Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

OS X remote malware strikes Thunderbolt, hops hard drive swaps
The Register ^ | 4 Aug 2015

Posted on 08/03/2015 10:25:23 PM PDT by Swordmaker

click here to read article


Navigation: use the links below to view more comments.
first 1-2021-34 next last

1 posted on 08/03/2015 10:25:23 PM PDT by Swordmaker
[ Post Reply | Private Reply | View Replies]

To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
THUNDERSTRIKE is back with a vengeance. . . in Thunderstrike 2 and this time it is REMOTE! It can come in as a TROJAN and infect your Mac computer PERMANENTLY and all your Thunderbolt devices! This is serious. This actually probably counts as the first serious breach of Apple OS X. It is not a Virus but a very SERIOUS potential TROJAN! So far, THUNDERSTRIKE 2 is merely a proof of concept but it will infect your Mac permanently with no means of removing it. — PING!

THANKS to DayGloRed for the heads up!


Apple SECURITY IMPORTANT
THUNDERSTRIKE 2
Ping!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 08/03/2015 10:35:20 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
The good news is it's presently just a proof-of-concept demo. The bad news is it seems it could become a real exploit.

Definitely one to watch out for.

3 posted on 08/03/2015 10:37:58 PM PDT by dayglored (Meditate for twenty minutes every day, unless you are too busy, in which case meditate for an hour.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: dayglored
The good news is it's presently just a proof-of-concept demo. The bad news is it seems it could become a real exploit.

The best news is that although it's a worm, it still requires a TROJAN to deliver it. . . and Apple still warns all users of all the known trojans. It would take an entirely new family of trojans to deliver it, because OS X will recognize all the current families and their variants.

4 posted on 08/03/2015 10:41:46 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 3 | View Replies]

To: dayglored

And of course, do not download anything except from authorized site. Keep Gatekeeper turned on.


5 posted on 08/03/2015 10:44:47 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 3 | View Replies]

To: Swordmaker

this is bad, right?


6 posted on 08/03/2015 10:53:59 PM PDT by grandpa jones (obama delenda est)
[ Post Reply | Private Reply | To 2 | View Replies]

To: grandpa jones; dayglored
this is bad, right?

In a way, yes. . . however, I just went over the video and the article with a fine-tooth comb and I found this:

"Thunderstrike 2 starts with a local root privilege exploit that can load a kernel module to give it access to raw memory [and] can unlock and rewrite the motherboard boot flash," Hudson says.

They don't tell us right out that the Trojan that's required to invade the original "infection" machine has to be running with ROOT privileges. No normal Mac user ever runs with ROOT priveleges. . . not even an Administrator runs with ROOT privileges. That ROOT user is one level above Administrator. . . and is inactive on a normal Mac. The Administrator can reach ROOT commands by use of the SUDO command (SuperUser DO) for single command lines. Or an Administrator can activate a SuperUser by creating a ROOT account—only one is permitted per machine—by creating a Root user Name and password. Then logging in as that ROOT user.

The likelihood of anyone downloading a TROJAN as a ROOT user are somewhere between zero and nil. . . unless the user is industrial strength stupid and then some.

7 posted on 08/03/2015 11:06:04 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 6 | View Replies]

To: Swordmaker
starts with a local root privilege exploit

Using a root privilege exploit means that the victim is running at normal priveleges. The exploit bumps the software up to the root level. The vcitim is not running at root, as you say, nobody does. But it's not impossible to find exploits to get from normal privileges to root, it just adds one more complication to the attack and one more chance for it to fail...

8 posted on 08/04/2015 3:03:41 AM PDT by palmer (Net "neutrality" = Obama turning the internet into FlixNet)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Swordmaker
Here's an example of a privilege escalation bug:

A bug in the latest version of Apple's OS X gives attackers the ability to obtain unfettered root user privileges, a feat that makes it easier to surreptitiously infect Macs with rootkits and other types of persistent malware.

link: http://arstechnica.com/security/2015/07/bug-in-latest-version-of-os-x-gives-attackers-unfettered-root-privileges/

The privilege-escalation bug, which was reported ...

The article about thunderstrike is a little vague. It doesn't come out and say they used a privilege escalation exploit, but it implies that it does.

9 posted on 08/04/2015 3:11:43 AM PDT by palmer (Net "neutrality" = Obama turning the internet into FlixNet)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Swordmaker

...And I thought that Apple had no worries about viruses at one time.


