[HN Gopher] 30K Macs are infected with 'Silver Sparrow' virus an...
___________________________________________________________________

30K Macs are infected with 'Silver Sparrow' virus and no one knows why

Author : CharlesW
Score  : 122 points
Date   : 2021-02-22 17:50 UTC (5 hours ago)

(HTM) web link (www.macworld.com)
(TXT) w3m dump (www.macworld.com)

| cameronperot wrote:
| Discussion from a couple days ago:
|
| https://news.ycombinator.com/item?id=26204756

| supernova87a wrote:
| Is there an "approved" diagnostic tool that one should use to figure out whether your mac has the virus, or is vulnerable to it and needs patching?

| klaushardt wrote:
| https://github.com/ronaldstoner/sparrow-detector

| prox wrote:
| I think Malwarebytes was the company first identifying the threat. Correction: it was Red Canary working with Malwarebytes.

| kennywinker wrote:
| Check for the existence of these files:
|
| ~/Library/._insu (empty file used to signal the malware to delete itself)
|
| /tmp/agent.sh (shell script executed for installation callback)
|
| /tmp/version.json (file downloaded from S3 to determine execution flow)
|
| /tmp/version.plist (version.json converted into a property list)
|
| https://redcanary.com/blog/clipping-silver-sparrows-wings/

| ttul wrote:
| To me, this looks like a government sponsored trojan. It's extremely sophisticated and seems highly targeted.

| jandrese wrote:
| 30,000 computers across virtually every country in the world is "highly targeted"?

| saagarjha wrote:
| And it's not that sophisticated, either.

| singlow wrote:
| I suspect the original poster was being sarcastic. But maybe not.

| johnklos wrote:
| This is why it's so problematic when people don't make a distinction between "virus" and "Trojan".
|
| If we trusted that people, particularly a supposed tech site, made the distinction, the article would be MUCH more useful.
|
| A new Trojan out there? I don't care much.
|
| An actual virus that fits the definition of computer virus (that is, it infects and spreads without user interaction)? That's a huge deal.
|
| Too bad they don't make a distinction.

| jpcosta wrote:
| I don't really think it pays off to make such a distinction between virus and trojan.
|
| `Trojan` is often used to refer to malware that provides a backdoor into your system, and if someone gets to run code on your machine it isn't your machine anymore.

| derekp7 wrote:
| The real value is in evaluating your risk, which includes an analysis of the infection vector. A virus (or worm) can be more risky because it typically exploits a weakness in the system. And some trojans are more risky to some demographics than others, depending on which social engineering techniques they use to trick a user into installing them.

| mike_d wrote:
| If you are making a risk evaluation based on the generic term someone else uses to describe a threat, you've already lost.
|
| The genie is out of the bottle and there is no putting it back - virus, malware, worm, trojan, etc. are all interchangeable marketing terms now.

| ginko wrote:
| >that is, it infects and spreads without user interaction
|
| My understanding was that viruses that spread without interaction are called worms. Both trojans and worms are viruses.

| kazinator wrote:
| False. There were viruses in the PC and Mac world for years, long before the 1988 Morris worm incident popularized the "worm" term.
|
| Viruses spread via interactions like booting an infected floppy disc, or running an infected program copied from another user.
|
| A virus is simply a piece of malicious code which attaches itself to programs, arranges for itself to be executed when those programs are run, and thereby spreads to more programs as programs are copied from system to system by unsuspecting users.
|
| A Trojan horse is a malicious program which a user is somehow fooled into trusting, installing and running. It doesn't have to be a virus at all; for instance, it could be a fake authentication dialog that steals their credentials and then defers to the real authentication.
|
| A malicious thumb drive deliberately dropped in the parking lot of a company is a modern example of a Trojan horse. It might not infect anything, just steal information and transmit it.

| charonn0 wrote:
| The terminology is based on how the malware spreads. Worms actively exploit holes in network programs (e.g. emailing themselves to your contacts), trojans disguise themselves as something useful (e.g. a pirated game). True viruses spread by injecting copies of themselves into innocent files in such a way that opening the file triggers the payload.
|
| True viruses are rare these days because the infection vector is passive and relatively slow: an infected file must be transferred by user action to another computer, for example by sharing an infected file via floppy disk.

| sandworm101 wrote:
| >> for example by sharing an infected file via floppy disk.
|
| Or an "excel" file attached to an email or posted in a chat group that is executed by the host automatically and inserts itself somewhere. Viruses remain alive and well online.

| marcod wrote:
| This has a good breakdown of how it works:
| https://redcanary.com/blog/clipping-silver-sparrows-wings/

| sudhirj wrote:
| Why would the malware use S3? Won't AWS just boot them off if they recognize malware? And report their payment details to the authorities?

| Jtsummers wrote:
| 1. It may not be _their_ bucket. Getting someone's credentials and uploading to S3 means the wrong party would be assigned blame/responsibility.
|
| 2. It may be their bucket, but with false credentials. Stolen CC and faked contact information.

| smogcutter wrote:
| Right, but if amazon disables the bucket then don't they lose contact with all the infected hosts? And anyway, I can't imagine expecting a recurring charge like an AWS account to last too long on a stolen CC.
|
| Along with the apparent lack of any actual payload, it seems to point to this being some kind of proof of concept.

| mike_d wrote:
| Bad guys have figured out there are tons of 1-year promo offers for AWS and hosting a single file stays well within the free tier. They toss a stolen card on the account to verify it, which honestly most people won't question: a $1 charge, then a refund from Amazon.
|
| They also had a backup hosted on Akamai.

| [deleted]

| Beached wrote:
| Most malware infra uses AWS these days. Amazon is terrible at preventing it, and in my experience makes it nearly impossible to report.

| adrr wrote:
| You need to host it somewhere. S3 won't set off any IDS/Firewall alert. IDS would pick up calls to China or Russia. Payment details are probably stolen credit cards or credit cards set up with fake/stolen identities. They'll be a dead end.

| yarcob wrote:
| The article mentions that using S3 makes it harder to block. You can't block Amazon S3 without breaking very many things.
|
| Presumably the malware author would open an AWS account with a stolen or prepaid credit card. They could probably even get away with using AWS's free tier.
|
| Or they could even abuse a random web service that uploads data to predictable locations on S3.

| whoopdedo wrote:
| Stolen buckets maybe.

| helsinkiandrew wrote:
| It appears Amazon or the bucket owners have blocked the URLs the malware uses (at least those listed in the article).
|
| I'm not sure if this means that the malware is no longer a threat.

| jandrese wrote:
| Usually botnet control systems like this will generate a new domain every day using some difficult-to-predict algorithm. Maybe seed it off of the previous day's Dow Jones Index closing figure or something. This makes it a race to try to register the domain before the bad guys do.
|
| I find it weird how all of the stories about this thing have the tone of "oh no, what could it be for, there is no payload!?!", when it phones home to a control server regularly waiting for payload. Guys, it's a botnet. They're just waiting for it to get big enough to be worth selling. This isn't some huge mystery. It could be used for hundreds of uses from DDOSing, to spamming, to being a covert VPN network, to Warez distribution, porn, etc... Plus it will probably eventually install a keylogger on the system to harvest CC numbers and passwords from the infected users, maybe run some crypto-locking ransomware if the devs need some bitcoin. All of the typical stuff you can expect after a box is rooted by one of these botnet operators.

| mike_d wrote:
| Stuxnet, for example, didn't really seem to do anything useful. Unless you happened to have a very specific version of industrial control software installed.
|
| No obvious payload is actually the worst kind of malware to deal with, because you have no idea if Matthew in accounting had the specific key on his machine that installed a second stage that you know nothing about and can't detect.

| skybrian wrote:
| Unless I missed something, it doesn't explain how they entice people into installing the malware?

| harikb wrote:
| If the only vulnerability that was exploited was an unsuspecting user installing software they thought was clean, it should just be classified as "30K macs have compromised software installed on them".

| kerng wrote:
| This definition of virus is actually referred to as a worm.
|
| A virus just attaches itself to a host (binary, document, ...) to spread; like 30 years ago, viruses spread via floppy disk, which required a lot of manual doing.
|
| A worm is what actively spreads by itself.
|
| Both viruses and worms (malware so to speak) can be introduced to environments as trojans.
|
| I think when someone says virus these days, including news, they just mean any kind of malware and it seems okay to me.
|
| The important part is to start talking more about malware on macOS, as it seems a blind spot for many organizations.

| sandworm101 wrote:
| >> to start talking more about malware on macOS
|
| We had this debate in my office today. Imho malware is any software that the user/owner of a system doesn't want running. Others were of the opinion that "malware" doesn't include software for which _someone_, perhaps other than the user, has a legitimate use. So surveillance software isn't malware because it can be installed on a target device legitimately. So too most bloatware, stuff I call malware but many large corporations do not.

| Toutouxc wrote:
| > talking more about malware on macOS
|
| That's also why it's important to make the distinction between the "naked-cheerleaders.jpg.exe" kind of malware, the "visited a website" or "opened a PDF" kind and finally the "had a machine online" kind. Because AFAIK the second kind of malware is very rare on macOS and the third kind is literally nonexistent. And some people rely on that (including me).

| saurik wrote:
| So, I appreciate you might consider this separate, but I would for most purposes include the various iMessage exploits in that last category (so: rare, but not unheard of).

| ogre_codes wrote:
| Terminology descriptions aside (I believe what you are describing is a worm, not a virus), knowing how something spreads is important.
|
| Obsessing over motivations of the developers without providing useful mitigation steps or any kind of even vague description of who is at risk by this is frustrating.

| soheil wrote:
| So which is it in this case? Is this the really bad kind or the one we shouldn't care about?
| dec0dedab0de wrote:
| I think technically a virus infects other files, but a worm is its own file(s) that spread one way or another. A Trojan is just one means of spreading, and can be used by viruses, worms, or other malware. Though there really is no point in being pedantic about the definitions because all the lines have been blurred for decades.

| swiley wrote:
| Is there an easy way to see if you're infected?

| klaushardt wrote:
| https://github.com/ronaldstoner/sparrow-detector

| beervirus wrote:
| What a silly title. It may not have some active payload right now, but that doesn't mean it won't tomorrow. Seems like a reasonable strategy to spread the malware as wide as possible, then push an update to trigger whatever behavior you want. And yes, it does check for updates.
|
| > Every hour, the persistence LaunchAgent tells launchd to execute a shell script that downloads a JSON file to disk, converts it into a plist, and uses its properties to determine further actions.
|
| https://redcanary.com/blog/clipping-silver-sparrows-wings

| 0x008 wrote:
| > In short, it doesn't do anything. That's not all that reassuring, given that tens of thousands of Macs could have potentially been infected, but based on the findings and investigations of multiple strains, the virus was "positioned to deliver a potentially impactful payload at a moment's notice."
|
| Was the article changed after your comment?

| Wowfunhappy wrote:
| But no one knows what the payload will do. I thought the title was fine.

| ASalazarMX wrote:
| A more honest title would have ended with "no one knows what for".

| beervirus wrote:
| I guess that's right. I was reading the title as "no one knows why they bothered infecting these computers with a virus that doesn't do anything."

| trollied wrote:
| Apple has revoked the dev certificates to stop further infection:
| https://www.macrumors.com/2021/02/22/apple-revokes-silver-sp...
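An added example, not code from the thread, from Red Canary or from the sparrow-detector repository linked above: a POSIX shell script that checks for the four indicator files kennywinker listed and audits the user's LaunchAgents, since the Red Canary quote above says persistence is a LaunchAgent that runs a shell script hourly. The root and home-directory arguments are my own addition so the checks can be pointed at a mounted disk image or a test directory instead of the live machine; the "references a path under /tmp" heuristic for LaunchAgents is also my assumption (the page does not say which path the Silver Sparrow agent runs), chosen because a legitimately installed agent rarely executes a script out of a temporary directory.

```shell
#!/bin/sh
# Added example (not the thread's, Red Canary's or sparrow-detector's code):
# look for the Silver Sparrow indicator files quoted in the thread and list
# user LaunchAgents that point at /tmp. The ROOT/HOME arguments are an
# addition of mine so the checks can run against an image or a test tree.

# Print every indicator file that exists, one path per line.
# $1 = filesystem root ("" for the live system), $2 = home directory to check.
silver_sparrow_indicators() {
    root=${1:-}
    home=${2:-$HOME}
    # Paths exactly as listed in the thread. Note that ~/Library/._insu is the
    # file whose presence tells the malware to delete itself, so on its own it
    # may indicate an infection that has already been told to remove itself.
    for p in "$home/Library/._insu" \
             "$root/tmp/agent.sh" \
             "$root/tmp/version.json" \
             "$root/tmp/version.plist"; do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Count the indicators present (0 means none of the listed files exist).
silver_sparrow_count() {
    silver_sparrow_indicators "$@" | {
        n=0
        while IFS= read -r line; do n=$((n + 1)); done
        echo "$n"
    }
}

# List LaunchAgent plists in $1 (default: the current user's LaunchAgents
# directory) whose XML mentions a path under /tmp. Heuristic of my own, not an
# indicator from the page. Binary plists will not match; on macOS convert them
# first with `plutil -convert xml1 -o - file.plist`.
launchagents_referencing_tmp() {
    dir=${1:-$HOME/Library/LaunchAgents}
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue
        grep -q '/tmp/' "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Live scan of this machine when invoked as: SILVER_SPARROW_SCAN=1 sh check.sh
# (guarded so that sourcing the file for its functions alone does nothing).
if [ "${SILVER_SPARROW_SCAN:-0}" = 1 ]; then
    echo "indicator files present:"
    silver_sparrow_indicators "" "$HOME"
    echo "LaunchAgents referencing /tmp:"
    launchagents_referencing_tmp
fi
```

A hit on any of the four paths is worth following up with the Red Canary write-up linked in the thread; a hit only on `~/Library/._insu` is more likely a leftover from a sample that was told to remove itself. The LaunchAgent listing is a triage aid, not proof: inspect the flagged plist's ProgramArguments before acting on it.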
| tamaharbor wrote:
| So what are they doing about previously infected computers?

| j0hnml wrote:
| If I had to guess, I'd say they will probably roll out new XProtect signatures [1] soon, assuming they haven't done so already for these samples.
|
| [1] https://support.apple.com/guide/security/protecting-against-...
___________________________________________________________________
(page generated 2021-02-22 23:00 UTC)