Wednesday, July 17, 2013

FileSteal.D Trojan Horse variant discovered:
aka Hackback.D
aka KitM.D,
aka Janicab.D

--

Via some file name spelling trickery, a nasty script and fraudulent use of an Apple developer security certificate, a new variant of the FileSteal malware has shown up on the net. This malware series has had four different names, depending upon what 'professional' anti-malware company 'discovered' it. IOW: It's a case of the usual deliberate lack of sharing and cooperation among the 'professionals'. Just shoot me. I'm simply going to call it Trojan.OSX.FileSteal, which was the source name. I listed the other names in this article's title. As far as I know, the current variant is the fourth in the series, therefore FileSteal.D. I am always pleased to be corrected when I am incorrect.

This series of malware is extremely easy to make inert by way of Apple revoking it's faked developer security certificate. The dangerous period is between a variant's release and  Apple's revocation its security certificate.


What it does:

A) FileSteal commonly shows up as an email attachment, pretending to be an innocent document file. But it could just as easily hide out somewhere on the web, looking just as innocent.


B) As a Trojan horse, no matter what you see as the file name and file icon, it is actually an application. The faked file name and icon trick is done via some file name spelling trickery of which I was not previously aware. A special "right-to-left override (RLO) character" in the name makes the characters that follow it read backwards from how it is actually spelled. Therefore 'FDP.app' at the end of the real file name can appear instead on screen as 'ppa.PDF', making you and OS X think you are looking at a PDF file, which it is NOT.  Creepy, eh?  I'm going to send you off to read the relevant article by my net bud Thomas Reed for further explanation. Don't worry about the malware being called 'Janicab'. It's still just FileSteal.D.


New Signed Malware called Janicab
http://www.thesafemac.com/new-signed-malware-called-janicab/


C) If you are fooled into opening the application, it installs itself somewhere into your system then tosses a launch script into one of the various login items folders inside one of your Library folders. These login item folders could include:

/Library/LaunchAgents/

/Library/LaunchDaemons/
~/Library/LaunchAgents/

OR theoretically it could list itself into your user account's Login Items list located here:


~/Library/Preferences/com.apple.loginitems.plist


OR the app can run as a system cron job process.

IOW: It gets booted every time you log into your computer.


D) When running, the malware opens a back door to your computer, grabbing and sending anything it likes off to a malware wrangler site on the net. It has been known to take screenshots, record audio and send off user files to the malware wrangler location. Some researches are calling this 'spyware' behavior. I personally would call it a bot.


Cures:

The cures for this malware depends upon the variant installed. The new variant FileSteal.D, aka 'Janicab', plugs itself into the system using a cron job process. Therefore, one easy way to eliminate it is to remove all your system's cron jobs. Thomas Reed's article provides a simple Terminal command you can use.


From my reading, it appears that Intego, Sophos and F-Secure are staying on top of this malware series. Their anti-malware programs, if kept up-to-date, should be able to detect the infection and remove it. Apple also has been speedily revoking these malware apps' security certificates.


ClamXav will likely catch whether you have been infected. Or perhaps I should say that friends in my Mac security discussion group are attempting get the malware's signature into the ClamAV database.


~~~~~

Here are some related articles, in reverse chronological order, about the FileSteal series for your perusal:


2013-07-16

Signed Mac Malware Using Right-to-Left Override Trick

2013-07-15
New back-to-front Mac malware records audio and grabs screenshots on infected computers
http://grahamcluley.com/2013/07/mac-malware-janicab/

2013-05-21
Yet Another FileSteal Variant Found Today
http://www.intego.com/mac-security-blog/yet-another-filesteal-variant-found-today/

2013-05-17
Two New Variants of Backdoor Trojan Found Targeting Activists
http://www.intego.com/mac-security-blog/two-new-variants-of-backdoor-trojan-found-targeting-activists/

2013-05-17
Mac malware signed with Apple ID infects activist’s laptop
Backdoor took screenshots, sent them to attackers.
http://arstechnica.com/security/2013/05/mac-malware-signed-with-apple-id-infects-activists-laptop/

~~~~~

BTW: Thomas Reed maintains a reasonable current list of Mac malware HERE:

Thomas and I have not compared lists recently, and you're going to see some differences in what is named what and what is different from what. This is all thanks to the unprofessional naming chaos innate amidst today's competing anti-malware companies. Some time Thomas and I will bump heads again and coordinate our lists. In the meantime, I consider Thomas' Mac malware list to be the best.


--

No comments:

Post a Comment