Posted on

Mac malware that went undetected for years spied on everyday users

Enlarge (credit: Tim Malabuyo)

A mysterious piece of malware that gives attackers surreptitious control over webcams, keyboards, and other sensitive resources has been infecting Macs for at least five years. The infections—known to number nearly 400 and possibly much higher—remained undetected until recently and may have been active for almost a decade.

Patrick Wardle, a researcher with security firm Synack, said the malware is a variant of a malicious program that came to light in January after circulating for at least two years. Dubbed Fruitfly by some, both malware samples capture screenshots, keystrokes, webcam images, and information about each infected Mac. Both generations of Fruitfly also collect information about devices connected to the same network. After researchers from security firm Malwarebytes discovered the earlier Fruitfly variant infecting four Macs, Apple updated macOS to automatically detect the malware.

The variant found by Wardle, by contrast, has infected a much larger number of Macs and remained undetected by both macOS and commercial antivirus products. After analyzing the new variant, Wardle was able to decrypt several backup domains that were hardcoded into the malware. To his surprise, the domains remained available. Within two days of registering one of the addresses, close to 400 infected Macs connected to the server, mostly from homes located in the United States. Although Wardle did nothing more than observe the IP address and user names of Macs that connected to his server, he had the ability to use the malware to spy on the users who were unwittingly infected.

Read 6 remaining paragraphs | Comments

Posted on

Mac users installing popular DVD ripper get nasty backdoor instead

(credit: Patrick Wardle)

Hackers compromised a download server for a popular media-encoding software named HandBrake and used it to push stealthy malware that stole victims' password keychains, password vaults, and possibly the master credentials that decrypted them, security researchers said Monday.

Over a four-day period ending Saturday, a download mirror located at download.handbrake.fr delivered a version of the DVD ripping and video conversion software that contained a backdoor known as Proton, HandBrake developers warned over the weekend. At the time that the malware was being distributed to unsuspecting Mac users, none of the 55 most widely used antivirus services detected it. That's according to researcher Patrick Wardle, who reported results here and here from the VirusTotal file-scanning service. When the malicious download was opened, it directed users to enter their Mac administrator password, which was then uploaded in plain text to a server controlled by the attackers. Once installed, the malware sent a variety of sensitive user files to the same server.

In a blog post published Monday morning, Thomas Reed, director of Mac offerings at antivirus provider Malwarebytes, wrote:

Read 5 remaining paragraphs | Comments

Posted on

Buffer overflow exploit can bypass Activation Lock on iPads running iOS 10.1.1

Enlarge / The iPad Air 2 and Mini 4. (credit: Andrew Cunningham)

Apple's Activation Lock feature, introduced in iOS 7 in 2013, deters thieves by associating your iPhone and iPad with your Apple ID. Even if a thief steals your device, puts it into Recovery Mode, and completely resets it, the phone or tablet won't work without the original user's Apple ID and password. This makes stolen iDevices less valuable since they become more difficult to resell, and it has significantly reduced iPhone theft in major cities.

The feature has been difficult to crack, but a new exploit disclosed by Vulnerability Lab security analyst Benjamin Kunz Mejri uses a buffer overflow exploit and some iPad-specific bugs to bypass Activation Lock in iOS 10.1.1.

When you're setting up a freshly-reset iPad with Activation Lock enabled, the first step is to hit "Choose Another Network" when you're asked to connect to Wi-Fi. Select a security type, and then input a very, very long string of characters into both the network name and network password fields (copying and pasting your increasingly long strings of characters can speed this up a bit). These fields were not intended to process overlong strings of characters, and the iPad will gradually slow down and then freeze as the strings become longer. During one of these freezes, rotate the tablet, close its Smart Cover for a moment, and then re-open the cover. The screen will glitch out for a moment before displaying the Home screen for a split second, at which point a well-timed press of the Home button can apparently bypass Activation Lock entirely (but it will have to be extremely well-timed, since the first-time setup screen will pop back up after a second).

Read 2 remaining paragraphs | Comments

Posted on

iPhone hack that threatened emergency 911 system lands teen in jail

Enlarge

Authorities said they arrested an 18-year-old iPhone app developer on charges of felony computer tampering after he unleashed code that threatened to take down emergency 911 systems in a large swath of Arizona and possibly other states.

Meetkumar Hiteshbhai Desai stands accused of publishing Web links that caused iPhones to repeatedly dial 911, according to a release published Thursday by Arizona's Maricopa County Sheriff's Office. On Tuesday night, officials alleged, the 911 system operated by the Surprise, Arizona, police department received more than 100 hang-up calls in a matter of minutes. The volume allegedly put authorities "in immediate danger of losing service to their switches." The emergency systems for the nearby Peoria Police Department and the Maricopa County Sheriff's Office also received a large number of repeated calls. Agencies in California and Texas were also affected, authorities said.

(credit: @meetheindiankid)

The release said the 911-dialing code was hosted on a site with the name "Meet Desai." A link posted on the TheHackSpot YouTube channel and one or more Twitter accounts then encouraged people to click on the link. Authorities said they found evidence it had been clicked 1,849 times. In an e-mail, the operator of the YouTube channel said: "The link does not contain anything harmful, and I am not associated with any type of personal hacking. Just a fun prank that many other big YouTube channels covered as well."

Read 5 remaining paragraphs | Comments