The magical virus-proof Apple operating systems have had a rough couple of weeks. Apple (AAPL) released security updates for OS X Lion and Snow Leopard, iOS, Numbers for iOS, and Pages for iOS. UK-based security company Sophos says that the OS X patch addressed 75 known vulnerabilities. Most of the vulnerabilities could lead to arbitrary code execution, while others lead to denial of service or privilege escalation. The bug fix weighs in at a whopping 880MB with recovery download.
Next Apple released a gargantuan update to iTunes for Windows that fixes 79 vulnerabilities. Sophos reports that the patch fixes 73 holes that could cause remote code execution in WebKit, used to render HTML content. Other fixes resolve remote code execution bugs.
Despite the huge patches, cyber-criminals have figured out how to disable the rudimentary anti-virus protection XProtect Apple has built into Mac OS X by enhancing an existing trojan horse Flashback. The Flashback trojan leaves the Mac vulnerable by preventing XProtect from receiving security definition updates. Sophos makes the point that Mac malware writers are eager to infect Apple computers because of the potential financial rewards.
The Mac malware authors are not resting on their laurels. Within days, of spotting Flashback in the wild, Sophos reported that Tsunami, a new backdoor trojan horse for Mac OS X, had been discovered. Sophos indicates that the new Mac malware may be a port of Kaiten, a Linux backdoor Trojan horse that uses an IRC channel for instructions.
Code like this is used to commandeer compromised computers into a DDoS (distributed denial-of-service) attack, flooding a website with traffic. ESET notes that as well as enabling DDoS attacks, the backdoor can enable a remote user to download files, such as more malware or updates to the Tsunami code. The malware can also execute shell commands, giving it the ability to essentially take control of the affected Mac.
Only a few more days passed before the DevilRobber (Miner-D) Mac OS X Trojan horse was discovered. DevilRobber was embedded in hacked versions of Mac OS X image editing app GraphicConverter version 7.4 distributed via file-sharing torrent sites such as PirateBay. Miner-D tries to generate Bitcoins, the currency of the anonymous digital cash system, by stealing lots of GPU (Graphics Processing Unit) time. GPUs are better than regular CPUs at performing the mathematical calculations required for Bitcoin mining.
Sophos reports that in addition to Bitcoin mining, Miner-D also spies on its victim by taking screen captures and stealing usernames and passwords. In addition, it runs a script that copies information to a file called dump.txt regarding truecrypt data, Vidalia (TOR plugin for Firefox), Safari browsing history, and .bash_history. To complete the assault – if the malware finds the user’s Bitcoin wallet it will also steal that.
DevilRobber was recently been updated according to F-Secure researchers. F-Secure researchers point out that the newly discovered Trojan is the third iteration of the malware and that it poses as the popular image-editing app PixelMator.
Help Net Security says this version of DevilRobber has new features that the original version is lacking. It tries to harvest the shell command history, the system log file, and the contents of 1Password, the popular software for managing passwords. Unfortunately, its Bitcoin mining and stealing capabilities are still there, as well.
rb-
So despite Apple’s continued instance that their machines do not need anti-malware software, standard malware prevention techniques apply to Macs. Clearly, Mac users like their Windows cousins should practice safe computing. Some of the safer computing practices for Mac and Windows users include
- Never open an email attachment unless you are POSITIVE about the source.
- Do NOT click on any pop-up that advertises anti-virus or anti-spyware software especially a program promising to provide every feature known to humanity.
- Use an AntiVirus program. A free one is better than none. There are several free versions that work well, like Microsoft Security Essentials which is also free has had good reviews.
- Keep your OS and AV updated. Make sure that you install those important updates. An out-of-date antivirus program does not help in detecting new infections.
- Use a personal firewall. Use a firewall between your DSL router or cable modem and the computer will protect you from inbound attacks. A software firewall on the computer can protect you from both inbound and outbound attacks.
- Do NOT download freeware or shareware unless you have must. These often come bundled with spyware, adware, or fake anti-virus programs. Be especially wary of screensavers, games, browser add-ons, peer-to-peer (P2P) clients, and any downloads claiming to be “cracked” or free versions of expensive applications.
- Avoid questionable websites. Some sites may automatically download malicious software onto your computer.
- Browse responsibly. Sometimes you might not even have to download and install something but just open a website in your browser for a rogue program to infect your computer. So be careful where you go when you are browsing.
- Pay attention to your incoming e-mails. Some of them can contain viruses or content pointing to malicious sites. Don’t click on links provided by false institutes that invite you to change passwords or similar.
- “Phishing” describes scams that attempt to acquire confidential information such as credit card numbers and passwords by sending out e-mails that look like they come from real companies or trusted people. If you happen to receive an e-mail message announcing that your account will be closed, that you need to confirm an order, or that you need to verify your billing information, do not reply to the e-mail or click on any links. If you want to find out whether the e-mail is legitimate, you can go to their website by directly typing their address into your browser or by calling them.
Related articles
- Tsunami Trojan: First Mac attack based on Linux crack (go.theregister.com)
- New Mac OS X malware with DDoS functionality spotted in the wild (zdnet.com)
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.