New Mac OS X Botnet uses Reddit's Search function to get CNC servers list


Security Researchers at Russian Antivirus company Dr.Web have published
details of a new botnet that targets Mac OS X.

What is very interesting is that this malware uses Reddit's search function to acquire the command-and-control (C&C) server list from comments posted in a 'Mine Craft Server Lists' subreddit.

The malware calculates the MD5 hash of the current date and uses the first 8 bytes of that hash as the Reddit search term. The matching comments contain the server IP addresses together with their port numbers.
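To make the lookup concrete, here is a small added script (not Dr.Web's code and not taken from the page) that reproduces the two steps above from a defender's side: derive the day's expected search term, and pull `IP:port` pairs out of a comment so they can be added to a blocklist. The date format hashed by the malware is not stated on this page, so `%Y-%m-%d` and "first 8 hex characters of the digest" are assumptions, exposed as parameters; the sample comment is constructed and uses documentation-only IP ranges.

```python
import hashlib
import re
from datetime import date

# Assumption: the malware hashes the date as YYYY-MM-DD and keeps the first
# 8 hex characters of the MD5 digest. Adjust fmt/length to match the real sample.
def search_token(day: date, fmt: str = "%Y-%m-%d", length: int = 8) -> str:
    """Search term a defender would expect the bot to query on a given day."""
    digest = hashlib.md5(day.strftime(fmt).encode("ascii")).hexdigest()
    return digest[:length]

# Matches dotted-quad IPv4 followed by ':' and a port; validation is done below.
IP_PORT = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")

def extract_servers(comment: str) -> list[tuple[str, int]]:
    """Extract well-formed IP:port pairs from a comment body (for a blocklist)."""
    servers = []
    for ip, port in IP_PORT.findall(comment):
        octets_ok = all(int(o) <= 255 for o in ip.split("."))
        port_num = int(port)
        if octets_ok and 0 < port_num <= 65535:
            servers.append((ip, port_num))
    return servers

# Constructed sample comment; the addresses are from RFC 5737 documentation ranges.
SAMPLE_COMMENT = (
    "great servers: 198.51.100.7:8080 and 203.0.113.9:443 "
    "(ignore 999.1.1.1:80 and 192.0.2.1:70000, they are junk)"
)

if __name__ == "__main__":
    print("today's expected token:", search_token(date.today()))
    print("servers in sample comment:", extract_servers(SAMPLE_COMMENT))
```

Run it daily and search Reddit for the printed token; any comment that yields pairs from `extract_servers` is a candidate C&C listing worth feeding into egress filtering.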

The malware, dubbed 'iWorm', has reportedly infected more than 17,000 Mac computers, 4,610 of which are in the US.

The Reddit account used by the cyber criminals appears to have been removed. However, that will not stop the bad guys from controlling their botnet: they can simply create a new account or switch to another online service.

StealthBit: New malware targeting Apple Mac OS X steals Bitcoins

A new Trojan horse targeting Apple Mac OS X spies on users' web traffic and attempts to steal Bitcoins. SecureMac says the malware, referred to as "OSX/CoinThief.A", has been found in the wild. Several users have reported that their Bitcoins were stolen.

The malware was hosted on GitHub under the name "StealthBit", disguised as an app for sending and receiving payments to Bitcoin Stealth Addresses. A link to the project had also been posted on Reddit, inviting users to download the app, and it was upvoted by 100 people.

The project contained source code as well as a pre-compiled binary. Researchers say the binary did not match a build produced from the source code. Those who installed the pre-compiled version of the app are likely infected by this malware.

One Reddit user reported that 20 of his Bitcoins (currently worth around $10k) were stolen by this malicious app.

"I foolishly installed 'StealthBit' Anyone else find this to be a virus? The Post is still online.. I found 1 comment suggesting the possibility. https://pay.reddit.com/r/Bitcoin/comments/1wqljr/i_was_bored_so_i_made_bitcoin_stealth_addresses/", the user posted on Reddit.

When the app is run for the first time, it installs browser extensions for Safari and Google Chrome and continually runs a background program that looks for Bitcoin wallet login credentials. The malware then exfiltrates the Bitcoin login credentials, the username and a unique identifier of the infected Mac.

At the time of writing, the malicious project has been removed from GitHub.

It appears this is not the first time Mac users have been fooled by such malicious apps. One user shared his experience of being scammed by a similar app called "Bitvanity", also hosted on GitHub, which stole 20 BTC from his account.

The user also pointed out an interesting connection between the two projects: "StealthBit" was hosted by "Thomas Revor" and "Bitvanity" was hosted by "Trevorscool".

New Mac Malware 'Janicab' abuses RLO character to hide real extension

A new Mac malware has been spotted by F-Secure researchers. It is capable of continuously taking screenshots and recording audio, and of uploading them to a remote server.

What's interesting about this Mac malware is that it abuses the Right-to-Left Override (RLO) character to hide its real extension. The technique itself is not new: Windows malware such as Bredolab and other trojans have used it before.

The RLO character (U+202E in Unicode) is designed to support languages that are written right to left, such as Arabic and Hebrew.

The malware analyzed by F-Secure uses "RecentNews.ppa.pdf" as the displayed file name of the malicious file. Judging by the visible extension, you might think it is just a PDF file, but in reality you are opening an executable .app bundle.

Because of the RLO character in the malicious file name, the usual OS X file quarantine notification is rendered backwards.
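The display trick described above can be checked for programmatically. The following script is an added example (not F-Secure's code and not from the original article): it lists any Unicode bidirectional control characters in a file name, reports the extension the operating system actually sees, and gives a rough model of how a name containing a single RLO is drawn. The sample name is constructed to follow the pattern the article describes; `approximate_display` only models the simple Latin-letter case and is not a full bidi algorithm.

```python
import os
import unicodedata

# Unicode bidirectional control characters that can reorder how a name is drawn.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200E", "\u200F",                                # LRM, RLM
}

def find_bidi_controls(name: str) -> list[tuple[int, str, str]]:
    """Return (index, 'U+XXXX', Unicode name) for every bidi control in the name."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch))
        for i, ch in enumerate(name)
        if ch in BIDI_CONTROLS
    ]

def true_extension(name: str) -> str:
    """Extension as the OS sees it: display-only control characters are ignored."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(cleaned)[1].lower()

def approximate_display(name: str) -> str:
    """Rough model of rendering with one RLO: everything after the override is
    drawn right-to-left, which for plain Latin text means reversed."""
    if "\u202E" not in name:
        return name
    head, _, tail = name.partition("\u202E")
    tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
    return head + tail[::-1]

# Constructed sample modelled on the article: stored as "RecentNews.<RLO>fdp.app".
SAMPLE_NAME = "RecentNews.\u202Efdp.app"

if __name__ == "__main__":
    print("controls found:", find_bidi_controls(SAMPLE_NAME))
    print("shown to the user as:", approximate_display(SAMPLE_NAME))
    print("actually opens as:", true_extension(SAMPLE_NAME))
```

In a mail gateway or download scanner, a non-empty result from `find_bidi_controls` on a file name is a strong signal on its own, regardless of what the true extension turns out to be.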

[Image: file quarantine notification. Image credit: F-Secure]

The notification actually reads: "RecentNews. Are you sure you want to open fdp " is an application downloaded it" from Internet."

Once launched, the malware displays a decoy document while it silently installs malicious code on the victim's computer.

According to the F-Secure malware report, the threat is written in Python, uses py2app for distribution and is signed with an Apple Developer ID.

Python-based malware exploits Java vulnerability, targets Mac & Windows


Sophos security researchers have identified a new malware that is targeting both Mac and Windows computers, exploiting the infamous Java security vulnerability that allowed the Flashback botnet to commandeer 600,000 Macs.

When a user visits a compromised web page, the page exploits the Java vulnerability to download the malicious software onto their computer.

Depending on the operating system, it downloads different malicious files. Sophos detects the file downloaded on Windows as Mal/Cleaman-B and the file downloaded on Mac OS X as OSX/FlsplyDp-A.

Once it has infected the system, it fetches further malicious code: on Windows it downloads the Troj/FlsplyBD-A backdoor Trojan, and on Mac OS X it decrypts a Python script called update.py (extracted from install_flash_player.py).

"This Python script acts as a Mac OS X backdoor, allowing remote hackers to secretly send commands, uploading code to the computer, stealing files and running commands without the user's knowledge," the researchers said.


Security Tips:
  • Are you still running an unpatched version of Java? It is time to update it. Do it quickly, before you fall victim to this infection.
  • Not only Java: keep all your software up to date.
  • Install a security solution.

600,000+ Mac computers are infected with BackDoor.Flashback botnet


Research conducted by Dr.Web, a Russian anti-virus firm, determined that more than 600,000 Mac computers are infected with the BackDoor.Flashback botnet; most of the infected systems are located in the U.S. and Canada.

On April 2, F-Secure spotted a new Flashback variant exploiting CVE-2012-0507 (a Java vulnerability; Oracle had released an update that patched it back in February… for Windows). On April 3, Apple issued a patch for the six-week-old flaw with an update to Java 6 update 31. Unfortunately, the malware was already spreading in the wild.

The exploit downloads an executable file onto the victim's system; that file is then used to fetch the malicious payload from a remote server and launch it.

Security experts recommend that Mac users download and install the security update released by Apple at support.apple.com/kb/HT5228 to prevent infection of their systems by BackDoor.Flashback.39.
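Both Flashback pieces above come down to one check: is the installed Java at or beyond Java 6 update 31, the level the article names for Apple's fix? The script below is an added example (not Apple's, Dr.Web's or F-Secure's code) that parses the output of `java -version` and compares the family and update number against that threshold. It understands the legacy `1.6.0_31` form used at the time as well as the modern `11.0.2` form; the sample strings are constructed.

```python
import re
import subprocess

# Matches both 'java version "1.6.0_31"' and 'openjdk version "11.0.2"'.
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

def parse_java_version(output: str):
    """Return (family, update) parsed from `java -version` output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    major, minor, micro = int(major), int(minor), int(micro)
    if major == 1:                       # legacy scheme: "1.6.0_31" -> family 6, update 31
        return (minor, int(update) if update else 0)
    return (major, micro)                # modern scheme: "11.0.2" -> family 11, update 2

def is_patched(version, required=(6, 31)) -> bool:
    """True if the parsed version is at least the required (family, update).
    Tuples compare lexicographically, so (7, 4) >= (6, 31) holds as intended."""
    return version is not None and version >= required

def installed_java_version():
    """Run `java -version` (it prints to stderr) and parse it; None if no Java."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_java_version(proc.stderr + proc.stdout)

# Constructed sample outputs, modelled on the format Java used at the time.
SAMPLE_OLD = 'java version "1.6.0_29"\nJava(TM) SE Runtime Environment (build 1.6.0_29-b11-402)\n'
SAMPLE_FIXED = 'java version "1.6.0_31"\nJava(TM) SE Runtime Environment (build 1.6.0_31-b04-415)\n'

if __name__ == "__main__":
    v = installed_java_version()
    print("installed:", v, "patched against CVE-2012-0507 level:", is_patched(v))
```

A machine with no Java at all reports `None`, which `is_patched` treats as not patched; for this check that is the safe default, since the tool cannot tell a missing runtime from an unparsable one.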

Flashback Mac Trojan exploits Java vulnerability or uses Social Engineering Attack

Security firm Intego is warning about a new version of Flashback Trojan that aims to steal victim's online banking details.

This new Trojan tries to exploit one of two Java vulnerabilities in order to infect the Mac user's system. If those vulnerabilities are patched and the system has an up-to-date version of Java, it instead tries to trick users into accepting a fake digital certificate (a social engineering attack).

In order to avoid detection, Flashback.G will not install if VirusBarrier X6 is present, or if a number of other security programs are installed on the Mac. It seems the malware writers feel it is best to avoid Macs where the malware might be detected, and to focus on the many that aren't protected.

"Flashback.G injects code into web browsers and other applications that access a network, and in many cases causes them to crash. It installs itself in an invisible file in the /Users/Shared folder, and this file can bear many names, but with a .so extension," Intego wrote on its security blog.
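The installation location Intego describes is specific enough to check for. The script below is an added example (not Intego's code and not from the article): it scans a directory for files that are both invisible (dot-prefixed, or carrying the macOS `UF_HIDDEN` flag) and carry a `.so` extension, which is the pattern quoted above. `demo()` builds a throwaway directory with constructed, harmless files so the logic can be exercised without any real sample; the file names in it are made up.

```python
import stat
import tempfile
from pathlib import Path

# Python's stat module defines UF_HIDDEN on platforms that have it; fall back to
# the BSD value so the code still runs elsewhere.
UF_HIDDEN = getattr(stat, "UF_HIDDEN", 0x8000)

def is_invisible(path: Path) -> bool:
    """Dot-prefixed names are hidden in Finder; on macOS the UF_HIDDEN flag hides
    a file as well. st_flags only exists on BSD-derived systems, hence getattr."""
    if path.name.startswith("."):
        return True
    flags = getattr(path.stat(), "st_flags", 0)
    return bool(flags & UF_HIDDEN)

def find_hidden_shared_objects(directory: str) -> list[str]:
    """Names of invisible '.so' files directly under directory, sorted."""
    root = Path(directory)
    if not root.is_dir():
        return []
    return sorted(
        entry.name
        for entry in root.iterdir()
        if entry.is_file() and entry.suffix == ".so" and is_invisible(entry)
    )

def demo() -> list[str]:
    """Populate a constructed directory (harmless text files, made-up names) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in (".libxyz.so", "visible.so", ".hidden.txt", "README"):
            Path(tmp, name).write_bytes(b"constructed sample, not malware\n")
        return find_hidden_shared_objects(tmp)

if __name__ == "__main__":
    # The path the article names; on a non-Mac this simply returns [].
    print("suspicious files in /Users/Shared:", find_hidden_shared_objects("/Users/Shared"))
    print("demo run:", demo())
```

A hit is only an indicator: confirm it by checking the file's signature with an up-to-date scanner before removing anything, since a legitimate shared object could in principle live there too.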

The goal of this malware appears to be to steal usernames and passwords for high-value sites such as bank websites, PayPal and others. Intego said the malicious code injected into running applications makes them unstable, and they often crash.

Security Tips:
  • Update your Java to the latest version.
  • Intego says many Macs are getting infected through the social engineering trick of a bogus certificate purporting to be signed by Apple, as shown in the screenshot above. If you see this, don't trust it, and cancel the process.
  • Install Intego VirusBarrier X6 (it detects all other variants of this Trojan).