WireLurker for Windows

Summary

Yesterday we published a whitepaper introducing WireLurker, the first malware attacking both non-jailbroken and jailbroken iOS devices from a Mac OS X system. Shortly after we released the paper, Jaime Blasco from AlienVault Labs notified us that he’d found a Windows executable file that contains WireLurker’s command and control server address. We analyzed and investigated the sample and have confirmed that it is an older version of WireLurker.

This variant is being distributed by a different Chinese source that is hosting 180 Windows executables and 67 Mac OS X applications, each of which contains a version of the WireLurker Trojan. The Windows variant opens a new vector for iOS users to be infected with WireLurker, but appears to have been less successful than its Mac OS X descendent.

Samples of this older variant display a user interface and are advertised as an installer for specific pirated iOS apps. Between March 13 and today these programs have been downloaded 65,213 times, with 97.7% of the downloads being the Windows version. Like the latest WireLurker, this variant tries to infect jail-broken iOS devices with the WireLurker iOS malware.

This version of the malware also installs the sfbase.dylib tweak to the iOS file system, which is an earlier version of the malicious iOS binary file mentioned in our earlier report. These samples also indicate that the creator of WireLurker may have a direct relationship with the Maiyadi App Store.

Palo Alto Networks has released protections for all versions of WireLuker in our Antivirus, WildFire, IPS, and URL Filtering products. We’ve updated our detection code in Github to detect the older Mac OS versions of the malware and plan to release a tool to detect the Windows variant.

Early Versions of WireLurker for Windows and OS X

A Different Source

Previously we knew the WireLurker was distributed through the Maiyadi App Store. However, the newly revealed samples were directly uploaded to Baidu YunPan (a public cloud storage service of Baidu) by user “ekangwen206” (Figure 1). When we investigated this source we found the user had uploaded 247 samples in total, of which 180 are Windows software and the other 67 are OS X applications. All OS X samples were uploaded on March 12 and all Windows samples on March 13, over a month before the Mayaidi App store infections.

We downloaded and confirmed that all of these files belong to a new variant of WireLurker and should be classified as Trojan malware.

Figure 1: Samples of WireLurker list in the Baidu cloud storage system

These samples are listed as “green” (e.g. good or clean) IPA installers for specific pirated iOS apps. Some of the named iOS apps are extremely popular, while some of the others are pre-installed iOS system apps, including the following:

  • Facebook
  • WhatsApp Messenger
  • Twitter
  • Instagram
  • Minecraft
  • Flappy Bird
  • Bible
  • GarageBand
  • Calculator
  • Keynote
  • iPhoto
  • Find My iPhone
  • iMovie
  • iBooks

Baidu YunPan provides statistics of views and downloads for every single file. Through this feature, we found that in the past eight months, the 247 samples were downloaded a total of 65,213 times. Also according to their statistics, 97.7% of the downloads were Windows samples, which is consistent with the market share of Windows in China.

File Information and Structures

Based on the file information in PE structure, all of the Windows samples of  were created on March 13 on a Windows XP computer. Each Windows sample contains a malicious PE executable file, six normal DLL files and a manual TXT file.

Each PE executable file has two extra IPA files (iOS app’s installation bundle file) appended to them, shown in Figure 2. The first IPA file, named “apps.ipa”, is a malicious iOS application; the second one, named “third.ipa”, is the pirated iOS app advertised by the sample. These two IPA files will be dropped to “C:\Documents and Settings\<USER>\Local Settings\Temp\” directory after the installer is executed.

Figure 2: Two IPA files were appended to the PE executable file

OS X samples of this variant have a fixed bundle executable name “appinstaller”. The IPA files are packed in the Resources directory in the OS X applications: one is named “infoplistab” for “apps.ipa”; the other is “third.ipa”.

User Interaction

After users download the samples and run them on Windows or OS X, a GUI appears as Figure 3 and Figure 4. If iTunes isn’t installed on the Windows system, the malware guides users to an official site of Apple China to download and install it.

Figure 3: GUI of a Windows sample

Figure 4: GUI of a OS X sample

If iTunes is installed the user interface shows a message of waiting for iOS device connection. After the user connects their device to the computer, the device’s name will appear in the GUI and a “click to install” button becomes available.

