{"id":66247,"date":"2017-05-10T14:10:42","date_gmt":"2017-05-10T21:10:42","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=66247"},"modified":"2018-04-25T11:44:52","modified_gmt":"2018-04-25T18:44:52","slug":"snake-malware-ported-from-windows-to-mac","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/snake-malware-ported-from-windows-to-mac\/","title":{"rendered":"Snake Malware Ported from Windows to Mac"},"content":{"rendered":"

\"Snake<\/p>\n

Fox IT discovered<\/a> a macOS version of “Snake” malware, a nearly decade old Windows malware,\u00a0also known as Turla, Uroburos and Agent.BTZ, and\u00a0said to be a complex framework used for targeted attacks. Ported from Windows to Mac, Snake malware is\u00a0a trojan horse presented as a Flash Player update installer; if installed, Snake opens a backdoor on the infected Mac.<\/p>\n

Intego VirusBarrier<\/a> identifies and eradicates this trojan horse malware as OSX\/Snake<\/strong>.<\/p>\n

The Windows malware variant includes the ability to detect analysis tools like\u00a0wireshark and tcpdump, and it will not run if processes are active. On the Mac, this detection evasion system is not present.<\/p>\n

Trojans are used by malware authors so as\u00a0to create a backdoor\u00a0on\u00a0an infected system, typically to exfiltrate data from the infected machine. With\u00a0Snake for macOS, we can assume data is copied from the system, but whether this means files with a certain extension, screenshots, microphone or camera data is unclear at this time.<\/p>\n

What is the infection vector?<\/h3>\n

Infection vector is\u00a0currently unknown, however, phishing and spear phishing attacks are the most likely distribution methods. Snake’s Windows counterpart have been found in government institutions, military and large corporations, in the past. These are very specific targets, so running into this on a random website is unlikely at this time. That said, the macOS version of Snake is believed to be so new that it may not have been actively used yet. The author may continue\u00a0focus on the same high profile targets or could just let loose on the Web, making BitTorrent sites<\/a> a likely candidate as fake Flash Player pop-ups are the norm there.<\/p>\n

At the time the installer was signed with a valid Developer ID, under the name Addy Symonds<\/b>. This ID has since been revoked by Apple.<\/p>\n

How and where does Snake install?<\/h3>\n

The malware ends up on a system in the form of a zip file, named “Install Adobe Flash Player.app.zip.” When opened, a Flash Player installer application will appear. Upon opening the application, the user will be\u00a0immediately presented with the request for an administrator password.<\/p>\n

\"\"<\/p>\n

Once the password is provided, the installation will begin and the process will look\u00a0similar to\u00a0the real thing.<\/p>\n

\"\"<\/p>\n

This is because, in part, it is the real thing. Flash Player is actually installed on the system, but not before the following files are dropped on the now infected Mac:<\/p>\n

\/Library\/Scripts\/queue\r\n\/Library\/Scripts\/installdp\r\n\/Library\/Scripts\/installd.sh\r\n\/Library\/LaunchDaemons\/com.adobe.update.plist<\/pre>\n
The process “installdp” provides the backdoor to those on the other end of the Command & Control (C&C) server. Flash Player itself does not appear to be tampered with, but the usual vulnerabilities can be expected of it.<\/p>\n
Several invisible files are installed as well, detailed below.<\/p>\n
Should Mac users be concerned about Snake?<\/h3>\n
B aware of the way in which Snake\u00a0infects a system. It uses a real looking installer and is carefully crafted code. We recently saw SilverInstaller<\/a>\u00a0utilizing\u00a0the Mac malware and also employed\u00a0new techniques<\/a>.\u00a0For years, Intego has speculated\u00a0Mac malware would\u00a0steadily evolve and become more sophisticated.\u00a0And now with malware authors having\u00a0porting tried and true, sophisticated Windows malware over to the Mac, we believe this evolution process is sped up significantly.<\/p>\n
macOS is currently able to thwart malware in ways that do not allow it\u00a0to reach their full potential, but malware authors will likely find ways to deal with this. Snake runs on OS X 10.10 Yosemite, 10.11 El Capitan and macOS 10.12 Sierra.<\/p>\n
\"\"<\/p>\n
How to tell if your Mac is infected (and removal instructions)<\/h3>\n
As mentioned previously, these files are placed on the system during installation:<\/p>\n
\/Library\/Scripts\/queue\r\n\/Library\/Scripts\/installdp\r\n\/Library\/Scripts\/installd.sh\r\n\/Library\/LaunchDaemons\/com.adobe.update.plist<\/pre>\n
If these files are present, delete them and restart your Mac.<\/p>\n
The following files are also placed:<\/p>\n
\/var\/tmp\/.ur-*\r\n\/tmp\/.gdm-socket\r\n\/tmp\/.gdm-selinux<\/pre>\n
The .gdm- files are sockets and facilitate the communication between different processes. To gain access to the \/var and \/tmp folders, you’ll have to make them visible first as macOS hides them by default. Making invisible folders visible has the added advantage of being able to see the socket files as well, because those too are hidden with the period preceding their name.<\/p>\n
In macOS Sierra this can quickly be done with the following key combination:<\/p>\n
Command-Shift-. (period)<\/p><\/blockquote>\n
For older OS X versions this can be done by typing the following commands in the Terminal app:<\/p>\n
$ defaults write com.apple.Finder AppleShowAllFiles true
\n$ killall Finder<\/p><\/blockquote>\n
If present, delete the files and restart your Mac. When done, enter the same commands but change “true” to “false.”<\/p>\n
For Intego VirusBarrier<\/a> customers\u00a0with up-to-date\u00a0virus definitions, the antivirus software will\u00a0detect and remove all Snake files, identified\u00a0as OSX\/Snake.A<\/b>.<\/p>\n
How to protect yourself from Snake<\/h3>\n
Anything involving Flash Player should throw up a big red flag these days. There are just too many\u00a0fake Flash Player installers out there, and these\u00a0trojan horse scams may trick you into installing malware.<\/p>\n
Be vigilant when opening email attachments or with clicking on any pop-ups asking you to install something, which you may see while browsing the Web. If it is software you happen to be interested in, get it straight from the source instead of from that third-party popup window.<\/p>\n","protected":false},"excerpt":{"rendered":"
Fox IT discovered a macOS version of “Snake” malware, a nearly decade old Windows malware,\u00a0also known as Turla, Uroburos and Agent.BTZ, and\u00a0said to be a complex framework used for targeted attacks. Ported from Windows to Mac, Snake malware is\u00a0a trojan horse presented as a Flash Player update installer; if installed, Snake opens a backdoor on […]<\/p>\n","protected":false},"author":79,"featured_media":8763,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190],"tags":[174,3502,4099,4102,149],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\n