Slashdot Mirror

← Back to Stories (view on slashdot.org)

Scareware Signed With Apple Cert Targets OS X Machines (threatpost.com)

Posted by yaelk on from the scareware-attack dept.

msm1267 writes: A unique scareware campaign targeting Mac OS X machines has been discovered, and it's likely the developer behind the malware has been at it a while since the installer that drops the scareware is signed with a legitimate Apple developer certificate.

"Sadly, this particular developer certificate (assigned to a Maksim Noskov) has been used for probably two years in similar attacks," said Johannes Ullrich, dean of research of the SANS Institute's Internet Storm Center, which on Thursday publicly disclosed the campaign. "So far, it apparently hasn't been revoked by Apple."

8 of 39 comments (clear)

  1. Flash again. by ColdWetDog · · Score: 2

    Turns out that it does install an updated version of Flash. Now that is scareware.

    --
    Faster! Faster! Faster would be better!
    1. Re:Flash again. by JustAnotherOldGuy · · Score: 3, Funny

      Turns out that it does install an updated version of Flash. Now that is scareware.

      Holy shit, couldn't they just irreversibly encrypt all my files and delete the backups? I'd take that over a Flash infection any day.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:Flash again. by JustAnotherOldGuy · · Score: 2

      Outdated versions of Flash are a primary avenue for malware to infect computers.

      Here, you made a typo...let me fix that for you....

      "All versions of Flash are a primary avenue for malware to infect computers."

      --
      Just cruising through this digital world at 33 1/3 rpm...
  2. Re:Revoke it by bloodhawk · · Score: 2

    Which tells you just how completely worthless certificates are.

    No, it tells you how worthless Apple are. This is not a certificate failing, it is a management failing. Certificates themselves have all sorts of issues, but this is purely an Apple problem.

  3. Block all adverts... by Lumpy · · Score: 5, Insightful

    Use a good browser plugin or some good backend rules, but block every single advert out there. That stops the "OHHH YOU GOTTA INSTALL THIS" vector that fools clueless visitors into downloading and running the trojan.

    Good people install adblocking on every single computer they touch. Bad people allow ad's from websites.

    Dear web admins.... WAHH. If you cant vet and host your ads yourself to make sure they are safe, you dont DESERVE your ad's to make it through.

    --
    Do not look at laser with remaining good eye.
  4. Re:Revoke it by tnk1 · · Score: 2

    I agree that they may not immediately suspend/revoke it immediately, but they should have opened an investigation. And in *two whole years*, they should have been able to establish that it was validating malware. That by itself should have been enough to revoke a developer cert, even if he also signed legit software too with it too.

    OR (if the cert was somehow compromised) they could have issued a new cert to the developer for his legit software and cancelled the old one. The developer would need to let everyone know to upgrade to the newest version, but that's his problem since he got his certificate pinched.

  5. friend's computer hit by this by lkcl · · Score: 5, Interesting

    i have a friend who called me to say that their computer had had the default browser search settings changed to some adware. so i checked the instructions on how to remove it, only to find that the settings shown in the screen-shots *weren't there*. turns out that inspection of the timestamps on the filesystem, the phishing-malware had *replaced* legitimate system libraries, which enabled them to disguise the malware and prevent its own removal. it was necessary for us to go round some friend's houses, drop the macbook into single-user mode and copy over replacement files from an identical copy of macosx.

    now, this is the first time i've ever dealt with macosx viruses, but i was surprised that it was so easy for my non-technical friend to be fooled by a phishing attempt which scared her with the "you have 2,500 viruses do you want us to fix it?" tactic. as a purely software-libre end-user for the past 20 years, all i can say is, "welcome to the monoculture world, apple. your false sense of security myth is well and truly over, and you have a hell of a lot of catching up to do".

  6. Re:Revoke it by Dutch+Gun · · Score: 2

    Signing software prevents it from being surreptitiously tampered with by a third party. Other platforms do not require you to purchase a developer certificate from them - this is specific to Apple and it's walled garden (or other closed stores and platforms). Don't conflate whatever issues you have with closed ecosystems and the security benefits of signed software in general! That's as flawed as blaming encryption because bad actors might use it to avoid being snooped on by law enforcement.

    --
    Irony: Agile development has too much intertia to be abandoned now.