10 posted on 08/04/2015 3:14:32 AM PDT by Biggirl ("One Lord, one faith, one baptism" - Ephesians 4:5)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

Bookmark


11 posted on 08/04/2015 3:27:45 AM PDT by samtheman (Trump/Cruz '16)
[ Post Reply | Private Reply | To 1 | View Replies]

To: palmer
Using a root privilege exploit means that the victim is running at normal priveleges. The exploit bumps the software up to the root level.

By default, the root user account on OS X is disabled. You would first have to manually enable it and assign a password.

12 posted on 08/04/2015 4:20:22 AM PDT by Flick Lives (One should not attend even the end of the world without a good breakfast. -- Heinlein)
[ Post Reply | Private Reply | To 8 | View Replies]

To: Swordmaker

Ten + years ago, updating a Notion Ink Adam tablet we would causally root our tablet then flash the ROM to allow us to get updates from a web site called Tablet Roms. We were unconcerned about malicious exploits because no one knew of them. How times changed.


13 posted on 08/04/2015 4:23:37 AM PDT by topspinr
[ Post Reply | Private Reply | To 7 | View Replies]

To: Swordmaker

PC too

http://www.pcworld.com/article/2948092/security/hacking-teams-malware-uses-uefi-rootkit-to-survive-os-reinstalls.html


14 posted on 08/04/2015 4:34:49 AM PDT by samtheman (Trump/Cruz '16)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

You need to read the full details of this hack. Any Mac physically connected to a network can be infected without user interaction. Wired has a much more detailed article on this, but can’t be posted on FR due to copyright issues.


15 posted on 08/04/2015 4:44:16 AM PDT by Woodman
[ Post Reply | Private Reply | To 4 | View Replies]

To: Flick Lives

Another more detailed source I read states that this payload can be delivered by physically plugging into a networ, using a USB drive with the payload or an ssd external. It will install without the user having to interact and does not require the user to be root. It is at the hardware level where no checksums are being used, no virus scan is seeing it, and can’t be wiped without reflashing the component.

This was discovered under Windows and them the researchers decided to try MAC because ether use many community hardware components. 3 or 4 out of 5 worked with Mac as well.


16 posted on 08/04/2015 4:53:19 AM PDT by Woodman
[ Post Reply | Private Reply | To 12 | View Replies]

To: Biggirl

That is never what was claimed.....Apple users are less likely to get viruses and worms and malware (etc etc etc) because of the way the system works.


17 posted on 08/04/2015 5:14:20 AM PDT by Nifster
[ Post Reply | Private Reply | To 10 | View Replies]

To: Flick Lives

That’s only relevant if you are interested in logging into root normally. A privilege escalation bug does not login, does not need the account to be enabled and does not need a password assigned. As a simple example, I can escalate my privilege on MacOS using sudo with my root account locked out and no password assigned (sudo requires my own password). Let’s say hypothetical malware able to sudo without querying the TTY for my password. That would an example of a privilege escalation exploit.


18 posted on 08/04/2015 5:44:02 AM PDT by palmer (Net "neutrality" = Obama turning the internet into FlixNet)
[ Post Reply | Private Reply | To 12 | View Replies]

To: Swordmaker
And of course, do not download anything except from authorized site. Keep Gatekeeper turned on.

Also, and though I note the admin/root distinction you mention below, please please, please people, regardless of what OS you run, create separate accounts for admin and daily use. Never do your daily stuff in and admin account - and only provide the admin user/password when prompted if you fully understand what it is you're about to do.

The easiest attack vector under any computer security model is trying to elicit a mistake from a privileged user.

19 posted on 08/04/2015 7:30:46 AM PDT by kevkrom (I'm not an unreasonable man... well, actually, I am. But hear me out anyway.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: kevkrom

There’s rarely any reason to have an admin account on MacOS. In contrast Windows defaults to an admin account although many actions will trigger UAC. The problem is that the more actions trigger UAC, the more accustomed you will be to pressing ok. Mac is not immune, with its sudo action password popup.


20 posted on 08/04/2015 7:46:30 AM PDT by palmer (Net "neutrality" = Obama turning the internet into FlixNet)
[ Post Reply | Private Reply | To 19 | View Replies]


Navigation: use the links below to view more comments.
first 1-2021-34 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson