What is it that makes this malware sophisticated? I didn't see anything about rootkits or process hiding / obfuscation. Is it not just a simple daemon that can be configured to monitor audio/video/keyboard and send the results back via an encrypted connection?
Some rootkits install a backdoor. Not all rootkits install a backdoor -- some merely conceal themselves and operate locally. The famous Sony Rootkit is one such example of a rootkit which did not add a backdoor.
The defining characteristic of a rootkit is that it conceals its presence from the rest of the system. Backdoor.OSX.Mokes.a doesn't really do this -- it's only a backdoor. Not a rootkit.
Backdoor is a politically loaded term at this point. Backdoors (in privacy-related discourse) are vulnerabilities inserted intentionally by the manufacturer or government with supply-chain cooperation. The claim "Backdoor found in X's product" is roughly equivalent to the claim "Evidence found that X is a collaborator with the surveillance state" to many people, so we might want to be careful about throwing it around when we don't mean that.
That is different wording. One can find an OS X backdoor in Microsoft Word, for example. Here the OS X backdoor was found not in OS X but in some other program.
Whether the terminology is technically correct or not, I think it's obvious that it can easily be interpreted in different ways, some of which are incorrect. As such, while it may not be wrong, it is poorly chosen, and may be misleading. A better way to phrase it might have been "A sophisticated backdoor targeting OS X discovered".
Yes, that's exactly what I was trying to address. I should have quoted the first sentence of the parent to make that obvious, since there were a few assertions in that comment.
Calling it a backdoor may be correct, but calling it an "OS X backdoor", particularly with no other context in the title, is not. It's merely clickbait.
Yes, I concluded from the title it's backdoor in OS X itself (which would be huge news), not merely a backdoor kit running on OS X (which is not really all that notable, absolutely no surprise that backdoor kits exist for OS X and this one is nothing special among them as it seems).
Let's call it "a window with a shitty lock" instead of a "back door", if it's an unintentional vulnerability. Then we can just use "back door [left open]" to mean something intentional. Or, you know "key under a rock in the garden" because only certain people know where it is. Actually, I think that's where "Window( with a )S(hitty lock)" 95 first got it's name.
rootkit comes from unix, it was a tool helping to restore admin privileges even after the admin found that the host was hacked (that's where the name comes from root = admin on unix). Its goal was to be invisible.
The sony rootkit was named somewhat incorrectly, because it also tried to hide itself and no other existing malware names fit it.
rootkit comes from unix, it was a tool helping to restore admin privileges even after the admin found that the host was hacked (that's where the name comes from root = admin on unix). Its goal was to be invisible.
Are you sure? It also commonly referred to such kits being used by hostile parties. I've personally interrupted an attempt at installing the "Hungarian Rootkit" in the 90's. (I put unpatched Red Hat 6 online when Red Hat 7 was out.)
(that's where the name comes from root = admin on unix)
The fact that you think this is something that bears explaining is interesting in the context of HN. I hope this is based on something you've noticed about recent user trends here. There was a time when someone would be very surprised if a user here didn't already know this.
I see my response was ambiguous. Of course I meant rootkit was always malicious. It was used by intruder to gain root back after admin though he restored the host after being hacked.
Rootkits are the reason why it is recommended to wipe the whole system after being hacked, because you can't be sure there there wasn't anything installed.
> It also commonly referred to such kits being used by hostile parties.
I suspect that's exactly what he means - a rootkit is deployed by an intruder so that when the admin discovers the host has been compromised and patches the vulnerability, the rootkit, if not addressed, will grant the intruder root capabilities once more.
A rootkit might come with tools for that, but the actual rootkit generally requires you having root (or some other privileged role) to deploy it. E.g. a Linux rootkit commonly is a kernel module, which you can only load if you have already obtained root privileges.
Looks to me like your run-of-the-mill malware. A rootkit is typically something that uses OS hooks to hide itself from the list of running processes for instance.
If you previously establish that the vulnerability was introduced by a third party, then "backdoor" might be an OK term afterward - after the context has been introuced.
