Newly Discovered Mac Malware Captures and Stores Screenshots

Discussion in 'MacRumors.com News Discussion' started by MacRumors, May 16, 2013.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1

    New Mac spyware was discovered earlier this week on a computer at the Oslo Freedom Forum, an annual human rights conference. Located by computer security researcher Jacob Appelbaum, the malware, which has been deemed OSX/KitM.A, is currently being investigated by anti-virus company F-Secure, reports CNET.

    The malware is a backdoor application called "macs.app," which launches automatically upon login and captures screenshots that it then sends to a MacApp folder in the user's home directory. Two command-and-control servers, located at securitytable.org and docsforum.info, are associated with the malware, but one does not function and the other gives a "public access forbidden" message.

    Interestingly, the malware is signed with an Apple Developer ID, which is designed to prevent the installation of malware. Apps that are unsigned are blocked by default by Apple's Gatekeeper security option.
    Currently, F-Secure is investigating where the malware originated, and though it does not appear to be widespread, it can be mitigated by removing the macs.app program from the log-in menu. Apple often addresses malware threats quickly, and has the ability to revoke the developer ID to further limit the spread of the software.

    Article Link: Newly Discovered Mac Malware Captures and Stores Screenshots
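    The post above describes two host-level indicators (a MacApp folder of screenshots in the home directory and a macs.app entry among the login items) and notes that the sample carried a valid Developer ID signature. The following POSIX shell script is an added defender's triage aid; it is not from the article, from F-Secure, or from any post in this thread. It checks a home directory for those two indicators and, on macOS, can print the signing chain of a given app bundle. The osascript and codesign calls only work on macOS and are skipped elsewhere; the function names and the sample login-item lists are assumptions.

```shell
#!/bin/sh
# Added triage script; not from the article, F-Secure, or any post in this thread.
# Checks a home directory for the host-level indicators the post describes:
#   1. a "MacApp" folder in the home directory holding captured screenshots
#   2. a login item named "macs" / "macs.app"
# and, on macOS, prints the signing identity of an app bundle so an analyst
# can see which Developer ID signed it. Function names are assumptions.

# Returns 0 if "$1/MacApp" exists and contains at least one file, else 1.
check_macapp_dir() {
    dir="$1/MacApp"
    [ -d "$dir" ] || return 1
    count=$(find "$dir" -type f | wc -l | tr -d ' ')
    echo "found $dir with $count file(s)"
    [ "$count" -gt 0 ]
}

# Returns 0 if the comma-separated login-item list in $1 (the format in which
# osascript prints an AppleScript list) has an entry exactly equal to "macs"
# or "macs.app"; a partial match such as "Emacs" does not count.
# The body is a subshell so the IFS change stays local; "exit" here ends
# only that subshell and becomes the function's return status.
login_item_list_has_macs() (
    IFS=','
    for item in $1; do
        item=$(printf '%s' "$item" | sed 's/^ *//;s/ *$//')   # trim spaces
        case "$item" in
            macs|macs.app) exit 0 ;;
        esac
    done
    exit 1
)

# Queries System Events for the current user's login items (macOS only) and
# returns 0 if the "macs" item is present; returns 1 elsewhere or if absent.
check_login_items() {
    if ! command -v osascript >/dev/null 2>&1; then
        echo "osascript not available; skipping login-item check"
        return 1
    fi
    items=$(osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null)
    if login_item_list_has_macs "$items"; then
        echo "login item 'macs' present in: $items"
        return 0
    fi
    return 1
}

# Prints the signing chain of an app bundle (macOS only). The article notes
# the sample was signed with an Apple Developer ID, so this is the line an
# analyst wants to see before deciding what to report.
show_signer() {
    command -v codesign >/dev/null 2>&1 || { echo "codesign not available"; return 1; }
    codesign -dvv "$1" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
}

# Runs both host checks against a home directory (default: $HOME) and returns
# 0 if any indicator matched, 1 if the directory looks clean.
triage_home() {
    home="${1:-$HOME}"
    hits=0
    check_macapp_dir "$home" && hits=$((hits + 1))
    check_login_items && hits=$((hits + 1))
    echo "indicators matched: $hits"
    [ "$hits" -gt 0 ]
}

# usage: sh triage.sh [/path/to/home]
triage_home "$@" || true
```

    A match on the MacApp folder alone is a reason to look further, not a verdict: any folder of that name with files in it will trigger it. The login-item check compares whole names so that an editor named Emacs is not reported. If the app is found, run show_signer on the bundle and keep the output with the screenshots folder for whoever handles the report; the post notes Apple can revoke the Developer ID, and the signing identity is what they need.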
     
  2. VoR
    macrumors 6502a

    Joined:
    Sep 8, 2008
    Location:
    UK
    #2
    $99 is a small price to pay for a guaranteed safe install of your latest malware app :)
     
  3. macrumors 603

    ArtOfWarfare

    Joined:
    Nov 26, 2007
    #3
    So Apple can pull a kill switch on this then, right?

    Apple may have planted it themselves just so they'd have an opportunity to demonstrate how they can kill malware by making devs sign apps and forbidding unsigned apps from running.
     
  4. macrumors 6502

    shareef777

    Joined:
    Jul 26, 2005
    #4
    I always liked how Apple's gatekeeper design could be easily bypassed by a $100 Apple Developer account.
     
  5. macrumors newbie

    Joined:
    Jul 3, 2007
    #5
    Why is the cert for this not revoked already?
     
  6. macrumors 65832

    Tankmaze

    Joined:
    Mar 7, 2012
    #6
    Well, how do you get the macs.app downloaded and running in the first place unless it's a PEBKAC? Just use common sense, people; this malware seems not to be that harmful, albeit annoying.
     
  7. macrumors 68000

    BC2009

    Joined:
    Jul 1, 2009
    #7
    Hitting that kill switch will prevent further installations (since the app will no longer be trusted), but I don't think it will block the app from running if it is already installed on your Mac.
     
  8. macrumors 68000

    Parasprite

    Joined:
    Mar 5, 2013
    #8
    That's a new one... I wonder if it's triggered by anything in specific or if they are just random, because I can't think that looking through thousands of screenshots of Facebook posts, flash games, typing papers, and uTorrent windows will really be of that much use to anybody... I mean passwords are hidden by dots, okay maybe the length could give clues to brute-forcing?

    Don't even get me started on it showing up in the user folder...

    On another note, I love the nesting in this :D
     
  9. macrumors G5

    nagromme

    Joined:
    May 2, 2002
    #9
    Some bad software is installed on a computer. Just one single computer? Did someone sit down and install it? Or was it spread over the network using some security flaw? If someone sat down and installed it, that's not what I'd call "malware." The origin is the key missing part of the story.

    Only if Apple can't pull the plug. That is the purpose of the certificate--not prevention of attempts in the first place.

    When did Apple receive the details on this? And what do they need to do to verify? (Obviously they can't simply obey any random request to shut a developer down, so there must be some verification steps.)
     
  10. macrumors 65816

    Simplicated

    Joined:
    Sep 20, 2008
    Location:
    Waterloo, ON
    #10
    Thankfully Gatekeeper is in place, so Apple can take swift actions.
     
  11. macrumors 6502a

    Joined:
    Sep 21, 2009
    Location:
    Tennessee
    #11
    The results of such malware can be interrupted by using something like OpenDNS, too, with appropriate settings in place. If they can't phone home, they are somewhat neutered.
     
  12. macrumors demi-god

    lostngone

    Joined:
    Aug 11, 2003
    Location:
    Anchorage
    #12
    Maybe it has, have you checked?
     
  13. macrumors 68000

    spazzcat

    Joined:
    Jun 29, 2007
    #13
    Guessing Apple can block your app.
     
  14. macrumors 68000

    ThunderSkunk

    Joined:
    Dec 31, 2007
    Location:
    Durango, Co
    #14
    Apple should do something to stop this!

    Think of the children!

    hehehe
     
  15. macrumors P6

    Peace

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
    #15
    I'd put this one in the category of stupid-ware.
     
  16. macrumors 6502a

    Sayer

    Joined:
    Jan 4, 2002
    Location:
    Austin, TX
    #16
    It's been over a year since I got my first Mac developer program setup and got a code-signing cert from Apple, but I think the process was slightly more complex than just providing any old credit card number to buy the membership.

    More than likely there is some trail left behind that can help identify the person responsible from Apple's side. And I doubt Apple will be publicly documenting all the steps they can and will take to figure this out, to prevent that info from getting out and letting the next guy be even more clever.

    Also I bet this malware was installed via physical access to the Mac since it was at some conference and the app was sitting in the home folder. Someone plugged in a thumb drive I'd wager.

    It would be nice if Mac OS X had a built-in method to block the mounting of external hard drives/shares and/or some more granular access controls beyond Parental Controls/Gatekeeper.
     
  17. macrumors member

    Joined:
    Jul 21, 2000
    #17
    "whois" info on the domains

    Domain Name:SECURITYTABLE.ORG
    Created On:04-Mar-2013 06:58:36 UTC
    Last Updated On:16-May-2013 16:02:07 UTC
    Expiration Date:04-Mar-2014 06:58:36 UTC
    Sponsoring Registrar:pDR Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
    Status:CLIENT TRANSFER PROHIBITED
    Registrant ID:DI_26714386
    Registrant Name:Christopher
    Registrant Organization:N/A
    Registrant Street1:DE-10387
    Registrant Street2:Nairobi
    Registrant Street3:
    Registrant City:Nairobi
    Registrant State/Province:Central
    Registrant Postal Code:50563
    Registrant Country:KE
    Registrant Phone:+254.204973957
    Registrant Phone Ext.:
    Registrant FAX:
    Registrant FAX Ext.:
    Registrant Email:n.christopher@mail.ru


    Domain Name:DOCSFORUM.INFO
    Created On:04-Mar-2013 05:10:28 UTC
    Last Updated On:16-May-2013 16:03:02 UTC
    Expiration Date:04-Mar-2014 05:10:28 UTC
    Sponsoring Registrar:pDR Ltd. dba PublicDomainRegistry.com (R159-LRMS)
    Status:CLIENT TRANSFER PROHIBITED
    Registrant ID:DI_26714386
    Registrant Name:Christopher
    Registrant Organization:N/A
    Registrant Street1:DE-10387
    Registrant Street2:Nairobi
    Registrant Street3:
    Registrant City:Nairobi
    Registrant State/Province:Central
    Registrant Postal Code:50563
    Registrant Country:KE
    Registrant Phone:+254.204973957
    Registrant Phone Ext.:
    Registrant FAX:
    Registrant FAX Ext.:
    Registrant Email:n.christopher@mail.ru

    Same registrant for both servers, both created less than two weeks ago, both servers appear to be dead in the water. Good to see some people on the case here.
     
  18. macrumors member

    Joined:
    Feb 2, 2010
    Location:
    Leeds, UK
    #18
    "Origination"? You mean origin, right?
     
  19. macrumors 68020

    Joined:
    Jul 8, 2006
    Location:
    California
    #19

    This reminds me of the Imperial shuttle that was stolen and used by the rebels in Return of the Jedi.

    I wonder how many Bothans died to secure this Apple Developer ID hehe. :p
     


  20. macrumors newbie

    Joined:
    Mar 22, 2011
    #20
    It's called mise en abyme :)
     
  21. macrumors newbie

    Joined:
    Dec 11, 2009
    #21
    Most likely this guy: http://www.linkedin.com/pub/rajender-kumar/5a/859/636
    Works for an outsourcing company in India. This would not be the first time this has happened: a sketchy company hires an outsourcing company to develop its malware, the outsourcing company makes the mistake of signing the malware with its own cert, gets the cert revoked, and breaks all the legitimate software signed by the outsourcing company.
     
  22. Moderator

    dejo

    Staff Member

    Joined:
    Sep 2, 2004
    Location:
    The Centennial State
    #22
    It wouldn't? Do you have some previous examples? Just curious...
     
  23. macrumors member

    Joined:
    Feb 1, 2011
    #23
    He was probably talking about previous Mac malware attacks.
     
  24. macrumors 65816

    sw1tcher

    Joined:
    Jan 6, 2004
    #24
    I guess you don't do any online banking, shopping, or trade stocks because your account numbers are not always hidden by dots after you're logged in.

    The same goes for your social security number and birth date. Those aren't hidden by dots when you're typing them in to pull up a free credit report on yourself or getting online quotes for car insurance.
     
  25. macrumors regular

    Joined:
    Mar 15, 2009
    #25
    Gatekeeper

    I like the gatekeeper. I usually leave it set to be as restrictive as possible, and when I need to install something, I open the control panel and change the setting, then change it back afterwards.


    Brian
     
