Friday, January 24, 2014

New OSX/Crisis Variant Invokes Pope Francis

A new sample of OSX/Crisis, the all too popular Da Vinci rootkit from Hacking Team, reached our Malware Lab during the weekend. We currently do not have information about the origin of the file on VirusTotal, named “Frantisek,” but it is an Eastern European first name meaning Francis. Could it be related to Pope Francis?

Like the previous variants, OSX/Crisis.C is delivered through a dropper that installs silently, without requiring a password, and works on Mac OS X 10.5, 10.6, and 10.7. However, Hacking Team has updated some of the dropper code and the backdoor configuration file format.

The dropper executes an unusual segment, __INITSTUB: the original entry point EIP points into this code segment, which runs before the almost empty _main function of the program is reached. For this reason, an incautious researcher stepping through the program in a debugger could get infected without even noticing it. The dropper also uses a different way to resolve system symbols, but it crashes on OS X Mountain Lion and OS X Mavericks with a segmentation fault. This might be a 64-bit bug in the malware.
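The check an analyst would run before loading such a sample in a debugger is to ask which segment the initial EIP lands in. The following Python is an added example (not Intego's tooling): it parses the load commands of a 32-bit Mach-O, reads EIP from LC_UNIXTHREAD (the entry-point mechanism used on the 10.5 to 10.7 targets this dropper supports), and flags an entry point outside __TEXT. The `build_sample` helper constructs a hypothetical minimal binary with a __INITSTUB segment to exercise the check; it is not the real dropper.

```python
import struct

MH_MAGIC = 0xFEEDFACE        # 32-bit little-endian Mach-O magic
LC_SEGMENT = 0x1             # 32-bit segment load command
LC_UNIXTHREAD = 0x5          # pre-10.8 entry point: initial register state
X86_THREAD_STATE32 = 1       # flavor: 16 uint32 registers, EIP is register index 10

def entry_segment(data):
    """Return (eip, name of the segment containing it) for a 32-bit Mach-O.
    (None, None) if there is no LC_UNIXTHREAD; name is None if EIP maps to no segment."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags = struct.unpack_from("<7I", data, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a 32-bit little-endian Mach-O")
    off, segments, eip = 28, [], None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT:
            name = data[off + 8:off + 24].rstrip(b"\0").decode("ascii")
            vmaddr, vmsize = struct.unpack_from("<2I", data, off + 24)
            segments.append((name, vmaddr, vmsize))
        elif cmd == LC_UNIXTHREAD:
            flavor, count = struct.unpack_from("<2I", data, off + 8)
            if flavor == X86_THREAD_STATE32 and count == 16:
                eip = struct.unpack_from("<16I", data, off + 16)[10]
        off += cmdsize
    if eip is None:
        return None, None
    for name, vmaddr, vmsize in segments:
        if vmaddr <= eip < vmaddr + vmsize:
            return eip, name
    return eip, None

def entry_is_suspicious(data):
    """True when the initial EIP lies in a segment other than __TEXT (e.g. __INITSTUB)."""
    _eip, seg = entry_segment(data)
    return seg is not None and seg != "__TEXT"

def build_sample(entry):
    """Constructed minimal Mach-O (hypothetical, not the real dropper) with __TEXT and
    __INITSTUB segments and an LC_UNIXTHREAD whose EIP is `entry`."""
    def seg(name, vmaddr, vmsize):  # segment_command is 56 bytes, no sections
        return struct.pack("<2I16s8I", LC_SEGMENT, 56, name, vmaddr, vmsize, 0, 0, 7, 5, 0, 0)
    regs = [0] * 16
    regs[10] = entry
    thread = struct.pack("<4I16I", LC_UNIXTHREAD, 80, X86_THREAD_STATE32, 16, *regs)
    cmds = seg(b"__TEXT", 0x1000, 0x1000) + seg(b"__INITSTUB", 0x2000, 0x1000) + thread
    header = struct.pack("<7I", MH_MAGIC, 7, 3, 2, 3, len(cmds), 0)  # CPU_TYPE_X86, MH_EXECUTE
    return header + cmds
```

Binaries built for 10.8 and later use LC_MAIN instead of LC_UNIXTHREAD, so the same check there would compare the LC_MAIN entry offset against the segments' file ranges.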

When the dropper runs successfully, it hides the following files in the user’s home directory (in the Library/Preferences folder), inside a fake application bundle called

  • 1 backdoor: 8oTHYMCj.XIl (32-bit)
  • 1 configuration file: ok20utla.3-B
  • 2 kernel extensions: Lft2iRjk.7qa (32-bit) and 3ZPYmgGV.TOA (64-bit)
  • 1 scripting addition: EDr5dvW8.p_w (FAT)
  • 1 XPC service: GARteYof._Fk (FAT)
  • 1 TIFF image, a System Preferences icon ripped from the Linkinus preferences panel: q45tyh

Then it executes the backdoor and finishes the installation by creating a LaunchAgent file,

Similar to OSX/Crisis.B, this binary is obfuscated using the MPress packer. It doesn’t run on OS X 10.9 because it is linked against Apple’s private System Profiler framework, SPSupport, which is now 64-bit only; an “Image not found” exception is raised, and then it crashes. Furthermore, on a supported target, the backdoor simply uninstalls its files and quits. This could be related to a corrupted configuration file (the one in this sample starts with NULL bytes).

Other than a few new tricks, features implemented by the backdoor component are similar to previous variants: it patches the Activity Monitor application to hide itself, takes screenshots, captures audio and video, gathers user locations, connects to WiFi hotspots, syncs collected data with a Command and Control (C&C) server, and tricks the user using social engineering to gain System Administrator privileges and drop its rootkit.

At the time of this writing, the overall detection rate on VirusTotal is very low.

Intego VirusBarrier with up-to-date malware definitions protects Mac users against this malware, detected as OSX/Crisis.C.

Wednesday, January 22, 2014

Digitally signed data-stealing malware targets Mac users in "undelivered courier item" attack

Our colleagues at SophosLabs pointed us at an interesting item of malware the other day, namely a data-stealing Trojan aimed at Mac users.
In fact, it was somewhat more than that: it was one of those "undelivered courier item" emails linking to a dodgy web server that guessed whether you were running Windows or OS X, and targeted you accordingly.
You're probably familiar with "undelivered item" scams.
The idea is surprisingly simple: you receive an email that claims to be a courier company that is having trouble delivering your article.
In the email is a link to, or an attachment containing, what purports to be a tracking note for the item.
You are invited to review the relevant document and respond so that delivery can be completed.
We've seen a wide variety of courier brands "borrowed" for this purpose, including DHL, the UK's Royal Mail and even, in one bewildering case, a made-up courier company called TNS24, with its very own website, featuring its very own amusingly ill-Photoshopped planes, ships and automobiles.
But a competently-executed courier scam can be fairly convincing, especially if the criminals behind it know enough about you to create what becomes a targeted attack.
Even a modest amount of detail (if that is not an oxymoron) can do the trick.
For example, the crooks will sound a lot more believable if they know your address and phone number; are aware of what you do in your job; and have a general idea about some of the projects you are working on right now.
Of course, if you open the attachment or click on the link in one of these scams, you are immediately put into harm's way: the attachment might try to trigger an exploit in your unpatched copy of Word, for instance, or the link might attack an unpatched Java plugin in your browser.
Here's what the emails looked like in this attack, with some details changed or redacted for safety:
We wish to inform you that we have a pending parcel for the past 10 days bearing your name Mr. Jonathan Sidebottom, with parcel number (MV-45-QA566). The parcel was sent for delivery on the below mentioned address but nobody was there to receive it. Your parcel content has a set of engineering documents, which was discovered during our security checks of parcels brought into our head office. So, we are sending you a scanned copy of that parcel. Give your positive response, if it belongs to you.
If you are a native speaker of English, you will notice that the wording of the email is clumsy and unidiomatic, and if you were to receive a message like this you might well be suspicious on those grounds alone.
But if Mr Sidebottom really is in the engineering business, and regularly deals with inbound documents from courier companies around the world, an email of this sort could easily pass muster.
The link, of course, doesn't really lead to, but instead takes you to a domain name that is controlled by the attackers.
If you are on a mobile device, the server delivers an error message.
If you are using a desktop browser that isn't Safari, you receive a ZIP file containing a Windows program detected by Sophos Anti-Virus as Mal/VBCheMan-C, a vague relative of the Zbot or Zeus malware.
But if you are using Safari, you receive Mac malware, delivered as an Application bundle packaged inside a ZIP file.
By default, on OS X 10.9.1 (the latest update to Mavericks, Apple's most recent operating system version), Safari directly downloads the file, showing you an empty Safari window with the icon of the downloaded file in the Dock at the bottom of the screen:
Clicking on the download button shows you what looks like a PDF file:
There is no PDF file, as a visit to the Terminal window quickly reveals.
Safari has automatically unzipped the download, producing an Application bundle (actually just a subdirectory tree with a special structure) that has deliberately been given a PDF icon:
As you can imagine, the temptation is to click on what looks like a PDF file to see what it contains.
OS X does try to advise you that you aren't opening a document, although you can argue that the warning would be more compelling if it explicitly said that you were about to "run a software program", rather than merely to "open" the file:
Note that you don't get a warning about the App being from an "unknown developer" because it is digitally signed, something that happens surprisingly often with modern malware.
The quantity of digitally-signed malware in circulation prompted Microsoft, which sees a lot more malware than Apple, to publish a recent blog post with the uncompromising title "Be a real security pro - Keep your private keys private." In that article, Microsoft documents a malware family it calls "Winwebsec", of which it has more than 15,000 digitally-signed samples, signed with 12 different stolen keys.
If you do click the [Open] button, nothing seems to happen: you end up back at the desktop with your email software open and an empty Safari window in front of it.
But a trip back to the Terminal shows that what looked like a PDF file is now running in the background as a process named foung:
As it happens, foung, like its counterpart delivered to Windows computers, is a bot, short for "robot malware", detected by Sophos Anti-Virus as OSX/LaoShu-A.
LaoShu-A as good as hands control of your Mac over to the attackers, but its primary functions appear to be more closely associated with data stealing than with co-opting you into a traditional money-making botnet.
(You will often hear the term RAT, or Remote Access Trojan, rather than the more common term bot, used to describe this sort of malware.)
In other words, the attackers seem more concerned with digging around on your computer for what they can steal than with abusing your computer and your internet connection to aid and abet other cybercriminal activities.
Amongst other things, LaoShu-A contains code to:
  • Search for files with extensions such as DOC, DOCX, XLS, XLSX, PPT and PPTX.
  • ZIP those files.
  • Upload (exfiltrate) them to a server operated by the attackers.
However, this RAT also knows how to:
  • Download new files.
  • Run arbitrary shell commands.
For example, during our tests, LaoShu-A downloaded a second application that took a screenshot with OS X's built-in screencapture command, and tried to exfiltrate the image it had just grabbed.
But the behaviour of that second application can be varied by the attackers at any time, which is why, in our recent podcast, Understanding botnets, SophosLabs expert James Wyke warned as follows:
Without analysing the full network capture of the entire interchange between a bot and the person controlling it, you can't say for sure exactly what that bot might have done... [it] might go and download some completely different piece of malware which carries out a completely different set of functionality.
James went on to recommend:
Be more suspicious of things you get in e-mail. E-mail is still one of the most common ways people get infected, and it is predominantly through social engineering attacks... So when you receive an e-mail from someone you've never heard of before, or you've never communicated with before, and there's some interesting attachment to the e-mail or [a link to click], ...don't do that! That's one of the most common ways people get infected.
Let's hope this malware reminds OS X users of a few simple truths that some Mac fans still seem willing to ignore:
  • Mac malware is unusual, but not impossible.
  • Data thieves are interested in what Mac users have on their computers.
  • Malware writers can often get their hands on digital certificates to give software a veneer of respectability and to bypass operating system warnings.
  • Mac malware doesn't have to ask for a password before running.
  • Mac malware can run directly from a download without an installation step.
  • Bots and RATs are particularly pernicious because they can update and adapt their behaviour after you are infected.
As always, prevention is better than cure.
And that "undelivered courier item" almost certainly doesn't exist.

Saturday, January 11, 2014

Flashback trojan still infecting 22,000 Macs

A screenshot of an Apache server log showing infected Macs connecting to a Flashback command and control server. The user agent and referrer strings, which claim the clients are Windows NT 6.1 machines, are set by Flashback; Intego has confirmed that the machines are, in fact, infected Macs.

The Flashback trojan that hijacked well over 500,000 Macs at its peak is still clinging to life, with about 22,000 infected machines in recent days, a security researcher said.

The compromised Macs were observed connecting to command and control servers that had been "sinkholed"—meaning taken over for research or security purposes—by analysts from security firm Intego. During a five-day period ending January 7, 22,000 Flashback-infected computers reported to server domains recently acquired by Intego, Arnaud Abbati, a researcher with the company, wrote in a blog post. Those machines could be maliciously controlled by anyone who has access to one of the many domain names programmed into a Flashback algorithm, assuming they know how the internals of the malware work.

Flashback first came to light in 2011 when it took hold of people's machines by masquerading as a legitimate installer of Adobe's ubiquitous Flash media player. By early 2012, Flashback morphed from a socially engineered threat to one that performed surreptitious drive-by attacks by exploiting vulnerabilities in Oracle's Java software framework. Flashback was among the most sophisticated pieces of malware ever to target mainstream Mac users.

Self-encryption made it tough for researchers to reverse engineer or hijack the malware. Flashback was used primarily as a "click fraud" tool that caused infected Macs to view sponsored links that had the potential to generate millions of dollars in fraudulent ad revenue. It also had the ability to do much more, including sending spam, engaging in denial-of-service attacks, or logging passwords. Ars has published articles showing how to detect and remove Flashback here and here.

One Flashback capability included the ability to periodically generate a new set of domains that infected Macs would report to. To prevent Flashback operators from losing control of their machines, the malware was programmed to check a new pseudo-randomly generated domain each day in five separate top-level domains (TLDs). In an e-mail, Abbati explained:

"An infected Mac tries to contact the same domain on five TLDs (.com, .net, .info, .in, .kz) until it finds one correct bot response. To block that chain you can't just buy the .com; there is a chance the hacker will test for all TLDs and purchase and use the others for malicious activity. The process is that the server answers back the infected Mac with secret data to prove that it is a Flashback botnet controller. After that handshake, the network packets are encrypted with the unique identifier given by the infected Mac on the first request to the C&C server. Then the server sends commands over the network to execute on the infected Mac, commands that can be: update your code with an external executable (by downloading it), execute a system command, launch a process, send local files from the infected Mac, etc. To resume, after the handshake with the secret data, the botnet server has full control over the infected Mac."
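The TLD walk Abbati describes is visible to a defender without knowing the domain-generation algorithm: an infected host resolves one generated label under .com, .net, .info, .in and .kz in quick succession. The Python below is an added example (not Intego's code and not Flashback's algorithm, which is not reproduced here) that scans resolver query-log lines for a client resolving the same label under at least three of those five TLDs within a short window. The log format (`<epoch> <client-ip> <name>`) and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# TLDs the bot walks through for each day's generated name, per Abbati's description above.
FLASHBACK_TLDS = {"com", "net", "info", "in", "kz"}

# Assumed resolver query-log format (constructed for this example): "<epoch> <client-ip> <name>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")

def split_label(name):
    """Return (second-level label, tld) for a bare 'label.tld' name, else None."""
    parts = name.rstrip(".").lower().split(".")
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]

def find_tld_walks(lines, window=60, min_tlds=3):
    """Flag (client, label) pairs that resolve the same label under at least `min_tlds`
    of the Flashback TLD set within `window` seconds. Returns {(client, label): [tlds]}."""
    seen = defaultdict(list)  # (client, label) -> [(ts, tld)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, name = int(m.group(1)), m.group(2), m.group(3)
        parsed = split_label(name)
        if parsed and parsed[1] in FLASHBACK_TLDS:
            seen[(client, parsed[0])].append((ts, parsed[1]))
    hits = {}
    for key, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            tlds = {tld for ts, tld in events[i:] if ts - t0 <= window}
            if len(tlds) >= min_tlds:
                hits[key] = sorted(tlds)
                break
    return hits

SAMPLE_LOG = [  # constructed lines, not real traffic
    "1389052800 10.0.0.7 xk3q9zd.com.",
    "1389052801 10.0.0.7 xk3q9zd.net.",
    "1389052802 10.0.0.7 xk3q9zd.info.",
    "1389052803 10.0.0.7 xk3q9zd.in.",
    "1389052804 10.0.0.7 xk3q9zd.kz.",
    "1389052810 10.0.0.9 example.com.",      # two TLDs is ordinary, stays below threshold
    "1389052811 10.0.0.9 example.net.",
    "1389052812 10.0.0.9 www.apple.com.",    # three labels: not a bare label.tld, ignored
]
```

The threshold of three TLDs is a tuning choice: legitimate sites are commonly registered under .com and .net, so a two-TLD match would be noisy, while the .in and .kz legs are what make this walk distinctive.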

Abbati went on to say that Apple countered the threat by reverse engineering the domain-generation algorithm and buying all of the names through the end of 2013. That prevented him or anyone else outside of Apple from monitoring the Flashback botnet. Then, at the beginning of the year, Apple failed to purchase some of the domain names, making it possible once again for Intego to peer into the inner workings of Flashback. Over the past few days, Apple has bought all of the 2014 domains. Abbati said that's a good thing for the safety of those who remain infected.

"With the number of computers still infected," he explained, "it’s conceivable that someone with malicious intent could also crack the algorithm, buy the domains, and use them to instruct the computers into nefarious action."

Friday, January 10, 2014

82% of enterprise Mac users not getting security updates

Last week I saw a post by Computerworld journalist Gregg Keizer about the fragmentation of OS X versions and how it flew in the face of Apple's plans to unite users onto OS X Mavericks.

I have worked with Gregg for years and immediately began to think of the security implications.

Paul Ducklin wrote of the security fixes included in Mavericks, but strangely it appeared that Apple had not released similar fixes for OS X 10.6, 10.7 and 10.8.

The Net Applications data Gregg quoted was interesting, but I thought I would look into how Sophos customers have approached Mavericks.

Enterprise IT departments are often far more hesitant to deploy new operating system versions quickly, and this time that hesitancy might come with some rather risky security consequences.

As you can see in the charts, 55% of Sophos Anti-Virus for Mac Home Edition (Free!) users have upgraded to OS X Mavericks, whereas only 18% of enterprise users have jumped on board.

After only 77 days these numbers reflect one of the highest adoption rates of a new OS I have seen. Unfortunately, that may not be good enough.

Without saying it in so many words, or any words for that matter, Apple appears to have stopped releasing security updates for OS X 10.6.8, 10.7.5 and 10.8.5.

It is a nice gesture that OS X 10.9 Mavericks is a free upgrade, but not everyone can upgrade. OS X 10.8 Mountain Lion has only been available for 15 months and is apparently already orphaned.

Microsoft has been taking heat for discontinuing Windows XP after supporting it for more than 12 years. I think Apple might be able to do a little better than 15 months.

If you are an Apple user, please update to OS X Mavericks or if you can't, perhaps install Windows 7 or Linux.

If you must run an older version of OS X, you may want to follow the advice Duck and I had in a recent Techknow for Windows XP users to minimize the risk of compromise.