Friday, May 17, 2013
New Mac Malware Breezes Past Gatekeeper Because It’s Signed By An Apple Developer ID
from cultofmac.com
A new Mac malware has been found in the wild that allowed attackers to steal data and install unauthorized apps on a compromised machine. What makes this malware different than other recent Mac malware, though, is that it breezes right past Gatekeeper… and the people behind it might have been gunning for the life of their malware victim.
Known security researcher and privacy activist Jacob Appelbaum discovered the malware — which is being called OSX/KitM.A by Finnish antivirus firm F-Secure — on the laptop of a human rights activist at the Oslo Freedom Forum earlier this week.
KitM.A got on the machine as a result of a spear phishing attack, which is a phishing attack in which specific individuals (instead of a wider range of victims) are targeted. The malware takes screenshots of what is happening on the Mac and sends them to servers in the Netherlands. It can also download and install other malware, executing commands on behalf of attackers and manipulating the network activity monitor so that its presence remains undetected.
What’s so interesting about this specific malware is that it was signed by a valid Apple Developer ID. This means that it just blew past Gatekeeper, OS X Mountain Lion’s anti-malware firewall that is supposed to keep out just this sort of program. But it also means that Apple can just revoke the app’s certificate, killing it instantly on all computers with Gatekeeper turned on. And hopefully, it means that the attackers behind this particularly insidious form of malware can be tracked down and prosecuted, because they’ve left a signature: their own Apple Developer ID.
Appelbaum said that he may publish more details on the attack once he ascertains the threat to the victim’s life. Someone was gunning for him, after all, and given what’s going on in Angola these days, that’s a sensible precaution.
New Mac Malware Takes Screenshots And Uploads Them Without Permission
from cultofmac.com
A new piece of Mac malware has been discovered. The virus installs itself as “macs.app” and silently takes screenshots to then upload to shady servers. It doesn’t appear to be very widespread at the moment.
The malware was uncovered on an African activist’s Mac at the Oslo Freedom Forum, an annual event dedicated to “exploring how best to challenge authoritarianism and promote free and open societies.”
Once installed, macs.app runs in the background and repeatedly takes screenshots. Each image is then stored in an inconspicuous folder in the user’s home directory. From there, the screenshots are uploaded to “securitytable.org” and “docsforum.inf,” which are both unavailable domains.
Unlike most Mac malware, a valid Apple Developer ID is associated with macs.app to get it past Gatekeeper, Apple’s security system in OS X Mountain Lion. The ID is assigned to Rajender Kumar. Apple has the ability to revoke the ID’s privileges, and then this malware would presumably be dead in the water.
A malicious tool that only takes screenshots to upload is pretty unique, so this is likely not part of a larger attack.
Wednesday, May 1, 2013
Hackers To Manage Your Apple ID, If Caught From Phishing Bait
from blog.trendmicro.com
Phishers appear to have concentrated their fire on a relatively new target: Apple IDs. In recent days, we’ve seen a spike in phishing sites that try to steal Apple IDs.
Upon looking at the URLs, we noted that there was a consistent pattern to the URLs of these phishing sites. They are under a folder named ~flight. Interestingly, trying to access the folder itself will load the following page:

Technically, the sites were only compromised, but not hacked (as the original content was not modified). It’s possible, however, that the sites may be hacked or defaced if the site stays compromised.
As mentioned earlier, the directory contains pages that spoof the Apple ID login page fairly closely:

We’ve identified a total of 110 compromised sites, all of them hosted at the IP address 70.86.13.17, which is registered to an ISP in the Houston area. Almost all of these sites have not been cleaned.

The graph above shows the increase in phishing sites targeting Apple IDs. We’ve seen attacks targeting not only American users, but also British and French users. Some versions of this attack ask not only for the user’s Apple ID login credentials, but also their billing address and other personal and credit card information. It will eventually result in a page that states that access has been restored, but of course the information has been stolen. One can see in the sample page below how it asks for credit card information:

Users may be redirected to these phishing sites via spam messages that state that the user’s account will expire unless their information is subject to an “audit”, which not only gets users to click on the link, it puts them in a mindset willing to give up information.

One way to identify these phishing sites is that the fake sites do not display any indication that you are at a secure site (like the padlock and the “Apple Inc. [US]” part of the toolbar), which you can see in this screenshot of the legitimate site:

The screenshot above is from Chrome, but Internet Explorer and Firefox both have similar ways to indicate secure sites.
For the phishing messages themselves, legitimate messages should generally have matching domains all around – where they were sent from, where any links go to, etcetera. Mere appearance of the email isn’t enough to judge, as very legitimate-looking emails have been used maliciously. We also encourage users to enable the two-factor authentication that Apple ID recently introduced, for added protection.
In case you’re using mobile devices to manage your Apple ID or other parts of your online activities, you may read our ebook about avoiding bad mobile URLs to help protect yourself. We have blocked all sites and messages related to these attacks.
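The "matching domains all around" rule above can be mechanised. The following is an added example (not code from the Trend Micro post): it reads an e-mail, takes the registrable domain of the From: address, and flags any link whose domain differs, is a bare IP address, is not served over HTTPS, or sits under the ~flight directory the post describes. The two messages are constructed for the example, the `registrable_domain` helper is a deliberately crude stand-in for a Public Suffix List lookup, and the `.test` domain is a placeholder.

```python
"""Flag e-mails whose link targets do not match the sender's domain.

Added example applying the heuristic from the Trend Micro post: a legitimate
notice has matching domains all around (sender and every link). Sample
messages are constructed; the eTLD+1 logic is a simplification.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LINK_RE = re.compile(r"""href=["']([^"']+)["']""", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
# Second-level labels under two-letter ccTLDs (assumed list; use the PSL in practice)
CC_SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels, or three for forms like apple.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in CC_SECOND_LEVEL):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze_message(raw: str) -> dict:
    """Return sender domain, link domains and a list of findings for one message."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.partition("@")[2]) if "@" in sender else ""
    body = msg.get_payload()            # single-part message in this example
    findings, link_domains = [], set()
    for url in LINK_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        # A bare IP literal has no domain to compare against at all.
        if IPV4_RE.fullmatch(host):
            findings.append(f"link to bare IP address: {url}")
            continue
        if parsed.scheme != "https":
            findings.append(f"link not over HTTPS: {url}")
        dom = registrable_domain(host)
        link_domains.add(dom)
        if dom != sender_domain:
            findings.append(f"link domain {dom} does not match sender domain {sender_domain}")
        # Directory name the post observed on the compromised hosts.
        if "~flight" in parsed.path:
            findings.append(f"known kit path pattern ~flight in {url}")
    return {
        "sender_domain": sender_domain,
        "link_domains": sorted(link_domains),
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample messages (not real mail).
LEGIT = """From: Apple <no_reply@email.apple.com>
Subject: Your receipt
Content-Type: text/html

<p>View your receipt at <a href="https://www.apple.com/account/">apple.com</a>.</p>
"""

PHISH = """From: Apple Support <support@apple.com>
Subject: Your Apple ID is subject to an audit
Content-Type: text/html

<p>Your account will expire. <a href="http://example-compromised.test/~flight/index.php">Verify now</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH)):
        result = analyze_message(raw)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

Note that the From: header itself is attacker-controlled, so this check only establishes that the links are inconsistent with the claimed sender; deciding whether the claimed sender is genuine is the job of SPF/DKIM/DMARC results, which a real filter would consult alongside this heuristic.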
Monday, April 29, 2013
Mac malware found in malformed Word documents
from nakedsecurity.sophos.com
Our friends at F-Secure have blogged today about a booby-trapped Word document that appears to be designed to infect computer systems running Mac OS X.
The malicious Word file, examined by the experts in SophosLabs, claims to be about the "6th International Uyghur Women's Seminar & 1st World Uyghur Women's Congress", run by the International Uyghur Human Rights & Democracy Foundation.
Vulnerabilities exploited by the malformed Word documents install malicious code on the recipients' computers, while a legitimate-seeming Word file with content relevant to the victim is displayed as a smoke screen.
It's clear that the attack is targeted against Uyghur Mac users, and we have seen similar attacks in the past.
Sophos products detect the malware as OSX/Agent-AADL and Troj/DocOSXDr-B.
The obvious question people are likely to ask is... are China to blame for this attack? After all, we have seen several attacks in the past which have targeted minority groups in the country.
There's no 100% proof connecting this attack with the-powers-that-be in Beijing, but you would be a brave man to bet against it.
All Mac users need to keep in mind that it's important that all computers, regardless of operating system, are properly secured - and to be on their guard against attacks.
Whether it's likely that you aren't in China's good books or not, there are more and more cybercriminals investigating how they might infect the many Mac computers out there.
It is true that there is much less malware for OS X than there is for Windows, but that's not going to make you feel any better if you end up targeted in an attack like this.
Mac users, just like Windows users, need to ensure that they install the latest security patches and keep their software properly up-to-date.
If you're not already doing so, run anti-virus software on your Macs. If you're a home user, there really is no excuse at all as we offer a free anti-virus for Mac consumers.
Friday, March 29, 2013
iPhone more vulnerable than Android, BB, and WP combined
from phonearena.com
Security is always a hot topic with mobile platforms, but most of the time the focus is on Android and the malware issues that exist for the platform if you don't use the Google Play Store. But, a new study shows that maybe we should pay more attention to the iPhone's security issues, because the study claims that the iPhone has more security vulnerabilities than Android, BlackBerry, and Windows Phone combined.
The study was conducted by SourceFire, which analyzed vulnerabilities from the Common Vulnerabilities and Exposures (CVE) data and National Vulnerability Database (NVD) over the past 25 years. Yves Younan, senior research engineer at SourceFire's Vulnerabilities Research Team and author of the report, said that the results were "surprising", especially since, despite Apple constantly releasing security fixes with each update, CVEs continue to grow year over year.
According to the study, the iPhone has 210 vulnerabilities, which adds up to 81% of mobile phone platform vulnerabilities in the four platforms studied. Android has just 24 known vulnerabilities, Windows has 14, and BlackBerry has 11, which combined round out the remaining 19%. The study didn't extend to fringe systems like Symbian, bada, and the rest. To be fair, these numbers are a cumulative total since 2007, but even removing 2007 from the mix, iPhone still has 205 vulnerabilities to Android's 24.
Of course, he doesn't mention that only 0.5% of malware comes through the Google Play Store, so criminals still have to find ways to get Android users to sideload infected apps. It is still very possible that Android simply has fewer vulnerabilities because it is open-source (which tends to be more secure), and the only real serious vulnerability with Android is that users are allowed to screw things up if they aren't careful.
Saturday, March 23, 2013
New Apple Security Exploit Lets Someone Reset Your Password
from mashable.com
Image caption: "That was easy..."
An Apple account exploit allows anyone with your email address and date of birth to reset your Apple ID and iCloud account password.
First reported by The Verge, the exploit uses Apple’s own tools to break into accounts, using a modified URL and entering someone’s date of birth on Apple’s iForgot page. Directions on how to take advantage of the vulnerability were published in a step-by-step tutorial.
On Thursday, Apple launched two-step verification for Apple ID and iCloud account passwords. When set up, two-step verification would prevent someone from using the vulnerability to access accounts.
Verification is done using another one of your devices, such as your iPhone. For instance, if you buy a new computer and sign into iCloud on it, Apple will send a numerical code to your iPhone via text message. You take the numerical code sent to your phone, and enter it into your computer to verify you are in fact who you say you are.
You can, and should, set up two-step verification on your Apple accounts now.
Monday, March 11, 2013
Mac malware that infected Facebook bypassed OS X Gatekeeper protection
from arstechnica.com
Researchers have identified the Mac malware that infected employees of Apple, Facebook, and Twitter, and say it may have been used to compromise machines in other US organizations, including auto manufacturers, government agencies, and a leading candy maker, according to a published report.
Pintsized.A is a new family of Mac malware that uses an exploit to bypass Gatekeeper, an OS X protection that allows end users to tightly control which sources are permitted to install apps, according to an article published Monday by The Security Ledger. Mac antivirus provider Intego says the trojan masquerades on infected machines as Linux printing software known as cupsd, although it runs from a different location than the legitimate title. It's unclear exactly how the malware gets around Gatekeeper.
Once installed, Pintsized establishes a reverse shell to a command and control server controlled by the attackers. It uses a modified version of the OpenSSH utility to encrypt traffic, a measure that can help it remain undetected on infected networks. One of the domain names that hosted such a server was corp-aapl.com. It caught the attention of members of Facebook's security team, tipping them off that there was an infected machine inside their network. When they later took control of the domain, they discovered multiple other companies were also compromised by the same attackers. Around the same time, Apple, Twitter, and Microsoft were also hit with attacks that meet the same pattern.
The Security Ledger brought to light several other new revelations about the attacks. For one, attackers used a variety of third-party websites to infect employees who frequented pages involving a variety of topics, including the development of applications for Google's Android operating system. Previously, only iphonedevsdk.com, a website for iPhone developers, had been identified as being compromised. Also interesting, the latter site was booby-trapped in such a way that it attacked some visitors and not others. Investigators are still working out what caused the selective exploitation and how specific targets may have been chosen.
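Intego's observation that the trojan borrows the cupsd name but runs from a different location than the real binary is a detection opportunity in its own right. The following is an added example (not Intego's, Ars Technica's or The Security Ledger's code) that encodes it: each well-known daemon name is tied to the path where the genuine executable lives, and any process with that name running elsewhere is reported. The process listing is constructed, the expected-path table is an assumption for the example (the real cupsd on OS X is /usr/sbin/cupsd; the other entries are illustrative), and the listing format mirrors `ps -axo pid,user,comm`, which on OS X prints the executable's full path.

```python
"""Report processes that use a trusted daemon's name from an unexpected path.

Added example based on the Pintsized description: the trojan masquerades as
cupsd but runs from a different location than the legitimate binary. The
listing below is constructed; the expected-path table is an assumption.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# daemon name -> paths where the genuine binary is expected to run from
EXPECTED_PATHS: Dict[str, Set[str]] = {
    "cupsd": {"/usr/sbin/cupsd"},      # real CUPS scheduler on OS X
    "sshd": {"/usr/sbin/sshd"},        # assumed for the example
    "launchd": {"/sbin/launchd"},      # assumed for the example
}

# Parent directories where a system daemon has no business running from.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")


@dataclass
class Proc:
    pid: int
    user: str
    path: str


def parse_ps(listing: str) -> List[Proc]:
    """Parse a 'PID USER COMM' listing; the header row is skipped."""
    procs = []
    for line in listing.strip().splitlines()[1:]:
        pid, user, path = line.split(maxsplit=2)
        procs.append(Proc(int(pid), user, path))
    return procs


def find_masquerades(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, path, reason) for processes whose name/path pair is wrong."""
    alerts = []
    for p in procs:
        name = os.path.basename(p.path)
        expected = EXPECTED_PATHS.get(name)
        if expected is None:
            continue                     # not a name we track
        if p.path in expected:
            continue                     # genuine location
        reason = f"{name} expected at {sorted(expected)}"
        if p.path.startswith(USER_WRITABLE_PREFIXES):
            reason += "; running from a user-writable location"
        alerts.append((p.pid, p.path, reason))
    return alerts


# Constructed process listing (not a capture from a real machine).
SAMPLE_PS = """PID USER COMM
1 root /sbin/launchd
88 _lp /usr/sbin/cupsd
212 root /usr/sbin/sshd
4312 alice /Users/alice/Library/.cache/cupsd
4390 alice /Applications/Safari.app/Contents/MacOS/Safari
"""

if __name__ == "__main__":
    for pid, path, reason in find_masquerades(parse_ps(SAMPLE_PS)):
        print(f"ALERT pid={pid} path={path}: {reason}")
```

The check is intentionally narrow: it matches on the process name Intego reported, not on any hash, so it catches the masquerade regardless of how the binary was rebuilt, and a non-standard path for a daemon that only ever ships in one place is a strong signal on its own. A fuller hunt would add the reverse-shell behaviour the article describes, for example a long-lived outbound connection from that process to a host the organisation does not own.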
New family of Mac malware masqueraded as printer software.