Unix and macOS malware

Yesterday a blog post on “The Linux Mint Blog” caught our attention. Apparently criminals managed to compromise a vulnerable instance of Wordpress which the project used to run their website. The attackers modified download links pointing to backdoored ISO files of Linux Mint 17.3 Cinnamon edition.

Recently we came across a new family of cross-platform backdoors for desktop environments. First we got the Linux variant, and with information extracted from its binary, we were able to find the variant for Windows desktops, too. Not only that, but the Windows version was additionally equipped with a valid code signing signature. Let´s have a look at both of them.

In December 2014 we discovered a very interesting vulnerability in the Darwin kernel. Using it attackers can send just one incorrect network packet to the victim and the victim’s system (OS X 10.10 or iOS 8) will crash.

In 2013 we registered a sudden surge in the number of attacks targeting users’ financial information and money. In 2014, the situation changed considerably: the number of attacks and attacked users significantly decreased, as did the amount of financial phishing.

In November 2014, an interesting malicious sample was uploaded to a multiscanner service. This immediately triggered our interest because it appears to represent a previously unknown piece of a larger puzzle.

This section of the report forms part of the Kaspersky Security Bulletin 2014 and is based on data obtained and processed using Kaspersky Security Network (KSN). Kaspersky Lab products detected and neutralized a total of 6,167,233,068 threats during the reported period.

Next year Kaspersky Lab experts anticipate high-stakes targeted cyber-attacks pinpointing the banks. We expect fraudsters will try to develop new malware that can take cash directly from ATMs. 2015 is also likely to bring even more privacy concerns, security worries about Apple devices and renewed fears about connected devices.

Recently, news appeared about an interesting attack where cybercriminals infect iPhones and Mac OSX users with a rather peculiar malware dubbed WireLurker. Yesterday, our friend Jaime Blasco from Alienvault discovered a Win32 malicious tool that appears to be related.

We got an interesting file for analysis a short while ago. It turned out to be a sample of modular malware for MacOS X.

A couple weeks ago, my colleague Mikhail K posted on the analysis of several bots, including a bot implementing some extraordinary DNS amplification DDoS functionality. Let’s explore some additional offensive details of this crew’s activity, and details of the overall situation, in the past week.

It described a Trojan with sufficiently versatile DDoS functionality. The capability that we found the most interesting was the Trojan’s ability to conduct DNS Amplification-type attacks.

A Trojan encrypter for Mac OS X is something we haven’t yet seen, but is, it seems, totally realistic.

Absolutely all of the latest versions of Microsoft Word and some versions of Internet Explorer maintain critical vulnerabilities enabling remote code execution. Today, Microsoft releases two critical patches to close multiple vulnerabilities with each. Two important updates are released to address a batch file handling issue and another RCE hole in Microsoft Publisher. All of

A few days ago the personal blog and Reddit account of MTgox CEO, Mark Karpeles, were hacked. Attackers used them to post a file, MtGox2014Leak.zip, which they claim contains valuable database dumps and specialized software for remote access to MtGox data.

In response to numerous requests for comments and clarifications after our presentation at the Kaspersky Security Analyst Summit 2014, we have created this FAQ.