In an example without context (like, a headline), "backdoor" strongly implies that it was built by the vendor. I have to disagree with you and concur with the other commenters saying this was a very misleading choice of words by Kaspersky. They should have just said "malware".
I agree. My first reaction when I read the headline was, I thought Apple had put it there, which I found disturbing seeing as how Apple has publicly spoken out against backdoors. I think a better title would be something like "Sophisticated OS X Backdooring Malware Discovered". That would make it clear that the backdoor is not present in the binaries shipped by Apple.
I make the same association. A door is part of a building, and is put there during construction (initial release) or in owner-planned renovations (software updates).
I've never heard of someone breaking into a building by cutting a hole into a wall to install their own entry door that they have a key to, but that's the scenario this "OS X backdoor" is describing.
Rootkit is more commonly used for something that actively messes with the system to avoid detection for itself and potentially other malware, often by intercepting system calls and removing evidence from the responses.
Malware that just runs some code to provide a backdoor isn't necessarily a rootkit. E.g. if I install a VNC server on your system and turn off the tray icon, it is a backdoor. I could use a rootkit in combination to also hide it's files on disk, remove it from process listings, hide it's open sockets, ...
A rootkit is a different beast. A backdoor is simply a (covert) way to gain remote access to a system. A rootkit involves being able to elevate user permissions such that you have full control over the computer. Rootkits also typically use such permissions to hide themselves from normal user accounts.
I guess in a way you could see them as related, in that they both are access tools. A backdoor gets you remote access to the system in the first place. A rootkit gets you elevated access after you are in the system.
A rootkit is the thing you install once you have root - not a way to get root initially. It usually gives the attacker a means to access the machine in the future, even if the vulnerability she used is fixed in the future.
Rootkits are designed to hide themselves. They are essentially attacker installed backdooors.
A backdoor is basically a rootkit that is part of the original software as written by the original developer. The words have different connotations (rootkit is extremely negative, backdoors slightly less).
"A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) while at the same time masking its existence or the existence of other software."
"A backdoor is a method, often secret, of bypassing normal authentication in a product, computer system, cryptosystem or algorithm etc. Backdoors are often used for securing unauthorized remote access to a computer, or obtaining access to plaintext in cryptographic systems.
A backdoor may take the form of a hidden part of a program,[1] a separate program (e.g. Back Orifice may subvert the system through a rootkit), or may be a hardware feature.[2] Although normally surreptitiously installed, in some cases backdoors are deliberate and widely known. These kinds of backdoors might have "legitimate" uses such as providing the manufacturer with a way to restore user passwords."
No, that is really wrong. Rootkits aren't for privilege escalation, see the paragraph immediately following your quote:
"... an attacker can install it once they've obtained root or Administrator access."
Calling BO a backdoor is a major corruption of the word, as you loose the only word for describing intentionally weakened security - so that you may describe a thing which already has several more explicitly defining names: malware, trojan, dropper, etc.
The installation of the rootkit is different from its purpose. A rootkit may require a root permission to install, perhaps piggybacking on another legitimate install such as in the famous Sony BMG rootkit. Or it may use an exploit to gain root access and install.
However, once installed, the purpose is the same: To provide the attacker with root permissions. It will also typically use its access to root permissions to hide itself from detection.
> A rootkit may require a root permission to install...
This sort of phrasing is misleading. If your OS restricts security sensitive kernel functions to the root user (hint: 99% of OSes do), then it isn't "may" - it is "must". Are there wrapper scripts that run privilege escalation exploits before installing the rootkit? Yes. Doesn't that make the exploit part of the rootkit? No, they are two very different things performing two different functions and are capable of operating independent of one-another.
> ...the purpose is the same: To provide the attacker with root permissions.
No, it is to allow code to run at the same privilege level as the kernel itself. Unrestricted loadable kernel modules. Think that is a distinction without a difference? OSX disagrees, as does Windows.
