    There are some who, whatever OS they're using, will be as promiscuous (software wise) as a nympho at a Satyrs' convention...

  8. Big_Ted
    Happy

    Ah but......

    Ask any fanbois and they will tell you it's only Android that's open to malware.

    Therefore their iPhone is impossible to infect so this story is just made up by Apple haters.

    It's one reason they are happy with the walled garden, it's totally safe from the world's nasties.....

    1. Mike Bell
      Gimp

      Re: Ah but......

      Bollox.

      I don't mind calling myself a Fanboi. And guess what, I've adopted the recommended practice of getting my apps from the App Store. Not from some third party dodgy Chinese App Store or from an unrecognised Apple developer. In fact, with my current settings, my Mac would not allow me to obtain software from such a store.

      Enterprises are at liberty to install iPhone apps from an OS X computer. There's nothing new about that.

      In fact there's nothing new in this report at all, apart from the fact that it's a big deal in China.

      Don't install bad software from places you don't trust. If you don't give a shit, someone will take advantage of you.

      1. Colin Wilson 2

        Re: Ah but......

        >> Enterprises are at liberty to install iPhone apps from an OS X computer...

        As far as I know, to do this they have to install a provisioning profile on the iPhone - that's signed by an enterprise certificate backed by an Apple provisioning root CA (so no just some self-signed thing). The provisioning profile lets the iPhone run the application that's signed by the developer's certificate backed again by an Apple root CA.

        It would be interesting to know if these virus writers have found a way round all that - some Apple bug in iOS or iTunes; or if they've set up a rogue enterprise, had it approved by Apple, and somehow persuaded the users to install their provisioning profile.
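Colin Wilson 2's description of the enterprise provisioning chain is the point where a defender would want to see what such a profile actually grants. The block below is an added example, not code from the article, any commenter, or Apple: it pulls the XML plist out of a .mobileprovision file and flags the grants that matter in the WireLurker case (ProvisionsAllDevices, expiry, wildcard app identifiers). The sample profile is constructed, and the block does not verify the CMS signature wrapping the plist, which is the check the device itself performs against Apple's root.

```python
"""Audit the plist payload of an iOS provisioning profile (.mobileprovision).

A real profile is a DER-encoded CMS signature wrapping an XML plist. This
added example only locates and parses that plist; it does not verify the
signature. The key names are those Apple uses in real profiles; the sample
profile itself is constructed for this example.
"""
import plistlib
from datetime import datetime
from typing import Optional

# Constructed sample: a few opaque bytes stand in for the CMS envelope that
# surrounds the plist in a real .mobileprovision file.
SAMPLE_PROFILE = (
    b"\x30\x82\x0a\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Name</key><string>Example Enterprise Distribution</string>
    <key>TeamIdentifier</key><array><string>EXAMPLETEAM</string></array>
    <key>TeamName</key><string>Example Corp (constructed)</string>
    <key>ProvisionsAllDevices</key><true/>
    <key>ExpirationDate</key><date>2015-10-01T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>EXAMPLETEAM.*</string>
        <key>get-task-allow</key><false/>
    </dict>
</dict>
</plist>"""
    + b"\xa0\x82\x01\x00\x30\x82\x00\xfc"
)


def extract_plist(profile: bytes) -> bytes:
    """Return the XML plist embedded in the profile bytes, or raise if absent."""
    start = profile.find(b"<?xml")
    end = profile.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no plist payload in profile")
    return profile[start:end + len(b"</plist>")]


def audit_profile(profile: bytes, as_of: Optional[str] = None) -> dict:
    """Summarise what the profile grants; 'findings' lists the risk-relevant parts.

    as_of is an optional "YYYY-MM-DD" date for the expiry check (default: now).
    """
    now = datetime.strptime(as_of, "%Y-%m-%d") if as_of else datetime.utcnow()
    info = plistlib.loads(extract_plist(profile))
    ents = info.get("Entitlements", {})
    enterprise = bool(info.get("ProvisionsAllDevices", False))
    devices = info.get("ProvisionedDevices", [])
    expires = info.get("ExpirationDate")  # plistlib yields a naive UTC datetime
    expired = expires is not None and expires <= now

    findings = []
    if enterprise:
        findings.append("ProvisionsAllDevices: installs on any device, no App Store review")
    elif not devices:
        findings.append("no ProvisionedDevices list: profile is not device-scoped")
    if expired:
        findings.append("profile expired on %s" % expires.date())
    if ents.get("get-task-allow"):
        findings.append("get-task-allow: a debugger may attach to the app")
    app_id = ents.get("application-identifier", "")
    if app_id.endswith(".*"):
        findings.append("wildcard application-identifier %s: one profile covers many apps" % app_id)

    return {
        "name": info.get("Name"),
        "team": (info.get("TeamIdentifier") or [None])[0],
        "enterprise": enterprise,
        "expired": expired,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in audit_profile(SAMPLE_PROFILE, "2014-11-06").items():
        print("%-10s %s" % (key + ":", value))
```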

        1. Mike Bell

          Re: Ah but......

          Yes, it would be interesting to know. My guess is that they've got a stolen certificate or two from somewhere. That would be the simplest way to do it.

          1. Synonymous Howard

            Re: Ah but......

            Then it ought to be trivial for Apple to examine said signed iOS apps and revoke said certificates. Macs certainly use OCSP a lot judging by the network traffic so should be able to quickly spot a wrong 'un and block its use.

            1. Mike Bell

              Re: Ah but......

              Apple have since reported that the identified apps have been blocked to prevent them launching. Naturally, they don't go into details.

              There's an excellent investigative report that you can download here. The report makes it clear that the iOS apps that WireLurker offers to install are signed by enterprise certificates.

    2. heyrick Silver badge

      Re: Ah but......

      "It's one reason they are happy with the walled garden, it's totally safe from the world's nasties....." - if you read the article, it isn't an iOS virus. It is a Trojan in apps for OSX (a big Mac) that then compromises the big computer to look for tablets and such being connected, and they in turn are compromised by abusing, I presume, the update protocols. Clever stuff, but totally bypasses iOS, the walled garden, everything.

  9. graeme leggett Silver badge

    " trojanise " !

    Not even a bloody word.

    1. Deimos
      Facepalm

      Re: " trojanise " !

      Yes it is, see my fine example below.

      Under new laws in California, all male performers in the sex industry must use condoms.

      A spokesman was quoted as saying "Guys have got to Trojanise or no work".

      1. Anonymous Coward

        Re: " trojanise " !

        It's a linguistic virus, like most American.

        Actually, it's for those whose ability with English is limited - English spoken by foreigners.

        1. Martin Maloney
          Thumb Down

          Re: " trojanise " !

          Do you "butter" your bread? Do you "rake" your lawn? Does your mechanic "lube" your car?

          The facility of "verbizing/verbising" a noun is one of the strengths of the English language. Even though I just now invented a word, everyone with at least two functioning neurons grasped my meaning.

          Of course, being a foreigner -- I was born in and live in the US -- explains why my "ability with English is limited."

  10. Frankee Llonnygog

    The real vulnerability

    Is surely that the Maiyadi app store lets some geezer overwrite legit apps with dodgy infected versions?

  11. Stern Fenster

    Re: OK so let me get this straight.

    ***The point is that Apple users are complacent. Apple OSX or iOS isn't magically more secure. It's just been a smaller target.***

    Oh Jesus H Christ, not more of this...

    NO intelligent user of ANY OS supposes it to be "magically" completely secure (the ones who do don't count).

    Many users however can make an intelligent distinction between "completely secure" and "relatively secure".

    Unix systems are not magically "secure" but they are demonstrably "more secure". Their use across the web does not constitute a "small target".

    Let's say it yet, yet, yet again: There are currently no viruses proper - at all - for OSX (there will be, sometime, but this isn't one of them). There are however Trojans - ooh, must be 6 or 7 now. There already were Trojans - nothing has changed. Trojans require stupidity to work. No system, however secure, will guard against stupidity. Is this news?

    I (and a load of other people) use Macs for serious work, not because they're hip or shiny but because they're nicely thought out and work well. I do not imagine they are immune to nasties. But I have observed, from evidence, that they are comparatively immune. I'm sick to the back teeth of the yah-boo-sucks level of "fanbois" discussion (isn't that something to do with wooden ventilators?), the eternal repeats of the same old same old. Get a life, for Chrissake, there are different systems - just get over it.

    In other news (a few articles back):

    "Malware monitors PandaLabs says 227,747 new malware samples are released every day.

    The findings from its recent survey found 20 million samples were created in the third quarter of 2014.

    Three quarters of infections were trojans while only 9 percent were viruses and 4 percent worms.

    The number of trojans rose 13 percent over the last three months, displacing viruses which fell by 10 percent over the same period."

    Where do you suppose the overwhelming bulk of this stuff is targeted?

    1. Anonymous Coward

      Re: OK so let me get this straight.

      As far as iOS is concerned this is a virus. The original infection of the host may be via a trojan (many viruses are/were) but the fact it can replicate onto any number of iOS devices without user interaction makes it a virus.

      The replication of the virus may be limited to the first client as the infected iOS device cannot spread it any further so it is still very limited.

    2. Stretch

      Re: OK so let me get this straight.

      Did you like just crawl out from under a rock? Heartbleed? Shellshock? Miss that shit? Decade old unix zero days? NSA must be so annoyed their lovely vulns got spread around.

      1. Volker Hett

        Re: OK so let me get this straight.

        Two questions, have they been used to infect Linux and Unix Hosts in the last couple of decades? And if not, why?

    3. NumptyScrub
      Trollface

      Re: OK so let me get this straight.

      Let's say it yet, yet, yet again: There are currently no viruses proper - at all - for OSX (there will be, sometime, but this isn't one of them).

      If you are using a definition of "virus" that does not include compromised software that:

      a) deliberately spreads itself to other devices from the infected device, and deliberately modifies existing applications so they contain its own code

      b) deliberately harvests information from the infected device and uploads that to a 3rd party server

      c) contains the ability to autoupdate to add additional functionality or update existing functionality

      d) deliberately obfuscates itself to avoid detection

      then AFAIK Windows currently has no "proper viruses" either. I'm struggling to define "virus" such that this malware doesn't fit the definition but current Windows malware does, since it seems to have almost exactly the same MO as any of the Windows crop.

    4. sisk

      Re: OK so let me get this straight.

      NO intelligent user of ANY OS supposes it to be "magically" completely secure (the ones who do don't count).

      Don't be ridiculous. Of course they count. And some of them (at least one whom I personally know) are quite intelligent.

      Unix systems are not magically "secure" but they are demonstrably "more secure".

      True enough.

      Their use across the web does not constitute a "small target".

      As far as user-targeting malware is concerned, yes it does. Servers are another matter, but servers are much harder to infect than desktops to begin with. For starters, they almost never hang out in sleazy websites like users do.

      Let's say it yet, yet, yet again: There are currently no viruses proper - at all - for OSX (there will be, sometime, but this isn't one of them).

      You do realize that even Apple stopped trying to push that particular line of bull 5 years ago, right? Yes, OSX viruses do exist and are in the wild and have been around since at least 2006. For a few examples, see

      OSX_IWORM.A OSX_SLORDU.A OSX_MACKONTROL.A and OSX_MUSMINIM.A all of which are viruses that can be picked up via drive-by downloads. And those are just a few examples. Yes, there is much less malware of all types around for OSX, but don't be one of those fools going around believing it doesn't exist.

      OSX (and anything else *nix based) is harder to infect than Windows, but by no means is it so difficult as to not be worth it were there a greater number of potential targets. The diminutive market share of non-Windows PCs is very much one of the reasons we don't see more non-Windows malware.

    5. Someone Else Silver badge
      Coat

      @ Stern Fenster -- Re: OK so let me get this straight.

      NO intelligent user of ANY OS supposes it to be "magically" completely secure (the ones who do don't count).

      Yes they do...but only to 10.

      1. Mike 102

        Re: @ Stern Fenster -- OK so let me get this straight.

        in binary....

        ;-)

      2. Martin Maloney
        Coat

        Re: @ Stern Fenster -- OK so let me get this straight.

        If they were able to count to twenty, would you then congratulate them on their tremendous feet?

        (So many puns, so little time...)

  12. Stretch

    Anyone got a link to this malware so I can send to all the macscum I know?

    1. Kebablog

      I assume all the Macscum you know are probably aware that you are an idiot so wouldn't bother taking any notice of you.

      1. Stretch

        @ Kebablog

        They are macscum. Who cares what they think? They have proved themselves incapable of rational thought.

    2. Steve Davies 3 Silver badge

      Be careful what you wish for

      those Macscum might send it back to you with lots of extra bells and whistles.

    3. Frankee Llonnygog

      Re: Anyone got a link?

      @Stretch - try www.infect-this-jerk's-crusty-dell-pc.com

  13. Jess

    The myth is that all malware is viruses.

    The Mac is pretty resistant to viruses.

    People wrongly extrapolate this to it being immune to all malware.

    1. Craig 2

      Re: The myth is that all malware is viruses.

      The Mac is pretty irrelevant to virus writers.

      People wrongly extrapolate this to it being more resistant to malware.

      1. El_Fev

        Re: The myth is that all malware is viruses.

        Well, considering that Mac users tend to have more disposable income, then surely they are a target worth hitting; also considering all the banking systems run using UNIX, that is a colossal target. Windows is just not as secure, get over it man!

  14. Planky

    To infect your iOS device you have to:

    1. Plug it into the USB port of an infected computer.

    2. Select Yes in the "Trust the Computer" pop-up on the iOS device.

    3. OK the install of the enterprise provisioning.

    Then and only then will it install on your device.

    Update: Apple have already revoked the license of that particular enterprise provisioning system.

    1. Rootkitten
      Trollface

      Actually a couple of the exploits we have seen and have to play with allow remote infection over wireless and even allow us to turn on your Bluetooth and infect your non-jailbroken phone or iPad. Have case numbers where it was reported to Apple in April. Where is my bounty Apple!

  15. Christian Berger

    I wonder when we are at the 1000th "first" Mac-virus

    Seriously, those have existed for decades, there even were some for old 68k Macs.

  16. DerekCurrie
    Thumb Up

    Apple Kicks Butt...

    Setting aside all the searing 'PAIN'...

    Apple kicked this malware in the bunghole in a HURRAY, yeah! After Palo Alto Networks had announced their discovery, Apple's turnaround time to block the malware was < 24 hours.

    BTW: Palo Alto Networks' free WireLurker Detector is available at the link below. It runs in the Terminal.

    https://github.com/PaloAltoNetworks-BD/WireLurkerDetector

  17. Geoffrey Thomas

    syntax.

    "Bit like buying bootleg DVDs or a hair dryer at the back of a pub that fell off a lorry"

    Big lorry!

  18. chris lively

    Let's see. I have an iPhone and iPad. But I don't have a Mac and my Windows machine doesn't download crap from China.

    Sounds like the best plan here is to just not buy a Mac.

  19. William Donelson
    Thumb Down

    Jeez, from the headline of this article you'd think we all go to illegal 3rd party app stores IN CHINA.

    1. Rootkitten

      We have seen a couple apps with rootkits on the Apple store this year, so it is here in the US too, and no jail breaking required.

  20. Rootkitten
    Trollface

    Reported with examples to Apple 7 months ago, also hits Windows and Android

    I reported to Apple in April, no need to jailbreak, it does write to firmware too. It is not just USB, it is also spread via wifi and Bluetooth with infected machines able to remotely turn on wifi or Bluetooth and even infect iOS set to airplane mode. It appears to be something like a law enforcement or Apple included backdoor or rootkits that has been taken over. It is similar to the Mask malware in that it will infect anything. We have it documented to infect Ford vehicles via Bluetooth, and possibly medical devices. Have case numbers and documentation to show Apple denied for a couple months, then plugged it in to their Mac at the local Apple store and have been spreading it since.

    Apple is playing a game of chance with users and making false claims and providing false sense of security on devices that are easier to infect and take full control of than many.

    Apple failed miserably here and as latest software updates have shown, have lost their way, and it works on any version including latest iOS 8.1.1 beta and Yosemite. Apple took an arrogant stance, denied it, flashed and returned with even more malware on it. Nice and buggy like my new MacBook Pro that has sloppy OS bugs I had to fix myself.

    Apple still has not replaced a couple iPads mini retinas I have that were infected right after purchase if anyone wants to check out or verify. Apple will die in enterprise like they want in on with this type of behavior.

    Just like the back doors found on Intel epsd systems this year, Intel denies it, then accuses who submitted the found exploits, then hides behind saying it is NSA (when we verified it was not), then gets hacked by it themselves, then denies its possibility even though we have verification from their chip engineers down to their marketing people it's real, then you find some of it was written by Intel employees, released at Black Hat, but they never fixed it in their BIOS.

    Security is a joke, and places are too quick to say NSA backdoor or other false claims, it's the companies' back doors, schlock programmers, and priming for future products according to several insiders.
