Dr. Philip Cao (aka #DrPC), EDBA, MSCS, ZTX-I, CCISO, CISM, CMSC, CCSP, CCSK, CASP, GICSP, PCSPI is a Strategist, Advisor, Educator, Contributor and Motivator. He’s also a Cyber | Zero Trust Strategist & Evangelist and Chief Trust Officer. He has 24 years’ experience in the IT/Cybersecurity industry in various sectors & positions.
We recently published a new research paper on WireLurker, a family of malware targeting both Mac OS and iOS systems for the past six months.
Shortly after we released the above research paper, Jaime Blasco from AlienVault Labs notified us about a Windows executable file that contains WireLurker’s command and control server address. After analyzing and investigating the sample, we confirmed that it is an older version of WireLurker. Read the follow-on post here.
If you love great cybersecurity books we hope you will get involved in the Cybersecurity Canon by writing a review of your favorite and submitting it for consideration. Rick Howard explains how.
Ask firewall administrators about their day-to-day challenges and sooner or later they will come around to a challenge that Matt Keil describes as policy chaos. Here, he explores bringing a semblance of order to this policy chaos.
There are many ways to look at cloud computing and what it means for your business. Overall, cloud governance means discovery, control and safe enablement. In this post from Isabelle Dumont, learn tips on doing your security due diligence on cloud services.
We’re on the road with VMware and VMUG in the U.S. and Canada to discuss how you can strengthen your data center security without compromising application performance. Find an event near you to learn best practices for implementing advanced security services in an SDDC, to hear customer insights for deploying VMware NSX with micro-segmentation, and to get hands-on experience test-driving an integrated VMware-Palo Alto Networks solution.
We’re also on the road across North and South America with Citrix and CA for the next few weeks to talk about how enterprises can streamline virtualized data centers, radically simplify network services for delivering critical applications, and reduce complexity and cost, all without sacrificing performance and security. Join us at an event near you.
Here are upcoming events around the world that you should know about:
The Asprox/Kuluoz malware family has a special place in our hearts at Palo Alto Networks. This botnet-related Trojan malware has evolved from its 2007 roots into a simple yet robust mass e-mail phishing threat that is the origin of a significant percentage of Internet spam today. This post further explores trends for this malware family, based on October 2014 data from our WildFire platform.
Some Background
The modern Kuluoz is known for the following:
High distribution volume through geolocation-associated spam e-mail templates
Use of e-mail attachments and Web links that masquerade as document or media files
Distinct, default botnet node roles of spam generator for continued botnet propagation, downloader of additional malware and distributor of generalized commercial spam
Platform-specific malware delivery based on user agent detection
Figure 1 depicts October 2014 WildFire sessions (individual occurrences) that were flagged as Kuluoz, broken out by day.
Figure 1: WildFire-detected Kuluoz sessions, by day, for October 2014
An interesting pattern emerges for significant session count valleys spaced roughly seven days apart, which are followed by major peaks two to five days out. These valleys correspond with weekends, while the peaks occur mid-week. This makes sense in the context of the standard business workweek and the broad swath of enterprises included in Kuluoz targeting.
Figure 2 displays WildFire unique Kuluoz sample counts (based on SHA256 hash) for the same period.
Figure 2: Unique WildFire-detected Kuluoz samples, by day, for October 2014
This second figure matches the general valleys and peaks trend for total sessions detected by WildFire. Note that this figure does not represent new/never-seen-before sample detections, but instead represents all unique Kuluoz samples detected for a given day. Kuluoz employs low-effort but effective methods of altering binaries enough to evade detection by hash alone, which significantly increases unique sample counts when comparing standard binary hashes. Accordingly, the above figure demonstrates the cumulative effect and possible escalation in unique Kuluoz sample generation, a trend previously noted by FireEye in June.
Closer inspection of WildFire session delivery/receipt for Kuluoz reveals the expected leader: e-mail/webmail (Figure 3).
Figure 3: WildFire-detected Kuluoz delivery/receipt for October 2014
Most of the remaining sessions were delivered via the Web, which includes cloud and file sharing services. A relatively small number of Kuluoz sessions leveraged File Transfer Protocol (FTP). Finally, WildFire also received a number of Kuluoz samples through user submission.
Over 98% of WildFire-detected Kuluoz filenames for October 2014 employed one of the following six themes, ordered by prevalence:
Notice to Appear in Court
Delta Airline Ticketing
Purchase Order / Invoice / Shipping
Voicemail Message
Starbucks eGift
Pizza Hut Coupon
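As an added example (not code from the post), the following Python reproduces the triage described above over constructed sandbox-verdict records: sessions and unique hashes per day with the weekday, delivery channels, lure-theme prevalence, and a check for attachments that pose as documents or media. The record fields are an assumed format, not WildFire’s export format.

```python
"""Kuluoz-style triage over sandbox verdict records: sessions and unique samples
per day, delivery-channel breakdown, lure-theme classification and an
attachment-masquerade check. Added example; the record fields are an assumed
format (not WildFire's export) and every record below is constructed."""
from collections import Counter, defaultdict
from datetime import date

# Keywords for the six lure themes the post ranks by prevalence.
THEMES = [
    ("Notice to Appear in Court", ("court", "notice_to_appear", "subpoena")),
    ("Delta Airline Ticketing", ("delta", "ticket", "itinerary")),
    ("Purchase Order / Invoice / Shipping", ("order", "invoice", "shipping", "tracking")),
    ("Voicemail Message", ("voicemail", "voice_message")),
    ("Starbucks eGift", ("starbucks", "egift")),
    ("Pizza Hut Coupon", ("pizza", "coupon")),
]
EXECUTABLE = (".exe", ".scr", ".com", ".pif", ".bat")
DOCUMENT_OR_MEDIA = (".pdf", ".doc", ".docx", ".xls", ".wav", ".mp3", ".jpg")

# Constructed records; the sha256 values are placeholders, not real indicators.
SAMPLE_RECORDS = [
    {"date": "2014-10-06", "sha256": "h01", "channel": "smtp", "filename": "Notice_to_Appear_00784.zip", "inner": "Notice_to_Appear_00784.exe"},
    {"date": "2014-10-06", "sha256": "h02", "channel": "smtp", "filename": "Delta_Ticket_1234.pdf.exe"},
    {"date": "2014-10-06", "sha256": "h01", "channel": "imap", "filename": "Notice_to_Appear_00784.zip", "inner": "Notice_to_Appear_00784.exe"},
    {"date": "2014-10-08", "sha256": "h03", "channel": "web-browsing", "filename": "Invoice_Oct.pdf.exe"},
    {"date": "2014-10-08", "sha256": "h04", "channel": "smtp", "filename": "VoiceMail_msg.wav.exe"},
    {"date": "2014-10-11", "sha256": "h05", "channel": "ftp", "filename": "Starbucks_eGift.zip", "inner": "Starbucks_eGift.exe"},
    {"date": "2014-10-11", "sha256": "h06", "channel": "smtp", "filename": "quarterly_report.docx"},
]

def lure_theme(filename):
    """Map a filename to one of the six lure themes, or None if none matches."""
    low = filename.lower().replace(" ", "_").replace("-", "_")
    for theme, words in THEMES:
        if any(w in low for w in words):
            return theme
    return None

def attachment_flag(filename, inner=None):
    """Why an attachment looks like an executable posing as a document or media
    file: a double extension (Invoice.pdf.exe) or a ZIP whose member is an
    executable (the unzip-then-run chain). Returns None when nothing is found."""
    low = filename.lower()
    if low.endswith(EXECUTABLE):
        if low.rsplit(".", 1)[0].endswith(DOCUMENT_OR_MEDIA):
            return "double extension"
        return "bare executable"
    if low.endswith(".zip") and inner and inner.lower().endswith(EXECUTABLE):
        return "executable inside archive"
    return None

def summarize(records):
    """Per-day sessions and unique hashes (the Figure 1 and Figure 2 views),
    delivery channels (Figure 3) and lure-theme prevalence."""
    by_day = defaultdict(lambda: {"sessions": 0, "hashes": set()})
    channels, themes = Counter(), Counter()
    for r in records:
        d = by_day[r["date"]]
        d["sessions"] += 1
        d["hashes"].add(r["sha256"])  # same hash seen twice = one unique sample
        channels[r["channel"]] += 1
        themes[lure_theme(r["filename"]) or "other"] += 1
    days = {}
    for day, d in sorted(by_day.items()):
        days[day] = {"weekday": date.fromisoformat(day).strftime("%a"),
                     "sessions": d["sessions"], "unique": len(d["hashes"])}
    return {"days": days, "channels": channels, "themes": themes}

if __name__ == "__main__":
    s = summarize(SAMPLE_RECORDS)
    for day, v in s["days"].items():
        print(day, v["weekday"], "sessions", v["sessions"], "unique", v["unique"])
    print("channels", dict(s["channels"]))
    print("themes", s["themes"].most_common())
    for r in SAMPLE_RECORDS:
        print(r["filename"], "->", attachment_flag(r["filename"], r.get("inner")))
```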
Conclusion
Kuluoz continues to thrive, employing various social engineering pressure tactics to successfully propagate and serve as a bridge for other malware families.
Thorough mitigation of this threat includes several layers:
User awareness: Awareness and training for users is a good idea to reduce the impact of any type of e-mail phishing. A number of Kuluoz variants require extra steps to be performed by a user (e.g., unzipping of a ZIP archive and then running a malicious binary). Encourage users to be wary of unexpected/unsolicited e-mails, especially those that employ any sort of pressure tactic and/or leverage the themes cited above.
Protocol monitoring and control: Visibility into the protocols used by Kuluoz for delivery and Command and Control (HTTP, SMTP, IMAP, FTP) with structured and clearly defined response actions (most of which can and should be automated) prevent or reduce associated impacts. Palo Alto Networks Next Generation Firewall solutions offer this level of granular application monitoring and control.
Automated analysis: Automation of static and dynamic analysis for unknown samples addresses the natural gap between the development of a variant for a threat and its coverage through signature-based technology. Anti-virus and other security control related signatures fall short. Solutions such as Palo Alto Networks WildFire platform allow for enterprises to identify new and emerging threats that remain unknown to other security controls in the environment.
Intelligence fusion: Leveraging actionable intelligence is a cornerstone of Computer Network Defense (CND) operations. Threats such as Kuluoz rely heavily on embedded initial Command and Control (C2) communications to fully realize the potential of its role(s) within the botnet. Up-to-date feeds on malicious domains, IPs, file signatures and hashes, as well as integration of intelligence gleaned from automated solutions in the environment, enable robust security solutions that empower network defenders.
Yesterday we published a whitepaper introducing WireLurker, the first malware attacking both non-jailbroken and jailbroken iOS devices from a Mac OS X system. Shortly after we released the paper, Jaime Blasco from AlienVault Labs notified us that he’d found a Windows executable file that contains WireLurker’s command and control server address. We analyzed and investigated the sample and have confirmed that it is an older version of WireLurker.
This variant is being distributed by a different Chinese source that is hosting 180 Windows executables and 67 Mac OS X applications, each of which contains a version of the WireLurker Trojan. The Windows variant opens a new vector for iOS users to be infected with WireLurker, but appears to have been less successful than its Mac OS X descendant.
Samples of this older variant display a user interface and are advertised as an installer for specific pirated iOS apps. Between March 13 and today these programs have been downloaded 65,213 times, with 97.7% of the downloads being the Windows version. Like the latest WireLurker, this variant tries to infect jail-broken iOS devices with the WireLurker iOS malware.
This version of the malware also installs the sfbase.dylib tweak to the iOS file system, which is an earlier version of the malicious iOS binary file mentioned in our earlier report. These samples also indicate that the creator of WireLurker may have a direct relationship with the Maiyadi App Store.
Palo Alto Networks has released protections for all versions of WireLurker in our Antivirus, WildFire, IPS, and URL Filtering products. We’ve updated our detection code on GitHub to detect the older Mac OS versions of the malware and plan to release a tool to detect the Windows variant.
Early Versions of WireLurker for Windows and OS X
A Different Source
Previously we knew that WireLurker was distributed through the Maiyadi App Store. However, the newly revealed samples were directly uploaded to Baidu YunPan (a public cloud storage service of Baidu) by user “ekangwen206” (Figure 1). When we investigated this source we found the user had uploaded 247 samples in total, of which 180 are Windows software and the other 67 are OS X applications. All OS X samples were uploaded on March 12 and all Windows samples on March 13, over a month before the Maiyadi App Store infections.
We downloaded and confirmed that all of these files belong to a new variant of WireLurker and should be classified as Trojan malware.
Figure 1: Samples of WireLurker list in the Baidu cloud storage system
These samples are listed as “green” (i.e., good or clean) IPA installers for specific pirated iOS apps. Some of the named iOS apps are extremely popular, while others are pre-installed iOS system apps, including the following:
Facebook
WhatsApp Messenger
Twitter
Instagram
Minecraft
Flappy Bird
Bible
GarageBand
Calculator
Keynote
iPhoto
Find My iPhone
iMovie
iBooks
Baidu YunPan provides statistics of views and downloads for every single file. Through this feature, we found that in the past eight months, the 247 samples were downloaded a total of 65,213 times. Also according to their statistics, 97.7% of the downloads were Windows samples, which is consistent with the market share of Windows in China.
File Information and Structures
Based on the file information in the PE structure, all of the Windows samples were created on March 13 on a Windows XP computer. Each Windows sample contains a malicious PE executable file, six normal DLL files and a manual TXT file.
Each PE executable file has two extra IPA files (an IPA is an iOS app’s installation bundle file) appended to it, as shown in Figure 2. The first IPA file, named “apps.ipa”, is a malicious iOS application; the second, named “third.ipa”, is the pirated iOS app advertised by the sample. Both IPA files are dropped into the “C:\Documents and Settings\<USER>\Local Settings\Temp\” directory after the installer is executed.
Figure 2: Two IPA files were appended to the PE executable file
OS X samples of this variant have a fixed bundle executable name “appinstaller”. The IPA files are packed in the Resources directory in the OS X applications: one is named “infoplistab” for “apps.ipa”; the other is “third.ipa”.
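As an added example (not the detection tool Palo Alto Networks refers to), the following Python checks a Windows installer for the layout just described: it computes where the PE image ends, treats everything after it as overlay, and lists the ZIP archives and iOS app bundles found there. The minimal PE and the IPA member contents are constructed placeholders.

```python
"""Check a Windows installer for the layout described above: a PE executable with
whole IPA archives (ZIP files) appended after its last section. Added example,
not Palo Alto Networks' detection tool; standard library only."""
import io
import struct
import zipfile
from datetime import datetime, timezone

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_END_OF_CENTRAL_DIR = b"PK\x05\x06"

def pe_overlay_offset(data):
    """Return (overlay_offset, link_timestamp). The overlay is everything after
    the highest PointerToRawData + SizeOfRawData of any section."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections, timestamp = struct.unpack_from("<HI", data, e_lfanew + 6)
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    section_table = e_lfanew + 24 + size_of_optional
    end = section_table + 40 * num_sections
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, section_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end, timestamp

def zip_entry_names(blob):
    """Walk ZIP local file headers in the overlay and collect member names,
    skipping each member's data so PK bytes inside it are not re-parsed."""
    names, pos = [], 0
    while True:
        pos = blob.find(ZIP_LOCAL_HEADER, pos)
        if pos < 0 or pos + 30 > len(blob):
            return names
        comp_size, _, name_len, extra_len = struct.unpack_from("<IIHH", blob, pos + 18)
        names.append(blob[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos += 30 + name_len + extra_len + comp_size

def triage_installer(data):
    """Summarize the overlay: number of ZIP archives, the .app bundles they carry
    (IPA layout is Payload/<Name>.app/...), and the PE link date."""
    overlay_off, ts = pe_overlay_offset(data)
    overlay = data[overlay_off:]
    bundles = set()
    for name in zip_entry_names(overlay):
        parts = name.split("/")
        if len(parts) >= 3 and parts[0] == "Payload" and parts[1].endswith(".app"):
            bundles.add(parts[1])
    archives = overlay.count(ZIP_END_OF_CENTRAL_DIR)  # one per complete ZIP
    return {
        "link_date": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d"),
        "overlay_bytes": len(overlay),
        "archives": archives,
        "bundles": sorted(bundles),
        "suspicious": archives > 0 and bool(bundles),
    }

def build_sample(with_overlay=True):
    """Constructed sample: a minimal PE (only the header fields the parser reads
    are populated; it is not loadable) with two IPAs appended in the
    apps.ipa / third.ipa layout. Member contents are placeholders."""
    def ipa(members):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
            for name, content in members:
                z.writestr(name, content)
        return buf.getvalue()
    ts = int(datetime(2014, 3, 13, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0x102)
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    image = (dos + coff + section).ljust(0x200, b"\0") + b"\xC3".ljust(0x200, b"\0")
    if not with_overlay:
        return image
    apps_ipa = ipa([("Payload/apps.app/apps", b"placeholder main executable"),
                    ("Payload/apps.app/Resources/sfbase.dylib", b"placeholder tweak"),
                    ("Payload/apps.app/Resources/sfbase.plist", b"placeholder plist")])
    third_ipa = ipa([("Payload/WhatsApp.app/WhatsApp", b"placeholder pirated app")])
    return image + apps_ipa + third_ipa

if __name__ == "__main__":
    print(triage_installer(build_sample()))
    print(triage_installer(build_sample(with_overlay=False)))
```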
User Interaction
After users download the samples and run them on Windows or OS X, a GUI appears, as shown in Figure 3 and Figure 4. If iTunes isn’t installed on the Windows system, the malware directs users to an official Apple China site to download and install it.
Figure 3: GUI of a Windows sample
Figure 4: GUI of an OS X sample
If iTunes is installed, the user interface shows a message saying it is waiting for an iOS device to be connected. After the user connects their device to the computer, the device’s name appears in the GUI and a “click to install” button becomes available.
Installing the iOS Application and iOS Malware
If the user runs the sample and clicks the installation button, the pirated iOS application shown in the interface will be installed on the device, but only if the device is jailbroken. At the same time, the program secretly installs the apps.ipa file.
During our analysis, we connected an iPhone 5s running iOS 7.1 (jailbroken) and a third-generation iPad running iOS 6 (jailbroken) to infected Windows 7 and Windows XP systems. When using the iPhone 5s/iOS 7.1, the installer crashed after clicking the button; with the iPad, the interface showed “installation is successful”, but we did not find any new icon on the iPad display. We believe this failure was caused by poor coding quality and incompatibility between the malware and the iOS device, but the malware code does attempt the installation.
Pirated iOS Apps
The pirated iOS apps that the malware attempts to install are cracked versions of legitimate iOS apps. Their code signatures and DRM protection were removed before the IPA files were appended to EXE files or packed into OS X applications.
For example, in Figure 5, we can see that the pirated WhatsApp has a cryptid value of 0, which means Apple’s DRM encryption was removed by the attacker, something that can be easily achieved with many publicly available automated hacker tools.
Figure 5: Pirated iOS apps lack DRM protection
The iOS Malware
The iOS malware these samples attempt to install into iOS devices contains both sfbase.dylib and sfbase.plist files. In our previous report on WireLurker, we mentioned that sfbase.dylib is a MobileSubstrate tweak that steals the user’s contacts information and other private data and sends it to a C2 server.
Figure 6: The iOS malware contains code for ARM64
The main executable of this malware is named “apps”. It’s a Mach-O universal binary file that contains binary code for three different architectures and CPU types:
32-bit ARMv7
32-bit ARMv7s
64-bit ARM64
As far as we know, this is the first iOS malware that attacks the ARM64 architecture.
The main functionality of this malware is to copy sfbase.dylib and sfbase.plist in its Resources directory to specific locations to make them perform as a MobileSubstrate tweak, shown in Figure 7. Additionally, the malware will communicate with the C2 server “www.comeinbaby.com”, the same server used by the version of WireLurker we revealed yesterday.
Figure 7: The iOS malware copies sfbase.dylib to a specific location
The dropped sfbase.dylib has nearly identical code and functionality to the sample we detailed in our previous report. However, the sample in that report was listed as version 4.0.0, 4.0.1 or 4.0.2, whereas this sfbase.dylib reports version 2.0.0 via its [mydUtils getCurrentVersion] method.
Another difference in this older version is that it uses the following URL when checking for updated code (Figure 8):
Figure 8: Earlier version of sfbase.dylib checks for updates from Maiyadi
Note that this domain name is that of the Maiyadi App Store, which spread later versions of WireLurker. Later versions of WireLurker used the domain www[.]comeinbaby.com but accessed the exact same GET request path.
Similarly, when uploading the user’s contacts information and other private data, this version of sfbase.dylib uses this URL:
Based on our analysis of this earlier version of sfbase.dylib, we suspect that Maiyadi has a close relationship with the creator of WireLurker. Beyond the link to the command and control server we’ve found additional clues.
First, all OS X samples in this variant have the bundle identifier “com.maiyadi.installer”, as well as copyright information that contains a reference to Maiyadi (Figure 9).
Figure 9: Copyright information in the OS X malware
Second, in the malicious iOS app, we found a certificate that belongs to “li fei” which was issued by Apple on March 6th, 2014 (Figure 10).
Additionally, the name “li fei” exists in all Windows malware samples and sfbase.dylib in the following strings:
These two strings are automatically generated by Visual Studio on Windows and Xcode on OS X for debugging when the developer built appinstaller and sfbase.dylib.
Figure 10: Attacker’s certificate in the iOS malware
Solutions
Palo Alto Networks has updated our signatures for Antivirus, WildFire, IPS, and URL Filtering products to protect our customers by blocking associated malicious URLs and traffic patterns of all known versions of WireLurker.
We have also open-sourced a project on GitHub to help everyone detect WireLurker on their desktop computers. That project is available here:
We’ve already updated our OS X script to cover this newly discovered variant and we’re planning to release another tool to help Windows users scan their computers for WireLurker.
Updates on the Threat from WireLurker
After we published the WireLurker report and related detection tool, some OS X users in China discovered that their Mac computers were infected by WireLurker and posted screenshots on Weibo (Chinese social network similar to Twitter), shown in Figure 11. One of the users contacted us and provided all detected samples on his Mac, which we identified as the newest known version of WireLurker (version C).
Figure 11: A Chinese victim reporting that their Mac was infected by WireLurker
As we were writing this blog, Apple also announced that they’ve “blocked the identified apps to prevent them from launching” and we noted that the command and control domain, www[.]comeinbaby.com no longer resolves to the command and control server IP.
Nick Arnott mentioned to us on Twitter that in iOS 8, the system no longer shows distribution profiles in the settings menu; users may need to use Xcode or the iPhone Configuration Utility to check or remove these abused enterprise distribution profiles.
Acknowledgements
Jaime Blasco from AlienVault first found a Windows variant of WireLurker and sent it to us. Thank you Jaime!
We would like to thank Laura Hartmann, Zhi Xu, Wei Xu, Yanxin Zhang and Suli Xu at Palo Alto Networks for quickly processing this new variant and updating our products. It’s their work that ensures our products defend our customers from the latest threats.
We would also like to thank all the people who have shared comments on the report and detection code or shared more information with us through Twitter, GitHub and email.
There are many ways to look at cloud computing and what it means for your business. I personally like the definitions from cloud tutorial, which offers two classifications:
Based on where the cloud infrastructure is located: Private, public or hybrid
Based on the services that the cloud delivers: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and/or Software as a Service (SaaS). Examples include Amazon Web Services or Rackspace (for IaaS), Google App Engine, Force.com or Microsoft Azure (for PaaS), and Salesforce.com or Google Docs (for SaaS). Online services like Facebook, Dropbox, Box.net and others that are used by consumers for personal purposes but also by many B2C and even B2B companies to interact with their customers fall under this classification as well.
Technologists and network security administrators tend to focus on the first cloud classification because it’s based on how the cloud is being deployed, managed and what needs to be done to make it work and secure it. Business-oriented folks focus on the second classification because it provides a more explicit description of the service provided and its related benefits. End users and employees often refer to cloud computing as services or applications because of how they experience the cloud: as a service or an application on their computer or mobile device.
The mushrooming popularity of cloud services makes it impossible to continue to rely on a security approach focused primarily on the perimeter of your enterprise. Employees can too easily move data and content from protected areas on your own network to cloud services that you have no direct control over. And it’s too easy for the leakage of information to get out of control: your team starts using an online file repository tool to share large video or creative files with partners ahead of a major event. Maybe that sharing next turns into more strategic files – plans, roadmaps and other sensitive documents – posted on these external collaboration services because the service is so convenient to use.
Cyber criminals can also attack these third-party services to steal credentials from your employees and in turn use those credentials to infiltrate your network. Targeting enterprise business partners has been a common first step in many of the breaches that have made headlines in the past 12 months.
Doing your security due diligence on cloud services requires you to understand these cloud services better and why your company and your employees turn to them. As a starting point, read the top 50 list published by one of our technology partners, Skyhigh Networks. Then, consider the following steps to get a handle on the use of cloud services in your organization:
Identify cloud services in use in your organization, and the employees or departments that use them: Get our Palo Alto Networks enterprise security platform deployed in tap mode on your internet gateway and you’ll start to get visibility into many of these cloud services (note that this is a non-disruptive process and you can start to get valuable information in as little as 24 hours). Our App-ID technology can help you discover traffic for hundreds of file sharing and file storage cloud-based applications, including Dropbox, Box.net and Evernote, amongst others. You can visit our Applipedia database to see the full list of applications covered. In addition, turn on the URL filtering function in our platform to enable the discovery of services that are 100% web based.
Understand the business need behind the use of the newly discovered cloud services: Whether or not these services are vetted by your IT department, you should proactively approach users and work with department heads and IT to understand what the business need behind the use of any cloud service is. Then you can decide whether the use of a specific service is legitimate and needs to be secured, whether its use needs to be restricted to specific departments, or whether the service represents too much risk to the business and you need to implement security policies to explicitly block it.
Diligently manage the lifecycle of these cloud services: One of the most overlooked aspects of cloud services is what happens (or rather what does not happen) when an employee leaves the company. You need to apply to cloud services all the off-boarding procedures that are standard to other enterprise applications to ensure that access is turned off once the employee has left. This is actually a great driver to pursue the discovery of who uses which cloud services. In addition, cloud services used for business purposes should never be attached to an employee personal email, but unfortunately that is often the case.
Revisit and update your security policies for the use of cloud services: Because there will be new, enticing cloud services launched every month, you need to continuously monitor activity on your network for the emergence of new cloud services adopted by your workforce. Keep repeating the above process on a quarterly basis at a minimum and proactively maintain a regular dialog with employees and users of these services. You might actually discover a few great applications in the process that should be used by everybody!
Today we published a new research paper on WireLurker, a family of malware targeting both Mac OS and iOS systems for the past six months. We believe that this malware family heralds a new era in malware attacking Apple’s desktop and mobile platforms based on the following characteristics:
Of known malware families distributed through trojanized / repackaged OS X applications, it is the biggest in scale we have ever seen
It is only the second known malware family that attacks iOS devices through OS X via USB
It is the first malware to automate generation of malicious iOS applications, through binary file replacement
It is the first known malware that can infect installed iOS applications similar to a traditional virus
It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning
WireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users.
How It Works
WireLurker monitors any iOS device connected via USB to an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken. This is the reason we call it “wire lurker”. Researchers have demonstrated similar methods to attack non-jailbroken devices before; however, this malware combines a number of techniques to successfully realize a new brand of threat to all iOS devices.
WireLurker exhibits complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing. In this whitepaper, we explain how WireLurker is delivered, the details of its malware progression, and specifics on its operation.
We further describe WireLurker’s potential impact, as well as methods to prevent, detect, contain and remediate the threat. We also detail Palo Alto Networks Enterprise Security Platform protections in place to counter associated risk.
WireLurker is capable of stealing a variety of information from the mobile devices it infects and regularly requests updates from the attackers’ command and control server. This malware is under active development and its creator’s ultimate goal is not yet clear.
We recommend users take the following actions to mitigate the threat from WireLurker and similar threats:
Enterprises should ensure their mobile device traffic is routed through a threat prevention system using a mobile security application like GlobalProtect
Employ an antivirus or security protection product for the Mac OS X system and keep its signatures up-to-date
In the OS X System Preferences panel under “Security & Privacy,” ensure “Allow apps downloaded from Mac App Store (or Mac App Store and identified developers)” is set
Do not download and run Mac applications or games from any third-party app store, download site or other untrusted source
Keep the iOS version on your device up-to-date
Do not accept any unknown enterprise provisioning profile unless an authorized, trusted party (e.g. your IT corporate help desk) explicitly instructs you to do so
Do not pair your iOS device with untrusted or unknown computers or devices
Avoid powering your iOS device through chargers from untrusted or unknown sources
Similarly, avoid connecting iOS devices with untrusted or unknown accessories or computers (Mac or PC)
Do not jailbreak your iOS device; if you do jailbreak it, only use credible Cydia community sources and avoid using or storing sensitive personal information on that device
Download “WireLurker: A New Era in OS X and iOS Malware” here.
Visit Unit 42 for new research and a full list of speaking appearances, as well as to subscribe to updates.
Unit 42 On the Road
Unit 42 team leads regularly appear at industry conferences throughout the world. In November, Unit 42’s regular roadshow will make three stops in Canada. Click each link to register, and watch for more Unit 42 roadshows coming to cities near you.