Vulnerabilities / Threats
7/26/2011
01:21 PM
50%
50%

Apple OS X Targeted By Remote Backdoor Malware

Researchers say a remote-controlled Trojan application, known as the Olyx backdoor, is going after OS X devices.

Apple WWDC Visual Tour: First Look At iCloud, Lion, iOS 5, And More
Slideshow: Apple WWDC Visual Tour: First Look At iCloud, Lion, iOS 5, And More
(click image for larger view and for slideshow)
Apple has recently released a slew of product updates, some timed to coincide with the release of its new OS X 10.7 Lion operating system. But illustrating the rapid pace at which malware evolves, on Monday, security researchers began reporting seeing a new, remote-controlled Trojan application now targeting Apple OS X.

The malware, known as the Olyx backdoor, resembles GhostNet, first seen in 2009, which targeted older versions of Windows. The new version, however, contains a malicious executable which is decidedly Mac-focused. It also includes a signed digital certificate to help it evade defenses.

Using the digital certificate, the malware "installs and runs in the background without root or administrator privileges," according to a blog post from Meths Ferrer at the Microsoft Malware Protection Center.

The application disguises itself as a Google application support file, then remains dormant until the infected user logs in. At that point, "the backdoor initiates a remote connection request to IP address 121.254.173.57, where it continues to make attempts until established," said Ferrer. Then, once the malware connects, "the remote attacker may take advantage of the backdoor file management feature which allows it to upload, download, and navigate through files and [directories]." But he said the valid digital certificate used by Olyx has now been revoked, which should neuter the attack.

Despite the emergence of the new, remote-controlled Olyx backdoor, malware that targets Apple OS X remains rare, despite a small spike in May, when security experts reported seeing the first-ever Apple crimeware pack appear. That same month, fake antivirus software known as "MACDefender" appeared, also targeting Apple OS X users. Ultimately, Apple hardcoded a patch into its operating system to block the fake AV software.

In other Apple patching news, last week the company released a massive Apple OS X security update, fixing 57 vulnerabilities in Safari, 46 of which might lead to remote code execution.

"The sheer number of vulnerabilities being patched in Safari is mind boggling," said Andrew Storms, director of security operations for nCircle, via email. "Microsoft and Oracle definitely release ... big patches, but the fixes they ship generally apply to many different applications and operating systems. This is a vast number of bugs for just Safari alone. There are so many code execution bugs alone I've gone cross-eyed."

Last week, Apple also released an iOS patch for iPhone, iPad, and iPod Touch devices, addressing a zero-day PDF vulnerability that could be used to remotely jailbreak the devices.

But that update was superseded by the new iOS 4.3.5 update, released on Monday. According to a blog post from Chester Wisniewski, a senior security advisor at Sophos Canada, "this update fixes a flaw in X.509 certificate handling and could allow attackers to intercept SSL/TLS secure connections from iDevices."

As with all iOS updates, the fix can be downloaded only from within iTunes.

Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas. Find out more and register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.