OMG, WireLurker

A few days ago, the well-known US security company Palo Alto Networks published a report on a newly detected piece of malware, WireLurker. What sets it apart from the crowd is that it runs on Mac OS X, long regarded as extremely secure, and can infect iOS devices connected to the Mac, without requiring the iOS device to be jailbroken. It is also the first malware able to infect iOS apps.

The malware came from Maiyadi (麦芽地), a well-known Chinese Apple "tech" (read: piracy) forum. Many of the repackaged pirated apps and games on the forum had WireLurker added to them, and a very large number of Mac users in China were infected.

A simple way to check whether you have been hit: look in /usr/local for a directory named machook. If it is there, congratulations, you are infected!

Contents of the machook directory:

$ tree /usr/local/machook/
machook
├── com.apple.globalupdate.plist
├── com.apple.machook_damon.plist
├── dylib
│ ├── libcrypto.1.0.0.dylib
│ ├── libiconv.2.dylib
│ ├── libimobiledevice.4.dylib
│ ├── liblzma.5.dylib
│ ├── libplist.2.dylib
│ ├── libssl.1.0.0.dylib
│ ├── libusbmuxd.2.dylib
│ ├── libxml2.2.dylib
│ └── libz.1.dylib
├── globalupdate
├── machook
└── watch.sh

Palo Alto provides a Python script that scans for WireLurker (and it outed me: I once downloaded a game from Maiyadi..).

$ python WireLurkerDetectorOSX.py
WireLurker Detector (version 1.2.0)
Copyright (c) 2014, Palo Alto Networks, Inc.
[+] Scanning for known malicious files ...
[!] Found malicious file: /Library/LaunchDaemons/com.apple.machook_damon.plist
[!] Found malicious file: /Library/LaunchDaemons/com.apple.globalupdate.plist
[!] Found malicious file: /usr/local/machook/
[!] Found malicious file: /System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist
[!] Found malicious file: /System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
[!] Found malicious file: /System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
[!] Found malicious file: /System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
[!] Found malicious file: /usr/bin/com.apple.MailServiceAgentHelper
[!] Found malicious file: /usr/bin/com.apple.appstore.PluginHelper
[!] Found malicious file: /usr/bin/periodicdate
[!] Found malicious file: /usr/bin/systemkeychain-helper
[!] Found malicious file: /usr/bin/stty5.11.pl
[+] Scanning for known suspicious files ...
[!] Found suspicious file: /etc/manpath.d/
[+] Scanning for infected applications ... (may take minutes)
[!] Found infected application: /Applications/Sim City 4 Deluxe Edition.app
[!] WARNING: Your OS X system is highly suspicious of being infected by the WireLurker.
[!] You may need to delete all malicious or suspicious files and/or applications above.
[!] For more information about the WireLurker, please refer:
[!] http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/
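The machook check above and the paths in the detector output can be turned into a quick, dependency-free check for an offline disk image or a live system. The script below is an added example, not Palo Alto's WireLurkerDetectorOSX.py: it only looks for the file-system indicators listed in this post (it does not scan .app bundles for infected binaries the way the official detector does), and the function name, the WIRELURKER_SCAN_ROOT variable and the optional ROOT argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks' WireLurkerDetectorOSX.py: a POSIX sh
# check for the WireLurker file-system indicators listed in this post.

# Paths the detector output reports as known malicious.
WIRELURKER_MALICIOUS_PATHS="
/usr/local/machook
/Library/LaunchDaemons/com.apple.machook_damon.plist
/Library/LaunchDaemons/com.apple.globalupdate.plist
/System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist
/System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
/System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
/System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist
/usr/bin/com.apple.MailServiceAgentHelper
/usr/bin/com.apple.appstore.PluginHelper
/usr/bin/periodicdate
/usr/bin/systemkeychain-helper
/usr/bin/stty5.11.pl
"

# Path the detector reports only as suspicious (it can exist legitimately).
WIRELURKER_SUSPICIOUS_PATHS="
/etc/manpath.d
"

# check_wirelurker_indicators [ROOT]
# Scans the tree rooted at ROOT (default "/"; pass a mount point such as
# /Volumes/Backup to check an offline image). Prints one line per indicator
# found and returns 1 if any known-malicious path exists, 0 otherwise.
# Suspicious-only hits are printed but do not change the return value.
check_wirelurker_indicators() {
    root="${1:-/}"
    root="${root%/}"            # strip trailing slash so "/" becomes ""
    malicious=0
    for p in $WIRELURKER_MALICIOUS_PATHS; do
        if [ -e "$root$p" ]; then
            echo "[!] Found malicious file: $root$p"
            malicious=$((malicious + 1))
        fi
    done
    for p in $WIRELURKER_SUSPICIOUS_PATHS; do
        if [ -e "$root$p" ]; then
            echo "[?] Found suspicious file: $root$p"
        fi
    done
    if [ "$malicious" -gt 0 ]; then
        echo "[!] $malicious known WireLurker indicator(s) present under ${root:-/}"
        return 1
    fi
    echo "[+] No known WireLurker indicators under ${root:-/}"
    return 0
}

# Run a scan when WIRELURKER_SCAN_ROOT is set, e.g.
#   WIRELURKER_SCAN_ROOT=/ sh wirelurker_check.sh
if [ -n "${WIRELURKER_SCAN_ROOT:-}" ]; then
    check_wirelurker_indicators "$WIRELURKER_SCAN_ROOT" || true
fi
```

The paths in /System/Library/LaunchDaemons and /usr/bin are the persistence and helper binaries the detector flags; finding the machook directory alone is enough to treat the machine as infected, and the launchd plists explain why the payload survives a reboot.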

The Mac platform has caught the attention of bad actors too, and rumour has it this one is linked to the "digital company" (数字公司). Stay away from pirated software: whatever is available on the Mac App Store, download it from the MAS to stay safe.