WireLurker for Windows
Researchers at AlienVault have found an older version of WireLurker that uses Windows devices to spread. Jaime Blasco of AlienVault Labs, who discovered this variant of WireLurker, notified Palo Alto Networks Inc, which then published a new report on the Windows variant of the malware.
The earlier research paper said that WireLurker used OS X applications to infect iOS devices and gave no details of any Windows version of the malware.
Windows version considered the earliest variant of WireLurker
The Windows variant of WireLurker was distributed through Baidu YunPan (Baidu's public cloud storage service) by the user “ekangwen206”, Palo Alto Networks said in its report.
A total of 247 files were uploaded by this user, consisting of 180 Windows executables and 67 OS X applications, all uploaded on March 12th and 13th, almost a month before the Maiyadi App Store infections. Most of these files were spread as pirated versions of popular apps such as Facebook, WhatsApp, Instagram, Twitter, iBooks, iMovie, Calculator, Keynote, Flappy Bird and others, with WireLurker hidden inside. The files were downloaded a total of 65,213 times, and about 97.7% of those downloads were of the Windows samples.
How WireLurker spreads
After the victim downloads and runs the file on a Windows machine, they are prompted to download iTunes from Apple's official Chinese site. If iTunes is already installed, the interface shows the message “waiting for iOS device connection”. When the victim connects their iOS device, the pirated iOS app is installed on it; the malware is installed along with it, but only on jailbroken iOS devices.
The latter stage is very similar to its Mac OS X descendant: it sends the stolen data to the same command and control server and uses the Maiyadi App Store to check for updates.
Palo Alto Networks has already published the detection details needed by antivirus vendors, ISPs and other security vendors to update their products to detect WireLurker.
WireLurker can also be detected with the open-source detector released on GitHub: https://github.com/PaloAltoNetworks-BD/WireLurkerDetector