Sneaky Mac Malware Went Undetected By AV Providers For Four Month (arstechnica.com) 28
Four months after a mysterious group was outed for a digital espionage operation that used novel techniques to target Mac users, its macOS malware samples continued to go undetected by most antivirus providers, a security researcher reported on Thursday. Ars Technica reports: Windshift is what researchers refer to as an APT -- short for "advanced persistent threat" -- that surveils individuals in the Middle East. The group operated in the shadows for two years until August, when Taha Karim, a researcher at security firm DarkMatter, profiled it at the Hack in the Box conference in Singapore. Slides, a brief description, and a report from Forbes are here, here and here, respectively.
On Thursday, Mac security expert Patrick Wardle published an analysis of Meeting_Agenda.zip, a file Karim had said installed the rare Mac malware. To Wardle's surprise, results from VirusTotal at the time showed that only two antivirus providers -- Kaspersky and ZoneAlarm -- detected the file as malicious. Wardle then used a feature that searched VirusTotal for related malicious files and found four more. Three of them weren't detected by any AV providers, while one was detected by only two providers. The reason the findings were so surprising is that Apple had already revoked the cryptographic certificate the developers used to digitally sign their malware. That meant Apple knew of the malware. In fairness, the control servers the malware contacts are no longer available on the Internet. That means any infected computers aren't in danger of being surveilled. Also in fairness, the number of detections has slowly risen in the day since Wardle published his analysis.
On Thursday, Mac security expert Patrick Wardle published an analysis of Meeting_Agenda.zip, a file Karim had said installed the rare Mac malware. To Wardle's surprise, results from VirusTotal at the time showed that only two antivirus providers -- Kaspersky and ZoneAlarm -- detected the file as malicious. Wardle then used a feature that searched VirusTotal for related malicious files and found four more. Three of them weren't detected by any AV providers, while one was detected by only two providers. The reason the findings were so surprising is that Apple had already revoked the cryptographic certificate the developers used to digitally sign their malware. That meant Apple knew of the malware. In fairness, the control servers the malware contacts are no longer available on the Internet. That means any infected computers aren't in danger of being surveilled. Also in fairness, the number of detections has slowly risen in the day since Wardle published his analysis.
AV works best with...sigs (Score:4, Informative)
Re: (Score:1)
I've caught a grand total of 3 with heuristics in 25 years. Sasser I believe was one of those, Nod32 IIRC. Back when that was a realistic thing, heuristics lol. Now? Heuristics would just uninstall Windows 10 and say "fuck you"
Re: (Score:3)
Which makes this story even weirder. It's like where are the staff that are meant to be monitoring competitors and running competitors software. What the hell happened, to "hey guys, our competitors software is blocking this malware and our's isn't", and then they fix that within the next hour. Just ignore the failure of your software for four months, kinds of makes you think they were forced to ignore it because of who it belong to or well, they are just shite companies, selling a shite product and they si
Re: (Score:2)
Most Mac AV software is an aftertought, after the moneymaking server AV/security suites for Windows Servers and Linux servers (redundancy intended) and the Windows Corporate Desktop AV. All management focus and resources are on the money makers, and the Mac AV gets the scraps. Is there just for "portfolio completness" sake.
So in the mac antivirus front is more crappy versus less crappy AV, not good versus bad.
Re: (Score:2)
"the signing certificate(s) of all the samples are revoked"
"... this certificateand thus surely this malware as well."
From the linked https://objective-see.com/blog... [objective-see.com]
Re: (Score:3)
From the linked https://objective-see.com/blog... [objective-see.com]
""First, good news, Objective-See’s tools such as BlockBlock and KnockKnock are able to both detect and block this malware with no a priori knowledge"
Re: (Score:3)
That's incorrect..
If you look at Watchguard and other advanced router vendors such these days, they send unknown samples of files to a fake windows computer in the cloud, run them and analyse them.
Whilst it won't detect everything, if everyone ran such sandbox based AV systems things would work much better.
The big issue with OSX, is that Apple DECEIVED people into believing OSX couldn't get viruses, so everyone let their guard down.
Don't be surprised if there is a lot more OSX malware out there than people
Re: (Score:2)
There's a lot out there. Except that by default. OS X will not run unsigned applications (either signed with an Apple-provided certificate, or signed by the Mac App Store). And that's why the revoked certificate is important, because it means the malware will not run by default.
As a final check, O
How is this possible? (Score:1)
According to Mac zealots, only Windows machines can get malware or viruses.
Re: (Score:2)
Okay Sat-Nad, just because Windows is a virus magnet doesn't mean others need be as well.
Re: You go home now (Score:1)
You can check out any time you like, but you can never leave.
-Roach Motel California.