Given that most iPhone users update their Apple devices on Windows machines, it wasn’t really a shock to learn about the discovery of a Windows version of the WireLurker Trojan.
Last night, researcher Jaime Blasco of AlienVault tweeted that he had discovered the malware, which, as it turns out, pre-dates the Mac OS X version reported on Wednesday by Palo Alto Networks.
Like its Mac OS X relative, the Windows variant of WireLurker is for the most part dead in the water: it connects to the same command and control server, www[.]comeinbaby[.]com, and that server is offline.
Palo Alto intelligence director Ryan Olson said, however, that an update URL for an older iOS component of WireLurker is still operational and is hosted on the webserver of the Chinese Maiyadi App Store. Maiyadi is known for hosting pirated Mac OS X and iOS apps; Palo Alto researchers found 467 OS X apps there infected with WireLurker, and those apps have been downloaded more than 356,000 times.
Olson said that an iOS device infected with an older version of WireLurker (there are three known versions of the malware) would make an update request to http[:]//app[.]maiyadi[.]com/app/getversion.php and receive the following instruction:
{"result":{"version":"4.0.2","url":"http://www[.]comeinbaby[.]com/app/v4002/sfbase.dylib"}}
“This would instruct the malware to download an updated binary from the (offline) www[.]comeinbaby[.]com server. It’s possible this response could be updated by the attacker to point to a new server, which would allow some infected devices to receive updates,” Olson said. “That’s very unlikely to have any impact; devices that were making this request before yesterday would have already updated to version 4.0.2, which reports to the offline server.”
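The update check Olson describes, as an added example that is not Palo Alto's or the article's code: a Python triage helper that parses getversion.php-style replies, refangs the defanged URL, decides whether a device already on a given version would actually fetch the advertised binary, and flags replies that point at a host other than the two named in the article. The sample replies and proxy log lines are constructed; the "repointed" reply and the hosts example.invalid and updates.example.invalid are hypothetical, standing in for the attacker-controlled redirect Olson considers possible.

```python
import json
from urllib.parse import urlparse

# Added example, not Palo Alto's code. The two hosts are the ones named in the
# article; every sample below is constructed, the first one modelled on the
# quoted getversion.php reply.
KNOWN_C2_HOSTS = {"www.comeinbaby.com", "app.maiyadi.com"}
UPDATE_CHECK_PATH = "/app/getversion.php"

SAMPLE_RESPONSES = {
    # shape of the reply quoted in the article (defanged as printed there)
    "quoted": '{"result":{"version":"4.0.2","url":"http://www[.]comeinbaby[.]com/app/v4002/sfbase.dylib"}}',
    # hypothetical: attacker edits the reply to advertise a newer build on a new host
    "repointed": '{"result":{"version":"4.0.3","url":"http://updates[.]example[.]invalid/v4003/sfbase.dylib"}}',
    "unrelated": '{"status":"ok"}',
    "garbage": "<html>502 Bad Gateway</html>",
}

# constructed proxy log, one request per line: "<timestamp> <client> <method> <url>"
SAMPLE_PROXY_LOG = """\
2014-11-06T09:58:11Z 10.0.0.12 GET http://app.maiyadi.com/app/getversion.php
2014-11-06T09:58:14Z 10.0.0.12 GET http://www.comeinbaby.com/app/v4002/sfbase.dylib
2014-11-06T09:59:02Z 10.0.0.31 GET http://example.invalid/app/getversion.php
2014-11-06T10:01:40Z 10.0.0.45 GET http://app.maiyadi.com/index.html
""".splitlines()


def refang(s):
    """Undo the defensive [.] / hxxp notation used in the article and in IOC feeds."""
    return s.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def parse_version(v):
    """'4.0.2' -> (4, 0, 2); raises ValueError for anything that is not dotted integers."""
    return tuple(int(part) for part in v.split("."))


def parse_update_response(body):
    """Return (version_tuple, refanged_url) for a WireLurker-style reply, else None."""
    try:
        result = json.loads(body)["result"]
        version = parse_version(result["version"])
        url = refang(result["url"])
    except (ValueError, KeyError, TypeError, AttributeError):  # JSONDecodeError is a ValueError
        return None
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return version, url


def triage(body, installed="4.0.2"):
    """Judge one reply from the point of view of a device already running `installed`.

    A device only downloads when the advertised version is newer, which is why
    Olson expects the quoted reply to be harmless for devices already on 4.0.2.
    """
    parsed = parse_update_response(body)
    if parsed is None:
        return {"verdict": "not-an-update-reply"}
    version, url = parsed
    host = urlparse(url).hostname
    would_fetch = version > parse_version(installed)
    if not would_fetch:
        verdict = "stale"
    elif host in KNOWN_C2_HOSTS:
        verdict = "fetch-from-known-c2"
    else:
        verdict = "fetch-from-new-host"  # the repointing scenario worth alerting on
    return {"verdict": verdict, "version": ".".join(map(str, version)),
            "host": host, "known_c2": host in KNOWN_C2_HOSTS}


def update_check_clients(log_lines):
    """Return clients that hit the update-check path on a known host, in order first seen."""
    hits = []
    for line in log_lines:
        try:
            _ts, client, _method, url = line.split(None, 3)
        except ValueError:
            continue  # malformed line
        parts = urlparse(url)
        if parts.hostname in KNOWN_C2_HOSTS and parts.path == UPDATE_CHECK_PATH and client not in hits:
            hits.append(client)
    return hits


if __name__ == "__main__":
    for label, body in SAMPLE_RESPONSES.items():
        print(label, triage(body))
    print("update-check clients:", update_check_clients(SAMPLE_PROXY_LOG))
```

The version comparison is the point: with `installed="4.0.2"` the quoted reply is "stale" and nothing is fetched, whereas a reply advertising 4.0.3 from an unlisted host is exactly the case to alert on. The proxy-log scan is the complementary network check, matching the request side (host plus getversion.php path) rather than the reply.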
In a blog post, Palo Alto researcher Claud Xiao, who did most of the work analyzing WireLurker for Mac OS X, said the Windows version is also plagued by coding errors that make it less successful than the Mac OS X variant. It dates back to March 13 and is hosted on a different Chinese website, which currently hosts 180 Windows executables and 67 Mac OS X apps infected with WireLurker. Xiao wrote that those programs have been downloaded more than 65,000 times, with 98 percent of those downloads being the Windows version. It too has a component that tries to infect jailbroken iOS devices.
WireLurker spreads from infected OS X computers to iOS devices once a device is connected to the Mac via USB. The malware enumerates the connected iOS device looking for a number of applications popular in China, namely the Meitu photo app, the Taobao online auction app, and the AliPay payment app. If any of those is found on the device, WireLurker extracts the app and replaces it with a Trojanized version repackaged with the malware.
A worrisome feature was WireLurker’s ability to infect non-jailbroken iOS devices. It did so by signing the malware with a legitimate certificate issued to a Chinese company enrolled in Apple’s iOS Developer Enterprise Program. That program gives members access to Apple development resources and lets them distribute homegrown, signed iOS apps under an enterprise provisioning profile intended for in-house use, rather than submitting the application to the App Store; an enterprise profile is what allows such an app to install on any device, not just ones registered to the developer. Apple has since revoked the certificate, further slamming the door on the Mac OS X malware.
The Windows samples were uploaded directly to a public cloud storage service belonging to Chinese search giant Baidu. The same user uploaded the Mac OS X samples on March 12 and the Windows variant a day later; these samples pre-date the Maiyadi-related infections by one month.
The Windows samples are all marketed as “Green,” or clean, IPA (Apple’s iOS application archive) installers for pirated iOS apps, Xiao said. The pirated apps include Facebook, Instagram, Minecraft and others, as well as pirated versions of Apple’s own iOS apps such as iPhoto, iMovie and iBooks.
The Windows malware is a malicious portable executable (PE) file that bundles a malicious iOS app, apps.ipa, together with a pirated iOS app, third.ipa. Once the executable runs, a GUI asks the user to connect an iOS device via USB and checks whether iTunes is installed; if it is not, the victim is pointed to Apple’s official China site to install it.
Xiao wrote that Palo Alto tested the Windows sample with an iPhone 5S running a jailbroken version of iOS 7.1 and a third-generation iPad running jailbroken iOS 6. The malware did not execute smoothly, Xiao said.
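Two of the points above lend themselves to a single triage script: the IPAs bundled inside the Windows executable, and the enterprise provisioning profile that let the Mac OS X variant onto non-jailbroken devices. The following is an added example, not Palo Alto's code. It carves every zip archive (an IPA is a zip) out of an arbitrary carrier blob such as a PE dropper, opens each one, and reads Payload/*.app/embedded.mobileprovision to report the signing team and whether the profile is an enterprise in-house profile (ProvisionsAllDevices) or a device-locked one. The carrier, app names, team identifiers and profile contents are all constructed stand-ins. A real embedded.mobileprovision is a CMS-signed blob; the code only locates the plist inside it and does not verify the signature.

```python
import io
import plistlib
import re
import struct
import zipfile

# Added example, not Palo Alto's code. All sample data is constructed.
EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
LOCAL_SIG = b"PK\x03\x04"  # local file header, i.e. where a zip archive starts
EOCD_LEN = 22              # fixed part of the EOCD record (before the comment)


def carve_zips(blob):
    """Return [(start, end)] byte ranges of every complete zip embedded in blob.

    The EOCD record stores the central directory's size and its offset relative
    to the archive start, and the directory ends exactly where the EOCD begins,
    so archive_start = eocd_pos - cd_size - cd_offset. A candidate is accepted
    only if that computed start really holds a local file header.
    """
    found, pos = [], 0
    while (e := blob.find(EOCD_SIG, pos)) >= 0 and e + EOCD_LEN <= len(blob):
        cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", blob, e + 12)
        start, end = e - cd_size - cd_offset, e + EOCD_LEN + comment_len
        if start >= 0 and blob[start:start + 4] == LOCAL_SIG and end <= len(blob):
            found.append((start, end))
        pos = e + len(EOCD_SIG)
    return found


def parse_mobileprovision(raw):
    """Summarise a .mobileprovision: a CMS SignedData blob wrapping an XML plist.

    The plist is located by its XML markers rather than by parsing the CMS
    structure, and the signature is NOT verified; use this for triage only.
    """
    start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist payload inside mobileprovision")
    p = plistlib.loads(raw[start:end + len(b"</plist>")])
    return {"name": p.get("Name"),
            "team": p.get("TeamIdentifier", []),
            # enterprise (in-house) profiles set this; dev/ad-hoc profiles list devices instead
            "enterprise": bool(p.get("ProvisionsAllDevices", False)),
            "devices": len(p.get("ProvisionedDevices", []))}


def inspect_ipa(ipa_bytes):
    """One profile summary per Payload/<App>.app/embedded.mobileprovision in the IPA."""
    wanted = re.compile(r"Payload/[^/]+\.app/embedded\.mobileprovision$")
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        return [dict(member=n, **parse_mobileprovision(z.read(n)))
                for n in z.namelist() if wanted.match(n)]


def triage_carrier(blob):
    """Carve every IPA out of a carrier (e.g. a PE dropper) and flag enterprise-signed ones."""
    report = []
    for start, end in carve_zips(blob):
        profiles = inspect_ipa(blob[start:end])
        report.append({"offset": start, "size": end - start, "profiles": profiles,
                       "enterprise_signed": any(p["enterprise"] for p in profiles)})
    return report


# ---- constructed sample data (hypothetical app names, team IDs and profiles) ----
def _fake_profile(name, team, enterprise, devices=()):
    plist = {"Name": name, "TeamIdentifier": [team], "AppIDName": name}
    if enterprise:
        plist["ProvisionsAllDevices"] = True
    else:
        plist["ProvisionedDevices"] = list(devices)
    # junk bytes stand in for the CMS envelope around the plist
    return b"\x30\x82\x01\x00CMS-HEADER" + plistlib.dumps(plist) + b"CMS-SIGNATURE\x00"


def _fake_ipa(app, profile):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr(f"Payload/{app}.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": f"example.{app}"}))
        z.writestr(f"Payload/{app}.app/embedded.mobileprovision", profile)
    return buf.getvalue()


def build_sample_carrier():
    """An MZ stub with two IPAs appended: one enterprise-signed, one ad hoc."""
    enterprise = _fake_ipa("apps", _fake_profile("InHouse", "TEAMID0001", enterprise=True))
    adhoc = _fake_ipa("third", _fake_profile("AdHoc", "TEAMID0002", enterprise=False,
                                               devices=["00000000-000000000000000000000000"]))
    return b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\xcc" * 128 + enterprise + b"\x90" * 17 + adhoc


if __name__ == "__main__":
    for hit in triage_carrier(build_sample_carrier()):
        print(hit)
```

Carving works backwards from each end-of-central-directory record rather than forwards from the first `PK\x03\x04`, so two archives glued into one file are recovered separately and a stray signature inside compressed data is rejected by the local-header check. Whether an app's profile says `ProvisionsAllDevices` is the quick test for "could this install on a stock, non-jailbroken device through enterprise distribution"; confirming that the signer is who the profile claims requires verifying the CMS signature, which this triage deliberately does not do.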
“When using the iPhone 5s/iOS 7.1, the installer crashed after clicking the button; with the iPad, the interface shows ‘installation is successful’, but we did not find any new icon in the iPad display,” he wrote. “We believe this failure was caused by poor coding quality and incompatibility between the malware and the iOS device, but the malware code does attempt the installation.”
Xiao also pieced together clues linking the two variants to the same author, including a certificate, an identifier and copyright information referring to Maiyadi in both sets of samples.