May 19, 2013
New Mac Spyware Program Discovered At Oslo Freedom Forum
redOrbit Staff & Wire Reports - Your Universe Online
Previously unknown malware for Mac OS X that appears to have been signed with a valid Apple Developer ID has reportedly been discovered on the laptop of an African activist at a Norwegian human rights conference. According to CNET's Topher Kessler, the spyware program is a small application known as macs.app and is being identified as OSX/KitM.A. The program appears to be a backdoor application, he said, and it appears to take screenshots of the infected computer before uploading them to remote servers for an unknown purpose.
“When installed, the application is appended to the current Mac user's log-in items so it runs whenever the affected user account is logged in,” Kessler said. “It then takes regular screenshots that it places in a visible folder in the user's home directory called MacApp. It then tries to upload them to the URLs 'securitytable.org' and 'docsforum.info,' which either are not working or are issuing 'public access forbidden' error messages.”
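A defender-side triage check built from the indicators Kessler lists (the login item, the MacApp screenshot folder and the two upload hosts). This is an added example, not code from the article or from any of the researchers it cites; the host data it runs on is constructed, and the indicator names are assumed to appear verbatim in login-item names, directory listings and proxy or DNS logs.

```python
import re

# Indicators quoted in the article: the login-item name, the screenshot
# folder in the user's home directory, and the two upload hosts.
LOGIN_ITEM_NAMES = {"macs", "macs.app"}
DROP_FOLDER = "MacApp"
UPLOAD_HOSTS = ("securitytable.org", "docsforum.info")
HOST_PATTERN = re.compile(r"\b(" + "|".join(map(re.escape, UPLOAD_HOSTS)) + r")\b", re.I)

def suspicious_login_items(login_items):
    """Login items whose name matches the macs.app indicator (case-insensitive)."""
    return [name for name in login_items if name.strip().lower() in LOGIN_ITEM_NAMES]

def has_drop_folder(home_entries):
    """True if the home-directory listing contains the MacApp screenshot folder."""
    return DROP_FOLDER in home_entries

def upload_host_hits(log_lines):
    """(line number, host) for every proxy/DNS log line naming an upload host."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        match = HOST_PATTERN.search(line)
        if match:
            hits.append((lineno, match.group(1).lower()))
    return hits

def triage(login_items, home_entries, log_lines):
    """Combine the three checks; an empty list means no indicator matched."""
    findings = []
    for name in suspicious_login_items(login_items):
        findings.append(f"login item matches KitM indicator: {name}")
    if has_drop_folder(home_entries):
        findings.append(f"~/{DROP_FOLDER} screenshot folder present")
    for lineno, host in upload_host_hits(log_lines):
        findings.append(f"log line {lineno} references upload host {host}")
    return findings

# Constructed sample input standing in for a real host; not data from the article.
# On a live Mac these would come from the login items list, a home directory listing and proxy/DNS logs.
SAMPLE_LOGIN_ITEMS = ["iTunesHelper", "macs"]
SAMPLE_HOME = ["Desktop", "Documents", "MacApp", "Pictures"]
SAMPLE_LOG = [
    "May 19 10:02:11 host proxy: GET http://securitytable.org/upload 403 Forbidden",
    "May 19 10:02:12 host dns: lookup apple.com",
    "May 19 10:02:13 host proxy: POST http://DocsForum.info/ 403 Forbidden",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGIN_ITEMS, SAMPLE_HOME, SAMPLE_LOG):
        print(finding)
```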
The malware was discovered on the computer of an Angolan activist by security researcher Jacob Appelbaum at the Oslo Freedom Forum in Norway last week, explained ZDNet's Liam Tung. Appelbaum reportedly said that the unnamed activist had been victimized by a spearphishing attack, and was tricked into downloading the program by an email that he or she had received.
“This bit of malware is somewhat unique in that it is signed with what appears to be a valid Apple Developer ID associated with the name Rajender Kumar,” Kessler said. “Though not an uncommon name, this may be a reference to the late Bollywood actor of a similar name. Regardless, the use of the ID appears to be an attempt to bypass Apple's Gatekeeper execution prevention technology.”
Apple's Developer ID program allows software creators to sign the applications they create for Mac with digital certificates that are issued and trusted by the Cupertino, California-based company's systems, according to Lucian Constantin of IDG News Service.
Those certificates make it so that the programs are not flagged as malicious software by Mac OS X Mountain Lion's Gatekeeper security feature, he said. Apple claims the program makes it so that Gatekeeper can verify that the programs are safe and not tampered with, and “in theory, that should also allow Apple to specifically revoke the certificate for this app, preventing it from running,” Constantin added.