Regardless, the point of a rootkit is to provide an execution context with escalated privileges. Whether that means root user, kernel space, System user is I would think depends on the specific rootkit. (Whose name, of course, points to "root" privileges.) Which was my original definition and is inline with the posted definition from Wikipedia.
Well I guess we won't come to an agreement, because it seems that whatever reason you prefer a very loose definition. For example, you just couldn't help yourself in confusing the privilege escalation point: "...context with escalated privileges." The rootkit isn't escalating anything, in the same way that LKMs, bootloaders, tracetools, or drivers don't escalate - it executes at or below its own privilege level.
I'm obviously not communicating my point well. Let's try this:
A backdoor executes in a remote machine. It allows attackers to access that machine.
A rootkit executes in a "remote" privileged context. It allows attackers to access that privileged context. It's in this context that I refer to escalation; it allows the attacker in a non-priviledged context access to a privileged context; aka escalation. And yes, the actual escalation already happened in the past, when the rootkit was installed. However, a non-priviledged user is still gaining illicit access to a privileged context at the moment that the rootkit is utilized.
Also, at this point I think we're splitting semantic hairs that don't really matter, aside from pedantry.
Well I do appreciate you trying, but I disagree with you that it is pedantry that doesn't matter. This conversation is the best possible example of why we can't allow the corruption of previously well defined words - it causes confusion for no good reason.
A backdoor doesn't need to be remote and the user isn't necessarily an attacker. It is simply a secret method of access that the designer put in place, it isn't designed for end-user use. It is almost always security through obscurity, and it is always a bad idea. It can be activated in a variety of ways: port knocking, hardcoded passwords, preinstalled remote software, shorting ground to some magic pin, an undocumented serial terminal, etc.
A rootkit doesn't need to be remote and the user isn't necessarily an attacker. It doesn't need to have any functionality for user interaction - which means no "escalation" occurs (It could simply scan memory for passwords and log them to a file). It runs above user space, and can therefor be completely hidden (but it isn't always, see DTrace). It runs with the same privileges as the OS that it is part of. That is important to keep in mind, the rootkit becomes part of the running OS - that could mean any of the OSes running in your tower (CPU, HD firmware, BIOS, etc).
Your definitions work fine in a vacuum, but they quickly fall apart in real world usage. For example, by your definition: a remotely accessible privileged service is a rootkit, because an unprivileged internet user can interact with it - accessing data and executing code in the service's privileged context. 'sudo nginx' is not a rootkit.
> A rootkit doesn't need to be remote and the user isn't necessarily an attacker.
No one said a rootkit needs to be remote. (I used "remote" in quotes just to align it to the backdoor.) And in the context of security, it is definitely an attack. If there's not a user executing unauthorized commands, then it's simply installed and authorized software.
> It doesn't need to have any functionality for user interaction...
This is true, and I can see how some of my statements were maybe a bit more specific about this than they needed to be. The point is still to give an attacker a context with elevated permissions; it need not be an interactive context.
> It runs with the same privileges as the OS that it is part of.
This I still think is overly restrictive. I don't think running in ring 0/1/2 with the kernel and drivers is a necessary component; having "root" access such that it can invoke kernel functionality necessary to achieve its goals is sufficient. Now, it may use "root" access to modify kernel files and drivers, which is perhaps what you're referring to and where the line blurs and pedantry beings. If "root" access gives you unfettered access to the system, including modifying kernel executable files, then there is basically no difference between "root" and ring 0.
> For example, by your definition: a remotely accessible privileged service is a rootkit, because an unprivileged internet user can interact with it - accessing data and executing code in the service's privileged context. 'sudo nginx' is not a rootkit.
More pedantry. Clearly intended and authorized access to a service is just normal operation. This is why I'm very explicit about the usage being unauthorized and label the user an "attacker".
I think that we're as close as we'll get to agreeing - the main contention being the "attacker" part. I'd describe Symantic's data protection product as a rootkit, regardless of who installed it. I'd say the same for the LKMs that I've installed in honeypots.
I think you are spot on for rootkit, but you are absolutely wrong on backdoor.
