A newly identified Trojan horse targeting Macs was responsible for the recent hacks into Apple, Facebook, Microsoft, Twitter and other companies, an investigative security news site has discovered.
The Trojan, called Pintsized, got past Mac OS X's built-in Gatekeeper security software through an undisclosed exploit and then disguised itself as a common printing file, The Security Ledger said.
Pintsized was first detected and identified in mid-February by anti-virus software makers. During its successful intrusions into company networks in January, the malware was effectively a "zero-day" exploit, or one unknown to defenders.
It was dropped on Macs by a different zero-day, a Java-based browser exploit embedded in compromised websites frequented by mobile-app developers, as part of a "watering hole" attack.
Broad range of targets
However, The Security Ledger's sources, not all of whom were willing to go on the record, said many websites besides those of interest to app developers were used to distribute malware through the Java exploit.
"The breadth of types of services and entities targeted does not reflect a targeted attack on a single tech or industry sector," Facebook Chief of Security Joe Sullivan told The Security Ledger.
The initial infection stage was able to determine whether the targeted Web browser was running on a PC or a Mac, and chose which malware to deliver accordingly.
Furthermore, not every machine that visited the corrupted websites was infected.
"We're still investigating why only certain users were affected, whether there was a pattern and how many may have been targeted," said Ian Sefferman of iPhoneDevSDK.com, one of the corrupted sites.
Evading the guards
Gatekeeper was trumpeted by Apple as a major security addition to Mac OS X when it was introduced with OS X 10.8 Mountain Lion last July, and was retroactively added to OS X 10.7 Lion with an October software update.
Gatekeeper controls which applications can be installed on Mac OS X; its highest setting allows only applications downloaded directly from the Mac App Store.
However, the default setting also allows applications from other sources, as long as they are digitally signed by a registered Apple developer. The lowest setting allows applications from anywhere.
It's not clear whether Pintsized uses a stolen or forged developer signature to get past Gatekeeper, or if it somehow tweaks Gatekeeper's settings to allow all installations.
What is clear is that Apple's built-in defenses for Mac OS X aren't enough. Mac owners, like their PC counterparts, need to install and run decent third-party anti-virus software to increase their odds against infection.