Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Apple OS X Targeted By Remote Backdoor Malware

Researchers say a remote-controlled Trojan application, known as the Olyx backdoor, is going after OS X devices.

Apple WWDC Visual Tour: First Look At iCloud, Lion, iOS 5, And More
Slideshow: Apple WWDC Visual Tour: First Look At iCloud, Lion, iOS 5, And More
(click image for larger view and for slideshow)
Apple has recently released a slew of product updates, some timed to coincide with the release of its new OS X 10.7 Lion operating system. But illustrating the rapid pace at which malware evolves, on Monday, security researchers began reporting seeing a new, remote-controlled Trojan application now targeting Apple OS X.

The malware, known as the Olyx backdoor, resembles GhostNet, first seen in 2009, which targeted older versions of Windows. The new version, however, contains a malicious executable which is decidedly Mac-focused. It also includes a signed digital certificate to help it evade defenses.

Using the digital certificate, the malware "installs and runs in the background without root or administrator privileges," according to a blog post from Meths Ferrer at the Microsoft Malware Protection Center.

The application disguises itself as a Google application support file, then remains dormant until the infected user logs in. At that point, "the backdoor initiates a remote connection request to IP address 121.254.173.57, where it continues to make attempts until established," said Ferrer. Then, once the malware connects, "the remote attacker may take advantage of the backdoor file management feature which allows it to upload, download, and navigate through files and [directories]." But he said the valid digital certificate used by Olyx has now been revoked, which should neuter the attack.

Despite the emergence of the new, remote-controlled Olyx backdoor, malware that targets Apple OS X remains rare, despite a small spike in May, when security experts reported seeing the first-ever Apple crimeware pack appear. That same month, fake antivirus software known as "MACDefender" appeared, also targeting Apple OS X users. Ultimately, Apple hardcoded a patch into its operating system to block the fake AV software.

In other Apple patching news, last week the company released a massive Apple OS X security update, fixing 57 vulnerabilities in Safari, 46 of which might lead to remote code execution.

"The sheer number of vulnerabilities being patched in Safari is mind boggling," said Andrew Storms, director of security operations for nCircle, via email. "Microsoft and Oracle definitely release ... big patches, but the fixes they ship generally apply to many different applications and operating systems. This is a vast number of bugs for just Safari alone. There are so many code execution bugs alone I've gone cross-eyed."

Last week, Apple also released an iOS patch for iPhone, iPad, and iPod Touch devices, addressing a zero-day PDF vulnerability that could be used to remotely jailbreak the devices.

But that update was superseded by the new iOS 4.3.5 update, released on Monday. According to a blog post from Chester Wisniewski, a senior security advisor at Sophos Canada, "this update fixes a flaw in X.509 certificate handling and could allow attackers to intercept SSL/TLS secure connections from iDevices."

As with all iOS updates, the fix can be downloaded only from within iTunes.

Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas. Find out more and register.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4095
PUBLISHED: 2019-12-10
IBM Cloud Pak System 2.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158015.
CVE-2019-4244
PUBLISHED: 2019-12-10
IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a remote attacker to gain unauthorized information and unrestricted control over Zookeeper installations due to missing authentication. IBM X-Force ID: 159518.
CVE-2019-4521
PUBLISHED: 2019-12-10
Platform System Manager in IBM Cloud Pak System 2.3 is potentially vulnerable to CVS Injection. A remote attacker could execute arbitrary commands on the system, caused by improper validation of csv file contents. IBM X-Force ID: 165179.
CVE-2019-4663
PUBLISHED: 2019-12-10
IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171245...
CVE-2019-19251
PUBLISHED: 2019-12-10
The Last.fm desktop app (Last.fm Scrobbler) through 2.1.39 on macOS makes HTTP requests that include an API key without the use of SSL/TLS. Although there is an Enable SSL option, it is disabled by default, and cleartext requests are made as soon as the app starts.