Install iOS application and iOS malware

If the user runs the samples and clicks the installation button the pirated iOS application shown in the interface will be installed on the device, but only if the device is jailbroken. At the same time the program will secretly install the apps.ipa file.

During our analysis, we connected an iPhone 5s running iOS 7.1 (jailbroken) and a 3rd gen iPad running iOS 6 (jailbroken) to infected Windows 7 and Windows XP systems. When using the iPhone 5s/iOS 7.1, the installer crashed after clicking the button; with the iPad, the interface shows “installation is successful”, but we did not find any new icon in the iPad display.  We believe this failure was caused by poor coding quality and incompatibility between the malware and the iOS device, but the malware code does attempt the installation.

Pirated iOS Apps

The pirated iOS apps that the malware attempts to install are cracked versions of legitimate iOS apps. Their code signatures and DRM protection were removed before the IPA files were appended to EXE files or packed into OS X applications.

For example, in Figure 5, we can see the pirated WhatsApp has cryptid value 0, which means DRM encryption by Apple was removed by the attacker, something that can be easily achieved through many publicly available automatic hacker tools.

Figure 5: Pirated iOS apps haven’t DRM protection

The iOS Malware

The iOS malware these samples attempt to install into iOS devices contains both sfbase.dylib and sfbase.plist files. In our previous report on WireLurker, we mentioned that sfbase.dylib is a MobileSubstrate tweak that steals the user’s contacts information and other private data and sends it to a C2 server.

Figure 6: The iOS malware contains code for ARM64

The main executable of this malware is named “apps”. It’s a Mach-O universal binary file that contains binary code for three different architectures and CPU types:

  • 32-bit ARMv7
  • 32-bit ARMv7s
  • 64-bit ARM64

As far as we know, this is the first iOS malware that attacks the ARM64 architecture.

The main functionality of this malware is to copy sfbase.dylib and sfbase.plist in its Resources directory to specific locations to make them perform as a MobileSubstrate tweak, shown in Figure 7. Additionally, the malware will communicate with the C2 server “www.comeinbaby.com”, the same server used by the version of WireLurker we revealed yesterday.

Figure 7: The iOS malware copies sfbase.dylib to a specific location

The dropped sfbase.dylib has nearly identical code and functionalities as the sample we detailed in our previous report. However, the earlier version was listed as 4.0.0, 4.0.1 or 4.0.2. This sfbase.dylib is version 2.0.0 as shown by its [mydUtils getCurrentVersion] method.

Another difference in this older version is that it uses the following URL when checking for updated code (Figure 8):

Figure 8: Earlier version of sfbase.dylib check for update from Maiyadi

Note that, this domain name is that of the Maiyadi App Store which spread later versions of WireLurker. Later versions of WireLurker used the domain www[.]comeinbaby.com but accessed the exact same GET request path.

Similarly, when uploading the user’s contacts information and other private data, this version of sfbase.dylib uses this URL:

Clues link Attacker to Maiyadi

Based on our analysis of this earlier version of sfbase.dylib, we suspect that Maiyadi has a close relationship with the creator of WireLurker. Beyond the link to the command and control server we’ve found additional clues.

First, all OS X samples in this variant have a bundle identifier named “com.maiyadi.installer”, as well as a copyright information that contains  a reference to Maiyadi (Figure 9).

Figure 9: Copyright information in the OS X malware

Second, in the malicious iOS app, we found a certificate that belongs to “li fei” which was issued by Apple on March 6th, 2014 (Figure 10).

Additionally, the name “li fei” exists in all Windows malware samples and sfbase.dylib in the following strings:

  • E:\lifei\libimobiledevice-win32-master_last\Release\appinstaller.pdb
  • /Users/lifei/Library/Developer/Xcode/DerivedData/SDMMobileDevice-dbskckexyqfxypdzrwfwereecnot/Build/Products/Debug-iphoneos/sfbase.app/sfbase

These two strings are automatically generated by Visual Studio on Windows and Xcode on OS X for debugging when the developer built appinstaller and sfbase.dylib.

Figure 10: Attacker’s certificate in the iOS malware

Solutions

Palo Alto Networks has updated our signatures for Antivirus, WildFire, IPS, and URL Filtering products to protect our customers by blocking associated malicious URLs and traffic patterns of all known versions of WireLurker.

