
Sophisticated OS X Backdoor Discovered - cyphersanctus
https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/
======
bink
What is it that makes this malware sophisticated? I didn't see anything about
rootkits or process hiding / obfuscation. Is it not just a simple daemon that
can be configured to monitor audio/video/keyboard and send the results back
via an encrypted connection?

~~~
mauz0r
My guess would be that they figured out how to compile Qt statically (hence
the 14MB file size)... Other than that it seems to be a common RAT

------
vemv
Is 'backdoor' the correct term if the vulnerability does not originate from
Apple?

~~~
linkregister
I agree, the terminology Kaspersky Labs is using is incorrect and misleading.
The further poster is right that this should be labeled as "rootkit."

~~~
throwaway76543
No, Kaspersky Labs is using correct terminology.

Some rootkits install a backdoor. Not all rootkits install a backdoor -- some
merely conceal themselves and operate locally. The famous Sony Rootkit is one
such example of a rootkit which did not add a backdoor.

The defining characteristic of a rootkit is that it conceals its presence from
the rest of the system. Backdoor.OSX.Mokes.a doesn't really do this -- it's
only a backdoor. Not a rootkit.

~~~
superuser2
Backdoor is a politically loaded term at this point. Backdoors (in privacy-
related discourse) are vulnerabilities inserted intentionally by the
manufacturer or government with supply-chain cooperation. The claim "Backdoor
found in X's product" is roughly equivalent to the claim "Evidence found that
X is a collaborator with the surveillance state" to many people, so we might
want to be careful about throwing it around when we don't mean that.

~~~
oso2k
At least for me, there is a distinction between a Phone Home capability and a
Backdoor.

------
drinchev
Can someone explain how the victim gets infected?

As far as I can read from the article they discuss what happens if you are
infected.

Also, doesn't running binary files on OS X from, let's say, "Finder" automatically
trigger a security alert (like App-vendor lock)?

~~~
alexbecker
This isn't a virus, it's a payload. Once an attacker exploits a vulnerability
to gain RCE, this is the kind of thing they might install (if their goal isn't
to immediately trash the machine).

------
commentzz
I feel the use of 'backdoor' here is misleading.

The software described would usually be classified as an Advanced Persistent
Threat [1] or Rootkit [2]. Backdoor [3] usually refers to methods to sidestep
authentication added by the vendor.

      1: https://en.wikipedia.org/wiki/Advanced_persistent_threat
      2: https://en.wikipedia.org/wiki/Rootkit
      3: https://en.wikipedia.org/wiki/Backdoor_(computing)

~~~
walrus01
Many commenters are pointing out that one possible definition of a rootkit is
something that elevates privilege, but does not necessarily have network
communications functions or a command and control server. But in recent times,
almost all modern rootkits seen in the wild have some form of network control
functionality.

~~~
woodman
A rootkit isn't for privilege escalation - you need root before you can
install the rootkit. This is typically obtained through a privilege-escalating
exploit; the rootkit is for maintaining access and masking the attack.

------
epistasis
Really interesting to see a cross-platform malware with audio and video
support; a lot of non-malware has difficulty with that.

~~~
stephenr
A lot of cross platform software that attempts audio/video (e.g. Skype etc)
would be considered malware by some. Usually people who've had to use it at
least once.

~~~
kabdib
Serious question: Is this snark, or does the software in question do sketchy
things with privilege escalation that might be leveraged into attacks?

I agree that much software has terrible UI, but it's good to distinguish
surface stuff from objectively terrible security decisions.

~~~
Kliment
I don't know whether this is still the case but Skype used to use some of the
most advanced anti-debugging, runtime code obfuscation, etc etc methods of its
time for no obvious reason. See
[http://www.secdev.org/conf/skype_BHEU06.handout.pdf](http://www.secdev.org/conf/skype_BHEU06.handout.pdf)
for details. It certainly made people pause and think about what kind of shady
stuff they were up to.

------
manarth
Not sure whether to be amused, vindicated, or concerned that the most
prominent conversation here on HN is terminology: "Is 'backdoor' the correct
term?"

Malware, trojan, virus, rootkit, backdoor, squirglebunny (OK, I may have made
that last one up).

There's not a lot of talk about the threat vector though - does anyone know
how this infects systems?

~~~
darylteo
> After its first execution, the binary checks its own file path and ...

From the article it seems to be via executable. That's why the terminology is
important in this case. It's an executable rootkit that opens a backdoor, not an
OS remote execution exploit. And this article relates to the OS X variant of a
cross-platform package (so this affects Windows and Linux systems as well).

~~~
manarth
> _"It's an executable rootkit"_

I hate to join in the terminology argument, but is it really a rootkit? After
all, it doesn't (according to the reports) disguise its presence, which
discards "rootkit" as a classification.

It seems to be pretty much run-of-the-mill malware. It would be interesting to
understand the delivery mechanism (email, or whatever).

And if people will install untrusted third-party software, delivered by an
untrustworthy mechanism, then they inevitably accept a certain amount of
exposure.

------
baby
I came here to see a sophisticated backdoor. I left disappointed.

~~~
wruza
Same thing. All comments are about backdoor vs rootkit vs malware vs etc, as
if it was important. Hey guys, you really want me to go through a link and
read that article myself? Where is the discussion? Where is tl;dr comment
upvoted to the top?

------
snxss
What about ways to verify if you are infected or ways to remove?

------
chadlavi
Okay, but no information on what to do about it, or how to protect against it.

~~~
linkregister
Install Kaspersky Endpoint Protection, friend! ;)

In all seriousness, when a company releases a malware write-up, they typically
imply that their software would have prevented it or will prevent it.

~~~
based2
[http://blog.talosintel.com/2016/08/vulnerability-spotlight-m...](http://blog.talosintel.com/2016/08/vulnerability-spotlight-multiple-dos.html)

------
gre
Please clarify the title. It sounds like Apple put a backdoor into OSX.

~~~
acqq
I suggest "sophisticated malware backdoor payload for OSX discovered." Then
it's clear it's not a part of the OSX itself and that it's something that has
to be somehow installed by some third party (e.g. using any malware
installation method or a real spy).

------
tuxone
Kaspersky, the most paid and legalized backdoor ever commercialized, ruining
the web experience of the average user. Although I'm glad they discover
interesting things, I would love it if they stopped messing with third parties'
HTTP connections and HTML pages.

------
givinguflac
I think it's pretty funny that they go through all the trouble of making this
for MacOS, yet it searches for only MS Office file extensions and not Apple's
iWork extensions. It also seems to me that this all hinges on having
gatekeeper disabled.

------
saosebastiao
Is there any diagnostic tool out there to determine if you've been infected?

~~~
clinton_sf
> Is there any diagnostic tool out there to determine if you've been infected?

From what I can tell, they posted the SHA256 of the offending binary under the
IOCs section of that web page. So you should be able to do this in the root of
your home directory to detect if such a file exists:

    find . -type f -print0 | xargs -0 shasum -a 256 | grep 664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c

~~~
drdrey
Binary checksums are usually not very helpful for identifying malware. The
fact that the binary they were looking at was called "unpacked" suggests that
there would be packed versions out there, and they would have a different
checksum.

~~~
clinton_sf
Yes. And the malware could be polymorphic. Or there could be multiple versions
of the same "core" out there. It's not clear to me how sophisticated virus
(malware) scanners for OS X are at dealing with that.

~~~
lm2s
From what I know (which is not much) scanners, among other things, search for
identifying patterns in files. So there is an identifying pattern of each
discovered malware/virus in a database.
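
An added example (not code from the thread, the Securelist post, or Kaspersky) that puts together what this sub-thread describes: clinton_sf's hash check against the SHA-256 quoted from the IOC section, plus the pattern-based matching lm2s mentions, which is what lets a scanner catch a repacked build whose hash no longer matches (drdrey's point). The hash is the one posted above; the byte signature, file names and directory layout are constructed for the demonstration and stand for nothing real.

```python
"""Walk a directory tree and flag files by (a) exact SHA-256 match against known
IOC hashes and (b) presence of a byte signature. Example code added to this thread;
the only real value in it is the SHA-256 quoted from the Securelist IOC section."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 of the unpacked sample as quoted in the thread above (from the post's IOCs).
MOKES_SHA256 = "664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c"

# Constructed signature for the demo only. A real signature database holds byte
# patterns extracted from analysed samples; this marker is made up.
DEMO_SIGNATURES = {"demo-marker": b"CONSTRUCTED-MOKES-DEMO-MARKER"}


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-megabyte binary is never read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_signatures(path, signatures, chunk_size=1 << 20):
    """Return the names of signatures present in the file.

    Reads in chunks and carries the last (longest signature - 1) bytes over, so
    a pattern straddling a chunk boundary is still found."""
    overlap = max((len(s) for s in signatures.values()), default=1) - 1
    found = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            for name, pattern in signatures.items():
                if pattern in window:
                    found.add(name)
            tail = window[-overlap:] if overlap else b""
    return sorted(found)


def scan_tree(root, ioc_hashes, signatures):
    """Return sorted (path, reason) pairs for every regular file under `root`
    that matches a known hash or contains a signature. Symlinks are skipped and
    unreadable files are ignored rather than aborting the whole scan."""
    wanted = {h.lower() for h in ioc_hashes}
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                if sha256_of_file(path) in wanted:
                    hits.append((str(path), "sha256"))
                for sig_name in find_signatures(path, signatures):
                    hits.append((str(path), "signature:" + sig_name))
            except OSError:
                continue
    return sorted(hits)


def demo():
    """Constructed scenario: one benign file, one file whose hash is added to the
    IOC list (standing in for the published sample), and one 'repacked' file that
    shares only the byte marker. Returns the hits relative to the scan root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target = root / "Library" / "scan_demo"
        target.mkdir(parents=True)
        (target / "benign.txt").write_bytes(b"nothing to see here\n")
        known = target / "known.bin"
        known.write_bytes(b"constructed stand-in for a sample with a published hash\n")
        repacked = target / "repacked.bin"
        repacked.write_bytes(b"\x00" * 40 + DEMO_SIGNATURES["demo-marker"] + b"\x00" * 40)
        # The real hash is included so the same list could be pointed at a home
        # directory; in this constructed tree only the stand-in file matches it.
        iocs = {MOKES_SHA256, sha256_of_file(known)}
        hits = scan_tree(root, iocs, DEMO_SIGNATURES)
        return [(os.path.relpath(p, root), why) for p, why in hits]


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:24} {path}")
```

Pointing `scan_tree` at `~` with `{MOKES_SHA256}` and an empty signature dict is the equivalent of the shell one-liner above; the hash branch only ever finds the exact unpacked build, which is why the signature branch is the part a real scanner relies on.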

------
_Codemonkeyism
Looks like it's not only OS X - the OS X variant is newly discovered.

Title should be 'OS X Variant of Backdoor Discovered', shouldn't it?

"OS X variant of a cross-platform backdoor which is able to operate on all
major operating systems (Windows,Linux,OS X). Please see also our analysis on
the Windows and Linux variants."

------
toyg
That list of directories is really weird. On my machine, none of them exists,
neither in ~/Library nor /Library. And I do run most of that software
(Dropbox, Skype, Firefox, Chrome in the past...).

Either the malware targeted very old versions of such software and/or OSX, or
somebody between the malware author and the blog writer f###ed up.

~~~
richardwhiuk
The aim is to look legitimate, but not clobber applications - merely to look
like something the user shouldn't delete.

~~~
toyg
But the post says that the malware checks if any of those folders exists, only
_then_ writing the necessary plist. By your reasoning, one of these folders
should have been created in advance by another process. So this "backdoor" is
even incomplete...

~~~
sordidfellow
It says it checks if those folders are available - which could mean checking
if the name is not already taken, and then creating the path for itself to
use.

------
marmot777
I'm curious why my Malware app wouldn't be on top of this? I did a search for
it here:
[https://blog.malwarebytes.com/threats/](https://blog.malwarebytes.com/threats/)

Is it too new a threat? Outside the scope of my Malware app?

------
mrmondo
1. This is not a backdoor, it's malware or an exploit.

2. This is not specific to OS X, it affects many operating systems, so this
sounds like an attempt at slandering software that someone doesn't like, or
has a reason not to like.

------
Mizza
Are video captures actually possible? I could imagine video capture as part of
a RAT, but what scares me is the idea of video capture that doesn't turn on
the camera activity light. Are there any examples of that?

~~~
jobu
It was definitely possible a couple years back -
[https://jscholarship.library.jhu.edu/handle/1774.2/36569](https://jscholarship.library.jhu.edu/handle/1774.2/36569)

_We describe how to disable the LED on a class of Apple internal iSight
webcams used in some versions of MacBook laptops and iMac desktops. This
enables video to be captured without any visual indication to the user and can
be accomplished entirely in user space by an unprivileged (non-root)
application._

~~~
landr0id
> It was definitely possible a couple years back

Yeah, a few years back studying MacBooks from _2008_.

~~~
strictnein
Have they been updated since then?

~~~
landr0id
Assuming this is a serious question, yes, the camera and MacBooks both have
changed a lot since 2008. This is probably why they did the study on 2008
MacBooks as opposed to later models. They wouldn't get the results they wanted
otherwise.

------
coldcode
Useless article makes no mention of how this gets into the system at all. Plus
it's not all that sophisticated or a backdoor. Nor do they point out that Apple
was notified before posting this.

------
throwanem
I like how the images all jump a centimeter to the left on mouseover! Makes
the page feel exciting.

~~~
dota_fanatic
An extension or something you're using is causing that. Mouseover should show
social media icon links on the left side of the pictures.

~~~
throwanem
Oh, it does that, too.

------
bronz
so has this been patched for windows?

------
jesalg
This sounds a lot like the zero-day exploit used in the show Mr. Robot. Life
imitating art.

~~~
niij
I think Mr. Robot is art imitating life. Life, of course, being exploits like
these.

~~~
jesalg
Well I think the show depicted something like this before it became public
knowledge. But point taken, they were inspired by similar exploits.

------
yuja_wang
I thought MacOS was "Secure By Design". This is what Apple states in their
official product descriptions.

In fact, it says it on this current page:

[http://www.apple.com/business/mac/](http://www.apple.com/business/mac/)

"Because OS X is secure by design, there’s no need for IT to install
additional tools or lock down functionality for employees. And with an
automated zero-touch deployment process, they don’t even have to open the
box."

~~~
kyriakos
I think that myth got shot down years ago. Along with magical and courageous
marketing terms.

