April 19, 2014

New digitally signed malware targets Mac users

A new piece of digitally signed malware that targets Mac users has been discovered. The new malware, which has been dubbed OSX/LaoShu-A by Sophos and is considered a bot, is being used in an “undelivered courier item” email campaign that tries to trick users into downloading the malware as they try to view the details of an alleged undelivered parcel.

In this particular case the email explains that the undelivered item contained some documents which have been scanned and are waiting for the user to inspect them. A link is provided which takes the unsuspecting user to a fake courier website (often a clone of a real courier website like FedEx or DHL) and then proceeds to download an attachment. If the malicious website detects that the web browser is running on Windows then a piece of malware called Mal/VBCheMan-C is downloaded.

For Mac users, however, a .zip file is downloaded containing an application that looks like a PDF document. OS X will automatically unzip the file and leave the application in the Downloads folder. The app has intentionally been given the PDF icon to trick users into thinking it is a PDF document; when clicked, it installs the malware. Because the application is digitally signed, OS X won’t produce a warning about the application coming from an unknown source; it will only warn the user that it has been downloaded from the Internet. Although the warning does say “application” rather than “document”, the dialog offers the user just two choices, Cancel or Open. Apple’s use of the word Open rather than Run can leave the user with the impression that they are opening a document.
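One defender-side check for exactly this disguise, written for this page and not taken from Sophos or the original article: inspect a downloaded zip before anything is opened and flag any .app bundle whose name or Info.plist icon resource mimics a document. The bundle layout and plist keys are standard macOS; the sample archive and the icon-name heuristic are constructed assumptions.

```python
import io
import plistlib
import zipfile

# Document extensions an app bundle might be dressed up as (the PDF disguise
# above, plus the office file types the bot hunts for).
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")

def find_disguised_apps(zip_bytes):
    """Return [(bundle_path, [reasons])] for .app bundles in a zip archive that
    present themselves as documents. Pure inspection; nothing is executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        # Every entry under "X.app/" belongs to the bundle X.app
        bundles = {n.split(".app/", 1)[0] + ".app" for n in names if ".app/" in n}
        for bundle in sorted(bundles):
            reasons = []
            base = bundle.rsplit("/", 1)[-1][:-len(".app")]
            if base.lower().endswith(DOCUMENT_EXTENSIONS):
                reasons.append("bundle name ends in a document extension: %r" % base)
            plist_path = bundle + "/Contents/Info.plist"
            if plist_path in names:
                info = plistlib.loads(zf.read(plist_path))
                icon = str(info.get("CFBundleIconFile", "")).lower()
                # Heuristic: an executable bundle whose icon resource is named
                # after a document type is what the PDF-icon trick looks like
                if info.get("CFBundlePackageType") == "APPL" and any(
                        ext[1:] in icon for ext in DOCUMENT_EXTENSIONS):
                    reasons.append("application bundle with document-style icon %r" % icon)
            if reasons:
                findings.append((bundle, reasons))
    return findings

def build_sample_zip():
    """Constructed sample archive, not a real sample: one disguised bundle
    modelled on the campaign, one ordinary bundle and one plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        bad = "Scanned_documents.pdf.app"
        zf.writestr(bad + "/Contents/Info.plist", plistlib.dumps({
            "CFBundlePackageType": "APPL", "CFBundleExecutable": "Scanned_documents.pdf",
            "CFBundleIconFile": "pdf.icns"}))
        # Dummy executable stub (Mach-O magic bytes only), not a working binary
        zf.writestr(bad + "/Contents/MacOS/Scanned_documents.pdf", b"\xcf\xfa\xed\xfe")
        zf.writestr("Notes.app/Contents/Info.plist", plistlib.dumps({
            "CFBundlePackageType": "APPL", "CFBundleExecutable": "Notes",
            "CFBundleIconFile": "Notes.icns"}))
        zf.writestr("readme.txt", b"plain document")
    return buf.getvalue()
```

Running `find_disguised_apps(build_sample_zip())` reports only the double-extension bundle, with both the name and the icon reason; the ordinary Notes.app and the text file produce nothing.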

According to Sophos, OSX/LaoShu-A is a bot and takes commands from a C&C server. Its main function, however, appears to be data theft: it searches for files with extensions such as DOC, DOCX, XLS, XLSX, PPT and PPTX and tries to upload them to the C&C server. It can also download new program files and execute shell commands, which means it can essentially do whatever the attackers tell it to do.

In conclusion, don’t click on random links in unsolicited emails, especially those with good link bait like the undelivered courier item emails.

Multiple critical vulnerabilities found and almost fixed in Sophos Antivirus

(LiveHacking.Com) – Tavis Ormandy has published a paper, called “Sophail: Applied attacks against Sophos Antivirus” which describes realistic attacks against Sophos Antivirus. Buried not too deep in the analysis is a working pre-authentication remote root exploit that does not require any user interaction. Tavis expects that this exploit could be wormed within the next few days.

As a result of the disclosure, Sophos has published a response outlining a schedule for fixing the vulnerabilities. Many of the holes have already been patched in updates published by Sophos on October 22. Further patches were released yesterday, and on 28 November 2012 Sophos plans to release patches for bugs found by Tavis which cause the anti-virus engine to halt when parsing certain malformed files.

In each case Sophos are keen to point out that there is no evidence of these vulnerabilities being exploited in the wild.

Ormandy’s publication is his second paper in a series on Sophos internals. It puts into practice the results previously found in the first paper. It is intended for a technical audience and describes the process a sophisticated attacker would take when targeting Sophos users.

“By design, antivirus products introduce a vast attack surface to a hostile environment. The vendors of these products have a responsibility to uphold the highest secure development standards possible to minimize the potential for harm caused by their software”, wrote Tavis in his paper.

Tavis did follow a responsible disclosure practice with these vulnerabilities. He informed Sophos in September about the problems and the anti-virus heavyweight requested two months to look into the bugs. However, as he points out, “Sophos did allocate some resources to resolve the issues discussed, however they were clearly ill-equipped to handle the output of one co-operative, non-adversarial security researcher. A sophisticated state-sponsored or highly motivated attacker could devastate the entire Sophos user base with ease.”

There will be a third paper in the series which Tavis is working on now. It will be announced at a future date.