New versions of spyware found for OS X
Makradar Technologies / December 19, 2019
Security experts have identified several more samples of the recently discovered KitM spyware for Mac OS X, one of which, dated December 2012, is aimed at German-speaking users. KitM (Kumar in the Mac), also known as HackBack, is a backdoor that takes unauthorized screenshots and uploads them to a remote server. It also provides shell access, allowing the intruder to execute commands on the infected computer.
The malware was originally found on the MacBook of an Angolan activist attending the Oslo Freedom Forum human rights conference. The most interesting aspect of KitM is that it was signed with a valid Apple Developer ID, a certificate issued by Apple to one Rajinder Kumar. Applications signed with an Apple Developer ID pass Gatekeeper, the built-in OS X security feature that verifies a file's origin to decide whether it may pose a threat to the system.
The first two KitM samples, found last week, connected to servers in the Netherlands and Romania. On Wednesday, F-Secure's experts received more KitM samples from a researcher in Germany. These samples were used in targeted attacks between December and February and were distributed through phishing emails containing zip files with names such as Christmas_Card.app.zip, Content_for_Article.app.zip, Interview_Venue_and_Questions.zip, Content_of_article_for_[NAME REMOVED].app.zip and Lebenslauf_fur_Praktitkum.zip.
The KitM installers contained in these archives are executables in the Mach-O format whose icons have been replaced with those of images, videos, PDFs and Microsoft Word documents. The same trick is often used to distribute malware on Windows.
All KitM samples found were signed with the same Rajinder Kumar certificate, which Apple revoked last week, immediately after KitM was detected; that will not help those who are already infected, however.
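As an added example, not code from the article or from F-Secure, here is a small Python scan a mail gateway or analyst could run over a zip attachment: it flags `.app` bundles whose main executable starts with a Mach-O (or fat binary) magic, which is exactly the shape of the lures described above regardless of what icon the bundle carries. The sample archive it builds is constructed for the demonstration and contains only a stub header, not a real KitM file.

```python
import io
import re
import zipfile

# Four-byte Mach-O and fat/universal binary magics, in both byte orders.
# (0xCAFEBABE is also the Java class-file magic; treat it as a weaker signal.)
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # fat / universal binary
}

# Matches the main executable location inside an OS X application bundle.
APP_EXEC_RE = re.compile(r"^(?P<bundle>(?:.*/)?[^/]+\.app)/Contents/MacOS/[^/]+$")


def is_macho(head: bytes) -> bool:
    """True if the first four bytes look like a Mach-O or fat binary header."""
    return head[:4] in MACHO_MAGICS


def find_app_executables(zip_bytes: bytes):
    """Return (bundle, member) pairs for Mach-O executables inside .app bundles.

    Only the first four bytes of each candidate member are read, so large
    attachments are cheap to triage; the zip is never extracted to disk.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            match = APP_EXEC_RE.match(info.filename)
            if match is None or info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4)
            if is_macho(head):
                hits.append((match.group("bundle"), info.filename))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample shaped like the lures in the article (stub header only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Christmas_Card.app/Contents/Info.plist", "<plist/>")
        zf.writestr("Christmas_Card.app/Contents/Resources/card.icns", b"icns")
        # 64-bit Mach-O magic followed by padding; not a runnable binary.
        zf.writestr("Christmas_Card.app/Contents/MacOS/Christmas_Card",
                    b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        zf.writestr("notes.txt", "harmless text file")  # should not be flagged
    return buf.getvalue()
```

Running `find_app_executables(build_sample_zip())` reports the bundle and its executable; a gateway would quarantine or block an attachment on any hit.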
"Gatekeeper keeps a file in quarantine until it is first executed," said Bogdan Botezatu, a senior analyst at antivirus company Bitdefender. "If the file passed the check on its first launch, it will start and continue to run, as Gatekeeper does not re-examine it. Therefore, malware that was started once using a valid certificate will continue to operate even after that certificate is revoked."
Apple could use another protective feature, XProtect, to add known KitM files to its blacklist. However, modified versions of the spyware that have not yet been discovered will continue to function.
The only way Mac users can prevent any signed malware from running on their computers is to change Gatekeeper's settings so that only applications installed from the Mac App Store are allowed to run, F-Secure's experts say.
For enterprise users, however, this configuration is simply not feasible, because it makes it impossible to use virtually any office software, and especially their own enterprise applications, which are developed for internal use and not published in the Mac App Store.