
New “Ventir” malware

Published October 19th, 2014 at 8:54 AM EDT , modified October 20th, 2014 at 11:43 AM EDT

On Thursday of last week, Kaspersky announced their discovery of a new piece of Mac malware, which they are calling Ventir. I have held off writing anything about this until I could get some independent confirmation, as I tend to be skeptical of Kaspersky these days. (See Misinformation about “acoustical infections” and Kaspersky reveals “The Mask”.) However, I have tested my own copy of the malware at this point, and found that Kaspersky’s analysis seems to be fairly accurate in this case.

Kaspersky does not say how the malware gets installed, other than to call it a “trojan.” The sample I have is a bare Unix executable. It may have been extracted from an application or installer package, or it may have been meant for targeted attacks in which the attacker has physical access to the Mac. Either way, executing this file in the Terminal infects the system.

The Kaspersky report points to a difference in behavior depending on whether root access is available (i.e., whether or not the user has provided an admin password to the malicious app). If this were part of a malicious app or installer, the user would have been asked for an admin password; if the user refused, the malware would simply install itself in a different, unprivileged way. If it were part of an attack requiring physical access, it would work whether or not the attacker knew the admin password.

When executed with “sudo” in the Terminal, which gives it root access, the dropper creates a folder named “.local” in the /Library folder and installs a number of files inside it. (Because the folder’s name begins with a period, the Finder does not display it, though “ls -a” in the Terminal will.) It also installs a file named “com.updated.launchagent.plist” in the /Library/LaunchDaemons folder, a launchd job that keeps the “updated” executable file running at all times. The name is itself a tell: a file called “launchagent” sitting in the LaunchDaemons folder is not something a legitimate installer would normally create.

If root access is not available, it installs the “.local” folder in the user’s Library folder (~/Library) instead, without the kext.tar and Keymap.plist files (a kernel extension cannot be loaded without root, so there would be no point in installing it). In this case, the com.updated.launchagent.plist file is created in the ~/Library/LaunchAgents folder, which means it only runs while that user is logged in.

Apple has not yet blocked Ventir with XProtect, but I provided them with the malicious executable file this morning, so hopefully they will update it shortly. Although an XProtect update will protect against Ventir in trojan form, it’s important to understand that XProtect only examines files that were downloaded and carry the quarantine flag. If an attacker with physical access copies the dropper onto the machine and runs it directly, XProtect never looks at it, so an XProtect signature is no protection against that scenario.

To identify whether you are infected or not, look in the following folders for the com.updated.launchagent.plist file:

~/Library/LaunchAgents/
/Library/LaunchDaemons/

(If you’re not sure how to find those folders, see Locating files from paths.)

If you find that file in either of those folders, you’re infected with Ventir. The hidden “.local” folder in /Library or ~/Library is a second indicator; the Finder won’t show it, but “ls -la /Library ~/Library” in the Terminal will.
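As an added example (this is not code from the original post), the following shell script automates the checks above: it looks for the com.updated.launchagent.plist job in both launchd folders, for the hidden “.local” folders in /Library and ~/Library, and, as an assumption of my own that the report does not describe, for any launchd job whose plist points at a program inside a hidden “.local” folder, so that a renamed copy of the job is still caught. The ROOT and HOME arguments are also my addition; they let the same function run against a staged directory tree instead of the live system.

```shell
#!/bin/sh
# Added example (not the original post's code): look for the Ventir
# persistence indicators described in the post.
#
# ventir_check ROOT HOME
#   ROOT is prepended to system paths ("" for the live system, or a staged
#   directory tree when testing); HOME is the parent of the user's Library.
#   Prints each indicator found, returns 0 when clean and 1 when anything
#   was found.

PLIST_NAME="com.updated.launchagent.plist"

ventir_check() {
    root="$1"
    home="$2"
    found=0

    # 1. The exact names from the report, in both install layouts
    #    (root install: /Library; unprivileged install: ~/Library).
    for p in \
        "$root/Library/LaunchDaemons/$PLIST_NAME" \
        "$home/Library/LaunchAgents/$PLIST_NAME" \
        "$root/Library/.local" \
        "$home/Library/.local"
    do
        if [ -e "$p" ]; then
            echo "INDICATOR: $p exists"
            found=1
        fi
    done

    # 2. Assumption added here: a renamed copy of the job would still have
    #    to point launchd at a program inside the hidden .local folder, so
    #    scan every launchd job in the three folders for that path.
    for dir in "$root/Library/LaunchDaemons" \
               "$root/Library/LaunchAgents" \
               "$home/Library/LaunchAgents"
    do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.plist; do
            [ -f "$f" ] || continue
            if grep -q 'Library/\.local/' "$f"; then
                echo "INDICATOR: $f runs a program from a hidden .local folder"
                found=1
            fi
        done
    done

    return $found
}

# Run against the live system only when asked to:  sh ventir_check.sh --live
case "${1:-}" in
    --live)
        if ventir_check "" "$HOME"; then
            echo "No Ventir indicators found."
        else
            echo "Ventir indicators present; see the post for what to do next."
        fi
        ;;
esac
```

A clean result from this script only means the indicators described so far are absent; it says nothing about anything the backdoor may have installed afterwards, which is why the advice below is to reinstall rather than to delete these files.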

Unfortunately, because this malware includes a backdoor that could be used to install additional components or make malicious changes to your system, removal is not as simple as just removing the malicious files described in Kaspersky’s report. If you are infected, you need to erase your hard drive, reinstall the system and apps from scratch, and restore data only (no settings files, apps, etc.) from a backup. Since Ventir’s components also include a keystroke logger, change any passwords you typed while infected, and do so from a machine you know to be clean. See:

How to reinstall Mac OS X from scratch


43 Comments

  • Ian MacGregor says:

    Thank you for this information, and for reporting this to Apple. Your efforts are appreciated 🙂

  • Paul Sypek says:

    Since it’s not yet known how the malware is installed, I could end up erasing my HD on a weekly basis. Plus, since I’m running Snow Leopard (which I’m at home with and am too stubborn to give up), Apple won’t include me in whatever fix they come up with. Screwed?

    • Thomas says:

      You don’t need to erase your hard drive unless you’re infected with this malware. If you don’t have the files described in this article, you’re not infected, so there’d be no point in erasing the hard drive. On the other hand, if you’re getting infected with malware on a weekly basis, you probably need to give some serious thought to what you’re downloading!

      • Paul Sypek says:

        I wasn’t being literal. I was kind of talking in the subjunctive. My point was if you don’t know where something is coming from and the only people who can fix it, won’t, then erasing your hard drive is a poor if necessary substitute. By the way, thanks for your excellent site.

        • Thomas says:

          I really don’t understand your comment. I’m not talking about a need to erase your hard drive just because you don’t know where something has come from. If you get infected with backdoor malware, regardless of the system you are running, then you MUST erase the hard drive. Period. The reason is that the hackers behind the malware may have done any number of undetectable things to your system, so it must be considered compromised.

    • Al Varnell says:

      Apple has continued to update XProtect for Snow Leopard users even though they have not been providing any additional Security Updates to OS X, so unless they decide to stop with this one, you should be covered as soon as they are able to deploy the next update.

      • Paul Sypek says:

        Did not know this. Are you aware of any other possible Apple updates other than XProtect that might still be available for this version? Thanks for the info.

  • Jimmy says:

    Eset had signatures for OSX/Ventir.A on Sept. 16, 2014, is this the same trojan?

  • fetch says:

    It’s disappointing how Apple’s XProtect team works. There is not much malware for OS X, and it’s not hard to respond to it right after it’s discovered. Ventir has been known since the beginning of September, but XProtect is only going to be updated when you send samples to Apple in the middle of October.

    • Al Varnell says:

      Not sure where you got an early September date. Kaspersky didn’t publish their findings until Oct 16 and the first upload to VirusTotal appears to have been Oct 17.

      Apple XProtect normally deals with detecting the initial installer. It cannot scan your hard drive for something that has already been installed, so it’s essential that the method of installation be discovered, so that they can properly deal with it.

        • Thomas says:

          Having the dropper executable isn’t quite the same as knowing how that dropper gets executed on the user’s system. This may be the executable file from an application package, in which case the application in question would be a trojan. However, it may also be something delivered in a different manner, such as with physical access to the machine, through some kind of remote access or through some unknown vulnerability.

          If it’s the executable part of an app, I would hope that Apple would be able to block it in XProtect without actually having the entire app. However, time will tell. Their product security team has the dropper and complete instructions on what happens when you run it, so the ball is in their court now.

        • Al Varnell says:

          I see that Thomas thinks it’s the dropper, but at the moment I’m not convinced. Several scanners, including ClamAV identify it as a keystroke logger that makes use of an open source software package freely available from GitHub, called LogKext. ClamAV added the definition on Feb 11, 2014 based on a previous VirusTotal sample. It appears that it is now a component of Ventir.

  • Chip says:

    Thanks for the update. I’m clean!

  • Five says:

    I find it a bit weird that Intego doesn’t mention Ventir at all. As it’s not in their interest to ignore a new Mac malware, I tend to be a little skeptical about the reality of this threat. Thanks for your work anyway, Thomas!

    • Thomas says:

      I can assure you, the threat exists. The question still unanswered is how it’s getting on people’s computers.

      Regardless of how it’s getting installed, though, it’s still something that anti-virus software and XProtect should be detecting. I just checked with an old copy of VirusBarrier Express, and it didn’t identify any of the Ventir files as malware. Although VirusBarrier Express has been discontinued, Intego said that they will continue providing updates to the malware signatures… so, either they’ve stopped doing that now, or they aren’t detecting Ventir at all.

      • Five says:

        I doubt any of Intego’s products detect Ventir. I can’t see any reason why they wouldn’t advertise it on their blog. But they may have one… or simply consider it a non-threat, right or wrong.

        • fetch says:

          Detecting malware does not take much time (in general), but performing the detailed analysis that is required for publishing news on AV blogs could take a pretty long time. So you should not make decisions about whether it detects malware or not based on their news blog.

        • Al Varnell says:

          Intego claims that VirusBarrier detects it as OSX/Ventir as well as previous definitions for older components OSX/logKext.E and OSX/logKext.D.

  • JGO says:

    Today checked for XProtect update, 07:45 p.m. GMT + 1 hour
    ( /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/ )
    Corresponding files:
    XProtect.meta.plist and:
    XProtect.plist
    Nothing yet.

  • Austin says:

    Is it confirmed that Ventir is actually a trojan, or is it a virus as well? In other words, can it only be spread by physical access (i.e. downloading executables and remote/physical access), or can it be spread like a virus (i.e. it will infect you regardless of physical accessibility)?

    Thanks for the information about Ventir. I greatly appreciate your site.

  • Chas4 says:

    I got an XProtect update (version 2051) yesterday, not sure what was updated (plug-ins are the same).

  • Austin says:

    I got an XProtect definition update today (3:45 a.m. PST); can’t tell what it updated. Is it Ventir definitions? Anyone know?

  • JGO says:

    What the hell is the matter with Apple? This:
    Busy with Yosemite,
    Cosy talks with the automotive industry (Tesla) http://www.sfgate.com/news/article/Apple-exploring-cars-medical-devices-to-reignite-5239850.php
    Watches (I have a watch, btw)
    Marketing throw away computers (the new Macmini)
    But updating XProtect to ‘annihilate’ a serious malware threat that has been ongoing since October 10? What company am I dealing with? Computers for the rest of us, or a fashion institute? Really, I am losing faith in my favourite computer brand.

  • Al Varnell says:

    > ‘annihilate’ a since October, 10 ongoing serious malware threat?

    Is it? I still haven’t seen any signs of an infected user. All we really have is the Kaspersky report repeated by other A-V software vendors. I have no doubt that it exists somewhere, but why has it not shown up anywhere other than in malware channels as a sample?

    And yes, Apple Security has been busy lately with bash, Poodle and now yet another Flash Player issue but I’m still confident that if they considered this to be at the same threat level they would have dealt with it already.

  • Phil Ritchie says:

    My Safari has been taken over by “policewebadult.com” I cannot get past it when I use Safari except to bypass and leave the app. Is there any Apple program that will remove it? If not, how do I restore Safari. I’m not that cyber trained.

  • Mike says:

    You don’t have to wipe your hard drive clean. Call Apple support and they will walk you through the removal in 5 minutes for free. I just did it.

    • Thomas says:

      Apple’s support techs are not security experts. It’s unlikely that most of them actually know how to remove the installed Ventir components. Further, as the article already says, because Ventir includes a backdoor, that opens the possibility that other malicious things were installed on your system at some point following infection.

      It is, of course, your choice what to do… but my advice, as already stated, is to wipe the hard drive clean.

  • Hmmm, says:

    It’s on my computer’s and iPad’s plist files. It can be seen if you go into the root directory, highlight the files there, and show them; it will show where they are hiding.

    • Thomas says:

      Ventir does not infect iOS devices, so I’m not sure what you mean when you say it’s on your “iPad plist files.” Ventir also doesn’t install stuff in the root directory. So I’m not at all sure what you’re talking about.

  • Laraine Ward says:

    I’ve been reading your wonderful site after my computer wouldn’t close Safari yesterday without my installing a new Flash Player upgrade, with no option to refuse. I googled the name (sorry, I’m a pensioner and not computer literate); it was mac something.com, and it brought me to your site, as you talked someone else through getting back control without clicking on the malware. I’ve worked through all your malware checks since and was clean until this one, and I’ve found the following in my Library through “Finder”, Library/LaunchAgents:
    com.adobe.AAM.Updater-1.0.plist
    com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
    com.apple.CSConfigDotMacCert-laurielevi@me.com-SharedServices.Agent.plist
    com.google.keystone.agent.plist

    Should I be worried? Sorry to be a pain, but without people like you willing to help thick newbies I would never want to use my Apple MacBook Pro again.

  • JohnTheSavage says:

    Here’s a question. Is there a reason I don’t have either of those folders in my user library? i.e. I have /Library/LaunchDaemons/ and /Library/LaunchAgents/ but not ~/Library/LaunchAgents/ or ~/Library/LaunchDaemons/. I have OS X 10.9.5 if that helps.
