Malware

New OS X Malware: Another Tibet Variant Found

Posted on September 10th, 2013 by

Things have been relatively quiet lately from the authors of the Tibet family of malware, but another variant was found last night on the Virus Total website, which is a site used by security researchers to share malware samples. Before last night, the last variant was found just over a year ago, and was already detected by Intego VirusBarrier's existing virus definitions as OSX/Tibet.C.

This time, the attack arrives via a Java applet on a web site. This drops a Java archive with the backdoor and launches it without user interaction, by way of a Java vulnerability. When installed, it creates a backdoor to the affected computer, which allows an attacker to view and access files on the computer as well as running commands. The malware uses recently patched Java vulnerabilities CVE-2013-2465 and CVE-2013-2471. If you've not yet updated, now would be a great time to do so.

The archive file has the following contents:

TibetD

The new Tibet malware variant creates the following files when installed:

  • /Library/Audio/Plug-Ins/Components/AudioService
  • /Library/LaunchAgents/com.apple.AudioService.plist

The LaunchAgent enables the malware to start after reboot. The backdoor itself is what's copied as "AudioService." It contacts a C&C server in China (mail.tbnewspaper.com) to receive commands.

Intego VirusBarrier with current malware definitions protects Mac users against this malware as OSX/Tibet.D. This is considered to be a low-risk threat at this time as it’s not known to be affecting users.

  • Karmic Spirit

    Can you explain how this approach was not blocked by Gatekeeper? Gatekeeper would block an unsigned app from launching as a LaunchAgent. Thanks.

    • LysaMyers

      GateKeeper blocks applications that are downloaded from the Internet. With Java exploits, those backdoor applications are not downloaded, strictly speaking. With the help of the Java exploit, the files are created on the Mac, locally – that is to say, they’re written to the user’s disk byte by byte.

      LaunchAgents created by those backdoors are not blocked, as they don’t have quarantine bit set. And if there’s no quarantine bit, no blocking by Gatekeeper.

      Here’s some additional info from Apple’s support site:
      http://support.apple.com/kb/HT5290
      “Important: Developer ID signature applies to apps downloaded from the Internet. Apps from other sources, such as file servers, external drives, or optical discs are exempt, unless the apps were originally downloaded from the Internet.”

Join Our Awesome Email Newsletter

Enter your email address below to start receiving the best Mac Security Updates.

{"url":"\/marketo\/json\/add-to-newsletter","data":"list_name=Blog Roadblock"}