
Mac Malware Spies On Email, Survives Reboots - narad
http://www.informationweek.com/news/security/attacks/240004583?google_editors_picks=true
======
lloeki
After the catchy headline, the article (unsurprisingly) babbles on obvious
platitudes, is inaccurate and skips the interesting bits entirely, focusing on
the osx-has-dangerous-malware wow factor. I wish we could get over the OS wars
and assess the threats and possible security flaws objectively.

> _While not widespread, the malware's ability to intercept email and IM,
> among other features, demonstrates that malicious applications written to
> target Macs can be just as powerful as malware that comes gunning for PCs._

Surprise, surprise. A non-sandboxed process can access user files in
~/Library/Application Support/Mail. Shocker.

> _The rootkit also ensures that the malware can run automatically, without
> requiring administrator-level authentication_

A non-sandboxed process can survive a reboot by writing a plist in
~/Library/LaunchAgents. Wowz. Calling it a rootkit when it does not seem to
gain privileges is a bit of a stretch.

> _took the unusual step of altering OS X_

Updating an OS is now 'altering', providing a security update is now
'unusual'.

> _to disable outdated versions_

It does not disable outdated versions, it disables _all_ versions and forces
the user to manually opt-in to run applets.

> of Java

Of the Java _browser plugin_.

Now here are the interesting bits that I wish were elaborated on:

> _hides its malicious files and processes in the OS X system library_

/System/Library is writable by root only. Does it gain privileges or not? I
suppose the trojan installer asks for permissions.

> _allegedly been signed by VeriSign_

What hides behind this? A forged certificate? Or simply the app being signed
by a legitimate certificate issued by VeriSign? Does it pass Mountain Lion's
Gatekeeper?

> _Notably, the code contains hooks into the Apple OS X operating system that
> allow it to..._

All of this is obvious. Non-sandboxed processes can do whatever they want in
the user's playground. What's interesting is indeed that this forms some
framework to leverage upon.

More importantly, the article completely sidesteps the core part: how is the
payload delivered? Being "disguised as an Adobe Flash Player installer" is a
bit lacking in explanation.
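The persistence mechanism the comment above describes (a plist dropped in ~/Library/LaunchAgents, no privilege escalation needed) is also what a defender can audit. The script below is an added example, not code from the article, the Securelist write-up or the malware: it parses launchd plists with the standard library and flags the tells a user-level persistence entry tends to have. The two sample plists are constructed for the example, and the directory prefixes treated as "user-writable" and "where a genuine com.apple.* binary lives" are assumptions you would tune for your own fleet.

```python
"""Audit launchd property lists for common user-level persistence tells.

Added example (not from the article or the Securelist write-up). The sample
plists below are constructed for illustration, not taken from real malware.
"""
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumption: directories a non-privileged process can write to on a default install.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/var/tmp/", "/private/tmp/")
# Assumption: where a genuine com.apple.* agent's binary is expected to live.
APPLE_BINARY_PREFIXES = ("/System/", "/usr/", "/Library/Apple/")

# Constructed sample: a plausible third-party updater agent.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

# Constructed sample: an Apple-looking label pointing at a hidden, user-writable binary.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.mdworker_helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/Caches/.hidden/agent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""


def program_path(plist: dict):
    """Return the executable launchd would run, or None if the plist names none."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def audit_plist(data: bytes) -> list:
    """Return human-readable findings for one plist; an empty list means clean."""
    try:
        plist = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return [f"unparseable plist: {exc}"]

    findings = []
    label = str(plist.get("Label", ""))
    path = program_path(plist)
    if path is None:
        return ["no Program/ProgramArguments: nothing to run"]

    if path.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"user-writable program path: {path}")
    if any(part.startswith(".") for part in Path(path).parts):
        findings.append(f"hidden path component in: {path}")
    if label.startswith("com.apple.") and not path.startswith(APPLE_BINARY_PREFIXES):
        findings.append(f"com.apple.* label but program outside Apple locations: {label}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: starts at login and is restarted if killed")
    return findings


def audit_directory(directory) -> dict:
    """Audit every *.plist under `directory` (e.g. ~/Library/LaunchAgents)."""
    results = {}
    for plist_file in sorted(Path(directory).expanduser().glob("*.plist")):
        findings = audit_plist(plist_file.read_bytes())
        if findings:
            results[str(plist_file)] = findings
    return results


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PLIST), ("suspicious", SUSPICIOUS_PLIST)):
        print(name, audit_plist(sample) or ["clean"])
    # On a real Mac, point this at the per-user and system agent directories.
    print(audit_directory("~/Library/LaunchAgents"))
```

Run it against ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons; a legitimate agent can trip one heuristic (a developer's tool living under ~/Applications, say), so treat the output as a triage list, not a verdict. An entry that matches several at once, especially an Apple-style label whose binary sits in a hidden user-writable directory, is the shape of user-level persistence that needs no root at all.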

------
js2
The original article is tripe. Here's the beef -
[http://www.securelist.com/en/blog/719/New_malware_for_Mac_Ba...](http://www.securelist.com/en/blog/719/New_malware_for_Mac_Backdoor_OSX_Morcut)

~~~
sadga
Why is the source code using StringBuilder everywhere instead of "+"? Is it
designed for an ancient version of Java? Or is that some decompiled version?

[http://stackoverflow.com/questions/1532461/stringbuilder-vs-...](http://stackoverflow.com/questions/1532461/stringbuilder-vs-string-concatenation-in-tostring-in-java)

~~~
a1k0n
Do you think the author who found this malware in the wild had the original
source code to it?

------
Zirro
What I'm interested in is how the default setting for Gatekeeper in Mountain
Lion affects this. Assuming it hasn't been signed (which would allow a quick
revoke by Apple), Gatekeeper should keep it out of the system, yes?