
Variant of SMSSend slips past XProtect

Published February 11th, 2013 at 9:47 PM EST , modified February 11th, 2013 at 9:47 PM EST

This weekend, I got my hands on a variant of the SMSSend malware. What I found was very interesting, and very concerning. After examining it, it’s evident that the malware is still evolving and is still an active threat. Worst of all: it seems to be capable of slipping past the current version of the built-in anti-malware security in Mac OS X (aka, XProtect)!

Originally described by Dr. Web, this malware pretended to be an installer for an application called VKMusic. As part of the install process, it requested a cell phone number, and required the user to enter an activation key that would be texted to that number. The process, however, would result in the cell phone being subscribed to a premium text message service, thus generating revenue for the malware.

The current incarnation that I have stumbled across no longer pretends to install VKMusic. Instead, it pretends to be an installer for something called History of Sochi. Opening it launches what looks like an official Apple installer, though there are some oddities. (For example, at one point a message reads, “Wait the Wizard to finalize files check History of Sochi…”)

The installation process culminates in a request for the user to text a particular code to a cell phone number. There is a fairly limited number of countries to choose from: Albania, Armenia, Belorussia, Brazil, Estonia, Germany, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldavia, Russia, Ukraine and Vietnam. (Presumably the malware is not likely to be found outside one of those countries, but that could change at any time.)

Alternately, the user can choose a different method of activation. The other choice in the relevant menu is WebMoney, and includes a link to a payment page.

Of course, I was not willing to do what was necessary to get an activation code, so I could not take this any further. I cannot say whether a legitimate app may actually be installed, despite the means, or if more malware might be installed. The app does contain a .zip file that probably contains whatever payload is installed, but it is encrypted with a password, so it cannot be extracted and examined.

None of this is particularly surprising, of course. It is interesting that the name of the app and some methods have changed. However, more worrisome is the fact that I was able to open this installer on Mac OS X 10.8.2. The system was fully up-to-date, and I forced it to update its XProtect definitions prior to making the attempt. When I opened it, I got only the familiar warning that the application had been downloaded from the internet, not the scarier warning (shown when opening a known malicious application) that the application will harm the computer.

What this means is that this variant of SMSSend is not covered by the signatures for SMSSend that are currently found in XProtect. This is a very serious matter, and I plan to immediately contact Apple about it. Hopefully, the situation will be remedied soon.

It’s important to understand that I am not picking on Apple alone. A number of very prominent anti-virus programs also fail to detect this variant of the malware. Such is the nature of malware detection… it is always a game of catch-up. Besides which, although this variant would slip past XProtect, it is blocked entirely by Gatekeeper in Mountain Lion, unless overridden by the user (as I had to do), as the developer is not registered with Apple.
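To make concrete why a renamed build can slip past signatures written for the previous one, here is a small scanner added to this page (it is not the post's code and not Apple's XProtect; the rule layout is modelled on the two kinds of match XProtect signatures use, a whole-file hash and a byte pattern, as I understand that format). The two "samples", the rule names and the hash are constructed for the illustration; the point is that a hash or branding-string rule written against the first build fires only on that build, while a rule on the part that carries the scam itself still fires on the rebranded one.

```python
# Added example (not the post's own code or Apple's): a toy signature scanner
# modelled on the two kinds of match XProtect signatures use, a whole-file
# hash ("Identity") and a byte pattern ("Pattern").  The rules, rule names
# and sample bytes below are constructed for illustration.
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Rule:
    name: str    # detection name, constructed here
    kind: str    # "identity" (SHA-1 of the whole file) or "pattern" (regex over the bytes)
    value: str   # hex digest for identity rules, regex source for pattern rules


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def rule_matches(rule: Rule, data: bytes) -> bool:
    """True if one rule fires on the given file contents."""
    if rule.kind == "identity":
        return sha1_hex(data) == rule.value
    if rule.kind == "pattern":
        return re.search(rule.value.encode("utf-8"), data) is not None
    raise ValueError("unknown rule kind: %s" % rule.kind)


def scan(data: bytes, rules: List[Rule]) -> List[str]:
    """Names of every rule that fires on the data (empty list = not detected)."""
    return [r.name for r in rules if rule_matches(r, data)]


def coverage_report(rules: List[Rule], samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan each labelled sample and report which rules fired on it."""
    return {label: scan(data, rules) for label, data in samples.items()}


# Constructed stand-ins for two builds of the same trojan: the installer name
# changed between them, the SMS-activation routine did not.
ORIGINAL = b"<installer name='VKMusic'>ACTIVATION: text code to premium number</installer>"
VARIANT = b"<installer name='History of Sochi'>ACTIVATION: text code to premium number</installer>"

RULES = [
    # A hash of the first sample: exact, but useless the moment one byte changes.
    Rule("OSX.SMSSend.constructed.identity", "identity", sha1_hex(ORIGINAL)),
    # A string from the first sample's branding: also brittle, since the name was changed.
    Rule("OSX.SMSSend.constructed.name", "pattern", r"name='VKMusic'"),
    # A string from the part that carries the scam itself: survives the rebrand.
    Rule("OSX.SMSSend.constructed.activation", "pattern", r"ACTIVATION: text code to premium number"),
]

if __name__ == "__main__":
    report = coverage_report(RULES, {"original": ORIGINAL, "variant": VARIANT})
    for label, hits in report.items():
        print("%-8s %s" % (label, ", ".join(hits) or "NOT DETECTED"))
```

Run as-is it prints that the original sample trips all three rules and the variant only the activation rule; with just the first two rules the variant is reported as not detected, which is the situation described above. Real definitions are maintained by the vendor and are updated after a sample is submitted, so the report is a way to see the gap, not a replacement for the vendor's signatures.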


21 Comments

  • Gerard says:

    How does one force to update XProtect?

    Glad to follow you on Twitter.

    Thanks

    • Thomas says:

      Go to System Preferences -> Security & Privacy and click the lock icon to unlock it. Then click the Advanced button. In the sheet that drops down, uncheck “Automatically update safe downloads list” and click OK. Then click the Advanced button again and re-check that box.
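To confirm that a forced update actually arrived, it helps to look at the definitions themselves rather than trust the preference toggle. The following script is added here and is not Thomas's or Apple's code; it assumes the XProtect files live where OS X 10.8 keeps them, in CoreTypes.bundle (XProtect.meta.plist holding the definitions version and date, XProtect.plist holding the signatures, each with a Description such as the "OSX.SMSSend.ii" name mentioned in the comments below), which the post does not state. The two plists embedded in the script are constructed so it can be exercised on any system; on a Mac it reads the real files.

```python
# Added example (not from the post): report which XProtect definitions a Mac
# has, so you can check that an update really landed.  The paths below are
# where OS X 10.8 keeps the files (an assumption, not stated in the post).
import os
import plistlib
from typing import Dict, List, Optional

XPROTECT_DIR = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources"
XPROTECT_META = os.path.join(XPROTECT_DIR, "XProtect.meta.plist")
XPROTECT_RULES = os.path.join(XPROTECT_DIR, "XProtect.plist")


def definitions_info(meta_bytes: bytes) -> Dict[str, object]:
    """Version and last-modification date recorded in XProtect.meta.plist."""
    meta = plistlib.loads(meta_bytes)
    return {"version": meta.get("Version"), "last_modified": meta.get("LastModification")}


def signature_names(rules_bytes: bytes) -> List[Optional[str]]:
    """The Description of every signature in XProtect.plist, in file order."""
    rules = plistlib.loads(rules_bytes)
    return [rule.get("Description") for rule in rules]


def covers(rules_bytes: bytes, family_prefix: str) -> List[str]:
    """Signatures whose name starts with the given family prefix, e.g. 'OSX.SMSSend'."""
    return [name for name in signature_names(rules_bytes) if name and name.startswith(family_prefix)]


# Constructed sample files in the same layout as the real plists (values made up).
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>LastModification</key>
    <string>Mon, 11 Feb 2013 20:00:00 GMT</string>
    <key>Version</key>
    <integer>123</integer>
</dict>
</plist>
"""

SAMPLE_RULES = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
    <dict>
        <key>Description</key>
        <string>OSX.SMSSend.ii</string>
    </dict>
    <dict>
        <key>Description</key>
        <string>OSX.Example.constructed</string>
    </dict>
</array>
</plist>
"""


def read_file(path: str) -> bytes:
    with open(path, "rb") as handle:
        return handle.read()


if __name__ == "__main__":
    # Use the real files when present (a Mac), the constructed samples otherwise.
    meta = read_file(XPROTECT_META) if os.path.exists(XPROTECT_META) else SAMPLE_META
    rules = read_file(XPROTECT_RULES) if os.path.exists(XPROTECT_RULES) else SAMPLE_RULES
    info = definitions_info(meta)
    print("XProtect definitions version %s, last modified %s" % (info["version"], info["last_modified"]))
    print("SMSSend signatures present: %s" % (", ".join(covers(rules, "OSX.SMSSend")) or "none"))
```

Run it before and after the preference toggle described above and compare the version and date; if they do not move, the update did not happen. The script only reads the files, so it needs no elevated privileges.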

  • aalien says:

    “…it requested a cell phone number, and required the user to enter an activation key that would be texted to that number…”

    I don’t even give my cell phone to google…. lool

    For one reason or another, these things (at least to me) have always shown themselves to be pretty much stupid. Now, I know Google is Google, and giving my cell phone to recover my Google account may actually be very good (at some point, at least before they reveal themselves as some form of future tyranny), but apart from my 100-digit password (with spaces, upper and lower case, minus, underline, special characters and numbers) they will have a hard time figuring it out, and even more so with a 5-second self-destructing clipboard (KeePassX) and FileVault encryption on (native OS X)…

    So if I don’t give my phone number to Google, WHY would someone give their phone number to (pardon my next language) some st*p*d program? Even more stupid with pretty much a lot of pro applications available, plus very, very good freeware music apps (in the case of the last variant)????

    Anyway, it doesn’t make any sense to me…

  • Bill says:

    Presumably you turned off GateKeeper?

  • Al Varnell says:

    XProtect was updated late yesterday to include a signature for “OSX.SMSSend.ii” which I strongly suspect covers it now. Guess somebody must have sent them a sample 😉

  • Pantelis says:

    You can update XProtect using the app below.

    http://www.macobserver.com/tmo/article/safe_download_version_adds_manual_definitions_update/

    This app automates the whole update process for you; it notifies you what version your current definitions are and their release date, lets you check for updates, and notifies you if you already have the latest version installed.

  • Liz Dorland says:

    The link provided by Pantelis refers only to a Safe Download version from 2011. How is that helpful??

  • Al Varnell says:

    There is no reason to use that app, as Thomas’ instructions work just as well and there is no danger of losing your login keychain, which happened to a handful of users when it came out.

  • Pantelis says:

    Hi Liz

    The app automates the process for you and it’s up to date (2011 was only the example of when it was initially used)

    • Thomas says:

      You really don’t need an app to automate a process that is already automated. The only reason I forced the update was that I was using a test system that hadn’t been run in a while and wanted to be absolutely sure that I had the latest XProtect right then, at that moment. On a day-to-day basis, this app is not useful.

  • Someone says:

    Gatekeeper will catch SMSSend, right?

    • Thomas says:

      Yes, Gatekeeper will keep it from opening unless you either turn it off or perform a one-time bypass of Gatekeeper (by control-clicking the app and choosing Open).

  • Someone says:

    If I have a computer running 10.8, am I protected from all known malware? Assuming I update?

    • Thomas says:

      At this time, if you have a computer running 10.8.2 with all updates installed, third-party software (particularly Java, Flash and Microsoft Office) properly up-to-date and security settings left at their defaults, there is no malware that can infect it. However, keep in mind the topic of this post! Things can change very quickly.

  • Someone says:

    Okay, thanks, Thomas! Thankfully, my computer came with 10.8 on it (upgraded to 10.8.2 this morning), so I don’t have Java. I also don’t have Microsoft Office on my computer, so that’s safe. My only concern is Flash. I use Google Chrome primarily, which you said had Flash built in, so does that mean I’m vulnerable to Flash-related malware issues?

  • Colstan says:

    Chrome uses a special sandbox to isolate Flash. Do a search for “Pepper Flash” and you’ll get more details. This is more secure than using the old plugin architecture that dates back to the Netscape days, which is used by most other browsers. Also, Chrome auto-updates Flash without user interaction.

    Even with these additional protections, you are potentially vulnerable to Flash exploits. It’s still the same code that is provided by Adobe and contains the same security issues. That’s why Google updates Chrome at the same time that Adobe does. A zero-day exploit may be able to get past the Chrome sandbox. It really depends on the exploit. If you are required to use Flash, then it is hypothetically more secure to run it in Chrome. Note however that some users have had stuttering issues with Pepper Flash while viewing videos, so your mileage may vary.

    I personally do not have Chrome installed, nor do I have Flash installed. Safari defaults to HTML5 when viewing YouTube or other video sites, and I have no need to play Flash games or use Flash sites. This protects me from all Flash vulnerabilities as well as encourages the adoption of alternative technologies that replace Flash. Most YouTube videos play fine in Safari with HTML5; the handful that don’t are usually those that require advertisements to be displayed.

    While I understand that everyone has their own needs and requirements, I do not have any products from Microsoft, Adobe or Oracle on my Mac. Installing fewer programs on your computer reduces the attack surface, and Java, Flash, Adobe Reader, Office and such are the worst offenders.

    If you need these technologies, then I fully understand, but for those who don’t, I think it’s best to uninstall them or, even better, never install them to begin with. Also, by using alternatives, you encourage developers to use more open standards that may replace these insecure technologies.

  • Someone says:

    Thanks, Colstan. I don’t use Flash much, except for YouTube, and I would use Safari for this, except I happen to prefer Chrome to Safari for various reasons.

  • Colstan says:

    I can fully understand the desire to use your preferred browser. Fortunately, the Flash plugin can be easily disabled and re-enabled on most major browsers without much difficulty, as other posters have stated on this site. I prefer Safari, but I would likely use Chrome if I needed a second browser. Choice is a good thing and the days of everyone being forced to use Internet Explorer are long over. Hopefully, the same can be said of Flash.

    While I haven’t tried it in some time, you can also use HTML5 to view video content on YouTube through Chrome. I would suggest joining the “YouTube HTML5 player” program to try it out on YouTube’s website. It may cut down on the necessity of using Flash with YouTube. You may see a performance boost as well. I haven’t tried this with Chrome in some time, so your mileage may vary, but I think it is worth a try, especially if you primarily use Flash just for video.

  • Someone says:

    How do you join this program? I want to keep my {brand-new} computer as safe as possible…

  • Colstan says:

    Sorry for the slow reply, here is the link:

    https://www.youtube.com/html5

    You can try disabling the Flash plugin within Chrome, or whichever browser you may wish to use. Then try out YouTube and other sites to see if the majority of videos are supported. All this does is set a cookie on your browser to use HTML5 with YouTube. If you clear your cookies, you’ll need to rejoin the program. Safari uses the more widely used H.264 format for HTML5, while Chrome uses Google’s own WebM format, so support may be different depending on the browser used.
