
mcrawley

macrumors member
Oct 12, 2011
43
34
b/t North Zulch and Snook
Notice where the malware was found?

Notice where the malware was found? A human rights conference. Strikes me as a possible indication of state-sponsored. Not an encouraging sign.

I really don't want to see the entry of state-sponsored malware into the Mac world any more than it already may be.
 

ALange

macrumors member
Apr 15, 2013
45
0
Poland
The more interesting question is can the credit card (used to pay the $99) be linked to a real human being who can then be arrested?

- In the US I would assume the answer is yes.

- If he's in India I assume the answer is also yes (presumably India has no interest in hurting its reputation for SW).

- If he's in Pakistan (or wherever else Bollywood fans might hang out) WTF knows? You may get a name but so what, if there is no extradition treaty, or if the foreign government is not interested in co-operating.

Remember that a CC can be stolen, and then used to buy an Apple account.
 

SmileyBlast!

macrumors 6502a
Mar 1, 2011
654
43
Domain Name:SECURITYTABLE.ORG
Created On:04-Mar-2013 06:58:36 UTC
Last Updated On:16-May-2013 16:02:07 UTC
Expiration Date:04-Mar-2014 06:58:36 UTC
Sponsoring Registrar:pDR Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_26714386
Registrant Name:Christopher
Registrant Organization:N/A
Registrant Street1:DE-10387
Registrant Street2:Nairobi
Registrant Street3:
Registrant City:Nairobi
Registrant State/Province:Central
Registrant Postal Code:50563
Registrant Country:KE
Registrant Phone:+254.204973957
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:n.christopher@mail.ru


Domain Name:DOCSFORUM.INFO
Created On:04-Mar-2013 05:10:28 UTC
Last Updated On:16-May-2013 16:03:02 UTC
Expiration Date:04-Mar-2014 05:10:28 UTC
Sponsoring Registrar:pDR Ltd. dba PublicDomainRegistry.com (R159-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_26714386
Registrant Name:Christopher
Registrant Organization:N/A
Registrant Street1:DE-10387
Registrant Street2:Nairobi
Registrant Street3:
Registrant City:Nairobi
Registrant State/Province:Central
Registrant Postal Code:50563
Registrant Country:KE
Registrant Phone:+254.204973957
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:n.christopher@mail.ru

Same registrant for both servers, both created less than two weeks ago, both servers appear to be dead in the water. Good to see some people on the case here.
What's up with the Russians and all the hacking?:confused:
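
The registrant comparison made in the post above, as an added example that is not part of the original thread: it parses a subset of the two quoted WHOIS records, groups domains by a pivot field, and lists the registrant fields that match. The function names and the placeholder list are assumptions chosen for illustration, and the `pivot` helper generalizes to any number of records.

```python
from collections import defaultdict
from datetime import datetime

# Subset of the two WHOIS records quoted in the post above.
RAW = {
    "securitytable.org": """Created On:04-Mar-2013 06:58:36 UTC
Registrant ID:DI_26714386
Registrant Name:Christopher
Registrant Organization:N/A
Registrant Street3:
Registrant City:Nairobi
Registrant Postal Code:50563
Registrant Country:KE""",
    "docsforum.info": """Created On:04-Mar-2013 05:10:28 UTC
Registrant ID:DI_26714386
Registrant Name:Christopher
Registrant Organization:N/A
Registrant Street3:
Registrant City:Nairobi
Registrant Postal Code:50563
Registrant Country:KE""",
}
PLACEHOLDERS = {"", "n/a", "none"}  # assumed list of values that identify nobody

def parse_whois(text):
    """Parse 'Key:Value' lines, splitting on the first colon so timestamps survive."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip().lower() not in PLACEHOLDERS:
            record[key.strip()] = value.strip()
    return record

def pivot(records, field):
    """Group domains by the value of one field: {value: [domains sharing it]}."""
    groups = defaultdict(list)
    for domain, rec in records.items():
        if field in rec:
            groups[rec[field]].append(domain)
    return {v: sorted(d) for v, d in groups.items() if len(d) > 1}

def shared_registrant_fields(records):
    """Registrant fields whose value is identical in every record."""
    recs = list(records.values())
    return {k: v for k, v in recs[0].items()
            if k.startswith("Registrant ") and all(r.get(k) == v for r in recs[1:])}

def creation_gap_seconds(records):
    """Seconds between the earliest and latest 'Created On' timestamps."""
    fmt = "%d-%b-%Y %H:%M:%S UTC"
    times = [datetime.strptime(r["Created On"], fmt) for r in records.values()]
    return int((max(times) - min(times)).total_seconds())

RECORDS = {domain: parse_whois(text) for domain, text in RAW.items()}
```

Empty and `N/A` fields are dropped at parse time so they never count as a match between records.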
 

adamtore

macrumors member
Sep 2, 2011
70
1
Sweden
Funny, the Windows platform has orders of magnitude more malware, the few (lame) sporadic incidents reported on the Mac platform are not even a blip on the radar in comparison.

Exactly. Just like any other Mac software. It's always behind the Windows unless made by Apple.
 

Tech198

Cancelled
Mar 21, 2011
15,915
2,151
I'm beginning not to read these articles in full anymore, as people know what to do by not getting them in the first place "or should know"

Trouble is, people never listen or learn. :rolleyes: ..even with "education" since this is not always the answer.

I'm in I.T., but I've given up helping people till they learn and understand this themselves....

How else are they gonna learn ? Force it on them, and you'd be surprised how quickly it works.
 

subsonix

macrumors 68040
Feb 2, 2008
3,551
79
I'm beginning not to read these articles in full anymore, as people know what to do by not getting them in the first place "or should know"

Trouble is, people never listen or learn. :rolleyes: ..even with "education" since this is not always the answer.

In this case it was found on the computer of a human rights activist participating in a conference (check the link). If I can speculate, I would say that it's pretty likely that it was targeted at that single individual or a special group, not something that is spread randomly.

The Oslo Freedom Forum is an annual event "exploring how best to challenge authoritarianism and promote free and open societies." This year's conference (which took place May 13-15) had a workshop for freedom of speech activists on how to secure their devices against government monitoring. During the workshop, Jacob Appelbaum actually discovered a new and previously unknown backdoor on an African activist's Mac.
 

the Rebel

macrumors member
Feb 24, 2005
37
8
New Mac spyware was discovered earlier this week on a computer

What makes this program "spyware" rather than just a rudimentary monitoring program?

The malware is a backdoor application called "macs.app,"

In what way is it a "backdoor application" when nothing about it even seems to be hidden?

which launches automatically upon login

Launching a program automatically at login is a function of OS X. Many non-spyware programs make use of it.

captures screenshots that it then sends to a MacApp folder in the user's home directory.

That is not very covert.

Two command-and-control servers, located at securitytable.org and docsforum.info, are associated with the malware, but one does not function and the other gives a "public access forbidden" message.

Since the generically named application does not hide itself and does not even send the screenshots to the remote servers, it really sounds like it is just a beta program under development. It could be a precursor for malicious spyware or a precursor for a legitimate commercial app for employers/parents wanting to monitor computer usage.
 

msephton

macrumors 6502
Jan 6, 2004
456
197
United Kingdom, Europe
I like the gatekeeper. I usually leave it set to be as restrictive as possible, and when I need to install something, I open the control panel and change the setting, then change it back afterwards.
I keep it on all the time, and if I need to make an exception I right-click the app and choose Open from the context menu - this makes Gatekeeper give you different options for running the app.
 