New Mac Malware Targeting Adium, Firefox, Safari (and life/sleep hacking)

Use a Mac? Worried about attacks targeted at you? Stop using an admin account for day-to-day work, and kill Java. (among other things)

This example is a high-price bit of commercial malware. (That people are willing to pay good money for attacks ought to imply the counterpoint of what market there is for better defenses.) It targets instant-messaging programs and web browsers (and patches Activity Monitor to hide itself). That it doesn’t care about email programs ought to suggest something about the security of email.

The article points out that the known infection route (Java) doesn’t work on Mac OS X Lion, implying there are still unknown infection routes. So don’t leave your laptop lying around, and practice basic hygiene. Any mechanical engineers want to design a locking plug for the Firewire port? It’d probably make a killing on Kickstarter.

Sleep hacking: Unusual side benefit I’ve noticed so far — a minor but very slowly healing injury on my foot has looked noticeably better than average on mornings after I’ve used the 555 blinkenlights gadget at night. They do say delta-wave sleep is good for healing. (Disclaimer: correlation is not causation, no medical benefits implied. “They say X is good for healing” isn’t necessarily reliable. Brain wave anything is perilously close to ‘new age’ stuff, and ‘new age’ appears to have its own Rule 37: if you can imagine it, it makes you healthier.)

That said, if you want to duplicate my 555 blinkenlights (“nighttime photic entrainment device”) to see if they help you sleep better at night… here are some more technical details I should have mentioned:

1uF capacitor from 555 pins 2 & 6 to ground
1M resistor from 555 pin 7 to pins 2 & 6
1K resistor from 555 pin 7 to V+
10nF (0.01uF) capacitor from 555 pin 5 to GND
555 pin 1 to GND
555 pins 8 & 4 to V+
(yes, basic astable timer setup)
555 pin 3 to a 2k resistor to the gate of a BC337 transistor (2.2K may work better)
V+ to a 6V/0.1A bulb to a 6V/0.4A bulb to the collector of the BC337
BC337 emitter to ground
4x 2000mAh NiMH (“low self discharge”) batteries in series between V+ and GND

Instructions for use: Use whatever’s at hand to rig up the lightbulbs so they dangle in front of your face. Turn off room lights. Go to sleep. Do not use if epileptic.
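The post never states the flash rate the parts list produces, so here is an added worked calculation (not from the original post) using the standard 555 astable datasheet formulas and the listed values: R1 = 1K (pin 7 to V+), R2 = 1M (pin 7 to pins 2 & 6), C = 1uF (pins 2 & 6 to ground). The EEG band boundaries are conventional values assumed here only for labelling the result.

```python
# Added example: timing of the 555 astable circuit in the parts list above.
# Standard 555 astable formulas (from the datasheet, using the usual 0.693
# approximation for ln 2):
#   t_high = 0.693 * (R1 + R2) * C      (output high, bulbs on)
#   t_low  = 0.693 * R2 * C             (output low, bulbs off)
#   f      = 1 / (t_high + t_low)  ~=  1.44 / ((R1 + 2*R2) * C)


def astable_timing(r1_ohms, r2_ohms, c_farads):
    """Return (t_high_s, t_low_s, frequency_hz, duty_cycle) for a 555 astable."""
    t_high = 0.693 * (r1_ohms + r2_ohms) * c_farads
    t_low = 0.693 * r2_ohms * c_farads
    period = t_high + t_low
    return t_high, t_low, 1.0 / period, t_high / period


# Conventional EEG band edges in Hz (an assumption used only for labelling).
BANDS = [("delta", 0.5, 4.0), ("theta", 4.0, 8.0),
         ("alpha", 8.0, 13.0), ("beta", 13.0, 30.0)]


def eeg_band(freq_hz):
    """Name the EEG band a flash rate falls in, or 'outside' if none match."""
    for name, lo, hi in BANDS:
        if lo <= freq_hz < hi:
            return name
    return "outside"


def blinkenlights():
    """Timing for this page's parts list: R1 = 1K, R2 = 1M, C = 1uF."""
    t_high, t_low, freq, duty = astable_timing(1_000, 1_000_000, 1e-6)
    return {
        "t_high_s": round(t_high, 3),      # ~0.694 s on
        "t_low_s": round(t_low, 3),        # ~0.693 s off
        "frequency_hz": round(freq, 3),    # ~0.72 Hz, i.e. one flash per ~1.4 s
        "duty_cycle": round(duty, 3),      # ~0.5 because R2 >> R1
        "band": eeg_band(freq),            # lands in the delta range
    }


if __name__ == "__main__":
    for key, value in blinkenlights().items():
        print(f"{key}: {value}")
```

Because R2 is a thousand times R1, the on and off times are nearly equal, and the roughly 0.7 Hz rate sits at the low end of the delta band the post refers to.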

“The threat installs itself silently (no user interaction required) and does not need your user password to infect your Apple Mac. Further analysis now shows that the malware is actually set up to spy on your browsing and instant messaging activities.

Intego, which had to update its anti-malware signatures upon discovering the threat, refers to it as “OSX/Crisis.” First, the malware arrives as a Java applet (adobe.jar, AdobeFlashPlayer.jar, or something else entirely) that relies on social engineering. Given that OS X 10.7 Lion doesn’t include Java by default, however, it’s very likely there are other ways for it to find its way onto your Mac.

Once executed, the Java applet checks to see whether it’s on Windows or OS X (as you can see in the code snippet above). Recently, cross-platform Trojans have become more and more popular (one, two, three) and are probably one of the reasons Microsoft wants you to update Java or kill it.[…]

If the dropper runs on a system with Admin permissions, it will drop a rootkit to hide itself. The malware creates 17 files when it’s run with Admin permissions, 14 files when it’s run without. Many of these are randomly named, but there are some that are consistent.[…]

Upon closer inspection, however, it turns out the backdoor patches several applications to spy on an infected user’s activities when they use those programs: Adium, Skype, Microsoft Messenger, and Firefox. It even patches the Activity Monitor to hide itself from the user.

Intego says the malware allows the person operating it to:

* Spy on Skype audio traffic and record all conversations and phone calls.
* Spy on Safari or Firefox browsers to record URLs and screenshots.
* Record IM messages in both Microsoft Messenger and Adium.
* Send file contents to the control server.

Furthermore, there are sections of code that point to this threat being part of Remote Control System (RCS), a €200,000 commercial malware package that is sold mostly in the U.S. and Europe. Since Intego has yet to see the malware in the wild (it was discovered on VirusTotal, a service for analyzing suspicious files and URLs), and since the security firm’s analysis concludes the threat is very advanced, you’re unlikely to get infected by it.”
