[UPDATE] It appears the command and control infrastructure has been neutralized.
curl -O https://raw.githubusercontent.com/PaloAltoNetworks-BD/WireLurkerDetector/master/WireLurkerDetectorOSX.py</code> python WireLurkerDetectorOSX.py
On a clean system, you will get output like this:
WireLurker Detector (version 1.0.0) Copyright (c) 2014, Palo Alto Networks, Inc. [+] Scanning for known malicious files ... [-] Nothing is found. [+] Scanning for known suspicious files ... [-] Nothing is found. [+] Scanning for infected applications ... (may take minutes) [-] Nothing is found. [+] Your OS X system isn't infected by the WireLurker. Thank you!
Kudos to them for creating such a great script! If you wanted to use this in a roll-your-own sort of solution, you could do so using Hazel, Folder Actions, or launchd. According the script made by Palo Alto, these are the files you would need to watch out for:
/Users/Shared/run.sh /Library/LaunchDaemons/com.apple.machook_damon.plist /Library/LaunchDaemons/com.apple.globalupdate.plist /usr/bin/globalupdate/usr/local/machook/ /usr/bin/WatchProc /usr/bin/itunesupdate /Library/LaunchDaemons/com.apple.watchproc.plist /Library/LaunchDaemons/com.apple.itunesupdate.plist /System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist /System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist /System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist /System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist /usr/bin/com.apple.MailServiceAgentHelper /usr/bin/com.apple.appstore.PluginHelper /usr/bin/periodicdate /usr/bin/systemkeychain-helper /usr/bin/stty5.11.pl /etc/manpath.d/ /usr/local/ipcc/