> It would be nice if Mac OS X had a built in method to block the mounting of external hard drives/shares and/or some more granular access controls beyond Parental Controls/Gatekeeper.

Server admin tools provide a GUI to do just that. Most regular users don't need such capabilities though, so it's not surprising that it's not included in basic OS X. But those so inclined running non-server OS X can install Workgroup Manager (free download) and go at it.

> I'd put this one in the category of stupid-ware.

My thoughts exactly. Most of the OS X malware I've seen falls into this category, btw. The article doesn't say how the infection process works (a crucial piece of info), but from what we can see already it looks like something written by a 12-year-old, so I highly doubt it's anything sophisticated. I mean, putting the screenshot in a non-hidden directory at the top of the home folder?! That's terribly sneaky. And so is using login items (which are visible to the user from the regular GUI) to run the program. I shouldn't be surprised if it doesn't mute the sound when taking screenshots.
 
If a "security" company is mentioned several times in an article, no other company is mentioned, and the article seems to encourage using anti-malware tools from third parties, it's obvious to conclude this malware wouldn't exist if the mentioned "security" company didn't exist.
 
So, Gatekeeper is quite pointless, then, if anyone can just sign their malware and make everyone trust something they'd otherwise double check. It just makes people blindly think that a file is safe and they won't even check…

Also, who makes malware as lame as this? Windows has much cooler malware that can be totally invisible, with special abilities like reinstalling itself and disabling anti virus software.
 
> Most likely this guy: http://www.linkedin.com/pub/rajender-kumar/5a/859/636
> Works for an outsourcing company in India. This would not be the first time this has happened: sketchy company hires outsourcing company to develop their malware, outsourcing company makes the mistake of signing the malware with their cert, gets cert revoked, breaks all legitimate software signed by outsourcing company.

My half-joking point was simply saying that absolutely anyone can pay a tiny fee and get a signed application through a system that is designed to inspire safety - Getting blocked doesn't seem like much of an issue.
In your example, both the malware author and the software house can simply start again. They both have motivation, simple checks (not that I think there's anything they can realistically do) are a minor inconvenience.
 
I'm surprised this got signed, but I could easily make something that does this with a combination of Automator and shell scripts. How does one even get this malware?

----------

That's a new one... I wonder if it's triggered by anything in specific or if they are just random, because I can't think that looking through thousands of screenshots of Facebook posts, flash games, typing papers, and uTorrent windows will really be of that much use to anybody... I mean, passwords are hidden by dots; okay, maybe the length could give clues to brute-forcing?

Don't even get me started on it showing up in the user folder...



On another note, I love the nesting in this :D

Hah, almost makes it seem benign.
 
My last MacBook Pro got a virus. Unfortunately, it's a reality that Macs can get them.

That, and other reasons, is why I sold it for a Surface Pro. Could not have been happier! :)
 
> That, and other reasons, is why I sold it for a Surface Pro. Could not have been happier! :)

Funny, the Windows platform has orders of magnitude more malware; the few (lame) sporadic incidents reported on the Mac platform are not even a blip on the radar in comparison.
 
> Funny, the Windows platform has orders of magnitude more malware; the few (lame) sporadic incidents reported on the Mac platform are not even a blip on the radar in comparison.

In the end, it's the end-user that makes it harder or easier for you to be infected regardless of the OS you use.
 
> I like Gatekeeper. I usually leave it set to be as restrictive as possible, and when I need to install something, I open the control panel and change the setting, then change it back afterwards.
>
> Brian

Do you have to do that? Can't you just right-click on the application, click Open, say OK, and move on?

Or does that only work when you have Gatekeeper set to "Mac App Store and identified developers?"
 
> So Apple can pull a kill switch on this then, right?

For those that are on 'install only Mac App Store', it's dead in the water. Those on MAS, yes, they can invalidate the certificate so it won't install anymore.

But how is this getting out? What is the app that folks think they are getting, and where from?
 
Hitting that kill switch will prevent further installations (since the app will no longer be trusted), but I don't think it will block the app from running if it is already installed on your Mac.

I'm pretty sure the certificate is checked at run time, not at download time. That's why Gatekeeper blocks you (if you have it enabled) when you try to run an app, not when you download it. My guess is that if Apple actually has a kill switch of any kind that works on users' computers, it's a blacklist file that says which developer certificates shouldn't be trusted.

Xcode and the codesign utility could also check to make sure the certificate they're using isn't on Apple's blacklist.
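The posts above turn on three things a responder can actually check on a Mac: what the signature says (who holds the Developer ID and which team), what Gatekeeper's verdict is, and whether the file carries the quarantine attribute that makes Gatekeeper look at it at all. The script below is an added example, not code from the thread or from F-Secure; the app path, bundle identifier, team ID, company name and quarantine UUID in the samples are constructed placeholders. The parsers run anywhere on the constructed output; `live_triage()` shells out to the real `codesign`, `spctl` and `xattr` and therefore needs macOS.

```python
"""Added example, not part of the thread: triage a suspect .app bundle by
reading what codesign and spctl say about it and checking for the
com.apple.quarantine attribute. All identifiers below are placeholders."""
import subprocess
import sys
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of what `codesign -dvv SomeApp.app` prints (to stderr).
SAMPLE_CODESIGN = """\
Executable=/Applications/SomeApp.app/Contents/MacOS/SomeApp
Identifier=com.example.someapp
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=1234 flags=0x0(none) hashes=30+3 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
# Constructed samples of `spctl --assess --type execute --verbose=4 SomeApp.app`.
SAMPLE_SPCTL_OK = "/Applications/SomeApp.app: accepted\nsource=Developer ID\norigin=Developer ID Application: Example Corp (ABCDE12345)\n"
SAMPLE_SPCTL_BAD = "/Applications/SomeApp.app: rejected\nsource=no usable signature\n"
# Constructed com.apple.quarantine value: flags;download time (hex epoch);agent;uuid
SAMPLE_QUARANTINE = "0081;516a4b7e;Safari;1F2E3D4C-0000-4000-8000-000000000000"


@dataclass
class SigningInfo:
    identifier: str = ""
    team_id: str = ""
    authorities: list = field(default_factory=list)  # leaf certificate first, root last


def parse_codesign(text: str) -> SigningInfo:
    """Pull Identifier, TeamIdentifier and the Authority chain out of codesign -dvv."""
    info = SigningInfo()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Identifier":
            info.identifier = value
        elif key == "TeamIdentifier":
            info.team_id = value
        elif key == "Authority":
            info.authorities.append(value)
    return info


def parse_spctl(text: str):
    """Return (accepted, source) from an spctl --assess verdict."""
    accepted, source = False, ""
    for line in text.splitlines():
        if line.rstrip().endswith(": accepted"):
            accepted = True
        elif line.startswith("source="):
            source = line[len("source="):].strip()
    return accepted, source


def parse_quarantine(value: str) -> dict:
    """Decode the quarantine xattr: hex flags, hex download time, downloading agent."""
    parts = value.split(";")
    if len(parts) < 2:
        raise ValueError("unexpected quarantine format: " + value)
    return {
        "flags": int(parts[0], 16),
        "downloaded": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2] if len(parts) > 2 else "",
    }


def triage(codesign_text: str, spctl_text: str, quarantine: Optional[str],
           trusted_teams=frozenset()) -> list:
    """Turn the three raw outputs into findings a responder can act on."""
    findings = []
    info = parse_codesign(codesign_text)
    accepted, source = parse_spctl(spctl_text)
    if not accepted:
        findings.append(f"Gatekeeper rejects it ({source or 'no reason given'})")
    elif info.team_id not in trusted_teams:
        leaf = info.authorities[0] if info.authorities else "unknown signer"
        findings.append(f"Gatekeeper accepts it only because '{leaf}' holds a "
                        f"Developer ID; team {info.team_id} is not on your allowlist")
    if quarantine is None:
        # No attribute means LaunchServices never asked Gatekeeper about this file
        # at first launch (e.g. written by another process, or fetched with curl).
        findings.append("no com.apple.quarantine attribute: Gatekeeper was never consulted for it")
    else:
        q = parse_quarantine(quarantine)
        findings.append(f"downloaded via {q['agent'] or 'unknown agent'} on {q['downloaded']:%Y-%m-%d}")
    return findings


def live_triage(app_path: str, trusted_teams=frozenset()) -> list:
    """Run the real tools on macOS and feed their output to triage()."""
    if sys.platform != "darwin":
        raise RuntimeError("codesign, spctl and xattr only exist on macOS")

    def run(*cmd):
        p = subprocess.run(cmd, capture_output=True, text=True)
        return p.returncode, p.stdout + p.stderr  # codesign/spctl report on stderr

    _, cs = run("codesign", "-dvv", app_path)
    _, sp = run("spctl", "--assess", "--type", "execute", "--verbose=4", app_path)
    rc, xa = run("xattr", "-p", "com.apple.quarantine", app_path)
    return triage(cs, sp, xa.strip() if rc == 0 else None, trusted_teams)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("\n".join(live_triage(sys.argv[1])))
    else:  # offline demo on the constructed samples
        print("\n".join(triage(SAMPLE_CODESIGN, SAMPLE_SPCTL_OK, SAMPLE_QUARANTINE)))
```

Run it as `python3 triage.py /Applications/Suspect.app` on the affected Mac. The point of the quarantine check is the caveat the thread circles around: a revoked Developer ID only matters when Gatekeeper is actually consulted, and it is consulted for quarantined files at launch, so an app that arrived without the attribute was never assessed in the first place.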
 
> $99 is a small price to pay for a guaranteed safe install of your latest malware app :)

The more interesting question is can the credit card (used to pay the $99) be linked to a real human being who can then be arrested?

- In the US I would assume the answer is yes.

- If he's in India I assume the answer is also yes (presumably India has no interest in hurting its reputation for SW).

- If he's in Pakistan (or wherever else Bollywood fans might hang out) WTF knows? You may get a name but so what, if there is no extradition treaty, or if the foreign government is not interested in co-operating.
 
> My last MacBook Pro got a virus. Unfortunately, it's a reality that Macs can get them.
>
> That, and other reasons, is why I sold it for a Surface Pro. Could not have been happier! :)
You could not have been happier when you acquired your Surface Pro. But now that you've used it a bit... :p
 
How do we know for sure that the program is really nefarious? The developer may have whipped up a quick app because he had a remote system he wanted to monitor.

Just because something like this is found on one computer does not mean it's a malware outbreak or in the wild. There was no mention of how it was spread or of it being found on more than that one machine.

(OK, to be fair the naming of his servers and app is a little suspicious, it likely is malware, but it may not be just as well)
 
> Currently, F-Secure is investigating where the malware originated, and though it does not appear to be widespread, it can be mitigated by removing the macs.app program from the log-in menu.

There is a trend of hastily-written articles these days, which is very sad. The above statement is an example of that.

"log-in menu" - what the heck is that? Take an extra 5 minutes and write that properly. Thanks. :)

----------

> My last MacBook Pro got a virus. Unfortunately, it's a reality that Macs can get them.
>
> That, and other reasons, is why I sold it for a Surface Pro. Could not have been happier! :)

BS. hahaha
 
Answer me this please: When Apple revokes this developer ID, does it only prevent newly "infected" machines from executing the app? Because I can't imagine that OS X contacts an Apple server every time an app is opened just to validate the developer ID. Right?

Also, where is this log-in menu that I'm supposed to remove the app? Sorry, but I'm still fairly new to OSX...
 
> Answer me this please: When Apple revokes this developer ID, does it only prevent newly "infected" machines from executing the app? Because I can't imagine that OS X contacts an Apple server every time an app is opened just to validate the developer ID. Right?
>
> Also, where is this log-in menu that I'm supposed to remove the app? Sorry, but I'm still fairly new to OSX...

Go to System Preferences, System, Users & Groups, click on your login name, and then the tab marked Login Items.

By highlighting the login item and hitting the minus button below the window, you will remove it.
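The Login Items tab is one place an app can register itself to start at login, but it is not the only one: launchd agents and daemons in the LaunchAgents/LaunchDaemons folders start at login too and never show up in that pane. The script below is an added example, not code from the thread; it lists the same login items the pane shows (through System Events, which is what the GUI reads) and removes one by name, the scripted equivalent of the minus button, and it also walks the launchd folders. The sample agent plist, its label and its program path are constructed. The plist parsing runs on any platform; the osascript calls need macOS.

```python
"""Added example, not part of the thread: enumerate and remove what starts at
login on a Mac, covering both Login Items and launchd agents. The sample
plist, its label and program path are invented."""
import plistlib
import subprocess
import sys
from pathlib import Path

# Constructed LaunchAgent plist of the kind found in ~/Library/LaunchAgents.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/alice/Helper.app/Contents/MacOS/Helper</string>
    <string>--background</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

EXPECTED_PREFIXES = ("/Applications/", "/System/", "/Library/", "/usr/")


def parse_launch_agent(data: bytes) -> dict:
    """Reduce a launchd plist to the fields that matter for a persistence review."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments")
    if not args and "Program" in plist:
        args = [plist["Program"]]
    args = list(args or [])
    return {
        "label": plist.get("Label", ""),
        "program": args[0] if args else "",
        "arguments": args[1:],
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "keep_alive": bool(plist.get("KeepAlive", False)),
    }


def review_agent(agent: dict) -> list:
    """Reasons a responder would want to look at this agent more closely."""
    reasons = []
    if agent["run_at_load"]:
        reasons.append("starts at login")
    if agent["keep_alive"]:
        reasons.append("launchd restarts it if it is killed")
    if agent["program"] and not agent["program"].startswith(EXPECTED_PREFIXES):
        reasons.append("program lives outside the usual app/system locations")
    return reasons


def scan_launch_agents(dirs=None) -> list:
    """Walk the user and system LaunchAgents/LaunchDaemons folders."""
    if dirs is None:
        dirs = [Path.home() / "Library/LaunchAgents",
                Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
    results = []
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                agent = parse_launch_agent(p.read_bytes())
            except Exception as e:  # bad XML or a truncated file still deserves a look
                results.append((str(p), None, [f"unparseable plist: {e}"]))
                continue
            results.append((str(p), agent, review_agent(agent)))
    return results


def applescript_string(s: str) -> str:
    """Quote a value for inclusion in an AppleScript one-liner."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _osascript(script: str) -> str:
    if sys.platform != "darwin":
        raise RuntimeError("osascript only exists on macOS")
    out = subprocess.run(["osascript", "-e", script], capture_output=True, text=True, check=True)
    return out.stdout.strip()


def list_login_items() -> list:
    """Same list the Users & Groups > Login Items tab shows, as (name, path) pairs."""
    names = _osascript('tell application "System Events" to get the name of every login item')
    paths = _osascript('tell application "System Events" to get the path of every login item')

    def split(s):  # osascript joins list results with ", "; names with commas would need another approach
        return [x.strip() for x in s.split(",")] if s else []

    return list(zip(split(names), split(paths)))


def remove_login_item(name: str) -> None:
    """Equivalent of selecting the item in the Login Items tab and pressing minus."""
    _osascript('tell application "System Events" to delete login item ' + applescript_string(name))


if __name__ == "__main__":
    for path, agent, reasons in scan_launch_agents():
        if reasons:
            print(path, "->", "; ".join(reasons))
    if sys.platform == "darwin":
        for name, path in list_login_items():
            print("login item:", name, path)
```

Removing the login item (or the agent plist) stops the next launch; it does not stop a copy that is already running, so check the process list as well, and remember that the GUI pane shows only the first of the two mechanisms above.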
 
> I just love it when people create a profile just to post an inane comment like this.
>
> I'm sure there are lots of Surface Pro forums you can find to discuss your new found joy.

It's funny, because I post something in relation to the topic and have a different opinion than the Apple fanboys on here, and it becomes flame city. My solution is don't be a fanboy of an obsolete brand.
 
> It's funny, because I post something in relation to the topic and have a different opinion than the Apple fanboys on here, and it becomes flame city. My solution is don't be a fanboy of an obsolete brand.

It most probably became "flame city" because you said you got a virus. Exactly which virus did you get? Hmm?
 