You say "This conversation is the best possible example of why we can't allow the corruption of previously well defined words - it causes confusion for no good reason." when YOU(and others like you) are the one corrupting the meaning of backdoor.
Backdoor has meant for ages to be a way to access a computer/program while bypassing the normal authentication method, whether added by the designer or by someone else. You are trying to redefine it to mean only methods of bypassing normal authentication added by the designer. If you find it confusing that both types of backdoor are backdoors, then make up a new word that can be considered a subtype of backdoor don't try to coop an existing word and change its meaning.
> ... whether added by the designer or by someone else.
Your exception seems to hing on the word designer. I'd describe the individual responsible placing the backdoor as the designer. So if you place a modified version of /usr/sbin/sshd, then you've designed the backdoor for that system. I see no redefinition.
> Calling BO a backdoor is a major corruption of the word, as you loose the only word for describing intentionally weakened security - so that you may describe a thing which already has several more explicitly defining names: malware, trojan, dropper, etc.
Thinking in that context, it sounded like you were arguing further for the fact that backdoors should only be describing intentionally weakened security. Have you changed your mind about that?
No. Unlike a rootkit, context really matters in the case of a backdoor - not so much the implementation means. BO is no more a backdoor than vnc or sshd. Now if Dell decides to secretly package BO in their product line, then it is a backdoor.
> ...backdoors should only be describing intentionally weakened security.
I can't think of a backdoor that does not meet that description, do you have anything in mind?
There are too many "No, that's wrong"'s here for a bunch of people that aren't getting this quite correct. You do not need root access to install a rootkit, you simply need to exploit a security flaw that allows you to install, run, and avoid detection. This is easiest done by modifying the host to disable it's ability to even find you on the device. This is much more difficult on modern systems, so for most modern systems, they're installed as trojans using the privilege escalation of another application or install.
The connotation difference is the difference between getting hit with a 10mm and a 9mm. Negligible, as it's leaving a hole that you really don't want there.
No, it refers to different things. Back-door is a technique or practice and a rootkit is a type of malware. Rootkits often (but not always) install backdoors.
I don't like the use of backdoor for malicious cracks, as it confuses the argument between malware and bad security practices. Though technically, backdoor is the correct term.
This isn't a virus, it's a payload. Once an attacker exploits a vulnerability to gain RCE, this is the kind of thing they might install (if their goal isn't to immediately trash the machine).
The software described would usually be classified as an Advanced Persistent Threat [1] or Rootkit [2]
Backdoor [3] usually refers to methods to sidestep authentication added by the vendor.
Many commenters are pointing out that one possible definition of a rootkit is something that elevates privilege, but does not necessarily have network communications functions or a command and control server. But in recent times, almost all modern rootkits seen in the wild have some form of network control functionality.
A rootkit isn't for privilege escalation - you need root before you can install the rootkit. This is typically obtained through a privilege escalating exploit, the rootkit is for maintaining access and masking the attack.
> The modified compiler would detect attempts to compile the Unix login command and generate altered code that would accept not only the user's correct password, but an additional "backdoor" password known to the attacker...This exploit was equivalent to a rootkit.
> Establish Foothold – plant remote administration software in victim's network, create net backdoors and tunnels allowing stealth access to its infrastructure.
> A backdoor is a method, often secret, of bypassing normal authentication in a product, computer system, cryptosystem or algorithm etc. Backdoors are often used for securing unauthorized remote access to a computer, or obtaining access to plaintext in cryptographic systems.
I read all of that as a backdoor being an umbrella term, of which one type is a rootkit, and APTs create backdoors, perhaps of a type other than rootkit (e.g. net backdoor).
Me thinks it would be nice to scan for Qt at the `exec()` level. I don't have a huge use for Qt, it would be nice to have to white list apps that use it.
A lot of cross platform software that attempts audio/video (e.g. Skype etc) would be considered malware by some. Usually people who've had to use it at least once.
