[Info] Pint-Sized Backdoor for OS X Discovered

Board: MAC (Apple Mac)  Author: (逐浪人)  Time: 13 years ago (2013/02/21 12:05), edited  Pushes: 0 (0 push, 0 boo, 2 arrow)
2 comments, 2 participants, latest thread 1/1
Pint-Sized Backdoor for OS X Discovered
Posted on February 18th, 2013 by Lysa Myers

A new backdoor which affects OS X has been announced to an AV industry mailing list. Details are fairly limited right now, and the components we have indicate a fairly small, simplistic but efficient threat. It’s believed that this was a targeted attack, perhaps dropped by an exploit. At the time of writing, all of the network components have been sinkholed so it’s unable to receive commands.

From what we’ve seen, this threat likely starts with an exploit to get it past Gatekeeper. Once on a system, it sets up a reverse shell. That is to say, rather than announcing to the controller that the machine is infected (because the machine has been targeted and they already know where it is), the controller periodically contacts the infected machine to perform commands. Initiating the contact from outside the affected machine potentially helps it get past firewalls.

This part of the threat is comprised of clear text Perl scripts, which means it’s fairly easy to spot if someone knows what to look for. So that’s where the second part of this threat comes in. The binary component uses a modified version of existing tools (namely OpenSSH 6.0p1) for creating a secure connection to encrypt the traffic so that it is much better hidden. The tool is further hidden by placing the file in a directory that is usually used for printing, so that if anyone sees a list of processes contacting the network, it will appear as if the affected machine is simply printing from a networked printer. This version of the tool also has been modified so that it will not save a log of its command histories. The threat encrypts traffic with the command and control channel by use of an RSA key.
The filenames as they were reported are:
com.apple.cocoa.plist
cupsd (Mach-O binary)
com.apple.cupsd.plist
com.apple.cups.plist
com.apple.env.plist

One of the (sinkholed) network addresses that the threat contacts is “corp-aapl.com.” It’s been noted that this is a misspelling of Apple, but it is the stock symbol for Apple.

http://goo.gl/0JNvs

This news came out very fast, so please evaluate it carefully..
My feeling is that the techniques used on Windows back in the day have all been moved over to the Mac; the next step will probably be mobile operating systems.
Some people have also asked whether Ubuntu would have the same problem; that has not been confirmed yet.
Mac users, please pay more attention to your computer usage habits...
That's all, thx
--
Hi hi everyone. My specialties: fast malware removal, crash handling, data recovery, account recovery, system planning, information integration.
System planning: economical, high-performance, low-pollution, energy-saving (reduced noise and vibration, electromagnetic radiation, waste heat, dust accumulation, radiation), space-saving, comfortable to use, warm keyboard and mouse (against cold hands).
Netizens say collecting cards is for cultivating EQ.
--
※ Origin: PTT (ptt.cc) ◆ From: 219.70.172.157
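Added example (not from the Intego write-up or from the poster): a small POSIX sh script that turns the indicators quoted above into two host-side checks a Mac admin could run. The first looks for the reported launchd plist filenames in the directories passed to it; the second flags any process named cupsd whose binary is not the system one, which is the disguise the write-up describes. The legitimate path /usr/sbin/cupsd, the launchd directories listed under --scan, and the use of `ps -axo comm=` to get the executable path are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example: defender-side checks built from the filenames reported
# in the write-up. Paths marked "assumed" are not from the page.

# Launchd plist filenames exactly as reported.
REPORTED_PLISTS="com.apple.cocoa.plist com.apple.cupsd.plist com.apple.cups.plist com.apple.env.plist"

# Usage: scan_plist_dirs DIR...
# Prints every match. Returns 0 when none of the reported names exist in
# any directory, 1 when at least one does (missing directories are skipped).
scan_plist_dirs() {
    hits=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for name in $REPORTED_PLISTS; do
            if [ -e "$dir/$name" ]; then
                echo "reported launchd filename present: $dir/$name"
                hits=$((hits + 1))
            fi
        done
    done
    [ "$hits" -eq 0 ]
}

# Usage: check_cupsd_path /full/path/to/cupsd
# Returns 0 for the expected system binary (assumed: /usr/sbin/cupsd) and
# 1 for anything else called cupsd, e.g. a copy dropped into a printing
# directory as the write-up describes.
check_cupsd_path() {
    case "$1" in
        /usr/sbin/cupsd) return 0 ;;
        *) echo "cupsd running from unexpected location: $1"; return 1 ;;
    esac
}

# Stand-alone use on a Mac:  sh check.sh --scan
# Nothing runs automatically, so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    # Assumed standard launchd locations.
    scan_plist_dirs /Library/LaunchAgents /Library/LaunchDaemons \
        "$HOME/Library/LaunchAgents" "$HOME/Library/LaunchDaemons"
    # Assumed: 'ps -axo comm=' prints the full executable path per process.
    ps -axo comm= | grep '/cupsd$' | while read -r exe; do
        check_cupsd_path "$exe"
    done
fi
```

Both functions report by exit status, so they drop straight into a cron job or a fleet check; a non-zero status from either is a reason to pull the machine for a closer look rather than a verdict on its own, since the plist names alone are only what was reported at the time.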

1F (02/21 13:11): Does denying corp-aapl.com help?

2F (02/21 13:52): Of course not...
Article ID (AID): #1H9PqJP0 (MAC)