The proof-of-concept must be a web browser that I can use to navigate to an encrypted login, that will make the ssl connection with that login page, and then send login credentials to a destination other than the bank's web server in a form that the attacker (you) is able to read.

OK, I think I'll try that, although it will require a bit more time than I planned to dedicate to this matter. I'll tell you if/when I finish.

I'm a bit concerned that someone may try to use my proof of concept for their own evil purposes. I'll do my best to prevent such a thing from happening.
 
OK, I think I'll try that, although it will require a bit more time than I planned to dedicate to this matter. I'll tell you if/when I finish.

I'm a bit concerned that someone may try to use my proof of concept for their own evil purposes. I'll do my best to prevent such a thing from happening.

If you are successful and you only give me access to the PoC, I will make sure the Mac community is not exposed to it because I am a "fanboy." I will disclose the copy of the PoC that I have to Apple so the issue can be fixed.

But, I won't be waiting because you won't be able to do it.

Also, don't be too concerned because you won't be able to do it.
 
I got the anti-malware.zip downloaded on my Mac by accident, but it was set not to automatically open, so I instantly deleted it without ever opening it.

Am I still in danger?
 
For fun, since Member was so convinced that turning a browser into malware was possible, I decided to look and see if anything similar to what was described is a used technique in the wild.

I discovered that the possibility is not as remote as my posts suggested but still not possible to the degree suggested by Member depending on whether it could be abused remotely. The method relies on a vector that I did not think to include but fits into the basic elements of our discussion.

The following articles describe methods to modify Firefox into a "local" keylogger for some website logins. The method works for Firefox on all OSs but the file paths are different for each platform.

http://tech-buzz.net/2011/04/25/evil-series-turn-firefox-4-or-3-into-keylogger-and-steal-passwords/

http://www.techtalkz.com/blog/tips-...ave-passwords-from-secure-https-websites.html

One article describes how to get Firefox to automatically save passwords. The other article describes how to get Firefox to save SSL-encrypted passwords. Combined, the effect would be the automatic collection of encrypted passwords.

Apparently, the storage of that data is encrypted but is accessible locally if a master password is not set. I did find some utilities online that are able to decrypt the data storage to recover passwords. Following secure password guidelines when setting a master password prevents recovery.

If the ability to access this data remotely is possible, then I was wrong. A trojan in the wild that affected Windows recently used the methods in the links above as a component in a piece of malware. It relied on another component independent of the browser to upload the data collected to the attacker's server. http://blog.webroot.com/2010/10/06/patchy-phisher-forces-firefox-to-forego-forgetting-passwords/

This issue seems unique to Firefox. Honestly, I am quite surprised by this. But, if similarly implemented in OS X without password authentication for any of the components, this would meet the requirements of the PoC discussed even though it requires more than just the modification of the browser given that a means to upload the data would be required.

Seems like this is a major security issue for any Firefox user on any OS given that both the encryption key file and the data storage file are read/write by the user. I guess this is good to know for users that prefer to use a third party browser, especially, if that browser does not use keychain for secure storage.

For safety reasons, Firefox should require users to set a master password by default. Having the service turned off may not be a solution if the file that stores the setting to disable password manager is also modifiable.

This issue does not affect Safari because this functionality in Safari is provided by keychain, which uses encryption linked to a password by default.

Sorry for hijacking this thread. Below is my attempt to get it back on track.

I got the anti-malware.zip downloaded on my Mac by accident, but it was set not to automatically open, so I instantly deleted it without ever opening it.

Am I still in danger?

No, you are not in danger.
 
I got the anti-malware.zip downloaded on my Mac by accident, but it was set not to automatically open, so I instantly deleted it without ever opening it.

Am I still in danger?
No, you're not in danger. Read this: The first section of that link deals specifically with the MacDefender/MacSecurity/MacProtector/MacGuard issue. I encourage you to read it.
 
DrudgeReport redirecting to OddSiti Malware Site

This is a warning. I just went to the Drudge Report and noticed in the address bar a link to OddSiti (leaving out the rest because I don't want to link to a bad site here). Anyway, I stopped the site from loading; the page was completely white, not one part got loaded, but others are reporting that this site is trying to load malware onto their computers, possibly Macs, but I can't confirm this. Until we get confirmation that Drudge has fixed this, I think it is wise to stay away.

