Free Republic

The iPhone just lost its perfect security record — now what?
The Verge ^ | 6 Nov 2014 | Russell Brandom

Posted on 11/06/2014 10:14:15 AM PST by for-q-clinton

For most of the iPhone's lifespan, it's been effectively immune to malware. There were theoretical attacks and viruses targeting jailbroken phones, but thanks to the tight controls of the App Store, finding iOS malware in the wild has been nearly impossible. If you didn't jailbreak your phone and you weren’t targeted by the NSA, you simply didn't have to worry about catching a virus.

Yesterday, that changed. A security firm called Palo Alto Networks discovered a malware program they’re calling Wirelurker, which sneaks into computers through unauthorized Chinese apps, then attacks iOS devices when they connect over USB. It’s an obscure line of attack (when’s the last time you actually plugged your iPhone into your computer?), confined to China, and so far the effects have been minimal. The actual payload for non-jailbroken phones was just a test balloon, side-loading a comic book app to prove the attack really worked. Jailbroken phones got a nastier payload, infecting payment apps, but that's to be expected. Last night, Apple blocked the apps, saying "We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources." Less than 24 hours after Palo Alto Networks published its report, Wirelurker appears to be mostly wiped out. Still, that doesn't mean Apple is completely in the clear. The vulnerabilities exploited by Wirelurker will be around for much longer, and could pose a serious threat to Apple's otherwise spotless record. Now that the platform has had its first real virus scare, there's reason to think it won't be the last.

(Excerpt) Read more at theverge.com ...


TOPICS: Business/Economy; Crime/Corruption; News/Current Events; Technical
KEYWORDS: crap; iphone; malware; security
To: Salamander
Well screw you very much.

If I say something happened, bet your ass it happened.

TS if that warps your personal paradigm.

*I* find it literally “incredible” that your machine has run for 7 years.

So there.

Well, Salamander, my apologies. If you say it happened. OK. It just flies in the face of ALL of my very considerable PROFESSIONAL experience with numerous Macs.

And, yes, Salamander, not only has my personal 24" iMac been running 24/7 for seven years, we NEVER turn off the Macs at my office. Never. There are numerous Macs there from MacBook Airs through Mac Minis and iMacs, all the way up to MacPros. . . that one is eight years old and they are only shut down (warm start) for upgrades. They are ALL on high density uninterruptible power supplies, so even the very rare power outages do not shut them off completely. Macs do housekeeping things overnight when left on. Oh wait a second, each of them was shut off several months ago when I upgraded the RAM in them in preparation to upgrading to OS X.9 Mavericks. Each of them, except for the MacBook Airs, was off, for maybe ten minutes.

I have never heard of iMacs in a store all crashing as you reported. Macs simply do not crash. The three I told you about had hard drives that were dying.

I can believe you ran into an a**hole sales person in a privately owned store. . . but not in an Apple Store. How long ago was this? Are you certain it was an iMac and not an older model? What you described sounds like it may have happened back on Mac-OS and not on OS X.

Again, my apologies, but there have been so many untruths being tossed about on this thread, I thought your story was just one more.

201 posted on 11/06/2014 9:06:16 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 180 | View Replies]

To: smokingfrog
iOS 8.1.1 beta was just released for testing the other day. Maybe that will fix it.

I did have some Safari issues with iOS 8. . . especially in FreeRepublic. Those are not yet resolved to my satisfaction. Most went away with iOS 8.1. Occasionally, backspacing while I am editing a reply or a post causes Safari to freeze completely. . . and that happens only in FreeRepublic's editing mode. I cannot find out why. It does not even generate an error code. Strange. The only way to get out of the freeze is to wait long enough and sometimes it clears itself. If it doesn't I have to quit Safari and then reload. Sometimes my work I am editing is still there, sometimes it is gone PFFFT, and I have to start over. Strange. Other than that, no issues.

202 posted on 11/06/2014 9:14:44 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 196 | View Replies]

To: Salamander

Just wow.....why not run a line from the desktop and fix your laptop? I mean USB adapters are notorious for all sorts of bad things happening to the user. Wouldn’t use it for any reason whatsoever.


203 posted on 11/06/2014 9:23:34 PM PST by Nifster
[ Post Reply | Private Reply | To 56 | View Replies]

To: Swordmaker
It was in the 90s and they were a bunch of these things.

Just like I said.

And every time I tried to bring up particular websites, they all locked up.

The smart ass working there was first perplexed and then hyper-defensive and finally, just offensive.

I actually have one of these things, just for the quirky kick of it.

I also have an old Bronze G3 laying around.

OS X is on that one, Panther, if I recall rightly.

It's a royal PITA to use so I don't.

Years ago, I used it to "surf safely" [when it worked] and to receive attachments from a Mac-using friend.

Somewhere in between, I had a couple of the cute little fruit flavored clam shell notebooks that I played with.

I use PS heavily and they could not handle that.

I like my Alienwares.

2G video and 32G of ram works for me.

However, I don't totally freak out and denigrate people who don't like Windows or Alienware.

I'm not an emotional slave to my computers nor do I proselytize any machine, in particular.

People should be able to buy what pleases them without others treating them like subhumans.

204 posted on 11/06/2014 9:28:55 PM PST by Salamander (People will stare. Make it worth their while.)
[ Post Reply | Private Reply | To 201 | View Replies]

To: Nifster

It’s out of warranty and Qosmio repairs are not cheap.

Other than using it to update music on my iPods, it serves only as a backup laptop if all my other, better ones would crash.


205 posted on 11/06/2014 9:33:07 PM PST by Salamander (People will stare. Make it worth their while.)
[ Post Reply | Private Reply | To 203 | View Replies]

To: Swordmaker

Nice job in kickin’ some liberal troll anti-Apple bahonkas, Swordmaker.

Facts nails em every time. And they’re quoting from a liberal activist created source, no less.

I salute you.


206 posted on 11/06/2014 10:44:35 PM PST by Mortimer St. Hubbins
[ Post Reply | Private Reply | To 197 | View Replies]

To: Salamander
It was in the 90s and they were a bunch of these things.

Thank you, Salamander. As I thought, you were not talking about a modern Mac, you were talking about a Mac that was made in 1998. Sixteen years ago. You were not talking about the same hardware or even the same operating system as a modern Mac. Nor even in the same ball park. These machines we were discussing are completely divorced from each other. They literally are not even the same species of computer; different processor, different operating system. You might as well have been talking about an Atari or an Amiga machine as a Mac. They merely share a Manufacturer and a name.

2G video and 32G of ram works for me.

How would you like this?



27" iMac with 5K, 5,120 x 2,880, 14,745,600 pixel display.
4.0GHz Quad-core Intel Core i7, Turbo Boost up to 4.4GHz,
32GB 1600MHz DDR3 SDRAM - 4x8GB, 3TB Fusion Drive
AMD Radeon R9 M295X 4GB GDDR5, 3.5 Teraflop Graphics
$3795

Basic Configuration with 3.5GHz Quad-core Intel i5
8GB 1600MHZ DDR3 SDRAM, 1TB Fusion Drive,
AMD Radeon R9 M290X 2GB GDDR5,

$2495

That basic configuration iMac with 5K Retina Display sells for the same price as Dell's 5K monitor!

Apple's iMac with 5K Retina site

Engadget—"Here's your first look at Apple's new 5K iMac with Retina display"

One power cable. . . everything else wireless.

And yes, Salamander, it can run Windows and Linux, too.

207 posted on 11/06/2014 11:03:15 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 204 | View Replies]

To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
ALL PING LIST MEMBERS: Re: the purported OS X and iOS WireLurker Malware.

Let this be the last post in this thread. While it was mostly FUD and there was an attempt at creating an OS X Trojan, it has now been handled. Apple has blocked any possibility of the trojan being loaded or the software from being installed. Apple made this statement tonight.

"We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources."

This malware prevention has been pushed out to all Macs connected to the Internet in Apple's normal anti-malware Security system automatic update.

208 posted on 11/06/2014 11:41:44 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 207 | View Replies]

To: All
OK. . . one more post on this thread.

This comes via MacIssues.com and is a FAQ on how to remove any possible infestation of WireLurker, assuming you got it. . . by visiting Chinese alternate OS X app store and downloading a Chinese App. . .

Keep in mind, this is a trojan and it can ONLY get on your system by the user himself doing something stupid. The user has to install it himself. The something stupid in this case is downloading software from an unknown website.

While Apple will warn a user they are downloading a Trojan, one can still go ahead and download it. As noted above in their statement, Apple has stepped up and completely blocked this Trojan from even loading.

One word of warning, you can still bypass the developer certificates if you know how. Don't do it.

Swordmaker

-------------------------------

Following the recent Wirelurker malware that was discovered yesterday, Apple has taken some rapid steps to fix it, including releasing an XProtect update to detect programs that are run on OS X which may contain the malware, and revoking developer certificates for compromised applications that are being used as vectors to spread the malware. In addition to these steps, if you suspect your Mac or iOS system might have been infected, then there are some steps you can take to detect and remove it from your system.

How could I be infected?

This malware infects systems by first being distributed through modified software packages. These packages are downloaded through third-party app stores (not the App Store Apple includes in OS X), and from underground Web sites that distribute pirated software. If you suspect software on your system that you have downloaded in the past six months has been from suspect sources such as these, then there might be an area for concern; however, if you have only installed software from the App Store or from an official download from a reputable distributor or developer, then you likely have nothing to worry about.

Are there known symptoms of an infection?

There are no known telltale symptoms of Wirelurker; however, malware-infected apps will usually be unstable and crash, or hang, or show similar odd behavior while they run. Even though these alone are not signs of a malware infection, if you have run apps from third-party app stores and unvetted Web sites, and they have not run as expected, then you might take caution and investigate your situation more.

How do I detect WireLurker?

The WireLurker malware installs a number of files on your OS X system, which set it up to detect any iOS systems you attach by a USB cable, and then install malware into that iOS device. If you have any of these files on your Mac, then you likely have the malware installed. These have been outlined by Palo Alto Networks, the company that discovered the malware, and for the current variant of the malware include the following files:

  1. A file called “run.sh” in the Macintosh HD > Users > Shared folder
  2. Any of the following files in the Macintosh HD > Library > LaunchDaemons folder
    com.apple.machook_damon.plist
    com.apple.globalupdate.plist
    com.apple.watchproc.plist
    com.apple.itunesupdate.plist
  3. Any of the following files in the Macintosh HD > System > Library > LaunchDaemons folder
    com.apple.appstore.plughelper.plist
    com.apple.MailServiceAgentHelper.plist
    com.apple.systemkeychain-helper.plist
    com.apple.periodic-dd-mm-yy.plist
  4. In addition, the following files and folders will be in the hidden usr/bin directory, which can be opened by pressing Shift-Command-G in the Finder and then entering “/usr/bin” in the path field that shows up:

If you see any or all of these files in your Mac’s hard drive, then your Mac has likely been compromised. You can remove the malware by removing these files and restarting your system, which should clear it fully; however, Palo Alto Networks has released a python script that will do this for you. The script can be found at this github project, and you can also run it by opening the Terminal and then running the following two commands (copy and paste all lines of each command). The first command downloads the script, and the second runs it in the Terminal–you will need administrative access to run these scripts:

curl -O https://raw.githubusercontent.com/PaloAltoNetw\
orks-BD/WireLurkerDetector/master/WireLurkerDetectorOSX.py
python WireLurkerDetectorOSX.py

How do I remove WireLurker from iOS?

If you have detected WireLurker on your Mac and have attached your iOS device to it with a USB cable, then you likely have compromised your iOS device. In this case, you should take no chances and wipe your iOS device:

  1. Use iCloud to back up your device and all personal data on it
  2. Go to Settings > General > Reset
  3. Tap “Erase All Content and Settings” to clear all apps and data from the device
  4. Restart your iOS device and set it up again
  5. Sign into iCloud when you set up your iOS device and restore your backed up data
  6. If needed, download your apps again from the App Store

You can also attach your iPhone or iPad to your Mac and use the “Restore iPhone/iPad” button in iTunes to factory-reset the device. The key to these steps is they clear out all programs on your iOS device which may have been compromised, and replace them with fresh copies. Your data and files should all be preserved, though you might lose some application settings.

209 posted on 11/07/2014 12:48:49 AM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 208 | View Replies]
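
The file checks from steps 1 to 3 of the FAQ above, as an added example that is not part of the original post and is not Palo Alto Networks' script: a shell function (hypothetical name `wl_scan`) that looks for the named files under a chosen volume root, so it can also be pointed at a mounted backup. It assumes the Finder locations map to /Users/Shared, /Library/LaunchDaemons and /System/Library/LaunchDaemons, and that "dd-mm-yy" in the last file name is a date placeholder; the /usr/bin items from step 4 are not checked because the post does not list them.

```shell
#!/bin/sh
# Added example; wl_scan is a hypothetical name, not Palo Alto Networks' detector.
# Usage: sh wl_scan.sh /                  (the running system)
#        sh wl_scan.sh "/Volumes/Backup"  (a mounted backup or disk image)

# Print every file from the FAQ's list that exists under the volume root $1.
# Exit status: 0 if none were found, 1 if at least one was.
wl_scan() {
    wl_root="${1:-/}"
    wl_root="${wl_root%/}"      # "/" becomes "" so the paths below join cleanly
    wl_found=0
    while IFS= read -r wl_rel; do
        # $wl_rel is left unquoted on purpose so the ?? wildcards expand;
        # "$wl_root" stays quoted so roots such as "Macintosh HD" survive.
        for wl_path in "$wl_root"$wl_rel; do
            # -L also catches a dangling symlink left at one of these names
            if [ -e "$wl_path" ] || [ -L "$wl_path" ]; then
                printf '%s\n' "$wl_path"
                wl_found=$((wl_found + 1))
            fi
        done
    done <<'EOF'
/Users/Shared/run.sh
/Library/LaunchDaemons/com.apple.machook_damon.plist
/Library/LaunchDaemons/com.apple.globalupdate.plist
/Library/LaunchDaemons/com.apple.watchproc.plist
/Library/LaunchDaemons/com.apple.itunesupdate.plist
/System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist
/System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
/System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
/System/Library/LaunchDaemons/com.apple.periodic-??-??-??.plist
EOF
    # Assumption: the ??-??-?? wildcard stands for the FAQ's "dd-mm-yy" date part.
    [ "$wl_found" -eq 0 ]
}

# Run a scan only when a volume root is given on the command line.
if [ "$#" -gt 0 ]; then
    wl_scan "$1" || echo "WireLurker files from the FAQ list found under $1" >&2
fi
```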

To: Swordmaker
This malware prevention has been pushed out to all Macs connected to the Internet in Apple's normal anti-malware Security system automatic update.

Except mine since I do not allow any updates to my mac for any reason.

210 posted on 11/07/2014 4:25:57 AM PST by palmer (Minnesota Is Monitoring 48 for Ebola – Already 12 Go Missing)
[ Post Reply | Private Reply | To 208 | View Replies]

To: Swordmaker
A file called “run.sh” in the Macintosh HD > Users > Shared folder

I just ran sudo find / -name "*.sh"

I found a couple hundred bash scripts mostly within packages I installed myself (matplotlib probably has 200 alone). I looked at all of the ones that were not in packages that I installed and all of them are benign.

211 posted on 11/07/2014 4:32:09 AM PST by palmer (Minnesota Is Monitoring 48 for Ebola – Already 12 Go Missing)
[ Post Reply | Private Reply | To 209 | View Replies]

To: Swordmaker

I have had the keyboard freeze up as well, but only a few times. Come to think of it, it might have been when I was backspacing.


212 posted on 11/07/2014 5:57:51 AM PST by smokingfrog ( sleep with one eye open (<o> ---)
[ Post Reply | Private Reply | To 202 | View Replies]

To: Norm Lenhart
Every upgrade of the apple OS, I read dozens of stories from studios whose associated hard/software stopped working.

The operating systems they don't upgrade suddenly stop working when a new OS comes out? Hogwash.

If they have problems, it's because they CHOOSE TO UPGRADE knowing the risks involved. Unlike in a normal enterprise environment, I suppose, where patches and new versions are tested before fully rolling out, these particular industries I guess just magically have all their machines upgraded against their will with no testing at all.

Just these industries. And only the Apple-using businesses.

In the real world, not your fantasy one of unsourced and unbelievable anecdotes, an existing system doesn't suddenly stop working when a new version of software is published and you don't install it. There's no "kill switch" in the software that says "break on [date] if not upgraded". The only people affected by updates are the ones who actually update, and if it's a mission-critical system, then those updates should be tested before they're rolled out.

I don't care what business you're in or what computer/OS combination you're using, that's just IT Services 101.

213 posted on 11/07/2014 8:32:24 AM PST by kevkrom (I'm not an unreasonable man... well, actually, I am. But hear me out anyway.)
[ Post Reply | Private Reply | To 129 | View Replies]

To: kevkrom

Then hit some of the industry sites and explain why it is that every single version, a crapload of software/ drivers/hardware stop working.

I guess that all those people reporting all those problems over several YEARS are simply mac haters making it all up to piss off 3-4 groupies on a political website.

Everyone is a liar except FR’s Mac Brigade. Everyone. I understand now. Although it’s sort of confusing how people with no experience with the issues involved, or the hardware, are gospel experts on the ‘non existent’ problems but oh well. The script they read from doesn’t really need to be made sense of, just read over and over until all complaints are driven away Democrat style.


214 posted on 11/07/2014 8:45:53 AM PST by Norm Lenhart (Feet to the fire folks. YOU PROMISED!)
[ Post Reply | Private Reply | To 213 | View Replies]

To: Norm Lenhart
Then hit some of the industry sites and explain why it is that every single version, a crapload of software/ drivers/hardware stop working.

1) No one forces them to upgrade. If they don't upgrade, nothing stops working.

2) If they aren't testing these things out before putting them on mission-critical systems, the first place blame should be assigned is the person in the mirror.

3) Neither #1 nor #2 is Apple-specific.

I'm also confused as to why you think 3rd-party vendors' failure to use the multi-month developer previews to update their software and drivers for new OS versions is an Apple problem.

215 posted on 11/07/2014 9:48:06 AM PST by kevkrom (I'm not an unreasonable man... well, actually, I am. But hear me out anyway.)
[ Post Reply | Private Reply | To 214 | View Replies]

To: kevkrom

You aren’t paying attention to anything I said, are you? Just repeating the script.


216 posted on 11/07/2014 9:54:53 AM PST by Norm Lenhart (Feet to the fire folks. YOU PROMISED!)
[ Post Reply | Private Reply | To 215 | View Replies]

To: Norm Lenhart

Oddly enough, I was thinking the same thing about you.

Although I suppose the NSA is forcing these people to upgrade through the backdoor you insist they have installed. I’m sure they have a good reason. Now, adjust your tinfoil hat and go pretend to be an expert somewhere else.


217 posted on 11/07/2014 10:37:34 AM PST by kevkrom (I'm not an unreasonable man... well, actually, I am. But hear me out anyway.)
[ Post Reply | Private Reply | To 216 | View Replies]

To: Swordmaker
???

No “software update” target under the apple?

automatic updates??

218 posted on 11/07/2014 12:23:12 PM PST by conservatism_IS_compassion ("Liberalism” is a conspiracy against the public by wire-service journalism.)
[ Post Reply | Private Reply | To 208 | View Replies]

To: conservatism_IS_compassion
??? No “software update” target under the apple?

automatic updates??

Malware definitions only are pushed to a secure location on OS X. It is similar to what's done on every antivirus package. It does not touch the OS at all. It's part of what keeps OS X safe.

219 posted on 11/07/2014 2:16:28 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 218 | View Replies]

To: for-q-clinton

What OS X malware? Have never seen one “in the wild”, at least none that didn’t require the user install it himself, giving permission to do its deed...

Then again - I don’t just hand over my house keys to any stranger off the street...


220 posted on 11/11/2014 8:48:40 AM PST by TheBattman (Isn't the lesser evil... still evil?)
[ Post Reply | Private Reply | To 1 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
