[HN Gopher] 30K Macs are infected with 'Silver Sparrow' virus an...
       ___________________________________________________________________
        
       30K Macs are infected with 'Silver Sparrow' virus and no one knows
       why
        
       Author : CharlesW
       Score  : 122 points
       Date   : 2021-02-22 17:50 UTC (5 hours ago)
        
 (HTM) web link (www.macworld.com)
 (TXT) w3m dump (www.macworld.com)
        
       | cameronperot wrote:
       | Discussion from a couple days ago:
       | 
       | https://news.ycombinator.com/item?id=26204756
        
       | supernova87a wrote:
       | Is there an "approved" diagnostic tool that one should use to
       | figure out whether your mac has the virus, or is vulnerable to it
       | and needs patching?
        
         | klaushardt wrote:
         | https://github.com/ronaldstoner/sparrow-detector
        
         | prox wrote:
         | I think Malwarebytes was the company first identifying the
         | thread. Correction : it was Red Canary working with
         | Malwarebytes.
        
         | kennywinker wrote:
         | Check for the existence of these files:
         | 
         | ~/Library/._insu (empty file used to signal the malware to
         | delete itself)
         | 
         | /tmp/agent.sh (shell script executed for installation callback)
         | 
          | /tmp/version.json (file downloaded from S3 to determine
          | execution flow)
         | 
         | /tmp/version.plist (version.json converted into a property
         | list)
         | 
         | https://redcanary.com/blog/clipping-silver-sparrows-wings/
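A small checker for the four on-disk indicators listed in the comment above, as an added example (this is not code from the thread, from Red Canary, or from the sparrow-detector repo linked elsewhere in the thread). The indicator paths are exactly the ones quoted; the ability to point it at an alternate home and temp directory is an assumption added so it can also be run against a mounted disk image or in a test harness. On a live Mac, /tmp is a symlink to /private/tmp, which an existence check handles transparently.

```python
#!/usr/bin/env python3
"""Check a Mac for the Silver Sparrow on-disk indicators quoted above.

Added example, not the thread's or Red Canary's code. The four relative
paths are the ones listed in the comment; the root-directory parameters
and the constructed demo tree are assumptions for illustration/testing.
"""
import os
import sys
import tempfile

# Indicator paths as listed in the comment, relative to the user's home
# directory and to the system temp directory respectively.
HOME_IOCS = ["Library/._insu"]  # empty file that signals the malware to delete itself
TMP_IOCS = ["agent.sh", "version.json", "version.plist"]


def silver_sparrow_iocs(home_dir=None, tmp_dir="/tmp"):
    """Return the indicator paths that exist under the given roots.

    An empty list means none of the listed files is present; it does not
    prove the machine is clean, since the installer may have cleaned up.
    """
    home_dir = home_dir or os.path.expanduser("~")
    candidates = [os.path.join(home_dir, p) for p in HOME_IOCS]
    candidates += [os.path.join(tmp_dir, p) for p in TMP_IOCS]
    # lexists so a dangling symlink planted at one of these paths still counts
    return [p for p in candidates if os.path.lexists(p)]


def demo():
    """Build a constructed (fake) infected layout in a temp dir and scan it.

    Returns the hits relative to the temp root so the result is stable.
    """
    base = tempfile.mkdtemp(prefix="sparrow-demo-")
    home, tmp = os.path.join(base, "home"), os.path.join(base, "tmp")
    os.makedirs(os.path.join(home, "Library"))
    os.makedirs(tmp)
    for rel in ("home/Library/._insu", "tmp/version.json"):  # constructed sample
        open(os.path.join(base, rel), "w").close()
    hits = silver_sparrow_iocs(home, tmp)
    return [os.path.relpath(h, base) for h in hits]


def main(argv):
    # Usage: python3 sparrow_iocs.py [HOME_DIR] [TMP_DIR]
    home = argv[1] if len(argv) > 1 else None
    tmp = argv[2] if len(argv) > 2 else "/tmp"
    hits = silver_sparrow_iocs(home, tmp)
    if not hits:
        print("no Silver Sparrow indicators found")
        return 0
    for h in hits:
        print("FOUND:", h)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the user whose home directory you want to check; the exit status is 1 when any indicator is present so it can be wired into a fleet-wide check.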
        
       | ttul wrote:
       | To me, this looks like a government sponsored trojan. It's
       | extremely sophisticated and seems highly targeted.
        
         | jandrese wrote:
         | 30,000 computers across virtually every country in the world is
         | "highly targeted"?
        
           | saagarjha wrote:
           | And it's not that sophisticated, either.
        
             | singlow wrote:
             | I suspect the original poster was being sarcastic. But
             | maybe not.
        
       | johnklos wrote:
       | This is why it's so problematic when people don't make a
       | distinction between "virus" and "Trojan".
       | 
       | If we trusted that people, particularly a supposed tech site,
       | made the distinction, the article would be MUCH more useful.
       | 
       | A new Trojan out there? I don't care much.
       | 
       | An actual virus that fits the definition of computer virus (that
       | is, it infects and spreads without user interaction)? That's a
       | huge deal.
       | 
       | Too bad they don't make a distinction.
        
         | jpcosta wrote:
         | I don't really think it pays off to make such distinction
         | between virus and trojan.
         | 
         | `Trojan` is often used to refer to malware that provides a
         | backdoor into your system, and if someone gets to run code on
         | your machine it isn't your machine anymore.
        
           | derekp7 wrote:
           | The real value is in evaluating your risk, which includes an
           | analysis of the infection vector. A virus (or worm) can be
           | more risky because it typically exploits a weakness in the
           | system. And some trojans are more risky to some demographics
           | than others, depending on which social engineering techniques
           | they use to trick a user into installing them.
        
             | mike_d wrote:
             | If you are making a risk evaluation based on the generic
             | term someone else uses to describe a threat, you've already
             | lost.
             | 
             | The genie is out of the bottle and there is no putting it
             | back - virus, malware, worm, trojan, etc. are all
             | interchangeable marketing terms now.
        
         | ginko wrote:
         | >that is, it infects and spreads without user interaction
         | 
         | My understanding was that viruses that spread without
         | interaction are called worms. Both trojans and worms are
         | viruses.
        
           | kazinator wrote:
           | False. There were viruses in the PC and Mac world for years,
           | long before the 1988 Morris worm incident popularized the
           | "worm" term.
           | 
           | Viruses spread via interactions like booting an infected
           | floppy disc, or running an infected program copied from
           | another user.
           | 
            | A virus is simply a piece of malicious code which attaches
            | itself to programs, arranges for itself to be executed when
            | those programs are run, and thereby spreads to more
            | programs as programs are copied from system to system by
            | unsuspecting users.
           | 
           | A Trojan horse is a malicious program which a user is somehow
           | fooled into trusting, installing and running. It doesn't have
           | to be a virus at all; for instance, it could be a fake
           | authentication dialog that steals their credentials and then
           | defers to the real authentication.
           | 
           | A malicious thumb drive deliberately dropped in the parking
           | lot of a company is a modern example of a Trojan horse. It
           | might not infect anything, just steal information and
           | transmit it.
        
           | charonn0 wrote:
           | The terminology is based on how the malware spreads. Worms
           | actively exploit holes in network programs (e.g. emailing
           | themselves to your contacts), trojans disguise themselves as
           | something useful (e.g. a pirated game). True viruses spread
           | by injecting copies of themselves into innocent files in such
           | a way that opening the file triggers the payload.
           | 
           | True viruses are rare these days because the infection vector
           | is passive and relatively slow: an infected file must be
           | transferred by user action to another computer, for example
           | by sharing an infected file via floppy disk.
        
             | sandworm101 wrote:
             | >> for example by sharing an infected file via floppy disk.
             | 
              | Or an "excel" file attached to an email or posted in a chat
              | group that is executed by the host automatically and inserts
              | itself somewhere. Viruses remain alive and well online.
        
         | marcod wrote:
         | This has a good breakdown of how it works
         | https://redcanary.com/blog/clipping-silver-sparrows-wings/
        
           | sudhirj wrote:
           | Why would the malware use S3? Won't AWS just boot them off if
           | they recognize malware? And report their payment details to
           | the authorities?
        
             | Jtsummers wrote:
              | 1. It may not be _their_ bucket. Getting someone's
              | credentials and uploading to S3 means the wrong party would
              | be assigned blame/responsibility.
             | 
             | 2. It may be their bucket, but with false credentials.
             | Stolen CC and faked contact information.
        
               | smogcutter wrote:
               | Right, but if amazon disables the bucket then don't they
               | lose contact with all the infected hosts? And anyway, I
               | can't imagine expecting a recurring charge like an AWS
               | account to last too long on a stolen CC.
               | 
               | Along with the apparent lack of any actual payload, it
               | seems to point to this being some kind of proof of
               | concept.
        
               | mike_d wrote:
                | Bad guys have figured out there are tons of 1-year promo
                | offers for AWS and hosting a single file stays well
                | within the free tier. They toss a stolen card on the
                | account to verify it, and honestly most people won't
                | question a $1 charge that is then refunded by Amazon.
               | 
               | They also had a backup hosted on Akamai.
        
             | [deleted]
        
             | Beached wrote:
             | most malware infra uses AWS these days. amazon is terrible
             | at preventing it, and in my experience make it nearly
             | impossible to report.
        
             | adrr wrote:
             | You need to host it somewhere. S3 won't set off any
             | IDS/Firewall alert. IDS would pick up calls to China or
             | Russia. Payment details are probably stolen credit cards or
             | credit cards setup with fake/stolen identities. They'll be
             | a dead end.
        
             | yarcob wrote:
             | The article mentions that using S3 makes it harder to
             | block. You can't block Amazon S3 without breaking very many
             | things.
             | 
             | Presumably the malware author would open an AWS account
             | with a stolen or prepaid credit card. They could probably
             | even get away with using AWS's free tier.
             | 
             | Or they could even abuse a random web service that uploads
             | data to predictable locations on S3.
        
             | whoopdedo wrote:
             | Stolen buckets maybe.
        
             | helsinkiandrew wrote:
             | It appears Amazon or the bucket owners have blocked the
             | URLs the malware uses (at least those listed on the
             | article).
             | 
              | I'm not sure if this means that the malware is no longer a
              | threat.
        
               | jandrese wrote:
               | Usually botnet control systems like this will generate a
               | new domain every day using some difficult-to-predict
                | algorithm. Maybe seed it off of the previous day's Dow
                | Jones Index closing figure or something. This makes it a
               | race to try to register the domain before the bad guys
               | do.
               | 
               | I find it weird how all of the stories about this thing
               | have the tone of "oh no, what could it be for, there is
               | no payload!?!", when it phones home to a control server
               | regularly waiting for payload. Guys, it's a botnet.
               | They're just waiting for it to get big enough to be worth
               | selling. This isn't some huge mystery. It could be used
               | for hundreds of uses from DDOSing, to spamming, to being
               | a covert VPN network, to Warez distribution, porn, etc...
               | Plus it will probably eventually install a keylogger on
               | the system to harvest CC numbers and passwords from the
               | infected users, maybe run some crypto-locking ransomware
               | if the devs need some bitcoin. All of the typical stuff
               | you can expect after a box is rooted by one of these
               | botnet operators.
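The date-seeded domain generation jandrese describes, written out as an added example. This is not Silver Sparrow's code and the thread does not say Silver Sparrow uses a DGA; the comment is about botnet command-and-control in general. The hash construction, the seed string, the TLD list, the label length, the number of domains per day and the sample external value are all assumptions made for this demo.

```python
#!/usr/bin/env python3
"""Date-seeded domain generation, illustrating the scheme described above.

Added example, not Silver Sparrow's code (the thread does not claim Silver
Sparrow has a DGA). Hash scheme, seed, TLDs, label length and count are
assumptions for the demo.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "info")  # assumed
LABEL_LEN = 12                  # assumed


def generate_domains(day, secret="demo-seed", external="", count=3):
    """Derive the rendezvous domains for one calendar day.

    `secret` is baked into the bot. `external` stands in for the
    hard-to-predict daily input the comment mentions (e.g. the previous
    day's index close). Bot and operator both compute the same list; a
    defender who has recovered `secret` from a sample still needs the
    right `external` value to predict tomorrow's domains.
    """
    domains = []
    for i in range(count):
        material = f"{secret}|{day.isoformat()}|{external}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        # Map the first LABEL_LEN digest bytes onto a-z; the last byte picks the TLD.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def defender_watchlist(start, days, secret, external_by_day):
    """Domains a defender would have to register or sinkhole ahead of time.

    `external_by_day` maps each date to that day's external value. A day
    whose value is not yet known yields no prediction, which is exactly
    why operators seed from something unpredictable: the defender cannot
    win the registration race for a day they cannot compute.
    """
    watchlist = {}
    for n in range(days):
        day = start + timedelta(days=n)
        if day in external_by_day:
            watchlist[day] = generate_domains(day, secret, external_by_day[day])
    return watchlist


if __name__ == "__main__":
    today = date(2021, 2, 22)  # date of the thread
    # "12345.67" is a constructed placeholder, not a real index close.
    print("bot, correct external value:", generate_domains(today, external="12345.67"))
    print("defender, guessed one off:  ", generate_domains(today, external="12345.68"))
```

The two printed lists share nothing, which is the point: the C2 domain set changes entirely when either the date or the external input changes, so pre-registering domains is only possible for days whose inputs are already public.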
        
               | mike_d wrote:
                | Stuxnet, for example, didn't really seem to do anything
                | useful. Unless you happened to have a very specific
                | version of industrial control software installed.
               | 
               | No obvious payload is actually the worst kind of malware
               | to deal with, because you have no idea if Matthew in
               | accounting had the specific key on his machine that
               | installed a second stage that you know nothing about and
               | can't detect.
        
           | skybrian wrote:
           | Unless I missed something, it doesn't explain how they entice
           | people into installing the malware?
        
         | harikb wrote:
         | If the only vulnerability that was exploited was an
         | unsuspecting user installing a software they thought was clean,
         | it should just be classified as "30K macs have compromised
         | software installed on them"
        
         | kerng wrote:
         | This definition of virus is actually referred to as worm.
         | 
          | A virus just attaches itself to a host (binary, document,...) to
          | spread, like 30 years ago viruses spread via floppy disk which
          | required a lot of manual doing.
          | 
          | A worm is what actively spreads by itself.
         | 
         | Both viruses or worms (malware so to speak) can be introduced
         | to environments as trojans.
         | 
         | I think when someone says virus these days, including news,
         | they just mean any kind of malware and it seems okay to me.
         | 
         | The important part is to start talking more about malware on
         | macOS, as it seems a blind spot for many organizations.
        
           | sandworm101 wrote:
           | >> to start talking more about malware on macOS
           | 
           | We had this debate in my office today. Imho malware is any
           | software that the user/owner of a system doesn't want
           | running. Others were of the opinion that "malware" doesn't
            | include software for which _someone_, perhaps other than the
           | user, has a legitimate use. So surveillance software isn't
           | malware because it can be installed on a target device
           | legitimately. So too most bloatware, stuff I call malware but
           | many large corporations do not.
        
           | Toutouxc wrote:
           | > talking more about malware on macOS
           | 
           | That's also why it's important to make the distinction
           | between the "naked-cheerleaders.jpg.exe" kind of malware, the
           | "visited a website" or "opened a PDF" kind and finally the
           | "had a machine online" kind. Because AFAIK the second kind of
           | malware is very rare on macOS and the third kind is literally
           | nonexistent. And some people rely on that (including me).
        
             | saurik wrote:
             | So, I appreciate you might consider this separate, but I
             | would for most purposes include the various iMessage
             | exploits in that last category (so: rare, but not unheard
             | of).
        
         | ogre_codes wrote:
         | Terminology descriptions aside (I believe what you are
         | describing is a worm, not a virus), knowing how something
         | spreads is important.
         | 
         | Obsessing over motivations of the developers without providing
         | useful mitigation steps or any kind of even vague description
         | of who is at risk by this is frustrating.
        
         | soheil wrote:
         | So which is it in this case? Is this the really bad kind or the
         | one we shouldn't care about?
        
         | dec0dedab0de wrote:
         | I think technically a virus infects other files, but a worm is
         | it's own file(s) that spread one way or another. A Trojan is
         | just one means of spreading, and can be used by viruses, worms,
          | or other malware. Though there really is no point in being
          | pedantic about the definitions because all the lines have been
          | blurred for decades.
        
       | swiley wrote:
       | Is there an easy way to see if you're infected?
        
         | klaushardt wrote:
         | https://github.com/ronaldstoner/sparrow-detector
        
       | beervirus wrote:
       | What a silly title. It may not have some active payload right
       | now, but that doesn't mean it won't tomorrow. Seems like a
       | reasonable strategy to spread the malware as wide as possible,
       | then push an update to trigger whatever behavior you want. And
       | yes, it does check for updates.
       | 
       | > Every hour, the persistence LaunchAgent tells launchd to
       | execute a shell script that downloads a JSON file to disk,
       | converts it into a plist, and uses its properties to determine
       | further actions.
       | 
       | https://redcanary.com/blog/clipping-silver-sparrows-wings
        
         | 0x008 wrote:
         | > In short, it doesn't do anything. That's not all that
         | reassuring, given that tens of thousands of Macs could have
         | potentially been infected, but based on the findings and
         | investigations of multiple strains, the virus was "positioned
         | to deliver a potentially impactful payload at a moment's
         | notice."
         | 
         | Was the article changed after your comment?
        
         | Wowfunhappy wrote:
         | But no one knows what the payload will do. I thought the title
         | was fine.
        
           | ASalazarMX wrote:
           | A more honest title would have ended with "no one knows what
           | for".
        
           | beervirus wrote:
            | I guess that's right. I was reading the title as "no one knows
            | why they bothered infecting these computers with a virus that
            | doesn't do anything."
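A way to hunt for the persistence pattern beervirus quotes above (a LaunchAgent that periodically runs a shell script which fetches and acts on a downloaded JSON file), as an added example. This is not Red Canary's or Apple's tooling and not code from the thread. The directories scanned, the heuristics (a job whose program lives in /tmp or /private/tmp, a job referencing the indicator file names listed earlier in the thread, plus StartInterval and RunAtLoad reported for context) and the constructed sample plists are assumptions.

```python
#!/usr/bin/env python3
"""Hunt LaunchAgent plists for a periodic job that runs a script from /tmp.

Added example, not Red Canary's or Apple's code. Scanned directories,
heuristics and the constructed sample plists are assumptions.
"""
import os
import plistlib
import tempfile

AGENT_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
]
TEMP_PREFIXES = ("/tmp/", "/private/tmp/")
IOC_NAMES = ("agent.sh", "version.json", "version.plist")  # names quoted in the thread


def assess_agent(plist):
    """Return the reasons a launchd job looks suspicious (empty list = nothing found)."""
    reasons = []
    args = list(plist.get("ProgramArguments") or [])
    if plist.get("Program"):
        args.insert(0, plist["Program"])
    for a in args:
        if not isinstance(a, str):
            continue
        if a.startswith(TEMP_PREFIXES):
            reasons.append(f"executes from temp dir: {a}")
        if any(n in a for n in IOC_NAMES):
            reasons.append(f"references indicator name: {a}")
    # Only add the scheduling context when something else already matched,
    # so ordinary periodic updaters are not flagged on their own.
    if reasons and isinstance(plist.get("StartInterval"), int):
        reasons.append(f"runs every {plist['StartInterval']}s")
    if reasons and plist.get("RunAtLoad"):
        reasons.append("RunAtLoad set")
    return reasons


def scan_launch_agents(dirs=AGENT_DIRS):
    """Return [(path, reasons)] for every plist in `dirs` that trips a heuristic."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as f:
                    plist = plistlib.load(f)
            except Exception as exc:  # a plist launchd cannot parse is itself worth a look
                findings.append((path, [f"unparseable plist: {exc}"]))
                continue
            reasons = assess_agent(plist)
            if reasons:
                findings.append((path, reasons))
    return findings


def demo():
    """Constructed sample: one benign daily updater and one job matching the pattern."""
    d = tempfile.mkdtemp(prefix="agents-demo-")
    benign = {"Label": "com.example.updater",
              "ProgramArguments": ["/usr/local/bin/updater"],
              "StartInterval": 86400}
    sketchy = {"Label": "demo.agent",
               "ProgramArguments": ["/bin/sh", "-c", "/tmp/agent.sh"],
               "StartInterval": 3600, "RunAtLoad": True}
    for fname, content in (("com.example.updater.plist", benign),
                           ("demo.agent.plist", sketchy)):
        with open(os.path.join(d, fname), "wb") as f:
            plistlib.dump(content, f)
    return scan_launch_agents([d])


if __name__ == "__main__":
    for path, reasons in scan_launch_agents() + demo():
        print(path)
        for r in reasons:
            print("   ", r)
```

Running it without arguments scans the real per-user and system LaunchAgents directories and then appends the constructed demo so you can see what a hit looks like. A hit is a lead, not a verdict: confirm by reading the referenced script and checking the indicator files listed earlier in the thread.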
        
       | trollied wrote:
       | Apple has revoked the dev certificates to stop further infection:
       | https://www.macrumors.com/2021/02/22/apple-revokes-silver-sp...
        
         | tamaharbor wrote:
         | So what are they doing about previously infected computers?
        
           | j0hnml wrote:
           | If I had to guess, I'd say they will probably roll out new
           | XProtect signatures [1] soon, assuming they haven't done so
           | already for these samples.
           | 
           | [1] https://support.apple.com/guide/security/protecting-
           | against-...
        
       ___________________________________________________________________
       (page generated 2021-02-22 23:00 UTC)