
29th August 2012, 08:40 PM
Registered User, Join Date: Sep 2011, Posts: 337
FIRST ever Linux, Mac OS X-only password sniffing Trojan spotted
http://www.theregister.co.uk/2012/08...ux_mac_trojan/
Quote:
The program also grabs passwords submitted to Opera, Firefox, Chrome and Chromium web browsers, and credentials stored by applications including email client Thunderbird, web suite SeaMonkey, and chat app Pidgin. The malware then attempts to upload the gathered data to a server hosted in the Netherlands.

Just a heads up on this, but it sounds nasty.

29th August 2012, 09:11 PM
Registered User, Join Date: May 2009, Location: Manorville, New York, USA, Posts: 1,581
Re: FIRST ever Linux, Mac OS X-only password sniffing Trojan spotted
It only says "Once installed on a compromised machine". So, it's FUD until they explain how it gets installed.
__________________
Registered Linux User #348347
Have you been seduced by siduction? http://siduction.org/index.php
Running Fedora 17/18, siduction and openSUSE Tumbleweed with KDE

29th August 2012, 10:47 PM
Registered User, Join Date: Aug 2011, Posts: 697
Re: FIRST ever Linux, Mac OS X-only password sniffing Trojan spotted
Go Netherlands, woohoo!
But seriously, it is unfortunate that it isn't yet clear how it spreads, but I guess that it theoretically could be a payload of the current Windows/Mac OS X/Linux Java vulnerability.
Quote:
Oracle Java Runtime Environment (JRE) 1.7 contains a vulnerability that may allow an applet to call setSecurityManager in a way that allows setting of arbitrary permissions.

Let's hope a patched OpenJDK hits the repos soon; till then it is best to disable any Java plugins.

29th August 2012, 11:17 PM
Registered User, Join Date: Dec 2011, Posts: 213
Re: FIRST ever Linux, Mac OS X-only password sniffing Trojan spotted
Never really had a look at the installed Firefox plugins, only add-ons.
I just have the following plugins installed on Firefox:
divx webplayer (necessary?)
IcedTea-web-plugin (executes java applets) (THIS should be disabled, I guess)
itunes application detector (pfff, delete that one)
quick-time
shockwave-flash
vlc multimedia plugin (comp. totem)
windows media player plugin 10 (compatible totem)
There might be a couple of plugins I can delete, I guess?

30th August 2012, 12:45 AM
Gnome-gasmic by choice!, Join Date: Aug 2011, Location: North Carolina, Age: 45, Posts: 1,052
Re: FIRST ever Linux, Mac OS X-only password sniffing Trojan spotted
Quote:
Originally Posted by billybob linux
Once installed on a compromised machine, Wirenet-1 opens a backdoor to a remote command server, and logs key presses to capture passwords and sensitive information typed by victims.

So going on this little bit of information, one needs to first install this piece of crapware to be compromised.
Why would you install it? And it's not in the repos, right?
__________________
On quest for blue smoke and red rings...

30th August 2012, 08:05 AM
Registered User, Join Date: Dec 2011, Posts: 213
Re: FIRST ever Linux, Mac OS X-only password sniffing Trojan spotted
Quote:
Originally Posted by BBQdave
So going on this little bit of information, one needs to first install this piece of crapware to be compromised.
Why would you install it? And it's not in the repos, right?

Yup, thought so. Like GoinEasy9 said, it's FUD.
Quote:
Originally Posted by Dutchy
Let's hope a patched OpenJDK hits the repos soon; till then it is best to disable any Java plugins.

Update today:
Quote:
java-1.7.0-openjdk x86_64 1:1.7.0.6-2.3.fc17.2

30th August 2012, 06:35 PM
Registered User, Join Date: Sep 2011, Posts: 337
Re: FIRST ever Linux, Mac OS X-only password sniffing Trojan spotted
Quote:
Yup, thought so. Like GoinEasy9 said, it's FUD.

Yes, it could be FUD, but I have done a little bit of research on it and it is being reported in quite a few Russian tech journals (as Backdoor Wirenet1). But they are not saying anything new, apart from one, that is. With the wonders of Google Translate I found this:
http://open-club.net/
They have a short article about it:
Quote (translated from Russian):
Among the applications into which the Trojan software is able to inject itself and intercept passwords, Opera, Firefox, Chrome, Chromium, Thunderbird, SeaMonkey and Pidgin are noted (details are not reported, but by all appearances the Trojan installs itself under the guise of a plugin). On activation, the malware places a copy of itself in the WIFIADAPT subdirectory of the user's home directory (on Mac OS X, WIFIADAPT.app.app). To transmit the intercepted passwords, BackDoor.Wirenet.1 uses a network connection to a remote command centre, which is encrypted using the AES standard. The Trojan's distribution mechanism is still being studied and is not being publicised.

Translated as:
Quote:
Of the applications that the Trojan software is able to implement itself in and intercept passwords from, marked are Opera, Firefox, Chrome, Chromium, Thunderbird, SeaMonkey, and Pidgin (details were not disclosed, but, apparently, the Trojan is being introduced under the guise of a plugin). When activated, the malware places its copy in the WIFIADAPT subdirectory in your home directory (in Mac OS X, WIFIADAPT.app.app). To transmit the intercepted passwords, BackDoor.Wirenet.1 uses a network connection to a remote command center, which is encrypted using standard AES. The Trojan software distribution mechanism is still under study and is not advertised.

They use the word "plugin"; now I don't know if that's a translation issue, a known fact, an assumption, or a wild guess. However, as it is still "under study", who knows? But that's what I found so far.
Last edited by billybob linux; 30th August 2012 at 06:45 PM.
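A defender-side check that ties together two points from the thread: the WIFIADAPT drop directory named in the open-club.net excerpt, and the Java browser plugins Dutchy suggested disabling. This is an added example, not code from any poster; the plugin directory paths and the Java plugin name fragments (IcedTea, libnpjp2) are my assumptions and are not taken from the thread.

```python
import os
from pathlib import Path

# Drop locations quoted in the thread's open-club.net excerpt on BackDoor.Wirenet.1:
# ~/WIFIADAPT on Linux, WIFIADAPT.app.app on Mac OS X. Matched exactly, case-sensitive.
WIRENET_DROP_NAMES = frozenset({"WIFIADAPT", "WIFIADAPT.app.app"})

# Browser plugin directories to inspect. Assumed typical Fedora/Firefox locations
# of the period, not paths taken from any post in the thread.
USER_PLUGIN_DIRS = (".mozilla/plugins",)
SYSTEM_PLUGIN_DIRS = ("/usr/lib/mozilla/plugins", "/usr/lib64/mozilla/plugins")

# Name fragments that mark Java applet plugins (IcedTea-Web, Oracle's libnpjp2.so); assumed.
JAVA_PLUGIN_MARKERS = ("icedtea", "java", "npjp")


def wirenet_hits(home_entries):
    """Return the Wirenet drop names present among a home directory's entries."""
    return sorted(n for n in home_entries if n in WIRENET_DROP_NAMES)


def is_java_plugin(filename):
    """True if a plugin file name looks like a Java applet plugin."""
    lower = filename.lower()
    return any(marker in lower for marker in JAVA_PLUGIN_MARKERS)


def classify_plugins(filenames):
    """Split plugin file names into Java plugins (candidates to disable) and the rest."""
    java = sorted(f for f in filenames if is_java_plugin(f))
    other = sorted(f for f in filenames if not is_java_plugin(f))
    return {"java": java, "other": other}


def scan_home(home):
    """Run both checks against a real home directory and return the findings."""
    home = Path(home)
    findings = {"wirenet": wirenet_hits(os.listdir(home)) if home.is_dir() else []}
    names = []
    for d in [home / u for u in USER_PLUGIN_DIRS] + [Path(s) for s in SYSTEM_PLUGIN_DIRS]:
        if d.is_dir():
            names.extend(e.name for e in d.iterdir())  # symlinks count by link name
    findings["plugins"] = classify_plugins(names)
    return findings


if __name__ == "__main__":
    result = scan_home(Path.home())
    print("Wirenet drop directories found:", result["wirenet"] or "none")
    print("Java browser plugins to disable:", result["plugins"]["java"] or "none")
```

A hit on the drop directory only means the named path exists; confirm with file hashes or a scanner before acting on it, since the thread itself notes the details are still under study.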