Newly Discovered Mac Malware Captures and Stores Screenshots

rderewianko
Valued Contributor II

New Mac spyware was discovered earlier this week on a computer at the Oslo Freedom Forum, an annual human rights conference. Located by computer security researcher Jacob Appelbaum, the malware, which has been deemed OSX/KitM.A, is currently being investigated by anti-virus company F-Secure, reports CNET.

The malware is a backdoor application called "macs.app," which launches automatically upon login and captures screenshots that it then sends to a MacApp folder in the user's home directory. Two command-and-control servers, located at securitytable.org and docsforum.info, are associated with the malware, but one does not function and the other gives a "public access forbidden" message.

http://www.macrumors.com/2013/05/16/newly-discovered-mac-malware-captures-and-stores-screenshots/


mm2270
Legendary Contributor III

So did you read the whole article? 'Cause this thing doesn't sound much like malware to me. It's more like a joke. It makes no attempt to hide itself, complete with creating a visible folder in the user's home folder with the screenshots? Like, really?
Sounds pretty amateurish to me. I don't write malware nor would I ever and I'm pretty certain I could write up something that would be much harder to detect than this. :)

File this one in the 'not concerned' bucket.

rderewianko
Valued Contributor II

Yes, I did read the article. However still felt it was worth sharing.

franton
Valued Contributor III

It'll be in Xprotect by tomorrow, assuming it's a real threat.

dpertschi
Valued Contributor

I'd like to think this is something Xprotect would quickly address, but if we wanted to take action faster, I imagine adding a Restricted Software Process 'macs.app', checking all the boxes and maybe messaging the user to cover their camera and call IT, yes?

I don't use the feature, but for argument's sake, with the info provided in that link, we don't know what the process name would be, but is macs.app the best guess?

CasperSally
Valued Contributor II

Sophos will be detecting for Macs.app in the next update due in a few hours.

mm2270
Legendary Contributor III

Just a heads up to anyone looking to set up a Restricted Software item for this. Be careful. 'macs.app' is a pretty generic name and in our environment, because of how overzealous Restricted Software is in its regex matching, it accidentally caught and removed emacs.app and aquamacs.app, editors that some of our technical users use.
It wasn't a huge deal since it only applies to a small segment of our Mac users, and we stopped it shortly after someone reported their emacs.app disappearing (whoops!), but thought I'd mention it in case anyone would be in a similar situation.

I should also mention that on a whim we discovered a way to keep the Restricted Software item and also exclude those other apps from getting caught by it. Apparently the way it matches, it sees a full path to the app, something like /Applications/macs.app. So, in our Restricted Software item for this we entered "/macs.app", yes, WITH the leading slash. That prevents it from seeing anything like /path/to/emacs.app or /path/to/aquamacs.app since the regex of "/macs.app" doesn't exist for those. I just confirmed this in testing with a mock app named macs.app run from my Desktop. It stops that but will allow anything else with "macs" in it to run as long as "macs" doesn't come right after a slash path delimiter. Thought that might be a useful tidbit for anyone looking to do something similar.

JPDyson
Valued Contributor

Where the heck is the "Like" button? Mike, that's a great find.

mm2270
Legendary Contributor III

@JPDyson, thanks! I thought that was pretty interesting too. I honestly didn't know that it would work, so it was a pleasant surprise.

I immediately thought back to the case of folks needing to block Tor.app and getting Automator.app being blocked by accident. I guess this trick would help in that case. :)
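The two collisions mm2270 describes above (a 'macs.app' item removing emacs.app and aquamacs.app, and a 'Tor.app' item catching Automator.app) are both the same mechanism: the process name is applied as an unanchored pattern against the full path, so any path that merely contains the string is hit. The following is an added example, not code from this thread or from Jamf, that simulates that matching so you can check a pattern against a list of legitimate app paths before pushing a Restricted Software item out. It assumes the matcher behaves as the posts describe, namely a case-insensitive regex search over the full process path (case-insensitive is an assumption, chosen because 'Tor.app' catching 'Automator.app' requires it); the sample paths are constructed, and '/Applications/macs.appliance.app' is a hypothetical bundle included only to show where the leading-slash trick still over-matches and an anchored pattern does not.

```python
import re

# Constructed sample of full process paths, as the matcher is assumed to see them.
# "macs.appliance.app" is hypothetical: it shares the "macs.app" prefix on purpose.
SAMPLE_PATHS = [
    "/Users/alice/Desktop/macs.app",
    "/Applications/macs.app/Contents/MacOS/macs",
    "/Applications/emacs.app/Contents/MacOS/Emacs",
    "/Applications/Aquamacs.app",
    "/Applications/Tor.app",
    "/Applications/Automator.app",
    "/Applications/macs.appliance.app",
]


def blocked_by(pattern: str, paths) -> list:
    """Return the paths a Restricted Software-style pattern would block.

    Assumption (from the thread, not verified against Jamf source): the pattern is
    run as an unanchored, case-insensitive regex search over the full path.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    return [p for p in paths if rx.search(p)]


def anchored_pattern(bundle_name: str) -> str:
    """Build a pattern that matches the bundle only as a whole path component.

    re.escape() stops the "." in ".app" from acting as a wildcard, and the
    (^|/) ... (/|$) anchors stop prefix/suffix collisions like emacs.app or
    macs.appliance.app while still matching binaries inside the bundle, e.g.
    /Applications/macs.app/Contents/MacOS/macs.
    """
    return r"(?:^|/)" + re.escape(bundle_name) + r"(?:/|$)"


def false_positives(pattern: str, allowed_paths) -> list:
    """Pre-deployment check: which of the apps we intend to leave alone would
    this pattern hit? Empty list means the pattern is safe for that allow-list."""
    return blocked_by(pattern, allowed_paths)


if __name__ == "__main__":
    allowed = [p for p in SAMPLE_PATHS if "/macs.app" not in p.lower()]
    for pat in ("macs.app", "/macs.app", anchored_pattern("macs.app"), "Tor.app", "/Tor.app"):
        print(f"{pat!r:35} blocks {blocked_by(pat, SAMPLE_PATHS)}")
    print("false positives for 'macs.app':", false_positives("macs.app", allowed))
```

Run it once with your own fleet's application list in place of SAMPLE_PATHS; the leading-slash form from the thread removes the emacs/aquamacs and Automator collisions, and the anchored form additionally refuses anything that only shares the name as a prefix.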