The recent return of the Flashback malware to the news has brought the security issues around the Mac to the fore.
But there are other interesting aspects to this affair: how this type of software operates, what methods vendors use to analyze it, and how some of the variation in the reported infection numbers can be explained.
Our questions were answered by Philippe Devallois, Senior Security Analyst at Intego and, as such, responsible for their laboratory.
Philippe Devallois: There are basically three types of installation:
1 - Older versions used a fake installation package posing as Flash, hence the name.
2 - A system using two Java flaws, without user intervention and through infected web pages (essentially WordPress blogs).
For these variants, no administrator password request is required. The software is installed in the current user's directory. Very stealthy! But very unstable, because it injected code into all applications or binaries launched by the user or by launchd in the user session. This is also why users began to have doubts and spoke up on the Apple support forums (launchd is a system startup program that runs daemons - small programs running in the background - or user-visible applications, ed). After these crashes, the criminals therefore compiled a list of applications which, if present on the machine, would prevent the installation of the malware.
At this stage it is important to identify the components of this malware: the Java applet on infected sites is not a Trojan in the ordinary sense. That is to say, it does not pass itself off as something else in the eyes of the user. This is what we call a "drive-by download": it does not require any user intervention. For example, you visit a website - even quite a respectable one - that has previously been infected. In the usual course of data exchange and script execution (Java, Flash, JavaScript ...) between the site and your browser, malicious code takes advantage of a flaw, either in the browser or in one of its plug-ins, and settles quietly on your computer.
This binary, installed and run by the Java applet, is a "backdoor". It connects, behind the user's back, to what is called a control server (Command & Control, in the jargon). In this case, a software firewall is useless for detecting its presence. Only tools that block communication leaving the computer can detect this activity. Finally, the behaviour of the third component is viral: it dynamically injects its code into other applications launched by the user.
There are also various forms of viruses: there is the classic one that infects files. Only OSX/Macarena and OSX/Leap.A (discovered in 2006) correspond to this type of virus, which is the best known. Then there is the in-memory process injector. Very discreet, this type of virus spreads on systems where code injection is permitted (Unix ...). Flashback, in its latest version, is one of them. Finally, there is the companion virus, which does not merge with the code of the infected binary but is executed at the same time.
3 - The last installation mode requires the famous Java flaw numbered CVE-2012-0503. It is exploited by the latest versions of Flashback. If the Mac had no network security utility or developer debugging tool such as Xcode, an administrator password was requested to install an injector code into Safari. But even in the presence of these obstacles, the backdoor code was installed in the active user's Library > LaunchAgents folder.
Which leads me to correct some statements made recently. Once the Java applet is launched, the Mac is infected, even if a tool like VirusBarrier (or Office and Skype, as we have read) is installed. The difference is that in one case a password is requested via a software-update-style window, and in the other cases it is not.
What is the point? They wait quietly for the security software to be disabled by the user in order to regain control and continue the installation.
In this case, the software update window with the password request is a Trojan that installs a virus (the injector code). But only a Safari virus in the samples I had. If a security application is installed, no password is requested, and the component installed by the Java applet is then a simple backdoor, invisible to the user.
MacMyth: Once installed on a computer, what exactly does it do?
It depends on the variants. The latest ones forged Google requests as soon as the user browsed a site, in order to artificially inflate traffic statistics that are monetized. Some web queries were filtered and others were redirected to ad pages. JavaScript was injected into the pages received by the user in order to send the browser to monetized page addresses or websites.
The authors of this malware also have full control of infected Macs and can install and run new native OS X code via Flashback's update process. I watched, in one of my virtual boxes (an OS X running in a VMware machine), a shell binary being installed and a malefactor executing shell commands on this virtual machine, too fast to notice the deception (one can see these virtual machines as goats tied to a stake ..., ed). I think the person at the other end had a doubt about the infection ... and realized he was right.
MacMyth: Did Flashback hit 600,000 machines, as Dr.Web stated from its extrapolations?
I'm sure not; for example, the UUIDs (universally unique identifiers) of some VMware virtual machines used to test infections were included in Dr.Web's stats.
MacMyth: But how can we explain other figures, such as Symantec's, which this week showed an increase in the number of infected machines? It bases this projection on its pool of machines used as bait. Within 24 hours the estimate went from 600,000 to 380,000 machines - this was before the anti-Flashback tools became common - with much slower decreases once Apple had responded.
The analysis I offer is a personal interpretation: the malware makes a query on the domain computed for the day; it will be, for example, "iwuyrvtylnojde", to which it adds .com, .info, .net or .kz, drawn at random from a predetermined list. It is at these addresses that the malware looks for a server able to provide instructions. Symantec purchased the ".info" domain names for the next 15 days. But another company purchased the ".com" side. The malware starts by sending its encrypted query to "iwuyrvtylnojde" with the ending chosen at random. If the server responds correctly, it ends there. Otherwise, it makes a request to another random domain: iwuyrvtylnojde.com, .info, .net or .kz. So if the "honeypot" drawn first responds correctly and it is the .com one, Symantec will never see the requests from those infected Macs. I think this is what happened between April 9 and 10.
With two pots of honey, the odds are normally divided by 2, i.e. going from 600K to 380K, roughly half ... Another "sinkholer" appears tomorrow in Russia - either Kaspersky's or Dr.Web's - (the interview was conducted over the week, ed), so they should statistically divide their results by 3. This method called "sinkhole" is good, but only when you are the only one using it.
We must also consider the "freshness" of the malware samples you work with. On April 19 I got one in my virtual box that contacts a domain name which is not the one announced by Symantec. We can conclude that they have old samples, not the latest, which will consequently affect the estimated number of infected computers.
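The sinkhole-counting argument above, as an added Python simulation that is not part of the interview: each bot draws a TLD at random and stops at the first domain that answers, so every answering sinkhole observes an equal share of the botnet, which is the "divide by 2" and "divide by 3" the interviewee describes. The daily label is the interview's own example and the TLD list comes from its text; the retry loop, bot counts and seed are constructed assumptions, and the real daily-label algorithm is not modelled.

```python
import random
from collections import defaultdict

# Constructed model of the lookup pattern described in the interview: one
# label for the day plus a TLD drawn at random; if nobody answers, the bot
# draws again. "iwuyrvtylnojde" is the interview's example label; the real
# daily-label algorithm is not on the page and is not modelled here.
TLDS = (".com", ".info", ".net", ".kz")
DAILY_LABEL = "iwuyrvtylnojde"


def bot_lookup(rng, responders, label=DAILY_LABEL, max_tries=100):
    """Return the first domain that answers this bot, or None if none does.

    responders: set of domains that answer (sinkholes, or the real server).
    A bot stops at the first answer, so each sinkhole counts it at most once.
    """
    for _ in range(max_tries):
        domain = label + rng.choice(TLDS)
        if domain in responders:
            return domain
    return None


def sinkhole_counts(n_bots, responders, seed=0):
    """Number of distinct bots each answering domain observes in one day."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    seen = defaultdict(int)
    for _ in range(n_bots):
        hit = bot_lookup(rng, responders)
        if hit is not None:
            seen[hit] += 1
    return dict(seen)


def expected_share(responders):
    """Share of the botnet one sinkhole sees when bots retry until answered:
    the TLD draw is uniform, so every answering domain gets an equal cut."""
    return 1.0 / len(responders) if responders else 0.0


if __name__ == "__main__":
    info = DAILY_LABEL + ".info"
    com = DAILY_LABEL + ".com"
    net = DAILY_LABEL + ".net"
    # One, two and three sinkholes answering for the same day's label.
    for responders in ({info}, {info, com}, {info, com, net}):
        counts = sinkhole_counts(600_000, responders)
        print(len(responders), "sinkhole(s):", counts[info], "bots seen on .info,",
              f"expected share {expected_share(responders):.2f}")
```

The .info count drops from the whole botnet to about half and then a third as more sinkholes answer, although the number of infected machines never changed.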
MacMyth: What is the relationship between Apple and the vendors specializing in security software? Dr.Web, for example, alleged that they operate in isolation, contrary to Microsoft, where the contacts are clearly identified.
I am in constant contact with the Security Products group at Apple. Besides, this is what they ask of all security vendors. So things are moving forward for all users.
Frankly, I find them very efficient from the moment they have the right information. They have quality processes that take time, but who can blame them? That said, they did impressive work once they got their hands on Flashback samples.
To give an idea of the difficulty of the task, the latest variant encrypted strings in the code with the UUID of the infected Mac. This binary could not be deciphered unless we had this ID. Likewise, stepping through the binary in a debugging tool does not work either, for the same reason. So the exchange of samples between traditional antivirus vendors is no longer sufficient.
It was also necessary to share the UUID information to analyze the functioning of the many variants produced in a few weeks. Not everyone necessarily helped Apple in recent months, and yet to develop a repair component we must be sure we have all the varieties ... We all work in a hurry, but with very thorough testing procedures. Without our coordinated interventions, this threat would have done much more damage.
MacMyth: How is it that Russian vendors are so cutting-edge in this case? How is it also that the domain name that the vendor Kaspersky found in the Flashback code, and bought to analyze the malware's communications, was available for sale?
Intego does not try to make news on all threats, especially those which have been around, like Flashback in one form or another, for over a year. This does not mean that these threats are not taken into account in defense products. For Flashback, VirusBarrier has always had a head start on the alternatives and has always recognized at least one component of the new variants, which helped block the installation and the communication with the control server. These detections are made from the dynamic behavior of the malware.
As for these domain names that have been purchased, French law is very restrictive. Buying a domain name used by malware may be considered objectionable. In the East, perhaps it is tolerated for the fight against crime?
Flashback uses a different domain name per day, so that infected machines can be reached in case the main control server is unavailable. There is also, as has been written, a process for regaining control via Twitter. The malware looks for instructions on Twitter to see what to do. However it will not query a particular Twitter account (which could be identified and closed), but keywords (hashtags) consisting of sequences of harmless-looking digits.
Kaspersky and Dr.Web (and others since) bought the domain names for several days to see how many connections they got from infected machines, then they used a set of methods for observing the activity of this malware:
- Macs constantly switched on during this test period, with no anti-spyware blocking communications and no filtering by their Internet providers;
- virtual Mac OS X machines, a process used by all antivirus vendors;
- researchers who tested manually or automatically using tools;
- and what is being debated: the presence of Windows machines in these stats. I refute that; there are only Macs. Flashback purposely puts fake Windows User-Agent HTTP headers in its packets.
Anyway, I think their method can only give a trend, not precise infection numbers. And as we are burned by the Flashback servers at each infection, we are obliged to conduct further tests with a new IP address / machine ID pair. How much does that weigh in the Flashback stats? I don't know. If Dr.Web and Kaspersky had given us their raw data, we could have eliminated a lot of false positives from our machines at Intego.
MacMyth: If you step back and look at the malware detected over the past year, were they mostly functional and in operation, or are we still at the stage where their authors are getting to grips with the Mac platform?
They are already very complex and sophisticated; code injection is technically difficult to master. Exploiting Java flaws (and now Word, for OSX/SabPab) is also a difficult exercise.
Ultimately, they have a good knowledge of OS X and adapt very quickly to the barriers placed in their way. In our laboratories we must be very dynamic and work a little more than 35 hours a week to anticipate their attacks ...
From the moment you publish a security alert, accompanied by a range of broad-spectrum generic "vaccines" in our scanners, the Apple community, very reactive, becomes very suspicious. Our users send us their samples detected by the generics; we only have to confirm. That was a step ahead of the malware variants. The authors of this malware have to adapt very quickly or give up.
MacMyth: What are the motivations of the perpetrators of such malware?
We often speak of the opportunity to steal files from a hard drive, but aren't there much more discreet activities, simpler and able to make money quickly? There was talk of this artificial creation of visits to sites in order to make money from those visits.
These gangsters do not do this for fun or for the hacker spirit. There are necessarily several motivations: money that can be obtained by sending the users of infected machines to sites; there is also the ability to have a network of controlled computers to conduct denial-of-service attacks against sites by blocking them, to control the sending of spam from the infected computers, and then of course espionage of personal (or business) information with the aim of monetizing it.