Archives for Mac trojan

An exploit can completely bypass Mac’s Gatekeeper malware protection

Gatekeeper is the security feature of Mac OS X that protects users from malicious applications and code execution on their Mac computers. It warns Mac users against installing unsigned apps or apps downloaded over an unencrypted connection. Gatekeeper does an efficient job of preventing the installation of Trojans and applications carrying malicious code. However, Patrick Wardle, director at the security firm Synack, has identified a method capable of completely circumventing Gatekeeper and installing malware on the target machine. Wardle has developed a proof of concept to demonstrate how the method works.

Image: Mac Gatekeeper malware (Image Source: arstechnica.com)

This Mac security function checks the digital certificate of a downloaded application, and if it is signed by a developer recognized by Apple or downloaded from Apple’s App Store, Gatekeeper lets it through. Once these criteria are met, Gatekeeper exits, and the app can be executed. It does not check whether the authorized app it let through executes another file that results in malicious behavior. The PoC developed by Wardle demonstrates this vulnerability in Gatekeeper.

Attack Scenario:

1. The attacker identifies an Apple-trusted binary file.

2. The binary file is packaged inside an Apple DMG (disk image).

3. The attacker then manages to place it on the target system.

4. Since it is a trusted file, Gatekeeper allows its execution.

5. The Apple-trusted binary file then executes another file containing the malicious code.

6. The second file does not need any Apple certification to execute and can install malicious code on the target machine.

According to Wardle, there is an alternate method of bypassing Gatekeeper. An attacker can booby-trap an app installer with malicious plugins, with the installer programmed to open the plugins automatically. Gatekeeper will check the app installer’s digital certificate and ignore the plugins. But such an attack is impractical, and attackers would prefer the first method.

The detected vulnerability in Gatekeeper is alarming, since Apple has stated since the introduction of Gatekeeper in 2012 that it is a highly efficient security tool for OS X. A simple technique, as demonstrated by Wardle, is capable of easily bypassing Gatekeeper. Wardle tested the vulnerability on OS X Yosemite, but the upcoming El Capitan could be equally vulnerable. The vulnerability can easily be exploited by more sophisticated attackers, and by hackers backed by larger organizations and countries, to target and manipulate computers holding sensitive information.

The vulnerability is not in the way Gatekeeper operates but rather in its design. Wardle informed Apple 60 days ago and believes that the company is already working on a remedy. However, it will require more than a simple patch to eliminate the attack possibility. Wardle has suggested a few options that could bridge this security gap. These include performing a runtime check when libraries load or apps execute, to detect any unauthorized file. Another is to check any dynamic library that is downloaded from the internet.
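The gap described above is one of scope: Gatekeeper judges the item the user launched, not the other executables that item can load or spawn. As an added example (not code from the article or from Wardle’s proof of concept), the Python below implements the kind of check his first suggestion points at: it walks a mounted disk image or app bundle, identifies every Mach-O file by its header bytes, and, where Apple’s codesign tool is present, verifies each binary on its own rather than trusting the top-level item. The disk-image layout it builds for offline use is constructed for this example; the file names in it are invented, and only the four-byte magic numbers are real Mach-O values.

```python
"""Enumerate every Mach-O executable under a mounted disk image or app bundle
and, where Apple's codesign tool is available, verify each one individually.

Added example: Gatekeeper assesses the item the user launched; this walk covers
the other executables that item could load or spawn.
"""
import os
import shutil
import subprocess
import tempfile

# Thin Mach-O magic numbers as the first four bytes appear on disk.  A Mach-O
# header is written in the host's byte order, so both orderings are listed.
MACHO_MAGICS = {
    bytes.fromhex("feedface"), bytes.fromhex("cefaedfe"),  # MH_MAGIC / MH_CIGAM (32-bit)
    bytes.fromhex("feedfacf"), bytes.fromhex("cffaedfe"),  # MH_MAGIC_64 / MH_CIGAM_64
}
# Fat (universal) headers are always stored big-endian.  0xCAFEBABE also begins
# Java .class files, so a fat header is only accepted with a plausible arch count.
FAT_MAGIC = bytes.fromhex("cafebabe")


def is_macho(path):
    """Return True if the file at path starts with a Mach-O or fat header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return False
    if len(head) < 8:
        return False
    magic = head[:4]
    if magic in MACHO_MAGICS:
        return True
    if magic == FAT_MAGIC:
        # nfat_arch follows the magic, big-endian.  Java class files carry a
        # version here instead; their major versions start at 45.
        nfat_arch = int.from_bytes(head[4:8], "big")
        return 0 < nfat_arch < 32
    return False


def find_machos(root):
    """Walk root and return the sorted relative paths of every Mach-O file."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # judge real files, not their aliases
            if is_macho(full):
                found.append(os.path.relpath(full, root))
    return sorted(found)


def codesign_verdict(path):
    """Run `codesign --verify --strict` on one file and return a short verdict.

    Returns "unavailable" where codesign is not installed (any non-macOS host),
    "valid" on exit status 0 and "invalid" otherwise.  --deep is deliberately
    not used: the point of this walk is to judge each binary on its own.
    """
    if shutil.which("codesign") is None:
        return "unavailable"
    result = subprocess.run(
        ["codesign", "--verify", "--strict", path],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
    )
    return "valid" if result.returncode == 0 else "invalid"


def audit_image(root):
    """Return {relative_path: verdict} for every Mach-O under a mounted image."""
    return {rel: codesign_verdict(os.path.join(root, rel)) for rel in find_machos(root)}


def build_constructed_image(root=None):
    """Write a constructed (fake) disk-image layout for offline testing.

    Only the header bytes are real Mach-O values; nothing here is runnable code,
    and every file name is invented for this example.
    """
    root = root or tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Trusted.app", "Contents", "MacOS"), exist_ok=True)
    os.makedirs(os.path.join(root, ".hidden"), exist_ok=True)
    files = {
        # the item Gatekeeper would assess: 64-bit Mach-O as written by a little-endian host
        os.path.join("Trusted.app", "Contents", "MacOS", "Trusted"): bytes.fromhex("cffaedfe") + b"\0" * 28,
        # a second executable the trusted one could spawn: 32-bit Mach-O
        os.path.join(".hidden", "payload"): bytes.fromhex("cefaedfe") + b"\0" * 28,
        # a universal binary: fat header declaring two architectures
        os.path.join("Trusted.app", "Contents", "MacOS", "helper"): FAT_MAGIC + (2).to_bytes(4, "big") + b"\0" * 24,
        # decoys that must not be reported
        "README.txt": b"Drag Trusted.app to Applications\n",
        "Decoy.class": FAT_MAGIC + bytes.fromhex("00000034") + b"\0" * 24,  # Java class, major version 52
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    import sys
    # Usage: python audit_image.py /Volumes/MountedImage   (defaults to the constructed layout)
    target = sys.argv[1] if len(sys.argv) > 1 else build_constructed_image()
    for rel, verdict in audit_image(target).items():
        print(f"{verdict:12} {rel}")
```

Run against a mounted DMG on macOS and every Mach-O gets its own codesign verdict, including files Gatekeeper never looked at; on any other host the walk still lists the binaries, which is enough to see what a trusted launcher could reach. The fat-header arch-count check is there because a Java class file shares the 0xCAFEBABE prefix and would otherwise be misreported.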


XcodeGhost malware infects Apple’s App Store, infecting hundreds of apps and scaring security experts

Malware has always been a major threat to devices, data and user accounts; but the threat increases manifold when the malware is more subtle and deep-rooted, like one in an app creation tool! Such threats are real and already exist. XcodeGhost is an example of such malware. The counterfeit Xcode, termed as […]

Apple’s AirDrop flaw leaves users vulnerable to exploit

Mark Dowd, the head of Australia-based Azimuth Security, has stated that there is a vulnerability in AirDrop, Apple’s file-sharing service, which allows unauthorized access to the device and can be used to install malware. A user with an AirDrop configuration allowing file sharing with anyone and not merely their […]

3 Key Takeaways from RSA Conference 2014 – San Francisco for CISOs and Security Enthusiasts

Author: Arun Hegde, Security Architect (@arun25). Here is a quick summary of my experience at RSA Conference 2014 – San Francisco last month. Highlights of RSA 2014: Some of the highlights this year at RSA were cloud security, mobile security (especially for enterprise), more companies providing SIEM solutions and a lot of new […]

Careto/Mask APT cyber-espionage operations running and undetected for 7 long years

It almost sounded unbelievable when Kaspersky research published a cyber-espionage APT campaign, MASK (Careto), that has been running in the wild since 2007, undetected, targeting 31 countries. The tools used for MASK by the attackers are very sophisticated, which makes it very special. This includes an extremely sophisticated piece of malware, a […]

GameOver Latest Zeus variant uses Encryption to bypass Detection – Gary

GameOver Zeus is a notorious malware family that makes fraudulent transactions from your bank accounts from the infected host. A new variant of GameOver Zeus uses encryption to hide itself while propagating, which makes it almost impossible for modern-day antivirus to detect. The malware encrypts itself so well that it can pass the […]

iOS 7 release causing Apple DDoS — Well kidding

The iOS 7 release was major news for Apple users. It’s unbelievable to see how many users want the cool new operating system. This is always the fun part every year when something new comes from Apple. This time it’s for the new, powerful Apple iOS 7 release on September 18th. As reported on SANS, the […]

iPhone passcode hack vulnerability – Physical access to the device needed

Vulnerability Lab researchers have discovered a second version of a vulnerability that lets a hacker slip past the lock screen to access a user’s contact list, voicemails and more. In reality this is a flaw, but it can only be exploited provided the device is in the hacker’s hands. This cannot work from remote execution […]

Dr.Web discovers fake-installer Trojan (SMSSend) for Mac OS

Apple users have had the luxury of a lower number of infections so far compared to other platforms. Dr.Web, a Russian antivirus company, has discovered a fake installer, Trojan.SMSSend. Trojan.SMSSend.3666 is the Mac variant within the Trojan.SMSSend family of fake installers. These kinds of Trojans have been infecting Windows users for years. They appear to be legitimate […]