New malware WireLurker targets Apple users: it infects the Mac first, then spreads to iOS
Security vendor Palo Alto Networks has disclosed a new malware family, WireLurker, that targets Apple users in the Chinese market. WireLurker has infected 467 OS X applications in Maiyadi (麥芽地), a third-party Mac App Store located in China, and those applications have been downloaded more than 350,000 times. When an iOS device is connected over USB to a Mac that has downloaded one of these malicious programs, the iOS device may become infected, regardless of whether it is jailbroken.
According to Palo Alto Networks' statistics, 467 applications in the Maiyadi app store have been infected by WireLurker; in the past six months these applications have been downloaded more than 350,000 times in total, potentially affecting hundreds of thousands of Mac users. Once downloaded onto a Mac, WireLurker detects iOS devices connected to that computer over USB and then attempts to install third-party applications on the iOS device, or to generate malicious applications automatically, whether or not the iOS device is jailbroken.
Generally, users of non-jailbroken iOS devices cannot install applications from anywhere other than Apple's App Store. Palo Alto Networks notes, however, that researchers have previously used similar methods to attack non-jailbroken iOS devices, and WireLurker combines several new techniques to pose an entirely new threat to all iOS devices.
Palo Alto Networks says this repackaging of OS X applications is the largest in scale it has seen to date: WireLurker is only the second known malware to attack through the USB connection between OS X and iOS, the first able to generate malicious iOS applications automatically, and the first to abuse enterprise provisioning to install third-party applications on non-jailbroken iOS devices.
WireLurker has a complex architecture, with multiple versions containing different components; it hides files, obfuscates its code, and uses custom encryption to evade antivirus detection. It can be used to steal information from users' mobile devices and periodically fetches updated commands. Palo Alto Networks believes the attackers are still actively developing WireLurker, and the purpose of the attacks is currently unclear.
The WireLurker malware incident that has lately drawn so much attention in the Mac OS X world was only recently blown wide open by security firm Palo Alto Networks. The malware was reportedly already spotted by a developer back in March this year, but with no solid evidence no warning was raised. Every lead on the tool's origin points to the mainland Chinese piracy site Maiyadi (麥芽地): both the source and the distribution trace back to that site, which offers all kinds of pirated Mac OS X apps and iOS apps for users to download for free. According to Maiyadi's own statement, however, these were collected from overseas cracking groups, The Pirate Bay and the like, and have nothing to do with the site! 467 OS X apps on the site carry this malware, and more than 300,000 users have downloaded them. The malware also indirectly affects iOS users, so this incident puts a large part of the Mac community at risk, which is why this post walks everyone through how to check for and remove the malware.
If the check finds an infection, you'll see many lines marked with exclamation marks and the words "WARNING: Your OS X system is highly", which means the apps on this Mac OS X system contain WireLurker malware; your iOS devices probably haven't escaped either, and it's recommended to wipe and reinstall your iPhone and iPad.
Huh, WireLurker malware? I wonder what it looks like. Let me, 阿光, take a look too!
First, download this detection program. It's actually not a regular Mac application, just a plain-text UNIX script (a Python script run from the shell).
https://raw.githubusercontent.com/PaloAltoNetworks-BD/WireLurkerDetector/master/WireLurkerDetectorOSX.py
The contents of the script are as follows:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Detecting the WireLurker malware family on Mac OS X."""

__copyright__ = 'Copyright (c) 2014, Palo Alto Networks, Inc.'
__author__ = 'Claud Xiao'
__version__ = '1.1.0'

import os
import sys
import stat
import platform
import plistlib
import subprocess
from os.path import expanduser

# Files WireLurker plants on an infected Mac: its binaries plus the
# LaunchDaemon plists it uses for persistence.
MALICIOUS_FILES = [
    '/Users/Shared/run.sh',
    '/Library/LaunchDaemons/com.apple.machook_damon.plist',
    '/Library/LaunchDaemons/com.apple.globalupdate.plist',
    '/usr/bin/globalupdate',
    '/usr/local/machook/',
    '/usr/bin/WatchProc',
    '/usr/bin/itunesupdate',
    '/Library/LaunchDaemons/com.apple.watchproc.plist',
    '/Library/LaunchDaemons/com.apple.itunesupdate.plist',
    '/System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist',
    '/System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist',
    '/System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist',
    '/System/Library/LaunchDaemons/com.apple.periodic-dd-mm-yy.plist',
    '/usr/bin/com.apple.MailServiceAgentHelper',
    '/usr/bin/com.apple.appstore.PluginHelper',
    '/usr/bin/periodicdate',
    '/usr/bin/systemkeychain-helper',
    '/usr/bin/stty5.11.pl',
]

# Not malicious on their own, but left behind by the Maiyadi app installer
# that delivered the trojanized applications.
SUSPICIOUS_FILES = [
    '/etc/manpath.d/',
    '/usr/local/ipcc/',
    os.path.join(expanduser('~'), 'Library/Caches/com.maiyadi.appinstaller/'),
    os.path.join(expanduser('~'), 'Library/Saved Application State/com.maiyadi.appinstaller.savedState/'),
]


def scan_files(paths):
    """Return those of the given paths that exist on this system."""
    results = []
    for f in paths:
        if os.path.exists(f):
            results.append(f)
    return results


def is_file_hidden(f):
    """True if f carries the BSD 'hidden' flag; WireLurker hides the files it plants."""
    if not os.path.exists(f) or not os.path.isfile(f):
        return False
    if hasattr(stat, 'UF_HIDDEN'):
        return os.stat(f).st_flags & stat.UF_HIDDEN
    else:
        # Older Python without stat.UF_HIDDEN: ask `ls -lO` for the flags column.
        try:
            proc = subprocess.Popen("ls -ldO '%s' | awk '{print $5}'" % f, shell=True,
                                    stdout=subprocess.PIPE,
                                    stderr=subprocess.STDOUT)
            output = proc.stdout.read()
            proc.communicate()
            return output.find('hidden') != -1
        except Exception:
            return False


def is_app_infected(root):
    """Apply the three known WireLurker bundle indicators to one .app directory."""
    try:
        pl = plistlib.readPlist(os.path.join(root, 'Contents', 'Info.plist'))
        be = pl['CFBundleExecutable']
        # 1. the real executable was renamed to <name>_ and both copies hidden
        bundle_exec = os.path.join(root, 'Contents', 'MacOS', be)
        bundle_exec_ = bundle_exec + '_'
        if is_file_hidden(bundle_exec) and is_file_hidden(bundle_exec_):
            return True
        # 2. hidden launcher script plus its hidden packed payload
        the_script = os.path.join(root, 'Contents', 'Resources', 'start.sh')
        the_pack = os.path.join(root, 'Contents', 'Resources', 'FontMap1.cfg')
        if is_file_hidden(the_script) and is_file_hidden(the_pack):
            return True
        # 3. Maiyadi installer binary shipped together with the malicious IPA
        the_installer = os.path.join(root, 'Contents', 'MacOS', 'appinstaller')
        the_mal_ipa = os.path.join(root, 'Contents', 'Resources', 'infoplistab')
        if os.path.isfile(the_installer) and os.path.isfile(the_mal_ipa):
            return True
        return False
    except Exception:
        return False


def scan_app():
    """Walk the system and user Applications folders and collect infected bundles."""
    infected_apps = []
    for target in ['/Applications', expanduser('~/Applications')]:
        for root, __, __ in os.walk(target):
            if root.lower().endswith('.app'):
                if is_app_infected(root):
                    infected_apps.append(root)
    return infected_apps


def main():
    print 'WireLurker Detector (version %s)' % __version__
    print __copyright__
    print ''

    if platform.system() != 'Darwin':
        print 'ERROR: The script should only be run in a Mac OS X system.'
        sys.exit(-1)

    print '[+] Scanning for known malicious files ...'
    mal_files = scan_files(MALICIOUS_FILES)
    if len(mal_files) == 0:
        print '[-] Nothing is found.'
    else:
        for f in mal_files:
            print '[!] Found malicious file: %s' % f

    print '[+] Scanning for known suspicious files ...'
    sus_files = scan_files(SUSPICIOUS_FILES)
    if len(sus_files) == 0:
        print '[-] Nothing is found.'
    else:
        for f in sus_files:
            print '[!] Found suspicious file: %s' % f

    print '[+] Scanning for infected applications ... (may take minutes)'
    infected_apps = scan_app()
    if len(infected_apps) == 0:
        print '[-] Nothing is found.'
    else:
        for a in infected_apps:
            print '[!] Found infected application: %s' % a

    if len(mal_files) == 0 and len(sus_files) == 0 and len(infected_apps) == 0:
        print "[+] Your OS X system isn't infected by the WireLurker. Thank you!"
        return 0
    else:
        print "[!] WARNING: Your OS X system is highly suspicious of being infected by the WireLurker.\n" \
              "[!] You may need to delete all malicious or suspicious files and/or applications above.\n" \
              "[!] For more information about the WireLurker, please refer: \n" \
              "[!] http://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/"
        return 1


if __name__ == '__main__':
    main()
Then open "Terminal" under "Applications / Utilities" and type the command "cd downloads" to move into the "Downloads" folder.
Then type "python WireLurkerDetectorOSX.py" to run the UNIX script.
Finally you'll see a screen like this:
WireLurker Detector (version 1.1.0)
Copyright (c) 2014, Palo Alto Networks, Inc.
[+] Scanning for known malicious files ...
[-] Nothing is found.
[+] Scanning for known suspicious files ...
[-] Nothing is found.
[+] Scanning for infected applications ... (may take minutes)
[-] Nothing is found.
[+] Your OS X system isn't infected by the WireLurker. Thank you!
The verdict is "Your OS X system isn't infected by the WireLurker. Thank you!" What?! My OS X system isn't infected? Sigh, what a pity! I was hoping to see what this WireLurker malware actually looks like!
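The detector above is Python 2 (print statements, plistlib.readPlist), so it no longer runs under the python3 that ships with current macOS. The following is an added example, not Palo Alto Networks' code: the script's three app-bundle indicators ported to Python 3 and exposed as functions, plus a constructed clean bundle and a constructed mock-infected bundle (plain text files, not real malware) so the check can be exercised on any system. On Linux there is no st_flags, so the two hidden-flag indicators can only fire on macOS/BSD; the third indicator (appinstaller next to infoplistab) is what the demo triggers.

```python
import os
import plistlib
import stat
import tempfile

def is_file_hidden(path):  # BSD UF_HIDDEN flag; Linux has no st_flags, so files read as not hidden
    return os.path.isfile(path) and bool(getattr(os.stat(path), 'st_flags', 0) & stat.UF_HIDDEN)

def bundle_indicators(root):
    """Return the WireLurker bundle indicators (same three as the original script) found under an .app."""
    contents = os.path.join(root, 'Contents')
    try:
        with open(os.path.join(contents, 'Info.plist'), 'rb') as fh:
            exe = plistlib.load(fh)['CFBundleExecutable']
    except (OSError, KeyError, plistlib.InvalidFileException):
        return []  # not a readable bundle: nothing to report
    macos, res = os.path.join(contents, 'MacOS'), os.path.join(contents, 'Resources')
    found = []
    # 1. original binary renamed to <name>_ and both copies flagged hidden
    if is_file_hidden(os.path.join(macos, exe)) and is_file_hidden(os.path.join(macos, exe + '_')):
        found.append('hidden-executable-pair')
    # 2. hidden launcher script together with its hidden packed payload
    if is_file_hidden(os.path.join(res, 'start.sh')) and is_file_hidden(os.path.join(res, 'FontMap1.cfg')):
        found.append('hidden-start.sh+FontMap1.cfg')
    # 3. Maiyadi-style installer binary next to the bundled malicious IPA
    if os.path.isfile(os.path.join(macos, 'appinstaller')) and os.path.isfile(os.path.join(res, 'infoplistab')):
        found.append('appinstaller+infoplistab')
    return found

def make_bundle(base, name, extra=()):
    """Build a minimal constructed .app bundle (plain text files only, not real malware)."""
    root = os.path.join(base, name + '.app')
    for sub in ('MacOS', 'Resources'):
        os.makedirs(os.path.join(root, 'Contents', sub))
    with open(os.path.join(root, 'Contents', 'Info.plist'), 'wb') as fh:
        plistlib.dump({'CFBundleExecutable': name}, fh)
    for rel in ('MacOS/' + name,) + tuple(extra):
        with open(os.path.join(root, 'Contents', rel), 'wb') as fh:
            fh.write(b'constructed sample\n')
    return root

def demo():
    """Scan a clean and a mock-infected constructed bundle; returns {bundle name: indicators}."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = make_bundle(tmp, 'Clean')
        bad = make_bundle(tmp, 'Bad', extra=('MacOS/appinstaller', 'Resources/infoplistab'))
        return {os.path.basename(r): bundle_indicators(r) for r in (clean, bad)}
```

To check a real machine, call bundle_indicators on each .app found by walking /Applications and ~/Applications, exactly as scan_app does in the original script.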