[dupe] 30K Macs are infected with ‘Silver Sparrow’ virus and no one knows why (macworld.com)
124 points by CharlesW 11 days ago | 49 comments

Discussion from a couple days ago:


This is why it's so problematic when people don't make a distinction between "virus" and "Trojan".

If we trusted that people, particularly a supposed tech site, made the distinction, the article would be MUCH more useful.

A new Trojan out there? I don't care much.

An actual virus that fits the definition of computer virus (that is, it infects and spreads without user interaction)? That's a huge deal.

Too bad they don't make a distinction.

>that is, it infects and spreads without user interaction

My understanding was that viruses that spread without interaction are called worms. Both trojans and worms are viruses.

The terminology is based on how the malware spreads. Worms actively exploit holes in network programs (e.g. emailing themselves to your contacts), trojans disguise themselves as something useful (e.g. a pirated game). True viruses spread by injecting copies of themselves into innocent files in such a way that opening the file triggers the payload.

True viruses are rare these days because the infection vector is passive and relatively slow: an infected file must be transferred by user action to another computer, for example by sharing an infected file via floppy disk.

>> for example by sharing an infected file via floppy disk.

Or an "excel" file attached to an email or posted in a chat group that is executed by the host automatically and inserts itself somewhere. Viruses remain alive and well online.

False. There were viruses in the PC and Mac world for years, long before the 1988 Morris worm incident popularized the "worm" term.

Viruses spread via interactions like booting an infected floppy disc, or running an infected program copied from another user.

A virus is simply a piece of malicious code which attaches itself to programs, arranges for itself to be executed when those programs are run, and thereby spreads to more programs as programs are copied from system to system by unsuspecting users.

A Trojan horse is a malicious program which a user is somehow fooled into trusting, installing and running. It doesn't have to be a virus at all; for instance, it could be a fake authentication dialog that steals their credentials and then defers to the real authentication.

A malicious thumb drive deliberately dropped in the parking lot of a company is a modern example of a Trojan horse. It might not infect anything, just steal information and transmit it.

This definition of virus is actually referred to as worm.

A virus just attaches itself to a host (binary, document, ...) to spread; like 30 years ago, viruses spread via floppy disk, which required a lot of manual doing.

A worm is what actively spreads by itself.

Both viruses and worms (malware, so to speak) can be introduced to environments as trojans.

I think when someone says virus these days, including news, they just mean any kind of malware and it seems okay to me.

The important part is to start talking more about malware on macOS, as it seems a blind spot for many organizations.

> talking more about malware on macOS

That's also why it's important to make the distinction between the "naked-cheerleaders.jpg.exe" kind of malware, the "visited a website" or "opened a PDF" kind and finally the "had a machine online" kind. Because AFAIK the second kind of malware is very rare on macOS and the third kind is literally nonexistent. And some people rely on that (including me).

So, I appreciate you might consider this separate, but I would for most purposes include the various iMessage exploits in that last category (so: rare, but not unheard of).

>> to start talking more about malware on macOS

We had this debate in my office today. Imho malware is any software that the user/owner of a system doesn't want running. Others were of the opinion that "malware" doesn't include software for which someone, perhaps other than the user, has a legitimate use. So surveillance software isn't malware because it can be installed on a target device legitimately. So too most bloatware, stuff I call malware but many large corporations do not.

This has a good breakdown of how it works https://redcanary.com/blog/clipping-silver-sparrows-wings/

Unless I missed something, it doesn’t explain how they entice people into installing the malware?

Why would the malware use S3? Won't AWS just boot them off if they recognize malware? And report their payment details to the authorities?

The article mentions that using S3 makes it harder to block. You can't block Amazon S3 without breaking very many things.

Presumably the malware author would open an AWS account with a stolen or prepaid credit card. They could probably even get away with using AWS's free tier.

Or they could even abuse a random web service that uploads data to predictable locations on S3.

You need to host it somewhere. S3 won't set off any IDS/Firewall alert. IDS would pick up calls to China or Russia. Payment details are probably stolen credit cards or credit cards set up with fake/stolen identities. They'll be a dead end.

1. It may not be their bucket. Getting someone's credentials and uploading to S3 means the wrong party would be assigned blame/responsibility.

2. It may be their bucket, but with false credentials. Stolen CC and faked contact information.

Right, but if Amazon disables the bucket then don’t they lose contact with all the infected hosts? And anyway, I can’t imagine expecting a recurring charge like an AWS account to last too long on a stolen CC.

Along with the apparent lack of any actual payload, it seems to point to this being some kind of proof of concept.

Bad guys have figured out there are tons of 1-year promo offers for AWS and hosting a single file stays well within the free tier. They toss a stolen card on the account to verify it, which honestly most people won't question a $1 charge then refund from Amazon.

They also had a backup hosted on Akamai.

It appears Amazon or the bucket owners have blocked the URLs the malware uses (at least those listed on the article).

I’m not sure if this means that the malware is no longer a threat.

Usually botnet control systems like this will generate a new domain every day using some difficult-to-predict algorithm. Maybe seed it off of the previous day Dow Jones Index closing figure or something. This makes it a race to try to register the domain before the bad guys do.

I find it weird how all of the stories about this thing have the tone of "oh no, what could it be for, there is no payload!?!", when it phones home to a control server regularly waiting for payload. Guys, it's a botnet. They're just waiting for it to get big enough to be worth selling. This isn't some huge mystery. It could be used for hundreds of uses from DDOSing, to spamming, to being a covert VPN network, to Warez distribution, porn, etc... Plus it will probably eventually install a keylogger on the system to harvest CC numbers and passwords from the infected users, maybe run some crypto-locking ransomware if the devs need some bitcoin. All of the typical stuff you can expect after a box is rooted by one of these botnet operators.

Stuxnet for example, didn't really seem to do anything useful. Unless you happened to have a very specific version of industrial control software installed.

No obvious payload is actually the worst kind of malware to deal with, because you have no idea if Matthew in accounting had the specific key on his machine that installed a second stage that you know nothing about and can't detect.

Most malware infra uses AWS these days. Amazon is terrible at preventing it, and in my experience makes it nearly impossible to report.

Stolen buckets maybe.

I don't really think it pays off to make such distinction between virus and trojan.

`Trojan` is often used to refer to malware that provides a backdoor into your system, and if someone gets to run code on your machine it isn't your machine anymore.

The real value is in evaluating your risk, which includes an analysis of the infection vector. A virus (or worm) can be more risky because it typically exploits a weakness in the system. And some trojans are more risky to some demographics than others, depending on which social engineering techniques they use to trick a user into installing them.

If you are making a risk evaluation based on the generic term someone else uses to describe a threat, you've already lost.

The genie is out of the bottle and there is no putting it back - virus, malware, worm, trojan, etc. are all interchangeable marketing terms now.

I think technically a virus infects other files, but a worm is its own file(s) that spread one way or another. A Trojan is just one means of spreading, and can be used by viruses, worms, or other malware. Though there really is no point in being pedantic about the definitions because all the lines have been blurred for decades.

Terminology descriptions aside (I believe what you are describing is a worm, not a virus), knowing how something spreads is important.

Obsessing over motivations of the developers without providing useful mitigation steps or any kind of even vague description of who is at risk by this is frustrating.

If the only vulnerability that was exploited was an unsuspecting user installing software they thought was clean, it should just be classified as "30K macs have compromised software installed on them".

So which is it in this case? Is this the really bad kind or the one we shouldn't care about?

Apple has revoked the dev certificates to stop further infection: https://www.macrumors.com/2021/02/22/apple-revokes-silver-sp...

So what are they doing about previously infected computers?

If I had to guess, I'd say they will probably roll out new XProtect signatures [1] soon, assuming they haven't done so already for these samples.

I also just learned that you can see when the last update was with the following command:


system_profiler SPInstallHistoryDataType | grep -A 5 "XProtectPlistConfigData"


And then any updates are added to `/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara` (for macOS 11, at least).

[1] https://support.apple.com/guide/security/protecting-against-...

Is there an "approved" diagnostic tool that one should use to figure out whether your mac has the virus, or is vulnerable to it and needs patching?

Check for the existence of these files:

~/Library/._insu (empty file used to signal the malware to delete itself)

/tmp/agent.sh (shell script executed for installation callback)

/tmp/version.json (file downloaded from S3 to determine execution flow)

/tmp/version.plist (version.json converted into a property list)


I think Malwarebytes was the company first identifying the threat. Correction: it was Red Canary working with Malwarebytes.

What a silly title. It may not have some active payload right now, but that doesn't mean it won't tomorrow. Seems like a reasonable strategy to spread the malware as wide as possible, then push an update to trigger whatever behavior you want. And yes, it does check for updates.

> Every hour, the persistence LaunchAgent tells launchd to execute a shell script that downloads a JSON file to disk, converts it into a plist, and uses its properties to determine further actions.


> In short, it doesn’t do anything. That’s not all that reassuring, given that tens of thousands of Macs could have potentially been infected, but based on the findings and investigations of multiple strains, the virus was “positioned to deliver a potentially impactful payload at a moment’s notice.”
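The two on-host signs the thread discusses, the indicator files a commenter listed above (`~/Library/._insu`, `/tmp/agent.sh`, `/tmp/version.json`, `/tmp/version.plist`) and the hourly persistence LaunchAgent quoted in this comment, can be checked with a short triage script. The script below is an added example, not code from the thread, from Red Canary or from Apple. The `SS_HOME`, `SS_TMP` and `SS_AGENTS` environment overrides are my own naming so the functions can be pointed at a scratch directory, and the "LaunchAgent that runs something out of /tmp" heuristic is an assumption I chose to approximate the quoted persistence mechanism, not a signature published by anyone in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage for the two host-side signs
# discussed above.
#   1. indicator files listed by a commenter
#   2. user LaunchAgent plists that make launchd run a script out of /tmp,
#      which is how the quoted hourly persistence works (heuristic, my own)
# SS_HOME / SS_TMP / SS_AGENTS are assumed overrides (my naming) so the
# checks can be run against a scratch directory instead of the live system.

# Print the indicator paths, one per line, under the configured roots.
silver_sparrow_iocs() {
  home="${SS_HOME:-$HOME}"
  tmp="${SS_TMP:-/tmp}"
  printf '%s\n' \
    "$home/Library/._insu" \
    "$tmp/agent.sh" \
    "$tmp/version.json" \
    "$tmp/version.plist"
}

# Report each indicator file that exists. Return value = number of hits.
check_ioc_files() {
  hits=0
  while IFS= read -r path; do
    if [ -e "$path" ]; then
      echo "FOUND indicator file: $path"
      hits=$((hits + 1))
    fi
  done <<EOF
$(silver_sparrow_iocs)
EOF
  return "$hits"
}

# Flag LaunchAgent plists whose ProgramArguments point into /tmp. A user
# LaunchAgent that runs a /tmp script on a StartInterval matches the pattern
# the thread quotes; legitimate agents very rarely do that.
# Return value = number of flagged plists.
check_launch_agents() {
  dir="${SS_AGENTS:-${SS_HOME:-$HOME}/Library/LaunchAgents}"
  flagged=0
  [ -d "$dir" ] || return 0
  for plist in "$dir"/*.plist; do
    [ -f "$plist" ] || continue
    if grep -q '<string>/tmp/' "$plist"; then
      echo "SUSPICIOUS LaunchAgent (runs something from /tmp): $plist"
      if grep -q '<key>StartInterval</key>' "$plist"; then
        echo "  (has a StartInterval, i.e. runs on a timer)"
      fi
      flagged=$((flagged + 1))
    fi
  done
  return "$flagged"
}

# Run both checks and summarise. Return value = total indicators found.
silver_sparrow_triage() {
  check_ioc_files; a=$?
  check_launch_agents; b=$?
  total=$((a + b))
  if [ "$total" -eq 0 ]; then
    echo "no Silver Sparrow indicators found"
  else
    echo "$total indicator(s) found; investigate before trusting this host"
  fi
  return "$total"
}

# When executed directly, check the real home directory and /tmp.
silver_sparrow_triage
```

A non-zero exit status means something was found; the file list alone is only evidence of this specific sample, so a clean result says nothing about a re-packaged variant, which is why the LaunchAgent check looks at the persistence pattern rather than a fixed file name.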

Was the article changed after your comment?

> In short, it doesn’t do anything.

> “positioned to deliver a potentially impactful payload at a moment’s notice.”

In my view, these are contradictory statements.

It hasn't done anything (according to evidence at the time of writing) is not the same as it doesn't do anything.

But no one knows what the payload will do. I thought the title was fine.

I guess that’s right. I was reading the title as “no one knows why they bothered infecting these computers with a virus that doesn’t do anything.”

A more honest title would have ended with "no one knows what for".

Is there an easy way to see if you're infected?

To me, this looks like a government sponsored trojan. It's extremely sophisticated and seems highly targeted.

30,000 computers across virtually every country in the world is "highly targeted"?

And it's not that sophisticated, either.

I suspect the original poster was being sarcastic. But maybe not.
