Scareware Signed With Apple Cert Targets OS X Machines (threatpost.com) 39
msm1267 writes: A unique scareware campaign targeting Mac OS X machines has been discovered, and it's likely the developer behind the malware has been at it a while since the installer that drops the scareware is signed with a legitimate Apple developer certificate.
"Sadly, this particular developer certificate (assigned to a Maksim Noskov) has been used for probably two years in similar attacks," said Johannes Ullrich, dean of research of the SANS Institute's Internet Storm Center, which on Thursday publicly disclosed the campaign. "So far, it apparently hasn't been revoked by Apple."
"Sadly, this particular developer certificate (assigned to a Maksim Noskov) has been used for probably two years in similar attacks," said Johannes Ullrich, dean of research of the SANS Institute's Internet Storm Center, which on Thursday publicly disclosed the campaign. "So far, it apparently hasn't been revoked by Apple."
Flash again. (Score:3)
Turns out that it does install an updated version of Flash. Now that is scareware.
Re: (Score:3)
Outdated versions of Flash are a primary avenue for malware to infect computers.
Here, you made a typo...let me fix that for you....
"All versions of Flash are a primary avenue for malware to infect computers."
Re: (Score:2)
Hi there, APK!
Still butthurt over getting all your excess punctuation filtered out?
Re:Flash again. (Score:4, Funny)
Turns out that it does install an updated version of Flash. Now that is scareware.
Holy shit, couldn't they just irreversibly encrypt all my files and delete the backups? I'd take that over a Flash infection any day.
Re: (Score:2)
Definitely APK. Lo, how the mighty have fallen!
Revoke it (Score:1)
So far, it apparently hasn't been revoked by Apple.
Why the fuck not? It's not like this Maksim guy has legit software sitting on millions of Macs and revoking his cert would cause massive headaches for anyone. There's no excuse to let a known compromised certificate remain active for 2 years.
Re: (Score:3)
Which tells you just how completely worthless certificates are.
No, it tells you how worthless Apple are. This is not a certificate failing, it is a management failing. Certificates themselves have all sorts of issues, but this is purely an Apple problem.
Re: (Score:2)
And Apple probably wants proof that it is malware. The whole reason for the certificates is so developers don't have to go through the Apple Mac App Store review - for whatever reason. Which can include shady but perfectly legal apps. Apple may reject it in the MAS, but they probably want extraordinary proof that the ap
Re: Revoke it (Score:1)
Except that Apple has been rejecting apps in the app store and delaying apps for simply competing against their apps.
So something clearly isn't right here. They have enough resources to screw over legitimate developers, but not to verify this crap?
Re: (Score:2)
That's only for for developers who submit apps through the app store. Using the signed certificate means you don't have to get your app approved, and you can do whatever the heck you want. It's why it exists - it allows for apps to be developed outside of Apple's
Re: (Score:3)
I agree that they may not immediately suspend/revoke it immediately, but they should have opened an investigation. And in *two whole years*, they should have been able to establish that it was validating malware. That by itself should have been enough to revoke a developer cert, even if he also signed legit software too with it too.
OR (if the cert was somehow compromised) they could have issued a new cert to the developer for his legit software and cancelled the old one. The developer would need to let
Re: (Score:2)
And in *two whole years*, they should have been able to establish that it was validating malware.
Is the app in question actually malware, according to Apple's definition of the term?
Or to put it another way, how evil does an application have to be before it should be labelled as malware? Is there a formal policy on this posted anywhere?
Re: (Score:2)
So the developer has written malware for two years. How many times has Apple ran across it? None? Just because an app's been signed for two years and does bad things doesn't mean
Re: (Score:2)
Re: (Score:3)
Signing software prevents it from being surreptitiously tampered with by a third party. Other platforms do not require you to purchase a developer certificate from them - this is specific to Apple and it's walled garden (or other closed stores and platforms). Don't conflate whatever issues you have with closed ecosystems and the security benefits of signed software in general! That's as flawed as blaming encryption because bad actors might use it to avoid being snooped on by law enforcement.
Re: (Score:2)
You are not forced to sign Apps on Macs either.
My Apps run quite fine without signing. I only can not sell them via the App-Store, which I could not anyway as my Apps are all written in Java.
Local revocation? (Score:2)
If Apple doesn't revoke it, shouldn't it be possible to configure individual machines to revoke such certificates once they're known? Or is that secured against lest someone start putting out malware that installs local revocations of others' certificates, such as one's competitors or anti-malware developers' certificates?
Block all adverts... (Score:5, Insightful)
Use a good browser plugin or some good backend rules, but block every single advert out there. That stops the "OHHH YOU GOTTA INSTALL THIS" vector that fools clueless visitors into downloading and running the trojan.
Good people install adblocking on every single computer they touch. Bad people allow ad's from websites.
Dear web admins.... WAHH. If you cant vet and host your ads yourself to make sure they are safe, you dont DESERVE your ad's to make it through.
friend's computer hit by this (Score:5, Interesting)
i have a friend who called me to say that their computer had had the default browser search settings changed to some adware. so i checked the instructions on how to remove it, only to find that the settings shown in the screen-shots *weren't there*. turns out that inspection of the timestamps on the filesystem, the phishing-malware had *replaced* legitimate system libraries, which enabled them to disguise the malware and prevent its own removal. it was necessary for us to go round some friend's houses, drop the macbook into single-user mode and copy over replacement files from an identical copy of macosx.
now, this is the first time i've ever dealt with macosx viruses, but i was surprised that it was so easy for my non-technical friend to be fooled by a phishing attempt which scared her with the "you have 2,500 viruses do you want us to fix it?" tactic. as a purely software-libre end-user for the past 20 years, all i can say is, "welcome to the monoculture world, apple. your false sense of security myth is well and truly over, and you have a hell of a lot of catching up to do".
Re: (Score:1)
Not a virus; trojan horse.
Re: (Score:2)
Either zero the drive or drop it off a balcony. There is no third option.
Re: (Score:1)
El Capitan does not allow replacement of system libraries at all, even with root access; was your friend running an older OS X?
I say this NOT as an Apple fan (Score:2)
Perhaps I've missed some items that would give me a different opinion, but it seems to me that the ubiquitous "Timothy" loves stories that screw Apple almost as much as he loves stories alleging Windows 10 isn't as much of a privacy nightmare as sensible people know it is.