In association with heise online

17 May 2013, 15:42

Mac spyware takes screenshots

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

KITM in action
Zoom The malware is remarkably visible, dumping screenshots in a "MacApp" directory in the user's own home folder.
Source: F-Secure
At a workshop at the Oslo Freedom Forum, a previously unknown item of malware was found on an African activist's Mac by Jacob Appelbaum. The anti-virus vendor F-Secure examined the malware and has released details of it. Dubbed "OSX/KitM.A" by F-Secure, the malware is an undisguised application with the name "macs" at the top level of the user directory and is present in the Login items.

The malware was, Appelbaum says, planted on the Angolan activist's Mac by means of "spear phishing" emails. Appelbaum has the emails and updated versions of the payload and will be publishing further details after discussing it with the activist "as their life is likely in danger".

The application, when running, regularly takes screenshots which it stores in a folder labelled "MacApp". The pest apparently tried to make contact with two command-and-control servers, but one didn't resolve and the other appears to be out of action, forbidding access to its pages.

The oddest part of this conspicuous malware is that the directory was digitally signed by its author. Apple added Gatekeeper to Mac OS X 10.8 – this meant that applications had to be signed with their creator's Apple Developer ID to run and if they were not Gatekeeper would present the user with a warning. The malware's maker appears to have decided to sign the screenshot-taking app with what could be their or a third party's signature to avoid that warning popping up. It is possible that the creator of this malware could be remarkably easy to track down.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit