MacOS: Remove Wirelurker malware

In this practical tip, we explain what the malware Wirelurker does and how you can remove it.

Wirelurker: What he does and where he comes from

• The Wirelurker malware arrives on your Mac via downloads from the Chinese download portal "Maiyadi App Store", presumably via the OS X security vulnerability "Rootpipe".
• The site is well known for its wide range of pirated copies of popular software and is often used.
• The malware does no harm to your Mac, except that it starts a service running in the background. This is just waiting for you to connect an iOS device to the Mac.
• Here, Wirelurker then records the serial and telephone number, iTunes account data and other personal details from the iOS device. These are sent to a server. If the iOS device is jailbroken and the afc2 service is switched on, additional malware is installed. The history of iMessage, contacts from the address book and other data are thus tapped and sent to a server.

This is where the Wirelurker malware gets stuck

The individual components of the Wirelurker are spread over several directories on your Mac. The following list shows the files and directories.

• File: run.sh - Directory: / Users / Account Name / Public
• File: com.apple.machook_damon.plist - directory: / Library / LaunchDaemons
• File: com.apple.globalupdate.plist - directory: / Library / LaunchDaemons
• File: com.apple.watchproc.plist - Directory: / Library / LaunchDaemons
• File: com.apple.itunesupdate.plist - directory: / Library / LaunchDaemons
• File: com.apple.appstore.plughelper.plist - directory: / System / Library / LaunchDaemons
• File: com.apple.MailServiceAgentHelper.plist - directory: / System / Library / LaunchDaemons
• File: com.apple.systemkeychain-helper.plist - directory: / System / Library / LaunchDaemons
• File: com.apple.periodic-dd-mm-yy.plist - directory: / System / Library / LaunchDaemons
• File: globalupdate / usr / local / machook / - directory: / usr / bin
• File: WatchProc directory: / usr / bin
• File: itunesupdate - directory: / usr / bin
• File: com.apple.MailServiceAgentHelper - directory: / usr / bin
• File: com.apple.appstore.PluginHelper - directory: / usr / bin
• File: periodicdate - directory: / usr / bin
• File: systemkeychain-helper - directory: / usr / bin
• File: stty5.11.pl - directory: / usr / bin

How to get rid of the Wirelurker malware

In order to remove the malware, it is sufficient to delete the various components from the directories. However, since these are distributed in different directories, the search is quite complex. A small python script does the work for you.

1. Download the WireLurkerDetector script from GitHub. To do this, start the terminal on your Mac and enter the command "curl -O //raw.githubusercontent.com/PaloAltoNetworks-BD/WireLurkerDetector/master/WireLurkerDetectorOSX.py".
2. Enter the command "python WireLurkerDetectorOSX.py" to run the script. Then you see the result of the detector.
3. Then you have to reset all iOS devices connected to the infected Mac.