
V.K.

macrumors 6502a
Dec 5, 2007
716
466
Toronto, Canada
It would be nice if Mac OS X had a built in method to block the mounting of external hard drives/shares and/or some more granular access controls beyond Parental Controls/Gatekeeper.

Server admin tools provide a GUI to do just that. Most regular users don't need such capabilities though, so it's not surprising that it's not included in basic OS X. But those so inclined running non-server OS X can install Workgroup Manager (free download) and go at it.

I'd put this one in the category of stupid-ware.

My thoughts exactly. Most of the OS X malware I've seen falls into this category, btw. The article doesn't say how the infection process works (a crucial piece of info), but from what we can see already it looks like something written by a 12 year old, so I highly doubt it's anything sophisticated. I mean, putting the screenshot in a non-hidden directory at the top of the home folder?! That's terribly sneaky. And so is using login items (which are visible to the user from the regular GUI) to run the program. I shouldn't be surprised if it doesn't even mute the sound when taking screenshots.
 

asiga

macrumors 65816
Nov 4, 2012
1,029
1,330
If a "security" company is mentioned several times in an article, no other company is mentioned, and the article seems to encourage using antimalware tools from third parties, it's obvious to conclude this malware wouldn't exist if the mentioned "security" company didn't exist.
 

baryon

macrumors 68040
Oct 3, 2009
3,878
2,929
So, Gatekeeper is quite pointless, then, if anyone can just sign their malware and make everyone trust something they'd otherwise double check. It just makes people blindly think that a file is safe and they won't even check…

Also, who makes malware as lame as this? Windows has much cooler malware that can be totally invisible, with special abilities like reinstalling itself and disabling anti virus software.
 

VoR

macrumors 6502a
Sep 8, 2008
917
15
UK
Most likely this guy: http://www.linkedin.com/pub/rajender-kumar/5a/859/636
Works for an outsourcing company in India. This would not be the first time to happen: sketchy company hires outsourcing company to develop their malware, outsourcing company makes the mistake of signing the malware with their cert, gets cert revoked, breaks all legitimate software signed by outsourcing company.

My half-joking point was simply saying that absolutely anyone can pay a tiny fee and get a signed application through a system that is designed to inspire safety - Getting blocked doesn't seem like much of an issue.
In your example, both the malware author and the software house can simply start again. They both have motivation, simple checks (not that I think there's anything they can realistically do) are a minor inconvenience.
 

toaster64

macrumors regular
May 14, 2013
164
0
I'm surprised this got signed, but I could easily make something that does this with a combination of Automator and shell scripts. How does one even get this malware?

----------

That's a new one... I wonder if it's triggered by anything in specific or if they are just random, because I can't think that looking through thousands of screenshots of Facebook posts, flash games, typing papers, and uTorrent windows will really be of that much use to anybody... I mean, passwords are hidden by dots; okay, maybe the length could give clues for brute-forcing?

Don't even get me started on it showing up in the user folder...



On another note, I love the nesting in this :D

Hah, almost makes it seem benign.
 

zanderpants930

macrumors newbie
May 16, 2013
8
0
My last MacBook Pro got a virus. Unfortunately, it's a reality that Macs can get them.

That, and other reasons, is why I sold it for a Surface Pro. Could not have been happier! :)
 

subsonix

macrumors 68040
Feb 2, 2008
3,551
79
That, and other reasons, is why I sold it for a Surface Pro. Could not have been happier! :)

Funny, the Windows platform has orders of magnitude more malware; the few (lame) sporadic incidents reported on the Mac platform are not even a blip on the radar in comparison.
 

stuffradio

macrumors 65816
Mar 17, 2009
1,016
6
Funny, the Windows platform has orders of magnitude more malware; the few (lame) sporadic incidents reported on the Mac platform are not even a blip on the radar in comparison.

In the end, it's the end-user that makes it harder or easier for you to be infected regardless of the OS you use.
 

PurdueGuy

macrumors regular
Jun 23, 2010
241
2
I like the gatekeeper. I usually leave it set to be as restrictive as possible, and when I need to install something, I open the control panel and change the setting, then change it back afterwards.


Brian

Do you have to do that? Can't you just right-click on the application, click Open, say OK, and move on?

Or does that only work when you have Gatekeeper set to "Mac App Store and identified developers?"
 

charlituna

macrumors G3
Jun 11, 2008
9,636
816
Los Angeles, CA
So Apple can pull a kill switch on this then, right?

For those that are on 'install only Mac App Store' it's dead in the water. For those on MAS, yes, they can invalidate the certificate so it won't install anymore.

But how is this getting out? What is the app that folks think they are getting, and where from?
 

ArtOfWarfare

macrumors G3
Nov 26, 2007
9,560
6,059
Hitting that kill switch will prevent further installations (since the app will no longer be trusted), but I don't think it will block the app from running if it is already installed on your Mac.

I'm pretty sure the certificate is checked at run time, not at download time. That's why Gatekeeper blocks you (if you have it enabled) when you try to run an app, not when you download it. My guess is that if Apple actually has a kill switch of any kind that works on users' computers, it's that they have a blacklist file that says which developer certificates shouldn't be trusted.

Xcode and the code sign utility could also check to make sure the certificate they're using isn't on Apple's blacklist.
 

name99

macrumors 68020
Jun 21, 2004
2,188
1,997
$99 is a small price to pay for a guaranteed safe install of your latest malware app :)

The more interesting question is can the credit card (used to pay the $99) be linked to a real human being who can then be arrested?

- In the US I would assume the answer is yes.

- If he's in India I assume the answer is also yes (presumably India has no interest in hurting its reputation for SW).

- If he's in Pakistan (or wherever else Bollywood fans might hang out) WTF knows? You may get a name but so what, if there is no extradition treaty, or if the foreign government is not interested in co-operating.
 

Verbatim Cookie

macrumors regular
Mar 20, 2012
119
0
My last MacBook Pro got a virus. Unfortunately, it's a reality that Macs can get them.

That, and other reasons, is why I sold it for a Surface Pro. Could not have been happier! :)
You could not have been happier when you acquired your Surface Pro. But now that you've used it a bit... :p
 

InfoTime

macrumors 6502a
Jul 17, 2002
500
261
How do we know for sure that the program is really nefarious? The developer may have whipped up a quick app because he had a remote system he wanted to monitor.

Just because something like this is found on one computer does not mean it's a malware outbreak or in the wild. There was no mention of how it was spread or of it being found on more than that one machine.

(OK, to be fair the naming of his servers and app is a little suspicious, it likely is malware, but it may not be just as well)
 

coolfactor

macrumors 604
Jul 29, 2002
7,060
9,730
Vancouver, BC
Currently, F-Secure is investigating where the malware originated, and though it does not appear to be widespread, it can be mitigated by removing the macs.app program from the log-in menu.

There is a trend of hastily-written articles these days, which is very sad. The above statement is an example of that.

"log-in menu" - what the heck is that? Take an extra 5 minutes and write that properly. Thanks. :)

----------

My last MacBook Pro got a virus. Unfortunately, it's a reality that Macs can get them.

That, and other reasons, is why I sold it for a Surface Pro. Could not have been happier! :)

BS. hahaha
 

X5-599

macrumors regular
Oct 28, 2012
110
15
Answer me this, please: when Apple revokes this developer ID, does it only prevent newly "infected" machines from executing the app? Because I can't imagine that OS X contacts an Apple server every time an app is opened just to validate the developer ID. Right?

Also, where is this log-in menu that I'm supposed to remove the app? Sorry, but I'm still fairly new to OSX...
 

macpeach55

macrumors 6502
Answer me this, please: when Apple revokes this developer ID, does it only prevent newly "infected" machines from executing the app? Because I can't imagine that OS X contacts an Apple server every time an app is opened just to validate the developer ID. Right?

Also, where is this log-in menu that I'm supposed to remove the app? Sorry, but I'm still fairly new to OSX...

Go to System Preferences, System, Users & Groups, click on your login name, and then the tab marked Login Items.

By highlighting the login item and hitting the minus button below the window, you will remove it.
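The Login Items pane above is the persistence mechanism the article describes, and the earlier post about Apple's kill switch asks whether a revoked Developer ID is checked at run time. The script below is an added example, not code from the thread or from F-Secure: it enumerates the current user's login items and, for each one, reports the signing Team ID and leaf Authority from `codesign` plus the current Gatekeeper verdict from `spctl` (which applies Apple's revocation policy). It assumes macOS with osascript, codesign and spctl available; the text-parsing helper runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): audit macOS login items for
# unexpected or revoked code-signing identities.

# Reduce `codesign -dvv` output (read from stdin) to the TeamIdentifier and the
# first Authority line, i.e. the leaf certificate that signed the bundle.
# Unsigned bundles produce no such lines, so they are reported as unsigned.
signing_summary() {
    awk -F'=' '
        /^TeamIdentifier=/ { team = $2 }
        /^Authority=/ && leaf == "" { leaf = $2 }
        END {
            if (leaf == "") leaf = "unsigned"
            if (team == "") team = "none"
            printf "team=%s authority=%s\n", team, leaf
        }'
}

# Ask System Events for the filesystem path of every login item, one per line.
login_item_paths() {
    osascript -e 'tell application "System Events" to get the path of every login item' \
        | tr ',' '\n' | sed 's/^ *//'
}

# For each login item: signing identity plus Gatekeeper's accept/reject decision.
# spctl evaluates the bundle against the current policy, so an identity Apple has
# revoked shows up as REJECTED even though the app is already installed.
audit_login_items() {
    login_item_paths | while IFS= read -r app; do
        [ -n "$app" ] || continue
        summary=$(codesign -dvv "$app" 2>&1 | signing_summary)
        if spctl --assess --type execute "$app" >/dev/null 2>&1; then
            verdict="gatekeeper=accepted"
        else
            verdict="gatekeeper=REJECTED"
        fi
        printf '%s\t%s\t%s\n' "$app" "$summary" "$verdict"
    done
}

# Run the audit only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_login_items
fi
```

Anything listed with an unfamiliar Team ID, no signature, or a REJECTED verdict is worth removing from Login Items and inspecting before it runs again.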
 

zanderpants930

macrumors newbie
May 16, 2013
8
0
I just love it when people create a profile just to post an inane comment like this.

I'm sure there are lots of Surface Pro forums you can find to discuss your newfound joy.

It's funny, because I post something in relation to the topic and have a different opinion than the Apple fanboys on here, and it becomes flame city. My solution is: don't be a fanboy of an obsolete brand.
 

pirg

macrumors 6502a
Apr 18, 2013
618
0
It's funny, because I post something in relation to the topic and have a different opinion than the Apple fanboys on here, and it becomes flame city. My solution is: don't be a fanboy of an obsolete brand.

It most probably became "flame city" because you said you got a virus. Exactly which virus did you get? Hmm?
 