
Proton.B: What this Mac malware does - open-source-ux
https://www.cybereason.com/labs-proton-b-what-this-mac-malware-actually-does/
======
inopinatus
_"Dialog boxes asking for passwords are a very popular social engineering
tactic designed to trick users into giving attackers their passwords"_

Apple is extremely guilty of normalizing the frequent entry of passwords. I
recently reinstalled a Mac and an iPad, and for each device I must've entered
my Apple ID password seven or eight times. In the normal course of getting
things done I then enter either this, or my local login password, many times a
week.

When your password is twenty characters of line noise or an extended
passphrase this is thoroughly irksome, especially on virtual keyboards like
the iPad. It is no surprise to me that less security conscious folks, faced
with this onslaught of excessive credential demand, choose shorter i.e. easily
cracked passwords; and no surprise that everyone becomes less suspicious of
the sham password dialog.

So when reading of yet another photographic burglary from a cracked iCloud
account, we should always lay part of the blame at Apple's feet, for
systematically normalizing the frequent entry of credentials.

That is not the end of Apple's social engineering enablement shame. Another
glaring blunder is in Apple Mail, where the "To:" field is shown with your
real name, even when the sender did not include this. The humans respond
positively to the use of their given name, so this heightens the
verisimilitude of scam messages.

~~~
peckrob
Yup. My Apple password is one of the very few remaining ones that isn't a
random string generated by 1Password because Apple makes me enter it all the
time. :(

~~~
Mtinie
"For your protection".

I agree, the number of times per week that I somehow end up entering my Apple
ID password is egregious. Couple that with the abysmal iCloud/Apple ID/iPhone
number conflicts that inevitably show up when you have more than one device.
I've spent more hours than I care to remember working on my parents' devices
fixing glitchy synchs.

------
simonhamp
The standard macOS password prompt surely needs to change. It's become too
familiar and I'm sure I've filled it in hastily before without wondering why
or what for. It needs to be implemented in a way that is _impossible_ for
nefarious apps to replicate.

~~~
jackewiehose
On Windows NT you had to press Ctrl-Alt-Delete at the login prompt because
that was a key combination that no other application could intercept. Nowadays
you work as a non-privileged user but then you have to enter your admin
password in various dialog boxes with no way of knowing if it's legit
(sometimes Ubuntu shows you an ugly-looking (i.e. wrongly styled) GTK input
dialog during updates. But only sometimes. That's very confusing.).

On the other hand, each desktop application should be able to request root
access. And if you trust these applications (e.g. handbrake on macos) you
wouldn't bother to press Ctrl-Alt-Delete or do whatever else it takes.

Any good solution for that?

~~~
freeone3000
"Full" UAC, also known as actual UAC, moves you to a secure desktop without
any other windows (which also prevents a few forms of keylogging). You can't
alt-tab into any of your previous applications, either, until the prompt has
been dealt with. Faking this requires kernel-mode permissions.

But then again, users will STILL enter the password, giving the app root
permission anyway. The warning here would be that the "fake" Handbrake would
not have been signed, and blocked by SmartScreen. (They could get a signing
cert, and use that, and aware users would have to know it differs...)

I still think the safest way is Windows XP style. Applications do not get
root. You cannot give them root. Things that require an administrative
password have to be done under the administrative account.

~~~
vbezhenar
That's what I always wondered — why it's hard to fake UAC? Surely I can create
a full-screen application which won't give away focus with alt-tab (that's
very frequent behaviour with bad games).

~~~
marak830
One piece of software I was/am still working on has an onscreen display (clear
always-on-top window) so I can draw icons and text over a game; it's a pain to
alt-tab out of (due to me setting it to constantly check to see if it's on top,
and if not, to set it).

So I would say that it's certainly possible, although I haven't tried
specifically to do that to emulate UAC.

Edit: In fact I had a bug at one stage where if I closed the main window, the
invisible window would remain running, with no entry in the start bar.

Now I'm becoming a little more concerned, as I could also listen for hotkeys,
(such as Ctrl alt delete) and display my own 'secure login' page. Shit

~~~
MohammadLee
Listening for these hotkeys is kind of pointless. The whole idea of pressing
Ctrl + Alt + Del is that, while you can detect the keys being pressed, you
cannot prevent Windows from displaying its interface _on top of yours_. See
[https://en.wikipedia.org/wiki/Secure_attention_key](https://en.wikipedia.org/wiki/Secure_attention_key)
That's actually a good mechanism that should be brought back to all modern OSes.
I wish Android had something similar (well, available physical input keys are
limited, but you get the idea)

~~~
marak830
I would like to hope so, I haven't tried intercepting something like that (I
just listen for certain keys), I do wonder if someone more experienced than me
could listen for Ctrl and alt, then intercept the delivery, and display their
own. (I would 'assume' the system gets first dibs on any keypress, but what if
you listened for Ctrl and alt then used a sendkey to upkey the Ctrl and alt,
and detect a del key press and then display a fake).

------
ams6110
I've used handbrake some time ago but not recently, and hadn't heard about
this. Summary of the situation from the HandBrake website:

 _HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES
NOT match the SHA1 / SHA256 hashes on our website or on our Github Wiki which
mirrors these:
[https://github.com/HandBrake/HandBrake/wiki/Checksums](https://github.com/HandBrake/HandBrake/wiki/Checksums)

The Affected Download mirror (download.handbrake.fr) has been shutdown for
investigation.

The Primary Download Mirror and website were unaffected.

Downloads via the applications built-in updater with 1.0 and later are
unaffected. These are verified by a DSA Signature and will not install if they
don't pass.

Downloads via the applications built-in updater with 0.10.5 and earlier did
not have verification so you should check your system with these older
releases_

~~~
nerdponx
It's a shame that it isn't easier to check for the correct hash on downloaded
software. I know it's a one-liner in the terminal, but that scares people.

~~~
fulafel
This is an HTML feature now, it's called sub-resource integrity. So you just
put the hash inside a new element called "integrity" when you refer to
external resources. Like so: <a href="..." integrity="...">

~~~
nerdponx
How does the browser know what hash algo to use?

~~~
CharlesW
[https://hacks.mozilla.org/2015/09/subresource-integrity-in-firefox-43/](https://hacks.mozilla.org/2015/09/subresource-integrity-in-firefox-43/)

_"As you may have noticed, the integrity attribute does not just include the
hash value. It also contains the digest name. The syntax for the integrity
attribute allows multiple tokens of this name-value format. This allows site
owners to specify hashes of different strengths as well as the values of
multiple scripts that may be behind a URL. This is useful for browser sniffing
or content negotiation."_
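An added example, not code from the thread or the linked articles: a small Python model of the points made above, showing how an integrity value is generated for a resource, how the token carries its own digest name (which is how the browser knows the algorithm), and how a browser treats an attribute holding several tokens. Function names such as `sri_token` and the sample script bytes are constructed for illustration; the rules encoded (only sha256/sha384/sha512 are recognised, only the strongest name present is checked, the resource passes if it matches any value listed under that name) follow the Subresource Integrity specification, which browsers apply to `<script>` and `<link>` elements.

```python
import base64
import hashlib

# Digest names SRI permits, weakest to strongest. md5/sha1 are not valid here
# and a browser ignores tokens that use them.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(content: bytes, algorithm: str) -> str:
    """Base64 digest of the resource bytes, i.e. the part after 'sha384-'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"not an SRI digest name: {algorithm}")
    return base64.b64encode(hashlib.new(algorithm, content).digest()).decode("ascii")


def sri_token(content: bytes, algorithm: str = "sha384") -> str:
    """One integrity token: '<digest-name>-<base64 digest>'."""
    return f"{algorithm}-{sri_digest(content, algorithm)}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """The <script> element a site owner publishes for a third-party-hosted copy
    of `content`. crossorigin is needed for cross-origin scripts, otherwise the
    browser cannot read the bytes to check them."""
    return (f'<script src="{src}" integrity="{sri_token(content, algorithm)}" '
            f'crossorigin="anonymous"></script>')


def parse_integrity(attribute: str) -> dict:
    """Parse the space-separated attribute into {digest-name: set(base64 values)}.
    Tokens with an unrecognised digest name are dropped, as the spec instructs."""
    parsed = {}
    for token in attribute.split():
        name, sep, value = token.partition("-")
        value = value.split("?", 1)[0]  # the grammar allows a '?options' suffix; ignore it
        if sep and name in SRI_ALGORITHMS and value:
            parsed.setdefault(name, set()).add(value)
    return parsed


def verify_integrity(content: bytes, attribute: str) -> bool:
    """Mirror the browser's check: consider only the strongest recognised digest
    name, and accept the resource if it matches ANY value listed under that name
    (this is what lets several script versions sit behind one URL)."""
    parsed = parse_integrity(attribute)
    if not parsed:
        return True  # no usable metadata: the spec does not block the load
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    return sri_digest(content, strongest) in parsed[strongest]


if __name__ == "__main__":
    # Constructed sample resource standing in for a CDN-hosted script.
    script = b"console.log('hello from the cdn');\n"
    tag = script_tag("https://cdn.example/app.js", script)
    print(tag)
    attr = tag.split('integrity="')[1].split('"')[0]
    print("original accepted:", verify_integrity(script, attr))
    print("modified accepted:", verify_integrity(script.replace(b"hello", b"changed"), attr))
```

The two `print` lines at the end show the property the thread is after: a resource served from the mirror is accepted only while its bytes still match the digest the site owner published alongside the reference.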

------
bigiain
I'm intrigued and curious about why they download your 1Password databases…

I wonder if that's speculative - or if offline bruteforcing them works often
enough for it to be worthwhile for the malware authors?

~~~
mrcarrot
They have all your saved passwords from your web browser, too, and your mac
user account's password. I'd guess there's a reasonable amount of people who
re-use at least one of those as their 1password master password.

------
eecc
Mobile OS security models are bound to land on the desktop soon-ish. What does
any random App have to do with anything in ~/Library that is not its own
Application Support or .plist preferences?

To be honest I don't mind if all Apps are sandboxed with the exception of a
couple "user super-user"; I don't really care if my machine's root account is
secure if all my horses sitting in $HOME are let loose on the net.

------
polygot
This Handbrake outbreak could have been easily avoided. For instance,
Handbrake could create a separate server on say, Amazon EC2 and have it
download the file from their website every 30min or so, and check the
checksum. If it's not right, then it flips a kill switch on the website.

Doesn't fix the root cause, but could have caught it much sooner.

~~~
cpncrunch
Does anyone actually do that? And what if you have a million files? And what
happens within that 30 mins? I guess you could download and check your million
files once every 30 seconds...

~~~
polygot
Well, you would just check the final download dmg/iso file, and only do it for
the first n-versions or so (since those will be the most popular.) The other
ones can be checked too, but at a much lower frequency.

------
diimdeep
I have been using homebrew to install handbrake. What's nice is that homebrew
checks SHA256 before installing.

    
    
      $ brew cask install handbrake
      ==> Satisfying dependencies
      complete
      ==> Downloading 
      https://download.handbrake.fr/handbrake/releases/1.0.7/HandBrake-1.0.7.dmg
      Already downloaded: 
      /Users/wolf/Library/Caches/Homebrew/Cask/handbrake--1.0.7.dmg
      ==> Verifying checksum for Cask handbrake
      ==> Installing Cask handbrake
      ==> Moving App 'HandBrake.app' to '/Applications/HandBrake.app'.
      handbrake was successfully installed!

~~~
kalleboo
Homebrew updated their hash to the infected one (differing from the Handbrake
download page!), so people who installed using Homebrew got infected too. Do
NOT trust homebrew.

[https://news.ycombinator.com/item?id=14282116](https://news.ycombinator.com/item?id=14282116)

------
desdiv
>The malware obtains the time and date by creating a new environment variable
called $hcresult that contains what’s being returned by sending an HTTP
request to the Google hosted link by executing this command:

>curl -sL [https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec](https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec)

What the hell, Google? Your domain name is one of the most trusted on the
internet and yet you're hosting random user submitted scripts on there? What
happened to googleusercontent.com?

~~~
ryanlol
Looks like it's getting the _current time_ from the json response. How _dare_
Google distribute the _current time_?

~~~
wilkystyle
The parent comment isn't talking about the payload being returned, it's about
what domain Google is hosting user content on.

~~~
whatgoodisaroad
The response from script.google.com is a 302 redirect to
script.googleusercontent.com. IOW, google.com itself does not serve that user
content.

~~~
snowwrestler
But why does Google redirect that? Why not just return an error?

It's not like users will accidentally type in script.google.com and get mad if
it fails. Those script URLs are being used only by app developers, who will
test their apps and fix script source URLs that are broken. Calling a
googleusercontent script at google.com should return a 4xx status code telling
them to use the googleusercontent domain.

Google.com is a trusted domain. I don't think it should be 302'ing to
untrusted domains for arbitrary URLs.

~~~
ryanlol
>Google.com is a trusted domain. I don't think it should be 302'ing to
untrusted domains for arbitrary URLs.

I think you should read this again and then take a moment to think about the
services people primarily visit google.com for.

Also, what exactly are "trusted domains"? Why do they matter to users clicking
links?

On a website there's no way for a user to verify where a link is going to
take them without actually clicking the link. The tooltip for example tends to
be relatively easy to spoof.
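An added example, not part of the thread: a Python check of where a link actually lands once 3xx redirects are followed, which is the distinction the comments above draw between a URL on script.google.com and the content served from script.googleusercontent.com. The response table, `fake_head`, and the script id `EXAMPLE_SCRIPT_ID` are constructed stand-ins for HTTP HEAD results so the code runs offline; in real use `head` would issue a request with automatic redirect following turned off and return the status and Location header.

```python
from urllib.parse import urljoin, urlsplit

# Constructed fake HEAD results: url -> (status, Location header or None).
# The script id and the googleusercontent path are placeholders, not real responses.
FAKE_RESPONSES = {
    "https://script.google.com/macros/s/EXAMPLE_SCRIPT_ID/exec":
        (302, "https://script.googleusercontent.com/macros/echo?user_content_key=EXAMPLE"),
    "https://script.googleusercontent.com/macros/echo?user_content_key=EXAMPLE":
        (200, None),
    "https://www.google.com/search?q=handbrake": (200, None),
    "https://example.invalid/a": (301, "/b"),   # relative Location
    "https://example.invalid/b": (302, "/a"),   # ...and a redirect loop
}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def fake_head(url):
    """Stand-in for an HTTP HEAD with redirects disabled."""
    return FAKE_RESPONSES.get(url, (404, None))


def resolve_chain(url, head=fake_head, max_hops=10):
    """Follow Location headers by hand and return every URL visited, first = input.
    Stops on a non-redirect, a missing Location, a loop, or the hop limit."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            break
        nxt = urljoin(chain[-1], location)   # resolves relative Location values
        chain.append(nxt)
        if chain.count(nxt) > 1:
            break                             # loop detected
    return chain


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def in_trusted_set(host, trusted):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def leaves_trusted_origin(url, trusted=("google.com",), head=fake_head):
    """URLs in the redirect chain whose host is outside `trusted`. An empty list
    means the link stays on the domains the user thinks they are talking to."""
    return [u for u in resolve_chain(url, head) if not in_trusted_set(host_of(u), trusted)]


if __name__ == "__main__":
    for u in FAKE_RESPONSES:
        print(u, "->", leaves_trusted_origin(u) or "stays on trusted domains")
```

The point the check makes concrete: judging a link by the domain in its href is only as good as the redirect chain behind it, so anything that gates on "trusted domain" (a mail filter, a proxy allowlist, a reviewer eyeballing a URL) has to evaluate the final hop, not the first.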

------
vels
I've got HandBrake saved in my user's application folder

So I ran the following in Terminal

COMMAND : `cd /Applications shasum -a 1 HandBrake-* && shasum -a 256
HandBrake-*`

and got this response which seems to be blank.. any ideas whether this is
saying that I have an infected file or if I've just run the initial terminal
command wrong?

RESPONSE : `shasum: HandBrake-*: Sams-MacBook-Pro:Applications Sam$ `

~~~
hackerboos
You run it against the DMG not the app.
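An added example, not code from the thread or from the HandBrake project: a Python version of the two checks discussed in this thread, the `shasum -a 1` / `shasum -a 256` comparison of a downloaded .dmg against the hashes a project publishes (the question just above), and the periodic re-download-and-compare monitor with a kill switch that polygot proposes further up. The release bytes, the "published" digest and the `kill_switch` callback are constructed for illustration, and `fetch()` is injected so the monitor can be exercised offline; a real deployment would have `fetch` pull the artifact from the public mirror and `kill_switch` disable the download page.

```python
import hashlib
import os
import tempfile
import time

# Constructed stand-ins for the bytes a release mirror serves. Nothing here is
# the real HandBrake artifact or its published hashes.
GOOD_RELEASE = b"fake dmg contents for the release build\n" * 100
TAMPERED_RELEASE = GOOD_RELEASE[:-1] + b"!"          # one byte differs
RELEASE_SHA256 = hashlib.sha256(GOOD_RELEASE).hexdigest()  # recorded when the release was cut


def file_digests(path, algorithms=("sha1", "sha256"), chunk_size=1 << 20):
    """Equivalent of `shasum -a 1 FILE` and `shasum -a 256 FILE`, hashing in
    chunks so a large disk image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_download(path, published):
    """Compare a downloaded file with the hashes published on the project's
    checksum page, e.g. {'sha1': '...', 'sha256': '...'}. Returns
    (ok, {algorithm: (expected, actual)}) listing every algorithm that disagreed.
    Run it against the .dmg you downloaded, not the .app you dragged out of it."""
    actual = file_digests(path, tuple(published))
    mismatches = {}
    for name, expected in published.items():
        expected = expected.strip().lower()
        if actual[name] != expected:
            mismatches[name] = (expected, actual[name])
    return not mismatches, mismatches


def write_sample_file(data):
    """Write constructed bytes to a temp file and return its path (demo/test only)."""
    fd, path = tempfile.mkstemp(suffix=".dmg")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def check_mirror_once(fetch, expected_sha256):
    """One round of the monitor: re-download the artifact and compare it with the
    digest recorded at release time. `fetch()` returns the bytes the mirror served."""
    return hashlib.sha256(fetch()).hexdigest() == expected_sha256


def watch_mirror(fetch, expected_sha256, kill_switch, interval_s=1800, max_rounds=None):
    """Poll every `interval_s` seconds until the first mismatch, then call
    kill_switch() and return the round number. Returns None if every round
    matched (max_rounds bounds the loop; None means run forever)."""
    rounds = 0
    while max_rounds is None or rounds < max_rounds:
        rounds += 1
        if not check_mirror_once(fetch, expected_sha256):
            kill_switch()
            return rounds
        if interval_s:
            time.sleep(interval_s)
    return None


if __name__ == "__main__":
    print("good download:", verify_download(write_sample_file(GOOD_RELEASE), {"sha256": RELEASE_SHA256}))
    print("tampered download:", verify_download(write_sample_file(TAMPERED_RELEASE), {"sha256": RELEASE_SHA256}))
    served = [GOOD_RELEASE, GOOD_RELEASE, TAMPERED_RELEASE]
    print("kill switch fired in round:",
          watch_mirror(lambda: served.pop(0), RELEASE_SHA256, lambda: print("kill switch!"), interval_s=0))
```

As cpncrunch notes, polling catches a swap only at the next round and only for the files you poll, which is why the comparison is against a digest stored somewhere the web host cannot write to; the in-app updater's signature check that the HandBrake notice mentions is the stronger control, since it is verified on every install rather than on a timer.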

------
sleepychu
> _Note: The domains in red were not registered at the time of my research,
> although they were registered last night by an unknown entity. They seem to
> be back up domains in case one of the first two stops working._

Or they could be domains for checking if you're in a sandbox like WanaCrypt.
Why wouldn't you just use 20 well known domains otherwise?

------
onmobiletemp
Why were they going after 1password filevaults? I assume 1password is like
KeePass, where all your passwords are in an encrypted file? How could they
decrypt all those files? Or do they assume people use weak passwords?

~~~
danieldk
According to the article this malware also does keylogging. So, presumably,
they'll have the vault password as well.

~~~
onmobiletemp
Derp

------
grandalf
Is there a good virus scanner for OSX?

~~~
chmars
There are no good virus scanners – that is a general issue, not a Mac OS-
related one.

------
Cole_Jontrane
Does the Mac have any ability to warn when someone attempts to install
malicious software, other than the usual warnings about unsigned software?
Windows 10, for example, will scan every attachment before opening it,
catching a lot of stuff before it can do any harm.

~~~
hRrrm1
"scan everything before opening" is not always desirable as it exposes a large
attack surface:

[https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5](https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5)

~~~
AlexCoventry
"Avoid running your scan with elevated privileges" could have greatly
mitigated this failure.

> NScript is the component of mpengine that evaluates any filesystem or
> network activity that looks like JavaScript. To be clear, this is an
> unsandboxed and highly privileged JavaScript interpreter that is used to
> evaluate untrusted code, by default on all modern Windows systems. This is
> as surprising as it sounds.