We have also open sourced a project on Github to help everyone in detecting WireLurker on their desktop computers. That project is available here:

https://github.com/PaloAltoNetworks-BD/WireLurkerDetector

We’ve already updated our OS X script to cover this newly discovered variant and we’re planning to release another tool to help Windows users scan their computers for WireLurker.

Updates on the Threat from WireLurker

After we published the WireLurker report and related detection tool, some OS X users in China discovered that their Mac computers were infected by WireLurker and posted screenshots on Weibo (Chinese social network similar to Twitter), shown in Figure 11. One of the users contacted us and provided all detected samples on his Mac, which we identified as the newest known version of WireLurker (version C).

Figure 11: A Chinese victim reporting their Mac was infected by the WireLurker

As we were writing this blog, Apple also announced that they’ve “blocked the identified apps to prevent them from launching” and we noted that the command and control domain, www[.]comeinbaby.com no longer resolves to the command and control server IP.

Nick Arnott mentioned to us on Twitter that in iOS 8, the system no longer shows distribution profiles in the settings menu; users may need to use Xcode or the iPhone Configuration Utility to check or remove these abused enterprise distribution profiles.

Acknowledgements

Jaime Blasco from AlienVault first found a Windows variant of WireLurker and sent to us. Thank you Jaime!

We would like to thank Laura Hartmann, Zhi Xu, Wei Xu, Yanxin Zhang and Suli Xu at Palo Alto Networks for quickly processing this new variant and updating our products. It’s their work that ensures our products defend our customers from the latest threats.

We would also like to thank all people who have shared comments on the report and detection code or shared more information with us through Twitter, Github and email.

[Palo Alto Networks Blog]

Cloud Governance Means Discovery, Control, and Safe Enablement

There are many ways to look at cloud computing and what it means for your business. I personally like the definitions from cloud tutorial, which offers two classifications:

  1. Based on where the cloud infrastructure is located: Private, public or hybrid
  2. Based on the services that the cloud delivers, whether Infrastructure as a service (IaaS), Platform as a service (PaaS) and/or Software as a service (SaaS). Examples includeAmazon web services, or Rackspace (for IaaS), Google Application Engine, Force.com, or Microsoft Azure (for PaaS), Salesforce.com, Google Docs, (for SaaS). Online services like Facebook, Dropbox, Box.net and others that are used both by consumers for personal purposes but also by many B2C and even B2B companies to interact with their customers fall under this classification as well.

Technologists and network security administrators tend to focus on the first cloud classification because it’s based on how the cloud is being deployed, managed and what needs to be done to make it work and secure it. Business-oriented folks focus on the second classification because it provides a more explicit description of the service provided and its related benefits. End users and employees often refer to cloud computing as services or applications because of how they experience the cloud: as a service or an application on their computer or mobile device.

The mushrooming popularity of cloud services makes it impossible to continue to rely on a security approach focused primarily on the perimeter of your enterprise. Employees can too easily move data and content from protected areas on your own network to cloud services that you have no direct control over. And it’s too easy for the leakage of information to get out of control: your team starts using an online file repository tool to share large video or creative files with partners ahead of a major event. Maybe that sharing next turns into more strategic files – plans, roadmaps and other sensitive documents – posted on these external collaboration services because the service is so convenient to use.

Cyber criminals can also attack these 3rd party services to steal credentials from your employees and in turn use these credentials to infiltrate your network. Targeting enterprise business partners has been a more common first step of many of the breaches that have made the headlines in the past 12 months.

For a full view of the infographic, visit: http://www.skyhighnetworks.com/resources/cloud-adoption-risk-q2-2014/.

Doing your security due diligence on cloud services requires you to understand these cloud services better and why your company and your employees turn to them. As a starting point, read the top 50 list published by one of our technology partners, Skyhigh Networks. Then, consider the following steps to get a handle on the use of cloud services in your organization:

