Researchers have identified the Mac malware that infected employees of Apple, Facebook, and Twitter, and say it may have been used to compromise machines in other US organizations, including auto manufacturers, government agencies, and a leading candy maker, according to a published report. Pintsized.A is a new family of Mac malware that uses an exploit to bypass Gatekeeper, an OS X protection that allows end users to tightly control which sources are permitted to install apps , according to an article published Monday by The Security Ledger. Mac antivirus provider Intego says the trojan masquerades on infected machines as Linux printing software known as cupsd, although it runs from a different location than the legitimate title. It’s unclear exactly how the malware gets around Gatekeeper. Once installed, Pintsized establishes a reverse shell to a command and control server controlled by the attackers. It uses a modified version of the OpenSSH utility to encrypt traffic, a measure that can help it remain undetected on infected networks. One of the domain names that hosted such a server was corp-aapl.com. It caught the attention of members of Facebook’s security team, tipping them off that there was an infected machine inside their network . When they later took control of the domain, they discovered multiple other companies were also compromised by the same attackers. Around the same time, Apple , Twitter , and Microsoft were also hit with attacks that meet the same pattern. Read 1 remaining paragraphs | Comments
Link:
Mac malware that infected Facebook bypassed OS X Gatekeeper protection
Aurich Lawson Early on Halloween morning, members of Facebook’s Computer Emergency Response Team received an urgent e-mail from an FBI special agent who regularly briefs them on security matters. The e-mail contained a Facebook link to a PHP script that appeared to give anyone who knew its location unfettered access to the site’s front-end system. It also referenced a suspicious IP address that suggested criminal hackers in Beijing were involved. “Sorry for the early e-mail but I am at the airport about to fly home,” the e-mail started. It was 7:01am. “Based on what I know of the group it could be ugly. Not sure if you can see it anywhere or if it’s even yours.” The e-mail reporting a simulated hack into Facebook’s network. It touched off a major drill designed to test the company’s ability to respond to security crises. Facebook Facebook employees immediately dug into the mysterious code. What they found only heightened suspicions that something was terribly wrong. Facebook procedures require all code posted to the site to be handled by two members of its development team, and yet this script somehow evaded those measures. At 10:45am, the incident received a classification known as “unbreak now,” the Facebook equivalent of the US military’s emergency DEFCON 1 rating. At 11:04am, after identifying the account used to publish the code, the team learned the engineer the account belonged to knew nothing about the script. One minute later, they issued a takedown to remove the code from their servers. Read 31 remaining paragraphs | Comments 
