Saturday, August 25, 2012

Mac Malware Roundup: 2012-08-24
Part I


Mac users have had the busiest and most detrimental year of malware in their history, and there are still four more months to go. The usual FUD explanation for the influx is 'Security Through Obscurity', that bogus doomsaying slogan first perpetrated against Macs back in 2005 by Symantec. No. Sorry! Even if you count up all the currently active Mac malware, which I estimate to be at worst about 87 (depending upon which version of OS X you're using), that number is a few orders of magnitude lower than the number of active malware for Windows on a per-user basis. IOW: The 'Security Through Obscurity' FUD remains unviable. (If you want the raw numbers and math, by all means ask me. You'll also find my methodology explained in previous posts on the subject.)

So why has there been an increase in Mac malware this year? Much of it is coming out of Russia, presumably the Russian Mafia. Apple is now the most successful computer and electronics company both on the planet and in history. That gives Apple prestige and visibility. Much of the Windows-victim world has noticed and bought themselves Apple hardware and software. Therefore, malware rats have taken an interest in figuring out how to infect Macs alongside Windows boxes. For the most part, their efforts have been blundering and inconsequential.

But then this happened:

One piece of malware, a version from the Flashback bot malware series from March, was surreptitiously planted on several websites across the world and was able to install itself (via a 'Drive-By' infection enabled by Java) onto an estimated 600,000 Macs. That Is Scandalous! It was certainly the fault of the Java open source/Oracle project for creating the security hole. But the biggest blame goes to Apple and their idealistic assumption that Oracle was going to assist them in keeping the Mac Java RTM (runtime machine) up-to-date. It didn't happen. The well known, already exploited in-the-wild Java security hole sat wide open for more than two months before Apple got around to patching it. Even then, Apple blundered around with the patch process, leaving OS X 10.4 and older users out in the cold. The 10.5 removal tool Apple provided was flaky at best and didn't provide any future protection. That's Apple security at its absolute WORST. Incredi-FAIL!

Has Microsoft done worse? Damned right! And frequently! So don't hold them in any esteem. But this is the very first time Apple has dropped the security ball on a monumental scale. The last count I could find estimated that at least 40,000 Macs remained infected with that version of Flashback, despite Apple's efforts. Within the history of the Mac community, that's unprecedented.

Despite this catastrophe, Apple has continued its consistent improvement of OS X security in its release of OS X 10.8 Mountain Lion. Its Gatekeeper security certificate technology is, theoretically, able to stop all future Trojan horse malware infection. Apple has improved and tightened up its ASLR technology (address space layout randomization). Apple, at long bloody last, provides WPA2 encrypted Internet sharing. BSD UNIX, which is the source core of OS X, remains the single most secure OS on the planet. Meanwhile, Apple has made efforts to keep security-hole-ridden third party software off OS X. This includes Apple's never including Adobe's infamously insecure software with its installations. Instead, Apple offers its PDF enabled Preview software to replace Adobe Reader, and its HTML5 enabled Safari web browser to help replace Adobe Flash. Thanks to the Java/Flashback malware infection fiasco, Apple now also turns off Java on a periodic basis, if you choose to install Java at all. Add to that Apple's insistence that all software provided at the Apple Mac App Store use sandboxing, whereby apps have limited API access and capabilities.

What nasties still remain at large, enabling malware rats to infect and PWN Macs?

1) ECMAScript, aka 'JavaScript' and 'JScript' and 'ActiveScript'.
2) Bad PHP web programming.
3) Inherent SQL database security holes.
4) Inherently poor memory management (buffer overflows...) in nearly all our current, antiquated programming languages.
5) The LUSER Factor, aka LUSER Syndrome.
6) Human coding errors.
7) Deliberate software backdoors.
8) Government and company mandated user surveillance, frequently aka privacy infringement and spying.
9) The unexpected...

IOW: Don't expect any human written or accessible operating system to be totally, reliably secure. Not gonna happen. Security is going to remain a constant concern to all computer users.


