Janicab ushers in cross-platform era as OS X becomes more appealing target.
Researchers have uncovered a family of malware that targets both Windows and OS X. Janicab.A, as the trojan is known, is also unusual because it uses a YouTube page to direct infected machines to command-and-control (C&C) servers and follows a clever trick to conceal itself.
The threat first came to light last week, when researchers from F-Secure and Webroot documented a new trojan threatening Mac users. Like other recently discovered OS X malware, Janicab was digitally signed with a valid Apple Developer ID. It also used a special unicode character known as a right-to-left override to make the infection file appear as a PDF document rather than a potentially dangerous executable file.
On Monday, researchers from Avast published a blog post reporting that Janicab can also infect computers running Windows. The strain exploits a vulnerability Microsoft patched in 2012 to install a malicious Visual Basic script that can remain active even after infected machines are restarted.
Like the Mac versions, Janicab randomly chooses a YouTube link from a hard-coded list to find the C&C server that issues updates and instructions. One such page contained the words “just something i made up for fun, check out my website at 18.104.22.168/cc bye bye.” Researchers presume the IP address may have been the location of one of the C&C servers.
Interestingly, the Windows variant observed by Avast simply awaits instructions from its operator. The Mac version, by contrast, sends captured screenshots and audio to the attackers. The reports don’t say how many machines have been infected by Janicab. Most likely, the malware is in some sort of beta phase as its developers try to gain experience in creating cross-platform threats. With the growing use of OS X, it’s not surprising to see malware that targets that platform. It’s a bit more unusual to see the malware that can also infect Windows. We’re probably at least a few years away from cross-platform malicious software that adds Linux to the list, but it’s certainly within the realm of possibility.
No, OS X *always* warns on opening a file from the internet (as does Windows from what I remember).
The difference is that Gatekeeper has three options:
1. Allow from the Mac App Store only
2. Allow from the MAS and “identified developers” (default)
3. Allow from anywhere
Personally, I think Apple should just change the default to #1. #2 is pretty broken by design – Apple does not vet people who try to get developer keys. The keys can be blacklisted, but since they’re so easy to obtain that’s not a much help. There’s already a warning when running blocked apps with #1 or #2, so power users shouldn’t have much trouble figuring out what’s the problem and switching to a lower security level.
Users should only be able to run software that conforms to the App Store’s terms and conditions by default? These are the terms and conditions that block apps that show comics that Apple deems objectionable, GPL-licensed software, demos, and many more things. Can you imagine the uproar if MS were to do that? Yes, I know there’s a way around the restriction, but many users aren’t savvy enough to figure that out, so developers would be heavily discouraged from developing apps that can’t target those users.
Last edited by Solomonoff’s Secret on Tue Jul 23, 2013 12:12 pm
9687 posts | registered Nov 18, 2007
Solomonoff’s Secret wrote:
What are you talking about? The only thing required to get a valid ID is to pay the $99 fee.
Registering to do something means you ask permission and put yourself in the position to allow the registering authority to place conditions on your registration. The very idea that one must register with a 3rd party to publish software, or else the software won’t run as smoothly as it otherwise would, puts too much power in the hands of one company. Apple in particular has shown a tendancy to abuse that power.
More practically, if one were to write a controvertial app, as the initial version of PGP was at the time, it’s almost certain that the US Gov’t would pressure any company it could to get that software removed or at least to inconvenience users as much as possible (say, removing it from the app store and revoking the certificate). Apple has put itself in the position of being a gatekeeper and has also shown that it will bend to that kind of pressure (see removal of police checkpoint apps from the app store).
Developer registration and Gatekeeper make my computer more secure. As has been stated, Apple can easily revoke offending certificates, at which point my system (on its default settings) will let me know that software may not be legit. (Not that I’m dumb enough to install random crap, but other people sometimes are…)
On the other hand, look at the beauty of Windows’ free—i.e. sans-developer-certificate—system (sarcasm). What’s the first line of defense there—an antivirus application, albeit finally first-party by default. OS X’s frontline defense is inherently more secure because it is a whitelist, not a blacklist.
Also, we have not traded freedom for security on OS X. You can argue what may happen someday, but I’m focusing on the here and now; and here, there’s complete freedom on the developer’s part to not use Apple’s certificates at all. Installing non-signed software is a Google search away (or a phone call to your nephew if you’re one of those people). It’s also bunk that software doesn’t run as smoothly if unsigned. The only thing less smooth is starting it for the first time.