Effective URL: https://www.thesafemac.com/new-signed-malware-called-janicab/

We’ve moved! You can now read the latest and greatest on Mac adware and malware
at Malwarebytes.


NEW SIGNED MALWARE CALLED JANICAB

Published July 15th, 2013 at 2:27 PM EDT, modified July 16th, 2013 at 8:11 PM EDT

F-Secure announced the discovery today of a new trojan, which they have named
Janicab. This malware uses a familiar old trick, disguising an application as a
document so the user will open it, but adds a couple of newer twists. At the
moment, the built-in defenses in Mac OS X will let this trojan run without much
in the way of warnings, so users are advised to be on their guard.

The first new twist, which makes this malware unique in the Mac world, is the
use of a right-to-left override (RLO) character (Unicode U+202E) in the file
name. This character tells the system that the characters following it should
be displayed right-to-left, instead of left-to-right as is standard for
English. The character itself is not displayed.

So why does this matter? Because it lets the attacker hide the fact that the
“document” is actually an application. The file is named
“RecentNews.?fdp.app”, where the ‘?’ marks the position of the RLO character.
Everything after the RLO is drawn reversed, so the Finder wants to display the
name as “RecentNews.ppa.pdf”. In addition, the attackers used the old trick of
marking the extension as hidden. The system still knows the real extension is
“.app” no matter how the Finder draws the name, but with the “.app” hidden only
“fdp” remains after the RLO, and reversed that reads “pdf”: the name is
displayed as “RecentNews.pdf”. This, plus the Adobe Acrobat icon given to the
application, makes the app look like an innocent PDF file.

(As an interesting side note, I have observed that if I place the file on my
desktop, the name gets wrapped in the middle of the “extension” based on my
settings. When wrapped like this, the file’s name displays as “RecentNews.fdp”.
Perhaps a text encoding expert could explain that one… it seems a bit like
voodoo to me! 🙂 )
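The following is an added example, not code from the original post or from the malware, showing how to spot a name built this way. It models only the part of the Unicode bidi algorithm the trick depends on (text after an RLO is drawn reversed up to the next Pop Directional Formatting character), simulates the Finder's hidden-extension display, and compares the extension the user reads with the one the system will act on. The sample names other than the one quoted above are constructed for illustration.

```python
import unicodedata

# Unicode bidirectional control characters. A file name containing any of these
# can be rendered in an order different from its byte order, which is how the
# ".app" extension in "RecentNews.<RLO>fdp.app" ends up looking like ".pdf".
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                 # LRM, RLM
}
RLO, PDF = "\u202e", "\u202c"


def real_extension(name):
    """Extension the OS acts on: the text after the last '.' in the raw name."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def as_displayed(name, hide_extension=False):
    """Approximate what a user sees. Simplified model of the Unicode bidi
    algorithm: text after an RLO is reversed up to the next PDF (or the end
    of the string); other controls are dropped. With hide_extension=True the
    real extension is stripped first, as the Finder does for a file whose
    'hide extension' flag is set."""
    visible = name.rsplit(".", 1)[0] if hide_extension and "." in name else name
    out, i = [], 0
    while i < len(visible):
        ch = visible[i]
        if ch == RLO:
            end = visible.find(PDF, i + 1)
            if end == -1:
                end = len(visible)
            out.append(visible[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1            # other controls: invisible in this model
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def inspect_name(name):
    """Report how a file name would deceive a user, if at all."""
    controls = sorted({unicodedata.name(c) for c in name if c in BIDI_CONTROLS})
    shown = as_displayed(name)
    real = real_extension(name)
    return {
        "raw": name,
        "bidi_controls": controls,
        "displayed": shown,
        "displayed_extension_hidden": as_displayed(name, hide_extension=True),
        "real_extension": real,
        # Suspicious if any bidi control is present, or if what the user
        # reads as the extension differs from what the OS will execute.
        "suspicious": bool(controls) or real_extension(shown) != real,
    }


def find_disguised(names):
    """Return the inspection records for the names that look deceptive."""
    return [r for r in map(inspect_name, names) if r["suspicious"]]


# Constructed sample names (only the first mirrors the name quoted in the post).
SAMPLE_NAMES = [
    "RecentNews.\u202efdp.app",
    "Quarterly report.pdf",
    "notes.txt",
    "invoice\u202etxt.sh",
]

if __name__ == "__main__":
    for rec in find_disguised(SAMPLE_NAMES):
        print(rec)
```

Running it on a directory listing (os.listdir output, for instance) flags any name carrying a bidi control, which is a reasonable rule for user-facing files: ordinary documents have no legitimate reason to contain one.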

The second new twist, previously seen only in the recent KitM (aka Hackback)
malware, is that the app is signed with a developer certificate. Thus
Gatekeeper will allow it to run unimpeded, as long as you approve it on the
first run. Although that is a fairly serious issue in principle, an attentive
victim will notice something strange: the warning dialog includes the file
name, so the RLO character reverses most of the text that follows it and the
warning reads backwards. Still, a lot of people are in the habit of clicking
whatever they need to click to make something work, without reading the details
of what they are agreeing to. So it is easily conceivable that someone would
click the Open button without ever noticing the discrepancy.



When run, the trojan opens a decoy document to avoid arousing further
suspicion. The astute observer will notice that the Acrobat icon remains in the
Dock and that a second PDF reader (Preview, for most people) has opened, which
should tip off the user that something is not right. Again, though, many people
are not paying that close attention, or may not understand the implications.
Meanwhile, while the document is loading, the trojan installs its components
(described below) and then quits.

According to F-Secure’s post, the app installs a number of components in a
hidden folder in the user’s home folder (named “.t”; the leading period tells
the system to hide the folder) and creates a cron job to keep those components
running. Presumably it uses cron because that older technology has largely been
abandoned on Mac OS X in favor of launchd. Because other recent malware has
used launchd, many users may already know how to check for rogue launch agents
and launch daemons, but because cron is now relatively obscure, most will
probably not know how to check for or disable a cron job.
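The following is an added example, not code from the original post or from F-Secure's analysis, of the check a user (or a response script) would run here: parse the current user's crontab and flag jobs with the traits just described, namely a command that executes something out of a hidden folder in the home directory (or a temp directory) and a schedule frequent enough to act as a keep-alive. The sample crontab is constructed; its last entry is made up to resemble the behaviour described above, and its file names are not Janicab's. The heuristic will also flag legitimate jobs that happen to live under a dot-directory, so treat its output as a list to review, not to delete blindly.

```python
import os
import re
import shlex
import subprocess

CRON_FIELDS = 5
ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/private/tmp/", "/private/var/tmp/")


def parse_crontab(text):
    """Turn 'crontab -l' output into (schedule, command) pairs.
    Comments, blank lines and variable assignments (MAILTO=...) are skipped;
    @reboot/@hourly-style schedules are handled as well as the 5-field form."""
    jobs = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or ASSIGNMENT.match(s):
            continue
        if s.startswith("@"):
            sched, _, cmd = s.partition(" ")
        else:
            parts = s.split(None, CRON_FIELDS)
            if len(parts) <= CRON_FIELDS:
                continue                      # malformed line, no command
            sched, cmd = " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]
        jobs.append((sched, cmd.strip()))
    return jobs


def hidden_components(path):
    """Dot-directories in a path ('~/.t/run.py' -> ['.t']); '.' and '..' are not hidden."""
    return [c for c in path.split("/") if c.startswith(".") and c not in (".", "..")]


def audit_crontab(text):
    """Flag jobs with the traits the post describes: executing something out
    of a hidden folder (or a temp directory) and running very frequently."""
    findings = []
    for sched, cmd in parse_crontab(text):
        reasons = []
        try:
            tokens = shlex.split(cmd)
        except ValueError:                   # unbalanced quotes: fall back
            tokens = cmd.split()
        for tok in tokens:
            hidden = hidden_components(tok)
            if hidden:
                reasons.append("references hidden directory " + "/".join(hidden))
            if tok.startswith(TEMP_DIRS):
                reasons.append("runs from a temp directory")
        if sched == "* * * * *":
            reasons.append("runs every minute")
        if reasons:
            findings.append({"schedule": sched, "command": cmd, "reasons": reasons})
    return findings


# Constructed sample crontab. The last entry is made up to resemble the
# behaviour described in the post (a Python component under ~/.t kept alive by
# cron); the file names are not Janicab's.
SAMPLE_CRONTAB = """\
# backups
MAILTO=admin@example.com
0 3 * * * /usr/local/bin/backup.sh --quiet
@weekly /usr/bin/updatedb
* * * * * /usr/bin/python ~/.t/runner.pyc >/dev/null 2>&1
"""

if __name__ == "__main__":
    # On a real Mac: audit the current user's crontab and look for the ".t" folder.
    try:
        live = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        live = ""
    for finding in audit_crontab(live or SAMPLE_CRONTAB):
        print(finding)
    if os.path.isdir(os.path.expanduser("~/.t")):
        print("hidden folder ~/.t exists")
```

The script only reads the crontab; it does not modify anything, so it is safe to run before deciding on the removal command given later in the post.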

Once installed, the malware locates its command-and-control (C&C) server by
searching a few specific places for specific text that contains an IP address.
After contacting the C&C server, it begins taking screenshots and recording
audio, uploading them to the server and polling the server for further
commands to run.

At this time, Janicab is not detected by most anti-virus software, and in the
hands of an unobservant or unsavvy user it slips right past the built-in
defenses of Mac OS X. That makes it very dangerous. Further, seeing more
malware signed with a valid developer certificate is troubling, as it suggests
that Gatekeeper will not offer as much protection as had been hoped.

Removal should be fairly easy. However, you need to take great care. Be sure you
have up-to-date backups of all your data, then read the instructions below
carefully and follow them precisely!

The following command should be copied and pasted into the Terminal (which is
found in the Utilities folder in the Applications folder). Do not try to retype
this command: a typo as simple as a space in the wrong place could have
disastrous consequences. Also note that the first half of this command removes
all of your cron jobs. Having no cron jobs is the default state in Mountain
Lion (Mac OS X 10.8), but much earlier versions of Mac OS X may differ (and I
don’t know yet which versions of Mac OS X this malware is capable of
infecting). If you have created your own cron jobs, this will remove them too,
so list them first (crontab -l) and save the output if you want to restore them
afterwards. The second half deletes the hidden “.t” folder the malware created.

crontab -r;rm -rf ~/.t

Once you have run this command, log out to ensure that all the malicious
processes still loaded into memory are terminated. When you log back in, the
malware should be gone.


UPDATES

July 16, 2013: Looks like the developer certificate used to sign this trojan has
already been revoked. I just tested it, and trying to open the app now results
in only two choices: cancel or move it to the trash.

Tags: Gatekeeper, Janicab, Mac OS X, malware, trojan

11 COMMENTS

 * Brittany says:
   July 15, 2013 at 2:33 pm
   
   Wow… Thanks for letting us know! I am glad I came to your site today.
   
   * Thomas says:
     July 15, 2013 at 2:39 pm
     
     You can always follow The Safe Mac on Twitter to be kept alerted to these
     things, without having to check in here to see what’s new. I tweet a link
     to every post. 🙂
   
     
   
 * Sid Cannon says:
   July 15, 2013 at 5:15 pm
   
   I use both Windows 7 and OSX. The security I have for Windows 7 is Sandboxie
   and Shadow Defender.
   
   No matter how much I want to be able to trust OSX security wise, I don’t feel
   comfortable with it. Maybe that’s because I’ve used Windows for nigh on
   twenty years, I don’t know.
   
   But I can’t find security for OSX like Shadow Defender for Windows. With
   Shadow Defender a simple reboot and my OS drive is squeaky clean.
   
   Maybe I don’t understand security and OSX, but I feel sort of naked without
   it.
   
   * Thomas says:
     July 15, 2013 at 7:34 pm
     
     There’s nothing, as far as I know, like Shadow Defender for Mac OS X.
     However, that’s a lot of overhead – which will slow you down considerably –
     to avoid issues that are quite rare. Although you do want to keep aware of
     what’s going on and do what you can to protect yourself (see my Mac Malware
     Guide), you don’t need to worry too much beyond that. Most malware, if you
     do end up getting infected, is pretty easy to remove as well.
     
     * Sid Cannon says:
       July 16, 2013 at 11:46 am
       
       Thanks for your reply Thomas. I read your Mac Malware Guide some time
       ago, and I have ClamXav and Dr. Web Light for on demand scans.
       
       I don’t have any real time protection on OSX but I am considering Avast,
       even if just for peace of mind.
       
       The key points I am going to take from your reply are that Mac malware is
       rare and easy to remove.
       
       Thanks again for your reply Thomas.
     
       
     
   
 * Jay says:
   July 15, 2013 at 6:24 pm
   
   Is this a POC or has it been spotted in the wild already? Haven’t been able
   to find that bit of info.
   
   * Thomas says:
     July 15, 2013 at 7:36 pm
     
     As far as I know, it’s actually in the wild. Usually, if it’s just a PoC
     (proof-of-concept, meaning just a test to see what’s possible, for those
     unfamiliar with the term), the source is well documented. Creators of PoCs
     are generally not looking to keep their work secret. So, since there wasn’t
     any mention of a source, I’m guessing it’s in the wild, and that F-Secure
     may not yet know exactly where it came from.
     
     * Sean Sullivan says:
       July 16, 2013 at 12:48 am
       
       In the wild, but being used in targeted attacks is our opinion based on
       the YouTube video (C&C locater) stats. 500+ views (for both) from Feb
       13th to July 13th.
       
       The binary that Broderick discovered/analyzed yesterday was compiled in
       April. So the March figures could be some testing, but probably means
       that there are other variants which were used.
       
       * Thomas says:
         July 16, 2013 at 7:47 am
         
         Thanks for the additional info!
       
         
       
     
   
 * Al Varnell says:
   July 21, 2013 at 5:04 pm
   
   Two questions remain for me:
   
   – Is RecentNews.ppa.pdf compiled as a Universal Binary or is it a threat to
   Intel only Macs?
   
   – I know codesigning has been a feature of OS X Leopard and newer, but what
   versions of OS X will check the authenticity of an Apple Developer ID when
   you attempt to launch an app?
   
   * Thomas says:
     July 21, 2013 at 9:44 pm
     
     It’s not specific to either processor, as it’s a python app. So I would
     guess it would have worked on any machine capable of running a python app.
     
     I’m not sure what versions of OS X will check the signature. Since I know
     you’ve got a Leopard machine, I’ll send you a copy and we’ll see what
     happens! 🙂
   
     
   