Archive
Virus Bulletin 2011
It’s 5:15 AM here in Barcelona, and the second day of the conference. For the past three years, I’ve been given the opportunity to present and discuss topics relating to malware and threats on Macs. At the same time, attending the VB conference allows you to meet, learn from and discuss with fellow researchers who share the same interests.
I have 30 minutes (11:20 – 11:50 am) this morning to discuss an interesting topic about cyber attacks: what role are Mac OS X and iOS users playing? The presentation is divided into two subtopics: I’ll first discuss Apple’s security defences and the financially motivated threats, then a topic that is complex because it goes beyond malware. In this forum, I’d like to draw attention to and raise awareness of this subject.
A cyberattack, in this sense, is a form of threat motivated by ideals and beliefs, often responding to social and economic issues, where people voluntarily participate and take action in response to an open call. Devices, systems and applications act as the tools and weapons that aid in accomplishing a task or mission. Most people believe that threats are platform specific and target only the platform with the biggest market share; this notion is not true. Attacks and threats today target the user’s data, information space and identity, and this occurs regardless of the platform.
On a sad note, I would like to extend my deepest condolences and sympathy for a man of great spirit and high vision; his death is a great loss and his absence will surely be felt.
‘Olyx’ connection to Fake Apple Stores?
An interesting observation from a colleague: check out the digital certificate information of ‘Wolyx’, the Windows backdoor packaged with ‘Olyx’, below:
Issued By: WoSign Code Signing Authority
Issued To: CN, Yunnan, Kunming, Kunming Wuhua District YanXing Technology Sales Department, WoSign Class 3 Code Signing, Kunming Wuhua District YanXing Technology Sales Department
Effective On: 11/03/2009 00:00
Expired On: 11/02/2012 23:59
The revoked digital certificate was issued to an entity in Kunming, Yunnan, China.
If you follow the news, you’ll notice that this is the same city as the fake Apple stores.
China officials find 5 fake Apple stores in 1 city
BEIJING
A Chinese city government website says local trade officials have found five fake Apple stores in a southwestern city.
The Kunming government website says authorities in the city in Yunnan province took action against two of the stores, which were found to be operating without a business license.
[Read http://www.businessweek.com/ap/financialnews/D9OME9280.htm]
Officials close 2 of 5 fake Apple stores
KUNMING – Officials looking into the illegal sale of Apple gadgets say they are waiting for the electronics company to respond before they decide whether to close three more possibly unlicensed stores. [Read http://www.chinadaily.com.cn/usa/us/2011-07/26/content_12980613.htm]
Backdoor ‘Olyx’
In my last blog post, I discussed the early features of the RAT ‘Blackhole’. Although it was then in its early stages, I find this type of offensive development interesting because such tools emerge and are distributed as hacking tools, with a functional backdoor client-server mechanism.
Last month, we spotted a new piece of malware, a backdoor server called ‘Olyx’. The file is a Mach-O binary, and traces of the working directory left in it suggest that the Mac user name was ‘yxl’. That is where the name ‘Olyx’ came from.
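The attribution clue above (a build path leaking the developer’s account name) is something an analyst pulls out of every new Mach-O sample. The script below is an added example written for this page, not code from the original post or from the Olyx sample: it classifies a file by its Mach-O magic, pulls out embedded macOS paths and tallies the user names found under /Users/. The sample bytes are constructed here to resemble a debug build’s string table; only the user name ‘yxl’ is taken from the page, every other path is invented.

```python
import re
from collections import Counter

# Mach-O magic values (32/64-bit, both byte orders) and the fat/universal header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Fat/universal Mach-O",
}

# Printable, space-free runs rooted at the directories where developer and
# runtime artefacts tend to appear; system library paths (/usr/lib, /System)
# are deliberately excluded because they carry no attribution value.
PATH_RE = re.compile(rb"/(?:Users|Volumes|private|var|tmp)/[\x21-\x7e]{2,}")
HOME_RE = re.compile(rb"/Users/([A-Za-z0-9._-]+)/")


def identify_macho(blob: bytes) -> str:
    """Classify the file by its first four bytes."""
    return MACHO_MAGICS.get(blob[:4], "not a Mach-O header")


def extract_paths(blob: bytes) -> list:
    """Distinct path-like strings embedded in the binary, in order of appearance."""
    found = []
    for m in PATH_RE.finditer(blob):
        path = m.group(0).decode("ascii", "replace")
        if path not in found:
            found.append(path)
    return found


def infer_usernames(blob: bytes) -> Counter:
    """Count /Users/<name>/ occurrences; the top hit is the likely build account."""
    return Counter(m.group(1).decode("ascii") for m in HOME_RE.finditer(blob))


# Constructed sample: a little-endian 64-bit Mach-O header (CPU_TYPE_X86_64)
# followed by strings of the kind a debug build leaves in __TEXT,__cstring.
# The user name 'yxl' is the one reported for Olyx; everything else is made up.
SAMPLE = (
    b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + b"\x00" * 24
    + b"__cstring\x00"
    + b"/Users/yxl/Desktop/olyx/build/Release/olyx\x00"
    + b"/Users/yxl/Library/Developer/Xcode/DerivedData/olyx-abc/Build/olyx.build\x00"
    + b"/usr/lib/libSystem.B.dylib\x00"
    + b"/Users/yxl/Desktop/olyx/main.m\x00"
    + b"/private/tmp/.olyx.pid\x00"
)

if __name__ == "__main__":
    print(identify_macho(SAMPLE))
    for p in extract_paths(SAMPLE):
        print("path:", p)
    print("candidate build users:", infer_usernames(SAMPLE).most_common())
```

On a real sample, pass `open(path, "rb").read()` instead of `SAMPLE`. For a fat binary the magic only tells you it is universal; each embedded architecture slice has its own header, but the string scan still works on the whole file because it does not depend on the load commands.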
Backdoor ‘Olyx’ was spotted in a package called ‘PortalCurrent events-2009 July 5.rar’, whose content suggests it was extracted from the Wikipedia community portal page for current events of 5 July 2009. If you visit that Wikipedia page and compare it with the screenshot below, you’ll find them very similar.
However, the extracted page includes a folder containing photos of the 15 June 2011 protest in Athens, Greece, alongside the two malicious executables:
There’s another folder called ‘Photo-Current events 2009 July 5’, which contains 21 (disturbing) photos.
Q: So, the question now is, what happened on ‘2009 July 5’?
The World Uyghur Congress website describes it,
On 5 July 2009, Uyghurs in Urumqi, the capital of East Turkestan, staged a peaceful protest which was suppressed by Chinese security forces and subsequently led to ethnic unrest in the city that left hundreds of people dead.
Q: Ok, that was 2 years ago right?
Yes, and a press release titled “Worldwide Uyghur Protests on Second Anniversary of 5 July 2009” describes the present:
On July 5, 2011 and in the days surrounding July 5th, the WUC called the Uyghurs in exile and their supporters around the globe to stage demonstrations and other actions to commemorate the second anniversary of one of the saddest and most tragic days in the history of the Uyghur people and of East Turkestan and to ensure that the world does not forget about the devastating plight of the Uyghur people.
So, there is a call for organized demonstrations to remind the whole world of the 2009 events, in support of Uyghur human rights and freedom.
Q: What’s the protest? This Facebook invitation page explains,
Approaching the second anniversary of these events, and despite international calls, no independent investigation into the incident has been allowed by the Chinese authorities and the number of people killed, detained, imprisoned, executed and disappeared remains unclear.
The activity surrounding this protest clearly also took place in cyberspace, resulting in attacks, as described in the press release titled World Uyghur Congress (WUC) Victim of DDoS Cyber Attacks:
Approaching the second anniversary of the 5 July 2009 events, the World Uyghur Congress (WUC) has again been the victim of cyber attacks.
So, how do you think Backdoor ‘Olyx’ fits in this picture?
The discovery of this threat should remind Mac users to consider security carefully, along with the real-life consequences of getting pwned. Remember, threats of this type are on a mission; this is not a cybercriminal who monetizes infections or steals money.
Socially Engineered Threats
Socially engineered threats have been very active in the wild for the past 48 hours. Following the Eurosoft, Canadian Pharmacy and porn-site spam runs, viral activity has also been observed spreading on Facebook.
The spammed URL redirects users to a Facebook-looking website, where malware is served. Although Mac users are not directly targeted at the moment, it is important to be cautious, especially since ‘Boonana’ is known to spread via Facebook.
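The chain just described (spam link, redirect, Facebook look-alike host, payload) leaves a recognisable trail in a web proxy log. The following is an added example, not code from the original post or from any vendor product: it runs three simple detections over a handful of constructed log lines. The log format (timestamp, client, method, URL, status, redirect Location) and the legitimate-domain list are assumptions made for the example, and the registrable-domain logic is a deliberate simplification.

```python
import re
from urllib.parse import urlsplit

BRAND = "facebook"
# Domains on which the brand is legitimately served (assumption for this example).
LEGIT_DOMAINS = {"facebook.com", "fb.com", "fbcdn.net"}
# File extensions that, served from a look-alike host, usually mean a payload.
PAYLOAD_EXT = (".exe", ".scr", ".jar", ".dmg", ".pkg", ".zip")

# Constructed proxy-log format: timestamp client method url status location
# (location is the Location header of a redirect response, or "-").
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<location>\S+)$"
)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Production code should consult the Public
    Suffix List (co.uk, com.au, ...); two labels suffice for the sample here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host: str) -> bool:
    """True when the host name carries the brand but is not under a brand domain,
    e.g. facebook-photo.login-view.example or facebook.com.evil.example."""
    if not host:
        return False
    host = host.lower()
    return BRAND in host and registrable_domain(host) not in LEGIT_DOMAINS


def parse_line(line: str):
    """Split one log line into a record, or return None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""
    rec["path"] = parts.path
    loc = rec["location"]
    rec["location_host"] = "" if loc == "-" else (urlsplit(loc).hostname or "")
    return rec


def analyze(lines) -> list:
    """Return (client, reason, url) alerts for: a request to a look-alike host,
    a payload fetched from one, and a redirect that lands on one."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_lookalike(rec["host"]):
            alerts.append((rec["client"], "request to brand look-alike host", rec["url"]))
            if rec["path"].lower().endswith(PAYLOAD_EXT):
                alerts.append((rec["client"], "payload download from look-alike host", rec["url"]))
        if 300 <= rec["status"] < 400 and is_lookalike(rec["location_host"]):
            alerts.append((rec["client"], "redirect into brand look-alike host", rec["location"]))
    return alerts


# Constructed sample log: one legitimate Facebook visit, a spam link that
# redirects into a look-alike host, the landing page, the payload, and a CDN hit.
SAMPLE_LOG = """\
2011-10-03T09:12:01Z 10.0.0.15 GET http://www.facebook.com/home.php 200 -
2011-10-03T09:12:41Z 10.0.0.15 GET http://promo.pharmacy-deal.example/go?id=771 302 http://facebook-photo.login-view.example/photo.php
2011-10-03T09:12:42Z 10.0.0.15 GET http://facebook-photo.login-view.example/photo.php 200 -
2011-10-03T09:12:50Z 10.0.0.15 GET http://facebook-photo.login-view.example/FacebookPhoto.exe 200 -
2011-10-03T09:13:10Z 10.0.0.22 GET http://static.ak.fbcdn.net/rsrc.php/x.js 200 -
""".splitlines()

if __name__ == "__main__":
    for client, reason, url in analyze(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{url}")
```

The redirect rule is the useful one operationally: it fires on the spam click itself, before the client has fetched anything from the look-alike host, so the client 10.0.0.15 can be pulled aside while the later lines are still being written.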
As observed, the viral activity seems to trigger the following:
- Koobface, known for spreading on social networks such as Facebook
- Sasfis/Oficla, known as a spambot spreading through email
- Slenfbot and/or Rimecud, spreading through instant messengers
Alongside these malware families are notable active threats such as TDSS, Zeus, SpyEye and FakeAVs.
Stay safe!
Malware Intelligence Report
“Crimeware 2009”, an extensive 262-page compilation of analysis, findings and intelligence, written by Jorge Mieres. [Refer to this link]
2010 Security Outlook
In 2009, many in the IT industry lost their jobs because of the tremendous pressure to cut costs so that companies could get through and survive the recession. However, not everything in IT was gloomy: IT services aligned with cost reduction and value creation, such as virtualization, SaaS and cloud services, are on the rise and are expected to grow in the coming year.
Because we have been in a difficult situation, where IT companies are expected to cut costs, keep customers and at the same time adapt to changing market opportunities, many of us worked in survival mode. This gives organized cybercriminals the opportunity to become more sophisticated and expand their capabilities.
Among Gartner’s futuristic security scenarios, “Perpetual Arm Race” is very close to what we encountered this year, and I believe it will continue for the next couple of years.
This is a perpetual fight where success changes sides. Hackers, cybercriminals, and criminal consortia invent and launch relentless and powerful attacks on enterprises and individuals. Enterprises and vendors relentlessly work on advancing protective measures, launch pre-emptive actions against hackers, and apply law and technology. Advanced technology laboratories exist inside vendors’ facilities, as well as inside criminal structures. Web business functions decently, but all necessary security precautions are taken.
The “Security Nirvana” scenario, though, is the direction we would like to head toward.
The “good guys” prevail over the “bad guys.” Enterprises’ and vendors’ security specialists are always a few steps ahead of hackers. Security measures have created an impeccable shield around enterprises. Procured and subscribed software is “security bug-free.” This is a world without the fear of hackers. The entire world is happily and securely interconnected.
Have you played Lose/Lose?

As the author describes “Lose/Lose is a video-game with real life consequences.”
This game works only on Macs, and as the warning explains, the game deletes files whenever the player kills those aliens. Yes, it is interesting, but unfortunately it poses a serious threat to users.
So, if you happen to see this screen, I advise you to immediately quit the application (Command + Q) before it’s too late!
VB2009
I should have posted this content here as well.
So, the presentation had a different twist from what I wrote in the whitepaper. I started by building an understanding of Mac security in my introduction, then led into the analysis of specific threat families. That was followed by a macro analysis, broadening the perspective to the attackers’ underlying business models, the competitive advantages they bring while constructing the means and motive, and how these aspects create the opportunity that enables these organized groups to deploy threats and attacks against Mac users.
While the momentum of interest and excitement was increasing, my presentation suddenly froze and a crash report popped up. Indeed, an ice breaker as I continued to deliver the remaining slides.
At the end, the presentation shared some actual infection reports and showed data on how successful these threats have been at penetrating this platform.
It was a great experience, and at the same time I got to meet fellow researchers at this conference!
Greetings from Geneva!

Jet d’eau (Water Fountain), taken this morning. It was hot and sunny here in Geneva, so it’s the best time to walk around, take some pictures and chill out after a good rest, recovering from the long trip from Melbourne.

St. Pierre Cathedral is a cathedral in Geneva, Switzerland, belonging to the Swiss Reformed Church.