Sophisticated OS X Backdoor Discovered (opens in new tab)

My guess would be that they figured out how to compile QT statically (hence 14MB file size)... Other then that it seems to be a common RAT

I agree, the terminology Kaspersky Labs is using is incorrect and misleading. The further poster is right that this should be labeled as "rootkit."

Backdoors can be installed after the fact. The vendor putting in a back door is only one way for it to be present.

This would be malware inserting a back door for further exploitation.

BackOriface was called a "backdoor" back in the day, so I think the term is fine.

I don't like the use of backdoor for malicious cracks, as it confuses the argument between malware and bad security practices. Though technically, backdoor is the correct term.

Backdoor is probably the correct term, I guess we just got used to vendor placed backdoors.

Although I also assumed at first that it was vendor placed, even though I was familiar with backdoors from the past (Back Orifice, Sub7 etc)

Perhaps some would enjoy some related humor while we're on the topic of backdoors:

https://www.youtube.com/watch?v=cuYQ4qUEfEI

This isn't a virus, it's a payload. Once an attacker exploits a vulnerability to gain RCE, this is the kind of thing they might install (if their goal isn't to immediately trash the machine).

Many commenters are pointing out that one possible definition of a rootkit is something that elevates privilege, but does not necessarily have network communications functions or a command and control server. But in recent times, almost all modern rootkits seen in the wild have some form of network control functionality.

I've heard the term "backdoor" used for a long time before "rootkit" or "advanced persistent threat", so it may be a generational thing.

From https://en.wikipedia.org/wiki/Rootkit:

> The modified compiler would detect attempts to compile the Unix login command and generate altered code that would accept not only the user's correct password, but an additional "backdoor" password known to the attacker...This exploit was equivalent to a rootkit.

From https://en.wikipedia.org/wiki/Advanced_persistent_threat:

> Establish Foothold – plant remote administration software in victim's network, create net backdoors and tunnels allowing stealth access to its infrastructure.

From https://en.wikipedia.org/wiki/Backdoor_(computing):

> A backdoor is a method, often secret, of bypassing normal authentication in a product, computer system, cryptosystem or algorithm etc. Backdoors are often used for securing unauthorized remote access to a computer, or obtaining access to plaintext in cryptographic systems.

I read all of that as a backdoor being an umbrella term, of which one type is a rootkit, and APTs create backdoors, perhaps of a type other than rootkit (e.g. net backdoor).

Nope, wrong. Backdoor has been in use for this since long before the silly "APT" acronym was coined.

Not misleading, incorrect.

Qt makes that easy, thats why they are using it.

A lot of cross platform software that attempts audio/video (e.g. Skype etc) would be considered malware by some. Usually people who've had to use it at least once.

> After its first execution, the binary checks its own file path and ...

From the article it seems to be via executable. That's why the terminology is important in this case. It's a executable rootkit that opens a backdoor, not a OS remote execution exploit. And this article relates to the OS X variant of a cross-platform package (so this affects Windows and Linux systems as well).

did you see last weeks post about bikeshedding? this is exactly what bikeshedding is.

Same thing. All comments are about backdoor vs rootkit vs malware vs etc, as if it was important. Hey guys, you really want me to go through a link and read that article myself? Where is the discussion? Where is tl;dr comment upvoted to the top?

Install Kaspersky Endpoint Protection, friend! ;)

In all seriousness, when a company releases a malware write-up, they typically imply that their software would have prevented it or will prevent it.

Enable Gatekeeper on Mac (or just don't disable it, I think it's enabled by default).

It's a payload not an attack vector or virus.

I suggest "sophisticated malware backdoor payload for OSX discovered." Then it's clear it's not a part of the OSX itself and that it's something that has to be somehow installed by some third party (e.g. using any malware installation method or a real spy).

I whipped up https://gist.github.com/atdt/e84483c70c078a72f5e08ead365c69f... based on the information in the report.

> Is there any diagnostic tool out there to determine if you've been infected?

From what I can tell, they posted the SHA256 of the offending binary under the IOCs section of that web page. So you should be able to do this in the root of your home directory to detect if such a file exists:

# find . -type f -print0 | xargs -0 shasum -a 256 | grep 664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c

I assume this has been added to Kaspersky's anti-virus suite considering it is their blog post.

Apple keeps gatekeeper and another process up to date, effectively scanning for this kind of stuff is built into the OS.

The aim is to look legitimate, but not clobber applications - merely to look like something the user shouldn't delete.

It was definitely possible a couple years back - https://jscholarship.library.jhu.edu/handle/1774.2/36569

We describe how to disable the LED on a class of Apple internal iSight webcams used in some versions of MacBook laptops and iMac desktops. This enables video to be captured without any visual indication to the user and can be accomplished entirely in user space by an unprivileged (non- root) application.

I don't know that it's possible on recent Apple hardware. I remember reading somewhere that the green LED is triggered by the camera power line, or something along those lines.

IDK about current gen Apple hardware, but it was possible to do so on a 2008 MacBook, at least (academic paper and PoC app):

https://jscholarship.library.jhu.edu/bitstream/handle/1774.2...

Interestingly, on my battered, el cheapo Asus 12" netbook (2011 Intel Atom), this problem is solved very well: the on/off webcam switch physically blocks the webcam lens in the off state.

The article only includes the word "Video" once in the summary, but then mentioned screen captures every 30 seconds.

I'm guessing that is what the summary is referring to when it says "video capture", because there is no other reference to video or camera.

I'm going to dig into this and find out, I've wanted to know for ages.

If the LED == LED_TORCH, then it looks like it may be possible:

https://github.com/patjak/bcwc_pcie/blob/8cc44d67f3c924f30a8...

Either way, I'm planning on buying some spare parts to actually test and possibly PoC this.

Apparently this malware doesn't take webcam screenshots (as law inforcement illegally does). It just takes screenshots, possibly to match keystrokes to the window, to be able to match password entries to the application or url. And then exploit that furtheron. I wonder why it takes audio captures though? Just for the thrill? Or is it the government?

Be safe and do as Mark Zuckerberg does -- stick a Post-It™ over the camera lens.

An extension or something you're using is causing that. Mouseover should show social media icon links on the left side of the pictures.

I think Mr. Robot is art imitating life. Life, if course, being exploits like these.

How so? This isn't an exploit it's a piece of malware

By that level of standard, nothing is secure. Linux has vulnerabilities. Windows has vulnerabilities. I have a deadbolt on my door and the package read "Keep your home secure!" but someone could still get through if they really wanted to.

"Secure by design" doesn't mean 100% secure no matter what. Part of that design is the update/patch process that addresses vulnerabilities quickly, and mitigating controls like lower default permissions and application signing.

The fact that you're so quick to call everyone an astroturfer because you made a ridiculous statement just proves that your only interest is trolling.

Everyone makes that claim.

https://channel9.msdn.com/Events/Ignite/2015/BRK3309

If your IT team decides to enable Apple's controls, there will be no way to install this on your machine.

I think that myth got shot down years ago. Along with magical and courageous marketing terms.