You can read through my previous list of Mac malware, posted 2011-07, HERE:

A quick summary list:

1) Trojan.OSX.MACDefender.A - O [15 strains]
2) Trojan.OSX.BlackHoleRAT.A - C [3 strains]
3) Trojan.OSX.Boonana.A
4) Trojan.OSX.OpinionSpy.A - B [2 strains]
5) Trojan.OSX.iServices.A - C [3 strains]
6) Trojan.OSX.PokerStealer.A
7) Trojan.OSX.RSPlug.A - Q [17 strains]

The total number of Mac malware species was 7.
The total number of Mac malware strains was 42.

Note that some of the malware in this list have aliases, which I have not provided. The names here are considered the 'standard' names despite claims to the contrary from childishly warring anti-malware companies. I also avoid including hacking tools in my list as they require direct access to user accounts in order to be installed and are not offered as Trojan horses.

Arguably, the RSPlug and BlackHoleRAT malware are now inert and need not be listed. The worst of the above malware was the iServices series. Infections occurred via 'spiked' warez versions of Adobe software and Apple iWork software, possibly others. iServices infections led to a Mac botnet estimated to be over 10,000 Macs in number. iServices used to be the #1 Mac infection in history, prior to the 60x larger Java/Flashback infection this year.

2011-08 -> 2012-08

As I did last year, I'm going to proceed in reverse chronological order. Please note that my list is not definitive. Because of the competition and secrecy of anti-malware companies, I find it very difficult to keep track of all the versions and aliases of Mac malware.

My list is, however, extensively researched and compared with that of my net friend and colleague Thomas Reed. You can access Thomas' security blog HERE. Thomas' Mac Malware Guide, including his Mac Malware Catalog, is HERE. You'll find that Thomas takes a different approach to Mac malware from me, which is entirely intentional and useful. You'll also find that Thomas provides more complete and up-to-date coverage of ongoing Mac malware infections than I. He's a terrific resource.

Thomas Reed and I are part of a terrific eList group of Mac specialists, writers and coders from around the world who keep track of ongoing Mac malware. We also work to keep the ClamAV project up-to-date with the latest Mac malware signatures. I'll be sharing more about our group at another time.

1) Trojan/Backdoor.OSX.NetweirdRC.A

Currently: Low Concern.

NetWeirdRC was first described and named by Intego on August 22, 2012. Their original article is available here:

An Analysis of the Cross-Platform Backdoor NetWeirdRC

Another alias being used is simply 'NetWeird'. I always stick with the name provided by the first people to discover new malware.

NetWeirdRC is essentially a malware kit being provided to malware rats for $60 over the Internet. It is designed to infect and bot either Windows or Mac computers. This is not the first time such kits have been created and offered for sale, as we will see ahead. This is, however, the first time such a kit has been offered at such a cheap price. Earlier in the year we learned about an iOS security vulnerability purported to be sold to our surveillance maniacal US federal government for $250,000. (Please note: For all we know, this was just another bogus or propagandist rumor).

At this time, it is not evident that NetWeirdRC is being actively used in-the-wild. However, it is likely to be used in the near future and is therefore of concern. The method of infection could be either a Trojan horse offered to Mac users via social engineering, or direct use as a hacking tool to backdoor a Mac.

Thankfully, this first version of NetWeirdRC is buggy and incomplete. That may be why it is being sold on the cheap. Rebooting an infected computer makes it inert. When it is running, it acts as a bot, phoning home for Bot Wrangler instructions. Any 'reverse firewall' software, such as Little Snitch or VirusBarrier X, will catch the phoning home and stop it. As a bot, it of course PWNs (owns, or entirely takes over) the infected machine and can theoretically do anything with and to it. At this time, its activities have been restricted to downloading and installing new files (which could include new malware infections), performing remote Bot Wrangler commands, grabbing and sending screenshots, gathering and sending system and installed software information, as well as stealing encrypted passwords from email programs and web browsers. See the Intego article for further details.

This malware is easy to detect and remove. Most current anti-malware software should be able to stop infection as well as remove it.

2) Trojan.OSX.Crisis.A (aka Morcut, JVDrop, Remote Control System DaVinci)

-->Please continue on to Part II
