Vulnerabilities / Threats
5/3/2011
02:53 PM

Apple Macs Targeted By Crimeware Toolkit

Mac OS X now faces a do-it-yourself botnet kit as well as a fake antivirus campaign seeded through Google image searches on Osama bin Laden.

Malware aimed at Macs has unexpectedly spiked in the early days of May. For starters, security experts are warning that the first-ever automated do-it-yourself crimeware kit that targets Apple OS X computers is now for sale on underground forums.

"Detailed information about this crimeware kit is not being leaked publicly and the authors of the kit are obviously trying to stay below the radar, allowing only vetted users of the forums to see most of the content," according to a Tuesday blog post from Peter Kruse, partner and security specialist at Danish information security firm CSIS Security Group. The crimeware toolkit is marketed as "Weyland-Yutani BOT" and retails for $1,000. Its creators have also promised forthcoming versions for Linux and the iPad.

Based on videos obtained by CSIS, Kruse said that the toolkit appears to be fully operational. "In the same way as several other DIY crimeware kits designed for PCs, this tool consists of a builder, an admin panel, and supports encryption," he said. "The Weyland-Yutani BOT supports Web injects and form grabbing in Firefox; however both Chrome and Safari will soon follow. The webinjects templates are identical to the ones used in Zeus and [SpyEye]."
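The Zeus webinject format Kruse refers to is public and simple: a `set_url` mask with flags, then `data_before`, `data_after` and `data_inject` blocks, and the bot splices the injected HTML into the page between the two anchors before the browser renders it. The following is an added illustration, not code from the Weyland-Yutani kit, from CSIS or from Zeus, of how such a template is parsed and applied, and what the result looks like to a defender who compares the rendered page with what the server sent. The template, hostname and login page are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed Zeus-style webinject template. Hostname and markup are made up.
SAMPLE_WEBINJECTS = """\
set_url https://bank.example.test/login* GP
data_before
<input type="password" name="password">
data_end
data_after
data_end
data_inject
<input type="text" name="pin" placeholder="ATM PIN">
data_end
"""

# Constructed login page, as the bank's server would send it.
SAMPLE_LOGIN_PAGE = """\
<html><body>
<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="password">
<input type="submit" value="Sign in">
</form></body></html>
"""


@dataclass
class WebInject:
    url_mask: str     # URL pattern; '*' is a wildcard
    flags: str        # G = apply on GET, P = apply on POST (other Zeus flags ignored here)
    before: str = ""  # page text that must precede the injection point
    after: str = ""   # page text that must follow it (empty: insert right after 'before')
    inject: str = ""  # HTML spliced in between the two anchors


def parse_webinjects(text):
    """Parse a Zeus-style webinjects file into WebInject records."""
    injects, section, buf = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url"):
            parts = line.split()
            injects.append(WebInject(parts[1], parts[2] if len(parts) > 2 else "GP"))
        elif line in ("data_before", "data_after", "data_inject"):
            section, buf = line, []
        elif line == "data_end" and section is not None and injects:
            setattr(injects[-1], section[len("data_"):], "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(raw)
    return injects


def _mask_to_regex(mask):
    """Turn a Zeus mask ('*' = anything) into a regex; everything else is literal."""
    return re.compile(re.escape(mask).replace(r"\*", ".*?"), re.DOTALL)


def apply_webinjects(url, html, injects, method="GET"):
    """Rewrite `html` the way an infected browser would before rendering it."""
    for inj in injects:
        if method[0] not in inj.flags or not _mask_to_regex(inj.url_mask).fullmatch(url):
            continue
        m_before = _mask_to_regex(inj.before).search(html) if inj.before else None
        if inj.before and not m_before:
            continue                      # anchor not on this page; nothing to do
        start = m_before.end() if m_before else 0
        end = start
        if inj.after:
            m_after = _mask_to_regex(inj.after).search(html, start)
            if not m_after:
                continue
            end = m_after.start()
        html = html[:start] + "\n" + inj.inject + html[end:]
    return html


def form_field_names(html):
    """Names of <input> fields in a page: what a defender compares against the server's copy."""
    return set(re.findall(r'<input[^>]*\bname="([^"]+)"', html))


def injected_fields(server_html, browser_html):
    """Fields the user sees that the server never sent."""
    return form_field_names(browser_html) - form_field_names(server_html)


if __name__ == "__main__":
    injects = parse_webinjects(SAMPLE_WEBINJECTS)
    seen = apply_webinjects("https://bank.example.test/login?lang=en", SAMPLE_LOGIN_PAGE, injects)
    print(seen)
    print("fields the server never sent:", injected_fields(SAMPLE_LOGIN_PAGE, seen))
```

The point for defenders is the last two functions: because the injection happens inside the browser after TLS is stripped, the server sees a normal request, and the only evidence is a form field (here `pin`) that appears in the submitted data or the rendered DOM but never existed in the page the server sent.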

Kruse said the emergence of an advanced crimeware toolkit that targets Macs is "quite disturbing news since MacOS previously to some degree has been spared from the increasing amount of malware which has haunted Windows-based systems for years."

Also on Tuesday, security software vendor Intego issued a separate Apple-related warning, this one for "MACDefender," a new fake antivirus program aimed at Apple users. Such software, known as fake AV or scareware, poses as a legitimate antivirus product and reports nonexistent infections to con users into paying for it. Like much scareware, MACDefender spreads via poisoned search engine results, including searches relating to the death of Osama bin Laden.

According to a post to the SANS Internet Storm Center from Rob VandenBrink, a senior consulting engineer at Canadian consulting company Metafore, some users are reporting that the software demands $99 upon installation, payable immediately via PayPal.

The scareware arrives as a compressed zip file, downloaded automatically by script on the poisoned page. VandenBrink warned that "if you have 'Open Safe files after downloading' enabled in Safari, downloading this file will auto-install this code." That setting, which is on by default, tells Safari to open archives and disk images as soon as they finish downloading, so the installer is launched without the user ever opening the download; with it disabled in Safari's General preferences, a poisoned search result can at most leave a zip file in the Downloads folder.
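A quick way to audit that setting across a fleet is to read Safari's preference file rather than click through the UI. This is an added example, not from the article, Intego or SANS; it assumes the preference lives in `~/Library/Preferences/com.apple.Safari.plist` under the key `AutoOpenSafeDownloads` (the key `defaults write` uses for this setting) and that, as with any default-on preference, the key is absent until the user changes it. The inline plist is constructed for the example.

```python
import os
import plistlib

# Assumed location for Safari's preferences on OS X of this era. Later releases
# cache live values in cfprefsd, where
# `defaults read com.apple.Safari AutoOpenSafeDownloads` is the authority.
SAFARI_PREFS = os.path.expanduser("~/Library/Preferences/com.apple.Safari.plist")
AUTO_OPEN_KEY = "AutoOpenSafeDownloads"
REMEDIATION = "defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"

# Constructed plist as written after a user has turned the setting off.
SAMPLE_HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>AutoOpenSafeDownloads</key><false/>
</dict></plist>
"""


def parse_prefs(data):
    """Parse a plist (binary or XML) into a dict."""
    return plistlib.loads(data)


def load_safari_prefs(path=SAFARI_PREFS):
    """Read Safari's preferences; a missing or unreadable file yields {}."""
    try:
        with open(path, "rb") as fh:
            return parse_prefs(fh.read())
    except (FileNotFoundError, plistlib.InvalidFileException):
        return {}


def auto_open_enabled(prefs):
    """Effective value of 'Open safe files after downloading'.

    The key is only written once the user changes it, so an absent key
    means the default, and the default is enabled. That is the trap: a
    fresh install with no plist entry at all is the weak configuration.
    """
    return bool(prefs.get(AUTO_OPEN_KEY, True))


def audit_auto_open(prefs):
    """Return (is_weak, message) for a preferences dict."""
    if auto_open_enabled(prefs):
        return True, ("WEAK: Safari auto-opens downloaded archives and disk images, "
                      "so a drive-by zip launches its installer; fix: " + REMEDIATION)
    return False, "OK: downloads stay closed until the user opens them"


if __name__ == "__main__":
    weak, msg = audit_auto_open(load_safari_prefs())
    print(msg)
```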

According to Intego's security advisory, the risk posed by MACDefender is relatively low, and while the scareware is circulating in the wild, it's doing so in relatively small quantities.

That said, the software does a good job of disguising itself as the real deal. Furthermore, the malware can also make a major nuisance of itself. "MACDefender also opens Web pages for pornographic websites in the user's Web browser every few minutes. This is most likely to make users think that they are infected by a virus, and that paying for MACDefender will relieve them of the problem," said Intego.

While the software is relatively harmless, it's notable because until now scareware authors had not bothered to target Apple OS X computers. "In the past, these types of sites--very common vectors of Windows malware--only delivered Windows .exe applications," said Intego. "The fact that such a site is providing a Mac rogue antivirus is new, and extremely rare. While the site itself still shows a fake Windows screen, the rogue antivirus itself is a well-designed Mac application."
