Monday, March 11, 2013

Mac malware that infected Facebook bypassed OS X Gatekeeper protection

from arstechnica.com

New family of Mac malware masqueraded as printer software.

Researchers have identified the Mac malware that infected employees of Apple, Facebook, and Twitter, and say it may have been used to compromise machines in other US organizations, including auto manufacturers, government agencies, and a leading candy maker, according to a published report.

Pintsized.A is a new family of Mac malware that uses an exploit to bypass Gatekeeper, an OS X protection that allows end users to tightly control which sources are permitted to install apps, according to an article published Monday by The Security Ledger. Mac antivirus provider Intego says the trojan masquerades on infected machines as Linux printing software known as cupsd, although it runs from a different location than the legitimate title. It's unclear exactly how the malware gets around Gatekeeper.

Once installed, Pintsized establishes a reverse shell to a command-and-control server run by the attackers. It uses a modified version of the OpenSSH utility to encrypt that traffic, a measure that helps it blend in and remain undetected on infected networks. One of the domain names that hosted such a server was corp-aapl.com. It caught the attention of members of Facebook's security team, tipping them off that there was an infected machine inside their network. When they later took control of the domain, they discovered that multiple other companies had been compromised by the same attackers. Around the same time, Apple, Twitter, and Microsoft were also hit with attacks that fit the same pattern.
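The two details above that a defender can act on are that the trojan runs under the name of the CUPS scheduler (cupsd) but from a location other than the legitimate one, and that it keeps an outbound encrypted channel open. The following Python script is an added example, not code from the article, Intego, or The Security Ledger: it parses process-listing output and flags any process whose name matches a known system daemon but whose on-disk path is not the expected one. The expected path /usr/sbin/cupsd and the sample process lines are assumptions constructed for the example; the hidden path in the last sample line is made up and is not an indicator published by the article.

```python
from pathlib import PurePosixPath

# Assumption (not from the article): where the genuine daemons live on OS X.
# A process with one of these names running from anywhere else is worth a look.
EXPECTED_PATHS = {
    "cupsd": {"/usr/sbin/cupsd"},
}

# Constructed sample output in the shape of `ps -axo pid=,user=,args=`.
# This is not a real capture; the last line is the one that should be flagged.
SAMPLE_PS_OUTPUT = """\
1 root /sbin/launchd
88 root /usr/sbin/cupsd -l
312 alice /Applications/Safari.app/Contents/MacOS/Safari
4411 alice /Users/alice/Library/.hidden-example/cupsd
"""


def parse_ps(output):
    """Yield (pid, user, executable_path) for each well-formed line.

    The third column is the full command line; the executable path is its
    first token, so trailing arguments such as `-l` are dropped.
    """
    for line in output.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmdline = parts
        exe = cmdline.split()[0]
        yield int(pid), user, exe


def find_masquerading(output, expected=EXPECTED_PATHS):
    """Return processes that carry a known daemon's name but run from an
    unexpected path. Each finding records the pid, user, actual path, and
    the daemon being impersonated."""
    findings = []
    for pid, user, exe in parse_ps(output):
        name = PurePosixPath(exe).name
        if name in expected and exe not in expected[name]:
            findings.append(
                {"pid": pid, "user": user, "path": exe, "impersonates": name}
            )
    return findings


if __name__ == "__main__":
    # On a live host, replace SAMPLE_PS_OUTPUT with the real output of
    # `ps -axo pid=,user=,args=` (assumed invocation; check your ps(1)).
    for hit in find_masquerading(SAMPLE_PS_OUTPUT):
        print(
            f"pid {hit['pid']} ({hit['user']}) runs as {hit['impersonates']} "
            f"from unexpected path {hit['path']}"
        )
```

The check deliberately keys on the executable path rather than the process name alone, because the name is exactly what the malware copies; the path is what it cannot easily match without replacing the real file. A follow-up step on a real host would be to verify the flagged binary's code signature and to look for an outbound SSH-like connection belonging to that pid.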

The Security Ledger brought to light several other new revelations about the attacks. For one, the attackers used a variety of third-party websites to infect employees who frequented pages on a range of topics, including the development of applications for Google's Android operating system. Previously, only iphonedevsdk.com, a website for iPhone developers, had been identified as having been compromised. Also notable, the latter site was booby-trapped in such a way that it attacked some visitors and not others. Investigators are still working out exactly what caused the selective exploitation and how specific targets may have been chosen.
