Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
64,360
32,185



New Mac spyware was discovered earlier this week on a computer at the Oslo Freedom Forum, an annual human rights conference. Located by computer security researcher Jacob Appelbaum, the malware, which has been deemed OSX/KitM.A, is currently being investigated by anti-virus company F-Secure, reports CNET.

The malware is a backdoor application called "macs.app," which launches automatically upon login and captures screenshots that it then sends to a MacApp folder in the user's home directory. Two command-and-control servers, located at securitytable.org and docsforum.info, are associated with the malware, but one does not function and the other gives a "public access forbidden" message.

macapp.jpg
Interestingly, the malware is signed with an Apple Developer ID, which is designed to prevent the installation of malware. Apps that are unsigned are blocked by default by Apple's Gatekeeper security option.
This bit of malware is somewhat unique in that it is signed with what appears to be a valid Apple Developer ID associated with the name Rajender Kumar. Though not an uncommon name, this may be a reference to the late Bollywood actor of a similar name. Regardless, the use of the ID appears to be an attempt to bypass Apple's Gatekeeper execution prevention technology.
Currently, F-Secure is investigating where the malware originated, and though it does not appear to be widespread, it can be mitigated by removing the macs.app program from the log-in menu. Apple often addresses malware threats quickly, and has the ability to revoke the developer ID to further limit the spread of the software.

Article Link: Newly Discovered Mac Malware Captures and Stores Screenshots
 

VoR

macrumors 6502a
Sep 8, 2008
917
15
UK
$99 is a small price to pay for a guaranteed safe install of your latest malware app :)
 

ArtOfWarfare

macrumors G3
Nov 26, 2007
9,583
6,096
So Apple can pull a kill switch on this then, right?

Apple may have planted it themselves just so they'd have an opportunity to demonstrate how they can kill malware by making devs sign apps and forbidding unsigned apps from running.
 

Tankmaze

macrumors 68000
Mar 7, 2012
1,707
351
well how do you get the macs.app downloaded and running in the first place unless it's a pebkac. just use common sense people, this malware seems not to be that harmful, albeit it's annoying.
 

BC2009

macrumors 68020
Jul 1, 2009
2,251
1,461
So Apple can pull a kill switch on this then, right?

Apple may have planted it themselves just so they'd have an opportunity to demonstrate how they can kill malware by making devs sign apps and forbidding unsigned apps from running.

Hitting that kill switch will prevent further installations (since the app will no longer be trusted), but I don't think it will block the app from running if it is already installed on your Mac.
 

Parasprite

macrumors 68000
Mar 5, 2013
1,698
144
That's a new one... I wonder if it's triggered by anything in specific or of they are just random, because I can't think that looking through thousands of screenshots of Facebook posts, flash games, typing papers, and uTorrent windows will really be of that much use to anybody... I mean passwords are hidden by dots, okay maybe the length could give clues to brute-forcing?

Don't even get me started on it showing up in the user folder...


On another note, I love the nesting in this :D
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Some bad software is installed on a computer. Just one single computer? Did someone sit down and install it? Or was it spread over the network using some security flaw? If someone sat down and installed it, that's not what I'd call "malware." The origin is the key missing part of the story.

I always liked how Apple's gatekeeper design could be easily bypassed by a $100 Apple Developer account.

Only if Apple can't pull the plug. That is the purpose of the certificate--not prevention of attempts in the first place.

Why is the cert for this not revoked already?

When did Apple receive the details on this? And what do they need to do to verify? (Obviously they can't simply obey any random request to shut a developer down, so there must be some verification steps.)
 

nwcs

macrumors 68030
Sep 21, 2009
2,722
5,262
Tennessee
The results of such a malware can be interrupted by using something like OpenDNS, too, with appropriate settings in place. If they can't phone home then they are somewhat neutered.
 

Sayer

macrumors 6502a
Jan 4, 2002
981
0
Austin, TX
It's been over a year since I got my first Mac developer program setup and got a code-signing cert from Apple, but I think the process was slightly more complex than just providing any old credit card number to buy the membership.

