Vulnerabilities / Threats

5/3/2011
02:53 PM
50%
50%

Apple Macs Targetted By Crimeware Toolkit

The OSX operating system now faces botnet software as well as a fake antivirus campaign launched via Google image searches on Osama Bin Laden.

Malware aimed at Macs has unexpectedly spiked in the early days of May. For starters, security experts are warning that the first-ever automated do-it-yourself crimeware kit that targets Apple OS X computers is now for sale on underground forums.

"Detailed information about this crimeware kit is not being leaked publicly and the authors of the kit are obviously trying to stay below the radar, allowing only vetted users of the forums to see most of the content," according to a Tuesday blog post from Peter Kruse, partner and security specialist at Danish information security firm CSIS Security Group. The crimeware toolkit is marketed as "Weyland-Yutani BOT" and retails for $1,000. Its creators have also promised forthcoming versions for Linux and the iPad.

Based on videos obtained by CSIS, Kruse said that the toolkit appears to be fully operational. "In the same way as several other DIY crimeware kits designed for PCs, this tool consists of a builder, an admin panel, and supports encryption," he said. "The Weyland-Yutani BOT supports Web injects and form grabbing in Firefox; however both Chrome and Safari will soon follow. The webinjects templates are identical to the ones used in Zeus and [SpyEye]."

Kruse said the emergence of an advanced crimeware toolkit that targets Macs is "quite disturbing news since MacOS previously to some degree has been spared from the increasing amount of malware which has haunted Windows-based systems for years."

Interestingly, on Tuesday, security software vendor Intego issued another Apple-related security warning, in this case for "MACDefender," which is new fake antivirus software that targets Apple users. Also known as fake AV or scareware, such software pretends to be legitimate antivirus software, but in fact is fake software designed to con users into paying for it. Like much scareware, MACDefender spreads via poisoned search engine results, including searches relating to the death of Osama bin Laden.

According to a post to the SANS Internet Storm Center from Rob VandenBrink, a senior consulting engineer at Canadian consulting company Metafore, some users are reporting that the software demands $99 upon installation, payable immediately via PayPal.

The scareware file arrives as a compressed zip file containing a JavaScript executable. VandenBrink warned that "if you have 'Open Safe files after downloading' enabled in Safari, downloading this file will auto-install this code."

According to Intego's security advisory, the risk posed by MACDefender is relatively low, and while the scareware is circulating in the wild, it's doing so in relatively small quantities.

That said, the software does a good job of disguising itself as the real deal. Furthermore, the malware can also make a major nuisance of itself. "MACDefender also opens Web pages for pornographic websites in the user's Web browser every few minutes. This is most likely to make users think that they are infected by a virus, and that paying for MACDefender will relieve them of the problem," said Intego.

While the software is relatively harmless, it's interesting because to date no scareware creators have bothered to target Apple OS X computers. "In the past, these types of sites--very common vectors of Windows malware--only delivered Windows .exe applications," said Intego. "The fact that such a site is providing a Mac rogue antivirus is new, and extremely rare. While the site itself still shows a fake Windows screen, the rogue antivirus itself is a well-designed Mac application."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Email, Social Media Still Security Nightmares
Dark Reading Staff 6/15/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12526
PUBLISHED: 2018-06-21
Telesquare SDT-CS3B1 and SDT-CW3B1 devices through 1.2.0 have a default factory account. Remote attackers can obtain access to the device via TELNET using a hardcoded account.
CVE-2018-1253
PUBLISHED: 2018-06-21
RSA Authentication Manager Operation Console, versions 8.3 P1 and earlier, contains a stored cross-site scripting vulnerability. A malicious Operations Console administrator could potentially exploit this vulnerability to store arbitrary HTML or JavaScript code through the web interface. When other ...
CVE-2018-1254
PUBLISHED: 2018-06-21
RSA Authentication Manager Security Console, versions 8.3 P1 and earlier, contains a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim Security Console administrator to supply malicious HTML or JavaScript...
CVE-2018-12615
PUBLISHED: 2018-06-21
An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly, leaving it up to randomness (i.e., uninitialized memory) which supplementary groups are actually being set while lowering privileges.
CVE-2016-10723
PUBLISHED: 2018-06-21
** DISPUTED ** An issue was discovered in the Linux kernel through 4.17.2. Since the page allocator does not yield CPU resources to the owner of the oom_lock mutex, a local unprivileged user can trivially lock up the system forever by wasting CPU resources from the page allocator (e.g., via concurre...