What is WireLurker?
The WireLurker malware, which infects OS X-powered Macs and iOS devices, has stirred up the Apple community. Malware that successfully infects Apple products is rare. On the Mac that was because criminals tended to go after the much bigger Windows market, while on the iPhone and iPad, Apple's App Store review has been an effective barrier. Known to exist as a threat in China
How do I detect WireLurker?
The WireLurker malware installs a number of files on your OS X system, which watch for any iOS device you attach by USB cable and then install malware onto that device. If you have any of these files on your Mac, then you likely have the malware installed. The files have been outlined by Palo Alto Networks, the company that discovered the malware, and for the variant they analysed they are the following (a newer variant may use different names, so treat this list as indicators, not a complete test):
1. A file called run.sh in the Macintosh HD > Users > Shared folder
2. Any of the following files in the Macintosh HD > Library > LaunchDaemons folder:
com.apple.machook_damon.plist
com.apple.globalupdate.plist
3. Any of the following files in the Macintosh HD > System > Library > LaunchDaemons folder:
com.apple.appstore.plughelper.plist
com.apple.MailServiceAgentHelper.plist
com.apple.systemkeychain-helper.plist
4. In addition, the following files will be in the /usr/bin directory, which is hidden in the Finder and can be opened by pressing Shift-Command-G and then entering "/usr/bin" in the path field that appears:
globalupdate
WatchProc
itunesupdate
com.apple.MailServiceAgentHelper
together with the folder /usr/local/machook/ (reachable the same way, by entering "/usr/local").
If you see any or all of these files on your Mac's hard drive, then your Mac has likely been compromised.
How to protect against WireLurker?
The first step Mac users can take is to not download or run applications from third-party app stores. Open System Preferences, click "Security & Privacy," and under "Allow apps downloaded from:" select "Mac App Store" (or "Mac App Store and identified developers"). This Gatekeeper setting stops the Mac from launching downloaded apps that are not signed by a known developer. It is not a complete guarantee, because it only checks an app on first launch and can be overridden by the user, so treat it as one layer of defence. Next, install a reputable OS X antivirus application; some of the best ones are free, so you have nothing to lose. Keep the software on all your iOS and OS X devices up to date: Apple is quite responsive about patching vulnerabilities. Never connect your iPhone to an unknown or untrusted computer, whether it is a Mac or a PC, and avoid untrusted chargers too, since a "charger" can contain a small computer.
How do I remove WireLurker?
Fortunately, WireLurker appears to be easy to remove. On the Mac, stop the malware's launch daemons first (unload the plists listed above with launchctl, or remove them and reboot) so that no running component is left behind, then delete the related files. On the iOS side, remove the malware's files or profiles and, preferably, restore the device.
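The following is an added example, not code from the original article or from Palo Alto Networks: a small POSIX shell script that checks a filesystem root for the OS X file indicators listed in the detection section above and, as a second step, removes them. The indicator paths are the ones from the list above; the function and variable names are my own. ROOT defaults to "/" for a live Mac, but any prefix (a mounted disk image, or a scratch directory) works, which is also how it can be tried safely.

```shell
#!/bin/sh
# Added example (not from the article or from Palo Alto Networks):
# check a filesystem root for the WireLurker OS X indicators listed above,
# and optionally remove them. ROOT defaults to "/" for a live system.

WIRELURKER_IOCS="
/Users/Shared/run.sh
/Library/LaunchDaemons/com.apple.machook_damon.plist
/Library/LaunchDaemons/com.apple.globalupdate.plist
/System/Library/LaunchDaemons/com.apple.appstore.plughelper.plist
/System/Library/LaunchDaemons/com.apple.MailServiceAgentHelper.plist
/System/Library/LaunchDaemons/com.apple.systemkeychain-helper.plist
/usr/bin/globalupdate
/usr/local/machook
/usr/bin/WatchProc
/usr/bin/itunesupdate
/usr/bin/com.apple.MailServiceAgentHelper
"

# wirelurker_scan [ROOT]: print every indicator present under ROOT, one per line.
# Exit status 0 = clean, 1 = at least one indicator found (usable as a gate).
wirelurker_scan() {
    root=${1:-/}
    root=${root%/}            # "/" becomes "", so "$root$ioc" stays absolute
    found=0
    for ioc in $WIRELURKER_IOCS; do
        if [ -e "$root$ioc" ]; then
            echo "FOUND: $root$ioc"
            found=1
        fi
    done
    return $found
}

# wirelurker_count [ROOT]: number of indicators present (handy for scripting).
wirelurker_count() {
    wirelurker_scan "$1" | wc -l | tr -d ' '
}

# wirelurker_remove [ROOT]: for each indicator present, unload the launch daemon
# first (only when cleaning the live system, i.e. ROOT is "/"), then delete it.
# Must run as root on a live Mac. Only the fixed list above is ever deleted.
wirelurker_remove() {
    root=${1:-/}
    root=${root%/}
    for ioc in $WIRELURKER_IOCS; do
        p="$root$ioc"
        [ -e "$p" ] || continue
        case "$p" in
            *.plist)
                if [ -z "$root" ] && command -v launchctl >/dev/null 2>&1; then
                    launchctl unload "$p" 2>/dev/null || true
                fi ;;
        esac
        rm -rf "$p" && echo "REMOVED: $p"
    done
}

# When run directly with a root argument, only report (e.g. "sudo sh check.sh /").
if [ $# -gt 0 ]; then
    wirelurker_scan "$1"
fi
```

Run the scan first and keep its output as a record before calling wirelurker_remove; on a jailbroken iOS device the same presence check can be done over SSH for /Library/MobileSubstrate/DynamicLibraries/sfbase.dylib, but as the article says, a full restore from iTunes is still the safer course for the iOS side.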
For Jailbroken Users
Step 1: Install a file manager such as iFile or Filza. Alternatively, use SSH to access the device from your Mac or PC.
Step 2: Navigate to /Library/MobileSubstrate/DynamicLibraries.
Step 3: Look for a file named sfbase.dylib. If it is present, the device is infected; if no such file exists, breathe a sigh of relief. Deleting this file may look like it removes the threat, but the recommended action is a complete restore of the iOS device from iTunes.
For Non-Jailbroken Users
Now that Apple has revoked the certificate this variant relied on, a non-jailbroken device should no longer accept its apps, but you could have picked up the malware before Apple took action. If you believe you are infected and your device is not jailbroken, read on.
Step 1: Open the Settings app and go to General > Profile (the entry only appears when a profile is installed).
Step 2: Check for any profile you did not install yourself and, if you find one, delete it.
Step 3: Check the installed apps for any you do not recognise or that behave strangely, and delete them. Again, a complete restore of the iOS device from iTunes is highly recommended until a more reliable removal method is available.