OS X Malware Relies on Open Source Code

Tuesday, October 21, 2014 @ 04:10 PM gHale

As Apple products get more widely accepted in industry, bad guys are creating more ways to infiltrate systems.

One of those packages is malware created for Mac systems that integrates a keystroke-interception component available on code-sharing websites.


The sample, discovered by researchers and called Ventir, contains a backdoor and a spying utility in addition to its keylogging capabilities.

Bad guys have turned to publicly available code to carry out malicious activities. Malware researchers from Kaspersky Lab detected a modular malware for OS X that relies on LogKext, an open-source software package for capturing user keyboard input.

Detected by the company’s products as “not-a-virus:Monitor.OSX.LogKext.c,” LogKext hooks into the kernel of the operating system to achieve its goal.

The item is a legitimate file abandoned by its original developer and passed to a different maintainer, who updated it to work on OS X Mavericks (10.9); it is freely available for download from GitHub.

Mikhail Kuzin of Kaspersky said in a blog post that LogKext is added to the compromised computer only if the dropper successfully obtains elevated privileges on the system.

LogKext consists of three files: one intercepts the keystrokes (updated.kext), one maps the key codes to the characters associated with those codes (Keymap.plist), and one logs the keystrokes along with some system events (the EventMonitor agent).

The first thing the malware package does after launching is check whether it has root access. Depending on the result, it installs either all the files of the keylogging component it includes, or only the agent that logs the name of the currently active window and the keystrokes; the result also determines the installation path of the Trojan files.
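Because the root-privileged install path loads a kernel extension to capture keystrokes, a quick defensive check on an OS X host of this era is to inventory loaded kexts and flag anything outside Apple's namespace. The script below is an added example, not code from the article or from Kaspersky. It parses `kextstat` output (the kext listing tool on OS X 10.9; on a live machine it tries `kextstat -l` and falls back to a constructed sample so it runs offline). The bundle identifier `com.example.updated` in the sample is a hypothetical stand-in: the article names the kext file (updated.kext) but not its bundle identifier.

```python
import re
import subprocess

# Constructed sample, not output from an infected machine. It mimics the column
# layout of `kextstat` on OS X of the Mavericks era. "com.example.updated" is a
# hypothetical identifier for the keylogger's kext; the real one is not known here.
SAMPLE_KEXTSTAT = """\
Index Refs Address            Size       Wired      Name (Version) <Linked Against>
    1   85 0xffffff7f80a3c000 0x9000     0x9000     com.apple.kpi.bsd (13.4.0)
   15    0 0xffffff7f81e00000 0x21000    0x21000    com.apple.driver.AppleUSBHub (666.4.0) <14 12 9 5 4 3 1>
   98    0 0xffffff7f82fa0000 0x7000     0x7000     com.example.updated (1.0.0) <5 4 3 1>
"""

# One kextstat row: index, refs, three hex columns, bundle id, version in parentheses.
_ROW = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<refs>\d+)\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+"
    r"0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+\((?P<version>[^)]*)\)"
)


def parse_kextstat(text):
    """Return a list of {index, name, version} dicts; header and junk lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            entries.append({"index": int(m.group("index")),
                            "name": m.group("name"),
                            "version": m.group("version")})
    return entries


def flag_third_party(entries, trusted_prefixes=("com.apple.",)):
    """Return entries whose bundle identifier does not start with a trusted prefix."""
    return [e for e in entries
            if not any(e["name"].startswith(p) for p in trusted_prefixes)]


def live_listing():
    """Run `kextstat -l` on the current host; return "" if the tool is unavailable."""
    try:
        return subprocess.run(["kextstat", "-l"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return ""


if __name__ == "__main__":
    text = live_listing() or SAMPLE_KEXTSTAT
    for e in flag_third_party(parse_kextstat(text)):
        print(f"third-party kext loaded: {e['name']} {e['version']} (index {e['index']})")
```

The identifier prefix is only a triage aid: nothing stops a kext from choosing an Apple-looking bundle identifier, so anything flagged (and anything suspicious that is not flagged) should be confirmed against the kext's code signature and its on-disk location. Note also that this check covers only the root-privileged variant the article describes; the non-root install drops just the user-level agent and loads no kext, so it would have to be found among running processes and launch agents instead.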

The backdoor communicates with the command and control (C&C) server and receives commands. These can be anything from rebooting the computer, removing the malware from the system, and downloading updates from the C&C machine and executing commands, to uploading data to the system controlled by the attackers.
