Pint-Sized Backdoor for OS X Discovered - MAC

By Belly
at 2013-02-21T12:05


Pint-Sized Backdoor for OS X Discovered
Posted on February 18th, 2013 by Lysa Myers

A new backdoor which affects OS X has been announced to an AV industry
mailing list. Details are fairly limited right now, and the components we
have indicate a fairly small, simplistic but efficient threat. It’s believed
that this was a targeted attack, perhaps dropped by an exploit. At the time
of writing, all of the network components have been sinkholed so it’s unable
to receive commands.

From what we’ve seen, this threat likely starts with an exploit to get it
past Gatekeeper. Once on a system, it sets up a reverse shell. That is to
say, rather than announcing to the controller that the machine is infected
(because the machine has been targeted and they already know where it is),
the controller periodically contacts the infected machine to perform
commands. Initiating the contact from outside the affected machine
potentially helps it get past firewalls. This part of the threat is comprised
of clear text Perl scripts, which means it’s fairly easy to spot if someone
knows what to look for.

So that’s where the second part of this threat comes in. The binary
component uses a modified version of existing tools (namely OpenSSH 6.0p1)
for creating a secure connection to encrypt the traffic so that it is much
better hidden. The tool is further hidden by placing the file in a directory
that is usually used for printing, so that if anyone sees a list of processes
contacting the network, it will appear as if the affected machine is simply
printing from a networked printer. This version of the tool also has been
modified so that it will not save a log of its command histories.

The threat encrypts traffic with the command and control channel by use of an
RSA key.

The filenames as they were reported are:

com.apple.cocoa.plist
cupsd (Mach-O binary)
com.apple.cupsd.plist
com.apple.cups.plist
com.apple.env.plist

One of the (sinkholed) network addresses that the threat contacts is “corp-aapl.com.” It’s been noted that this is a misspelling of Apple, but it is the stock symbol for Apple.


http://goo.gl/0JNvs The news is coming in too fast, please evaluate it carefully..

My feeling is that the techniques used on Windows back in the day have all been moved over to the Mac; the next step should be the mobile operating systems.

Some people have also asked whether Ubuntu would have the same problem; this has not been confirmed so far.

Mac users, please pay extra attention to your computer usage habits...

That's all.


thx

--
Hi hi everyone
My specialties: rapid malware removal, crash handling, data recovery, account recovery, system planning, information integration
System planning: economical, high performance, low pollution, energy saving (reduced noise and vibration, electromagnetic waves, waste heat, dust, radiation)
Space saving, comfortable to use, warm keyboard and mouse (against cold hands). Netizens say collecting cards is to cultivate EQ

--
Tags: MAC
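As an added, defender-side example (not code from the original post, and not from Intego or the malware's authors), here is a small Python indicator check built only from what the post reports: the four plist filenames, a Mach-O binary named cupsd, and the sinkholed domain corp-aapl.com. It assumes that the legitimate CUPS scheduler on OS X is /usr/sbin/cupsd and that the reported plists would be looked up under the LaunchAgents/LaunchDaemons directories; the sample file paths, process list and connection records are constructed for the example, not captured from an infected machine, and the path of the rogue cupsd in the sample is a placeholder, not the real drop location.

```python
"""Indicator check for the OS X backdoor described in the post (added example).

Assumptions not stated on the page:
  * the legitimate CUPS scheduler on OS X lives at /usr/sbin/cupsd
  * the reported plists are persistence files that would sit under the
    LaunchAgents / LaunchDaemons directories
All sample inputs below are constructed, not taken from an infected host.
"""
import os
import re
from collections import namedtuple

# Filenames exactly as reported in the post.
REPORTED_PLISTS = {
    "com.apple.cocoa.plist",
    "com.apple.cupsd.plist",
    "com.apple.cups.plist",
    "com.apple.env.plist",
}
REPORTED_BINARY = "cupsd"
SINKHOLED_DOMAIN = "corp-aapl.com"

# Assumption: where the genuine CUPS scheduler is installed on OS X.
LEGIT_CUPSD_PATHS = {"/usr/sbin/cupsd"}

Finding = namedtuple("Finding", "kind detail")


def check_plist_paths(paths):
    """Flag files whose basename is one of the reported plist names.

    `paths` is an iterable of absolute file paths, e.g. gathered with
    os.walk over ~/Library/LaunchAgents and /Library/LaunchDaemons."""
    return [Finding("plist", p) for p in paths
            if os.path.basename(p) in REPORTED_PLISTS]


def check_process_list(ps_lines):
    """Flag a running 'cupsd' whose executable is not the system one.

    `ps_lines` are shaped like `ps -axo pid=,command=` output:
    '<pid> <executable> [args...]'."""
    findings = []
    for line in ps_lines:
        m = re.match(r"\s*(\d+)\s+(\S+)", line)
        if not m:
            continue
        pid, exe = m.groups()
        if os.path.basename(exe) == REPORTED_BINARY and exe not in LEGIT_CUPSD_PATHS:
            findings.append(Finding("process", f"pid {pid} runs {exe}"))
    return findings


def check_connections(conn_lines):
    """Flag connections whose remote host is the sinkholed domain.

    Each line is a constructed '<pid> <program> <remote_host:port>' record,
    the kind of thing one would assemble from resolved lsof -i output."""
    findings = []
    for line in conn_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host = parts[2].rsplit(":", 1)[0]
        if host == SINKHOLED_DOMAIN or host.endswith("." + SINKHOLED_DOMAIN):
            findings.append(Finding("network", line.strip()))
    return findings


# Constructed sample data (placeholders, not real artefacts).
SAMPLE_PLISTS = [
    "/Users/alice/Library/LaunchAgents/com.apple.cupsd.plist",
    "/Library/LaunchDaemons/com.apple.env.plist",
    "/Users/alice/Library/LaunchAgents/com.example.updater.plist",
]
SAMPLE_PS = [
    "   57 /usr/sbin/cupsd -l",                       # genuine CUPS scheduler
    "  812 /Users/alice/Library/Printers/cupsd",     # placeholder rogue path
    "  900 /usr/bin/perl -e 1",
]
SAMPLE_CONNS = [
    "812 cupsd corp-aapl.com:443",
    "57 cupsd 10.0.0.23:631",
]


def scan(plist_paths, ps_lines, conn_lines):
    """Run all three checks and return the combined list of findings."""
    return (check_plist_paths(plist_paths)
            + check_process_list(ps_lines)
            + check_connections(conn_lines))


if __name__ == "__main__":
    for f in scan(SAMPLE_PLISTS, SAMPLE_PS, SAMPLE_CONNS):
        print(f"[{f.kind}] {f.detail}")
```

Note that the process check deliberately keys on the executable path rather than the name: a legitimate cupsd will also show network connections to printers, which is exactly the camouflage the post describes, so the name alone is not an indicator.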

All Comments

By Ethan
at 2013-02-22T19:12
Does denying corp-aapl.com help at all?
By Emma
at 2013-02-23T00:06
Of course not...