Just want to be sure that since I closed the page before it loaded, am I safe?
 
This is a warning. I just went to the Drudge Report and noticed in the address bar a link to OddSiti (leaving out the rest because I don't want to link to a bad site here). Anyway, I stopped the site from loading; the page was completely white, not one part got loaded, but others are reporting that this site is trying to load malware onto their computers, possibly Macs, but I can't confirm this. Until we get confirmation that Drudge has fixed this, I think it is wise to stay away.

Just want to be sure that since I closed the page before it loaded, am I safe?
If you're talking about the MacDefender issue, as long as you didn't complete the installation of any software, you're perfectly safe. If you're talking about being redirected to random sites, read the section "Why am I being redirected to other sites?" in the link in my post just before yours. The first section of that link deals specifically with the MacDefender/MacSecurity/MacProtector/MacGuard issue. I encourage you to read it.

The problem doesn't lie with DrudgeReport.com. As we discussed in another thread, it's most likely an ad that sometimes pops up on that site that has the problem. For a Safari adblocker I use Safari AdBlock (not the extension, but the older version 0.4.0). As for Java, read the bottom section of the Virus/Malware link I posted for more information. I encourage you to take some time and read that whole post. It will make you a much more informed and aware Mac user.
 
I had the same problem with Drudge this morning. The first time I closed it was through the dialog box from Firefox, I think. After that it really slowed down my Firefox. I did permissions, cleaned all browser history, and all was still slow. Thinking Firefox was damaged, I downloaded a new copy and moved it to the app folder. No dice, still very slow. I then trashed the FF user file. That did the trick, everything back to normal.

I then went to Drudge again, and within a few minutes was redirected. When I got to the page with Apple Security Center, I force quit FF through the Apple menu, then started FF in safe mode and cleared history, as when safe mode wasn't used it would try to refresh the bad page, an endless cycle.

It was frustrating at first to deal with this on my Mac, but much simpler than the crazy stuff I have to remove from PCs at work.
 
I just got it from a CNN link - I'm seeing this thing more and more, and forget security issues related to some users - it's just getting to be a real annoyance as of late. When I'm researching, (from legitimate sources, no less) this stupid malware keeps blocking me from data. I have to force-quit, as when MacDefender pops up now, it obscures my menu bars - so I have to drop an entire session. :rolleyes:
 
I just got it from a CNN link - I'm seeing this thing more and more, and forget security issues related to some users - it's just getting to be a real annoyance as of late. When I'm researching, (from legitimate sources, no less) this stupid malware keeps blocking me from data. I have to force-quit, as when MacDefender pops up now, it obscures my menu bars - so I have to drop an entire session. :rolleyes:

Don't worry, friend. What you need is MACondom(tm), a super shield that helps prevent NTDs! It's like your sexy iMac with its sleek all-in-one design is just begging for attention...the wrong kind of attention! But you don't want to dress it down like some garden variety fatty PC. You can keep those looks and prevent NTDs with just a little protection. You need the MACondom(tm). It puts a security wrap around that network port so you don't catch a disease! It stops all incoming and outgoing traffic, making it impossible for something like MacDefender to ever bother you again. You just break the clear tape off the cutter and wrap it around your Ethernet junk. Oh, and make sure that AirPort is off, baby. You don't want that kind of action! You are now completely safe from any and all forms of NTDs. Now when your friends come by and see that sexy iMac they'll give you a wink and you'll know it's free from network diseases and ready to Paaartay! It's available for a limited time for only $19.95. And if you order now you'll get a 2nd roll of MACondom(tm) for free! Hurry because supplies are limited. ;)
I have made another thread in relation to my post above.

https://forums.macrumors.com/threads/1161071/

The same issues can be found and are exploitable to the same degree in Firefox and Chrome as well as IE in Windows. The protected storage used by IE functions in the same manner as Chrome. Data contained within the storage can be extracted by malware when the user is logged in.

http://securityxploded.com/iepassworddecryptor.php

Safari on a Mac is more protected from this type of data leakage through integration with Keychain Access.
 
