
New signed malware called Janicab

Published July 15th, 2013 at 2:27 PM EDT , modified July 16th, 2013 at 8:11 PM EDT


F-Secure announced the discovery today of a new trojan, which they have named Janicab. This malware uses a familiar old trick – disguising an application as a document to trick the user into opening it – but adds a couple of newer twists. At this time, the built-in defenses in Mac OS X allow this trojan to run without much in the way of warnings, so users are advised to be on their guard.

The first new twist, which makes this malware unique in the Mac world, is the use of a right-to-left override (RLO) character in the file name. This character tells the system that the characters following it should be displayed right-to-left, rather than left-to-right as is standard for English. The character itself is invisible.

So why does this matter? Because it allows the hacker to hide the fact that the document is actually an application! The file is named “RecentNews.?fdp.app”, where the ‘?’ marks the position of the RLO character. That means the Finder will want to display the name as “RecentNews.ppa.pdf”. In addition, the hackers used the old trick of flagging the extension as hidden; the system still knows the extension is “.app” regardless of how the Finder renders the rest of the name, so it hides that “.app” and the name ends up displayed as “RecentNews.pdf”. This, plus the Adobe Acrobat icon given to the application, makes the app look like an innocent PDF file.

(As an interesting side note, I have observed that if I place the file on my desktop, the name gets wrapped in the middle of the “extension” based on my settings. When wrapped like this, the file’s name displays as “RecentNews.fdp”. Perhaps a text encoding expert could explain that one… it seems a bit like voodoo to me! 🙂 )
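As an added illustration (not code from the original post or from F-Secure's analysis), this Python script shows why the name is misleading and how a defender can scan a directory listing for the trick: it strips Unicode bidi control characters to recover the real extension, approximates the reversed rendering, and flags names whose visible extension differs from the real one. The sample names are constructed, and the rendering rule is a simplification of the full Unicode bidi algorithm.

```python
import os

# Invisible Unicode bidi controls that change how a name is drawn. Janicab uses
# RLO (U+202E) so that "fdp.app" is displayed as "ppa.pdf".
BIDI_CONTROLS = {"\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
                 "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI",
                 "\u2068": "FSI", "\u2069": "PDI"}
RLO, PDF = "\u202e", "\u202c"

def true_extension(name):
    """Extension as the OS sees it: controls stripped, last dot onward."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(clean)[1].lower()

def rendered_name(name, hide_extension=False):
    """Approximate what a bidi-aware renderer such as the Finder draws. Simplified
    rule (not full UAX #9): text after an RLO is reversed up to a PDF terminator or
    end of string; other controls vanish. hide_extension=True drops the real
    extension first, which is how "RecentNews.<RLO>fdp.app" shows as "RecentNews.pdf"."""
    ext = true_extension(name)
    if hide_extension and ext and name.lower().endswith(ext):
        name = name[:-len(ext)]
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])  # the overridden run, reversed
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)

def inspect_filename(name):
    """Flag a name whose visible extension differs from its real one."""
    controls = [f"U+{ord(c):04X} {BIDI_CONTROLS[c]}" for c in name if c in BIDI_CONTROLS]
    shown, real = rendered_name(name), true_extension(name)
    return {"displayed_as": shown, "true_extension": real, "controls": controls,
            "suspicious": bool(controls) and os.path.splitext(shown)[1].lower() != real}

def scan_names(names):
    """Return the names from an iterable (e.g. os.listdir output) that look spoofed."""
    return [n for n in names if inspect_filename(n)["suspicious"]]

# Constructed sample listing, not real filesystem contents; the first entry
# mirrors the Janicab naming trick.
SAMPLE_NAMES = ["RecentNews.\u202efdp.app", "RecentNews.pdf", "notes.txt"]
```

To check real files, pass the result of os.listdir() on a folder such as Downloads to scan_names.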

The second new twist, only exhibited previously by the recent KitM (aka Hackback) malware, is that the app is signed. Thus, the system will allow it to run unimpeded, as long as you approve it on the first run. Although that’s a fairly serious issue in principle, if the victim is paying attention, he/she will notice something strange is going on, as most of the text in the warning will be backwards! Still, a lot of people are in the habit of just clicking whatever they need to click to make something work without reading the details of what they’re agreeing to. So it’s easily conceivable that someone would click the Open button without ever noticing the discrepancy.


When run, the trojan opens a document to avoid causing further suspicion. The astute observer will notice that the Acrobat icon remains in the Dock while an additional PDF reader (Preview for most) is opened, which should tip off the user that something’s not right. Again, though, many people aren’t paying that close attention, or may not understand the implications of that. In the meantime, while the document is loading, the app does its dirty work in the background and then quits.

According to F-Secure’s post, the app installs a number of components in an invisible folder in the user’s home folder (named “.t”, where the initial period tells the system to hide the folder) and creates a cron job to keep those components running. Presumably it uses cron because cron is older technology that has been abandoned in favor of launchd, and so attracts less attention. Because other malware has used launchd recently, many users may already be aware of how to check for rogue launch agents and launch daemons, but because of its relative obscurity today, most will probably not know how to check for or disable a cron job.

Once installed, this malware locates its command & control server by searching a few specific places for specific text that contains an IP address. After contacting the C&C server, it begins taking screenshots and recording audio, uploading that to the server and polling the server for other commands to run.

At this time, Janicab is not detected by most anti-virus software, and it slips right past the built-in defenses of Mac OS X in the hands of an unobservant or unsavvy user. This makes it very dangerous. Further, seeing other malware using a signed app is troubling, as it may indicate that Gatekeeper will not offer as much security as had been hoped for.

Removal should be fairly easy. However, you need to take great care. Be sure you have up-to-date backups of all your data, then read the instructions below carefully and follow them precisely!

The following command should be copied and pasted into the Terminal (which is found in the Utilities folder in the Applications folder). Do not try to re-type this command! A typo as simple as a space in the wrong place could have disastrous consequences. Also note that this removes all of your user’s cron jobs. An empty crontab is the default state in Mountain Lion (Mac OS X 10.8), but much earlier versions of Mac OS X may differ (though I don’t know yet what versions of Mac OS X this malware is capable of infecting), and of course if you have created your own cron jobs, this will disrupt them.

crontab -r;rm -rf ~/.t

Once you have run this command, log out to ensure that all the malicious processes still loaded into memory are terminated. When you log back in, the malware should be gone.

Updates

July 16, 2013: Looks like the developer certificate used to sign this trojan has already been revoked. I just tested it, and trying to open the app now results in only two choices: cancel or move it to the trash.


11 Comments

  • Brittany says:

    Wow… Thanks for letting us know! I am glad I came to your site today.

  • Sid Cannon says:

    I use both Windows 7 and OSX. The security I have for Windows 7 is Sandboxie and Shadow Defender.

    No matter how much I want to be able to trust OSX security wise, I don’t feel comfortable with it. Maybe that’s because I’ve used Windows for nigh on twenty years, I don’t know.

    But I can’t find security for OSX like Shadow Defender for Windows. With Shadow Defender a simple reboot and my OS drive is squeaky clean.

    Maybe I don’t understand security and OSX, but I feel sort of naked without it.

    • Thomas says:

      There’s nothing, as far as I know, like Shadow Defender for Mac OS X. However, that’s a lot of overhead – which will slow you down considerably – to avoid issues that are quite rare. Although you do want to keep aware of what’s going on and do what you can to protect yourself (see my Mac Malware Guide), you don’t need to worry too much beyond that. Most malware, if you do end up getting infected, is pretty easy to remove as well.

      • Sid Cannon says:

        Thanks for your reply Thomas. I read your Mac Malware Guide some time ago, and I have ClamXav and Dr. Web Light for on demand scans.

        I don’t have any real time protection on OSX but I am considering Avast, even if just for peace of mind.

        The key points I am going to take from your reply are that Mac malware is rare and easy to remove.

        Thanks again for your reply Thomas.

  • Jay says:

    Is this a POC or has it been spotted in the wild already? Haven’t been able to find that bit of info.

    • Thomas says:

      As far as I know, it’s actually in the wild. Usually, if it’s just a PoC (proof-of-concept, meaning just a test to see what’s possible, for those unfamiliar with the term), the source is well documented. Creators of PoCs are generally not looking to keep their work secret. So, since there wasn’t any mention of a source, I’m guessing it’s in the wild, and that F-Secure may not yet know exactly where it came from.

      • Sean Sullivan says:

        In the wild, but being used in targeted attacks is our opinion based on the YouTube video (C&C locator) stats. 500+ views (for both) from Feb 13th to July 13th.

        The binary that Broderick discovered/analyzed yesterday was compiled in April. So the March figures could be some testing, but probably means that there are other variants which were used.

  • Al Varnell says:

    Two questions remain for me:

    – Is RecentNews.ppa.pdf compiled as a Universal Binary or is it a threat to Intel only Macs?

    – I know codesigning has been a feature of OS X Leopard and newer, but what versions of OS X will check the authenticity of an Apple Developer ID when you attempt to launch an app?

    • Thomas says:

      It’s not specific to either processor, as it’s a python app. So I would guess it would have worked on any machine capable of running a python app.

      I’m not sure what versions of OS X will check the signature. Since I know you’ve got a Leopard machine, I’ll send you a copy and we’ll see what happens! 🙂
