Crisis for Mac

A new Macintosh malware is making the rounds.

For the first half of 2012, we have seen an increase in the number of Mac-based threats: variant OSX.Flashback.K appeared, newly discovered OSX.Sabpab, and OSX.Macontrol with a new variant.

As we begin the second half of 2012, we would like to introduce you to a new instance of Mac malware: OSX.Crisis.

OSX.Crisis is a Trojan that installs a back door on compromised OSX systems. At the time of writing, we are not seeing this threat in the wild. We believe that the infection vector may rely primarily on social engineering to be installed and at this point in time there is no reason to believe there is a vulnerability being used in conjunction with the threat. One possible method of installation is through brand recognition like popular trademarks to compel users to install the malware.

When this back door is installed, it can monitor the following programs:

  • Adium
  • Mozilla Firefox
  • MSN Messenger (for Mac)
  • Skype

Figure 1. Adium monitoring example

Figure 2. Mozilla Firefox monitoring example

Figure 3. Skype monitoring example

Figure 4. Keylogging functionality

The malware can perform the following actions:

  • Record traffic on MSN Messenger (for Mac) and Adium
  • Record Internet usage on Safari or Mozilla Firefox
  • Capture or record Skype sessions
  • Send confidential information to a command-and-control (C&C) server through a back door (176.58.100.3x) and receive commands

It also creates the following directories and files:

  • /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server
  • /System/Library/Frameworks/Foundation.framework/XPCServices/com.apple.mdworker_server.xpc/Contents/Resources/
  • /Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r
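A host-side check for the artifacts listed above, written as an added example for this post (not Symantec's own tooling): it looks for each listed path under a given root, so it can also be run against a mounted disk image, and hashes any file it finds so the sample can be reported. The make_constructed_tree helper only builds a harmless placeholder tree for demonstration.

```python
import hashlib
import os
import tempfile

# Paths the post lists as created by OSX.Crisis on an infected Mac.
CRISIS_PATHS = (
    "/System/Library/Frameworks/Foundation.framework/XPCServices/"
    "com.apple.mdworker_server.xpc/Contents/MacOS/com.apple.mdworker_server",
    "/System/Library/Frameworks/Foundation.framework/XPCServices/"
    "com.apple.mdworker_server.xpc/Contents/Resources/",
    "/Library/ScriptingAdditions/appleHID/Contents/Resources/appleOsax.r",
)


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_crisis_artifacts(root="/"):
    """Check each listed path under root (root lets you scan a mounted image).

    Returns {path: sha256_or_"directory"} for every artifact present; an
    empty dict means none of the listed paths exist under root.
    """
    found = {}
    for p in CRISIS_PATHS:
        candidate = os.path.join(root, p.lstrip("/"))
        if os.path.isdir(candidate):
            found[p] = "directory"
        elif os.path.isfile(candidate):
            found[p] = sha256_of(candidate)
    return found


def make_constructed_tree():
    """Build a throwaway tree holding one placeholder artifact (demo input only)."""
    root = tempfile.mkdtemp(prefix="crisis_demo_")
    fake = os.path.join(root, CRISIS_PATHS[2].lstrip("/"))
    os.makedirs(os.path.dirname(fake))
    with open(fake, "wb") as f:
        f.write(b"constructed placeholder, not malware\n")
    return root


if __name__ == "__main__":
    for path, info in scan_for_crisis_artifacts(make_constructed_tree()).items():
        print(f"FOUND {path} ({info})")
```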

In terms of functionality it appears to be an advanced threat, but because we have not seen the infection vector in the wild at the time of this blog post, its spread is currently low. Symantec has protection in place for OSX.Crisis with Norton 360 Everywhere, Norton One, and Norton Internet Security for Mac. Our Symantec Endpoint Protection and Symantec Endpoint Protection Small Business Edition products also offer the necessary protection. Users of our Norton AV products are encouraged to update their definitions.

Thanks to Intego who shared these samples with us.

Air Traffic Controllers Pick the Wrong Week to Quit Using Radar

LAS VEGAS — It’s a Twilight Zone episode waiting to happen. A commercial pilot at 30,000 feet gets sudden instructions from air traffic control on the ground that another plane is headed his way.

The pilot diverts as directed but then controllers tell him a third plane is now in his path, and then a fourth and fifth. Yet when the pilot looks out his window, he sees nothing in the sky.

This is the kind of spoofing attack that could become possible, according to security researcher Andrei Costin, who spoke at the Black Hat security conference on Wednesday about serious vulnerabilities in a new air traffic control system that is currently being deployed in the U.S. and elsewhere.

The system, known as Automated Dependent Surveillance-Broadcast, or ADS-B, uses radio frequencies for communication between one plane and another and between planes and the ground. It’s already widely used in Australia, where planes are required to be ADS-B compliant by 2013, and is expected to replace radar for air traffic control of commercial planes by 2020.

But according to Costin, a doctoral candidate at Eurecom, a graduate school and research institute in France, ADS-B is marred by serious security vulnerabilities that would make it possible for someone to spoof a plane and inject false messages into the system, leading air traffic controllers to “see” planes where none exist.

The problems with ADS-B are the same ones found in many other types of critical infrastructure systems that lack encryption and authentication of communications. The communication that occurs between planes and ground systems is transmitted in cleartext and doesn't require the source of a transmission to be authenticated, thereby allowing an attacker on the ground to intercept, read and change messages being transmitted, or to inject wholly fake messages into the communication stream that the system accepts as genuine.

An attacker can also conduct a replay attack by intercepting and recording packets from the air, storing them and then continuously replaying them back to the system when he wants, using relatively inexpensive equipment.

“It’s not very hard to mount this [attack],” says Costin. “It’s basically an open opportunity … for any attacker having medium technical knowledge.”

Air traffic controllers facing the sudden and unexpected appearance of planes would still have backup sources to verify the information – they could cross-check flight plans, for example, to see if there’s any record of a plane scheduled to fly on that path. They could also consult backup radar signals. But doing so would consume time and energy in the case of even just a few phantom planes, and would become prohibitively time-consuming in the case of hundreds of such false transmissions, essentially creating what Costin calls a “human resources denial of service.”
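As an added example (not from the talk or the article), the kind of ground-side plausibility checks the paragraph above describes, in Python over a constructed, simplified position-report format rather than real ADS-B encoding: each report is checked against a filed flight plan, against previously received messages (replay), and against the distance an aircraft could have covered since its last accepted report (a spoofed track that jumps). The flight-plan table, the 700 kt limit and the Report fields are assumptions for the demonstration.

```python
import math
from collections import namedtuple

# Constructed, simplified position report. A real ADS-B message carries more
# fields and a different encoding; only what the checks need is kept here.
Report = namedtuple("Report", "t icao callsign lat lon alt")

MAX_PLAUSIBLE_KT = 700  # assumed ceiling for an airliner's ground speed


def great_circle_nm(lat1, lon1, lat2, lon2):
    """Distance in nautical miles between two lat/lon points (haversine)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 3440.1 * 2 * math.asin(math.sqrt(a))


class TrackValidator:
    """Ground-side plausibility checks a controller's system could apply.

    flight_plans: {icao_address: callsign} for aircraft with a filed plan
    (assumed to come from the flight plan database the article mentions).
    """

    def __init__(self, flight_plans):
        self.flight_plans = flight_plans
        self.seen_payloads = set()  # every message body received so far
        self.last = {}  # icao -> last report that passed all checks

    def check(self, r):
        """Return the reasons a report is suspect; [] means it is plausible."""
        reasons = []
        payload = (r.icao, r.callsign, r.lat, r.lon, r.alt)
        if payload in self.seen_payloads:  # a moving aircraft never repeats bit-for-bit
            reasons.append("replay: identical message already received")
        self.seen_payloads.add(payload)
        if self.flight_plans.get(r.icao) != r.callsign:
            reasons.append("no matching flight plan for this address/callsign")
        prev = self.last.get(r.icao)
        if prev is not None and r.t > prev.t:
            nm = great_circle_nm(prev.lat, prev.lon, r.lat, r.lon)
            speed_kt = nm / ((r.t - prev.t) / 3600.0)
            if speed_kt > MAX_PLAUSIBLE_KT:
                reasons.append(f"implausible jump: {speed_kt:.0f} kt since last report")
        if not reasons:
            self.last[r.icao] = r
        return reasons
```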

The Federal Aviation Administration, when asked about the vulnerabilities by Forbes prior to the conference, said that it had “a thorough process in place to identify and mitigate possible risks to ADS-B, such as intentional jamming” and that it “conducts ongoing assessments of ADS-B signal vulnerabilities…. An FAA ADS-B security action plan identified and mitigated risks and monitors the progress of corrective action. These risks are security sensitive and are not publicly available.”