Do you have any in Matte finish?

Steve, my boss, doesn't like matte. He says glossy is the way to go. Consumers prefer it for its life-like realism. He said you can almost see yourself in the reflection that occurs and Steve likes to see himself. ;)
 
Steve, my boss, doesn't like matte. He says glossy is the way to go. Consumers prefer it for its life-like realism. He said you can almost see yourself in the reflection that occurs and Steve likes to see himself. ;)

That sucks for Vampires and Ugly People, though. Steve has been beautiful too long, I think. If he had to look at my mug every day at the computer - ultra-matte displays would be the only choice...
 
If you are successful and you only give me access to the PoC, I will make sure the Mac community is not exposed to it because I am a "fanboy." I will disclose the copy of the PoC that I have to Apple so the issue can be fixed.

Apple doesn't need to fix it because it's not a system flaw. The system is meant to work that way, and the same applies to Linux and Windows. The fix is that users learn that they shouldn't execute Trojans, regardless of whether they are asked for an admin password or not.

The proof of concept is ready. It's a web browser that will make SSL connections and will send me all the data you post to any site (up to a certain size to avoid saturating my bandwidth). I've tried to send you a private message with the URL, but this site is telling me that you have chosen not to receive private messages.

About my concerns, I've been thinking that it's not a problem to publish the application because I have put enough disclaimers on it so that potential users clearly see what it's about. However, for the sake of my bandwidth, I prefer to only provide the URL on a case by case basis to those who expressly request it (I'm not referring to the bandwidth wasted on the download, which is quite small, but to the captured data, which may be big depending on user activity). Limiting the number of users of my web browser will also simplify my search of your data in my logs.
 
Apple doesn't need to fix it because it's not a system flaw. The system is meant to work that way, and the same applies to Linux and Windows. The fix is that users learn that they shouldn't execute Trojans, regardless of whether they are asked for an admin password or not.

Sorry, only PMs from contacts enabled.

Is it based on the PoC I explained above? If it is, then no need for me to test it. I will use Safari to avoid the issue (see the thread I made about this issue).

If it is not based on that PoC, please feel free to disclose it publicly. That seems to be the best way to get a response, especially, if it affects all systems.

To understand if it works, all I need to know is how you tamper with the SSL connection that is made with the secure login's web server. That connection is established prior to entering data to be sent. I have been led to believe that SSL prevents the connection from being redirected in a manner where the data is useful to the receiver.

There are tools that can hook into APIs to see the data but I am pretty sure that these tools require authentication to install.

Publicly release the PoC and provide a good explanation of the method. I prefer an explanation over a demonstration.
 
I've had other users send me PMs, it should work?

I don't know. Maybe you have PMs restricted to your contacts, or maybe it's because I'm a new member.

Is it based on the PoC I explained above?

No.

To understand if it works, all I need to know is how you tamper with the SSL connection that is made with the secure login's web server. That connection is established prior to entering data to be sent. I have been led to believe that SSL prevents the connection from being redirected in a manner where the data is useful to the receiver.

Your misconception is thinking that SSL connections protect your data from client programs. They are only intended to protect your data from a third party spying on the network. The client doesn't need to hack system APIs or have system privileges. The client program is the one that reads data from the user, encrypts it and sends it to the server. SSL encryption occurs after the application has already read the data. The client may use APIs or it may provide its own SSL implementation.

Publicly release the PoC and provide a good explanation of the method. I prefer an explanation over a demonstration.

I've really done nothing special. I simply read the user request, then I send myself a copy and finally I send it to the destination server. Except for the copy sent to myself, it's the way all web browsers work.

EDIT: What I've just said is essentially true, and it's how I did it initially, but because my HTML rendering was very poor I used an alternate approach that allowed me to have better HTML rendering. However, this doesn't affect the concept.
 
I don't know. Maybe you have PMs restricted to your contacts, or maybe it's because I'm a new member.
New members can send PMs as soon as they have a post count of 5 and have been a member for at least 1 day. Go to User CP > Edit Options > Enable Private Messaging.
 