Vulnerabilities / Threats
7/26/2011
01:21 PM
50%
50%

Apple OS X Targeted By Remote Backdoor Malware

Researchers say a remote-controlled Trojan application, known as the Olyx backdoor, is going after OS X devices.

Apple WWDC Visual Tour: First Look At iCloud, Lion, iOS 5, And More
Slideshow: Apple WWDC Visual Tour: First Look At iCloud, Lion, iOS 5, And More
(click image for larger view and for slideshow)
Apple has recently released a slew of product updates, some timed to coincide with the release of its new OS X 10.7 Lion operating system. But illustrating the rapid pace at which malware evolves, on Monday, security researchers began reporting seeing a new, remote-controlled Trojan application now targeting Apple OS X.

The malware, known as the Olyx backdoor, resembles GhostNet, first seen in 2009, which targeted older versions of Windows. The new version, however, contains a malicious executable which is decidedly Mac-focused. It also includes a signed digital certificate to help it evade defenses.

Using the digital certificate, the malware "installs and runs in the background without root or administrator privileges," according to a blog post from Meths Ferrer at the Microsoft Malware Protection Center.

The application disguises itself as a Google application support file, then remains dormant until the infected user logs in. At that point, "the backdoor initiates a remote connection request to IP address 121.254.173.57, where it continues to make attempts until established," said Ferrer. Then, once the malware connects, "the remote attacker may take advantage of the backdoor file management feature which allows it to upload, download, and navigate through files and [directories]." But he said the valid digital certificate used by Olyx has now been revoked, which should neuter the attack.

Despite the emergence of the new, remote-controlled Olyx backdoor, malware that targets Apple OS X remains rare, despite a small spike in May, when security experts reported seeing the first-ever Apple crimeware pack appear. That same month, fake antivirus software known as "MACDefender" appeared, also targeting Apple OS X users. Ultimately, Apple hardcoded a patch into its operating system to block the fake AV software.

In other Apple patching news, last week the company released a massive Apple OS X security update, fixing 57 vulnerabilities in Safari, 46 of which might lead to remote code execution.

"The sheer number of vulnerabilities being patched in Safari is mind boggling," said Andrew Storms, director of security operations for nCircle, via email. "Microsoft and Oracle definitely release ... big patches, but the fixes they ship generally apply to many different applications and operating systems. This is a vast number of bugs for just Safari alone. There are so many code execution bugs alone I've gone cross-eyed."

Last week, Apple also released an iOS patch for iPhone, iPad, and iPod Touch devices, addressing a zero-day PDF vulnerability that could be used to remotely jailbreak the devices.

But that update was superseded by the new iOS 4.3.5 update, released on Monday. According to a blog post from Chester Wisniewski, a senior security advisor at Sophos Canada, "this update fixes a flaw in X.509 certificate handling and could allow attackers to intercept SSL/TLS secure connections from iDevices."

As with all iOS updates, the fix can be downloaded only from within iTunes.

Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas. Find out more and register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1375
Published: 2015-01-28
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.

CVE-2015-1376
Published: 2015-01-28
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.

CVE-2015-1419
Published: 2015-01-28
Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.

CVE-2014-5211
Published: 2015-01-27
Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.

CVE-2014-8154
Published: 2015-01-27
The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overf...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.