Old May 16, 2013, 01:31 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Newly Discovered Mac Malware Captures and Stores Screenshots




New Mac spyware was discovered earlier this week on a computer at the Oslo Freedom Forum, an annual human rights conference. Located by computer security researcher Jacob Appelbaum, the malware, which has been deemed OSX/KitM.A, is currently being investigated by anti-virus company F-Secure, reports CNET.

The malware is a backdoor application called "macs.app," which launches automatically upon login and captures screenshots that it then sends to a MacApp folder in the user's home directory. Two command-and-control servers, located at securitytable.org and docsforum.info, are associated with the malware, but one does not function and the other gives a "public access forbidden" message.

Interestingly, the malware is signed with an Apple Developer ID, which is designed to prevent the installation of malware. Apps that are unsigned are blocked by default by Apple's Gatekeeper security option.
Quote:
This bit of malware is somewhat unique in that it is signed with what appears to be a valid Apple Developer ID associated with the name Rajender Kumar. Though not an uncommon name, this may be a reference to the late Bollywood actor of a similar name. Regardless, the use of the ID appears to be an attempt to bypass Apple's Gatekeeper execution prevention technology.
Currently, F-Secure is investigating where the malware originated, and though it does not appear to be widespread, it can be mitigated by removing the macs.app program from the log-in menu. Apple often addresses malware threats quickly, and has the ability to revoke the developer ID to further limit the spread of the software.

Article Link: Newly Discovered Mac Malware Captures and Stores Screenshots
MacRumors is offline   1 Reply With Quote
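As an added illustration, not code from the article, F-Secure or anyone in this thread: a small host check for the indicators the article names (a bundle called macs.app, a login-time persistence entry pointing at it, and image files in the MacApp folder in the user's home directory). The article does not say how the login-time launch is implemented, so the LaunchAgents check is an assumption, and the sample home directory the script builds is a constructed fixture so it runs on any system.

```python
import plistlib
import tempfile
from pathlib import Path

MALWARE_APP = "macs.app"   # backdoor bundle named in the article
DROP_DIR = "MacApp"        # screenshot folder in the user's home, per the article

def find_app_bundles(home: Path) -> list:
    """Any directory named macs.app below the home directory."""
    return sorted(str(p) for p in home.rglob(MALWARE_APP) if p.is_dir())

def launch_agents_referencing(home: Path) -> list:
    """LaunchAgent plists whose Program/ProgramArguments mention macs.app
    (assumed persistence location; the article only says it launches at login)."""
    hits, agents = [], home / "Library" / "LaunchAgents"
    for plist in agents.glob("*.plist") if agents.is_dir() else []:
        try:
            with plist.open("rb") as fh:
                data = plistlib.load(fh)
        except Exception:  # unreadable or malformed plist: skip it, do not crash
            continue
        fields = [data.get("Program", ""), *data.get("ProgramArguments", [])]
        if any(MALWARE_APP in str(f) for f in fields):
            hits.append(str(plist))
    return sorted(hits)

def drop_folder_images(home: Path) -> list:
    """Image files in ~/MacApp, where the article says screenshots are stored."""
    drop = home / DROP_DIR
    files = drop.iterdir() if drop.is_dir() else []
    return sorted(p.name for p in files if p.suffix.lower() in (".png", ".jpg"))

def check_home(home) -> dict:
    """Run all three checks against one home directory."""
    home = Path(home)
    return {"bundles": find_app_bundles(home),
            "launch_agents": launch_agents_referencing(home),
            "screenshots": drop_folder_images(home)}

def build_sample_home() -> Path:
    """Constructed fixture (not a real infection) so the check runs on any OS."""
    home = Path(tempfile.mkdtemp())
    (home / MALWARE_APP / "Contents" / "MacOS").mkdir(parents=True)
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    with (agents / "com.example.macs.plist").open("wb") as fh:
        plistlib.dump({"ProgramArguments": [str(home / MALWARE_APP / "Contents/MacOS/macs")]}, fh)
    (home / DROP_DIR).mkdir()
    for name in ("shot1.png", "shot2.png", "notes.txt"):
        (home / DROP_DIR / name).write_bytes(b"")
    return home
```

Running `check_home(Path.home())` on a real Mac reports the same three lists; an empty result only means these particular indicators are absent, not that the machine is clean.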
Old May 16, 2013, 01:36 PM   #2
VoR
macrumors 6502a
 
Join Date: Sep 2008
Location: UK
$99 is a small price to pay for a guaranteed safe install of your latest malware app
VoR is offline   22 Reply With Quote
Old May 16, 2013, 01:36 PM   #3
ArtOfWarfare
macrumors 603
 
Join Date: Nov 2007
So Apple can pull a kill switch on this then, right?

Apple may have planted it themselves just so they'd have an opportunity to demonstrate how they can kill malware by making devs sign apps and forbidding unsigned apps from running.
ArtOfWarfare is offline   4 Reply With Quote
Old May 16, 2013, 01:37 PM   #4
shareef777
macrumors 6502
 
Join Date: Jul 2005
I always liked how Apple's gatekeeper design could be easily bypassed by a $100 Apple Developer account.
__________________
MacBook Pro (mid 2012) | Retina 15.4" | 2.7GHz i7 | 16GB RAM | 768GB flash
iPhone 5S | Black | 64GB
iPad Air | Black | 128GB
shareef777 is offline   18 Reply With Quote
Old May 16, 2013, 01:40 PM   #5
kidde
macrumors newbie
 
Join Date: Jul 2007
Why is the cert for this not revoked already?
kidde is offline   11 Reply With Quote
Old May 16, 2013, 01:41 PM   #6
Tankmaze
macrumors 65816
 
Join Date: Mar 2012
Well, how do you get the macs.app downloaded and running in the first place unless it's a PEBKAC? Just use common sense, people. This malware seems not to be that harmful, albeit it's annoying.
__________________
Check out our game Tank Maze
Tankmaze is offline   6 Reply With Quote
Old May 16, 2013, 01:50 PM   #7
BC2009
macrumors 68000
 
Join Date: Jul 2009
Quote:
Originally Posted by ArtOfWarfare View Post
So Apple can pull a kill switch on this then, right?

Apple may have planted it themselves just so they'd have an opportunity to demonstrate how they can kill malware by making devs sign apps and forbidding unsigned apps from running.
Hitting that kill switch will prevent further installations (since the app will no longer be trusted), but I don't think it will block the app from running if it is already installed on your Mac.
BC2009 is offline   4 Reply With Quote
Old May 16, 2013, 01:53 PM   #8
Parasprite
macrumors 65816
 
Join Date: Mar 2013
That's a new one... I wonder if it's triggered by anything in specific or if they are just random, because I can't think that looking through thousands of screenshots of Facebook posts, flash games, typing papers, and uTorrent windows will really be of that much use to anybody... I mean passwords are hidden by dots, okay maybe the length could give clues to brute-forcing?

Don't even get me started on it showing up in the user folder...

Quote:
Originally Posted by MacRumors View Post
On another note, I love the nesting in this
Parasprite is offline   3 Reply With Quote
Old May 16, 2013, 01:56 PM   #9
nagromme
macrumors G4
 
Join Date: May 2002
Some bad software is installed on a computer. Just one single computer? Did someone sit down and install it? Or was it spread over the network using some security flaw? If someone sat down and installed it, that's not what I'd call "malware." The origin is the key missing part of the story.

Quote:
Originally Posted by shareef777 View Post
I always liked how Apple's gatekeeper design could be easily bypassed by a $100 Apple Developer account.
Only if Apple can't pull the plug. That is the purpose of the certificate--not prevention of attempts in the first place.

Quote:
Originally Posted by kidde View Post
Why is the cert for this not revoked already?
When did Apple receive the details on this? And what do they need to do to verify? (Obviously they can't simply obey any random request to shut a developer down, so there must be some verification steps.)
nagromme is offline   11 Reply With Quote
Old May 16, 2013, 01:56 PM   #10
Simplicated
macrumors 65816
 
Join Date: Sep 2008
Location: Waterloo, ON
Thankfully Gatekeeper is in place, so Apple can take swift action.
Simplicated is offline   2 Reply With Quote
Old May 16, 2013, 01:56 PM   #11
nwcs
macrumors 6502a
 
Join Date: Sep 2009
Location: Tennessee
The results of such malware can be interrupted by using something like OpenDNS, too, with appropriate settings in place. If they can't phone home then they are somewhat neutered.
__________________
This space intentionally not blank
nwcs is offline   1 Reply With Quote
Old May 16, 2013, 01:57 PM   #12
lostngone
macrumors 6502a
 
Join Date: Aug 2003
Location: Anchorage
Quote:
Originally Posted by kidde View Post
Why is the cert for this not revoked already?
Maybe it has, have you checked?
lostngone is offline   5 Reply With Quote
Old May 16, 2013, 02:00 PM   #13
spazzcat
macrumors 68000
 
Join Date: Jun 2007
Quote:
Originally Posted by VoR View Post
$99 is a small price to pay for a guaranteed safe install of your latest malware app
Guessing Apple can block your app.
spazzcat is offline   1 Reply With Quote
Old May 16, 2013, 02:01 PM   #14
ThunderSkunk
macrumors 68000
 
Join Date: Dec 2007
Location: Durango, Co
Apple should do something to stop this!

Think of the children!

hehehe
ThunderSkunk is offline   2 Reply With Quote
Old May 16, 2013, 02:02 PM   #15
Peace
macrumors P6
 
Join Date: Apr 2005
Location: Space--The ONLY Frontier
I'd put this one in the category of stupid-ware.
Peace is offline   14 Reply With Quote
Old May 16, 2013, 02:23 PM   #16
Sayer
macrumors 6502a
 
Join Date: Jan 2002
Location: Austin, TX
It's been over a year since I got my first Mac developer program setup and got a code-signing cert from Apple, but I think the process was slightly more complex than just providing any old credit card number to buy the membership.

More than likely there is some trail left behind that can help identify the person responsible from Apple's side. And I doubt Apple will be publicly documenting all the steps they can and will take to figure this out, to prevent that info from getting out and letting the next guy be even more clever.

Also I bet this malware was installed via physical access to the Mac since it was at some conference and the app was sitting in the home folder. Someone plugged in a thumb drive I'd wager.

It would be nice if Mac OS X had a built-in method to block the mounting of external hard drives/shares and/or some more granular access controls beyond Parental Controls/Gatekeeper.
__________________
Obama is a true statesman whose experience as a state senator, half-term US Senator & guest lecturer in a Constitutional Law class has fully prepared him to take control of our nuclear arsenal.-Me
Sayer is offline   1 Reply With Quote
Old May 16, 2013, 02:23 PM   #17
Zaren
macrumors member
 
Join Date: Jul 2000
"whois" info on the domains

Same registrant for both servers, both created less than two weeks ago, both servers appear to be dead in the water. Good to see some people on the case here.
__________________
Join the University of Mars! Classes start soon!
Zaren is offline   2 Reply With Quote
Old May 16, 2013, 02:39 PM   #18
liamoblomy
macrumors member
 
Join Date: Feb 2010
Location: Leeds, UK
"Origination"? you mean origin right?
liamoblomy is offline   1 Reply With Quote
Old May 16, 2013, 02:57 PM   #19
iMikeT
macrumors 68020
 
Join Date: Jul 2006
Location: California
Quote:
Interestingly, the malware is signed with an Apple Developer ID, which is designed to prevent the installation of malware.

This reminds me of the Imperial shuttle that was stolen and used by the rebels in Return of the Jedi.

I wonder how many Bothans died to secure this Apple Developer ID hehe.
iMikeT is offline   1 Reply With Quote
Old May 16, 2013, 03:09 PM   #20
venusboy
macrumors newbie
 
Join Date: Mar 2011
Quote:
Originally Posted by Parasprite View Post
On another note, I love the nesting in this
It's called mise en abyme
venusboy is offline   1 Reply With Quote
Old May 16, 2013, 03:18 PM   #21
drspringfield
macrumors newbie
 
Join Date: Dec 2009
Quote:
Originally Posted by VoR View Post
$99 is a small price to pay for a guaranteed safe install of your latest malware app
Most likely this guy: http://www.linkedin.com/pub/rajender-kumar/5a/859/636
Works for an outsourcing company in India. This would not be the first time to happen: sketchy company hires outsourcing company to develop their malware, outsourcing company makes the mistake of signing the malware with their cert, gets cert revoked, breaks all legitimate software signed by outsourcing company.
drspringfield is offline   1 Reply With Quote
Old May 16, 2013, 03:21 PM   #22
dejo
Moderator
 
Join Date: Sep 2004
Location: The Centennial State
Quote:
Originally Posted by drspringfield View Post
This would not be the first time to happen...
It wouldn't? Do you have some previous examples? Just curious...
dejo is offline   1 Reply With Quote
Old May 16, 2013, 03:23 PM   #23
funone0
macrumors member
 
Join Date: Feb 2011
Quote:
Originally Posted by dejo View Post
It wouldn't? Do you have some previous examples? Just curious...
He was probably talking about previous Mac malware attacks.
__________________
Developer (OS X and iOS)
funone0 is offline   2 Reply With Quote
Old May 16, 2013, 03:24 PM   #24
sw1tcher
macrumors 6502a
 
Join Date: Jan 2004
Location: Los Angeles
Quote:
Originally Posted by Parasprite View Post
.... I can't think that looking through thousands of screenshots of Facebook posts, flash games, typing papers, and uTorrent windows will really be of that much use to anybody...
I guess you don't do any online banking, shopping, or trade stocks because your account numbers are not always hidden by dots after you're logged in.

The same goes for your social security number and birth date. Those aren't hidden by dots when you're typing them in to pull up a free credit report on yourself or getting online quotes for car insurance.
sw1tcher is offline   2 Reply With Quote
Old May 16, 2013, 03:41 PM   #25
B2k1977
macrumors member
 
Join Date: Mar 2009
Gatekeeper

I like the gatekeeper. I usually leave it set to be as restrictive as possible, and when I need to install something, I open the control panel and change the setting, then change it back afterwards.


Brian
B2k1977 is offline   2 Reply With Quote
