David Harley

Job title:
CEO, Small Blue-Green World, and independent author

Areas of expertise:
Apple security, malware, anti-malware testing, psychosocial aspects of security, user education, email management, social media, medical informatics

Biography:
David Harley, CITP, FBCS, CISSP, is an IT security researcher, author and consultant living in the UK. He has worked in IT (largely in medical informatics) since the 1980s, increasingly focused on security and anti-malware research since 1989. Between 2001 and 2006 he managed the UK National Health Service’s Threat Assessment Centre, and since 2006 he has provided authoring and consultancy services to the anti-virus industry. Since 2009 he has been a director of the Anti-Malware Testing Standards Organization (AMTSO). He runs the Mac Virus website and AVIEN (the Anti-Virus Information Exchange Network), and is a Fellow of the British Computer Society (now the BCS Institute). He was principal author and technical editor of “The AVIEN Malware Defense Guide for the Enterprise” and co-authored “Viruses Revealed”, as well as contributing to many other books including “OS X Exploits and Defense”. He has a daunting back-catalog of research papers and articles, and also blogs for Mac Virus, AVIEN, ESET (where he holds the title Senior Research Fellow), (ISC)², and numerous other websites.

OS X Malware: A Steady Trickle

I’m guessing that the myth of OS X invulnerability to malware is pretty much busted by now: at any rate, there has been wave after wave of OS X-related malware reports in the past week or two. Sophos were the latest big name to weigh in on the OSX/Imuler malware that DrWeb, Intego, ESET and your humble scribe have already commented on, though Sophos calls it Imuler-B and both Intego and ESET call it Imuler.C. There’s no particular significance in that: there’s no guarantee that variant designations will be the same across all vendors for all malware. In fact, they often aren’t, and that’s inevitable, since detection names generally derive from each vendor’s own family classification and detection logic rather than from the names picked up by the media. Once upon a time, much malware could be neatly compartmentalized into a vendor-agnostic variant listing, but those days are long gone. It’s an unfortunate artefact of the 21st century glut-ridden threat scene.

At any rate, it looks like everyone is using the same graphic from the same .ZIP, called “FHM Feb Cover Girl Irina Shayk H-Res Pics.zip”. There’s another recent example called Nangdrol.app in “Pictures and the Ariticle of Renzin Dorjee.zip” which I think only Intego has mentioned, but I guess topless models are a bigger draw than Tibetan activists, for security bloggers as well as for malware social engineering.
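The lure described above is a “pictures” archive that actually carries an application bundle. The script below is an added example (not code from the original post or from any of the vendors named) of the triage check a responder can run on such an archive without executing anything: it lists the zip’s entries, flags anything that lives inside a .app bundle or under Contents/MacOS, and identifies executables by their Mach-O header rather than by file extension, so an executable renamed to .jpg is still caught. The sample archive is constructed inline with synthetic headers and contains no real malware; the entry names, including the reuse of the Nangdrol.app name from the report above, are assumptions for illustration only.

```python
import io
import zipfile

# Mach-O magic numbers: 32- and 64-bit, both byte orders, plus the fat (universal) header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",  # MH_MAGIC, MH_MAGIC_64 (big-endian)
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",  # MH_CIGAM, MH_CIGAM_64 (little-endian)
    b"\xca\xfe\xba\xbe",                       # FAT_MAGIC (universal binary)
}
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")


def triage_zip(data: bytes) -> list:
    """Return a list of {'name', 'reasons'} findings for suspicious entries in a zip (as bytes)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Only the first four bytes are needed to recognise a Mach-O header.
            with zf.open(info) as fh:
                head = fh.read(4)
            parts = name.split("/")
            # An .app bundle is a directory tree; any file below a *.app component is a member.
            in_bundle = any(p.lower().endswith(".app") for p in parts[:-1])
            is_macho = head in MACHO_MAGICS
            is_exec_path = "/Contents/MacOS/" in name  # where a bundle's main executable lives
            reasons = []
            if in_bundle:
                reasons.append("inside .app bundle")
            if is_macho:
                reasons.append("Mach-O header")
                if name.lower().endswith(IMAGE_EXTS):
                    reasons.append("image extension on executable content")
            if is_exec_path:
                reasons.append("Contents/MacOS path")
            if reasons:
                findings.append({"name": name, "reasons": reasons})
    return findings


def findings_by_name(data: bytes) -> dict:
    """Same findings keyed by entry name, for easy lookup."""
    return {f["name"]: f["reasons"] for f in triage_zip(data)}


def build_sample_lure() -> bytes:
    """Constructed sample archive (assumption, not a real capture): a 'Pictures' zip with a bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Pictures/cover.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # genuine JPEG header
        zf.writestr("Pictures/Nangdrol.app/Contents/Info.plist", b"<plist/>")
        # Synthetic 64-bit little-endian Mach-O header followed by padding; no real code.
        zf.writestr("Pictures/Nangdrol.app/Contents/MacOS/Nangdrol",
                    b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        # A Mach-O file given an image extension: extension-based checks would miss this.
        zf.writestr("Pictures/bonus.jpg", b"\xce\xfa\xed\xfe" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_lure()):
        print(finding["name"], "->", ", ".join(finding["reasons"]))
```

Run against the constructed archive, the decoy cover.jpg is left alone, while the bundle’s Info.plist, its Contents/MacOS executable and the Mach-O file disguised as bonus.jpg are all reported. On a real sample, the same listing tells you what to hand to a sandbox and what the social-engineering hook was, before anyone double-clicks the “pictures”.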
Strangely enough, however, it’s been suggested that there might be a connection between Imuler and the direct attacks on Tibetan activists using different malware as I mentioned at Mac Virus. The only connection I can see is the mention of Tibet, though: OSX/Olyx.B is a very different kettle of (spear)phish. The reports by SecureMac on Tibetan NGOs (non-governmental organizations) are in line with other attacks assumed to originate in China, whether or not they’re government-sponsored. As is often the case with spearphishing and APTs (let’s not get into the quagmire of definitions), those particular attacks, which are directed against PC and Mac users, are based on a mixture of social engineering and a specific software vulnerability.
The attacks are launched by a web-hosted malicious Java applet exploiting CVE-2011-3544 (an already-patched vulnerability in Java) to download and install a persistent backdoor Trojan with botnet-like C&C (command-and-control) capability. A comprehensive analysis of the Windows version of the malware has already been published by AlienVault, which has a particular interest in the case, since the spearphishing emails point to a copy of AlienVault’s own report on targeted attacks against Tibetan organizations, hosted on assyra.com (to which shenhuawg.com also points) and booby-trapped with JavaScript.
The Java attack has also been linked to bot-generated Twitter spam targeting Tibetan activist conversations by including hashtags like “#Tibet” and “#freetibet”, presumably in order to drown out political dissent.
Meanwhile, you may want to take a look at F-Secure's comprehensive analysis of OSX/Flashback, though it has no particular link to the other malware mentioned above.

Posted 26/03/2012 by David Harley

Tagged under: David Harley , Intego , SecureMac , F-Secure , Sophos , ESET , DrWeb , Imuler , OSX , Flashback , Twitter , Tibet , Renzin Dorjee , Irina Shayk

RE: OS X Malware: A Steady Trickle
Posted 27/03/2012 by john walker
Excellent article, well written, factual, and a bit of a wakeup call from some original research, with aligned value add of respected expertise.
