Symantec Blogs: Security Response

Alfredo Pesoli | February 10th, 2009

While analyzing the recent OSX.Iservice.B threat I noticed some interesting API calls that were dealing directly with the Mac OS X authorization mechanism. There are plenty of interesting analyses and discussions about Windows UAC, regarding both Vista (Ollie’s post) and the recent Windows 7 UAC.

The authentication mechanism is an important part of overall OS security, especially when we’re talking about malicious code that tries to pass itself off as a real and safe application in order to fool end users. Before digging into details, I’d like to stress one fact: it’s not a vulnerability, but simply a feature of the OS that can be used and abused from a social...

Alfredo Pesoli | November 26th, 2008

Let me introduce you to the new "Trojan kit," which is a member of the "…no, I don't require root privileges…" class of malicious code targeting Mac OS X. A while ago we received a sample of a new Trojan affecting the Apple operating system. OSX.Lamzev.A is the first sample we’ve seen from this threat family. It’s an easily customizable Trojan kit that could be the first of a long list of malicious code clones.

So, what do we mean by Trojan kit and what makes it stand out from the crowd? The only noteworthy feature is the way in which it infects clean applications: the Trojan hijacks a common feature that Mac OS X applications use to launch themselves. It is a smart but simple hack!

Initially, when the Trojan is run, a command prompt will appear, in which the attacker can configure the application that he or she wants to “Trojanize” (figure 1). The Trojan needs to be...

Alfredo Pesoli | March 20th, 2008

This week, our friends at Trend blogged about a new misleading application for the Mac. We decided to take a look at it as well. The application, named iMunizator, is a variant of the well-known rogue antivirus product called Macsweeper, which we have blogged about previously.



When launched, iMunizator performs a full scan of the system and
soon after it reports the “problems” that it found. Worryingly, some of
the files detected by iMunizator are actually safe system binaries that
should never be removed—files with "app" extensions. See the screenshot
below:



...