x404.co.uk http://www.x404.co.uk/forum/
another OS X trojan in wild http://www.x404.co.uk/forum/viewtopic.php?f=19&t=13352
Author: big_D [ Thu Apr 14, 2011 11:54 am ]
Post subject: another OS X trojan in wild
Black Hole RAT (RAT stands for remote access trojan) has been around since the middle of Feb, but is now in the wild - mainly through infected software on popular download sites.
It is similar to a Windows trojan, called darkComet, but the author of Black Hole RAT (or MusMinim as Sophos calls it) denies any relationship to the Windows trojan. The trojan can:
Sophos clicky
Heise.de clicky (German)
Edit: heise security clicky (English)
The author calls it a "beta", with limited functionality, but the program is being updated with more features... Interestingly, the trojan is written in RealBASIC for OS X. The current copy of Heise's "c't" magazine covers a more detailed piece on the trojan, but that content is not available on their website, until the next issue is published.
Author: HeatherKay [ Thu Apr 14, 2011 12:19 pm ]
Post subject: Re: another OS X trojan in wild
Interesting. If it made it here, my first action would be to unplug from the internet... What I'd do then, I'm not certain. Thankfully, I tend not to download from sites I don't already trust, though that's not a guarantee of immunity. I guess the time is approaching when the Mac OS will require some kind of AV. Still, a decade without it so far is worthy of note.
Author: paulzolo [ Thu Apr 14, 2011 12:21 pm ]
Post subject: Re: another OS X trojan in wild
I’ve been running ClamXav on mine for a while. Nothing flagged to date. Giving Sophos Home Edition a spin - it’s scanning everything.
Author: MrStevenRogers [ Thu Apr 14, 2011 9:11 pm ]
Post subject: Re: another OS X trojan in wild
I have run ClamXav for some time and have it looking at the download folder; any infected downloads are auto-deleted. I also scan the home folder the first Sunday of every month. As of yet no threats have been found on the home folder, but I have had a couple of downloads deleted ...
Author: big_D [ Fri Apr 15, 2011 4:19 am ]
Post subject: Re: another OS X trojan in wild
How many times a day do ClamAV release new definitions? They used to be pretty bad, only offering a couple of updates a week, but I couldn't find anything about their definition update policy on their website; looking at the virus db, it looks like daily updates. It is funny, a couple of years ago, companies were panned because they didn't offer daily updates; now the AV software is considered useless unless it gets updates at least every 2 hours. The last test in the German Chip magazine gave its detection performance as 4,6, "Mangelhaft" (inadequate or dysfunctional).
@ Heather, a reputable site is no guarantee. The New York Times was caught distributing a keylogger last year, as were several other high profile web sites, through specially crafted adverts slipped into their advertising networks. Likewise, the massive SQL Injection vulnerabilities last month (hundreds of thousands of sites affected) would allow attackers to put malicious code and links on a site, including downloading malware through a perfectly legitimate site. You, unfortunately, can't be too careful these days.
Author: jonbwfc [ Fri Apr 15, 2011 7:04 am ]
Post subject: Re: another OS X trojan in wild
Might be worth checking if the security update Apple issued last night blocked this nasty.
Jon
Author: HeatherKay [ Fri Apr 15, 2011 7:27 am ]
Post subject: Re: another OS X trojan in wild
http://support.apple.com/kb/HT4608
Author: big_D [ Fri Apr 15, 2011 7:29 am ]
Post subject: Re: another OS X trojan in wild
As Heather's post shows, this is a fix for a 3 month old actively exploited man-in-the-middle attack. The update doesn't do anything to protect against the trojan. Patching the OS to recognise an exploit also isn't a long term solution; as exploits for OS X gain in popularity, Apple would have to release a couple of hundred patches a day to stay on top of the situation.
Edit: Sorry, that is a fix for some fraudulent certificates. The general SSL man-in-the-middle vulnerability hasn't been addressed.
Author: jonbwfc [ Fri Apr 15, 2011 9:19 am ]
Post subject: Re: another OS X trojan in wild
I'm afraid I find your post a little self-contradictory. You seem to be saying that OS patching to block exploits is a futile activity, then are complaining that a particular exploit hasn't been patched yet. The idea that an OS would need 'hundreds of patches a day' is patently false - that would only be the case if hundreds of different exploits a day were being found. It may possibly be that there could be hundreds of pieces of malware, but that doesn't mean each one would require an individual OS patch, if that's the approach you decided to take. Many malwares exploit the same security hole, or at least fall back through several known security holes. Removing one or two vulnerabilities might render hundreds of pieces of malware inert. In any case, the best barrier for trojans is always an educated, careful user.
Jon
Author: big_D [ Fri Apr 15, 2011 11:41 am ]
Post subject: Re: another OS X trojan in wild
Blocking malware and patching for exploits are 2 totally different things. The Comodo update protects the system against a security breach. The trojan, on the other hand, doesn't use any exploits. It just needs to be mistakenly downloaded and run, probably by a user who thought they were downloading a legitimate app from a legitimate site. These sorts of malware appear by the thousand every week. OS X users have been lucky so far, with the number of malware programs in the wild still in double digits. If Apple patched the OS to recognise such malware, they would need to release a new patch every time a new piece of malware appeared. That is why good AV software uses heuristics and doesn't rely solely on its signature database.
Author: MrStevenRogers [ Fri Apr 15, 2011 12:16 pm ]
Post subject: Re: another OS X trojan in wild
I thought it just was me, some time ago, banging on about AV for OS X ...
All times are UTC