Ghostnet Mac OS

Jamyang continues: 'Allow me to play devil's advocate for a moment here: in the short term, moving to a platform that is perhaps less familiar to the attacker provides considerable relief, but it is essentially less difficult to write exploits for Mac OS/Linux than it is for Windows, given the many anti-exploitation mechanisms Microsoft has embedded in the last years, so in the long run, if.' The 53-page report, released on Sunday, describes a network which researchers have called GhostNet, which primarily uses a malicious software program called gh0st RAT (Remote Access Tool) to.

Researchers have uncovered a malware-based espionage campaign that subjects Mac users to the same techniques that have been used for years to surreptitiously siphon confidential data out of Windows machines.

The recently discovered campaign targets Mac-using employees of several pro-Tibetan non-governmental organizations, and employs attacks exploiting already patched vulnerabilities in Microsoft Office and Oracle's Java framework, Jaime Blasco, a security researcher with AlienVault, told Ars. Over the past two weeks, he has identified two separate backdoor trojans that get installed when users open booby-trapped Word documents or website links included in e-mails sent to them. Once installed, the trojans send the computer, user, and domain name associated with the Mac to a server under the control of the attackers and then await further instructions.

'This particular backdoor has a lot of functionalities,' he said of the most recent trojan he found. Victims, he said, 'won't see almost anything.'

Blasco's findings, which are documented in blog posts here and here, are among the first to show that Macs are being subjected to the same types of advanced persistent threats (APTs) that have plagued Windows users for years—not that the shift is particularly unexpected. As companies such as Google increasingly adopt Macs to limit their exposure to Windows-dependent exploits, it was inevitable that the spooks conducting espionage on them would make the switch, too.

'What [attackers] have been installing via APT-style, targeted attack campaigns for Windows, they're now starting to do for Macs, too,' said Ivan Macalintal, a security researcher at antivirus provider Trend Micro. Macalintal has documented some of the same exploits and trojans Blasco found.

Another researcher who has confirmed the findings is Alexis Dorais-Joncas, Security Intelligence Team Leader at ESET. In his own blog post, he documented the encryption one of the trojans uses to conceal communications between infected Macs and a command and control server. He also described a series of queries sent to a test machine he infected that he believes were manually typed by a live human at the other end of the server. They invoked Unix commands to rummage through Mac folders that typically store browser cookies, passwords, and software downloads.

'The purpose here clearly is information stealing,' he wrote.

He noted that the backdoor he observed was unable to survive a reboot on Macs that weren't running with administrator privileges. That's because the /Library/Audio/Plug-Ins/AudioServer folder used to stash one of the underlying malware files didn't allow unprivileged users to save data there. A more recent trojan analyzed by AlienVault's Blasco has overcome that shortcoming, by saving the file in the less-restricted /Users/{User}/Library/LaunchAgents/ folder, ensuring it gets launched each time the user's account starts.
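The persistence trick above is worth being able to spot on your own machines: launchd loads every property list in ~/Library/LaunchAgents at login, with no administrator rights needed, so that folder is the first place to look for a user-level implant. The following audit script is an added example written for this page, not code from the article or from any of the vendors it quotes. It parses each plist with the standard library, extracts the executable launchd would run, and flags the red flags a responder looks for (program in a user-writable or hidden path, an Apple-looking label in a per-user agent, a malformed plist). The two sample jobs and the allow-list of trusted executable locations are constructed assumptions to tune for your own fleet.

```python
"""Audit a user's LaunchAgents for suspicious persistence entries.

Added example, not from the article. Parses every .plist under a
LaunchAgents directory, works out which program launchd would execute,
and applies a few triage heuristics. The sample jobs below are
constructed so the script runs on any OS without touching a real Mac.
"""
import plistlib
import tempfile
from pathlib import Path
from typing import Optional

# Assumption: executables under these prefixes are normally legitimate on a
# managed Mac. Anything else deserves a look, user-writable paths especially.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Applications/", "/Library/Apple/")
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")


def program_path(job: dict) -> Optional[str]:
    """Return the executable launchd would exec for this job, if declared."""
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def assess_job(name: str, job: dict) -> dict:
    """Apply triage heuristics to one parsed launchd job."""
    prog = program_path(job)
    reasons = []
    if prog is None:
        reasons.append("no Program or ProgramArguments")
    else:
        if prog.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("executable in user-writable location")
        elif not prog.startswith(TRUSTED_PREFIXES):
            reasons.append("executable outside trusted locations")
        if "/." in prog:
            reasons.append("hidden path component")
    label = job.get("Label", "")
    # Apple does not ship agents in per-user LaunchAgents, so an Apple-looking
    # label there is a common impersonation trick rather than a system job.
    if label.startswith("com.apple."):
        reasons.append("Apple-looking label in user LaunchAgents")
    return {"file": name, "label": label, "program": prog,
            "persistent": bool(job.get("RunAtLoad")) and bool(job.get("KeepAlive")),
            "suspicious": bool(reasons), "reasons": reasons}


def audit_launch_agents(agents_dir: Path) -> list:
    """Parse every .plist in agents_dir and return one finding per file."""
    findings = []
    for plist_file in sorted(agents_dir.glob("*.plist")):
        try:
            with open(plist_file, "rb") as fh:
                job = plistlib.load(fh)
        except Exception as exc:  # a plist launchd cannot parse is itself notable
            job = None
            error = f"unparseable plist: {exc}"
        if not isinstance(job, dict):
            findings.append({"file": plist_file.name, "label": "", "program": None,
                             "persistent": False, "suspicious": True,
                             "reasons": [error if job is None else "plist root is not a dict"]})
            continue
        findings.append(assess_job(plist_file.name, job))
    return findings


# Constructed sample jobs: one ordinary application updater and one that
# mimics the pattern in the article (user-writable hidden path, Apple-like label).
SAMPLE_JOBS = {
    "com.example.updater.plist": {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "RunAtLoad": True,
    },
    "com.apple.audioserver.plist": {
        "Label": "com.apple.audioserver",
        "ProgramArguments": ["/Users/alice/Library/.cache/audiohelper"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
}


def write_sample_agents(agents_dir: Path) -> None:
    agents_dir.mkdir(parents=True, exist_ok=True)
    for name, job in SAMPLE_JOBS.items():
        with open(agents_dir / name, "wb") as fh:
            plistlib.dump(job, fh)


def demo() -> list:
    """Run the audit against a temporary directory holding the sample jobs."""
    with tempfile.TemporaryDirectory() as tmp:
        agents_dir = Path(tmp) / "Library" / "LaunchAgents"
        write_sample_agents(agents_dir)
        return audit_launch_agents(agents_dir)


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for f in (audit_launch_agents(target) if target else demo()):
        tag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{tag:10} {f['file']}: {f['program']}  {'; '.join(f['reasons'])}")
```

Run it with no arguments to see the constructed sample, or pass `~/Library/LaunchAgents` on a real Mac. The heuristics are deliberately coarse: RunAtLoad plus KeepAlive is reported as a property rather than a red flag, because plenty of legitimate agents use both; the location and label checks are what separate a dropped implant from an installed application's helper.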

The backdoors are installed by exploiting critical holes in two pieces of software that are widely used by Mac users. One of the vulnerabilities, a buffer overflow flaw in Microsoft Office for the Mac, was patched in 2009, while the other, an unspecified bug in Java, was fixed in October. The Java exploit is advanced enough that it reads the user agent of the intended victim's browser and, based on the result, delivers a payload specific to machines running either Windows or OS X.

Reports of malware that targets Macs have risen steadily over the past 36 months. Most of the reported infections rely on the gullibility of users, tricking them into believing their systems are already compromised and can be disinfected by downloading and installing a piece of rogue antivirus software. Others have exploited software weaknesses to install a reference to a huge malware-based spy network uncovered three years ago that infiltrated government and private offices in 103 countries. The Word exploit works by embedding Mac-executable files known as 'Mach-Os' into the booby-trapped document file, Macalintal added.

Seth Hardy, a Senior Security Analyst who has been monitoring espionage attacks on pro-Tibetan groups for an organization called Citizen Lab, said it's too early to know if the recent campaign is related to Gh0stRat. Hardy—whose Citizen Lab was a principal organization for the research and publication of the Tracking GhostNet and Shadows in the Cloud cyber-espionage reports and is based at the Munk School of Global Affairs—went on to say that Macs are likely to play a growing role in future attacks.

'While APT-for-Mac (iAPT?) isn't exactly new, it does seem like the attackers are catching on that many of these organizations use Macs more than the general public,' he wrote in an e-mail. 'It's also interesting that the attackers are developing multi-platform attacks: we've seen the Mac malware bundled with similar Windows malware, and the delivery system will identify the user's operating system and run the appropriate program.'

Koobface

Common name: Koobface
Aliases:
  • OSX/Koobface.A (Intego)
  • W32/Koobfa-Gen (Sophos)
  • W32.Koobface.A (Symantec)
  • W32/Koobface.worm (McAfee)
  • WORM_KOOBFACE.DC (Trend Micro)
  • Win32/Koobface (CA, Inc.)
  • Worm.KoobFace (Malwarebytes)
  • Net-Worm.Win32.Koobface.a (Kaspersky)
  • Worm/Win32.Koobface (Panda)
  • Worm/Win32.Koobface (Norton)
  • Worm/Win32.Koobface (Webroot)
  • Worm/Win32.Koobface (Avast)
Type: Computer worm
Subtype: Malware
Point of origin: Russia

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms.[1][2][3] This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as Gmail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace and Twitter,[4] and it can infect other devices on the same local network.[5] Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.[6][7][8]

Infection

Koobface ultimately attempts, upon successful infection, to gather login information for FTP sites, Facebook, Skype, and other social media platforms, and any sensitive financial data as well.[9] It then uses compromised computers to build a peer-to-peer botnet. A compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer and hijack search queries to display advertisements. Its peer-to-peer topology is also used to show fake messages to other users for the purpose of expanding the botnet.[10] It was first detected in December 2008 and a more potent version appeared in March 2009.[11] A study by the Information Warfare Monitor, a joint collaboration from SecDev Group and the Citizen Lab in the Munk School of Global Affairs at the University of Toronto, has revealed that the operators of this scheme have generated over $2 million in revenue from June 2009 to June 2010.[9]

Koobface originally spread by delivering Facebook messages to people who are 'friends' of a Facebook user whose computer had already been infected. Upon receipt, the message directs the recipients to a third-party website (or another Koobface-infected PC), where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface can infect their system. It can then commandeer the computer's search engine use and direct it to contaminated websites. There can also be links to the third-party website on the Facebook wall of the friend the message came from, sometimes with comments like LOL or YOUTUBE. If the link is opened, the trojan will infect the computer and the PC will become a zombie or host computer.

Among the components downloaded by Koobface are a DNS filter program that blocks access to well known security websites and a proxy tool that enables the attackers to abuse the infected PC. At one time the Koobface gang also used Limbo, a password stealing program.
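The article says the DNS filter component blocked access to well-known security websites but not how it did so. One common way such blocks are implemented is an override in the hosts file that pins vendor names to the loopback or unspecified address (a sinkhole) or to an address the attackers control (a redirect), and that is cheap to check for during triage. The checker below is an added example written for this page, not code from the article or from any vendor it cites; the list of watched names and the sample hosts file are constructed, and the assumption that the block lives in the hosts file is exactly that, an assumption about one implementation rather than a statement about Koobface's own component.

```python
"""Find hosts-file entries that silence or redirect security vendors' sites.

Added example, not part of the article. Parses a hosts file (comments,
tabs, several names per line, IPv4 and IPv6) and reports any watched
hostname together with the address it was pinned to and whether that
address sinkholes the name or redirects it elsewhere.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumption: names a defender would never expect in a workstation's hosts
# file. Extend with your own vendors' update and console hostnames.
SECURITY_SITES = {
    "www.symantec.com", "www.mcafee.com", "www.trendmicro.com",
    "www.sophos.com", "www.kaspersky.com", "www.eset.com", "www.intego.com",
    "www.microsoft.com", "update.microsoft.com",
}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text.

    Inline and full-line comments are dropped, whitespace may be tabs or
    spaces, and a line may map one address to several names.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        address, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # not a hosts entry at all
        for name in names:
            entries.append((address, name.lower().rstrip(".")))
    return entries


def classify(address: str) -> str:
    """Loopback/unspecified addresses sinkhole a name; anything else redirects it."""
    addr = ipaddress.ip_address(address)
    return "sinkholed" if addr.is_loopback or addr.is_unspecified else "redirected"


def find_blocked_sites(text: str, watchlist=SECURITY_SITES) -> Dict[str, Tuple[str, str]]:
    """Map each watched hostname present in the hosts file to (address, effect)."""
    hits = {}
    for address, name in parse_hosts(text):
        if name in watchlist:
            hits[name] = (address, classify(address))
    return hits


# Constructed sample: a normal macOS/Linux hosts header followed by the kind
# of tampering the article describes. 198.51.100.7 is a documentation address.
SAMPLE_HOSTS = """\
##
# Host Database (constructed sample)
##
127.0.0.1\tlocalhost
255.255.255.255\tbroadcasthost
::1             localhost
# entries below are not part of a normal hosts file
127.0.0.1   www.symantec.com  www.mcafee.com   # vendors
0.0.0.0     www.kaspersky.com
198.51.100.7 update.microsoft.com
"""


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    hits = find_blocked_sites(text)
    if not hits:
        print("no watched security sites found in hosts file")
    for name, (address, effect) in sorted(hits.items()):
        print(f"{effect:10} {name} -> {address}")
```

Run it against `/etc/hosts` (or `C:\Windows\System32\drivers\etc\hosts` on Windows) to check a real machine, or with no argument to see the constructed sample. A hosts entry is only one way to block a site; a resolver hijack or a local proxy leaves this check clean, so a negative result rules out one mechanism, not the whole class.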

Several variants of the worm have been identified:

  • Worm:Win32/Koobface.gen!F[12]
  • Net-Worm.Win32.Koobface.a, which attacks MySpace
  • Net-Worm.Win32.Koobface.b, which attacks Facebook[13]
  • WORM_KOOBFACE.DC, which attacks Twitter[14]
  • W32/Koobfa-Gen, which attacks Facebook, MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo and fubar[15][16]
  • W32.Koobface.D[17]
  • OSX/Koobface.A, a Mac version which spreads via social networks such as Facebook, MySpace and Twitter.[18]

In January 2012, the New York Times reported[19] that Facebook was planning to share information about the Koobface gang, and name those it believed were responsible. Investigations by German researcher Jan Droemer[20] and the University of Alabama at Birmingham's Center for Information Assurance and Joint Forensics Research[21] were said to have helped uncover the identities of those responsible.

Facebook finally revealed the names of the suspects behind the worm on January 17, 2012. They include Stanislav Avdeyko (leDed), Alexander Koltyshev (Floppy), Anton Korotchenko (KrotReal), Roman P. Koturbach (PoMuc), Svyatoslav E. Polichuck (PsViat and PsycoMan). They are based in St. Petersburg, Russia. The group is sometimes referred to as Ali Baba & 4 with Stanislav Avdeyko as the leader.[22] The investigation also connected Avdeyko with CoolWebSearch spyware.[20]

Hoax warnings

The Koobface threat is also the subject of many hoax warnings designed to trick social networking users into spreading misinformation across the Internet. Various anti-scam websites such as Snopes.com and ThatsNonsense.com have recorded many instances where alarmist messages designed to fool and panic Facebook users have begun to circulate prolifically using the widely publicized Koobface threat as bait.[23][24] The 'Barack Obama-Clinton Scandal' hoax which was popular in 2010 is an example.

Other misconceptions have spread regarding the Koobface threat, including the false assertion that accepting 'hackers' as Facebook friends will infect a victim's computer with Koobface, or that Facebook applications are themselves Koobface threats. These claims are untrue. Other rumours assert that Koobface is much more dangerous than other examples of malware and has the ability to delete all of your computer files and 'burn your hard disk.' However, these rumours are inspired by earlier fake virus warning hoaxes and remain false.[23]

See also

  • Trojan horse (computing)

References

  1. Lucian Constantin (28 October 2010). 'New Koobface Variant Infects Linux Systems'. Softpedia. Retrieved 3 February 2015.
  2. Lucian Constantin (30 October 2010). 'Linux Java-Based Trojan Might Have Been an Accident'. Softpedia. Retrieved 3 February 2015.
  3. 'More Information About the Koobface Trojan Horse for Mac'. The Mac Security Blog. 29 October 2010. Retrieved 20 January 2012.
  4. 'US-CERT Malicious Code Targeting Social Networking Site Users, added March 4, 2009, at 11:53 am'. Archived from the original on 12 May 2009. Retrieved 18 June 2009.
  5. 'Twitter Status - Koobface malware attack'. twitter.com. Retrieved 3 February 2015.
  6. Marks, Ellen (7 June 2015). 'Fake tech support warning targets Apple users'. Albuquerque Journal.
  7. Ricca, Aaron (6 April 2016). 'Warnings are out there, but people keep falling for scams'. The Kingman Daily Miner. Archived from the original on 9 April 2016.
  8. Jensen, Dreama (26 February 2016). 'Woman almost falls for computer scam'. South Bend Tribune.
  9. 'Koobface: Inside a Crimeware Network'. Archived 2012-09-14 at the Wayback Machine.
  10. 'W32.Koobface'. symantec.com. Retrieved 3 February 2015.
  11. Keizer, Gregg (2 March 2009). 'Koobface worm to users: Be my Facebook friend'. Computerworld. Retrieved 31 August 2009.
  12. 'Worm:Win32/Koobface.gen!F'. microsoft.com. Microsoft. Retrieved 3 February 2015.
  13. 'Koobface malware distribution technique - automatic user account creation on FaceBook, Twitter, BlogSpot and others'. Archived from the original on 28 March 2010. Retrieved 12 August 2009.
  14. 'WORM_KOOBFACE'. trendmicro.com. Retrieved 3 February 2015.
  15. 'Sophos stops new version of Koobface social networking worm'. Naked Security. Retrieved 3 February 2015.
  16. 'The Allure of Social Networking', describing Win32/Koobface affecting multiple social networks, on CA's Security Advisor Research blog. Archived 2011-07-22 at the Wayback Machine.
  17. 'W32.Koobface.D'. symantec.com. Retrieved 3 February 2015.
  18. 'Intego Security Memo: Trojan Horse OSX/Koobface.A Affects Mac OS X Mac – Koobface Variant Spreads via Facebook, Twitter and More'. The Mac Security Blog. Retrieved 3 February 2015.
  19. 'Web Gang Operating in the Open'.
  20. 'The Koobface malware gang – exposed!'. Naked Security. Retrieved 3 February 2015.
  21. 'Facebook credits UAB with stopping international cyber criminals, donates $250,000 to school'. AL.com. Retrieved 3 February 2015.
  22. Protalinski, Emil (17 January 2012). 'Facebook exposes hackers behind Koobface worm'. ZDNet. Retrieved 20 January 2012.
  23. 'Koobface - What is it Really?'. ThatsNonsense.com. Retrieved 26 January 2011.
  24. 'Koobface'. snopes.com. Retrieved 30 December 2010.

External links

  • The Koobface malware gang - exposed!, research by Jan Droemer and Dirk Kollberg.
  • The Real Face of KOOBFACE, analysis by Trend Micro.
  • Researchers Take Down Koobface Servers, Slashdot article.

Retrieved from 'https://en.wikipedia.org/w/index.php?title=Koobface&oldid=1016326003'
