During the 2013 Oslo Freedom Forum, an annual conference focused on human rights, a new piece of spyware was discovered on an attendee's Mac. The spyware, which was discovered by security researcher Jacob Appelbaum, is currently being analyzed by F-Secure to fully understand what it does.
Appelbaum discovered the backdoor during a workshop in which freedom of speech activists could learn how to protect their devices from government monitoring. An interesting property of the spyware is that it’s actually signed with an Apple Developer ID. The use of Developer IDs for signing software is meant to prevent users from installing known malicious software, but isn't effective against newly discovered malware. Fortunately, now that the malware is known, Apple should be able to block installation of the malware by more users, and may have already done so.
What is known so far about the spyware is that it adds itself to the list of applications launched when the user logs in, ensuring it runs every time the victim logs in to their computer. While running, the spyware takes periodic screenshots and stores them in a directory called MacApp that it creates in the user’s home directory. Information was also uncovered about two C&C (command-and-control) servers apparently used by the spyware to upload the captured screenshots. C&C servers also let the spyware receive instructions from its author(s).
While the full impact of the spyware is not currently known, hopefully its reach is restricted by security features introduced with Gatekeeper. And with Apple's ability to block further installations of the spyware, the risk to other users should soon be mitigated. Users can easily check for the presence of the spyware on their own system by checking for the MacApp folder in their home directory.
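A quick triage script for the two indicators described above (the MacApp directory and the login-item persistence), added here as an example and not part of the original article. It assumes the screenshot directory is literally `$HOME/MacApp`, as the article states, and uses macOS's `osascript` to list login items, skipping that check where the tool is unavailable.

```shell
#!/bin/sh
# Added example (not from the original article). Assumption: the spyware's
# screenshot folder is exactly "$HOME/MacApp"; login items are queried with
# macOS's osascript and skipped on systems that lack it.

# Report on a MacApp directory under the given home directory.
# Returns 0 if the directory exists (suspicious, worth reviewing), 1 if absent.
check_macapp_dir() {
    home_dir="$1"
    dir="$home_dir/MacApp"
    [ -d "$dir" ] || { echo "no $dir found"; return 1; }
    count=$(find "$dir" -type f | wc -l | tr -d ' ')
    echo "WARNING: $dir exists and holds $count file(s); newest entries:"
    ls -lt "$dir" | head -n 5
    return 0
}

# List the user's login items (macOS only) so any unfamiliar entry can be
# reviewed; returns 2 when osascript is not available.
check_login_items() {
    if ! command -v osascript >/dev/null 2>&1; then
        echo "osascript not available; login items not checked"
        return 2
    fi
    osascript -e 'tell application "System Events" to get the name of every login item'
}

# Run both checks against the current user's home directory.
run_checks() {
    check_macapp_dir "$HOME"
    check_login_items
}
```

Call `run_checks` from an interactive shell on the Mac being examined; a present MacApp folder or an unrecognised login item is the cue to preserve the files and hand the machine to someone who can analyse it.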