BlackHole RAT 2 Trojan Horse for Mac OS X Discovered

BlackHole RAT 2 Trojan Horse for Mac OS X Discovered

As predicted by the SecureMac team, the new version of BlackHole RAT 2 was officially released on a hacker message board this weekend, with some slight differences from the earlier version analyzed by SecureMac. The trojan horse, once installed, disguises itself as a Java Updater. In addition, the author is now referring to the trojan as Freeze RAT, but it contains much of the same code as BlackHole Rat 2.0a. The new version has a more complicated installation process that requires physical access to the computer, so SecureMac continues to rate this as a low threat.

April 3, 2011 • 3 min read
Vulnerability Found in Mac OS X 10.5

Vulnerability Found in Mac OS X 10.5

Core Security has discovered a vulnerability in Mac OS X 10.5 which could be used by a remote attacker to execute arbitrary code by getting the user to download a PDF document containing a embedded malicious CFF font. The advisory shows a communication timeline with Apple as well.

November 10, 2010 • 1 min read
Boonana Trojan Horse trojan.osx.boonana.a

Boonana Trojan Horse trojan.osx.boonana.a

Visit the Boonana advisory page for more details about the Trojan horse trojan.osx.boonana.a including initial analysis and removal instructions or download Boonana Trojan Horse Removal Tool directly.

October 28, 2010 • 3 min read
Trojan Horse Alert: HellRaiser (aka OSX/HellRTS.D)

Trojan Horse Alert: HellRaiser (aka OSX/HellRTS.D)

Trojan Horse Alert: Intego recently alerted users to the presence of a new variant of the HellRaiser Trojan Horse, which they identify as OSX/HellRTS.D. SecureMac has analyzed this new variant and it is detected in the latest MacScan spyware definitions update (Spyware Definitions Version 2010006) as HellRaiser Trojan Horse 4.2. MacScan has detected previous variants of this trojan horse since 2005.

HellRaiser is a trojan horse that allows complete control of a computer by a remote attacker, giving the attacker the ability to transfer files to and from the infected computer, pop up chat messages on the infected system, display pictures, speak messages, and even remotely restart or shut down the infected machine.

The attacker can search through the files on the infected computer, choosing exactly what they want to steal, view the contents of the clipboard, or even watch the user’s actions on the infected computer.

In order to become infected, a user must run the server component of the trojan horse, which can be disguised as an innocent file. The attacker then uses the client component of the trojan horse to take control of the infected system.

Read more about HellRaiser Trojan Horse aka OSX/HellRTS.D

April 16, 2010 • 2 min read
Mac OS X Security Update

Mac OS X Security Update

Mac OS X security update (2010-001) has been posted by Apple fixing several security issues including a Adobe Flash. Other security fixes include CoreAudio, cupsd printing scheduler, issues with DMGs,TIFFs, SSL and TSL. To update your system access the software update icon within the System Preferences and check for updates.

More information at Apple KB Article.

January 18, 2010 • 1 min read
Safari Vulnerability

Safari Vulnerability

SecureMac Advisory

Posted: June 9th, 2009

Security Risk: Critical

Safari prior to version 4 (released June 8th, 2009) may permit malicious web pages to steal files from the local system simply by accessing a web page without further interaction. This vulnerability is present in both Mac OS X and Windows Safari. The attack is accomplished by mounting an XXE attack against the parsing of the XSL XML.

Chris Evans has documented this vulnerability in his advisory on his website http://scary.beasts.org/security/CESA-2009-006.html

Safari 4 is now available for download for both Windows and Macintosh systems. Suggested to …

June 7, 2009 • 1 min read
DNS Changer 2.0e Trojan Horse

DNS Changer 2.0e Trojan Horse

SecureMac Advisory

Posted: March 17th, 2009

Security Risk: Critical

Just after the DNSChanger 2.0d variant was identified, another new variant of the DNSChanger Trojan Horse, DNSChanger 2.0e, has been discovered in the wild. The trojan horse arrives in a disk image (some samples are called serial_Avid.Xpress.Pro.5.7.2.dmg), and is again disguised as an installer for “MacCinema,” just like the 2.0d variant. Once installed, the trojan horse behaves in a similar manner to past variants.