  • Identify cloud services in use in your organization, and the employees or departments that use them: Get our Palo Alto Networks enterprise security platform deployed in tap mode on your internet gateway and you’ll start to get visibility into many of these cloud services (note that this is a non-disruptive process and you can start to get valuable information in as little as 24 hours). Our App-ID technology can help you discover traffic for hundreds of file sharing and file storage cloud-based applications. This includes Dropbox, Box.net, and Evernote amongst others. You can visit our Applipedia database to see the full list of applications covered. In addition, turn on the url filtering function in our platform to enable the discovery of services that are 100% web based.
  • Understand the business need behind the use of the newly discovered cloud services:Whether these services are vetted on not by your IT department, you should proactively approach users and work with departments’ heads and IT to understand what’s the business need behind the use of any cloud service. Then you can decide whether the use of any specific service is legitimate and needs to be secured, whether the use needs to be restricted to specific departments, or finally whether the service represents too much risk to the business and you need to implement security policies to explicitly block it.
  • Diligently manage the lifecycle of these cloud services: One of the most overlooked aspects of cloud services is what happens (or rather what does not happen) when an employee leaves the company. You need to apply to cloud services all the off-boarding procedures that are standard to other enterprise applications to ensure that access is turned off once the employee has left. This is actually a great driver to pursue the discovery of who uses which cloud services. In addition, cloud services used for business purposes should never be attached to an employee personal email, but unfortunately that is often the case.
  • Revisit and update your security policies for the use of cloud services: Because there will be new, enticing cloud services launched every month, you need to continuously monitor activity on your network for the emergence of new cloud services adopted by your workforce. Keep repeating the above process on a quarterly basis at a minimum and proactively maintain a regular dialog with employees and users of these services. You might actually discover a few great applications in the process that should be used by everybody!

[Palo Alto Networks Blog]

WireLurker: A New Era in OS X and iOS Malware

Today we published a new research paper on WireLurker, a family of malware targeting both Mac OS and iOS systems for the past six months. We believe that this malware family heralds a new era in malware attacking Apple’s desktop and mobile platforms based on the following characteristics:

  • Of known malware families distributed through trojanized / repackaged OS X applications, it is the biggest in scale we have ever seen
  • It is only the second known malware family that attacks iOS devices through OS X via USB
  • It is the first malware to automate generation of malicious iOS applications, through binary file replacement
  • It is the first known malware that can infect installed iOS applications similar to a traditional virus
  • It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning

WireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users.

How It Works

WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it “wire lurker”. Researchers have demonstrated similar methods to attack non-jailbroken devices before; however, this malware combines a number of techniques to successfully realize a new brand of threat to all iOS devices.

WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing. In this whitepaper, we explain how WireLurker is delivered, the details of its malware progression, and specifics on its operation.

We further describe WireLurker’s potential impact, as well as methods to prevent, detect, contain and remediate the threat. We also detail Palo Alto Networks Enterprise Security Platform protections in place to counter associated risk.

WireLurker is capable of stealing a variety of information from the mobile devices it infects and regularly requests updates from the attackers command and control server. This malware is under active development and its creator’s ultimate goal is not yet clear.

We recommend users take the following actions to mitigate the threat from WireLurker and similar threats:

  • Enterprises should assure their mobile device traffic is routed through a threat prevention system using a mobile security application like GlobalProtect
  • Employ an antivirus or security protection product for the Mac OS X system and keep its signatures up-to-date
  • In the OS X System Preferences panel under “Security & Privacy,” ensure “Allow apps downloaded from Mac App Store (or Mac App Store and identified developers)” is set
  • Do not download and run Mac applications or games from any third-party app store, download site or other untrusted source
  • Keep the iOS version on your device up-to-date
  • Do not accept any unknown enterprise provisioning profile unless an authorized, trusted party (e.g. your IT corporate help desk) explicitly instructs you to do so
  • Do not pair your iOS device with untrusted or unknown computers or devices
  • Avoid powering your iOS device through chargers from untrusted or unknown sources
  • Similarly, avoid connecting iOS devices with untrusted or unknown accessories or computers (Mac or PC)
  • Do not jailbreak your iOS device; If you do jailbreak it, only use credible Cydia community sources and avoid the use or storage of sensitive personal information on that device

Download “WireLurker: A New Era in OS X and iOS Malware” here.

Visit Unit 42 for new research and a full list of speaking appearances, as well to subscribe to updates.

Unit 42 On the Road

Unit 42 team leads regularly appear at industry conferences throughout the world. In November, Unit 42’s regular roadshow will make three stops in Canada. Click each link to register, and watch for more Unit 42 roadshows coming to cities near you.

[Palo Alto Networks Blog]

Web Security Tips: How PAN-DB Plays an Important Role in the Cyber “Kill Chain”

Organizations are facing persistent, elusive and sophisticated cyber-attacks more than ever. Sometimes these attacks might seem unavoidable, leading you to believe that your network and data cannot be protected. But if you think about how cybercriminals need to successfully infiltrate your network, remember the various steps in the cyber kill chain required to do so, including “breach premier,” “deliver malware,” “endpoint operation” and “exfiltrate data.”