I don't know whether this is still the case but Skype used to use some of the most advanced anti-debugging, runtime code obfuscation, etc etc methods of its time for no obvious reason. See http://www.secdev.org/conf/skype_BHEU06.handout.pdf for details. It certainly made people pause and think about what kind of shady stuff they were up to.
This is an excellent example of where user visibility into authorized processes could improve trust in software. Specifically, this software is ideal as a trojan horse; the user likely felt slightly coerced into installing it (install this plugin or you can't take part in this meeting / talk with love interest / remote family) and so they likely did so, possibly bypassing blessed trust sources. And even worse, the software is being granted privileges that are particularly ripe for abuse.
So this would lead a reasonably paranoid person to conclude that such software would be the ideal vehicle for privacy violation. Thus, if ever there is a software package for which a user ought to have visibility and enhanced control, this would be it.
Not sure whether to be amused, vindicated, or concerned that the most prominent conversation here on HN is terminology: "Is 'backdoor' the correct term?"
Malware, trojan, virus, rootkit, backdoor, squirglebunny (OK, I may have made that last one up).
There's not a lot of talk about the threat vector though - does anyone know how this infects systems?
> After its first execution, the binary checks its own file path and ...
From the article it seems to be via executable. That's why the terminology is important in this case. It's a executable rootkit that opens a backdoor, not a OS remote execution exploit. And this article relates to the OS X variant of a cross-platform package (so this affects Windows and Linux systems as well).
I hate to join in the terminology argument, but is it really a rootkit? After all, it doesn't (according to the reports) disguise its presence, which discards "rootkit" as a classification.
It seems to be pretty much run-of-the-mill malware. It would be interesting to understand the delivery mechanism (email, or whatever).
And if people will install untrusted third-party software, delivered by an untrustworthy mechanism, then they inevitably accept a certain amount of exposure.
Same thing. All comments are about backdoor vs rootkit vs malware vs etc, as if it was important. Hey guys, you really want me to go through a link and read that article myself? Where is the discussion? Where is tl;dr comment upvoted to the top?
I suggest "sophisticated malware backdoor payload for OSX discovered." Then it's clear it's not a part of the OSX itself and that it's something that has to be somehow installed by some third party (e.g. using any malware installation method or a real spy).
Kaspersky, the most paid and legalized backdoor ever commercialized, ruining web experience of the average user. Although I'm glad they discover interesting things, I would love they stop messing with third parties http connection and html pages.
I think it's pretty funny that they go through all the trouble of making this for MacOS, yet it searches for only MS Office file extensions and not Apple's iWork extensions. It also seems to me that this all hinges on having gatekeeper disabled.
> Is there any diagnostic tool out there to determine if you've been infected?
From what I can tell, they posted the SHA256 of the offending binary under the IOCs section of that web page. So you should be able to do this in the root of your home directory to detect if such a file exists:
# find . -type f -print0 | xargs -0 shasum -a 256 | grep 664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c
Binary checksums are usually not very helpful for identifying malware. The fact that the binary they were looking at was called "unpacked" suggests that there would be packed versions out there, and they would have a different checksum.
Yes. And the malware could be polymorphic. Or there could be multiple versions of the same "core" out there. It's not clear to me how sophisticated virus (malware) scanners for OS X are with dealing with that.
From what I know (which is not much) scanners, among other things, search for identifying patterns in files. So there is an identifying pattern of each discovered malware/virus in a database.
Looks like it's not only OS X - the OS X variant is newly discovered.
Title should be 'OS X Variant of Backdoor Discovered', shouldn't it?
"OS X variant of a cross-platform backdoor which is able to operate on all major operating systems (Windows,Linux,OS X). Please see also our analysis on the Windows and Linux variants."
That list of directories is really weird. On my machine, none of them exists, neither in ~/Library nor /Library. And I do run most of that software (Dropbox, Skype, Firefox, Chrome in the past...).
Either the malware targeted very old versions of such software and/or OSX, or somebody between the malware author and the blog writer f###ed up.
But the post says that the malware checks if any of those folders exists, only then writing the necessary plist. By your reasoning, one of these folders should have been created in advance by another process. So this "backdoor" is even incomplete...