This variant is being distributed on websites offering “cracked” or pirated copies of software, and is initially disguised as a serial …

March 2, 2009 • 3 min read
Security Alert: Trojan found in Pirated copies of Apple’s iWorks 09

Security Alert: Trojan found in Pirated copies of Apple’s iWorks 09

Security Alert: A trojan is being distributed with pirated copies of Apple’s iWorks 09.

Pirated copies of iWorks 09 are being distributed with a trojan bundled in the installer package. Intego has released a warning recommending that users should not download iWorks 09 from pirate software sites.

The malicious software is installed in the startup items folders ( /System/Library/StartupItems/iWorkServices ) where it has full root privilege rights. Once installed the trojan connects to a remote server notifying it of the infected computers location on the net awaiting further instruction including the ability …

January 22, 2009 • 1 min read
DNS Changer Trojan Horse – SecureMac Removal Instructions and Anniversary Followup

DNS Changer Trojan Horse – SecureMac Removal Instructions and Anniversary Followup

SecureMac Security Bulletin

Posted: December 17th, 2008

Security Risk: Critical

Halloween marked the one-year anniversary since the DNSChanger Trojan Horse was discovered in the wild, and in that time it has grown to become the single most widespread piece of malware on OS X. In order to promote safe web browsing, SecureMac has issued a bulletin on the DNSChanger Trojan Horse, with information on common symptoms of infection, ways to check for and remove the Trojan, and a list of safe practices when surfing the web.

Symptoms of Infection by DNSChanger Trojan Horse

    Website …

December 17, 2008 • 3 min read
Mac OS X Security Issue: FileVault Leaves Unencrypted Data Behind

Mac OS X Security Issue: FileVault Leaves Unencrypted Data Behind

Mac OS X FileVault Security Advisory
Advisory Title: FileVault Leaves Unencrypted Home Data Behind
Release Date: 2003 November 6
Fix Date: Mac OS X 10.4 (May 2005)
Affected Product: Mac OS X 10.3 Build 7B85
Impact: Unencrypted Data Left Behind
Where: Local System
Author: CodeSamurai (codesamurai@mac.com)

Update (Mac OS X 10.4): With the release of Mac OS X 10.4 (Tiger), Apple has included a fix for this in the FileVault enabling process. When the user goes to enable FileVault on their user account in System Preferences, one of the sheets will now have a “Use secure erase” checkbox. …

November 6, 2003 • 3 min read
Mac OS X Security Issue – USB Keyboard Root Access – Mac OS X 10.2.7 and Prior

Mac OS X Security Issue – USB Keyboard Root Access – Mac OS X 10.2.7 and Prior

Advisory Title: USB Keyboard Init Crash -> Root Access
Release Date: 2003 October 31
Affected Products: Mac OS X 10.2.7 and prior (possibly 10.2.8)
Severity: Moderate
Impact: Root Access
Where: Local System
Author: Jason Storm (jms@lasergun.org)

VULNERABILITY

With access to a USB Keyboard connected to the computer running Mac OS X 10.2.7 and prior (and possibly 10.2.8) the user can hold down control-c during startup to be dropped to the administrative full controlling root shell prompt due to init crashing.

init will crash within three minutes into the booting process and will drop you into a root shell. With …

October 11, 2003 • 2 min read
Mac OS X Security Issue: Screen Lock Security Bypass Mac OS X 10.3 Panther

Mac OS X Security Issue: Screen Lock Security Bypass Mac OS X 10.3 Panther

Affected Product: Mac OS X 10.3 Build 7B85
Severity: Low
Impact: Security Bypass
Where: Local System
Author: CodeSamurai (codesamurai@mac.com)

VULNERABILITY

With access to the keyboard, an unauthorized user can access the currently active screen-locked user environment. However, there is only a relatively small opening in the period of time in which the keys events get through; completing complicated operations at the keyboard have shown to be highly tedious in actual practice thus far.

EXPLOIT

With the screen effect active, keys pressed before the authentication window appears will be sent to the general user environment.

PRACTICAL TESTS

Tested Examples:

 An open word …

October 4, 2003 • 2 min read