Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

MacRumors

macrumors bot
Original poster
Apr 12, 2001
52,197
13,837



Well-known Windows backdoor malware "Snake" has been ported to the Mac for the first time, according to MalwareBytes. Described as "highly-sophisticated," Snake (also called Turla and Uroburos) has been infecting Windows systems since 2008 and was ported to Linux systems in 2014 before making its way to the Mac.

The Snake malware was found earlier this week in an installer masquerading as Adobe Flash Player, buried inside a file named "Install Adobe Flash Player.app.zip." It is designed to look like a legitimate Adobe Flash installer, but is signed by an illegitimate certificate.

snakemalwareinstaller.jpg

It does, actually, install Adobe Flash Player, but it is accompanied by additional software that is malicious and designed to provide a backdoor into the Mac. The malicious files are well hidden in the /Library/Scripts/ folder and disguised as an Adobe launch process.
In all, this is one of the sneakier bits of Mac malware lately. Although it's still "just a Trojan," it's a quite convincing one if distributed properly. Although Mac users tend to scoff at Trojans, believing them to be easy to avoid, this is not always the case.
Apple already revoked the certificate that the Snake malware was using to infect Mac machines, but another iteration could pop up, so Mac users should be aware of the possibility.

Those infected by Snake are vulnerable to having data stolen, including login information, passwords, and unencrypted files.

To avoid malicious software, Apple recommends downloading content only from the Mac App Store or from trusted developers.

Article Link: Windows 'Snake' Malware Ported to Mac, Imitates Adobe Flash Player Installer
 

VulchR

macrumors 68020
Jun 8, 2009
2,403
11,936
Scotland
I would have thought by now there would have been AI routines that could be used in the OS to help block this sort of thing. Also, it doesn't help that programmers have a tradition of naming files in an inscrutable way. Some sort of naming convention should be required, so that picking up malware is easier.
 
  • Like
Reactions: arkitect
Comment

Olz

macrumors regular
Mar 22, 2017
100
276
I feel like the people that wrote this malware wasted their time, all they needed to do was force people to install Flash...there are already enough backdoors in that to do what you want with, without adding extra ones.
 
Comment

ghostface147

macrumors 68040
May 28, 2008
3,469
3,360
So I've talked to people about this in the past, but I wonder how much of an issue this malware would be if PowerPC was still around. I wonder how much trouble it would have been to port to a RISC architecture.
 
Comment

redheeler

macrumors 604
Oct 17, 2014
7,662
7,524
Sadly, I run into a number of Computer-based Training courses that still use it.
It's better to just use Google Chrome for anything specific that still needs Flash. No need to run the installer.

With the amount of people using mobile devices these days, requiring Flash is quite a handicap for web-based content. But certain areas are always behind in updating to newer standards.
 
Comment

talonblade

macrumors newbie
Mar 3, 2012
6
0
Apple should take a page out of Microsoft's book and lock down macOS to be App Store only like Windows 10 S.

/s

They pretty much did. That is the default anyway. It can be changed by the user though, or exceptions can be made. Still
 
Comment

redheeler

macrumors 604
Oct 17, 2014
7,662
7,524
They pretty much did. That is the default anyway. It can be changed by the user though, or exceptions can be made. Still
Default is "App Store and identified developers", so signed apps can be installed from outside the App Store.

But freeware developers who can't pay the $99/year fee for a certificate still get screwed by that, unfortunately. I suppose it can be argued the increased security is worth it for average Mac users, but I always have mine set to allow from anywhere.
 
Comment

Sasparilla

macrumors 68000
Jul 6, 2012
1,566
2,561
So I've talked to people about this in the past, but I wonder how much of an issue this malware would be if PowerPC was still around. I wonder how much trouble it would have been to port to a RISC architecture.

It probably would have taken a minimal amount effort (recompile for x86/x64 / retarget) - if the gold pot is big enough they're going to come.

My wife is involved with creating training and the education system is loaded with Flash Player requirements...its bad. Am going to run malwarebytes on her machine tonight.
 
Comment

redheeler

macrumors 604
Oct 17, 2014
7,662
7,524
Youtube still runs better with it.
On my Late 2006 iMac running 10.8.5 I do use the Flash Player YouTube instead of Firefox's HTML5 because the latter is so heavy and sometimes won't even work. But most of the time, I use alternative methods of playback like PPC Media Center + Quicktime Player, YouTube extension for Kodi. When I boot into Linux, I use Google Chrome's HTML5 player (which works better than Flash Player on OS X).

For most people on modern or semi-modern hardware/software, there isn't any reason to use Flash over HTML5.
 
Comment

Chaos215bar2

macrumors regular
Jan 11, 2004
145
139
For all of those saying it's dumb to install flash, I have to for my homework and online classes for my university. I'd love to give it up, but some of us just don't have the option to.
Why not just use Chrome? If you're going to use Flash, I'm not sure there's a more secure way to do it than via a browser that self-updates and includes the plugin by default.

That, or you could make it as much of a headache for the IT support staff at your university to "fix" you Flash installation. Maybe the right people will get the point eventually…
 
  • Like
Reactions: Avenged110
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.