About Mac OS X v10.6.4 ‘XProtect’ Update
Pob of SophosLabs found this interesting update, please read this blog post Updated XProtect protects against OSX.HellRTS
Apple Mac OS X Snow Leopard Anti-Malware signature file ‘XProtect.plist’ has new definition detecting “OSX.HellRTS” in the latest Security Update 2010-004 / Mac OS X v10.6.4.
XProtect.plist is stored inside the Resources folder of a bundle called, CoreTypes.bundle.
CoreTypes.bundle contains specifications that allow Mac OS X uniquely identify data types, file format, associated icons and UTIs (Uniform Type Identifiers) as defined in the Info.plist file.
In this update (Mac OS X v10.6.4), there are two major update for Mac OS X detection feature (Quarantine and Anti-Malware):
1) Risk assessment for Safari extensions(.safariextz) is unsafe, which triggers Mac OS X quarantine feature and displays a warning “..Are you sure you want to open it?”.
This assessment is reflected to an XML file called System which contains risk definitions for certain file types and extensions. The risk assessment has 3 categories:
As shown below, Safari extensions (.safariextz) was added under LSRiskCategoryUnsafeExecutable key.
Apple recently released Safari 5 with support for browser extensions, and this security update make sure that nothing gets executed without a warning.
System file location:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/System
2) Mac OS X Anti-Malware signature file “XProtect.plist” now includes detection for HellRaiser version 4.2 server application.
There are 3 definitions for OSX.HellRaiser. As highlighted in the screenshot above, it’s detecting 2 components namely: rbframework.dylib and RBShell.rbx_0.129.dylib, and searches defined hex strings for a pattern matching the Hellraiser server auto launch entry (adding login items) command.
The latest XProtect.plist time stamp suggest that it was updated on 24th of April, just couple days after the discovery HellRaiser 4.2 server (in-the-wild). Unfortunately, it seems that it has to wait for the combo update as released on 15th of June.
XProtect.plist location:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
“PremierOpinion” Spyware Now in Mac OS X
From Intego security advisory today:
——————————————————————————————————–
Malware: OSX/OpinionSpy
Risk: High
Description: Intego has discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites.
Who’s PremierOpinion?
PremierOpinion is part of an online market research community with over 2 million members worldwide. PremierOpinion relies on its members to gain valuable insight into Internet trends and behavior. In exchange for participating in periodic surveys on topics of interest to the Internet community, and for having their Internet browsing and purchasing activity monitored, PremierOpinion sponsors select software that its members can enjoy for free.
Website: http://www.premieropinion.com/Home.aspx
So, who’s the partner?
“PremierOpinion” Mac OS X Spyware are distributed by 7art-screensavers and published in this link: http://7art-screensavers.com/Mac_OS_X.shtml
Intego blog published detailed list of “PremierOpinion” Mac OS X Spyware.[here]
There are 48 screensaver Mac OS X apps in this source, and there are two different packages.
How to spot “PremierOpinion” Mac OS X Spyware?
1. It uses IzPack “Package once. Deploy everywhere.” software installer generator. You’ll notice from a package inspection (press control+click on the application and from the pop-up menu choose ‘Show Package Contents’), the icons are different – 7art while the other izpack.icns.
2. IzPack generated installers are in Java Archive (.JAR) file.
3. 7art screen savers installation do NOT require root password. While, PremierOpinion sponsored free software or application requires root password. Why? Because it installs spyware, which will track and monitor users’ browsing behaviour, scans and gather information from the disk and sends back to its remote server. This is very persistent spyware, meaning it does NOT want to be uninstalled.
4. Spyware installs software without user’s consent or notification. It is often bundled with other clean application to misleads users of its true purpose and gain access to users’ system. So, in this case, if you click “Cancel”, the IzPack installer will still continue by two pop-up screen: 1) PremierOpinion survey (screenshot) 2) 7art screen saver installation (screenshot).
“Package once. Deploy everywhere.”
This sneaky Mac OS X threat could be everywhere bundled and distributed in the internet.
Be cautious and stay safe!
——–> Threat Info FYI
File Name: poinstaller
File Type: Mach-O executable i386
File Size: 470,352 bytes
Threat Type: Backdoor, Downloader, Sniffer, Stealer,
Installation Requirement: root
Remote Activity: Installation of other threats
Remote Download File: Rule14.xml
Remote Download: PermissionResearch.zip
Installation: RunPermissionResearch.sh
Package Name: PermissionResearch.app
File Name: PermissionResearch
File Type: Mach-O executable i386
File Name: macmeterhkSafari users still vulnerable to “carpet-bombing” attack
Apple Safari carpet-bombing is a vulnerability that allows remote attacker via malicious website to silently download arbitrary files in users’ default download directory (~/Download).
This issue became serious in Windows because the default download is in users’ Desktop. Attackers can craft any file to look like a link file (.LNK) and or image file (.JPEG) to entice users into clicking it. Apple immediately address this issue in Safari for Windows 3.1.2.
