
It just works -- except when you're infected

Apple, Inc. (AAPL) has long maligned the Windows PC as virus-laden, while promoting its own Mac computers as immune to such evils.  But despite this "It just works" publicity campaign, recent OS X malware [1][2][3][4] has forced Apple onto the defensive, silently rolling out tools to remove malicious programs from users' computers.

I. Malware Enslaves Unwitting Mac Users' GPUs

Now another piece of malware has struck unsuspecting Mac owners.  The new multiplatform trojan, reported in the wild by security firms Sophos Security and Intego, is much more sophisticated than most of the past malware to hit the Mac platform.

The malicious program installs as part of infected torrent downloads from sites such as The Pirate Bay.  Thus far the malware has primarily been found piggybacking on pirated copies of the image editing app GraphicConverter version 7.4 (whose authors are not involved in the scheme and do not approve of the pirating in the first place).  The onboard malware is officially known in security circles as OSX/Miner-D, and is nicknamed "DevilRobber".

[Image: Mac torrent client] Mac torrenters may find themselves the victim of a clever new trojan -- as usual Apple remains silent on the issue. [Source: iQuid]

Once installed on the victim's machine, the malware opens a back-door into the OS X system, allowing remote command-and-control.  It also monitors the computer, attempting to steal personal information such as credit card numbers.

[Image: OS X miner installed] The malware targets multiple platforms -- including the Mac. [Source: Intego]

To do this it takes screenshots.  It also periodically dumps confidential information from various applications -- such as TrueCrypt data, Vidalia (TOR plugin for Firefox), the Safari browsing history, and .bash_history -- into the creatively named file dump.txt.  It also records usernames and passwords by monitoring traffic through a proxy server (on port 34522 in the most common variant, but likely to change).

But its biggest target is the crypto-currency "bitcoins".

[Image: malware code] The DevilRobber trojan uses screen captures to steal your password and private information. [Source: Sophos]

Bitcoins are a nation-agnostic cyber-currency, beloved by hackers, internet aficionados, and libertarians (among others).  In order to seed the initial distribution of "wealth" on the market, people can use computing resources to "mine" Bitcoins via mining clients.

The key part of DevilRobber is a Bitcoin-mining Java program that the core trojan executes.  The trojan enslaves the target's GPU to harvest Bitcoins.  Due to the hard-to-trace nature of the cryptocurrency, the malware's authors can successfully obscure their identity and safeguard their profits.

The mining program is often how the infection is first noticed, as it makes the system respond sluggishly, given the load it places on the GPU.
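The behaviour described in the two passages above (a proxy listener on port 34522, stolen data written to a file named dump.txt, and a mining process that pins the machine) gives a defender three host-level indicators to check. The following Python script is an added example, not code from the article, Sophos or Intego: it runs those checks over the output of `netstat -an` and `ps -axo pid,pcpu,comm`, and walks a directory tree for the dump file. The sample netstat and ps output is constructed, the dump.txt search root and the 80% CPU threshold are assumptions (the article gives no path, and the GPU miner's host process is assumed to show up as high CPU), and the port is the one the article reports for the most common variant.

```python
"""Host triage for the DevilRobber indicators described in the article.

Added example, not the article's or the vendors' code. Assumptions are
marked inline; the sample netstat/ps output below is constructed."""
from __future__ import annotations

import os
import re
import tempfile
from typing import Iterable

# Indicators taken from the article text.
PROXY_PORT = 34522          # proxy port of the most common variant; the article says it may change
DUMP_FILENAME = "dump.txt"  # file the trojan writes stolen data to (no path given, so search by name)
CPU_THRESHOLD = 80.0        # assumption: sustained %CPU that would make a machine feel "sluggish"

# `netstat -an` on macOS: Proto Recv-Q Send-Q Local Foreign (state); addresses print as host.port
NETSTAT_RE = re.compile(r"^(tcp\S*)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)")
# `ps -axo pid,pcpu,comm`: PID %CPU COMM
PS_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(.+)$")


def find_listeners(netstat_lines: Iterable[str], port: int = PROXY_PORT) -> list[str]:
    """Return the netstat lines where a TCP socket is in LISTEN on `port`."""
    hits = []
    for raw in netstat_lines:
        line = raw.strip()
        m = NETSTAT_RE.match(line)
        if not m or m.group(4) != "LISTEN":
            continue
        # local address looks like *.34522 or 127.0.0.1.34522; the port follows the last dot
        if m.group(2).rsplit(".", 1)[-1] == str(port):
            hits.append(line)
    return hits


def find_cpu_hogs(ps_lines: Iterable[str], threshold: float = CPU_THRESHOLD) -> list[tuple[int, float, str]]:
    """Return (pid, %cpu, command) for every process at or above `threshold`."""
    hogs = []
    for line in ps_lines:
        m = PS_RE.match(line)
        if m and float(m.group(2)) >= threshold:
            hogs.append((int(m.group(1)), float(m.group(2)), m.group(3).strip()))
    return hogs


def find_dump_files(root: str) -> list[str]:
    """Walk `root` and return every path to a file literally named dump.txt."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if DUMP_FILENAME in files:
            found.append(os.path.join(dirpath, DUMP_FILENAME))
    return sorted(found)


def triage(netstat_lines: Iterable[str], ps_lines: Iterable[str], search_root: str) -> dict:
    """Combine the three checks into one report; any non-empty list deserves a closer look."""
    return {
        "proxy_listener": find_listeners(netstat_lines),
        "cpu_hogs": find_cpu_hogs(ps_lines),
        "dump_files": find_dump_files(search_root),
    }


# Constructed sample output (not real captures), laid out in the macOS column format.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.34522        *.*                    LISTEN
tcp4       0      0  10.0.1.5.49321         203.0.113.5.443        ESTABLISHED
""".splitlines()

SAMPLE_PS = """\
  PID  %CPU COMM
    1   0.0 /sbin/launchd
  412   1.3 /Applications/Safari.app/Contents/MacOS/Safari
  918  97.4 /usr/bin/java
""".splitlines()


def demo() -> dict:
    """Run the triage against the constructed samples and a temp tree holding one dump.txt."""
    with tempfile.TemporaryDirectory() as root:
        nested = os.path.join(root, "Users", "victim", "Documents")  # constructed location
        os.makedirs(nested)
        with open(os.path.join(nested, DUMP_FILENAME), "w") as fh:
            fh.write("constructed placeholder, not real stolen data\n")
        report = triage(SAMPLE_NETSTAT, SAMPLE_PS, root)
    # the temp tree is gone now, so keep only the count of dump files found
    report["dump_files"] = len(report["dump_files"])
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live machine you would feed `find_listeners` the output of `netstat -an`, `find_cpu_hogs` the output of `ps -axo pid,pcpu,comm`, and point `find_dump_files` at a home directory; a hit on any one check is only a lead, since the port is variant-specific and dump.txt is a common filename.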

As a secondary tactic, the core trojan also attempts to access any unencrypted Bitcoin wallets it can find.  It is unknown whether it contains code to access encrypted wallets, but it is reasonable to assume that future updates could deliver the ability to "crack" weakly encrypted wallet files.  The contents of compromised wallets are transferred to the attacker.

Curiously, the trojan also deletes any files whose names begin with "pthc".  This acronym is associated in internet forums with the phrase "pre-teen hardcore pornography", aka child porn.  It almost appears that the trojan writers have attempted to do a bit of good amid all the evil they have created.

II. Lessons Learned

The new attack illustrates some of the issues surrounding both Apple computers and Bitcoins.

[Images: Bitcoin Button (left); Bitcoin badges (right)] [Sources: Bitcoin Forum (left); Nerd Merit Badges (right)]

For Apple, it's yet another indication that the company's public effort to feign ignorance on malware is harming customers.  While tech-savvy Mac users understand their platforms are just as susceptible to infections as PCs, in theory if not in practice, less tech-savvy users often believe their Mac is magically immune to infection.  This belief is perpetuated by Apple's advertisements and by the company's technicians, who were revealed to be under orders to lie to customers -- feigning ignorance of infections.  This approach has led to at least some of Apple's customers being victimized by the hacking community.

This situation is only likely to get worse, as Apple refuses to publicly acknowledge the danger, as Microsoft has, for fear of losing its "it just works" public image.  But with Apple currently in third place in computer sales by vendor, and with what some hackers say are weaker protections than Windows 7, interest in malicious Mac hacking is trending upwards.

As for Bitcoins, the cryptocurrency holds great promise, as it is formulated to prevent local government corruption, double spending, inflation, and ineffectual government monetary regulation.  However, the Bitcoin market has been dealt a series of setbacks, both via the entrance of cybercriminals as large-scale miners, and from account breaches.  

With Bitcoin's largest exchange recently hacked, the currency's proponents have raced to safeguard their brainchild.  More work clearly needs to be done to exclude cybercriminal miners, or Bitcoin risks being intimately associated with illegality.

Sources: Intego, Sophos Security


Same old...
By messele on 11/1/2011 11:32:39 AM , Rating: -1
If you KNOWINGLY install a piece of software from KNOWINGLY dubious sources it is neither:

A) Something that ANY computing platform could ever be immune from without specialist monitoring software and even then there is no guarantee. To trick the user is not a downfall of the platform, especially when that user is likely breaking the law anyway.

B) Something that Apple EVER claimed they are immune from as they specifically boasted that viral infections were unheard of (which is pretty much true at the time and essentially remains true today).

It really is a bit sad that you go to all this effort on a daily basis to throw crap about the place when the specific fact that counters your argument can generally be found as early as the first paragraph.

In this instance the change in terminology from "Trojan" in the headline to "virus" in the first paragraph is your undoing. You are comparing Apples *ahem* with oranges.

Full of shit. As usual.

RE: Same old...
By kattanna on 11/1/11, Rating: -1
RE: Same old...
By borismkv on 11/1/2011 12:12:50 PM , Rating: 2
People are always the weak link. There are two general rules involving system security:
1. You can control the system, but all you can do is train people.
2. If an unauthorized user gains physical access, you're screwed.
What I wish I could append to those rules:
3. If an idiot gains physical access and screws things up, apply a hammer directly to their forehead.

RE: Same old...
By kleinma on 11/1/2011 11:49:21 AM , Rating: 2
fanboy much?

RE: Same old...
By MistaP on 11/1/2011 11:59:28 AM , Rating: 5
I don't get the need to defend Apple so blindly. Do people make money off of defending Apple so fanatically? If so where do I sign up?

The article basically states that, "Hey there is a new flaw found in Apple systems being exploited and here is what it does." It also touches on how this is a growing occurrence as the systems become more and more mainstream, and then points out the company's less than honest tactics to not acknowledge this and keep the image they have previously marketed.

Nothing fictional there so we start splitting hairs over wording?

One word. Fanatical.

RE: Same old...
By Helbore on 11/1/2011 1:39:19 PM , Rating: 2
You'd think Apple customers would be pleased that this information is getting reported, wouldn't you? I mean, otherwise they would remain ignorant of potential infections to their computers. Surely it is of benefit to the consumer to know of risks in products they use.

Some Apple fans are so blinkered, though, that it would seem they would rather run a machine covered in trojans that steal their personal data and withdraw money from their bank accounts, than admit that Apple don't make magic boxes.

Still, they buy Apple products, so I suppose they're used to being ripped off. (note to Apple fans, this is called a joke. Please do not take it as a personal attack on your virility. No personal insult is intended.)

RE: Same old...
By borismkv on 11/1/2011 12:09:29 PM , Rating: 3
Actually, there are very very few traditional Viruses running in the wild these days (using the definition of a self-replicating piece of software). The vast majority of security breaches involve Trojans and the like. But since you're complaining about terminology, Apple fanbois like to point out that there are *MILLIONS* of "Viruses" on PCs. In this sense they are using Virus as an all encompassing term for any type of malware, trojans, rootkits, spyware, etc. But when the same all encompassing term is applied to Apples, we get the opposite.

If you KNOWINGLY install a piece of software from KNOWINGLY dubious sources it is neither:

Using this statement, there is no reason to believe that the OS is at fault for *any* type of malicious software download. Because there are precious few viruses (using the all encompassing form of the word) that are distributed through legitimate means.

RE: Same old...
By SoCalBoomer on 11/1/2011 2:14:42 PM , Rating: 1
If you KNOWINGLY install a piece of software from KNOWINGLY dubious sources it is neither:

Except that this is NOT installed this way - it's installed via an infected torrent file. Read the article and the report from Sophos.

RE: Same old...
By Fritzr on 11/1/2011 6:06:30 PM , Rating: 2
Trojan: Malware disguised as a benign or beneficial program. Often included as an undocumented "Bonus Feature" of an otherwise useful program.

This attack is being distributed as part of a popular image editor. True the acquisition of the unlicensed torrent is illegal, but the downloader KNOWINGLY installs the image editor with its "Bonus Feature" and KNOWINGLY obtains it from a dubious source. (Torrents are indexes and do not normally do malware detection before adding a torrent)

It is installed in exactly the way the quote describes. True the installer is unaware of the "Bonus Feature" but that is the reason for the Trojan label. Troy was not notified in advance that the gift horse would include a delegation from the besieging army :D

RE: Same old...
By Tony Swash on 11/2/11, Rating: -1
Copyright 2016 DailyTech LLC.