Researchers at a conference in Norway have uncovered a new piece of OS X malware which attempts to present itself to systems as a signed and authorised application.
The malware, spotted on the system of a conventiongoer from Africa, is signed with an Apple Developer ID certificate, allowing the program to appear authorised and potentially bypass Apple's Gatekeeper security tool, whose default policy lets a downloaded application run only if it comes from the Mac App Store or carries a valid Developer ID signature.
According to researchers from F-Secure, the malware functions as a spyware and backdoor tool, sitting on an infected system and collecting data such as screenshots, which are stored on the compromised machine and later covertly transferred to a command and control server.
Additionally, the malware attempts to persist as a startup (login) item, displaying the name 'macs' in the Login Items list of the Users & Groups preference pane on OS X.
Experts are suggesting that the signature used in the attack was pulled from a legitimate application and re-purposed within the malware. SANS researcher Daniel Wesemann noted that the process for extracting an Apple Developer ID from another application is relatively simple and that such 'signed' malware may in fact be more common than first believed. One caveat for anyone triaging such a sample: a code signature is bound to the hash of the signed binary, so producing a validly signed copy of different code requires the developer's private signing key (or a Developer ID obtained directly from Apple), not merely the certificate copied out of a legitimately signed application. The useful evidence is therefore which identity and team ID signed the binary, since Apple can revoke that Developer ID and Gatekeeper will then reject it.
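The Gatekeeper and Developer ID points above, as an added example that is not code from the article, from F-Secure or from SANS: a Python triage helper that parses the output of Apple's `codesign` and `spctl` tools and reports which identity signed an application and whether Gatekeeper would accept it. The two sample outputs embedded in the block are constructed, and the "Example Developer (ABCDE12345)" identity is a placeholder, not the certificate seen on the real malware.

```python
"""Triage helper for a signed OS X application (added example, not the
article's or F-Secure's code).  It parses the text printed by
`codesign -dvvv --verbose=4 <app>` and
`spctl --assess --verbose=4 --type execute <app>` and answers the question
the story raises: who signed the binary, and would Gatekeeper let it run?
"""
import re
import shutil
import subprocess
import sys

# Constructed sample of codesign's output (it writes to stderr) for a
# Developer ID signed bundle.  Real output has more lines; these are the
# ones the parser uses.  The identity is a placeholder.
SAMPLE_CODESIGN = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.example
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=254 flags=0x0(none) hashes=6+3 location=embedded
Signature size=4237
Authority=Developer ID Application: Example Developer (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=1 Jan 2013 00:00:00
Info.plist entries=12
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=12 files=3
Internal requirements count=1 size=176
"""

# Constructed sample of spctl's verdict for the same bundle.
SAMPLE_SPCTL = """\
/Applications/Example.app: accepted
source=Developer ID
"""

CS_ADHOC = 0x2  # CodeDirectory flag set on ad-hoc (keyless) signatures


def parse_codesign(text):
    """Return identifier, team id, CodeDirectory flags and the certificate
    chain (leaf first) from codesign's key=value lines."""
    info = {"identifier": None, "team_id": None, "flags": None, "authorities": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Identifier":
            info["identifier"] = value.strip()
        elif key == "TeamIdentifier":
            info["team_id"] = value.strip()
        elif key == "Authority":
            info["authorities"].append(value.strip())
        elif key.startswith("CodeDirectory"):
            m = re.search(r"flags=(0x[0-9a-fA-F]+)", value)
            if m:
                info["flags"] = int(m.group(1), 16)
    return info


def classify_signer(info):
    """Classify the leaf certificate.  A Developer ID leaf satisfies the
    default Gatekeeper policy; it says nothing about the signer's intent."""
    if info["flags"] is not None and info["flags"] & CS_ADHOC:
        return "adhoc"
    if not info["authorities"]:
        return "unsigned-or-adhoc"
    leaf = info["authorities"][0]
    if leaf.startswith("Developer ID Application:"):
        return "developer-id"
    if leaf.startswith("Apple Mac OS Application Signing"):
        return "mac-app-store"
    if leaf.startswith("Software Signing"):  # Apple's own binaries
        return "apple"
    return "other"


def parse_spctl(text):
    """Return (verdict, source) from spctl --assess output."""
    verdict = source = None
    for line in text.splitlines():
        m = re.search(r": (accepted|rejected)\b", line)
        if m:
            verdict = m.group(1)
        elif line.startswith("source="):
            source = line[len("source="):].strip()
    return verdict, source


def triage(codesign_text, spctl_text):
    """Combine both tools into the facts worth recording for a sample."""
    info = parse_codesign(codesign_text)
    verdict, source = parse_spctl(spctl_text)
    return {
        "identifier": info["identifier"],
        "team_id": info["team_id"],
        "leaf": info["authorities"][0] if info["authorities"] else None,
        "signer": classify_signer(info),
        "gatekeeper": verdict,
        "source": source,
    }


def main(argv):
    # With an app path on a Mac, run the real tools; otherwise use the samples.
    if len(argv) > 1 and shutil.which("codesign") and shutil.which("spctl"):
        path = argv[1]
        cs = subprocess.run(["codesign", "-dvvv", "--verbose=4", path],
                            capture_output=True, text=True)
        sp = subprocess.run(["spctl", "--assess", "--verbose=4",
                             "--type", "execute", path],
                            capture_output=True, text=True)
        result = triage(cs.stdout + cs.stderr, sp.stdout + sp.stderr)
    else:
        result = triage(SAMPLE_CODESIGN, SAMPLE_SPCTL)
    for key, value in result.items():
        print(f"{key:11}: {value}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 triage.py /Applications/Suspect.app` on the affected machine. A "developer-id" result with "accepted" is exactly the situation the article describes: signed, and therefore allowed, but not trustworthy; the leaf identity and team ID are what to record and report, since a revoked Developer ID turns the spctl verdict into "rejected" on re-assessment. Note also that Gatekeeper only evaluates files carrying the com.apple.quarantine extended attribute, so a binary dropped on disk by another process is never assessed at all.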
News of the malware discovery comes as Apple rolls out an update to its iTunes media player platform which includes fixes for remote code execution and man-in-the-middle attacks. The patch applies to both OS X and Windows systems.