More than likely there is some trail left behind that can help identify the person responsible from Apple's side. And I dobut Apple will be publicly documenting all the steps they can and will take to figure this out, to prevent that info from getting out and letting the next guy be even more clever.

Also I bet this malware was installed via physical access to the Mac since it was at some conference and the app was sitting in the home folder. Someone plugged in a thumb drive I'd wager.

It would be nice if Mac OS X had a built in method to block the mounting of external hard drives/shares and/or some more granular access controls beyond Parental Controls/Gatekeeper.
 

Zaren

macrumors regular
Jul 21, 2000
159
114
"whois" info on the domains

Domain Name:SECURITYTABLE.ORG
Created On:04-Mar-2013 06:58:36 UTC
Last Updated On:16-May-2013 16:02:07 UTC
Expiration Date:04-Mar-2014 06:58:36 UTC
Sponsoring Registrar:pDR Ltd. d/b/a PublicDomainRegistry.com (R27-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_26714386
Registrant Name:Christopher
Registrant Organization:N/A
Registrant Street1:DE-10387
Registrant Street2:Nairobi
Registrant Street3:
Registrant City:Nairobi
Registrant State/Province:Central
Registrant Postal Code:50563
Registrant Country:KE
Registrant Phone:+254.204973957
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:n.christopher@mail.ru


Domain Name:DOCSFORUM.INFO
Created On:04-Mar-2013 05:10:28 UTC
Last Updated On:16-May-2013 16:03:02 UTC
Expiration Date:04-Mar-2014 05:10:28 UTC
Sponsoring Registrar:pDR Ltd. dba PublicDomainRegistry.com (R159-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:DI_26714386
Registrant Name:Christopher
Registrant Organization:N/A
Registrant Street1:DE-10387
Registrant Street2:Nairobi
Registrant Street3:
Registrant City:Nairobi
Registrant State/Province:Central
Registrant Postal Code:50563
Registrant Country:KE
Registrant Phone:+254.204973957
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:n.christopher@mail.ru

Same registrant for both servers, both created less than two weeks ago, both servers appear to be dead in the water. Good to see some people on the case here.
 

iMikeT

macrumors 68020
Jul 8, 2006
2,304
1
California
Interestingly, the malware is signed with an Apple Developer ID, which is designed to prevent the installation of malware.


This reminds me of the Imperial shuttle that was stolen and used by the rebels in Return of the Jedi.

I wonder how many Bothans died to secure this Apple Developer ID hehe. :p
 

Attachments

  • 1253637441-admiral_ackbar.jpg
    1253637441-admiral_ackbar.jpg
    21.4 KB · Views: 5,753

drspringfield

macrumors newbie
Dec 11, 2009
18
0
$99 is a small price to pay for a guaranteed safe install of your latest malware app :)

Most likely this guy: http://www.linkedin.com/pub/rajender-kumar/5a/859/636
Works for an outsourcing company in India. This would not be the first time to happen: sketchy company hires outsourcing company to develop their malware, outsourcing company makes the mistake of signing the malware with their cert, gets cert revoked, breaks all legitimate software signed by outsourcing company.
 

sw1tcher

macrumors 603
Jan 6, 2004
5,603
19,842
.... I can't think that looking through thousands of screenshots of Facebook posts, flash games, typing papers, and uTorrent windows will really be of that much use to anybody...

I guess you don't do any online banking, shopping, or trade stocks because your account numbers are not always hidden by dots after you're logged in.

The same goes for your social security number and birth date. Those aren't hidden by dots when you're typing them in to pull up a free credit report on yourself or getting online quotes for car insurance.
 

B2k1977

macrumors regular
Mar 15, 2009
191
194
Gatekeeper

I like the gatekeeper. I usually leave it set to be as restrictive as possible, and when I need to install something, I open the control panel and change the setting, then change it back afterwards.


Brian
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.