Slashdot Mirror


Hackers Exploit MacKeeper Flaw To Spread OS X Malware

An anonymous reader writes: Controversial OS X 'clean-up utility' MacKeeper is being exploited by cybercriminals to diffuse Mac malware OSX/Agent-ANTU, according to the BAE cyber security unit. A single line of JavaScript on a malicious web page is enough to hand over control of the user's system via MacKeeper. Lead security researcher Sergei Shevchenko said 'attackers might simply be 'spraying' their targets with the phishing emails hoping that some of them will have MacKeeper installed, thus allowing the malware to be delivered to their computers and executed.' The malware enables remote control over commands, uploads and downloads, and the setting of execution permissions, as well as granting access to details of VPN connections, user names, and lists of processes and statuses.

63 comments

  1. BAE caught me slippin... by wardrich86 · · Score: 2

    Slippin' malware into OSX, that is.

  2. Huh? by jomama717 · · Score: 5, Insightful

    I thought MacKeeper was already malware. If you get suckered into installing it in the first place then anything goes.

    --
    while [ 1 ]; do echo -n -e "\xe2\x95\xb$((($RANDOM&1)+1))"; done
    1. Re:Huh? by Penguinisto · · Score: 1, Flamebait

      Exactly.

      Unlike Windows, the *nix-like nature of OSX keeps it pretty damned clean. Aside from the rare "Repair Permissions" run in Disk Utility to fix something that opens funny, you shouldn't have to do anything on a Mac for OS maintenance. Hell, I had a dual G5 PowerMac that ran 10.3 for years on end w/o any kind of OS-level maintenance, yet it never slowed down.

      Stupid Registry BS...

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    2. Re: Huh? by guruevi · · Score: 0

      The problem with Windows is that it auto-installs a lot of viruses or allows the user to install something without prompting for elevated privileges. They then changed it so that everything is asking for elevated privileges so now users just type it in regardless.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re:Huh? by ADRA · · Score: 1

      To be honest, I haven't had to touch the registry since begrudgingly getting Windows 7 for gaming. Even using it for pretty much day to day tasks, there isn't much reason to dig into the registry unless you can't find off the shelf utils to do it for you. Ex. I WOULD use it to make windows look like Windows 2000, but thankfully all of those lovely settings (and lots new code) exposed through Windows Classic Shell. In order to make my ideal desktop functional without having to dig around in obscure systems file settings, I get an out of box experience which is straightforward and expressive enough. Looking waaay back, Windows Power tools would've been a similar example.

      --
      Bye!
    4. Re:Huh? by RyuuzakiTetsuya · · Score: 1

      You're already at +5. I wish there was +6, Jesus I Need a Drink

      --
      Non impediti ratione cogitationus.
    5. Re: Huh? by Anonymous Coward · · Score: 1

      > The problem with Windows is that it auto-installs a lot of viruses

      In what way? And if you say autorun.inf I'll reach through the screen and punch you, this isn't pre-XP SP2.

    6. Re:Huh? by meerling · · Score: 2

      I've worked in the middle of a bunch of IOS techs for years. They have all the problems that windows users have, just with some different names, and a few variations of specifics, this includes malware. The main reason there are so many less infectors is because they are a much smaller priority for the scum making the malware because there are a lot less IOS boxes than there are Windows boxes. They are looking for quantity, whether it's part of a scam to get money, or to score points for destroying someone's data, and targeting IOS is automatically limiting your maximum targets.

      Hate windows all you want, but don't ever mistake obscurity for any kind of real security.

    7. Re:Huh? by phishybongwaters · · Score: 3, Insightful

      Thank you for the first non flaming fanboy post. 100% accurate, we're seeing more mac infections and malware now not because of more exploits, it's because the market share is getting large enough to make them useful targets. This was not the case for some time. This "mac is safer" BS is the same as "linux is safer" no, it's not at all safer. Linux has so many flavors and variations it's not really feasible to blanket attack them. Moreover, most linux users have a better understanding of the OS than windows users (I use all 3, win, ios, linux, lest ye think I'm fanboying) and I'm fairly confident that we can NOT say the same thing about the average Mac user, the AVERAGE (I said average) Mac user is the average windows user with a different skin on the OS, they know not of the things that lie beneath the gui. Most average mac users wouldn't even know their MAC has a BASH terminal built in. We are seeing more ios attacks because they are getting sloppy at the same time they are gaining popularity. I can't go a single day without seeing a Macbook somewhere and I bet you dollars to doughnuts that if I asked them, they would happily tell me how much more secure their Mac is. Mac users have a false sense of security, linux users have a false sense of superiority, and windows users like to click popups to get 100 free emoticons. And I am still LOLing over "you shouldn't have to do anything on a Mac for OS maintenance". That's the exact crap I'm talking about, that's why it's ridiculously expensive to get your Mac cert to.... wait for it..... REPAIR AND MAINTAIN MACS. That's why apple has "geniuses" to help you with your Mac problems, because there are no problems. We've always been at war with Eurasia.

    8. Re:Huh? by NatasRevol · · Score: 1

      not sure if you're talking about Cisco devices or iPhones...

      --
      There are two types of people in the world: Those who crave closure
    9. Re:Huh? by tw2k · · Score: 1

      IOS as in Cisco routers? or iOS as the OS that runs on iPhone & iPad? or OS X which runs on desktops?

    10. Re:Huh? by oldmac31310 · · Score: 1

      IOS boxes? I think you may be talking out your arse.

      --
      http://www.acetonestudio.com
    11. Re:Huh? by Anonymous Coward · · Score: 0

      This. It used to be ok before it got bought up a while back. The promised claims don't pan out and it's just plain annoying.

      IceClean is a much better alternative and uses the UNIX programs baked into OSX to do its job.

    12. Re:Huh? by Penguinisto · · Score: 1

      there isn't much reason to dig into the registry unless you can't find off the shelf util's to do it for you.

      That's the thing... I don't even have to do/use that. No need for CCleaner or any such utility. Sure, OSX has OS-level utilities (see also the old Onyx utility), but nearly all of them are either for performance-tweaking or Hackintoshing, not day-to-day cleanup/maintenance.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    13. Re:Huh? by Penguinisto · · Score: 1

      Err, waitaminute... assuming you're not talking about Cisco IOS, there is no such thing as an "iOS" box from Apple. There is an iOS emulation environment within OSX (comes with XTools), but that's a totally different thing.

      Second, the number of iOS devices out there number in the hundreds of millions - iPhones, iPads, now the iWatch thingy... so, well, what do you mean "a lot less"?

      Also consider that any development box, of any OS brand or type, is going to need periodic cleanups, because the typical developer is banging out code in the thing. This is (depending on the languages used) oftentimes a very messy process, mostly due to the shit-ton of custom/devel libraries, packages, builds that fail spectacularly, and a whole host of other elements that introduce instability.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    14. Re: Huh? by Anonymous Coward · · Score: 1

      That is how I read his post: Windows used to allow the user to install software without notification which spread a lot of viruses and other malware. But Microsoft changed this behavior and now Windows asks for elevated privileges so often and for the most simple things that many users simply started to click 'yes' on every window to get the job done.

    15. Re: Huh? by Anonymous Coward · · Score: 0

      What does Windows have anything to do with this article?

    16. Re:Huh? by Anonymous Coward · · Score: 0

      So you can hose all your personal documents but still have a working computer.

      That's so useful!

      Sorta similar idea: https://xkcd.com/1200/

    17. Re:Huh? by Anonymous Coward · · Score: 0

      There is one difference between the MS (and to a lesser extent Android) versus Linux, OS X, and other platforms. In general, Linux and OS X devs tend not to shit where they sleep. They know that malware will hurt their platform. iOS isn't really an issue because if someone does try to do malware, they get tossed off, and it is a lot harder (and more expensive) to be a dev on that platform than others, especially because Apple controls the app mechanism completely (with only a small door open for devs and enterprises.)

      Because Windows is so popular, there isn't that attitude to keep the cage clean... some feel that they can do what they feel like, because no matter how blackened the platform's name gets due to malware, people will still use it.

    18. Re: Huh? by Anonymous Coward · · Score: 0

      In this thread: People that base all their opinions of Microsoft on 15 year old OS versions or short-lived OS behavior that was fixed quickly.

    19. Re:Huh? by Anonymous Coward · · Score: 0

      No need for CCleaner or any such utility

      The only people that need crap like CCleaner are people that download and install (and never uninstall) every useless utility/app/extension/toolbar on the internet.

      Your entire argument about OSX needing less maintenance than Windows is based on comparing a reasonably savvy user (yourself) to a tech-illiterate running Windows. It is not a legitimate comparison.

    20. Re: Huh? by mjwx · · Score: 1

      The problem with Windows is that it auto-installs a lot of viruses or allows the user to install something without prompting for elevated privileges. They then changed it so that everything is asking for elevated privileges so now users just type it in regardless.

      2001 called, it wants its incorrect argument back.

      For a long time, even pre-SP2 XP malware relied upon social engineering to be installed. Even the dumbest users didn't open an email attachment without a reason in the 90's unless it said something like "Denise Richards naked with hot grits". Social engineering has always been and still remains the number one infection vector for malware and since the mid 2000's it's been the vector for 99% of Windows malware.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    21. Re:Huh? by macs4all · · Score: 1

      I've worked in the middle of a bunch of IOS techs for years. They have all the problems that windows users have, just with some different names, and a few variations of specifics, this includes malware. The main reason there are so many less infectors is because they are a much smaller priority for the scum making the malware because there are a lot less IOS boxes than there are Windows boxes. They are looking for quantity, whether it's part of a scam to get money, or to score points for destroying someone's data, and targeting IOS is automatically limiting your maximum targets. Hate windows all you want, but don't ever mistake obscurity for any kind of real security.

      You are truly an idiot.

      WTF is an "IOS[sic] box"???

      Not even a nice try.

    22. Re:Huh? by Ol+Olsoc · · Score: 1

      I thought MacKeeper was already malware.

      Damn straight - Stay well away from that shit.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    23. Re:Huh? by Anonymous Coward · · Score: 0

      Binary encoded PLists sprinkled around /System/ is about as *nix-like as the windows registry is. ...not to start another systemd war or anything...

  3. You don't say? by Anonymous Coward · · Score: 2, Insightful

    A crapware "product" to "solve" a usually non-existent "problem", most heavily promoted by deceptive pop-ups on porn sites, turns out not to be entirely trustworthy? I'm shocked, shocked, I tell you!

    1. Re:You don't say? by JustAnotherOldGuy · · Score: 1

      I was clutching my pearls so hard that I barely made it to my fainting couch!

      --
      Just cruising through this digital world at 33 1/3 rpm...
  4. MacKeeper itself is malware by Anonymous Coward · · Score: 1

    It tricks people into installing it with sleazy ads, does nothing useful (and often stuff that is harmful) while slowing down the victim's system. I've yet to meet someone running it that wanted it on their computer.

    And now yet another reason to avoid it.

    I wish Apple would revoke their dev certificate so the low-info users could at least be protected from this shit by Gatekeeper.

    1. Re:MacKeeper itself is malware by Anonymous Coward · · Score: 0

      It tricks people into installing it with sleazy ads

      You're gettin' confused dude. It ain't the ads that are sleazy. It's the sites you visit where you see those ads ...

  5. Big deal... by Ecuador · · Score: 1

    If you have the MacKeeper malware on your Mac, it means you are already installing any malware/crapware/virus etc on your system by yourself. This added attack vector is not even needed...

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
  6. Not likely by Anonymous Coward · · Score: 0

    to ever happen to anyone anywhere is this malarkey.

  7. Wait, wait.... by JustAnotherOldGuy · · Score: 1, Troll

    But all the Mac fanbois tell me that Apple products never get viruses....

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Wait, wait.... by MobileTatsu-NJG · · Score: 1

      But all the Mac fanbois tell me that Apple products never get viruses....

      Bet you don't see the irony of that statement.

      --
      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    2. Re:Wait, wait.... by macs4all · · Score: 2

      But all the Mac fanbois tell me that Apple products never get viruses....

      This is a Trojan. Every OS will ultimately allow $StupidUser to defeat $SECURITY_FEATURE to install ANYTHING from ANYBODY from ANYWHERE. But, without going into details, OS X has several redundant features that both make the $StupidUser far less likely to just casually click-install their way into slavery, and to attempt to minimize the damage that can be wrought by $MALICIOUS_CODE.

      Nothing is ever foolproof; but OS X is pretty damned secure; to the point that AV apps are still unnecessary.

    3. Re:Wait, wait.... by Anonymous Coward · · Score: 0

      If Trojans are called viruses on Windows they can be called viruses on OS X.

    4. Re:Wait, wait.... by macs4all · · Score: 2

      If Trojans are called viruses on Windows they can be called viruses on OS X.

      No.

      Windows used to (maybe still does) have examples of true, self-replicating malware. Those are legitimately called "viruses".

      OS X has never had a virus. Only Trojans. BIG difference, since ANY OS that allows the installation of software can fall prey to a USER-INSTALLED Trojan; but only non-secure OSes can support virus propagation.

      Nice try, but repeating an error is not a justification for committing the error in the first place. Or, as my Mom used to say "Two wrongs don't make a right."

    5. Re:Wait, wait.... by Plumpaquatsch · · Score: 1

      Just one recent example: https://news.drweb.com/show/?i=9310&lng=en

      Win32.Rmnet.12 is a complex multi-component file infector, consisting of several modules. This program is capable of self-replication.

      --
      Of course news about a fake are Fake News.
  8. Malware by Anonymous Coward · · Score: 0

    You can spread any type of malware you want with this flaw.

  9. wow, the joke is not really a joke by sribe · · Score: 4, Interesting

    So the first thought I had on reading the title was the predictable joke about MacKeeper being malware. But from reading the article, it sounds to me like MacKeeper installs a custom URL handler, which directs to a process that they installed which parses a command script from the URL and executes it. So, a component which allows any web site to run code outside your browser. That's malware, not in the sarcastic "less-than-useless" sense, but in the literal "actively installs attack vectors" sense.

    1. Re:wow, the joke is not really a joke by gstoddart · · Score: 1

      If it isn't malware, it's massively badly written code by a bunch of idiots.

      Once again, companies take shortcuts, and add in security holes.

      I'm not entirely sure I know anything about MacKeeper, what with me not having used a Mac in a very long time ... but this sounds idiotic.

      --
      Lost at C:>. Found at C.
    2. Re:wow, the joke is not really a joke by Anonymous Coward · · Score: 0

      I'm not entirely sure I know anything about MacKeeper, what with me not having used a Mac in a very long time ... but this sounds idiotic.

      Using AV on OSX is (still) worse than not using it. More worse than usual in this case.
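The URL-handler design sribe describes above (a registered custom URL scheme whose handler parses a command out of the URL and executes it, so any web site can run code outside the browser) is a general class of bug rather than something peculiar to one product. The Python below is an added example written for this page; it is not MacKeeper's code and not taken from the BAE write-up. It models the unsafe pattern next to a hardened handler. The scheme name "example-helper", the actions "show-report" and "open-log", the log directory and the per-session token are all hypothetical.

```python
"""Custom URL-scheme handler: the unsafe pattern beside a hardened one.

Added example modelling the design described in the thread (a registered URL
scheme whose handler runs a command taken from the URL). The scheme name
"example-helper", the action names, the log directory and the token
mechanism are hypothetical; this is not MacKeeper's code or BAE's analysis.
"""
import hmac
import os
import re
import secrets
import subprocess
from urllib.parse import parse_qs, urlencode, urlparse


def unsafe_handle(url: str) -> str:
    """UNSAFE: treats a URL parameter as a shell command line.

    Any page can navigate to a registered scheme (in JavaScript, simply
    window.location = "example-helper://run?cmd=..."), so this hands every
    web site a shell outside the browser.
    """
    query = parse_qs(urlparse(url).query)
    cmd = query.get("cmd", [""])[0]          # attacker-controlled string
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


class HandlerError(ValueError):
    """Raised for every request the hardened handler refuses."""


class UrlHandler:
    """Hardened handler: fixed action vocabulary, validated parameters,
    no shell, and a per-session token that only the app's own pages know."""

    SCHEME = "example-helper"
    ID_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")
    LOG_DIR = "/var/log/example-helper"      # hypothetical location

    def __init__(self) -> None:
        # A custom-scheme navigation carries no verifiable origin, so the
        # token is the only evidence that the request came from a page this
        # app itself opened rather than from an arbitrary site.
        self.token = secrets.token_urlsafe(32)
        self.actions = {
            "show-report": self._show_report,
            "open-log": self._open_log,
        }

    def build_url(self, action: str, **params: str) -> str:
        """What the app embeds in its own pages; carries the session token."""
        return f"{self.SCHEME}://{action}?{urlencode({**params, 'token': self.token})}"

    def handle(self, url: str) -> str:
        u = urlparse(url)
        if u.scheme != self.SCHEME:
            raise HandlerError("wrong scheme")
        q = parse_qs(u.query, keep_blank_values=True)
        if any(len(v) != 1 for v in q.values()):
            raise HandlerError("duplicate parameter")
        supplied = q.pop("token", [""])[0]
        if not hmac.compare_digest(supplied.encode(), self.token.encode()):
            raise HandlerError("missing or bad token")
        action = self.actions.get(u.netloc)  # no generic "run" action exists
        if action is None:
            raise HandlerError(f"unknown action {u.netloc!r}")
        return action({k: v[0] for k, v in q.items()})

    def _show_report(self, params: dict) -> str:
        # exact parameter set and a tight allow-pattern, not a deny-list
        if set(params) != {"id"} or not self.ID_RE.fullmatch(params["id"]):
            raise HandlerError("bad parameters")
        return f"report:{params['id']}"

    def _open_log(self, params: dict) -> str:
        if set(params) != {"name"} or not self.ID_RE.fullmatch(params["name"]):
            raise HandlerError("bad parameters")
        path = os.path.normpath(os.path.join(self.LOG_DIR, params["name"] + ".log"))
        if not path.startswith(self.LOG_DIR + os.sep):   # confine to LOG_DIR
            raise HandlerError("path escapes log directory")
        return f"open:{path}"


def rejects(handler: UrlHandler, url: str) -> bool:
    """True if the hardened handler refuses the URL."""
    try:
        handler.handle(url)
    except HandlerError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the unsafe handler runs whatever the URL carries ...
    print(unsafe_handle("example-helper://run?cmd=echo%20pwned").strip())
    h = UrlHandler()
    # ... while the hardened one only honours app-minted URLs for known actions.
    print(h.handle(h.build_url("show-report", id="abc-1")))
    print(rejects(h, "example-helper://show-report?id=abc-1"))   # no token
    print(rejects(h, h.build_url("run", cmd="echo pwned")))      # no such action
```

The design decisions that matter are that there is no generic "run" action at all, parameters are matched against a tight pattern rather than sanitised, nothing passes through a shell, and, because a custom-scheme navigation arrives with no origin the handler can trust, the handler requires a token that only pages the app itself opened can know.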

  10. Re:Jesus Christ. JavaScript needs to go. by guruevi · · Score: 2

    Why? If you don't like JS, turn it off. JavaScript is an okay scripting language. This is talking about JS interacting with an already installed malware plugin. Of course once your computer has been compromised, you can do whatever you want. You could make it into a clapper (clap on/clap off), not that hard to do.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  11. Thanks, Slashdot! by pLnCrZy · · Score: 1

    Meanwhile, on this very comment page for this very article about how MacKeeper is spreading malware... there are two ads on this page pushed by Slashdot for.... wait for it... MacKeeper.

    1. Re:Thanks, Slashdot! by Dupple · · Score: 1

      Interesting, I'm using a Mac and I see an ad for Azure and another for Catchpoint. Maybe because I'm in the UK

      --
      Watch those corners
    2. Re:Thanks, Slashdot! by phishybongwaters · · Score: 1

      slashdot sells ad space to advertisers like every other webpage out there, they have very little control over the ads, mostly control after the fact once people complain. Bitch all you want, just bitch at the right people. It is, however, ironic. Much like the captchas were

  12. 127.0.0.1 in my host file for MacKeeper.com by Anonymous Coward · · Score: 1

    And I do the same on friends' machines when performing maintenance.

  13. More Micro$oft FUD by Anonymous Coward · · Score: 0

    Macs don't get viruses.

  14. Not a flaw. by Mike+Van+Pelt · · Score: 1

    Working exactly as designed, I suspect.

  15. CRAZY TALK! by fluffernutter · · Score: 1

    Apple just works! Even when badly written by a bunch of idiots!

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:CRAZY TALK! by Anubis+IV · · Score: 2

      The only idiot here is the one who apparently doesn't realize that MacKeeper has as much to do with Apple as Flash has to do with Microsoft.

    2. Re:CRAZY TALK! by jo_ham · · Score: 1

      Apple just works! Even when badly written by a bunch of idiots!

      Pssssst! Mackeeper is not code written by Apple! Keep it under your hat!

      Just thought I should let you know before you make yourself look like a fool.... oh, sorry. I was delayed in traffic. If only I'd made it here sooner!

      Never mind.

    3. Re:CRAZY TALK! by Anonymous Coward · · Score: 0

      Reality distortion field: activated.

      We're seeing a slow backing-away from the ideal:
      - Mac doesn't get viruses.
      - Mac doesn't get viruses if you use trusted software and mainstream web pages.
      - Mac doesn't get viruses if you use Apple software and the Apple website.
      - Mac doesn't get viruses if you don't use it.
      - Mac gets viruses.

      We'd all come off more honest if we just agreed that Mac gets viruses.

      For the nit picky, the second-to-last in that list seems ridiculous, but it isn't. Non-user-initiated infections are possible if it's a bug in the network stack or system services and it requires no user interaction to cause the infection. This is why XP machines get infected within 15 minutes *even if you don't do anything* (and especially if you don't patch it like a rabid maniac jabbing the Windows Update button). You can claim this is impossible on a Mac if you like but I won't believe you.

    4. Re:CRAZY TALK! by Anonymous Coward · · Score: 0

      Speaking of idiots ... nice rant, shame about your own stupid.

    5. Re:CRAZY TALK! by jo_ham · · Score: 2

      Reality distortion field: activated.

      We're seeing a slow backing-away from the ideal:
      - Mac doesn't get viruses.
      - Mac doesn't get viruses if you use trusted software and mainstream web pages.
      - Mac doesn't get viruses if you use Apple software and the Apple website.
      - Mac doesn't get viruses if you don't use it.
      - Mac gets viruses.

      We'd all come off more honest if we just agreed that Mac gets viruses.

      For the nit picky, the second-to-last in that list seems ridiculous, but it isn't. Non-user-initiated infections are possible if it's a bug in the network stack or system services and it requires no user interaction to cause the infection. This is why XP machines get infected within 15 minutes *even if you don't do anything* (and especially if you don't patch it like a rabid maniac jabbing the Windows Update button). You can claim this is impossible on a Mac if you like but I won't believe you.

      What reality distortion field? I'm not sure what part of my comment would result in that, given that I was replying with a factual statement to a comment that seemed to think that Mackeeper was software written by Apple, or that somehow Apple devices were immune to bad code. Or is that just your go to attempt at an insult? Pretty weak either way.

      You're arguing from a position that does not really exist - the whole "Macs don't get viruses" thing (let's ignore that this is a trojan and not a virus, but whatever) hasn't been the current talking point officially or otherwise for a very long time, and it was never actually Apple's official advertising (because it wasn't literally true - they talked a lot about how it was more secure than Windows but never said immune).

      What Apple bashers like to keep stating is that that's what they believe Apple fans are all saying, when it really isn't. OS X is as secure as any Unix system - that is, pretty good, but not immune.

      What we have here is a trojan, which is a problem common to all operating systems that run on computers. But of course, that doesn't fit the narrative you're trying to push.

      No one is claiming that infections are "impossible" on a Mac - but you can claim that that's what Apple fans are claiming if you like.

      For the record, there aren't any actual viruses for OS X in the wild. DISCLAIMER: THIS DOES NOT MEAN I THINK OS X IS IMMUNE /END DISCLAIMER, but there are plenty of trojans and other malware. The Microsoft Office trojan torrent being one of the most famous. I'm surprised you haven't heard of it. A torrent that claimed to be a pirate copy of Office that was a trojan. Got a lot of people that one.

      So, from what I can see, you're the only one claiming that people are claiming that Macs don't get viruses. Perhaps this is the source of your confusion.

    6. Re:CRAZY TALK! by Anonymous Coward · · Score: 0

      Mac gets viruses.

      OK, name just one real world virus (not a trojan such as this) that has infected OSX?

  16. dem haxx0rz are h1pst3rs nao by Anonymous Coward · · Score: 0

    usin maxxb00xx

  17. Has slashdot come to this .. by Anonymous Coward · · Score: 0

    How did it come to this, that a once great tech mag is reduced to spamming the Internet with slashvertisements for the MICROS~1 corporation. Currently on the main page: 11 mentions of Windows and 05 mentions of Microsoft.

  18. Macs. by Anonymous Coward · · Score: 0

    And because 99.999% of mac users are complete morons who think simply running the OS makes them immune to all hacking this is going to be extra effective. Good job, crapple marketing team. You've raised a whole generation of users who are completely unprepared for what's coming.

    1. Re:Macs. by macs4all · · Score: 2

      And because 99.999% of mac users are complete morons who think simply running the OS makes them immune to all hacking this is going to be extra effective. Good job, crapple marketing team. You've raised a whole generation of users who are completely unprepared for what's coming.

      No.

      Most of the people who are swelling the Mac's marketshare are coming from Windows; and a good percentage of them can't even imagine a platform essentially without malware, and so they INSIST on running AV.

      Plus, OS X has some (very) basic AV capabilities of its own, too.