The Mac Security Blog

More Information About the Koobface Trojan Horse for Mac

Intego’s researchers have been examining the OSX/Koobface.A Trojan horse for some time, and the company provided some information about this Trojan horse yesterday. Following a number of questions, Intego would like to present some additional information about this Trojan horse.

This malware, unlike what one company claims, is not a “critical” risk, for several reasons. The level of risk for any given malware depends on several criteria, and this risk is fluid. As time changes, the risk level can increase or decrease depending on how common the malware is, whether new variants appear, and other conditions.

First of all, OSX/Koobface.A is not very widespread. While there is evidence that a handful of Mac users have been infected, there is no evidence to suggest that there is any large number of infections. (We’re only looking at infections to Mac users; since the Trojan horse can infect Windows and Linux users as well, it is very possible that there are more infections occurring on those platforms, especially Windows.)

Second, the malware is flawed, and does not work correctly in all situations. Intego’s researchers have not found it to be operable on Macs running Mac OS X 10.6. In addition, the presence of a Java alert, and the appearance of an installer asking for an administrator’s password, show that the installation does not occur surreptitiously.

Finally, the installer for this malware contacts a number of remote servers to download files. The installer contacts 5 servers at a time until one responds. Intego has isolated dozens of servers that are contacted, yet all but one of them seem to be currently off line. (This does not mean that these servers will not come back on line, or that future variants of this malware will not contact other servers.)

In addition to the servers used to provide elements installed on Macs, one part of the malware contacts IRC servers. As of today, all the IRC servers contacted have been blacklisted and are off line.

Concerning the files that are installed, there is a combination of Java files for the malware’s main operation, together with Mac, Windows and Linux files. Some files are archives containing Java classes or other Windows or Mac files. The following is a list of files downloaded:

cad.scp
cplibs.zip
cplib_x86_osx.tnw
cplib_x86_win.klf
jnana.pix
jnana.tsa
NirCmd.chm
nircmd.exe
nircmd.zip
nircmdc.exe
ofex.avi
ofex.exe
ofex.zip
OSXDriverUpdates.tar
pax_wintl
pax_wintl.zip
pex.bsl
rawpct
rawpct.zip
RingOnRequest.lock
rvwop
rvwop.zip
VFxdSys.exe
VfxdSys.zip
VfxdSysAdm.exe
WinStart.exe
WinStart.zip

One of the Java classes found in the above archives is called FaceBookWorm.class.

Intego has no doubt that there will be variants of this malware in the future, but for now, the threat is minimal. Intego’s Virus Monitoring Center is remaining vigilant in order to detect any new variants that may cause serious threats to Mac users.

Intego Security Memo: Trojan Horse OSX/Koobface.A Affects Mac OS X Mac – Koobface Variant Spreads via Facebook, Twitter and More

Malware: OSX/Koobface.A
Risk: Low
Description: Intego has discovered a Mac version of the Koobface worm, which spreads via social networks such as Facebook, MySpace and Twitter. Intego’s Virus Monitoring Center has been examining this malware for some time, and given the low level of risk, has not publicly issued information about it. Since other reports have been made public about this malware, Intego has decided to publish this security memo.

Reports have circulated discussing a Trojan horse, but without understanding either the scope or the functioning of this malware. This threat is a Mac OS X version of the Koobface worm, which is served as part of a multi-platform attack via a malicious Java applet. The malware itself is made up of a number of elements, though in order to simplify, we will use the term “Trojan horse” to describe it. (Technically, it propagates as a worm, is installed via a Trojan Horse, and installs a rootkit, backdoor, command and control, and other elements.)

Users first encounter this malware via links on Facebook, MySpace and Twitter, but links can and do exist from other web sites as well. They are taken to malicious web sites in order to view videos, and these sites attempt to load a Java applet. Users are alerted to this via the standard Mac OS X Java security alert.

Clicking Show Details displays information about the certificate that is attempting to be authorized:

Users can deny or allow the applet access to their computers. If they click Deny, the applet will not run, and no infection will occur. If they click Allow, however, the applet will run, and will attempt to download files from one or more remote servers. At this point, VirusBarrier X6’s Anti-Spyware feature, if activated, will alert users to an outgoing connection by Java. If this occurs, click Deny to block the connection.

If files are downloaded, they are stored in an invisible folder (.jnana) in the current user’s home folder. These files include elements designed to infect Mac OS X, Windows and Linux. The Java applet should also download an installer that will then launch and attempt to install the malware. While Intego has evidence of several infections in the wild, we are not currently able to go beyond this step, as either the malicious malware has bugs preventing it from running correctly, or the servers it contacts are not active or are not serving the correct files.

Potentially, if it installs correctly, it functions the same as the Koobface worm running on Windows. It runs a local web server and an IRC server, acts as part of a botnet, acts as a DNS changer, and can activate a number of other functions, either through files initially installed or other files downloaded subsequently. It spreads by posting messages on Facebook, MySpace and Twitter, usually trying to get people to click a link to view some sort of video.

While this is an especially malicious piece of malware, the current Mac OS X implementation is flawed, and the threat is therefore low. However, Mac users should be aware that this threat exists, and that it is likely to be operative in the future, so this Koobface Trojan horse may become an issue for Macs.

Means of protection: The first step is for users who see the Java alert dialog shown above to click Deny; the Java applet will not run, and the malware will not be installed. Second, if a user sees an Installer window display spontaneously, without the user having double-clicked an installation package, they should quit the installer. Intego VirusBarrier X6 and X5 detect and eradicate this malware, which they identify as OSX/Koobface.A, with their current threat filters.


iPhone Bug Lets Users Bypass Lock Screen

An iPhone bug has been reported which allows users to bypass a locked iPhone and access certain features. This occurs when someone attempts to make an emergency phone call, then quickly presses the hardware lock button. According to the person who seems to have discovered this, the iPhone then gives access to the Phone app, where one can see contacts and make calls. This bug is present on both regular and jailbroken iPhones running iOS 4.1. Apparently, it is not, however, present in the latest beta version of iOS 4.2, so Apple had either already found the bug and corrected it, or corrected the root cause of the issue when fixing other problems in iOS.

Are Any Passwords Secure Any More?

As computer power has increased, the tools that allow hackers to infiltrate computers have gotten stronger as well. It’s widely recommended that you don’t use common words for your passwords – don’t use “password,” the name of your pet, or your child’s first name, the latter two being easy to discover. Recommendations generally tell you to use a word that’s not in a dictionary, to mix letters, numbers and punctuation, and to make a password long enough.

But are these passwords secure? And how long is long enough? A Swiss company, Objectif Sécurité, has developed a system for cracking passwords based on tables that are stored on SSD drives. Why SSD? Well, it turns out that using SSD drives is much faster than traditional hard drives, allowing more than 300 billion tests per second.

Here’s how it works. Your password is not stored on your computer, but a “hash” of it is. This is a string of letters and numbers that is created by applying mathematical functions to your password. Since multiple passwords could have the same hash, there’s no way of working back from the hash to the password, but software can test billions of possible combinations to see if they do, indeed, produce the hash of your password.

In a test, it was found that this password cracking tool could find complex 14-character passwords used with Windows XP in less than ten seconds. Passwords this long are considered to be very strong by Mac OS X (even ten-character random passwords are considered strong).
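To make the precomputation point concrete, here is an added example (not code from Intego or Objectif Sécurité) that builds a tiny lookup table over a constructed wordlist, recovers an unsalted hash with a single dictionary lookup, and then shows why a per-user salt plus an iterated key-derivation function (PBKDF2 here, as an assumption) makes that table useless. MD5 stands in for any fast, unsalted hash such as the Windows XP hashes mentioned above.

```python
import hashlib
import hmac

# Constructed sample wordlist standing in for the billions of candidates a
# real table covers; the sample victim password is deliberately included.
WORDLIST = ["password", "letmein", "Tr0ub4dor&3", "fluffy2009", "qwerty!1"]
SAMPLE_SALT = b"constructed-16-byte-salt!"  # in practice: os.urandom(16) per user


def unsalted_hash(password: str) -> str:
    """Old-style storage: one fixed, fast hash of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def build_table(words) -> dict:
    """Precompute hash -> password once; reusable against every stolen hash."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: dict, stolen_hash: str):
    """Recovery from a precomputed table is a single lookup, no hashing at all."""
    return table.get(stolen_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Per-user salt plus iterated PBKDF2-HMAC-SHA256: a table built without
    this salt cannot contain the result, and each guess costs 100k iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def demo():
    table = build_table(WORDLIST)
    stolen = unsalted_hash("fluffy2009")      # what a thief reads off the disk
    recovered = lookup(table, stolen)         # the unsalted hash falls instantly
    stored = salted_hash("fluffy2009", SAMPLE_SALT)
    table_hit = lookup(table, stored.hex())   # same table, salted hash: no hit
    return recovered, table_hit, verify_salted("fluffy2009", SAMPLE_SALT, stored)


if __name__ == "__main__":
    print(demo())
```

The table lookup cost does not change with password length, which is why the 14-character result above is unsurprising for unsalted hashes; salting forces the attacker back to per-account brute force at the KDF's cost per guess.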

But this cracking technology suggests that anyone with such a tool, and the ability to infiltrate a computer and obtain password hashes, would be able to hack accounts as fast as characters do in movies. Granted, one still needs to access those hashes, so a hacker either needs physical access to a computer, or needs to break into it and obtain the necessary privileges to get different users’ hashes. But if, for example, your laptop is lost or stolen, a thief or hacker will be able to easily get this information.


Apple Officially Drops Flash

It has been widely reported that the new MacBook Air comes with an operating system devoid of Flash, and it has now been confirmed that, in the future, Macs will no longer ship with the Flash plug-in. There are a number of reasons for this – Apple’s tiffs with Adobe, and perhaps the frequent security updates required for Flash – but new Mac users will have to download and install Flash themselves.

It’s not that hard. Usually, if you go to a site that has a Flash item on a page, and you don’t have Flash installed, you’ll see a link to download it. However, what’s important is keeping Flash up to date. Apple did update Flash player, but not with the frequency that Adobe updated it. This means that Mac users who depended on Apple for the updates would find themselves with at-risk versions of the software often.

Note that at the same time, Apple has announced that they have “deprecated” Java, meaning that some time in the future, they will not be providing a Java environment with Mac OS X. Presumably, this will be available from another vendor such as Sun, but Apple has not, as yet, announced as of when they will stop shipping Java.

If you’ve been following this blog, you’ll know that we publish a post every time there is a Flash security update (as well as for security updates to other major Mac software). So check in regularly to be warned when you need to download a new version.


Apple Offers Sneak Peek at Lion

Apple yesterday had a “Back to the Mac” event, where they provided a sneak peek at a few of the features to be included in the next version of Mac OS X, 10.7 Lion. In the approximately 90 minute event, Steve Jobs, assisted by several key Apple personnel, presented the new Mac App Store, Launchpad, Mission Control and full-screen apps. With a goal of bringing the best of iOS to Mac OS X, Apple showed off a few of the ways they are working to simplify the Mac’s operating system.

Intego is looking forward to this new version of Mac OS X, announced for release in summer 2011, and is excited about these new features. Intego, as always, will have all of its software – such as VirusBarrier and Internet Security Barrier – updated for full compatibility with Lion on the day of its release, if not before, so Intego customers can be sure that their Macs will be protected from the dangers of the Internet.