The good news is that blocking just one step in this cyber-attack chain, you can protect your network and data from attack.

The above model shows how we think about the cyber kill chain at Palo Alto Networks. PAN-DB plays a critical role in three of the four stages, highlighted in red. As we discussed in the recent blog post, “Web security tips: How PAN-DB works,” PAN-DB has a rich database of malicious URLs that can be used to block malware downloads, and to disable Command and Control (C&C) communications. This database will help you to block attacks throughout the cyber kill chain.

Here are a few examples

Breach perimeter

Advanced attacks commonly try to breach the perimeter. PAN-DB gives you protection against breach perimeter by blocking risky websites such as hacking, phishing, malware, drive-by-download and exploit sites.

Deliver malware

Once the perimeter is breached, attackers try to make you download malware on to your network. PAN-DB helps you to block downloads from malware sites. In addition, by blocking file downloads from unknown URL category (as we discussed in another recent blog, “Web security tips: Using URL categories in your security policy”), you can reduce the risk of downloading malware significantly.

Exfiltrate data

Malware can enter your network by evading your gateway security, such as through an employee’s own laptop or USB drive. Malware in your network communicates with the attackers and exfiltrates data. But PAN-DB helps you to disable such C&C communications by utilizing C&C URL and IP database as provided in WildFire.

URL filtering should do more than prevent unwanted web browsing

Traditional URL filtering was born to block non-business web access for productivity and compliance purposes. Although those purposes still hold true for URL filtering, the solution is incomplete unless it can also filter harmful websites to protect your network and data from cyber-attacks.

PAN-DB will add more protection to your Palo Alto Networks Enterprise Security Platform. We hope you utilize the power of PAN-DB to protect your network from advanced attacks.

To learn more about web security, please visit our resource page, “Control Web Activity with URL Filtering.

[Palo Alto Networks Blog]

Bringing a Semblance of Order to Policy Chaos

Ask firewall administrators about their day-to-day challenges and sooner or later they will come around to one that I am calling policy chaos. The term chaos aptly defines both the daily fire drills associated with physical firewall appliances as well as the rapid rate of change typical of moving into a cloud or virtualized environment. Maybe the marketing team needs a new application and the deadline is tomorrow, or an employee needs access to a restricted database for research. The necessary management approvals on the business side might go quickly, but in most companies, the firewall policy changes require more steps– review, approve, request change control, implement, push live.

As companies move toward virtualization and cloud computing, this chaos will only increase. The beauty of virtualization is that it lets organizations efficiently use of a pool of compute resources to create virtual machines and associated applications that are spun up and taken down in minutes to meet changes in demand. But that rate of change in a virtualized or cloud computing environment is far faster than the traditional process for deploying security policies allows. Enter more policy chaos.

One of the many ways to address a chaotic environment is through automation, a technique that has proven effective across a wide range of industries in bringing order to policy chaos. At Palo Alto Networks, we can bring some semblance of order to your policy chaos using Dynamic Address Groups, VM-Monitoring and the XML API – all standard features in PAN-OS.

Here’s how these features work. Your computing resource pool may include a combination of both physical and virtual servers. These servers all have an IP address, but they also have other attributes or characteristics such as the OS, the application, and perhaps location. The policy automation with begins with VM-Monitoring collecting the compute resource attributes from resource management tools such as vCenter, ESXi and AWS-VPC or the XML-API. PAN-OS then converts those attributes into tags, which you can use to define a Dynamic Address Group.

Based on the tags you use in the group definition, the associated compute resource IP addresses are collected and used as part of the security policy. As new VMs or physical servers that fulfill your group definition are added or their attributes change, the policy automatically updates. The result is your security policy can now keep pace with the rate of change occurring in your virtualization environment.

Another piece that excites firewall administrators is automated policy removal. As servers or VMs are taken out of service, the address group is updated automatically, as is the policy. The end result is your policy chaos is reduced and you may say, “We don’t know what that rule is, but we left it because it might have broken something,” far less frequently.

Check out a short video below to see these features in action.

[Palo Alto Networks Blog]

English
Exit mobile version