It says it checks if those folders are available - which could mean checking if the name is not already taken, and then creating the path for itself to use.
1. This is not a backdoor, it's malware or an exploit.
2. This is not specific to OS X, it affects many operating systems, so this sounds like an attempt at slandering software that someone doesn't like, or has a reason not to like.
Are video captures actually possible? I could imagine video capture as part of a RAT, but what scares me is the idea of video capture that doesn't turn on the camera activity light. Are there any examples of that?
We describe how to disable the LED on a class of Apple internal iSight webcams used in some versions of MacBook laptops and iMac desktops. This enables video to be captured without any visual indication to the user and can be accomplished entirely in user space by an unprivileged (non- root) application.
Assuming this is a serious question, yes, the camera and MacBooks both have changed a lot since 2008. This is probably why they did the study on 2008 MacBooks as opposed to later models. They wouldn't get the results they wanted otherwise.
I don't know that it's possible on recent Apple hardware. I remember reading somewhere that the green LED is triggered by the camera power line, or something along those lines.
Note to anyone developing a new webcam: if you want to be able to flash your LED to indicate something to the user, add another color, and keep the main LED tied to the power line (ideally with a hardware-implemented delayed shutoff on the power so a single-frame grab lights the LED for a long time).
Interestingly, on my battered, el cheapo Asus 12" netbook (2011 Intel Atom), this problem is solved very well: the on/off webcam switch physically blocks the webcam lens in the off state.
Apparently this malware doesn't take webcam screenshots (as law inforcement illegally does).
It just takes screenshots, possibly to match keystrokes to the window, to be able to match password entries to the application or url. And then exploit that furtheron. I wonder why it takes audio captures though? Just for the thrill? Or is it the government?
Useless article makes no mention of how this gets into the system at all. Plus its not all that sophisticated or a backdoor. Nor do they point out that Apple was notified before posting this.
"Because OS X is secure by design, there’s no need for IT to install additional tools or lock down functionality for employees. And with an automated zero-touch deployment process, they don’t even have to open the box."
By that level of standard, nothing is secure. Linux has vulnerabilities. Windows has vulnerabilities. I have a deadbolt on my door and the package read "Keep your home secure!" but someone could still get through if they really wanted to.
"Secure by design" doesn't mean 100% secure no matter what. Part of that design is the update/patch process that addresses vulnerabilities quickly, and mitigating controls like lower default permissions and application signing.
The fact that you're so quick to call everyone an astroturfer because you made a ridiculous statement just proves that your only interest is trolling.
Me saying this is downvote-worthy in itself and I'll gladly take my lumps because I'm only adding to the noise, but let's break this down:
(1) You claim that because someone wrote malware that requires root access to install, but can't be used to get root access to a system in the first place, that the vendor who makes that system should no longer publicly state (in their marketing materials no less) that they care about security and design their operating systems with security in mind.
(2) When people downvote your incredibly astute, mature, and insightful comment, you feel the need to follow up on it and complain publicly about people giving downvotes. Because everyone knows that the most appropriate response to downvotes is to complain about getting downvoted.
(3) You don't stop there, though! Why would you? You are so confused as to why someone would disagree with you that instead of reconsidering your original opinion, you assume that a huge corporation must be paying people to downvote the deep, deep wisdom you've chosen to express here. You don't keep this suspicion to yourself though- you are so certain of its veracity that you publicly state your conspiracy theory as well, because of course you will.
Any one of these things is incredibly downvote-worthy. All of these things combined are a perfect storm of comically stereotypical Internet forum asshattery that everyone has seen a million times over during the past 20 years and has no desire to ever, ever see again. Sadly, it will never completely go away because there's always a new generation to keep the traditions of Slashdot circa 1997 alive (or Usenet after September 1993). All anyone can do is downvote on sight and hope that each generation learns these lessons a little more quickly than the one that came before it. Honest critical thinking == good, mindless hateful tribalism == bad, that's all there is to it.