
Malware for OS X: the complete chronicle. The most iconic apple pests of this decade



The number of malicious programs for OS X grew along with its popularity. Few expected this (good security and the need for root created a sense of safety), but the fact can now be considered established: the more people love a system, the greater the interest in it from malicious actors, and malware begins to appear even on seemingly secure systems. Last year was especially productive in this regard. We have prepared for you a chronological description of all the most notable malware affecting Apple products. Enjoy!

Excursion into the past


According to Kaspersky Lab, the number of Mac malware samples is approaching the 1800 mark, and in the first eight months of 2014 alone about 25 new families of malware for OS X were identified.


Number of malicious files for OS X
Of course, this could not help but be affected by the fact that since 2008 the share of personal computers running this OS has grown from 4.9 to 9.3%, that is, almost doubled. The key difference between the development of malware for this platform and malware for Windows was the absence of a so-called "childish" period. That is, amateur creations existed, but there was no mass dominance of Trojans knocked together on the knee just for fun. Let us briefly list some specimens of past years.


OS distribution on desktop systems

Renepo aka Opener (October 2004)


A malicious bash script with backdoor and spyware features. Required root to work. Was able to spread via USB drives. It downloaded the John the Ripper password-cracking utility and tried to crack the passwords collected on the computer. It blocked the built-in firewall and opened a port for receiving commands from a remote host.

Leap (February 2006)


It was distributed via the iChat messenger. Having infected a computer, it sent itself to all contacts found as the archive latestpics.tgz, which after unpacking was disguised as a JPEG image. Worked only with root rights.

RSPlug aka Jahlav (October 2007)


In fact, an implementation of the DNSChanger Trojan for the Mac platform. Infection occurred when a user visited one of a number of malicious porn sites. When the user tried to watch a video, a message appeared saying that missing codecs needed to be downloaded and installed. The malicious files were downloaded as a DMG virtual disk image, and installation, again, required root rights. Afterwards the DNS server was replaced and all traffic was redirected to the attackers' phishing servers. The user was flooded with advertising, and that was only half the trouble: all credentials also ended up in the hands of the bad guys. The DNSChanger family has its roots in the Zlob family, which in turn is of Russian origin and is associated with the activities of the notorious Russian Business Network.

MacSweeper (January 2008)


The first representative of rogue software for Mac OS. It claimed to clean the computer of who knows what and demanded money for it. Developed by a certain firm KiVVi Software and distributed through their website by hidden installation alongside installers of other applications. It also had its own website, macsweeper.com, whose About section was borrowed wholesale from Symantec's site. As they say, with particular cynicism.


MacSweeper interface

Tored (April 2009)


An email worm. Written in RealBasic, it used its own SMTP implementation to send copies of itself to everyone found in the address book. It contained several bugs, which in some cases prevented it from functioning at all. The subject line of the letter contained the following: "For Mac OS X! : (If you are not on Mac, please wait for the fault and for our fault :)", in the hope that Windows users would also forward the letter to someone.

First wave


As you can see, none of these specimens inspired much fear. True, but the worst was still ahead...

FlashFake


In March 2012, Kaspersky Lab published information about a botnet consisting of about 600,000 Mac computers. All of them were infected with a Trojan called FlashFake. The name was chosen because it was disguised as an Adobe Flash Player installer. The first versions of FlashFake were discovered in September 2011. To find its command servers, FlashFake used a domain generation algorithm (DGA).

The main feature of FlashFake was that no action was now required from the Mac user, apart, of course, from visiting a site with malicious redirects. Before this, malware was disguised as installation files, and for it to succeed the user had to enter a password, which significantly reduced the risk of infection. The first version of FlashFake also went down the beaten track, but the second, which appeared in February 2012, began to use the Java Virtual Machine vulnerabilities CVE-2011-3544 and CVE-2008-5353 to install itself.

How did infection happen? Google's search results alone contained about four million web pages with redirects to a malicious JAR file. If launched successfully, the FlashFake loader located in the JAR file contacted the command center and loaded two modules. One was the main module, responsible for further interaction with the C&C and for updates; the second was used for embedding into the browser. The latest FlashFake versions were observed locating their control centers via Twitter.

Having exploited the computing power of unsuspecting users, the unidentified attackers shut up shop in May 2012; that is when the command centers ceased to function. The profit came from faking traffic to websites (advertising revenue) and manipulating search results (a website promotion service using "forbidden" black SEO methods). Mac users' faith in their "secure" platform was somewhat shaken.

Revir / Imuler


The whole of 2012 passed under the motto "more Mac Trojans for Tibet, good and varied". The first sign was the Revir/Imuler family (according to F-Secure's classification); the double name is explained as follows: Revir is the dropper, and Imuler is the backdoor (Dr.Web calls it Muxler) installed by the dropper.

Revir's distribution methods were rather primitive but effective. The infection was targeted; in fact it was an APT-class attack. Revir.A was an executable file disguised as a PDF. The Revir.B variant, like Revir.A, secretly installed Imuler.A, but was disguised as a JPG image. Revir.C also camouflaged itself as a picture, but was placed in an archive that, besides it, contained a bunch of real pictures of the Russian model Irina Shayk. The archive with Revir.D and another set of pictures already installed Imuler.B.

It was suggested that the spread of these threats was related to the Sino-Tibetan conflict and directed against various activist organizations fighting for Tibetan independence.

Crisis


The string "Crisis" was contained in the code of the next malware sample, detected by Intego in July 2012 on the well-known VirusTotal website. Crisis was a cross-platform Trojan and could be installed on computers running both Windows and Mac OS X. Infection began with the launch of a malicious Java applet called AdobeFlashPlayer.jar, which carried a digital signature made with a self-signed certificate allegedly belonging to VeriSign. Depending on the target platform, the Java applet extracted, saved to disk and launched the installation module for the Win or Mac architecture.

It should be noted that Crisis did not use any vulnerability exploits. That was quite strange, since the Mac version carried a rootkit on board to hide files and processes, and you will not install a rootkit without root rights.

Many anti-virus companies call Crisis differently: Symantec uses the "author's" name, Kaspersky Lab calls this malware Morcut, and Dr.Web calls it DaVinci, because Crisis is part of the DaVinci Remote Control System developed by the Italian company Hacking Team. Hacking Team itself positions the product as legal spyware designed for use by governments and law enforcement agencies of various states. Over time the Italians rebranded, and RCS is now called Galileo.

A researcher of Mac OS X internals known by the pseudonym reverser conducted a detailed analysis of the Mac version of Crisis and concluded that the developers' qualifications leave much to be desired. Despite the extensive spy functionality, the malware contains no new ideas, is a model of mass borrowing of third-party code, is sloppily written, and many things in it could have been done better and more efficiently.

Another interesting observation from reverser: apparently, all the detected Crisis samples date from 2012, even though they were found in 2013 and 2014.

Hackback


HackBack was originally discovered on the MacBook of an Angolan activist who attended the Freedom Forum human rights conference in Oslo. The irony of the situation was that one of the topics of the conference concerned protection from surveillance by government organizations.

The most interesting thing about HackBack is that it was signed with a valid Apple Developer ID, a certificate issued by Apple to a certain Rajinder Kumar, so HackBack has a second name: KitM (Kumar in the Mac).

HackBack was used in targeted attacks from December 2012 to February 2013 and was distributed via phishing emails containing ZIP archives. The HackBack installers hidden in these archives were Mach-O executables whose icons were replaced with icons of images, video files, PDF documents and Microsoft Word documents.

Main functionality: collecting files on the computer, taking screenshots, packing them into ZIP archives and sending them to a remote server.

Clapzok.A


In 2013 the first real virus for the Mac (and not only the Mac) was discovered. It is a proof-of-concept development illustrating the possibility of infecting the Windows, Linux and Mac platforms. It is based on the source code of a 2006 development by a certain JPanic, malware with the hard-to-pronounce name CAPZLOQ TEKNIQ v1.0, so Clapzok.A can be said to be version two. Written in assembly language.

The spread of this virus is limited by several factors. First of all, only files with 32-bit architecture are infected. In addition, many files are digitally signed, so there is no point in infecting them, since the OS X security system simply will not launch such a file.

Our days


In general, the following trends began to be observed: the use of Java and Adobe Flash vulnerabilities for installation, code signing, and the wide use of spyware in targeted attacks on users of Apple products.

In 2014, the number of new families of malware for Mac was almost the same as their total number for all the years before.

Appetite


This malware is interesting for the information hype around it. Its generic name is Careto (mask in Spanish) or The Mask. In 2014 Kaspersky Lab published a report on another advanced cyber campaign. Its sophistication lay in the use of malware for different platforms, including Windows, Linux and OS X. For Windows the modules were called dinner.jpg, waiter.jpg and chef.jpg, hence the name Appetite.
The Kaspersky Lab report, which is still available only in English, describes the Windows components in some detail, but there are questions about the description of the Mac version.

One of Careto's components was a backdoor built on the basis of an open-source netcat clone called Shadowinteger's Backdoor (SDB), developed back in 2004.

Infection with the dropper occurred when a link in a phishing email was opened; the link redirected the request to an exploit pack. In particular, it exploited Java (CVE-2011-3544) and Adobe Flash (CVE-2012-0773) vulnerabilities. The dropper file was called banner.jpg but was an executable in Mach-O format.

The dropper did the following:


SDB communicated with the remote server on port 443 and used AES encryption. Three different C&Cs were identified: itunes212.appleupdt.com, itunes214.appleupdt.com, itunes311.appleupdt.com.

Interestingly, Kaspersky Lab did not share the dropper banner.jpg with MD5 02e75580f15826d20fffb43b1a50344c with the information security community, so it is not in the VirusTotal database. The SDB backdoor is there (Trend Micro wrote a note about its traffic encryption algorithm), but the dropper is not.

It seems this is PR once again. The attackers borrowed third-party code and used fairly old exploits (though at the time of use they might not have been so old). The Adobe Flash exploit (CVE-2012-0773), by the way, has an interesting origin. It was first shown in action in 2012 by the French company VUPEN, an outfit that does not disclose information about vulnerabilities but sells it. Incidentally, Hacking Team also used this exploit.

What is the general verdict? Careto is just a commissioned job that someone is trying to present as another mega-cool development.

iWorm


Oddly enough, it is still a Trojan, not a worm. Discovered by Doctor Web in September 2014.

The dropper creates the directory /Library/Application Support/JavaW, and in this directory a file of the malware itself, also called JavaW. It also creates a configuration file named %pw_dir%/.JavaW and a file /Library/LaunchDaemons/com.JavaW.plist for autoloading.

The reddit.com website is used to obtain the addresses of its command servers. First, the current day value is calculated with the formula cur_day = year_day + 365 * year; the MD5 hash of the obtained value is computed, and the first 8 bytes of the hash are used in a query of the form www.reddit.com/search?q=<MD5_hash_first_8_bytes>.
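A defender-side check for the command-server lookup described above, as an added example (not code from the article or from Doctor Web): it scans constructed proxy log lines and flags reddit.com searches whose query is a bare hex token. It assumes the "first 8 bytes" of the MD5 appear in the URL as hex, so it accepts 8- or 16-character hex tokens; the three-field log format is also an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines in the form "<client> <method> <url>"
# (sample input for this example, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 GET http://www.reddit.com/search?q=macos+tips
10.0.0.7 GET http://www.reddit.com/search?q=3f9a2c71
10.0.0.7 GET http://www.reddit.com/search?q=3f9a2c71b0e4d112
10.0.0.9 GET http://www.reddit.com/r/apple/
10.0.0.5 GET http://www.reddit.com/search?q=deadbeef&sort=new
10.0.0.5 GET http://www.reddit.com/search?q=DEADBEEF
"""

# The article says the first 8 bytes of an MD5 go into the query; whether
# that is 8 raw bytes shown as 16 hex digits or an 8-digit hex prefix is
# an assumption, so both lengths are accepted.
HEX_TOKEN = re.compile(r"^[0-9a-f]{8}(?:[0-9a-f]{8})?$", re.IGNORECASE)


def iworm_style_query(url):
    """Return the hex token if `url` looks like the iWorm reddit lookup
    (www.reddit.com/search?q=<bare hex token>), otherwise None."""
    parts = urlsplit(url)
    if parts.hostname != "www.reddit.com" or parts.path != "/search":
        return None
    values = parse_qs(parts.query).get("q", [])
    if len(values) != 1:
        return None
    token = values[0]
    return token if HEX_TOKEN.match(token) else None


def scan_log(text):
    """Return (client, token) pairs for every log line that matches.
    Human searches (words, spaces) do not match; bare hex tokens do."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # malformed line: skip rather than crash
        client, _method, url = fields
        token = iworm_style_query(url)
        if token is not None:
            hits.append((client, token))
    return hits


def suspicious_clients(text):
    """Distinct clients that issued at least one matching lookup."""
    return sorted({client for client, _ in scan_log(text)})


if __name__ == "__main__":
    for client, token in scan_log(SAMPLE_LOG):
        print(f"{client} searched reddit for hex token {token}")
    print("clients to investigate:", suspicious_clients(SAMPLE_LOG))
```

A single hit is not proof of infection, but the same client repeating such searches daily is worth a look at /Library/Application Support/JavaW and the com.JavaW.plist launch daemon named above.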

Having established a connection with the control server, the Trojan exchanges a special set of data with it, which is used to verify the authenticity of the remote node through a series of calculations. The data sent is encrypted with the AES-256 algorithm.

The Trojan contains a built-in interpreter of the Lua scripting language. This feature allows the attackers, if necessary, to extend the Trojan's functionality by loading and executing scripts designed for specific tasks.

The set of basic backdoor commands allows the following operations:


The Trojan's binary is packed with UPX and written in C++, from which researchers conclude that the developer most likely works under Linux, since most Mac programs are written in Objective-C.

The scale of infection is about 18 thousand computers. Some confusion arises from the fact that in their description the Doctor Web staff did not bother to describe the infection vector, while the word worm is present in the name. We will fill this gap. There was no self-replication mechanism; distribution went a rather trivial way: by trojanizing popular software packages and posting them on The Pirate Bay torrent tracker. Because of this, users were not bothered by the prompt to enter a password for administrator rights. Incidentally, information about the infection method was obtained by the owner of the site The Safe Mac (thesafemac.com) by email from an anonymous sender.


Links to infected iWorm software

XSLCmd


Another malware sample used in APT-class attacks. The Mac version was found in August 2014. It is a port of the Windows reverse shell of the same name, which has been used in attacks since 2009. The XSLCmd version for OS X adds two features not available in the Windows versions: keystroke logging and screenshot capture.

Authorship is attributed to the group called GREF because of its characteristic habit of using Google Analytics code to embed scripts that redirect to an exploit pack. GREF members do not favor phishing-email attacks and prefer the watering hole technique: hacking websites popular among workers in certain industries and planting malicious JavaScript files on their pages.

GREF's targets are quite diverse, from Pentagon contractors to electronics and engineering companies, as well as foundations and non-governmental organizations, especially those with interests in Asia. Quite often the group uses the following IP ranges for its command servers: 210.211.31.x (China Virtual Telecom, Hong Kong), 180.149.252.x (Asia Datacenter, Hong Kong) and 120.50.47.x (Qala, Singapore), which raises some suspicions of Chinese involvement.

Ventir


A Mac backdoor with two keyloggers on board. Why two, one might ask? Without root rights, the dropper saved to disk the file from the _keylog section of its data area under the name EventMonitor; this implementation used the Carbon Event Manager API. It should be noted that this method does not always work correctly. For example, on the latest version at the moment, OS X 10.10, only presses of modifier keys (Ctrl, Alt, Shift, etc.) are logged, because this interface is considered obsolete.

If root rights were available, the kext.tar archive from the _kext_tar section was saved to disk, from which the following files were extracted:


This second keylogger is based on the open-source project LogKext, whose source code is available on GitHub. The driver was loaded into the kernel using the standard OS X kextload utility.

All malware files were saved in /Library/.local for root or in ~/Library/.local for a regular user (~ is the path to the current user's home folder). The backdoor was nothing out of the ordinary; here is the list of commands it supports:


As you can see, the keylogger worked independently of the backdoor; it saved its log to the file Library/.local/.logfile, which the attackers could upload to their C&C server on command.

As already mentioned, the driver-based method is much more versatile and reliable, but requires root rights. The authors probably assumed that working with root rights would be the main mode of operation of their Trojan. It is possible that the dropper was delivered to the computer by a parent application that could use exploits to elevate privileges. Unfortunately, Ventir's distribution mechanisms are still unclear.

Wirelurker


Winner of numerous epithets, including "representative of a new era of malware". Discovered and investigated in detail by Palo Alto Networks experts. Brief description: of all known Mac families that used installer trojanization, it has the highest number of infections; it is able to infect iOS devices, even those that were not jailbroken.

To spread Wirelurker, the third-party Chinese application catalog Maiyadi App Store was used. It contained 467 applications with the embedded Trojan. These applications were downloaded 356,104 times, so the Trojan was probably installed on hundreds of thousands of computers and mobile devices. The first reports of suspicious activity appeared in June 2014. The infected applications were overwhelmingly games.

The algorithm of its operation is shown in the figure; as you can see, one of the Wirelurker processes constantly monitored USB connections to the infected computer. To infect iOS devices, the Masque vulnerability was used.


Algorithm of Wirelurker

There were three versions of Wirelurker. Wirelurker.A was simply contained in the installers; its distribution began on April 30, 2014. A week later, on April 7, Wirelurker.B began to spread from the command servers. Since August 2014, Wirelurker was already being downloaded from the C&C. The main differences between the versions:


The latest version implemented two methods of infecting iOS devices. First, Wirelurker determined the jailbreak status by accessing the iOS service called AFC2 (com.apple.afc2), which is the standard interface for jailbreak utilities. If the AFC2 service was present, the sfbase.dylib file was downloaded to the mobile device.

In addition, for jailbroken devices the following operations were performed:


For devices without a jailbreak another method was used: an application signed with an enterprise certificate was downloaded to the computer; Apple issues such certificates to companies for signing corporate applications. It is usually not difficult to obtain such a certificate, which attackers can actively exploit.

The malicious file sfbase.dylib was the main backdoor that interacted with the C&C. In particular, data from the address book and SMS texts were sent to the control server.

Information about the device itself was sent by the main Wirelurker module; this included:


The built-in applications sent their name and serial number to the C&C, which allowed the attackers to track the infection dynamics of mobile devices.

By the way, the developers did not remain free for long after their misdeeds. According to a report by the Beijing Municipal Bureau of Public Security, in late autumn Chinese law enforcement authorities arrested three alleged developers and distributors of Wirelurker. Investigators revealed only the suspects' surnames: Wang, Lee and Chen. The Chinese anti-virus company Qihoo 360 Technology contributed greatly to the capture of the intruders.

Conclusion


The whole of 2014 was particularly "fruitful" for new Mac malware. The following characteristics of the current period of Apple malware development can be distinguished:


All this, coupled with the strange policy of Apple, which in March removed several anti-virus applications from the App Store, and the particular obstinacy of individual fans of its products along the lines of "we have no malware", makes us suspect that everything is just beginning.


Published in the magazine "Hacker" #196.

Source: https://habr.com/ru/post/260879/

