This document is intended for technical readers.
We also found a new variant of WireLurker that exists on both Windows and OS X. While the OS X detection code was updated to cover this variant, we decided to fully disclose only how to technically detect its Windows samples.
We encourage others in the community to write GUI/CLI tools or scripts for the detection. For open source and well documented projects that implement the detection logic in this document, we will add a link in the main README document to help more Windows users. Please just open an issue or pull request to let us know.
This document may be updated if we find more variants on Windows.
Scan all PE executable files in the Windows system by following these steps:

- If the file does NOT contain the string "\x50\x4b\x05\x06" (the EOCD magic of a ZIP archive) exactly four times, it should NOT be classified as WireLurker and should be PASSED.
- If the file contains BOTH of these strings, "Payload/apps.app/sfbase.dylib" and "Payload/apps.app/sfbase.plist", it should be classified as WireLurker. Otherwise, it should NOT be.
- In all known samples, the fourth EOCD magic occurs within the last 26 bytes of the file. This observation can be used to skip string matching for most PE files. However, it may introduce false negatives.
You can choose to scan only, or to skip, specific directories, accepting the potential false negatives this brings.
You can decide whether or not to implement malware cleaning functionality. The only requirement is, if you choose to, please list all files your tool is going to delete and ask for user confirmation before deleting them.
Basically, deleting these files is enough:
- all PE executable files that match the above detection logic
- apps.ipa and third.ipa under C:\Documents and Settings\<USER>\Local Settings\Temp\ if they exist.
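The detection steps above, together with the list-and-confirm cleaning rule, as an added Python example (not the project's own code): it walks a directory, applies the EOCD count and marker-string checks, optionally uses the last-26-bytes shortcut as a pre-filter, and only lists matches unless the user explicitly confirms deletion. The scanned file extensions and the "MZ" pre-filter are assumptions; `build_test_sample` produces a constructed synthetic buffer with the described layout for self-testing and is not a real sample.

```python
import os
import sys

# Constants taken from the detection logic in this document
EOCD_MAGIC = b"\x50\x4b\x05\x06"          # ZIP End Of Central Directory signature
MARKER_STRINGS = (
    b"Payload/apps.app/sfbase.dylib",
    b"Payload/apps.app/sfbase.plist",
)
EXPECTED_EOCD_COUNT = 4
TAIL_WINDOW = 26                           # fourth EOCD magic sits in the last 26 bytes of known samples

# Assumption: which extensions count as "PE executable files"
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".sys", ".ocx")


def is_pe_file(data):
    """Cheap pre-filter (assumption): a PE image starts with the DOS 'MZ' header."""
    return len(data) >= 2 and data[:2] == b"MZ"


def eocd_in_tail(data):
    """Shortcut from the document: is an EOCD magic present in the last TAIL_WINDOW bytes?"""
    return EOCD_MAGIC in data[-TAIL_WINDOW:]


def is_wirelurker(data, use_tail_shortcut=False):
    """Apply the document's rules to a file's bytes and return True for a WireLurker match."""
    if not is_pe_file(data):
        return False
    # Optional fast path: skip string matching when no EOCD magic sits in the tail.
    # This may produce false negatives, exactly as the document warns.
    if use_tail_shortcut and not eocd_in_tail(data):
        return False
    # Rule 1: exactly four EOCD magics (the magic cannot overlap itself, so count() is exact)
    if data.count(EOCD_MAGIC) != EXPECTED_EOCD_COUNT:
        return False
    # Rule 2: both marker strings must be present
    return all(marker in data for marker in MARKER_STRINGS)


def scan_directory(root, use_tail_shortcut=False):
    """Walk `root` and return the paths of all files classified as WireLurker."""
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as handle:
                    data = handle.read()
            except OSError:
                continue                   # unreadable/locked file: skip, do not crash the scan
            if is_wirelurker(data, use_tail_shortcut):
                matches.append(path)
    return matches


def build_test_sample(with_markers=True, eocd_count=4):
    """Constructed synthetic buffer mimicking the described layout (NOT a real sample)."""
    body = bytearray(b"MZ" + b"\x00" * 62)
    if with_markers:
        for marker in MARKER_STRINGS:
            body += marker + b"\x00"
    # all but the last EOCD magic somewhere in the body ...
    body += (EOCD_MAGIC + b"\x00" * 8) * max(eocd_count - 1, 0)
    body += b"\x00" * 10
    # ... and the final one inside the 26-byte tail window (a minimal EOCD record is 22 bytes)
    if eocd_count > 0:
        body += EOCD_MAGIC + b"\x00" * 18
    return bytes(body)


def main(argv):
    root = argv[1] if len(argv) > 1 else "C:\\"
    matches = scan_directory(root, use_tail_shortcut="--fast" in argv)
    if not matches:
        print("No WireLurker files found under", root)
        return 0
    # List every file first and ask for confirmation before deleting, as the document requires
    print("The following files match the WireLurker detection logic:")
    for path in matches:
        print("  ", path)
    if "--delete" in argv and input("Delete ALL of the files listed above? [y/N] ").strip().lower() == "y":
        for path in matches:
            try:
                os.remove(path)
                print("deleted", path)
            except OSError as err:
                print("could not delete", path, err)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `python wirelurker_scan.py C:\ --fast` to scan with the tail-window shortcut, and add `--delete` to be offered the confirmation prompt; without `--delete` the tool only reports. Files under the Temp directory named in the list above (apps.ipa, third.ipa) are not PE files and are deliberately left to the operator.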
You can also further analyze the sample statically or dynamically by yourself to implement better cleaning.
You can find an original sample at http://contagiominidump.blogspot.com