Mac Malware
By: Shane Binkerd, Shane Moreland, Travis Gardner

Posted 17 Dec 2015

Amphimix
• Appeared in 2004
• Trojan horse
• Disguised as an MP3 file
  o Including the MP3 icon

Leap
• First appeared in 2006
• Worm
• Used a graphic icon to mimic a JPG
• Spread by a file claiming to be the latest Leopard (Mac OS X) screenshots
  o Through iChat messenger

Inqtana
• Appeared in 2006
• Worm
• Spread over Bluetooth using the OBEX Push request

Jahlav
• Appeared in 2007
• Trojan horse
• Posed as a fake video codec
  o Claimed to solve an "ActiveX object error"
• Disguised itself as a MacAccess installer

Macsweeper & iMunizator
• Appeared in 2008
• First reported scareware for the Mac
• Fake security application
  o Claimed to be a 3-in-1 Mac cleaner
• Flagged legitimate applications and processes as problems
  o Offered to fix them for money
• iMunizator is closely related to Macsweeper

HellRTS aka HellRaiser
• First Mac malware reported in 2010
• Backdoor Trojan
• Gives the attacker a remote channel to capture information from the victim's machine
• Spread by social engineering

OpinionSpy
• Appeared in 2010
• Spyware
• Spread as part of the installation process for a number of screensavers
• Allowed backdoor access

Boonana
• Appeared in 2010
• Java-based Trojan
  o Can infect Windows, Linux and Mac
• Spread across social networking sites posing as a video
• Attempted to retransmit itself via a reblog or repost

BlackHole
• Appeared in 2011
• Backdoor Trojan
• Executes shell commands remotely

MacDefender
• Appeared in 2011
• Fake antivirus (scareware)
• Spread via malicious links planted in search results
• Relied on Safari's default "Open 'safe' files after downloading" setting to launch its installer automatically (an abused default setting, not a code-execution exploit in Safari)

Kitmos & Hackback
• Appeared in 2013
• Backdoor Trojans
• Allow the attacker to run executables sent to the victim's machine
  o Take screenshots and send them to the attacker
• Modify the user's loginitems.plist to ensure execution at login
• Hackback zips .txt, .doc, .eml, .pdf, etc. and sends the archive to the attacker
• Tied to Operation Hangover
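The persistence trick on this slide, editing the user's login items list, can be audited offline from the plist files themselves. The Python below is an added example (not code from the slides or from any vendor writeup): it parses a constructed com.apple.loginitems.plist and compares the items against an allowlist, and it goes one step beyond the slide by applying the same audit to per-user LaunchAgents, the more general user-level persistence point. The allowlist, the path heuristics and all plist contents are assumptions constructed for the demo, not indicators from a real sample.

```python
"""Audit two user-level persistence points on macOS: the login items list
(com.apple.loginitems.plist, which Kitmos edits to run at login) and the
per-user LaunchAgents folder, the more general equivalent.

Added example, not code from the slides or any vendor writeup. The plist
documents below are constructed for the demo; the allowlist and the path
heuristics are assumptions, not indicators from a real sample."""
import plistlib
import re

# Login items this user is expected to have (assumption for the demo).
EXPECTED_LOGIN_ITEMS = {"iTunesHelper", "Dropbox"}

# Program paths a legitimate agent rarely uses: temp dirs, the shared user
# folder, or any hidden directory component (heuristic, not a rule).
SUSPICIOUS_PATH = re.compile(r"^(/tmp|/private/tmp|/var/tmp|/Users/Shared)/|/\.")


def login_item_names(plist_bytes: bytes) -> list:
    """Names of the custom login items stored under SessionItems."""
    plist = plistlib.loads(plist_bytes)
    items = plist.get("SessionItems", {}).get("CustomListItems", [])
    return [item.get("Name", "<unnamed>") for item in items]


def audit_login_items(plist_bytes: bytes, expected=EXPECTED_LOGIN_ITEMS) -> list:
    """Report login items that are not on the allowlist."""
    return [f"login item not in allowlist: {name}"
            for name in login_item_names(plist_bytes) if name not in expected]


def audit_launch_agent(path: str, plist_bytes: bytes) -> list:
    """Report red flags in one LaunchAgent/LaunchDaemon plist."""
    plist = plistlib.loads(plist_bytes)
    findings = []
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    if SUSPICIOUS_PATH.search(program):
        findings.append(f"{path}: program in suspicious location: {program}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append(f"{path}: RunAtLoad with KeepAlive (relaunches if killed)")
    label = plist.get("Label", "")
    if label.startswith("com.apple."):
        # Apple's own agents ship under /System/Library; an Apple-looking
        # label in a user's LaunchAgents folder is impersonation.
        findings.append(f"{path}: label impersonates Apple: {label}")
    return findings


# --- constructed inputs (not real files) --------------------------------
LOGIN_ITEMS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>SessionItems</key><dict>
    <key>CustomListItems</key><array>
      <dict><key>Name</key><string>iTunesHelper</string></dict>
      <dict><key>Name</key><string>Dropbox</string></dict>
      <dict><key>Name</key><string>ScreenHelper</string></dict>
    </array>
  </dict>
</dict></plist>"""

ROGUE_AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updatecheck</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/.cache/updater</string>
    <string>--silent</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.syncagent</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/ExampleSync.app/Contents/MacOS/syncagent</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def audit_all() -> list:
    """Run both audits over the constructed inputs."""
    findings = audit_login_items(LOGIN_ITEMS_PLIST)
    findings += audit_launch_agent("~/Library/LaunchAgents/com.apple.updatecheck.plist", ROGUE_AGENT_PLIST)
    findings += audit_launch_agent("~/Library/LaunchAgents/com.example.syncagent.plist", BENIGN_AGENT_PLIST)
    return findings


if __name__ == "__main__":
    for line in audit_all():
        print(line)
```

On a live system the same functions run over ~/Library/Preferences/com.apple.loginitems.plist and every plist in ~/Library/LaunchAgents (plistlib also reads the binary plist format). The login-item check only sees the item's Name; a real triage also resolves the stored Alias to the on-disk path, and the path heuristic is a triage aid, not a verdict, since some legitimate updaters do run from hidden directories.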

Icefog
• Found in 2013
• Backdoor
• Targeted attacks against East Asian companies and governments
• Disguised as legitimate programs such as AppDelete and CleanMyMac

CoinThief
• Appeared in 2014
• Hid inside multiple legitimate-looking applications
  o BitVanity, StealthBit, Litecoin Ticker, Angry Birds
• Installed browser extensions
• Attacked Bitcoin-Qt wallets
  o The wallet application was modified to send bitcoins to a remote machine
• At the time of the VirusTotal scan cited in the references (Feb. 2014), detected only by F-Secure, Sophos and Trend Micro

LaoShu
• Appeared in 2014
• Trojan
• Spread by fake emails claiming to come from FedEx
• Cleverly disguised as a PDF from the legitimate FedEx domain
  o Actually an executable
• LaoShu is digitally signed
  o Signed with an Apple Developer ID certificate, so Gatekeeper's default policy (Mac App Store and identified developers) lets it run until Apple revokes the certificate
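Amphimix (MP3 icon), Leap (JPG icon) and LaoShu (FedEx "PDF") all rely on the file name and icon saying one thing while the bytes say another. The Python below is an added example, not code from the slides: it classifies a file from its leading bytes, with a separate check for the Mach-O universal-binary magic that Java class files also use, and flags any file whose extension claims to be a document or media file but whose content is a native macOS executable. Everything in SAMPLES is a constructed header fragment, not a real file or malware sample.

```python
"""Detect files that claim to be a document or media file by extension but
are really native macOS executables, the trick used by Amphimix (MP3),
Leap (JPG) and LaoShu (FedEx "PDF").

Added example, not code from the slides. The entries in SAMPLES are
constructed byte strings, not real files."""
import os
import struct

# First four bytes of a thin Mach-O image, both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC     32-bit
    b"\xce\xfa\xed\xfe",  # MH_CIGAM     32-bit, byte-swapped
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64  64-bit
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64  64-bit, byte-swapped
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary; also the Java .class magic

# File type each "harmless" extension claims to be.
CLAIMED_BY_EXT = {".pdf": "pdf", ".jpg": "jpeg", ".jpeg": "jpeg", ".mp3": "mp3"}


def classify(data: bytes) -> str:
    """Identify a file from its leading bytes, ignoring its name."""
    magic = data[:4]
    if magic == FAT_MAGIC:
        # Universal Mach-O and Java class files share this magic. In a fat
        # header the next big-endian uint32 is nfat_arch (a small count);
        # in a class file it is minor/major version with major >= 45, so
        # the value is >= 45. file(1) uses the same kind of cut-off.
        if len(data) >= 8 and struct.unpack(">I", data[4:8])[0] < 30:
            return "macho"
        return "java-class"
    if magic in MACHO_MAGICS:
        return "macho"
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    # MP3: an ID3v2 tag, or an MPEG audio frame sync (11 set bits).
    if data.startswith(b"ID3") or (len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0):
        return "mp3"
    return "unknown"


def check_disguise(filename: str, data: bytes) -> str:
    """Compare what the name claims with what the bytes say."""
    actual = classify(data)
    claimed = CLAIMED_BY_EXT.get(os.path.splitext(filename)[1].lower())
    if actual == "macho" and claimed is not None:
        return "disguised-executable"   # LaoShu / Amphimix pattern
    if actual == "macho":
        return "executable"             # honest name, still worth a look
    if claimed is not None and actual != claimed:
        return "type-mismatch"          # e.g. a .pdf that is really a ZIP
    return "ok"


# Constructed samples (header fragments only; none of these are real files).
SAMPLES = {
    # 64-bit little-endian Mach-O header named like LaoShu's FedEx lure
    "FedEx_Invoice.pdf": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01\x03\x00\x00\x00\x02\x00\x00\x00",
    # universal binary (nfat_arch = 2) named like Leap's "latest pics"
    "latestpics.jpg": FAT_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 40,
    # a Java class file (major version 52) shares the magic but is not Mach-O
    "Hello.class": FAT_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 8,
    # genuine MP3 with an ID3v2.3 tag
    "track01.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\x00" * 16,
    # genuine PDF
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    # a .pdf that is actually a ZIP archive
    "archive.pdf": b"PK\x03\x04" + b"\x00" * 20,
}


def scan(files: dict) -> dict:
    """Run check_disguise over a {name: bytes} mapping."""
    return {name: check_disguise(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:20s} {classify(SAMPLES[name]):11s} {verdict}")
```

In practice the check runs over a directory tree, reading only the first few hundred bytes of each file, and for an .app bundle it is applied to the binary under Contents/MacOS. A bundle with a forged document icon, as LaoShu used, shows no extension mismatch at all, so the complementary checks on a Mac are `file` on the binary and, for the signing point on this slide, `codesign -dv --verbose=4 <app>` and `spctl --assess --verbose <app>`, which show which signing identity Gatekeeper is trusting.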

Appetite (OSX.Apptite.A; the Mac component of Careto / "The Mask", OSX_CARETO.A)
• Reported in 2014
• Backdoor
• Seems to be aimed at government, diplomatic and corporate targets
• Contains Windows components
• Uses rootkit and bootkit techniques to hide
• Noted for encoding its configuration data and encrypting its network traffic

Conclusion
• There is no safe haven on either Windows or Mac
• Windows is a much larger share of the operating systems in use
  o 9.9% Mac users
  o 81% Windows users (9.4% still on XP)
  o Source: http://www.w3schools.com/browsers/browsers_os.asp (visitor statistics for w3schools.com, which skew toward developers; not a global market-share measurement)

References
• "Antivirus scan for CoinThief - VirusTotal." VirusTotal, 14 Feb. 2014. Accessed 27 Apr. 2014. <https://www.virustotal.com/en/file/398aa459eea689dafdb98567644a2ab1f4d5b90cb4e3ad3a06ab7e0b2da4d8ad/analysis/>
• Cluley, Graham. "First ever virus for Mac OS X discovered." Sophos press release, 16 Feb. 2006. Accessed 27 Apr. 2014. <http://www.sophos.com/en-us/press-office/press-releases/2006/02/macosxleap.aspx>
• Cohen, Peter. "Sophos warns against iMunizator 'scareware'." Macworld, 2 Apr. 2008. Accessed 27 Apr. 2014. <http://www.macworld.com/article/1132800/imunizator.html>
• Cortes, Santiago. "OSX.Kitmos: Technical Details." Symantec, 16 May 2013. Accessed 27 Apr. 2014. <http://www.symantec.com/security_response/writeup.jsp?docid=2013-051616-5911-99&tabid=2>
• Leyden, John. "Scareware scammers target Mac users." The Register, 15 Jan. 2008. Accessed 27 Apr. 2014. <http://www.theregister.co.uk/2008/01/15/mac_scareware_scam/>
• Li, Yi. "OSX.Hackback: Technical Details." Symantec, 20 May 2013. Accessed 27 Apr. 2014. <http://www.symantec.com/security_response/writeup.jsp?docid=2013-052003-5213-99&tabid=2>
• Liu, Yana. "OSX.Apptite.A: Technical Details." Symantec, 13 Mar. 2014. Accessed 27 Apr. 2014. <http://www.symantec.com/security_response/writeup.jsp?docid=2014-021723-5609-99&tabid=2>
• "Mac Malware Facts." ESET. Accessed 27 Apr. 2014. <http://www.eset.com/int/mac-malware-facts/>
• Niemela, Jarno, and Gergely Erdelyi. "Worm:OSX/Inqtana.A." F-Secure, 22 Feb. 2006. Accessed 27 Apr. 2014. <http://www.f-secure.com/v-descs/inqtana_a.shtml>
• "OSX/HackBack.A." ESET Virus Radar. Accessed 27 Apr. 2014. <http://www.virusradar.com/en/OSX_HackBack.A/description>
• "OSX/HackBack-A: Detailed Analysis." Sophos, 19 June 2013. Accessed 27 Apr. 2014. <http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~HackBack-A/detailed-analysis.aspx>
• "OSX/Icefog-A: Detailed Analysis." Sophos, 27 Sept. 2013. Accessed 27 Apr. 2014. <http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~Icefog-A/detailed-analysis.aspx>
• "OSX/Kitm.A." ESET Virus Radar. Accessed 27 Apr. 2014. <http://www.virusradar.com/en/OSX_Kitm.A/description>
• "OSX/StealBit-B: Detailed Analysis." Sophos, 20 Feb. 2014. Accessed 27 Apr. 2014. <http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OSX~StealBit-B/detailed-analysis.aspx>
• "Mac OS X MP3 Trojan horse threat overhyped, says Sophos." Sophos press release, 13 Apr. 2004. Accessed 27 Apr. 2014. <http://www.sophos.com/en-us/press-office/press-releases/2004/04/va_macmp3.aspx>
• "OSX_CARETO.A." Trend Micro Threat Encyclopedia. Accessed 27 Apr. 2014. <http://about-threats.trendmicro.com/us/malware/osx_careto.a>
• "Trojan-Downloader:OSX/Jahlav.A." F-Secure. Accessed 27 Apr. 2014. <http://www.f-secure.com/v-descs/trojan-downloader_osx_jahlav_a.shtml>