Sophos

Archive for the ‘Macintosh’ Category

Is it art? Controversy over OSX/LoseGame-A

Last week, SophosLabs released detection for OSX/LoseGame-A and following Symantec’s publishing detection (which they call OSX.Loosemaque) there has been some controversy about whether this is a game or malware (see 1, 2, 3).

From my point of view this is malware. Why?

  1. The warning screen isn’t multi-lingual: even if English isn’t your first language you will still recognize ‘PRESS ANY KEY TO CONTINUE’ and press through.
  2. Even if English is your first language, a child looking for games on the computer will not read the warning but will press through to the game.

  [Image: Lose Lose warning screen]

  3. Would our corporate customers want this on their networks?

The concept behind OSX/LoseGame-A is ill-conceived, and it is likely to have malicious consequences that the author did not consider.


Snow Leopard malware protection system: What does XProtect do?

With the release of the new version of OS X today (Snow Leopard OS X 10.6) Apple have added some malware protection. XProtect (we are calling it this as it is the name of the detection data file) provides a level of protection against variants of OSX/iWorks-A (OSX.Iservices) and OSX/Jahlav-C (OSX.RSPlug.A).

Users who upgrade to Snow Leopard (OS X 10.6) and who encounter the Trojans while browsing for:

and are not running a Mac specific security product (e.g. Sophos Anti-Virus for OS X), may receive a pleasant surprise:

As opposed to the message from Sophos:

When files are downloaded through the following applications:

  • Entourage
  • Safari
  • Mail
  • Firefox
  • Thunderbird
  • iChat
  • and other programs that use LSQuarantine

then the files are tagged with an extended attribute called com.apple.quarantine. When the downloaded file is run (automatically or manually), this triggers the use of Launch Services. Launch Services then triggers the XProtect scan of the file.

Unfortunately, if variants of these threats find their way on to your system via an application that doesn’t set the com.apple.quarantine extended attribute, for example via:

  • Skype
  • Adium
  • BitTorrent
  • and Finder (via USB keys, network share, etc …)

XProtect is never triggered and thus these threats can run unfettered. Indeed, OSX/iWorks-A was distributed through infected torrents, so XProtect would not have blocked it.
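To make the quarantine mechanism concrete, here is an added example (not Apple’s or Sophos’s code) that audits a folder and reports which files carry the com.apple.quarantine attribute, and so would be handed to XProtect on launch, and which do not. It assumes the attribute layout used by modern macOS (flags;hex timestamp;agent;uuid) and macOS’s /usr/bin/xattr tool; the parser itself can be exercised anywhere with a constructed value.

```python
"""Audit downloaded files for the com.apple.quarantine attribute that makes
Launch Services hand them to XProtect. Added example, not Apple or Sophos code."""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Optional


@dataclass
class QuarantineInfo:
    flags: int               # raw flag word; its bit meanings are Apple-private
    downloaded_at: datetime  # when the quarantining app saved the file
    agent: str               # application that downloaded it (e.g. Safari)
    event_uuid: str          # key into the LSQuarantineEvent database


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse the attribute value. Assumed layout (as on modern macOS):
    '<flags hex>;<unix time hex>;<agent name>;<event uuid>'."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    stamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 else ""
    return QuarantineInfo(int(parts[0], 16), stamp, parts[2], uuid)


def read_quarantine(path: Path) -> Optional[str]:
    """Return the raw attribute via /usr/bin/xattr, or None if it is not set."""
    proc = subprocess.run(["xattr", "-p", "com.apple.quarantine", str(path)],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def classify(value: Optional[str]) -> str:
    """A file with no attribute (Skype, Adium, BitTorrent, USB key, ...)
    is never handed to XProtect, so flag it for a manual scan."""
    if value is None:
        return "NOT quarantined: XProtect will not scan this on launch"
    q = parse_quarantine(value)
    return (f"quarantined by {q.agent} on {q.downloaded_at:%Y-%m-%d}: "
            "XProtect will scan it on launch")


def audit(folder: Path) -> Dict[str, str]:
    """Classify every regular file in a folder."""
    return {p.name: classify(read_quarantine(p))
            for p in sorted(folder.iterdir()) if p.is_file()}


if __name__ == "__main__":
    for name, verdict in audit(Path.home() / "Downloads").items():
        print(f"{name}: {verdict}")
```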

Users who have Sophos Anti-Virus installed with the on-access scanner enabled will never see this new XProtect functionality - the malware is detected by Sophos long before Launch Services gets to search for it.

XProtect seems to be a natural progression from the functionality that Apple added in 10.5, that warned the user before running installers/applications which had been downloaded from the Internet or an untrusted source.

Thanks to Michael Shannon, Researcher, SophosLabs UK and Ben Jupp, Senior Mac Specialist, Sophos Global.


More Mac OS X malware discovered

Mac malware can seem like buses - you see none for ages and then two come along at once.

Last night, SophosLabs was sent a message containing what claimed to be the “SRC CoDE of new Macintosh Worm” and so our Canadian labs released OSX/Tored-Fam, a generic way for us to detect future variants of the Tored family of malware.

One of the files was called ReadIt.txt and contained the following text:

RESPECT about what are you talking about me (cybercriminal..)
Dont say what you ignore !!!!!!!!

Then, this morning, Graham pointed me in the direction of the ParetoLogic blog which detailed a new piece of malware (which Sophos detects as OSX/Jahlav-C) hiding out on what presents itself as a hardcore porn website.

[Video: Is it safe to surf for porn on an Apple Mac? from SophosLabs on Vimeo]

OSX/Jahlav-C is an update to previous versions of Jahlav and will eventually run a Perl script that “uses http to communicate with a remote website and download code supplied by the attacker.”

What makes these events stranger is that yesterday afternoon I was being questioned by Ben Jupp, one of Sophos’s Senior Technical Support Specialists, about a talk he was giving on Mac malware at an OxMUG Meeting.

The last thing I said to him was that there would be more Macintosh malware. Prophetic words indeed.


iPhone and eBay Phishing Scam

Apple’s products such as the iMac, the Mac Mini, the iPod and the iPhone generate a lot of interest and publicity around the world. Media coverage of the iPhone and its successor, the iPhone 3G, has grown so extensive that these names have become major buzzwords.

As a result, it comes as no surprise that these Apple products are fast gaining more and more notoriety as targets of abuse by spammers, phishers and malware authors.

Today, an eBay phishing scam came in the form of a seemingly innocent query about the sale of iPhones. The scam message is quite simple and appears as follows:

At first sight, it appears to be a product spam campaign promoting the iPhone. However, clicking the link in the email brings up a fake eBay page: the email is actually a ruse designed to steal an eBay user’s account information.

SophosLabs analysts have encountered many instances of such misdirection of legitimate websites. They range from internet banking websites to online retail websites. As always, online users should take precautions and never attempt to follow an embedded weblink to an online store or a banking website from an email, even if by first appearances, it looks legitimate.

SophosLabs analysts have since blocked this scam campaign.


Viral Video Now Just Viral

…well actually it’s a trojan, but it’s still malicious!

For those who had the misfortune of watching the viral video 2 Girls 1 Cup (SFW Wikipedia link) that spread across the internet like wildfire a couple of years ago, people trying to sign up to view the video on the official site will now get more than they bargained for.

In fact, over the last few days we have seen hundreds of compromised domains across the internet. Obfuscated JavaScript has been injected into these sites, which attempts to redirect the user to another domain hosting a malicious payload.

As you can see, there’s nothing overly complicated about the obfuscation technique: it is simply a matter of escaping certain characters and inserting a symbol at random intervals in the text. After deobfuscating the code, we see that another script tag is written which points to the domain where the payload is hosted.
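An added example (not Sophos’s analysis code; the sample is constructed rather than the real injected script) of unwinding this kind of obfuscation for analysis: strip the filler symbol, undo the percent-escaping, and pull out the script src to learn which host to block or hunt for. The filler symbol ‘^’ and the example.invalid host are assumptions.

```python
"""Undo the redirector obfuscation described above: a filler symbol sprinkled
through percent-escaped script text. Added example, not Sophos code."""
import re
from collections import Counter
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample: a remote <script> tag, percent-escaped in the style of
# JavaScript escape(), with '^' inserted at arbitrary points (assumed filler).
OBFUSCATED = ("%3Cs^cr%69pt%20src%3D%22ht^tp%3A//pay^load.exa^mple.inva^lid/"
              "x.js%22%3E%3C/s^cript%3E")

# Characters JavaScript escape() leaves unencoded, plus '%' itself; anything
# else in escaped text is a candidate filler symbol.
ESCAPE_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                  "0123456789@*_+-./%")


def guess_filler(text: str) -> str:
    """Heuristic: the most frequent character that escape() would never emit."""
    counts = Counter(c for c in text if c not in ESCAPE_SAFE)
    if not counts:
        raise ValueError("no filler symbol found; text may not be obfuscated this way")
    return counts.most_common(1)[0][0]


def deobfuscate(text: str, filler: Optional[str] = None) -> str:
    """Strip the filler (guessed if not given), then undo the %XX escaping."""
    filler = filler or guess_filler(text)
    return unquote(text.replace(filler, ""))


def script_sources(html: str) -> List[str]:
    """Return the src of every <script> tag in the deobfuscated text: the
    domain hosting the payload, i.e. the indicator to block or hunt for."""
    return re.findall(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', html, re.I)


if __name__ == "__main__":
    clear = deobfuscate(OBFUSCATED)
    print(clear)
    print("payload hosts:", script_sources(clear))
```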

At the time of writing this blog the payload is no longer on the site but we suspect it will reappear sometime in the near future.

Earlier in the week we detected a file at the script target URL as Troj/SWFLdr-A but that file is no longer available.

Instead users are greeted with a simple message saying “/ No news…”. Customers will be happy to know that the original javascript redirector is detected as Troj/JSRedir-R.


Mac malware authors still plugging away

Last week, SophosLabs received several reports of some new Mac malware (Intego and Threat Researcher). So I asked around for samples (sample exchange) and was able to write detection for OSX/RSPlug-F (and update it for a minor variant).

Like the last few pieces of Mac malware (OSX/iWorkS-A and OSX/iWorkS-B) OSX/RSPlug-F arrives via hacked/cracked files purporting to be a legitimate application (in this case MacCinema).

When it is installed, however, users will see:

The authors of OSX/RSPlug-F have a bizarre set of influences (as mentioned by Intego and Threat Researcher): the file names of the dropped scripts name-check various things.

Snippets from the scripts:


niagasekirtsogetni 666 nigeb
yksrepsak 777 nigeb
enialbdivad 777 nigeb

Looks strange until you see the rest of the script and realize that this is uuencoding reversed.

Running the scripts through a simple perl script:

#!/usr/bin/perl
use strict;
use warnings;

# Reverse every line of the dropped script (read from stdin or from the
# files named on the command line) to recover the original uuencoded text.
while (<>) {
    chomp(my $str = $_);
    print scalar reverse($str), "\n";
}

We would get:


begin 666 integostrikesagain
begin 777 kaspersky
begin 777 davidblaine

While anti-malware products often get mentioned in malware this is the first time I have seen an “illusionist”.
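Carrying the analysis one step further than the Perl script above, this added example (not Sophos’s code) reverses each line and then uudecodes the result to recover the embedded file. The reversed sample is constructed and carries the harmless text ‘echo hi!!’ under the ‘kaspersky’ file name from the snippets.

```python
"""Reverse the line-reversed uuencoding used by the OSX/RSPlug-F dropper
scripts and decode the payload. Added example, not Sophos's Perl script."""
import binascii
from typing import Tuple

# Constructed sample: a uuencoded file 'kaspersky' (mode 777) carrying the
# harmless text 'echo hi!!', with every line reversed as in the dropper.
REVERSED_SAMPLE = """yksrepsak 777 nigeb
A$2:H!R;H-69)
`
dne"""


def reverse_lines(text: str) -> str:
    """Undo the per-line reversal (what the Perl script on the page does)."""
    return "\n".join(line[::-1] for line in text.splitlines())


def uudecode(text: str) -> Tuple[str, int, bytes]:
    """Decode a uuencoded block into (file name, mode, payload bytes)."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("begin "):
        raise ValueError("missing 'begin' header: not uuencoded (or not reversed yet)")
    _, mode_str, name = lines[0].split(" ", 2)
    mode = int(mode_str, 8)          # '777' and '666' on the page are octal modes
    payload = bytearray()
    for line in lines[1:]:
        if line == "end":
            break
        if not line.strip():
            continue
        payload += binascii.a2b_uu(line)   # a lone '`' decodes to b''
    else:
        raise ValueError("missing 'end' trailer")
    return name, mode, bytes(payload)


def decode_reversed(text: str) -> Tuple[str, int, bytes]:
    """Full pipeline: un-reverse the lines, then uudecode."""
    return uudecode(reverse_lines(text))


if __name__ == "__main__":
    name, mode, data = decode_reversed(REVERSED_SAMPLE)
    print(f"{name} (mode {mode:o}): {data!r}")
```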

Update: This malware has also been seen on websites, posing as a legitimate download. You can read more about this over on Graham Cluley’s blog, or watch the video below:

[Video: Apple Mac malware: Caught on camera from Sophos Labs on Vimeo]


Heroes

As I’m sure you’re by now aware, a security researcher named Charlie Miller was able to pwn Safari in 10 seconds at CanSecWest yesterday! A truly spectacular feat! I’m not even sure how he was able to type so fast! Let me read on…

Hmmm. Okay, so he didn’t actually do anything in those 10 seconds except copy and paste a URL into the browser. Still, it’s not like he had lots of time to prepare for his moment of supreme glory!

Oh wait. According to this Reg story, he actually had over a year to prepare. (No wonder he was able, two weeks ago, to so confidently “predict” that Safari would be the first to fall! Not so much his assertion that IE and Firefox would remain standing, though.) And, as numerous alarmed commentards have pointed out, he didn’t tell Apple about this critical security flaw in a piece of software used by millions of people every day.

As one of those users, I have to say I’m not exactly delighted to discover that a so-called security researcher was so breathtakingly cavalier about the safety of my data and the privacy of my personal information. Apparently I’ve been vulnerable to this “idiot-proof” exploit for at least a year, and have only good luck to thank for the fact that no-one used it to drain my bank accounts in the meantime.

Of course, discovering a bug is not the same thing as discovering a ready-to-go exploit, and he had to dig at it with his hacking implements before he was able to make it bleed. But arguably the very fact that he sat on it so long implies he knew it at least had the potential to be exploitable (read: profitable). So rather than reporting the bug to Apple to ensure Safari users around the world would be protected as soon as possible, Miller filed it away so that he might bag himself yet another laptop.

The point I’m trying to make is that this wasn’t “his exploit” to do with as he saw fit. With today’s highly monetized black market for malware authors this kind of bug must not be permitted to exist even for a day, let alone a year. The public good must trump personal gain if we’re to make any headway against today’s increasingly sophisticated criminals. For an employee of a reputable security company to place in danger through his inaction the security, privacy and finances of millions of people is to my mind grotesquely irresponsible, all for the sake of a few grand and another 15 minutes in the limelight. With a successful drive-by browser exploit now likely to cause many millions of dollars worth of damage - not to mention further erode the perceived viability of the Internet as a safe place to do business - I consider such reckless disregard to be unconscionable.

“If this competition hadn’t existed, I never would have found this bug,” Miller told The Reg, with the implication that we, the unwashed know-nothing iProles, should be grateful to him and TippingPoint and CanSecWest for their altruism. But anything laudable about this misguided competition and the bugs it (eventually) reveals is, in my opinion, entirely negated by the absolute ethical void that must accompany any system that incentivizes such antisocial behavior.

But surely I’m going too far. As The Reg points out, critical browser exploits can fetch up to $100,000 on the black market. Isn’t it “remarkable”, then, that these heroic souls were “willing to [sell the exploits to TippingPoint] for well under the going rate”?

I must agree. If we as an industry really have sunk so low that we’re genuinely impressed by the fact that our colleagues aren’t working for criminals then “remarkable” doesn’t seem to quite do it justice.


OSX/iWorkS-B another Trojan affecting dodgy downloads

SophosLabs heard some reports today regarding another Trojan affecting dubious torrent downloads (Intego and Graham Cluley). This Trojan, OSX/iWorkS-B, is affecting Adobe Photoshop CS4 downloads on torrent sites.

OSX/iWorkS-B has a similar modus operandi to OSX/iWorkS-A.

The differences mean that for disinfection you will need to kill the DivX service instead of iWorkService.

sudo killall -9 DivX

Plus remove the folder /System/Library/StartupItems/DivX

sudo rm -rfd /System/Library/StartupItems/DivX

Network administrators who monitor network traffic should look for traffic to:

*freehostia.com:1024

OSX/iWorkS-B is yet another reason to have a security program on a Mac.


OSX/iWorkS-A another reason to have a Mac security product

Yesterday, SophosLabs was made aware of a new Mac OS X Trojan affecting a dubious copy of iWork ‘09 (an update to Apple’s popular rival to Microsoft Office).

In the news and blogosphere there were several write-ups and descriptions (Threat Researcher, Intego, ProtectMAC and our own Graham Cluley). SophosLabs has now written detection for this new Trojan, which we identify as OSX/iWorkS-A (aka OSX.iWorkServices.A, OSX.Iwork and OSX.Trojan.IServices.A).

The Trojanised copy of iWork ‘09 was made available on the infamous PirateBay torrent site as a ZIP file. When unpacked you would get a proper Mac .pkg file.

As you can see, the ZIP was ~450Mb and there were over 500 torrent sites offering it for download last night. Looking into the .pkg file (actually a folder) shows that there is a suspiciously new file.

iWorkServices.pkg is the install package for OSX/iWorkS-A. When installed OSX/iWorkS-A will create several files and a process.

Sophos Anti-Virus for Mac will detect and delete the files created under StartupItems and bin. The process called iWorkService can be killed manually.

sudo killall -9 iWorkServices

Network administrators who monitor network traffic should look for traffic to:

*freehostia.com:1024
69.92*:59201

as such traffic is indicative of an OSX/iWorkS-A infection.

The comments posted to the PirateBay blog are quite explicit about the dangers involved in downloading this torrent. Though it appears that the author of this Trojan (or perhaps an accomplice) was posting to say that the file wasn’t a Trojan. Either that or they were quite dim.

Graham asked late last year “Do you really need anti-virus on your Apple Mac?”. This Trojan once again proves the answer to be yes.