PintSized.A mac OS X malware, Java vulnerability, etc.
Ref:- URL:- http://reviews.cnet.com/8301-13727_7-57570100-263/new-mac-malware-opens-secure-reverse-shell/
New Mac malware opens secure reverse shell
New malware for OS X is making the rounds in security circles, called "Pintsized," but has not yet been determined to be much of a threat.
by Topher Kessler February 19, 2013 11:48 AM PST
A new backdoor Trojan for OS X is making the rounds, attempting to set up a secure connection for a remote hacker to connect through and grab private information.
The malware, dubbed "Pintsized" by Intego, is suspected of using a modified implementation of OpenSSH to set up a reverse shell that creates a secure connection to a remote server.
The use of an encrypted connection makes it more difficult to detect and trace, especially since it uses the common SSH protocol. In addition, the malware attempts to hide itself by disguising its files to look like components of the OS X printing system, specifically the following:
- com.apple.cocoa.plist
- cupsd (Mach-O binary)
- com.apple.cupsd.plist
- com.apple.cups.plist
- com.apple.env.plist
Intego does not state where these files are placed in the OS, but as with prior OS X malware, the threat needs a way to launch automatically whenever the system starts or a user logs in, which on OS X means the various launch agent and launch daemon directories. Launch agents use a property list (plist) structure and can target a binary executable (such as the "cupsd" file mentioned above) to keep it running on the system at all times.
Therefore, to check for this malware, open the following directories in the system to check for the presence of any of the above files:
- /System/Library/LaunchDaemons
- /System/Library/LaunchAgents
- /Library/LaunchDaemons
- /Library/LaunchAgents
- ~/Library/LaunchAgents
NOTE: You can highlight each folder path above individually, right-click the selection, and choose "Open" from the Services contextual submenu to open it in the Finder.
Because malware developers use these folders as a means of running their malware in OS X, one easy way to detect any misuse of them is to set up an alert that will notify you whenever files are added to them. I outlined how to do this with tools and services that are included in OS X, and the Luxembourg CIRCL subsequently developed a standalone installer that sets up a similar monitoring routine.
In addition to monitoring these folders, you can also install a reverse firewall like Little Snitch, which will notify you whenever a program attempts to make a connection to a remote server.
Currently it is unknown how the malware initiates its attack, whether it uses a previously documented vulnerability or one that is yet to be disclosed; however, the malware is not known to be widespread and is primarily being discussed on various security mailing lists. Nevertheless, by checking for the presence of the above files in the system's Launch Agent and Launch Daemon folders you should be able to determine if your system is free of it.
Please see these methods:-
Monitor OS X LaunchAgents folders to help prevent malware attacks
While malware scanners can detect threats once definitions for them are available, you can monitor or lock your system's LaunchAgents folders to more proactively prevent attacks on your system.
Recently the Mac platform has been hit with a few malware attacks, the most notable being the Flashback malware. The same vulnerabilities that this and others have used are now cropping up in other malware as well. These include yesterday's news of the SabPab malware and its MacKontrol variant, and also the Olyx malware that is a variant of the Tibet malware we previously discussed.
Some of these attacks are targeted for specific groups in China or Tibet, but others like Flashback are more widespread and have targeted as many Mac systems as possible, by exploiting vulnerabilities in the system when browsing Web pages and posing as fake Flash installer applications.
The LaunchAgents folders may contain numerous launcher files for various system and application processes such as scheduled updater routines, but have also been used by malware developers to launch their criminal activity. (Credit: Screenshot by Topher Kessler/CNET)
Despite this wave of malware and the variants of each that have followed, most of these attacks have one thing in common: they use Launch Agent scripts for at least one stage of their attacks.
The LaunchAgents folders (and their paired LaunchDaemons folder for managing service processes) are locations that contain scripts to automatically manage system processes. For instance, Apple uses one of these scripts to schedule the "backupd" process for Time Machine, and have it create backups every hour.
Most of the time developers use these scripts as components to their programs, but they can also be used for your own customizations. Recently I discussed how to do this for automatically changing Safari's downloads folder whenever an external drive is attached to the system.
There are three LaunchAgent folders in an OS X installation. The first is in your user account's Library, and the scripts in it are loaded when you log in. The others are in the global Library and System/Library folders, and are loaded when the system boots.
Launch agent files are XML files containing a list of properties, whose basic anatomy is as follows:
The most important component of the launch agent file is the "ProgramArguments" or "Program" key, which shows where the executable file is located that the launch agent is targeting. (Credit: Screenshot by Topher Kessler/CNET)
Each agent file contains a list of keys followed by their values. The keys and values in the file will differ depending on the agent's uses, but the main components are those outlined in the red squares. These are the process Label, and the Program Arguments (sometimes called simply "Program"), which are the name of the script as it appears to the launcher, and the executable file that is being managed by the script. The rest of the agent file contains other conditional elements for running the specified program, such as the "StartInterval" key here which tells the system launcher to run this program every 3523 seconds.
In many of the recent malware attacks on OS X, this Launch Agent structure is being used to initially load the malware and infect Mac systems. The malware exploits the user or a system vulnerability and places an executable file on the system (usually within the user account). The malware then places a launch agent file in the username/Library/LaunchAgents/ folder, which targets the malicious executable and continually launches it. In some instances the targeted executable is the malware that attempts to steal personal information, but at other times this is only the initial phase and the malware then downloads and installs additional components that are harder to detect.
While malware variants might use different names for files and the locations of where they put them, most to date have used one of the system's various LaunchAgents folders (generally the one in the user account) as a starting point for their malware. As a result, we can also use these folders to help proactively detect and prevent such malware intrusions.
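The directory check from the first article and the plist anatomy described above, combined into one scanner as an added example (not code from CNET, Intego, or Apple). It assumes only the Python standard library; the sample plist and its label and path are constructed, and a real run on a Mac simply walks the folders listed in the article.

```python
"""Scan the OS X launchd folders named in the article and summarise each plist."""
import os
import plistlib

# Folders the article tells the reader to check.
LAUNCH_DIRS = [
    "/System/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]

# File names Intego reported for OSX/Pintsized.A (disguised as CUPS printing parts).
PINTSIZED_NAMES = {
    "com.apple.cocoa.plist", "cupsd", "com.apple.cupsd.plist",
    "com.apple.cups.plist", "com.apple.env.plist",
}

# Constructed sample (hypothetical label and path) showing the anatomy the
# article describes: Label, ProgramArguments and a StartInterval of 3523 seconds.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/someone/Library/.hidden/updater</string></array>
  <key>StartInterval</key><integer>3523</integer>
</dict></plist>
"""


def describe_plist(data):
    """Return (label, executable, start_interval) parsed from raw plist bytes."""
    plist = plistlib.loads(data)
    args = plist.get("ProgramArguments") or []
    # Program wins if present, else the first ProgramArguments element is the target.
    program = plist.get("Program") or (args[0] if args else None)
    return plist.get("Label"), program, plist.get("StartInterval")


def scan_launch_dirs(dirs=LAUNCH_DIRS, names=PINTSIZED_NAMES):
    """One finding dict per file in the folders that exist; 'ioc' flags Pintsized names."""
    findings = []
    for folder in dirs:
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            finding = {"path": path, "ioc": name in names}
            if name.endswith(".plist"):
                try:  # record what the agent would run so unfamiliar entries stand out
                    with open(path, "rb") as fh:
                        label, program, _ = describe_plist(fh.read())
                    finding.update(label=label, program=program)
                except Exception as exc:  # binary garbage or malformed XML
                    finding["error"] = str(exc)
            findings.append(finding)
    return findings
```

Any finding with "ioc" set, or whose program path points into a hidden or user-writable location you did not install yourself, is the entry the article says to open and inspect.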
Checking this box in the AppleScript Editor utility will add the script menu to the menu bar. (Credit: Screenshot by Topher Kessler/CNET)
There are two options available for doing this:
Set up a Folder Actions notification
In OS X you can monitor folders using Folder Actions, which link AppleScripts to folders on the system so that the scripts run whenever the folders change. While developing such a script might be difficult for some users, Apple offers a built-in example script that issues a notice whenever an item is added to a folder:
1. Enable the AppleScript menu: Go to the /Applications/Utilities/ folder and open the program called AppleScript Editor. In the preferences for this application, check the box to "Show Script Menu in menu bar." The resulting menu will be shown next to the battery life, date, and Wi-Fi indicators on the right-hand side of your menu bar.
Use the "add - new item alert" script as the script to append to the Launch Agents folders. (Credit: Screenshot by Topher Kessler/CNET)
2. Enable Folder Actions: In this menu go to "Folder Actions," where you will see a link to the Folder Actions Setup utility, which can be used to configure your various folder action scripts. You can use either this utility or the "Enable Folder Actions" script in the same menu to enable folder actions on the system.
3. Add a new-item folder action: In the Folder Actions submenu, select the Attach Script to Folder option, then choose the "add - new item alert" option from the list of scripts that appears. Click Choose and then select the folder to which you want to apply the action.
In this case, go to the username/Library/ folder, select the LaunchAgents folder, and click the Open button. In OS X Lion you will not see the Library folder by default, so first go to the Finder's Go menu, hold the Option key, and select Library. Then drag the Library folder to the Finder sidebar, and it will become available in the sidebar of the Open dialog.
The Folder Actions Setup utility can be used to configure the scripts that are bound to each folder. (Credit: Screenshot by Topher Kessler/CNET)
This alert will show when an item is placed in any of the monitored folders, and clicking Yes will open the folder and present the item to you. (Credit: Screenshot by Topher Kessler/CNET)
Repeat step 3 for the following folders on the system:
- /Library/LaunchAgents
- /Library/LaunchDaemons
- /System/Library/LaunchAgents
- /System/Library/LaunchDaemons
- username/Library/LaunchAgents
You can check the results of this procedure by using the Folder Actions Setup utility, which is available in the new scripts menu and which will list the folder actions that you have bound to each of these folders. Some people may find this utility more intuitive than using the scripts in the menu to configure each folder.
To use this utility, select a folder in the left column and you will see the scripts that are bound to it listed in the right column. If there are no scripts listed for a folder then you can add them by clicking the plus button under the right-hand column. With this utility, you can add each of the aforementioned folders and then associate the "new item alert" script to them.
When this is done, adding a file to any of these folders will result in an alert, and if you click OK the system will display the file in the Finder. You can then open the file in TextEdit to see its contents (specifically check the "ProgramArguments" string), or otherwise investigate it to determine if it is legitimate or part of a malware package.
For the most part, files should only be added to these folders when you purposefully install a program or create your own launch agents for custom purposes, so if you unexpectedly see this script run and display a new launch agent, be suspicious.
If you find a suspect LaunchAgent file suddenly appear on your system, then immediately move the file to the Trash and then restart the system. This will clear it from the system launchers and prevent it from being automatically loaded. You can then remove the file from the trash to investigate it further, if needed.
Check this box to lock the launch agent folder and prevent any additional files from being added to it. (Credit: Screenshot by Topher Kessler/CNET)
Lock the LaunchAgent folders
In addition to setting up a Folder Actions script, you can lock the LaunchAgents folder to block all changes to it. OS X supports a file and folder locking flag that, when set, overrides permissions settings and prevents any modification to the file or folder. To do this, get information on the item of interest and check the "Locked" check box. If you lock the LaunchAgents folder in your user account, no program or process will be permitted to alter it, which prevents any unwarranted additions to the folder.
Locking the LaunchAgents folder has its benefits, but be aware that in some instances it may cause problems. If you add new programs that include LaunchAgent scripts for your user account, you may see errors when you try to install or run them; however, this will only happen while installing the programs. Once your programs are all installed and set up, you should be able to lock the LaunchAgents folder without any problems.
These actions to monitor or lock the LaunchAgents folders should help prevent malware attacks by blocking an easy means for malware to be automatically run. While some people may prefer to rely on a malware scanner like ClamXav, Sophos, or VirusBarrier, these tools first require proper definitions to be available in order to identify and remove malicious files.
Unfortunately sometimes these definitions take a while to be updated, as we have seen with the recent SabPub malware that has apparently been around for over a month and avoided the radar because of the attention the Flashback malware was receiving. Therefore, monitoring the LaunchAgents folders is an easy way to help proactively guard against future malware breakouts that use these as a means of attacking the system.
Apple issues Java update after security breach
The company releases a new security update for Java after its employees' computers are hacked.
Following recent security breaches that led to computers at Apple and other companies being compromised, Apple has issued an update for Java on OS X to close the hole.
The update went live this afternoon through Apple's Software Update service, which can be accessed from the Apple menu, and is also available as a standalone update for OS X Snow Leopard or later from the following locations:
According to the update's release notes, it will disable all versions of Java that are supplied by Apple and will encourage users who need Java to download the latest version from Oracle.
Pint-Sized Backdoor for OS X Discovered
Posted on February 18th, 2013 by Lysa Myers
Updated February 19, 2013 to include more information
A new backdoor which affects OS X has been announced to an AV industry mailing list. Details are fairly limited right now, and the components we have indicate a fairly small, simplistic but efficient threat. It’s believed that this was a targeted attack, perhaps dropped by an exploit. At the time of writing, all of the network components have been sinkholed so it’s unable to receive commands.
From what we’ve seen, this threat likely starts with an exploit to get it past Gatekeeper. Once on a system, it sets up a reverse shell. That is to say, rather than announcing to the controller that the machine is infected (because the machine has been targeted and they already know where it is), the controller periodically contacts the infected machine to perform commands. Initiating the contact from outside the affected machine potentially helps it get past firewalls. This part of the threat consists of clear text Perl scripts, which means it’s fairly easy to spot if someone knows what to look for.
So that’s where the second part of this threat comes in. The binary component uses a modified version of existing tools (namely OpenSSH 6.0p1) for creating a secure connection to encrypt the traffic so that it is much better hidden. The tool is further hidden by placing the file in a directory that is usually used for printing, so that if anyone sees a list of processes contacting the network, it will appear as if the affected machine is simply printing from a networked printer. This version of the tool also has been modified so that it will not save a log of its command histories.
The threat encrypts traffic with the command and control channel by use of an RSA key.
The filenames as they were reported are:
- cupsd (Mach-O binary)
One of the (sinkholed) network addresses that the threat contacts is “corp-aapl.com.” It’s been noted that this is a misspelling of Apple, but it is the stock symbol for Apple.
Intego VirusBarrier users with up-to-date virus definitions will detect the backdoor as OSX/Pintsized.A. At the time of writing, XProtect does not protect against this threat.
relevant to the above
According to Intego, PintSized.A malware is trying to exploit Gatekeeper. (See text above from Intego)
Will keep you informed if I get any info from CNET about the Xprotect updates.
But currently there is none!
So the only update is the Java.
Apple have been hacked with Java exploits.
So do the update now for your Java.
The only source to check is via the Apple Security Updates.
See the link below.
At the moment only Intego, ESET, McAfee and Norton detect this malware.
Apple have been Hacked!
See F-Secure Weblog for details dated 22 Feb 2013, 20 Feb 2013, 19 Feb 2013 and 18 Feb 2013.
If you run F-Secure Antivirus for Mac then you are covered. See posting below.
However, XProtect still does not detect the malware at this time.
ClamAV or ClamXav should be able to detect PintSized malware.
Please refer to this site.
ClamAV detects both variants:
daily.cvd OSX.Trojan.Pintsized
daily.cvd OSX.Trojan.Pintsized-1
Reference URL:- http://reviews.cnet.com/8301-13727_7-57573918-263/pintsized-malware-bypassed-gatekeeper-to-affect-tech-companies/
Check F-Secure Weblog for Adobe Flash details.
'Pintsized' malware bypassed GateKeeper to affect tech companies
Gatekeeper exploit in part adds to debate over the necessity of security software for OS X.
March 12, 2013 2:24 PM PDT
New findings show the recent malware attack that affected employees of Facebook, Apple, and Twitter was able to do so in part by bypassing Apple's GateKeeper security system in OS X.
Gatekeeper is a new technology in OS X Mountain Lion that allows programs to execute only if they are properly signed or come from the Mac App Store. It works by blocking all execution and then setting up group-based rules to allow specific program types to run. For example, the default rule sets are for signed applications and those from the Mac App Store, but you can create your own to allow specific programs to run without warnings.
While this technology is intended to provide a layer of security against malware attacks, it apparently is not 100 percent successful. In the recent attacks where a threat by the name of "Pintsized" affected systems at Facebook, Twitter, and Apple itself, one aspect noted by security company Intego was the threat's ability to bypass Gatekeeper and then set up a reverse shell on affected systems in an effort to steal sensitive information.
When this malware was first discovered its ability to bypass Gatekeeper was suspected, but the matter was largely confined to security e-mail lists and other discussions; however, both Ars Technica and The Security Ledger are reporting that this aspect of the attack is likely what made it more effective and resulted in it affecting employees at tech companies.
The malware was otherwise spread using the classic tactic of compromised Web sites, which in this case discussed topics such as application development for Android systems. The fact that this effort was able to bypass Gatekeeper is a good reminder that even stringent security measures like Gatekeeper are not invulnerable, and the fact that it affected developers suggests that even those in the tech industry who are arguably quite computer savvy are vulnerable to attacks.
Granted, even with this latest attack the malware scene for OS X is not large, but it does add to the view that Mac users should consider security software for their systems. OS X has been relatively free of malware, and even counting these and prior attacks the need for security software is arguable, especially since some security software packages have historically been more of a problem than a benefit to users.
If you are concerned about malware and are wondering about the necessity of security software for OS X, then a good place to start for an understanding of how to protect yourself is Security Analyst Thomas Reed's Mac Malware Guide. Overall for most people this new development will not change anything, but only nudges the idea of anti-malware tools being a necessity a touch higher on the list of priorities.