Slashdot Mirror


Scareware Signed With Apple Cert Targets OS X Machines (threatpost.com)

msm1267 writes: A unique scareware campaign targeting Mac OS X machines has been discovered, and it's likely the developer behind the malware has been at it a while since the installer that drops the scareware is signed with a legitimate Apple developer certificate.

"Sadly, this particular developer certificate (assigned to a Maksim Noskov) has been used for probably two years in similar attacks," said Johannes Ullrich, dean of research of the SANS Institute's Internet Storm Center, which on Thursday publicly disclosed the campaign. "So far, it apparently hasn't been revoked by Apple."

39 comments

  1. Flash again. by ColdWetDog · · Score: 2

    Turns out that it does install an updated version of Flash. Now that is scareware.

    --
    Faster! Faster! Faster would be better!
    1. Re:Flash again. by Anonymous Coward · · Score: 0

      Huh? Isn't that a good thing? Outdated versions of Flash are a primary avenue for malware to infect computers. Anything that updates it to a newer, less bug ridden version is an improvement. The only better thing would be something that removes it completely.

    2. Re:Flash again. by Anonymous Coward · · Score: 0

      a newer, less bug ridden version.

      Unfortunately, there is no such thing. Adobe is so completely incompetent that no amount of patching and updating ever results in a version of Flash that isn't a massive piece of shit.

    3. Re:Flash again. by JustAnotherOldGuy · · Score: 3, Funny

      Turns out that it does install an updated version of Flash. Now that is scareware.

      Holy shit, couldn't they just irreversibly encrypt all my files and delete the backups? I'd take that over a Flash infection any day.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    4. Re:Flash again. by JustAnotherOldGuy · · Score: 2

      Outdated versions of Flash are a primary avenue for malware to infect computers.

      Here, you made a typo...let me fix that for you....

      "All versions of Flash are a primary avenue for malware to infect computers."

      --
      Just cruising through this digital world at 33 1/3 rpm...
    5. Re:Flash again. by Anonymous Coward · · Score: 0

      I don't install Flash in Safari. Only allow Flash to run in Chrome. It's a little bit safer and Flash runs like crap anyway in Safari 9 El Capitan.

    6. Re:Flash again. by Zontar+The+Mindless · · Score: 1

      Hi there, APK!

      Still butthurt over getting all your excess punctuation filtered out?

      --
      Il n'y a pas de Planet B.
    7. Re:Flash again. by Zontar+The+Mindless · · Score: 1

      Definitely APK. Lo, how the mighty have fallen!

      --
      Il n'y a pas de Planet B.
  2. Revoke it by Anonymous Coward · · Score: 1

    So far, it apparently hasn't been revoked by Apple.

    Why the fuck not? It's not like this Maksim guy has legit software sitting on millions of Macs and revoking his cert would cause massive headaches for anyone. There's no excuse to let a known compromised certificate remain active for 2 years.

    1. Re:Revoke it by Anonymous Coward · · Score: 0

      Which tells you just how completely worthless certificates are.

    2. Re:Revoke it by bloodhawk · · Score: 2

      Which tells you just how completely worthless certificates are.

      No, it tells you how worthless Apple are. This is not a certificate failing, it is a management failing. Certificates themselves have all sorts of issues, but this is purely an Apple problem.

    3. Re:Revoke it by tlhIngan · · Score: 1

      No, it tells you how worthless Apple are. This is not a certificate failing, it is a management failing. Certificates themselves have all sorts of issues, but this is purely an Apple problem.

      And Apple probably wants proof that it is malware. The whole reason for the certificates is so developers don't have to go through the Apple Mac App Store review - for whatever reason. Which can include shady but perfectly legal apps. Apple may reject it in the MAS, but they probably want extraordinary proof that the app is malicious over just revoking the certificate because they're not supposed to be reviewing signed apps. Otherwise it turns into a Mac App Store review by proxy.

      It's likely this developer is smart and only infects a small subset of Macs so Apple doesn't have a sufficiently big sample to verify that it's bad.

      There has to be a balance - and the design of gatekeeper is such that developers don't have to have their apps approved by Apple for whatever reason, but at the same time, Apple should take great care in which certificates they revoke.

    4. Re: Revoke it by Anonymous Coward · · Score: 1

      Except that Apple has been rejecting apps in the app store and delaying apps for simply competing against their apps.

      So something clearly isn't right here. They have enough resources to screw over legitimate developers, but not to verify this crap?

    5. Re:Revoke it by Anonymous Coward · · Score: 0

      If you are providing signing certs then the onus is on you to manage that process. Apple should at a minimum require all signed apps to be submitted so they can be checked if they need to. This is most definitely an Apple management problem, issuing signing certs with no overarching control is a complete failure.

    6. Re:Revoke it by tnk1 · · Score: 2

      I agree that they may not immediately suspend/revoke it, but they should have opened an investigation. And in *two whole years*, they should have been able to establish that it was validating malware. That by itself should have been enough to revoke a developer cert, even if he also signed legit software with it too.

      OR (if the cert was somehow compromised) they could have issued a new cert to the developer for his legit software and cancelled the old one. The developer would need to let everyone know to upgrade to the newest version, but that's his problem since he got his certificate pinched.

    7. Re:Revoke it by jrumney · · Score: 1

      You mistakenly believe that signed software is promoted by the large software companies for reasons of security. It is not, it is so they can act as gatekeepers and extract a tithe from the peasantry.

    8. Re:Revoke it by Jeremi · · Score: 1

      And in *two whole years*, they should have been able to establish that it was validating malware.

      Is the app in question actually malware, according to Apple's definition of the term?

      Or to put it another way, how evil does an application have to be before it should be labelled as malware? Is there a formal policy on this posted anywhere?

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    9. Re:Revoke it by Dutch+Gun · · Score: 2

      Signing software prevents it from being surreptitiously tampered with by a third party. Other platforms do not require you to purchase a developer certificate from them - this is specific to Apple and its walled garden (or other closed stores and platforms). Don't conflate whatever issues you have with closed ecosystems and the security benefits of signed software in general! That's as flawed as blaming encryption because bad actors might use it to avoid being snooped on by law enforcement.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    10. Re: Revoke it by tlhIngan · · Score: 1

      Except that Apple has been rejecting apps in the app store and delaying apps for simply competing against their apps.

      So something clearly isn't right here. They have enough resources to screw over legitimate developers, but not to verify this crap?

      That's only for developers who submit apps through the app store. Using the signed certificate means you don't have to get your app approved, and you can do whatever the heck you want. It's why it exists - it allows for apps to be developed outside of Apple's reviews.

      Apple could revoke the certificate, but they shouldn't use it as a way to impose an app store review by proxy.

      And this app isn't distributed through the app store - it's distributed by the developer - Apple doesn't enforce that developers who buy a cert actually use some sort of store or other mechanism to distribute their software. A developer buys a certificate and is free to sign whatever the hell they want and distribute it the way they want.

      So no, Apple can't review the app if it doesn't attract their attention.

    11. Re:Revoke it by tlhIngan · · Score: 1

      I agree that they may not immediately suspend/revoke it, but they should have opened an investigation. And in *two whole years*, they should have been able to establish that it was validating malware. That by itself should have been enough to revoke a developer cert, even if he also signed legit software with it too.

      So the developer has written malware for two years. How many times has Apple run across it? None? Just because an app's been signed for two years and does bad things doesn't mean it's even on Apple's radar. Perhaps it only tickled security researchers' Macs and Apple hasn't run across it in the wild.

      These certificates are used to sign apps for the developer to distribute in some way. They could be open-source apps or commercial apps; they could be sold in stores or given away for free online. Apple doesn't get a copy of every app signed with every certificate, so there are plenty of apps Apple doesn't know about. Heck, there are probably thousands of Mac apps that users use all the time that Apple doesn't know about.

    12. Re:Revoke it by angel'o'sphere · · Score: 1

      You are not forced to sign Apps on Macs either.

      My Apps run quite fine without signing. I only cannot sell them via the App-Store, which I could not anyway as my Apps are all written in Java.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  3. Now? Argh.... by Anonymous Coward · · Score: 0

    So? Did they arrest him or not?? I just wanna know if he is a dead guy or a cool guy, since he has a beard now.

    Hey, did you know that it is easy to find drug smugglers in the UK? :D

  4. Local revocation? by HTH+NE1 · · Score: 1

    If Apple doesn't revoke it, shouldn't it be possible to configure individual machines to revoke such certificates once they're known? Or is that secured against lest someone start putting out malware that installs local revocations of others' certificates, such as one's competitors or anti-malware developers' certificates?

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    1. Re:Local revocation? by Anonymous Coward · · Score: 0

      Yes, you can disable any certificate through Keychain. You probably have to install the certificate before you can disable it, though.

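The local check the question above asks about, as an added example that is not part of the thread: a small POSIX shell helper that reads the `Authority=` lines printed by macOS `codesign -dv --verbose=4` and flags a leaf signer that sits on a locally maintained blocklist. The blocklist entries and the sample output are constructed placeholders, and `check_app` only works on a Mac where `codesign` exists.

```shell
#!/bin/sh
# Added example, not from the thread. Local "revocation" by policy: compare the
# leaf signing identity of an app against a blocklist kept on this machine.
# Entries below are constructed placeholders, not real developer identities.
BLOCKLIST="Developer ID Application: Example Shady Dev (PLACEHOLDER1)
Developer ID Application: Another Blocked Dev (PLACEHOLDER2)"

# Read `codesign -dv --verbose=4` output on stdin and print the leaf signer,
# i.e. the first Authority= line (the chain is printed leaf first, root last).
signer_of() {
    sed -n 's/^Authority=//p' | head -n 1
}

# Exit 0 when the given signer string is an exact line of BLOCKLIST, 1 otherwise.
is_blocked() {
    printf '%s\n' "$BLOCKLIST" | grep -Fxq -- "$1"
}

# Assess one bundle. codesign writes its verbose output to stderr, hence 2>&1.
# Exit codes: 0 = blocked signer, 1 = not on blocklist, 2 = unsigned/unreadable.
check_app() {
    signer=$(codesign -dv --verbose=4 "$1" 2>&1 | signer_of)
    if [ -z "$signer" ]; then
        echo "unsigned or unreadable: $1"
        return 2
    fi
    if is_blocked "$signer"; then
        echo "BLOCKED signer: $signer ($1)"
        return 0
    fi
    echo "signer not on local blocklist: $signer ($1)"
    return 1
}

# Usage on a Mac: check_app /path/to/Installer.app
```

Note that this only inspects the identity string; it does not replace Gatekeeper's own signature validation, and a blocklist by name must be kept current by whoever maintains the machine.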
  5. Block all adverts... by Lumpy · · Score: 5, Insightful

    Use a good browser plugin or some good backend rules, but block every single advert out there. That stops the "OHHH YOU GOTTA INSTALL THIS" vector that fools clueless visitors into downloading and running the trojan.

    Good people install adblocking on every single computer they touch. Bad people allow ads from websites.

    Dear web admins.... WAHH. If you can't vet and host your ads yourself to make sure they are safe, you don't DESERVE your ads to make it through.

    --
    Do not look at laser with remaining good eye.
  6. friend's computer hit by this by lkcl · · Score: 5, Interesting

    i have a friend who called me to say that their computer had had the default browser search settings changed to some adware. so i checked the instructions on how to remove it, only to find that the settings shown in the screen-shots *weren't there*. turns out, from inspection of the timestamps on the filesystem, that the phishing-malware had *replaced* legitimate system libraries, which enabled them to disguise the malware and prevent its own removal. it was necessary for us to go round some friends' houses, drop the macbook into single-user mode and copy over replacement files from an identical copy of macosx.

    now, this is the first time i've ever dealt with macosx viruses, but i was surprised that it was so easy for my non-technical friend to be fooled by a phishing attempt which scared her with the "you have 2,500 viruses do you want us to fix it?" tactic. as a purely software-libre end-user for the past 20 years, all i can say is, "welcome to the monoculture world, apple. your false sense of security myth is well and truly over, and you have a hell of a lot of catching up to do".

    1. Re:friend's computer hit by this by Anonymous Coward · · Score: 1

      Not a virus; trojan horse.

    2. Re:friend's computer hit by this by Anonymous Coward · · Score: 0

      For some reason I read your malware removal technique as "it was necessary to go round some friend's house, drop the macbook off the single story balcony and copy over replacement files from an identical copy of OSX" lol.

      On topic though, people should be on guard for malware no matter what their operating system is.

    3. Re:friend's computer hit by this by Bongo · · Score: 1

      Either zero the drive or drop it off a balcony. There is no third option.

    4. Re: friend's computer hit by this by Anonymous Coward · · Score: 0

      How is this Apple's fault?

    5. Re: friend's computer hit by this by Anonymous Coward · · Score: 0

      This again? Their advertisements had constantly spewed that they don't get any sort of bad malware.

    6. Re:friend's computer hit by this by Anonymous Coward · · Score: 1

      El Capitan does not allow replacement of system libraries at all, even with root access; was your friend running an older OS X?

    7. Re: friend's computer hit by this by Anonymous Coward · · Score: 0

      What? Fanboys brag about not having viruses/malware. Apple as a company doesn't pride itself on that. It prides itself on being easy to use.

  7. Apples! by Anonymous Coward · · Score: 0

    Modern Apple Applers know that only Apple can Apple Apples, so it's their own fault for using LUDDITE certificates!

    Apples!

  8. I say this NOT as an Apple fan by hyades1 · · Score: 1

    Perhaps I've missed some items that would give me a different opinion, but it seems to me that the ubiquitous "Timothy" loves stories that screw Apple almost as much as he loves stories alleging Windows 10 isn't as much of a privacy nightmare as sensible people know it is.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  9. Sans by Anonymous Coward · · Score: 0

    You're gonna have a bad time!

  10. "Reported" two days ago by Anonymous Coward · · Score: 0

    As TFA notes, it was "reported" by the security researcher two days ago - and the link goes to the researcher's blog where he discusses it but doesn't mention actually reporting it to Apple (which isn't to say he didn't, but we don't know). So Apple may have had two days to investigate this threat, or zero days to investigate this threat.

    TFA also claims this cert has been used for malware for two years, but shows us no evidence of that (the evidence on the researcher's blog is that this malware has been around three weeks).