Vulnerabilities / Threats
5/3/2011
02:53 PM
Connect Directly
RSS
E-Mail
50%
50%

Apple Macs Targetted By Crimeware Toolkit

The OSX operating system now faces botnet software as well as a fake antivirus campaign launched via Google image searches on Osama Bin Laden.

Malware aimed at Macs has unexpectedly spiked in the early days of May. For starters, security experts are warning that the first-ever automated do-it-yourself crimeware kit that targets Apple OS X computers is now for sale on underground forums.

"Detailed information about this crimeware kit is not being leaked publicly and the authors of the kit are obviously trying to stay below the radar, allowing only vetted users of the forums to see most of the content," according to a Tuesday blog post from Peter Kruse, partner and security specialist at Danish information security firm CSIS Security Group. The crimeware toolkit is marketed as "Weyland-Yutani BOT" and retails for $1,000. Its creators have also promised forthcoming versions for Linux and the iPad.

Based on videos obtained by CSIS, Kruse said that the toolkit appears to be fully operational. "In the same way as several other DIY crimeware kits designed for PCs, this tool consists of a builder, an admin panel, and supports encryption," he said. "The Weyland-Yutani BOT supports Web injects and form grabbing in Firefox; however both Chrome and Safari will soon follow. The webinjects templates are identical to the ones used in Zeus and [SpyEye]."

Kruse said the emergence of an advanced crimeware toolkit that targets Macs is "quite disturbing news since MacOS previously to some degree has been spared from the increasing amount of malware which has haunted Windows-based systems for years."

Interestingly, on Tuesday, security software vendor Intego issued another Apple-related security warning, in this case for "MACDefender," which is new fake antivirus software that targets Apple users. Also known as fake AV or scareware, such software pretends to be legitimate antivirus software, but in fact is fake software designed to con users into paying for it. Like much scareware, MACDefender spreads via poisoned search engine results, including searches relating to the death of Osama bin Laden.

According to a post to the SANS Internet Storm Center from Rob VandenBrink, a senior consulting engineer at Canadian consulting company Metafore, some users are reporting that the software demands $99 upon installation, payable immediately via PayPal.

The scareware file arrives as a compressed zip file containing a JavaScript executable. VandenBrink warned that "if you have 'Open Safe files after downloading' enabled in Safari, downloading this file will auto-install this code."

According to Intego's security advisory, the risk posed by MACDefender is relatively low, and while the scareware is circulating in the wild, it's doing so in relatively small quantities.

That said, the software does a good job of disguising itself as the real deal. Furthermore, the malware can also make a major nuisance of itself. "MACDefender also opens Web pages for pornographic websites in the user's Web browser every few minutes. This is most likely to make users think that they are infected by a virus, and that paying for MACDefender will relieve them of the problem," said Intego.

While the software is relatively harmless, it's interesting because to date no scareware creators have bothered to target Apple OS X computers. "In the past, these types of sites--very common vectors of Windows malware--only delivered Windows .exe applications," said Intego. "The fact that such a site is providing a Mac rogue antivirus is new, and extremely rare. While the site itself still shows a fake Windows screen, the rogue antivirus itself is a well-designed Mac application."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3304
Published: 2014-10-30
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.

CVE-2013-7409
Published: 2014-10-30
Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file.

CVE-2014-3446
Published: 2014-10-30
SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter.

CVE-2014-3584
Published: 2014-10-30
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

CVE-2014-3623
Published: 2014-10-30
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vect...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.