back to article ⌘+c malware smacks Macs, drains keychains, pours over Tor

More malware capable of pilfering Mac keychain passwords and shipping them over Tor has been turned up, less than a day after a similar rare trojan was disclosed. Dubbed Keydnap, the malware is delivered as a compressed Mach-O file with a txt or jpg extension, with a hidden space character which causes it to launch in terminal …

  1. Nick Pettefar

    What is a Mach O file?

    1. HelpfulJohn

      "What is a Mach O file?"

      https://en.wikipedia.org/wiki/Mach-O

  2. Nifty Silver badge

    Always avoided using Keychain with any Apple branded stuff. Was I right?

    1. J__M__M

      No, you were premature (that's what she said).

      "Always avoided using Keychain with any Apple branded stuff. Was I right?"

      "Keydnap isn't exploiting OS X-level bugs, and default Macs are protected by security settings"

    2. Anonymous Coward
      Anonymous Coward

      Always avoided using Keychain with any Apple branded stuff. Was I right?

      I suspect you're talking about the Cloudy shared thing, yes, that's worth avoiding. But I doubt that you've avoided the local OSX keychain (which would also be somewhat pointless IMHO, but your needs may differ from mine).

  3. David Lawton

    Now i see why Apple have removed the run apps from 'Anywhere' option in Mac OS Sierra. I don't know why you would run with that option turned on unless the user has been told to by an idiot. Keep Gate Keeper set to App Store and Identified Developers only, if you need an app from else where and absolutely trust them just right click on the app and select Open, then an extra open option appears instead of being blocked with only an OK box. Simple and no need to compromise part of the security.

    1. Anonymous Coward
      Anonymous Coward

      I could name one of those idiots

      "I don't know why you would run with that option turned on unless the user has been told to by an idiot."

      A university lecturer on Coursera had a video showing how to do that.

      It did get dropped for the next run of the course, but I saw no apology.

    2. JLV

      Yeah, but there are legitimate reasons to accept run-this-even-though-it-was-downloaded apps at least on demand, as you yourself just explained how to do. Since the article specifically said the infection entry context wasn't known, Gatekeeper need not have been blanket disabled. What about, for example, a compromised but previously benign 3rd party app that needs an install exception? I install little - every new proggie is a risk - but not much of what I need is on the Apple app store.

      Let's be careful and not just smugly trust that Apple's security is foolproof.

  4. AndyTempo

    Running unsigned code

    I have gatekeeper set to app store and identified developers however I can compile and run executables without signatures. How does that work?

    ---------

    [orion:~/asm] andy% cat hw.c

    #include <stdio.h>

    int main(int argc, char **argv)

    {

    printf("Hello, World\n");

    }

    [orion:~/asm] andy% gcc -o hw hw.c

    [orion:~/asm] andy% ./hw

    Hello, World

    [orion:~/asm] andy%

    1. stephanh

      Re: Running unsigned code

      Gatekeeper works by setting a special file attribute ("com.apple.quarantine") on files downloaded from the Internet. (Actually, it relies on your browser doing that.)

      Your hw binary didn't have the attribute so Gatekeeper was not triggered.

  5. Crazy Operations Guy

    " reads securityd’s memory "

    What kind of OS doesn't throw an exception when reading the memory space of a privileged process? Any secure OS would crash itself immediately if any non-kernel process attempted to read the memory space of any security-related process. Fir process-to-process communications for application that require access to the security database, it should be done through a process that is completely non-privileged except the ability to read a very small, public chunk of securityd's memory space.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like