SecureMac, Inc.

The Checklist 75: Mix and Match

February 8, 2018

Spectres, Meltdowns, and an endless parade of patches — 2018’s already off to quite a start, and it can all be just a little overwhelming. This week, we’re pulling back to the bigger picture and reaching into the grab bag for a Mix & Match episode as we cover a slew of stories from this past month!

On our checklist for today:

  1. A bug worthy of Groundhog Day
  2. More Windows malware makes its way to macOS
  3. Even video games can have vulnerabilities
  4. Another new piece of Mac malware surfaces
  5. Revelations about the truth behind Fruitfly
  6. Amazon’s lack of transparency

A bug worthy of Groundhog Day

Pranksters are at it again, spreading chaos around with some malicious links. If you haven’t recently updated your iOS device to version 11.2.5 or grabbed the latest version of macOS, be careful about the links you click on when using your Messages app. Around the middle of January, a link appeared on Twitter that, when sent to another user, could be used to cause instability and crashes on macOS and iOS. Apple did issue a patch for the problem, but not before it made quite the splash on Twitter.

The individual who uncovered this flaw notified Apple in advance of publishing his findings publicly, but said he would not wait for a fix to be in place because he hoped to make a point. In this person’s view, Apple was not taking these types of bugs seriously enough — thus his hope that calling public attention to it would spur them to action. Pranksters using this link had some leeway with how they wanted to trick their friends into clicking the bogus link; it began with a GitHub link (an online source code repository), but one could have customized the link’s appearance to trick someone else. Of course, the pranksters could even end up crashing their own Messages app in the process.

This time, there was nothing truly malicious about the exploit. It caused no permanent damage, and affected devices could eventually recover. However, that might not always be the case; it’s likely that someone could subsequently craft a malicious message that could cause serious disruption. It’s the type of thing we’ll continue to watch for going into the future. Apple has frequently issued patches for “maliciously crafted messages” that could trick the system into executing arbitrary code. In the past, some malicious links could have been used to remotely jailbreak a phone and install spyware, as with the Pegasus exploit from back in the day.

If all of this sounds familiar, don’t worry — you aren’t trapped in Groundhog Day, and you haven’t experienced a severe case of deja vu. We’ve seen a few bugs like this in the past, and one of them just recently made our 2017 Apple Security Year in Review. Last time, it was all about freezing up Messages by tricking it with special emojis it lacked the capacity to display. If you’d like to revisit that topic, you’ll find out all about it in Episode 71 of The Checklist.

More Windows malware on macOS: the emergence of MaMi

Next up on our list is what might be the very first new threat for macOS making the rounds in 2018. Uncovered thanks to the efforts of prolific Apple security researcher Patrick Wardle, the first sign that something was amiss came from a forum post where a user was struggling to correct a strange issue. Suspecting that something undetected was at play — the symptoms described by the user didn’t match any malware Wardle knew about — he and other researchers dug deeper. Ultimately, they uncovered malware which has been dubbed MaMi.

Its primary purpose is to “hijack” and change the DNS that your Mac uses to connect to the Internet. DNS stands for domain name service, and you can think of it as sort of a master list of all the possible destinations out there on the Web. Your ISP provides you with access to their DNS servers, and other companies, such as Google, also host free and secure servers. A trustworthy DNS server is essential for the ability to arrive at your intended destination on the Internet.

MaMi hijacks your DNS settings, changing them to point to servers presumably controlled by the hackers behind the malware. It also dumps a new root certificate into your keychain and makes other changes that could allow it to execute a man in the middle-type attack in the future. That’s a type of attack that involves the bad guys getting in between you and the website you want, intercepting your traffic, and potentially phishing for your data, or tricking you into downloading more malware.

At the moment, it appears that MaMi is still in the early stages of being developed.  That doesn’t mean it’s not fully featured, though. Aside from laying the groundwork for future attacks, MaMi also contains a host of other standard malware features, including the ability to take screenshots and to control your mouse clicks. (This is something that could be used for click fraud, a type of advertising scam used to generate revenue illicitly.) The initial infection seems to have occurred through a malvertising pop-up — but so far, the main routes of infection are still shrouded in relative mystery.

The good news is that MaMi should have a hard time infecting the machines of savvy users, since users must agree to download it and must then run the installer. It’s an unsigned program — meaning macOS will warn you that you might not want to run such software. That warning is often a good sign that you should turn back from what you’re doing; always view unsigned software as untrustworthy unless you are 100% certain its origin was trustworthy.

Perhaps most interestingly, it appears that MaMi is not a macOS original — it may have crossed over from Windows after some hacker made an effort to port the code. Analysis shows MaMi shares several design features with a known piece of Windows malware called DNSUnlocker. Both use very similar DNS addresses when altering their infected machine, which seems to indicate the servers reside on the same network. Additionally, their security certificate is identical, lending more credence to the idea. Though DNSUnlocker hit the scene in 2015, it seems likely that this is yet another example of malware authors turning their sights on macOS due to its increased popularity.

How can you tell if you’re already infected? You’ll need to open your System Settings to check your DNS — if you see DNS addresses that include 82.163.142.137 or 82.163.143.135, MaMi has hit your machine. You can also check your keychain for an entry called “Cloudguard.me” which also indicates the presence of an infection. Definitions for this malware and repair methods continue to roll out for anti-malware programs.
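The check described above can be scripted. The following is an added example, not part of the original show notes or of any SecureMac tool: it looks for the two DNS addresses and the “Cloudguard.me” certificate name in the output of the macOS `scutil --dns` and `security find-certificate -a` commands. The sample outputs are constructed, and the function names are this example's own.

```python
import ipaddress
import re
import shutil
import subprocess

# Indicators quoted in the text above.
MAMI_DNS = {"82.163.142.137", "82.163.143.135"}
MAMI_CERT = "cloudguard.me"  # matched case-insensitively

# A dotted quad that is not embedded in a longer run of digits and dots.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")

# Constructed samples shaped like `scutil --dns` and
# `security find-certificate -a` output; not captured from a real machine.
SAMPLE_INFECTED_DNS = """resolver #1
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
"""
SAMPLE_CLEAN_DNS = """resolver #1
  nameserver[0] : 192.0.2.53
  nameserver[1] : 182.163.142.137
"""
SAMPLE_KEYCHAIN = '    "labl"<blob>="cloudguard.me"\n'


def mami_dns_hits(resolver_text):
    """Return the MaMi DNS servers present in resolver output, sorted."""
    hits = set()
    for token in IPV4_RE.findall(resolver_text):
        try:
            addr = str(ipaddress.IPv4Address(token))
        except ValueError:  # e.g. 999.1.1.1
            continue
        if addr in MAMI_DNS:
            hits.add(addr)
    return sorted(hits)


def cert_listed(keychain_text):
    """True if the certificate name appears anywhere in a keychain listing."""
    return MAMI_CERT in keychain_text.lower()


def run(cmd):
    """Return a command's stdout, or '' when the tool is not installed."""
    if shutil.which(cmd[0]) is None:
        return ""
    done = subprocess.run(cmd, capture_output=True, text=True,
                          errors="replace", check=False)
    return done.stdout


def check_this_mac():
    """Query the live resolver configuration and the default keychains."""
    return {
        "dns_hits": mami_dns_hits(run(["scutil", "--dns"])),
        "cert_present": cert_listed(run(["security", "find-certificate", "-a"])),
    }


if __name__ == "__main__":
    print(check_this_mac())
```

An empty `dns_hits` list together with `cert_present` set to `False` means neither indicator from the text was found; it does not rule out other malware.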

While this is the first new Mac malware we’ve seen in 2018, it certainly won’t be the last. We’re likely to see more from MaMi in the coming months, as well, especially if the hackers behind it continue to refine its abilities. Remember to be careful about what you click on and to exercise caution when you choose to download new software — as we saw last year, sometimes even legitimate websites can end up accidentally serving up malware.

Even video games can have vulnerabilities

Typically, we don’t think of video games as a potential source for serious security vulnerabilities. However, a recent incident involving one of the biggest game publishers in the industry shows that’s not entirely true. It all starts with some inventive research by a vulnerability investigator working for Google, Tavis Ormandy, who posted a link to a bug report on his Twitter account. The bug in question concerns a vulnerability present in all the products published by Blizzard Games.

Even if you don’t know Blizzard, you probably know about at least one of their products. As a veteran of the industry, Blizzard has put out some of the biggest titles ever, including Diablo, World of Warcraft, Starcraft, and most recently, Overwatch. Altogether, Blizzard serves up games to roughly half a billion active users each month — which means this bug could have potentially impacted a huge number of gamers. So, what happened?

It all has to do with a small software service that runs in the background of a gamer’s machine called Blizzard Update Agent. Its purpose is simple: to streamline the process for installing or uninstalling Blizzard games, tweaking settings, or downloading and applying patches and updates. Every user who has a Blizzard game installed on their machine has the Update Agent service running. As part of this functionality, it must be able to communicate with your games, and to do so, it has a purpose-built method for authenticating your game client. In other words, it checks to be sure it’s receiving legitimate instructions.

What Tavis uncovered is that despite this authentication effort, Blizzard did not protect against a particular type of attack known as DNS rebinding. This is a method wherein a website creates a DNS name that it is authorized to communicate with, then makes that DNS name point to the localhost — that is, the computer itself. The Blizzard Update Agent allows commands from the localhost without any other authorization. As a result, any website could potentially send unauthorized commands directly to the Blizzard Update Agent. Both Windows and Mac machines were vulnerable in this situation; console systems, such as Xbox and PlayStation, would likely not have been exposed to risk due to differences between the systems.
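A common defence against DNS rebinding is for the local service to reject any request whose Host header is not a loopback name, since a rebound request still carries the website's own domain in that header. The following is an added example of that check, not Blizzard's code and not a description of its actual fix; the handler, the function names and the domain used in the demo are hypothetical.

```python
import http.client
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def split_host(value):
    """Split a Host header into (host, port or None); None if malformed."""
    value = value.strip().lower()
    if value.startswith("["):  # bracketed IPv6 literal such as [::1]:8765
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, port = value.partition(":")
        rest = sep + port
    if rest == "":
        return host, None
    if not rest.startswith(":") or not rest[1:].isdecimal():
        return None
    return host, int(rest[1:])

def host_is_loopback(value, listen_port):
    """True only if the Host header names this machine and this port."""
    parsed = split_host(value or "")
    if parsed is None:
        return False
    host, port = parsed
    if (80 if port is None else port) != listen_port:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name, e.g. the domain used for rebinding
        return False

class AgentHandler(BaseHTTPRequestHandler):
    """Hypothetical local agent that refuses requests sent to other names."""
    def do_GET(self):
        port = self.server.server_address[1]
        if not host_is_loopback(self.headers.get("Host"), port):
            self.send_error(403, "Host header is not a loopback name")
            return
        self.send_response(200)
        self.send_header("Content-Length", "3")
        self.end_headers()
        self.wfile.write(b"ok\n")

def statuses_for(host_templates):
    """Run the agent on a free loopback port; return one status per Host."""
    server = HTTPServer(("127.0.0.1", 0), AgentHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    statuses = []
    for template in host_templates:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.putrequest("GET", "/", skip_host=True)
        conn.putheader("Host", template.format(port=port))
        conn.endheaders()
        statuses.append(conn.getresponse().status)
        conn.close()
    server.shutdown()
    server.server_close()
    return statuses

if __name__ == "__main__":
    print(statuses_for(["127.0.0.1:{port}", "rebind.attacker.example:{port}"]))
```

Run directly, the demo sends the same request twice over loopback and differs only in the Host header: the loopback name is served and the foreign name is refused with 403.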

While it’s a relief that one of the “good guys” found this bug out, what if a malicious hacker or a nefarious group had found it first? Imagine the potentially catastrophic consequences if a hacker could use a website you visit to force a background service to download and install malware. It was a wide-open door, and Tavis quickly moved to contact Blizzard and communicate about the issue.

However, Blizzard ceased communications when they released a patch for the problem, at which point Tavis posted his bug report publicly to his Twitter, presuming the issue was resolved. As it turns out, though, the patch did not fix the problem after all and there was actually a miscommunication between the two parties. With the story in the wild now, the company had to admit their mistake, saying they were still working on an actual fix. Three days later, a fresh version of the Update Agent hit user machines, solving the problem altogether. While this loophole has closed, it should be a big wake-up call — any kind of software can potentially open a door for a hacker.

Another new piece of Mac malware surfaces

January 2018 had one more new malware threat to reveal, and it was another piece of cross-platform malware, much as MaMi seemed to be. In this case, the malware in question has previously targeted both Windows and Linux machines. Called CrossRAT, it was discovered by the Electronic Frontier Foundation (EFF) in connection with Lookout, a security company. This tool seems to be in use by a major digital espionage group known as Dark Caracal.

The Dark Caracal group is a mysterious team that has been waging a campaign of espionage against global targets, including governments, banks, manufacturers, defense contractors, the military, and even basic utility companies. We’ve seen attacks hit everywhere from North America and Europe into the Middle East and Asia, and CrossRAT is one of the tools they use to look for data to steal.

This spyware uses Java as its base coding language, making it highly adaptable for running on different platforms. Like most other RATs (remote access tools), it can take screenshots, run arbitrary code of its own, open your files, and even engage in manipulation of the file system itself. Once a machine is infected with CrossRAT, Dark Caracal can use it to mine the user’s data. Based on research by the EFF and Lookout, Dark Caracal relies heavily on phishing to trick victims into infecting themselves with CrossRAT. However, sometimes it has been physically loaded onto target machines!

There is good news, though. Most Mac users will be immune to CrossRAT by default, as macOS no longer ships with Java installed from the start. The average user doesn’t need to keep the entire Java framework installed, and CrossRAT cannot function without it.

The truth about Fruitfly

Now, this is a threat we’ve talked about here on The Checklist before — in fact, it’s come up a few times in the past. We first touched on Fruitfly in an episode in March of 2017, and we most recently covered it again during our 2017 year in review — for full details about what we knew back then, check out the show notes for those episodes in our archives. But let’s do a quick recap as to what Fruitfly is before we start dissecting the latest news.

Fruitfly is a powerful yet quirky piece of malware that opens a backdoor onto the Macs it infects and allows its controller to exercise a lot of control over your machine. It enables all kinds of creepy behavior, such as letting the controller watch what you type, take pictures, and record audio through your webcam, and much more. Discovered on a machine in a sensitive corporate environment initially, many researchers believed it was a tool for corporate espionage.

We also knew that it had likely gone undetected for some time based on the appearance of antiquated code from very old versions of Apple’s operating systems. After the news broke last year, Apple was quick to close the loopholes exploited by Fruitfly and antimalware definitions went out far and wide to ensure no one else could end up with infected computers.

So, while we knew Fruitfly had been around the block a few times, we didn’t know much else about it — now, we’re getting a look behind the curtain, as the alleged author of Fruitfly is now in custody after the conclusion of an FBI investigation. As it turns out, the truth is far more disturbing than mere corporate espionage.

The accused is a man named Philip Durachinsky, a 28-year-old programmer who hails from Ohio. In early January, he was arrested and charged with a variety of computer crimes and other serious offenses related to his use of Fruitfly. Authorities say that he operated the malware for more than 13 years in total — and that offers an immediate explanation as to why the software contained so many old and outdated system calls. It’s also an opportunity to do some math — if he’s 28 now and Fruitfly was spying on people for 13 years, that means Durachinsky wrote and deployed Fruitfly for the first time when he was just 15.

We can’t think of any 15-year-olds who start out aiming to spy on major corporations, but regardless of Durachinsky’s motivations, what he did was reprehensible. From recording conversations taking place in the same room as a victim’s computers to logging their every keystroke and even receiving alerts when they typed adult search terms into Google, it seems he left no stone unturned.

Beyond simple spying, he also allegedly stole tons of personal information, including sensitive conversations, tax records, bank statements, and even private medical records. We don’t yet know whether he ever intended to use these items for blackmail, or if he used them for private financial gain. However, it seems likely that if he had threatened victims, Fruitfly would have been discovered much sooner. Therefore, it seems he was a passive observer in many cases. The exact infection method is still unclear as well — but we know Fruitfly eventually ended up in some high places, including police departments, hospitals, and even a secured government computer. For now, details remain limited to what the FBI and prosecutors have released. More information may become known as the court case unfolds. Durachinsky could face years in jail if convicted.

It’s not often we get such a direct look at the face behind a piece of malware, nor do we frequently get answers as clear about where it originated. It’s a telling glimpse into what hackers are doing and what they can achieve when they gain a foothold on your machine through an infection. It’s not just the potential for financial damage, either — the sheer fact that a third party lurked on so many computers is creepy enough!

This example should serve as an important reminder to all of us to stay safe and up to date. Running anti-malware scans and reporting suspicious behavior you notice to security companies can help to keep you safe. Of course, we have a wealth of information on how to do that waiting for you in our archives!

Amazon’s worrying lack of transparency

Let’s turn our attention now to something else that relates to your personal data, but which doesn’t have anything to do with your typical hacker or even malware. How often do you think about all the data you generate just by using products and services? All those Google searches, the silly questions you ask Siri, the products you purchase on Amazon — all that is information that, when combined, can tell someone a lot about you. That’s why that information is so valuable to companies — and so coveted by law enforcement and the government.

Concerns about government surveillance of the Internet and our activity on the web have been around for many years. Since 2010, increasing interest in understanding how the government interacts with our digital data led many of the tech giants to begin creating “transparency reports” — documents that reveal how many and what type of government requests they’ve received, be they subpoenas, search warrants, or other requests for information. Google was the first to take the lead on this front, and since then, many others have followed, including Facebook and Apple. In fact, Apple provides a quite detailed breakdown of the requests they receive globally.

These reports are necessary not because they can help someone avoid detection of illicit activity, but because they inform us about how the government requests and uses user data. Not only does this allow us to make more informed choices about who we do business with, but it can also put a spotlight on abuses and help prevent them. Overuse of official requests for information, or a particularly targeted series of requests, would show up in these reports and potentially trigger a public backlash. Thus, they play an essential informational role along with a part in a delicate balancing act.

So, what about Amazon? The gargantuan company doesn’t just sell us products — Amazon powers the web with their cloud servers and has entered millions of our homes with the advent of the Alexa digital assistant and the Echo line of hardware. The Echo especially is a potential privacy concern, given that it’s always listening for key phrases — and that means it could potentially overhear things you’d rather not have repeated. Think of all the data that Amazon might hoard on an individual user and it’s easy to see why it, too, would be a target for surveillance. So how does Amazon handle those requests?

Well, we don’t really know. While Amazon does release transparency reports of its own, they are by far the least helpful documents provided by any of the major tech giants. Not only are they as vague as possible, but they contain very little of substance otherwise. Amazon only chooses to report the total number of data requests they receive, alongside how many they decided to approve or reject. Other than that, we get nothing — no breakdown of requests by service or by type, no geographical information, and certainly nothing as detailed as what Apple releases. We don’t even know how many people those data requests might have involved.

The result: a tech company that claims to be transparent but remains very opaque. While we’re not saying that Amazon cavalierly hands over your information to the government, we have no way to know the real situation. So far, Amazon doesn’t seem too concerned with making changes. That’s worrying on its own, and more so when we consider the increasing popularity of digital personal assistants and smart home features. Apple, for its part, has already pledged to anonymize all the data produced by their upcoming HomePod, meaning they will not be able to supply personally identifiable information even when requested. Otherwise, the idea of a device the government could tap to listen in directly to a suspect’s home is still feasible — and one worth our concern and activism.

Unless something changes, public pressure on Amazon from consumers and businesses seems the best way to push for greater transparency. We all have a right to know how and when our data is exposed, even and especially if it’s the police or the government asking to look. Transparency reports aren’t transparent if they don’t tell us anything of value. Hopefully, this is a lesson Amazon will soon learn and take to heart.

An update on Apple’s Spectre & Meltdown fixes

Finally, for today, we’d like to take just a quick moment to pivot back around to Spectre & Meltdown. Check out Episode 73 for our full breakdown of what’s up with these flaws, but the important news this week is that Apple has finally taken further steps to mitigate these severe issues on older platforms.

When the first round of fixes came out, some older versions of macOS and OS X were left unprotected, with conflicting statements about whether any were forthcoming. With the release of macOS Sierra 10.12.6 and El Capitan 10.11.6, Apple closes these loopholes for two more of their recent operating systems. Remember to upgrade right away if you continue to use one of these older operating systems — while we haven’t detected malware leveraging these problems yet, it’s likely only a matter of time.

If you’re still hanging around on a version that predates El Capitan, it’s time to get with the times! Apple has introduced a host of new features, security and otherwise, that you can take advantage of alongside the fixes for Spectre & Meltdown. While there may be further tweaks made in the future, it seems unlikely Apple will continue to roll out patches for legacy systems used today by only a fraction of users.

That’s everything we have to cover for you today. With Fruitfly shut down for good, we can rest a little easier — but with the emergence of MaMi and a Mac malware scene that grows more complex every day, this is not the time for complacency. Meanwhile, it’s always worth asking how the companies you do business with use your data — and it’s worth considering whether we should demand greater accountability when we turn over our information.

We welcome your feedback, comments, questions, and even topics for future episodes! You can send us an email at Checklist@SecureMac.com to let us know what’s on your mind. Want to check out some of our past episodes to catch up, learn more, and improve your security knowledge? All our show notes are available right here, going all the way back to Episode 1. While you’re at it, tell a friend to tune in and share the wealth of knowledge with them.
