Intego has reported on two versions of a new Trojan horse, called iServices. The first version, found in an iWork installer, and the second version, found in a Photoshop CS4 installation disk image, are very similar, connecting to remote servers over the Internet. While Intego’s antivirus program VirusBarrier X5 will protect you, ensuring you don’t get infected, Intego’s firewall and antivandal, NetBarrier X5 can also be helpful in times of trouble. The program’s Trojan horse protection blocks outgoing connections of a number of Trojan horses, if you are infected.

With NetBarrier X5’s Trojan horse protection activated, the program blocks all outgoing traffic from the Trojan horse and creates a log entry saying that the data was blocked, and why.

NetBarrier X5 with filters dated January 26, 2009 or later protects against this Trojan horse. Make sure you keep your Mac safe with all the tools at your disposal: both an antivirus and a firewall are needed for optimal protection from today’s malware.
Intego has discovered a new variant of the iServices Trojan horse that the company first discovered on January 22, 2009. This new Trojan horse, OSX.Trojan.iServices.B, like the previous version, is found in pirated software distributed via BitTorrent trackers and other sites containing links to pirated software. The OSX.Trojan.iServices.B Trojan horse is bundled with copies of Adobe Photoshop CS4 for Mac. The actual Photoshop installer is clean, but the Trojan horse is found in a crack application that serializes the program.

After downloading this version of Photoshop, users will run the crack application to be able to use it. The crack application extracts an executable from its data, then installs a backdoor in /var/tmp/, a directory which is not deleted when the computer is restarted. (If the user runs the crack application again, the Trojan horse creates a new executable with a different name; these random names make it harder to ensure safe removal of the malware.)
The crack application then requests an administrator password and launches the backdoor with root privileges. The backdoor copies its executable to /usr/bin/DivX, then creates a startup item in /System/Library/StartupItems/DivX. The program checks whether it has been launched with root privileges, then saves the root password hash in the file /var/root/.DivX. It listens on a random TCP port, answers requests such as GET / HTTP/1.0 by sending a 209-byte packet, and makes repeated connections to two IP addresses.
Next, the crack application opens a disk image which is hidden in its resource folder, in a folder named .data, and proceeds to crack the Photoshop program, allowing it to be used.

Since the malicious software connects to a remote server over the Internet, the creator of this malware will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.
For more information, see the full Intego Security Alert.
Intego has discovered a new Trojan horse, OSX.Trojan.iServices.A, which is currently circulating in copies of Apple’s iWork 09 found on BitTorrent trackers and other sites containing links to pirated software. These copies of iWork 09, Apple’s productivity suite, are complete and functional, but the installer contains an additional package called iWorkServices.pkg.

When installing iWork 09, the iWorkServices package is installed as well. The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, right after the installer requests an administrator password. The software is installed as a startup item (in /System/Library/StartupItems/iWorkServices, a location normally reserved for Apple startup items), where it has read-write-execute permissions for root. The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac.
Intego is issuing this alert to warn Mac users not to download iWork 09 installers from sites offering pirated software. (As of 6 am EST, at least 20,000 people have downloaded this installer.) The risk of infection is serious, and users may face extremely serious consequences if their Macs are accessible to malicious users.
For more information, see the full Intego security alert.
We’ll be posting more information here as it becomes available.
Update: Intego is getting reports of the iServices.A Trojan horse actively downloading new code and acting as a botnet, participating in distributed denial of service attacks on certain websites.
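The two alerts above name the file-system artifacts the iServices.A and .B Trojan horses leave behind (the startup items, the copied backdoor, the password hash file, and an executable with a random name in /var/tmp). The following script, an added example rather than Intego’s own tool, checks a file-system tree for those artifacts; the optional ROOT argument (an assumption for this example) lets it run against a mounted volume or a test tree instead of the live system.

```shell
#!/bin/sh
# Scan a file-system tree for the iServices.A/.B artifacts named in the alerts.
# ROOT defaults to "/"; pass a mount point to inspect another volume. Running
# against the live system requires root to read /var/root.

# Fixed paths quoted in the alerts (startup items, copied backdoor, hash file).
ISERVICES_PATHS="
/System/Library/StartupItems/iWorkServices
/System/Library/StartupItems/DivX
/usr/bin/DivX
/var/root/.DivX
"

# iservices_scan [ROOT]
# Prints one line per artifact present under ROOT and returns the number of
# fixed-path artifacts found (0 means none of them are present). Executables in
# /var/tmp are listed as suspects only, because the .B backdoor is dropped
# there under a random name and /var/tmp survives a restart.
iservices_scan() {
  root="${1:-/}"
  root="${root%/}"
  hits=0
  for p in $ISERVICES_PATHS; do
    if [ -e "$root$p" ]; then
      echo "FOUND   $p"
      hits=$((hits + 1))
    fi
  done
  for f in "$root"/var/tmp/* "$root"/var/tmp/.[!.]*; do
    if [ -f "$f" ] && [ -x "$f" ]; then
      echo "SUSPECT executable in /var/tmp: ${f#"$root"}"
    fi
  done
  return "$hits"
}

# Example invocation against a mounted volume (path is illustrative):
# iservices_scan /Volumes/SuspectDisk
```

A non-zero exit status means at least one of the fixed-path artifacts exists; the /var/tmp lines are for an analyst to review, since legitimate executables can live there too.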
Apple has released a new version of its Leopard Security Configuration Guide (available here), a 260-page document discussing ways that users can customize security, or “harden” their computers. There are two versions of this document, one for Leopard client, and another for Leopard Server. In addition, users will find similar documents for Tiger and Panther on the same download page. While most users won’t want to apply many of the security techniques presented in this document, it’s a good reference showing the many areas where security can be enhanced in Mac OS X.
Apple has issued two security updates, one for QuickTime, which moves to version 7.6, and one for QuickTime MPEG-2. Together they patch seven issues, most of which are described as “Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.” These issues involve MPEG-2 files, H.263 encoded files, AVI files and more. Detailed information regarding this update is available here. You can install the update via Software Update, or by download from Apple’s QuickTime download page.
According to The Register, a security researcher has found a new way to attack Macs by injecting hostile code directly into memory, rather than by installing files that leave traces. While malware generally installs files, which then act on a computer, this new attack allows hackers to send, via a network vulnerability, malicious commands and information which will never be stored on a Mac. When it goes into the memory of a running application, the code is active as long as the application is, and can eventually reproduce itself in other running applications.
The technique, discovered by Vincenzo Iozzo, and to be presented at next month’s Black Hat security conference, “allows someone to execute a binary completely within the OS X application or process that’s being attacked. That means the operating system doesn’t need to open a new process and the exploit code need not ever touch the hard disk of the infected machine,” the article says. (Note that while the code may be written to virtual memory swap files, it will not be stored on the computer’s hard disk in file format.)
Attacks using this technique will still need to exploit a vulnerability in an application that has access to the Internet, such as Safari or QuickTime, but if one gets through those cracks, it could do serious damage. Since Apple is notoriously slow in issuing security updates, there’s a real potential that this type of attack can harm many Macs.