Monday, August 27, 2012

Apple zombie malware 'NetWeird' rummages for browser and email passwords


When we write Naked Security articles about Mac malware, we often end up creating a bit of a stir. Usually that's not on account of the malware itself, but on account of us writing about it in the first place.

Here's how it goes down.
We write the article. The politically sensitive Apple fanbuoys come out swinging, saying we only write about Apple malware because we're down on Cupertino.

The artistic fanbuoys (Apple users who are in a band, for example) chime in even more fiercely, saying Mac malware is a figment of everyone else's unimaginative delusion.

The geeky fanbuoys (the ones who know where bash is, and what it's for) come out firmly to remind us - utterly without any accuracy - that if it doesn't ask for the Admin password, it can't be malware. (It can. Anything running as your own user account can already read your files, watch your screen and add itself to your login items; it needs no more privilege than you have.)

And then the long-suffering but battle-hardened Windows users pop up and say, "Back in 1991, we felt the same way. It didn't end well." Those of a philosophical bent repeat, with sincerity and concern, the words of George Santayana. "Those who cannot remember the past are condemned to repeat it."

So, with a deep breath, here's some Mac malware news.

There's been a touch of fuss in the media about it, which is the first reason we thought that we ought to tell you about it; the second reason is that it has an engagingly curious name: NetWeird. (No, I don't know why, either.)

NetWeird is interesting primarily because it is uninteresting. It's not very well written; it's not very well tested; it's probably not going to catch you unawares (but watch out if you're in a band!); and so far as we can tell, it's not in the wild.

But someone has gone to the trouble of creating it and, according to our chums at French Mac anti-virus outfit Intego, is actually trying to sell it on the underground market for the ambitious price of $60.

And that makes it interesting: it seems that the crooks really are getting into the habit of churning out new Mac malware, not to show how clever they are, but merely to see if they can repeat the trick that's worked on Windows for years: making money out of next to nothing. Those who remember the past often choose to repeat it, especially if there's money to be made.

And now about the malware.

NetWeird installs itself into your home directory as an application bundle called That makes it rather obvious.

It adds itself to your login items, presumably intending to run again every time you log in. But a bug means it adds itself as a folder, not as an application, so it never actually restarts: all that happens when you log back in is that Finder pops up a window showing your home directory.

NetWeird also calls home to a hosted server in the Netherlands and waits for instructions. That makes it a bot, or zombie.

Bots make an outbound connection to a server run by the cybercrook known as the botmaster, and then listen on that connection for command-and-control signals. Connecting outwards sidesteps the NAT and inbound firewall rules that would block a connection coming the other way, and it works because a TCP connection, once established, is fully bidirectional: the side that placed the call can sit there taking orders as if it were the server, and vice versa.
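To make the role reversal concrete, here is an added example (not NetWeird's code, and not anything from Sophos or Intego): a minimal reverse-connect command channel in which the "bot" dials out to a "controller" and then reads commands from the very socket it opened. Everything runs on 127.0.0.1 inside one process, the command set is two harmless operations plus an exit, and the length-prefixed JSON framing is my own choice, not anything the malware uses.

```python
"""Added example: a reverse-connect command channel on loopback.

The bot side dials OUT, then takes orders on the same TCP connection; the
controller side accepts the inbound call and pushes commands down it.  The
framing (4-byte big-endian length + JSON) and the two harmless handlers are
assumptions made for this illustration, not NetWeird's protocol."""
import json
import os
import socket
import struct
import threading
from typing import Dict, List

MAX_FRAME = 64 * 1024  # refuse absurd length prefixes instead of allocating blindly


def send_frame(sock: socket.socket, obj: Dict) -> None:
    """Length-prefixed JSON, so both ends can tell where one message ends."""
    payload = json.dumps(obj).encode("utf-8")
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise; TCP gives a byte stream, not messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def recv_frame(sock: socket.socket) -> Dict:
    (length,) = struct.unpack("!I", recv_exact(sock, 4))
    if length > MAX_FRAME:
        raise ValueError("frame too large")
    return json.loads(recv_exact(sock, length).decode("utf-8"))


# Operations the bot side is willing to perform (deliberately harmless here).
HANDLERS = {
    "ping": lambda: "pong",
    "getpid": lambda: str(os.getpid()),
}


def bot_loop(host: str, port: int) -> int:
    """The 'zombie' side: connect outwards, then sit reading commands on that
    socket until told to exit.  Returns the number of commands handled."""
    handled = 0
    with socket.create_connection((host, port), timeout=5) as s:
        while True:
            cmd = recv_frame(s)
            if cmd.get("op") == "exit":
                return handled
            handler = HANDLERS.get(cmd.get("op"))
            result = handler() if handler else "ERR unsupported op %r" % cmd.get("op")
            send_frame(s, {"id": cmd.get("id"), "result": result})
            handled += 1


def controller_session(listener: socket.socket, ops: List[str], out: List[str]) -> None:
    """The 'botmaster' side: accept the inbound call, then issue commands over
    it and collect the replies into `out`."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(5)
        for i, op in enumerate(ops):
            send_frame(conn, {"id": i, "op": op})
            out.append(recv_frame(conn)["result"])
        send_frame(conn, {"id": len(ops), "op": "exit"})


def run_demo(ops=("ping", "getpid", "screenshot")) -> List[str]:
    """Run controller and bot against each other on an ephemeral loopback port
    and return the bot's replies in command order."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(10)
    port = listener.getsockname()[1]
    results: List[str] = []
    t = threading.Thread(target=controller_session, args=(listener, list(ops), results))
    t.start()
    try:
        bot_loop("127.0.0.1", port)
    finally:
        t.join()
        listener.close()
    return results


if __name__ == "__main__":
    for op, result in zip(("ping", "getpid", "screenshot"), run_demo()):
        print(f"{op:>10} -> {result}")
```

The thing to notice is that nothing on the bot side ever calls listen() or accept(): from the network's point of view it is an ordinary outbound client, which is exactly why egress monitoring (who is this process talking to, and how often?) matters more than inbound firewalling for spotting this class of thing.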

The commands that the bot can process allow it to run arbitrary programs via the shell, monitor running processes, take screenshots, exfiltrate files, and rummage through the saved-password files of well-known third-party browsers and email clients: Opera, Firefox, SeaMonkey and Thunderbird. Those files live in the user's own profile directories, so reading them needs no Admin password either.

You're not likely to see this thing, but if you do, Sophos Anti-Virus will mop it up for you under the name OSX/NetWrdRC-A.

If you do get infected, deleting the above-mentioned application bundle and rebooting should get it off disk and out of memory.

And if you're running Mountain Lion with Gatekeeper at its default setting (Mac App Store and identified developers), you won't be able to run it anyway, because it's not from the App Store and isn't digitally signed by an Apple-identified developer.

That's about all you need to know about it.

Thursday, August 23, 2012

Ex-Apple Store Employees Allege Shocking Behavior, Fraud

What's it like working inside one of Apple's shiny, bustling retail stores?
Gizmodo recently published an exposé about the "most corrupt Apple Store," based on interviews with two ex-employees who were once active on the Apple selling floor. The anonymous Apple Geniuses, as the retail employees are called, dished on apparently crooked management practices and antics that might make you reconsider leaving your precious MacBook at the Genius Bar overnight.
"[W]e just erase people's hard drives that are assholes," one of the employees told Gizmodo. When asked what happened if people complained, he noted that the customers "signed a form that legally made us not responsible for data."
The "corrupt" Apple Store's regional manager was reportedly no better than her underlings. Gizmodo's sources alleged that she "heavily discounted computers to local plastic surgeons" in order to receive a stomach stapling procedure. They also claimed that fake transactions were rampant in the store, as was blatant manipulation of the company's return policy.
While this particular Apple Store may be the exception, there have been other less-than-rosy reports about the corporate culture within Apple. Bloomberg News reports that a former Apple employee is suing the company, claiming that Steve Jobs had guaranteed him a "job for life."
The company also apologized recently for multiple staffing issues that led to some employees' hours being cut; the managerial error left stores understaffed and fueled rumors on the blogosphere that Apple was beginning layoffs. John Browett, senior vice president of retail, "instructed leadership teams to tell employees that the company 'messed up,'" per PC Mag. Apple is not issuing layoffs, according to Browett -- on the contrary, the company is currently hiring.

Saturday, August 18, 2012

Hacker discovers iPhone SMS spoofing issue, asks Apple to fix for iOS 6

An independent security researcher in the UK has publicized an iPhone SMS spoofing issue that he hopes Apple will address in iOS 6. 

According to a blog posting by "pod2g", the SMS specification allows optional, advanced features to be carried in the User Data Header (UDH) of a message, including a "reply to" address, and iOS honours that field when it displays a message.

Not all phones act on that header, and "most carriers don't check this part of the message, which means one can write whatever he wants in this section," the hacker writes. Since the sender controls the field and the network doesn't police it, the audience for this kind of SMS spoofing is apparently largely iPhone users.

Because the iPhone displays the "reply to" address in place of the number the message actually came from, the user has no way to check the identity of the depicted sender, or to tell that the message was sent from someone other than the displayed phone number (unless the message is delivered via Apple's iMessage, which is both encrypted and unaffected by the SMS flaw, because it is not an SMS).

In describing the SMS issue, Pod2g says "I consider [the flaw] to be severe, while it does not involve code execution."

A malicious user could therefore send "spoofed" SMS messages that appear to come from another source, such as a friend or a trusted party like a bank, in much the same way as email spam is routinely spoofed, since the standard email specification does not authenticate the parties named in header data either.
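The following added example (my own code, not pod2g's and not anything from Apple) builds and parses the User Data Header so you can see the two addresses side by side: the originating address the network fills in, and the sender-chosen "Reply Address" element riding inside the UDH. The information element identifier 0x22 and the TP-Originating-Address-style layout of the reply address follow 3GPP TS 23.040 as I recall it; the message body is kept as plain 8-bit ASCII rather than packed GSM 7-bit septets, which is a simplification for readability. The sample phone numbers and text are constructed.

```python
"""Added example: SMS User Data Header (UDH) with a Reply Address element.

Two renderings of the same constructed message are compared: one that lets a
reply-to address stand in for the sender (the behaviour described in the
post) and one that always shows the originating address and flags a mismatch.
IEI 0x22 and the address layout are taken from 3GPP TS 23.040 as I recall it;
the body is plain 8-bit text, not 7-bit packed, to keep the example short."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IEI_REPLY_ADDRESS = 0x22   # "Reply Address Element" information element
TOA_INTERNATIONAL = 0x91   # type-of-address: international number, ISDN numbering plan


def encode_address(number: str) -> bytes:
    """TP-Originating-Address layout: digit count, type-of-address, then
    swapped-nibble BCD digits with an 0xF filler nibble if the count is odd."""
    digits = number.lstrip("+")
    if not digits.isdigit():
        raise ValueError("address must contain digits only")
    padded = digits + "F" if len(digits) % 2 else digits
    bcd = bytes(int(padded[i + 1] + padded[i], 16) for i in range(0, len(padded), 2))
    return bytes([len(digits), TOA_INTERNATIONAL]) + bcd


def decode_address(buf: bytes, off: int = 0) -> Tuple[str, int]:
    """Inverse of encode_address; returns (number, offset just past the field)."""
    if off + 2 > len(buf):
        raise ValueError("truncated address header")
    n_digits, toa = buf[off], buf[off + 1]
    n_bytes = (n_digits + 1) // 2
    raw = buf[off + 2: off + 2 + n_bytes]
    if len(raw) != n_bytes:
        raise ValueError("truncated address digits")
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw)[:n_digits]
    prefix = "+" if (toa & 0x70) == 0x10 else ""  # bits 6..4 == 001: international
    return prefix + digits, off + 2 + n_bytes


def build_udh(ies: Dict[int, bytes]) -> bytes:
    """UDH = one UDHL byte followed by (IEI, IEDL, data) triples."""
    body = b"".join(bytes([iei, len(data)]) + data for iei, data in ies.items())
    return bytes([len(body)]) + body


def parse_udh(user_data: bytes) -> Tuple[Dict[int, bytes], bytes]:
    """Split TP-User-Data (UDHI set) into its information elements and the body."""
    if not user_data:
        raise ValueError("empty user data")
    udhl = user_data[0]
    hdr = user_data[1:1 + udhl]
    if len(hdr) != udhl:
        raise ValueError("UDH longer than user data")
    ies: Dict[int, bytes] = {}
    i = 0
    while i < len(hdr):
        if i + 2 > len(hdr):
            raise ValueError("truncated IE header")
        iei, iedl = hdr[i], hdr[i + 1]
        data = hdr[i + 2:i + 2 + iedl]
        if len(data) != iedl:
            raise ValueError("truncated IE data")
        ies[iei] = data
        i += 2 + iedl
    return ies, user_data[1 + udhl:]


@dataclass
class DeliveredSms:
    originator: str   # TP-Originating-Address: filled in by the network, not the sender
    user_data: bytes  # TP-User-Data: UDH followed by the body


def make_spoofed_sms(originator: str, reply_to: str, text: str) -> DeliveredSms:
    """Constructed sample: a sender-chosen reply address carried in the UDH."""
    udh = build_udh({IEI_REPLY_ADDRESS: encode_address(reply_to)})
    return DeliveredSms(originator, udh + text.encode("ascii"))


def reply_address(sms: DeliveredSms) -> Optional[str]:
    ies, _ = parse_udh(sms.user_data)
    data = ies.get(IEI_REPLY_ADDRESS)
    if data is None:
        return None
    addr, end = decode_address(data)
    if end != len(data):
        raise ValueError("trailing bytes in reply address element")
    return addr


def body_text(sms: DeliveredSms) -> str:
    return parse_udh(sms.user_data)[1].decode("ascii")


def display_reply_to_only(sms: DeliveredSms) -> str:
    """The rendering the post describes: the reply-to address replaces the sender."""
    return reply_address(sms) or sms.originator


def display_originator(sms: DeliveredSms) -> Tuple[str, bool]:
    """Safer rendering: always show the originator and flag a differing reply-to."""
    reply = reply_address(sms)
    return sms.originator, reply is not None and reply != sms.originator
```

Running display_reply_to_only on a message whose originator is one number and whose UDH carries another shows only the second; display_originator shows the first and returns True for the mismatch, which is the cue a client should surface to the user rather than hide.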

The hacker asks Apple to address this issue before releasing iOS 6, noting that this behavior is still present in the latest, fourth developer beta of iOS 6.

Sunday, August 5, 2012

Apple Tech Support Gave Attackers Access to Journalist's iCloud


Last week, attackers socially engineered Apple tech support to hack into a Wired writer's iCloud account, wiping the journalist's iPhone, iPad and MacBook Air, and going on to compromise his Gmail and Twitter accounts.

Mat Honan recounted the gory tale in a blog post:

"At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere."

"The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed."

"At 5:00 PM, they remote wiped my iPhone

At 5:01 PM, they remote wiped my iPad

At 5:05, they remote wiped my MacBook Air."

Furthermore, since Honan's Twitter account was still linked to Gizmodo's from when he used to write for them, the attackers briefly tweeted racist, belligerent slurs from that account on Friday.

The attackers, a group called VV3, also disabled Honan's Sprint service and changed the corresponding details on his Apple account (dumping them onto Pastebin), which stopped Honan from verifying his identity with Apple over the phone and halting the wipes.

Unfortunately for Honan, it sounds like he hadn't backed up his MacBook with Time Machine, but I'm willing to bet a lot of money that he (AND HOPEFULLY YOU) will never make that same mistake again.

It's important to note that this account pwnage, like many, was completely unrelated to the strength of Honan's passwords: it was Apple's account-recovery process that was attacked, not the password. Plus, he used 1Password to manage all his passwords.

So the key question now is how the attackers convinced Apple tech support to reset Honan's iCloud password. It's unclear from Honan's post, but it sounds like the hackers didn't even need to know Honan's mother's maiden name. "They got in via Apple tech support and some clever social engineering that let them bypass security questions," Honan wrote.

Apple, can you comment?