Slashdot Mirror


Malwarebytes Discovers 'First Mac Malware of 2017' (securityweek.com)

wiredmikey writes: Security researchers have uncovered a Mac OS-based espionage malware they have named "Quimitchin." The malware is what they consider to be "the first Mac malware of 2017," which appears to be a classic espionage tool. While it has some old code and appears to have existed undetected for some time, it works. It was discovered when an IT admin noticed unusual traffic coming from a particular Mac, and has been seen infecting Macs at biomedical facilities. From SecurityWeek.com: "Quimitchin comprises just two files: a .plist file that simply keeps the .client running at all times, and the .client file containing the payload. The latter is a 'minified and obfuscated' perl script that is more novel in design. It combines three components, Thomas Reed, director of Mac offerings at Malwarebytes and author of the blog post told SecurityWeek: 'a Mac binary, another perl script and a Java class tacked on at the end in the __DATA__ section of the main perl script. The script extracts these, writes them to /tmp/ and executes them.' Its primary purpose seems to be screen captures and webcam access, making it a classic espionage tool. Somewhat surprisingly the code uses antique system calls. 'These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days,' he wrote in the blog post. 'In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.' The script also contains Linux shell commands. Running the malware on a Linux machine, Malwarebytes 'found that -- with the exception of the Mach-O binary -- everything ran just fine.' It is possible that there is a specific Linux variant of the malware in existence -- but the researchers have not been able to find one. It did find two Windows executable files, courtesy of VirusTotal, that communicated with the same C&C server. One of them even used the same libjpeg library, which hasn't been updated since 1998, as that used by Quimitchin."
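As an added example (not code from the article, from Malwarebytes, or from any commenter), here is a small Python checker for the persistence layout the summary describes: a .plist whose only job is to keep a hidden `.client` file running, and a payload that is a perl script carrying extra material after `__DATA__`. The sample plist and .client contents are constructed here; treating the .plist as a LaunchAgent, and the directory name passed to the scanner, are assumptions.

```python
import plistlib
import re
from pathlib import Path
# Constructed sample LaunchAgent plist modelled on the reported layout: it exists only to keep a hidden ".client" running (label and path are made up).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.client</string>
<key>ProgramArguments</key><array><string>/Users/alice/.client</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>
"""

# Constructed stand-in for .client: a perl script with material after __DATA__ (a placeholder blob, not a real payload).
SAMPLE_CLIENT = b"#!/usr/bin/perl\nuse strict;my $d=join('',<DATA>);\n__DATA__\n\x00placeholder\n"

def plist_findings(plist_bytes: bytes) -> list[str]:
    """Heuristic findings for one LaunchAgent/LaunchDaemon plist."""
    findings = []
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments") or []
    prog = d.get("Program") or (args[0] if args else "")
    name = Path(prog).name
    if name.startswith("."):
        findings.append(f"program is a hidden dotfile: {prog}")
    if name == ".client":
        findings.append("program named .client (matches the reported Quimitchin layout)")
    if d.get("KeepAlive") and d.get("RunAtLoad"):
        findings.append("KeepAlive+RunAtLoad: process is kept running at all times")
    return findings

def payload_findings(data: bytes) -> list[str]:
    """Heuristic findings for the file a suspicious plist points at."""
    findings = []
    first_line = data.split(b"\n", 1)[0]
    if first_line.startswith(b"#!") and b"perl" in first_line:
        findings.append("perl script")
        if re.search(rb"^__DATA__\r?$", data, re.M):
            findings.append("__DATA__ section present: script carries embedded files")
    return findings

def scan_launch_agents(directory: Path) -> dict[str, list[str]]:
    """Report every *.plist under directory that trips a heuristic (e.g. ~/Library/LaunchAgents)."""
    report = {}
    for p in sorted(directory.glob("*.plist")):
        f = plist_findings(p.read_bytes())
        if f:
            report[str(p)] = f
    return report
```

These are triage heuristics only: a hidden program path or a KeepAlive agent is worth a look, not proof of infection.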

12 of 60 comments

  1. Quim Itchin' by Zaelath · · Score: 3, Insightful

    Seriously?

  2. Mac OS based espionage malware by khz6955 · · Score: 2, Informative

    'Security researchers have uncovered a Mac OS-based espionage malware they have named "Quimitchin." .. an IT admin noticed unusual traffic coming from a particular Mac, and has been seen infecting Macs at biomedical facilities.'

    How exactly does the malware get onto the Mac without the end user downloading and installing the malware and providing it with the admin password?

    1. Re:Mac OS based espionage malware by Anonymous Coward · · Score: 2, Informative

      From TFA, it apparently runs in userspace, not as root.

    2. Re:Mac OS based espionage malware by ahabswhale · · Score: 3, Informative

      It doesn't. Someone has to authorize it with the admin password.

      --
      Are agnostics skeptical of unicorns too?
    3. Re:Mac OS based espionage malware by Gadget_Guy · · Score: 2

      It doesn't. Someone has to authorize it with the admin password.

      Is this based on anything, or are you just guessing? If you read the comment section of the article someone asked how it spread, and "Does running as a standard user as opposed to an admin account prevent its installation?"

      To which the malwarebytes.com blogger said:

      We still don't know how it gets installed. All samples so far have been observed installed in user space, so running in a standard user account will not protect against this.

      That seems to contradict what you have claimed.

    4. Re:Mac OS based espionage malware by tlambert · · Score: 4, Insightful

      It doesn't. Someone has to authorize it with the admin password.

      Is this based on anything, or are you just guessing?

      The article makes it clear that in order to extract and run the malware, you have to extract and install other malware named "Java".

      This "Java" is apparently malware developed by a large database company in order to install security holes in otherwise secure computers, and is so named to trick tired programmers into believing that they are installing coffee.

    5. Re:Mac OS based espionage malware by TheRaven64 · · Score: 3, Informative

      It's also probably difficult to get a user to accidentally install it. Java used to be installed by default on MacOS X, then there was a thing where, on first use, it would prompt the user and ask them if they wanted it. Now there's a thing saying 'you need Java to do this, go to this web page and download and install it, then try again'. Most casual users will say 'that looks hard, I can't be bothered'.

      --
      I am TheRaven on Soylent News
  3. antique system calls by phantomfive · · Score: 3, Informative

    This 'security researcher' may be surprised to find that most of the software he uses on a Mac calls some 'antique system calls' that existed before OSX.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:antique system calls by mmell · · Score: 3, Interesting

      Correct me if I'm wrong - aren't most system calls antique, in the sense that they weren't invented recently? The aforementioned system calls may or may not have recently been updated, but if developers have done their job correctly the intended functions continue to work exactly as they did before, given valid inputs. As an example, I'm pretty sure gethostbyname() is still in there. It's almost certainly been updated over the years, but it's still called the same way and returns the same thing.

  4. Obfuscated perl script by Anonymous Coward · · Score: 3, Funny

    Brought to you by the department of redundancy department.

  5. Re:Executable /tmp? by phantomfive · · Score: 2

    Yes, OSX has an executable /tmp by default.
    I just checked.

    --
    "First they came for the slanderers and i said nothing."
  6. Re:Yawn, I should be a security researcher by Gadget_Guy · · Score: 3, Interesting

    Are you seriously trying to claim that he is some sort of alarmist? From the link that you provided, it concludes:

    Adwind is, overall, a fairly weak effort on the Mac.

    And where did the blogger claim the perpetrator of this malware was the boogeyman-du-jour? All I could find was things like:

    Although there is no evidence at this point linking this malware to a specific group, the fact that it's been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage.

    This could also signify that the hackers behind it really don't know the Mac very well and were relying on old documentation.

    That doesn't paint the picture of an uber-hacker! At no point was it claimed that this was going to affect us all. In fact, it was said that this has already been fixed by Apple:

    Apple calls this malware Fruitfly and has released an update that will be automatically downloaded behind the scenes to protect against future infections.

    If he is trying to "get some limelight" then aren't you also doing the same thing by posting here? Just talking about something is not the same as getting some limelight. This was just another post about the latest malware to be investigated by them. At no point was it hyped as anything new. It discussed the parts of the malware that seemed to be ancient code, as well as the parts that were new. However, I will admit that the headline of "the first Mac malware of 2017" is pretty inflammatory considering that it seems to have been deployed for a while. I think it would have been better said as the first malware of 2017 that he had looked at.