However, Safari Mac OS X users remain exposed to this vulnerability. In May 2008, Nitesh Dhanjani disclosed details about this flaw and a year later, while I was writing my paper for VB2009, I revisited this issue and found that it is still unpatched. I have contacted him and verified whether my findings is true, and unfortunately he answered “yes”.
Ok, two years later, again I am writing and reviewing same old tricks, and found that Nitesh Dhanjani recently revisited this issue in his blog post titled “2 Years Later: Droppin’ Malware on Your OSX, Carpet Bomb Style (and Then Some!)“.
I smiled when I saw the screenshot and bonus notes, it reminds me how tricky it can get when it’s combined with other known tricks/exploits – makes it easier to get users’ click.
Example,
What is this monkey doing in my download? Opss, carpet-bomb! That monkey is a trick, it’s not an image file.
Recommended reading:
http://www.theregister.co.uk/2010/05/24/safari_carpet_bombing_bug/
0day: Apple Safari “parent.close()”
Release Date : 2010-05-07
Criticality level : Highly critical
Impact : Remote code execution
Solution Status : Unpatched
Description:
A vulnerability has been discovered in Apple Safari, which can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to an error in the handling of parent windows and can result in a function call using an invalid pointer. This can be exploited to execute arbitrary code when a user e.g. visits a specially crafted web page and closes opened pop-up windows.
The vulnerability is confirmed in Safari version 4.0.5 for Windows. Other versions may also be affected.
Solution:
Do not visit untrusted web sites or follow links from untrusted sources.
PROVIDED AND/OR DISCOVERED BY:
Krystian Kloskowski (h07)
Original Advisory:
http://h07.w.interia.pl/Safari.rar
Advisory Reference:
http://secunia.com/advisories/39670/
RAT for Mac
RAT for Mac?
When there’s too much RAT (Remote Administration Tool) available for Windows, people wonder if there’s good and useful RAT for Mac as well.
The search and discussions about this topic goes on and on; at one point an online poll favored to continue the development:
A useful description of RATs that works in OSX can be found here.
The most recent/updated development is HellRaiser version 4.2, coded by DCHKG an Underground Mac Programming Team.
HellRaiser includes a configuration component, where the remote controller can specify the server parameters.
The server component is the application distributed to target OS X user. It requires manual execution to install and enable the server to run in background (hidden from dock). Once successful, the server component (or the slave) will report back to the master as shown below.
This is the same version that Intego recently discovered in-the-wild disguised as iPhoto installer.
How would I know if HellRaiser server is installed/running?
option 1: You may open network utility and activity monitor (/Applications/Utilities/) and kill the process.
option 2: You may open terminal, and type lsof -i (this will list running processes and its matching network/internet connection). Search dubious name and internet connection, take note of the PID, and in terminal type kill -9 <PID> (this will kill the process).
If you’re using Mac security scanner, then it’s best time to check for signature update! (most vendors detects this as OSX HellRTS)
CVE-2010-1120
DESCRIPTION:
A vulnerability has been reported in Apple Mac OS X, which can be
exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to an indexing error in Apple Type
Services within the “TType1ParsingContext::SpecialEncoding()” method
in libFontParser.dylib when parsing embedded fonts. This can be
exploited to corrupt memory e.g. via a specially crafted PDF file
opened in Preview.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in Mac OS X Server 10.5, Mac OS X 10.5,
Mac OS X 10.6, and Mac OS X Server 10.6.
SOLUTION:
Apply Security Update 2010-003.
Sourced: http://secunia.com/advisories/39426/
Reference: CVE-2010-1120 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1120
Description:
Unspecified vulnerability in Safari 4 on Apple Mac OS X 10.6 allows remote attackers to execute arbitrary code via unknown vectors, as demonstrated by Charlie Miller during a Pwn2Own competition at CanSecWest 2010.
Mac OS X Ransomware
I just read the blog post of Dancho this morning titled “Mac OS X SMS ransomware – hype or real threat?”
Well, the Mac security community is pretty much aware of this since early last month (February 03). The package we received is source code, which serves as heads up to security researchers of what’s to come.
The underground intelligence allowed us to obtain a copy of the code for the purpose of learning disinfection to help protect Mac users for possible emergence of this threat.
In January, I blogged about an observation where Blackhat SEOs redirection scripts checks the browser’s USER-AGENT to identify and redirect Mac user traffics – for the hope of monetizing it. Following this post, Dancho found similar trend, where Koobface gang is also using USER-AGENT to redirect and monetize Mac users traffic. This trend raised an awareness to security community to investigate and learn why these guys are monitoring and interested to Mac users traffic – and we got our answer, we recieved the Mac OS X ransomware source code.
Now the questions,
Is it a threat to Mac users? No (not yet at the moment), but YES – this is absolutely emerging threat in Mac.
Is it a hype? No – there’s no exaggeration, but instead the message should serve as an awareness of this emerging threat in Mac.
However, we have to acknowledge that there’s on-going offensive developments in Mac and Mac users should not take chances.
Recent Comments