Old Jul 24, 2013, 08:19 AM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Janicab.A Malware Targets Computers Running OS X and Windows

Researchers from F-Secure, Webroot, and Avast have uncovered Janicab.A, a new trojan that was discovered as a threat to Macs last week and to Windows users on Monday, with findings being published recently.

For OS X users, Janicab.A was signed with a valid Apple Developer ID and also uses a special Unicode character known as a "right-to-left override" (RLO) that is used in email malware attacks. From there, the trojan uses a YouTube page to hijack infected computers, directs them to command-and-control (C&C) servers, and then leaves the server and hides the infection by making the malware appear as a harmless PDF or DOC file.

Webroot writes:
Quote:
After a relatively long lag period without seeing any particular new and exciting Mac malware, last week we saw the surfacing of a new and interesting method of compromising the OSX system. Malware authors have taken a new approach by altering file extensions of malicious .app packages in order to trick users into thinking they are opening relatively harmless .pdf or .doc files. Changing file extensions in Mac OSX can be tricky due to a built in security feature of the OS that detects attempts to change the extension and automatically annexes the extension of its correct file or package type.
This news comes after Apple updated security definitions to combat 'Yontoo', an adware trojan, this past March, while also regularly dealing with Java-related vulnerabilities. Apple introduced Gatekeeper in OS X Mountain Lion in order to better deal with security threats, offering a way for users to restrict installation of apps to those signed by Apple-issued Developer IDs.

Article Link: Janicab.A Malware Targets Computers Running OS X and Windows
MacRumors is offline   0 Reply With Quote
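The filename trick the article and the Webroot quote describe is easy to check for mechanically. The following Python is an added example, not code from MacRumors, Webroot, F-Secure or Avast: it models how a right-to-left override (U+202E) makes a stored name like `Report<RLO>fdp.app` render as `Reportppa.pdf`, compares the extension the user sees with the one the OS will actually resolve, and also catches the older `.pdf.exe` double-extension trick mentioned later in the thread. The sample filenames at the bottom are constructed for illustration, and the display model is a deliberate simplification of the Unicode Bidirectional Algorithm (a single RLO with no later directional pop, which is the pattern used in these attacks).

```python
"""Spot filenames that disguise an executable as a document, the way the
article describes Janicab.A doing with a right-to-left override (RLO).

Added example, not code from the article, Webroot, F-Secure or Avast.
The sample names at the bottom are constructed for illustration.
"""
import unicodedata
from typing import List

# Unicode bidirectional control characters. Any of them in a filename is a
# red flag: they change the order a viewer shows the characters in, but not
# the stored string that the OS uses to pick the file type.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # embeddings, overrides, pop
    "\u2066", "\u2067", "\u2068", "\u2069",            # isolates
}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the one Janicab.A is reported to use

# Extensions an attacker wants the victim to see, and ones that actually run.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "jpg", "png", "txt"}
EXECUTABLE_EXTS = {"app", "exe", "scr", "com", "bat", "jar", "command", "sh"}


def real_extension(name: str) -> str:
    """Extension as the OS resolves it: text after the last '.' in the stored string."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def displayed_name(name: str) -> str:
    """Approximate what a user sees: everything after an RLO is rendered mirrored.

    Assumption: a single RLO with no later directional pop, which is the
    pattern used for extension spoofing. A full Unicode Bidirectional
    Algorithm implementation is out of scope here.
    """
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def displayed_extension(name: str) -> str:
    """Extension the user thinks they are opening."""
    return real_extension(displayed_name(name))


def suspicious(name: str) -> List[str]:
    """Return the reasons a filename looks like extension spoofing; [] if clean."""
    reasons = []
    controls = sorted({unicodedata.name(c) for c in name if c in BIDI_CONTROLS})
    if controls:
        reasons.append("bidi control character(s): " + ", ".join(controls))
    shown, real = displayed_extension(name), real_extension(name)
    if shown != real:
        reasons.append(f"displays as .{shown} but the OS will treat it as .{real}")
    # The older trick from the thread: a double extension like report.pdf.exe
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and parts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"document extension .{parts[-2]} hidden in front of .{parts[-1]}")
    return reasons


if __name__ == "__main__":
    # Constructed samples: an RLO-disguised .app bundle, a double-extension
    # Windows binary, and a genuine PDF.
    samples = ["Report" + RLO + "fdp.app", "invoice.pdf.exe", "quarterly.pdf"]
    for sample in samples:
        print(repr(sample), "->", suspicious(sample) or "looks clean")
```

The check is cheap enough to run over a mail gateway's attachment names or a downloads folder. On a Mac, two further things are worth doing before trusting a "document" that trips it: `ls -ld` on the item, since a `.app` bundle is a directory rather than a file, and `codesign -dv --verbose=4 Foo.app` plus `spctl --assess --type execute -v Foo.app` to see who signed it and whether Gatekeeper would currently accept that Developer ID.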
Old Jul 24, 2013, 08:27 AM   #2
Bhatu
macrumors member
 
Join Date: Apr 2013
:OMG: somebody call that Researcher cum Hacker!
Bhatu is offline   0 Reply With Quote
Old Jul 24, 2013, 08:31 AM   #3
whooleytoo
macrumors 603
 
Join Date: Aug 2002
Location: Cork, Ireland.
Cross-platform malware? And the Mac version was released first? Yaaaay!
__________________
Mac <- Macintosh <- McIntosh apples <- John McIntosh <- McIntosh surname <- "Mac an toshach" <- "Son of the Chief"
whooleytoo is offline   20 Reply With Quote
Old Jul 24, 2013, 08:49 AM   #4
blackcrayon
macrumors 6502a
 
Join Date: Mar 2003
If it's signed with a valid developer ID, shouldn't that mean Apple should've already revoked it? Which brings up a question: if Apple revokes a developer ID because of malware, does OS X notify you that was the reason? Or do they just say it's "invalid" (in which case lots of people will still right-click and open it)?

(I'm guessing the File Quarantine feature should have this added as well by now)
blackcrayon is offline   12 Reply With Quote
Old Jul 24, 2013, 09:05 AM   #5
hkenneth
macrumors regular
 
Join Date: Jul 2011
Mimic normal files using fake icons? It looks like the malware I coded in VB back in middle school...
hkenneth is offline   0 Reply With Quote
Old Jul 24, 2013, 09:14 AM   #6
iThinkIt
macrumors regular
 
Join Date: Mar 2012
Location: Florida, USA
I love the idea of getting screwed over by malware... NOT

iThinkIt is offline   0 Reply With Quote
Old Jul 24, 2013, 09:34 AM   #7
jeznav
macrumors 6502
 
Join Date: Aug 2007
Location: Eh?
Not all OSX users have Adobe Acrobat Reader installed. Icon FAIL.

Should've used Preview.app PDF icon instead.
jeznav is offline   8 Reply With Quote
Old Jul 24, 2013, 09:53 AM   #8
redsoxunixgeek
macrumors member
 
Join Date: Dec 2006
Location: The Great SLC.
Quote:
Originally Posted by blackcrayon View Post
If it's signed with a valid developer ID, shouldn't that mean Apple should've already revoked it? Which brings up a question: if Apple revokes a developer ID because of malware, does OS X notify you that was the reason? Or do they just say it's "invalid" (in which case lots of people will still right-click and open it)?

(I'm guessing the File Quarantine feature should have this added as well by now)
Apple's dev team is busy re-building a broken dev portal. We might have to wait until after they get us back on line to revoke certs.
__________________
MacBook Pro 15" 2.3 Ghz i7 - 8GB - 750Gb
iMac 2011 i5 27" 2.7 Ghz - 12GB 1.0TB (Home/Work)
iPhone 5s 64 GB - Space Grey
Black iPad Mini 32 GB Wifi/LTE
redsoxunixgeek is offline   0 Reply With Quote
Old Jul 24, 2013, 10:27 AM   #9
moderately
macrumors regular
 
Join Date: Sep 2010
Quote:
Originally Posted by whooleytoo View Post
Cross-platform malware? And the Mac version was released first? Yaaaay!
I really did laugh out loud.
__________________
Would you rather be right or would you rather be happy?
moderately is offline   2 Reply With Quote
Old Jul 24, 2013, 10:29 AM   #10
charlituna
macrumors 604
 
Join Date: Jun 2008
Location: Los Angeles, CA
Quote:
Originally Posted by Bhatu View Post
:OMG: somebody call that Researcher cum Hacker!
Tin foils would say that he created it and then dropped his attack on the developer site hoping it would delay them revoking the certificate on his malware.

Just to see what would happen of course. He isn't trying to hurt anyone.

Tin foils also think he is the phisher.
__________________
Return of the Non Tech's Wish List
(She's family so I'm biased )
charlituna is offline   1 Reply With Quote
Old Jul 24, 2013, 10:29 AM   #11
thekingofnerds
macrumors regular
 
Join Date: Jun 2013
Quote:
Originally Posted by hkenneth View Post
Mimic normal files using fake icons? It looks like the malware I coded in VB back in middle school...
Reminds me of the script I wrote to bypass my school's proxies. I hid it as a visual C++ .cpp file.
thekingofnerds is offline   1 Reply With Quote
Old Jul 24, 2013, 10:49 AM   #12
Habberkuk
macrumors member
 
Join Date: Mar 2013
Location: Under your bed...
But what does it actually do?
Habberkuk is offline   0 Reply With Quote
Old Jul 24, 2013, 11:08 AM   #13
Michael Scrip
macrumors 68010
 
Join Date: Mar 2011
Location: NC
Quote:
Originally Posted by Habberkuk View Post

But what does it actually do?
It gets an article on MacRumors

Michael Scrip is online now   10 Reply With Quote
Old Jul 24, 2013, 11:47 AM   #14
justperry
macrumors 603
 
Join Date: Aug 2007
Location: 7 Km South of an active upside down (boat) volcano.
Quote:
Originally Posted by MacRumors
Researchers from F-Secure, Webroot, and Avast have uncovered Janicab.A, a new trojan that was discovered as a threat to Macs last week and to Windows users on Monday, with findings being published recently.
Scaremongering by all highlighted in bold; I don't expect anything more from them, except from MR.
justperry is offline   0 Reply With Quote
Old Jul 24, 2013, 01:42 PM   #15
Peace
macrumors P6
 
Join Date: Apr 2005
Location: Space--The ONLY Frontier
Quote:
Originally Posted by redsoxunixgeek View Post
Apple's dev team is busy re-building a broken dev portal. We might have to wait until after they get us back on line to revoke certs.
I don't think software engineers build web pages.

Not in this case at least.
Peace is offline   2 Reply With Quote
Old Jul 24, 2013, 02:32 PM   #16
Morod
macrumors 65816
 
Join Date: Jan 2008
Location: On The Nickel, over there....
Quote:
Originally Posted by MacRumors View Post
For OS X users, Janicab.A was signed with a valid Apple Developer ID

offering a way for users to restrict installation of apps to those signed by Apple-issued Developer IDs.
Yep, that'll work.
__________________
Everything should be made as simple as possible, but not simpler.
Albert Einstein
Morod is offline   0 Reply With Quote
Old Jul 24, 2013, 04:03 PM   #17
Nightarchaon
macrumors 65816
 
Join Date: Sep 2010
Quote:
Originally Posted by whooleytoo View Post
Cross-platform malware? And the Mac version was released first? Yaaaay!
Who says Apple Mac users don't get software first?
__________________
iWatch in action http://media.joe.ie/wp-content/uploa...ael-Knight.jpg
MacBook Pro/iPad Mini/TV1/iMac/iPhone5
Nightarchaon is offline   1 Reply With Quote
Old Jul 24, 2013, 06:53 PM   #18
Amer.Dababneh
macrumors newbie
 
Join Date: May 2013
Quote:
Originally Posted by jeznav View Post
Not all OSX users have Adobe Acrobat Reader installed. Icon FAIL.

Should've used Preview.app PDF icon instead.
Dude... Don't give them ideas! :P
Amer.Dababneh is offline   0 Reply With Quote
Old Jul 24, 2013, 07:04 PM   #19
Parasprite
macrumors 65816
 
Join Date: Mar 2013
Quote:
Originally Posted by MacRumors View Post
Malware authors have taken a new approach by altering file extensions of malicious .app packages in order to trick users into thinking they are opening relatively harmless .pdf or .doc files.
New because of the .app part maybe, but .pdf.exe is not a new approach by any means.

Also, who here uses Adobe for PDFs? (beyond filling out that one form that didn't work right in Preview for some reason)
Parasprite is offline   3 Reply With Quote
Old Jul 24, 2013, 11:41 PM   #20
moxin
macrumors regular
 
Join Date: Feb 2011
Quote:
Originally Posted by jeznav View Post
Not all OSX users have Adobe Acrobat Reader installed. Icon FAIL.

Should've used Preview.app PDF icon instead.
Reminds me of that 'New Folder' virus that used to infect XP back in the day. It used the XP-styled folder icon, so when you were using icon packages the threat was half gone.
moxin is offline   1 Reply With Quote
Old Jul 25, 2013, 01:38 AM   #21
antonis
macrumors 6502a
 
Join Date: Jun 2011
Still, don't be surprised if people who don't even have Adobe Reader installed on their Mac still open a "PDF" that uses the Acrobat icon. There are users and users.
antonis is offline   2 Reply With Quote

Copyright 2002-2013, MacRumors.com, LLC