Detecting Wirelurker Malware

[UPDATE] It appears the command and control infrastructure has been neutralized.

Palo Alto has already written a script that will detect the Wirelurker malware.  It basically scans for the files known to be malicious.  Just download the script and run it from Terminal:

curl -O https://raw.githubusercontent.com/PaloAltoNetworks-BD/WireLurkerDetector/master/WireLurkerDetectorOSX.py</code>
python WireLurkerDetectorOSX.py

On a clean system, you will get output like this:

WireLurker Detector (version 1.0.0)
Copyright (c) 2014, Palo Alto Networks, Inc.
[+] Scanning for known malicious files ...
[-] Nothing is found.
[+] Scanning for known suspicious files ...
[-] Nothing is found.
[+] Scanning for infected applications ... (may take minutes)
[-] Nothing is found.
[+] Your OS X system isn't infected by the WireLurker. Thank you!

Kudos to them for creating such a great script!  If you wanted to use this in a roll-your-own sort of solution, you could do so using Hazel, Folder Actions, or launchd.  According the script made by Palo Alto, these are the files you would need to watch out for:

/Users/Shared/run.sh
/Library/LaunchDaemons/com.apple.machook_damon.plist
/Library/LaunchDaemons/com.apple.globalupdate.plist
/usr/bin/globalupdate/usr/local/machook/
/usr/bin/WatchProc
/usr/bin/itunesupdate
/Library/LaunchDaemons/com.apple.watchproc.plist
/Library/LaunchDaemons/com.apple.itunesupdate.plist
/System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist
/System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
/System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
/System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
/usr/bin/com.apple.MailServiceAgentHelper
/usr/bin/com.apple.appstore.PluginHelper
/usr/bin/periodicdate
/usr/bin/systemkeychain-helper
/usr/bin/stty5.11.pl
/etc/manpath.d/
/usr/local/ipcc/

Leave a Reply