Mac OS X: Undetected malware and plain text passwords
The Internet Storm Center reports that the RST.B Linux backdoor is now also in circulation in a PPC version for Mac OS X. RST.B infects binaries and connects to an IRC server from which it accepts further commands. While a simple bot for the Mac is unexpected since the backdoor can be translated for the PPC with little effort, Mac users should be more alarmed that in tests conducted by the ISC with the Virustotal online scanner, not one vendor's scanner detected the backdoor. According to the ISC, 24 out of 32 scanners did sound the alarm on the Linux version, and a FreeBSD version of RST.B was still detected by 23 out of 32.
The ISC speculates that the antivirus programs tested are unable to handle Mach-O binaries. Whether this is a general problem remains to be seen. While there are special antivirus programs for Apple computers which do handle Mach-O binaries correctly, these are rarely used at corporate network perimeters to exclude malware using mail scanners and web filters. Windows and Linux based security programs are vastly more common at the gateway.
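Because the ISC attributes the missed detections to scanners that do not understand Mach-O, a gateway filter can at least recognise the format and flag PowerPC or universal binaries for closer inspection. The following is an added example, not code from the ISC or any vendor named here; the magic numbers and cputype values are those in Apple's <mach-o/loader.h> and <mach-o/fat.h>, the sample headers are constructed inline (a fat binary without the usual page alignment, and a Java class header that shares the 0xCAFEBABE magic), and the threshold used to tell those two apart is a heuristic of this example.

```python
import struct

# Mach-O magic numbers as they appear on disk; the byte order of the header
# follows the host the binary was built for (PowerPC big-endian, Intel little-endian).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": ">",   # MH_MAGIC, 32-bit big-endian
    b"\xce\xfa\xed\xfe": "<",   # MH_CIGAM, 32-bit little-endian
    b"\xfe\xed\xfa\xcf": ">",   # MH_MAGIC_64
    b"\xcf\xfa\xed\xfe": "<",   # MH_CIGAM_64
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # fat (universal) headers are always big-endian
CPU_ABI64 = 0x01000000
CPU_NAMES = {7: "i386", 7 | CPU_ABI64: "x86_64", 12: "arm", 12 | CPU_ABI64: "arm64",
             18: "ppc", 18 | CPU_ABI64: "ppc64"}

def identify_macho(data: bytes):
    """Return the architecture names of a thin or fat Mach-O image, or [] if not Mach-O."""
    if len(data) < 28:
        return []
    magic = data[:4]
    if magic in MACHO_MAGICS:
        # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
        cputype = struct.unpack(MACHO_MAGICS[magic] + "I", data[4:8])[0]
        return [CPU_NAMES.get(cputype, f"cputype_{cputype:#x}")]
    if magic == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        # Heuristic (assumption): Java class files also start with 0xCAFEBABE, but their
        # next word is the class-file version (45 and up), while a fat binary holds a few slices.
        if nfat == 0 or nfat >= 45:
            return []
        archs = []
        for i in range(nfat):
            off = 8 + i * 20  # struct fat_arch: cputype, cpusubtype, offset, size, align
            if off + 20 > len(data):
                return []
            cputype, _sub, offset, size, _align = struct.unpack(">5I", data[off:off + 20])
            # Prefer the slice's own header; fall back to the fat_arch entry if it is truncated.
            archs.extend(identify_macho(data[offset:offset + size])
                         or [CPU_NAMES.get(cputype, f"cputype_{cputype:#x}")])
        return archs
    return []

def thin_header(endian, magic, cputype, filetype=2):  # constructed sample, MH_EXECUTE
    return magic + struct.pack(endian + "6I", cputype, 0, filetype, 0, 0, 0)

def fat_image(slices):  # constructed sample: fat header + fat_arch table + slices
    body, table, offset = b"", b"", 8 + 20 * len(slices)
    for cputype, blob in slices:
        table += struct.pack(">5I", cputype, 0, offset, len(blob), 0)
        body, offset = body + blob, offset + len(blob)
    return FAT_MAGIC + struct.pack(">I", len(slices)) + table + body

PPC_EXEC = thin_header(">", b"\xfe\xed\xfa\xce", 18)
I386_EXEC = thin_header("<", b"\xce\xfa\xed\xfe", 7)
UNIVERSAL = fat_image([(18, PPC_EXEC), (7, I386_EXEC)])
JAVA_CLASS = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 50) + b"\x00" * 20
ELF_HEADER = b"\x7fELF" + b"\x00" * 24
```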
According to F-Secure, the virus scanners are not alone in struggling to recognise Mac OS X malware: it seems that staff at Apple also have a blind spot in this area. In a blog post, the Finnish vendor reports the experience of a user who was nearly infected with the trojan OSX.RSPlug.A, which masquerades as a video codec and appeared towards the end of last year.
The trojan, also known as DNSChanger, alters the machine's DNS settings. Fortunately, the user had previously installed a demo version of Intego's VirusBarrier, which prevented infection. However, the user misinterpreted the program's warnings and contacted F-Secure and Apple's support team. While F-Secure was able to help, Apple support staff claimed they were unaware of any malware for Mac OS X. Only after doing some internet research during their conversation did they believe the customer's descriptions.
Jacob Appelbaum, one of the authors of the "Cold Boot Attack" document, has reported another Mac OS X vulnerability: the screen saver neglects to clear login passwords entered by the user, so the passwords remain in memory in plain text. The section of code responsible is said to be almost two decades old. While root privileges are necessary to access loginwindow.app memory, Appelbaum considers this a good opportunity for both forensic experts and data thieves to obtain passwords.
Apple has been informed about the problem and is working on a solution. However, the vendor appears to have been aware of the problem for some time: Appelbaum's report was assigned problem ID 5726694 and was immediately flagged as a duplicate of problem 3250780 and closed. According to Appelbaum, problems are processed in sequence, so there are 2,475,914 apparently more important problems ahead of it in the queue.
- Linux, FreeBSD and Mac (!) bot, ISC report
- Mac Case, F-Secure blog entry
- Loginwindow.app and Mac OS X, report by Jacob Appelbaum