Reports of Apple’s urgent promises to fix a bug that allows intruders to spy on financial, email, and other personal data in OSX have been in the media since last week. Now researchers have identified the Pony Trojan, which, as coincidence would have it, is known to have spied on financial, email and other personal data via web forms. In the process, Pony heisted more than 700,000 online account credentials, as well as stealing $220,000 from online cryptocoin wallets.
Notice: the vulnerability applies to online wallets, not to PC- and phone-based client wallets. CCN has a link to Trustwave's Wallet Checker at the bottom of this article.
While the exact attack vector is not yet known, it is plausible that the specific target of Pony may have been the same vulnerability currently being patched by Apple.
Pony and CoinThief – same trojan?
On February 9th, SecureMac published details of a trojan, dubbed OSX/CoinThief. The trojan infiltrated OS X via compromised versions of Bitcoin Ticker TTM and Litecoin Ticker. According to SecureMac, the trojan disguises its subversive activity as follows:
…the malware program unpacks and installs its payload (the background process and web browser plugins), then moves the correct app binary for Bitcoin Ticker TTM/Litecoin Ticker back into place, and removes the LSUIElement entry from the app’s Info.plist file. It then launches the original Bitcoin Ticker TTM/Litecoin Ticker app, which is now back in the correct path for the app bundle, and the user is none the wiser that a piece of malware just installed itself on their system.
The OSX/CoinThief method of installing as a browser plugin and then sending user-typed login credentials back to a central server fits the profile of the Pony Trojan very closely. McAfee has determined that Pony operated by logging keystrokes and delivering its harvested payload of login credentials to a botnet:
Using a system of compromised computers, hackers were able to capture login credentials for a variety of accounts from social networking sites such as Facebook, Twitter, and LinkedIn, email providers Google and Yahoo, and payroll provider ADP.
The SSL/TLS encryption bug currently being patched by Apple essentially allows OS X and iOS users' data to be compromised in transit between the browser and certain websites.
ArsTechnica details the specifics of the bug as follows:
The flaw, according to researchers, causes most iOS and Mac applications to skip a crucial verification check that’s supposed to happen when many transport layer security (TLS) and secure sockets layer (SSL) connections are being negotiated. Specifically, affected apps fail to check that the ephemeral public key presented by servers offering Diffie Hellman-supported encryption is actually signed by the site’s private key. Attackers with the ability to monitor the connection between the end-user and the server can exploit this failure to completely decrypt and manipulate the traffic by presenting the app with a counterfeit key.
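To illustrate the verification step the quoted passage says affected clients skip, here is an added Python model (not code from the article, from Apple, or from any of the cited researchers) of checking a ServerKeyExchange message. It uses an HMAC as a stand-in for the certificate-based signature, with constructed nonces and parameters, and contrasts a client that verifies the ephemeral key with one whose verification step is never reached.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed stand-in: in TLS the ServerKeyExchange message is signed with the
# private key behind the server's certificate and verified with its public key.
# Here an HMAC over the same transcript plays that role; the control-flow lesson
# is unchanged.
GENUINE_SERVER_KEY = b"constructed-genuine-server-key"  # held only by the real server
TRUSTED_VERIFY_KEY = GENUINE_SERVER_KEY                 # the client's trust anchor


@dataclass
class ServerKeyExchange:
    client_random: bytes
    server_random: bytes
    dh_params: bytes   # group parameters plus the ephemeral public value
    signature: bytes   # covers the three fields above


def _transcript(client_random: bytes, server_random: bytes, dh_params: bytes) -> bytes:
    # Both nonces are bound into the signed data so a signature cannot be replayed.
    return hashlib.sha256(client_random + server_random + dh_params).digest()


def sign_key_exchange(client_random, server_random, dh_params, signing_key):
    tag = hmac.new(signing_key, _transcript(client_random, server_random, dh_params),
                   hashlib.sha256).digest()
    return ServerKeyExchange(client_random, server_random, dh_params, tag)


def verify_correct(msg: ServerKeyExchange, verify_key: bytes) -> bool:
    # The check a client must pass before using msg.dh_params for key agreement.
    expected = hmac.new(verify_key, _transcript(msg.client_random, msg.server_random,
                        msg.dh_params), hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg.signature)


def verify_skipped(msg: ServerKeyExchange, verify_key: bytes) -> bool:
    # Models the flaw described above: control flow never reaches the signature
    # check, so the handshake continues with whatever ephemeral key arrived.
    return True


def client_accepts(verify, interposed: bool) -> bool:
    """One handshake; with interposed=True an on-path party swaps in its own
    ephemeral parameters while leaving the genuine signature bytes in place."""
    client_random, server_random = b"c" * 32, b"s" * 32   # constructed nonces
    msg = sign_key_exchange(client_random, server_random, b"genuine-dh-params",
                            GENUINE_SERVER_KEY)
    if interposed:
        msg = ServerKeyExchange(client_random, server_random, b"substituted-dh-params",
                                msg.signature)
    return verify(msg, TRUSTED_VERIFY_KEY)
```

A correct client rejects the substituted parameters because the signature no longer matches the transcript; the client that skips the check accepts them, which is exactly the condition that lets a network-level observer read and alter the session.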
SecureMac reports that “variants of OSX/CoinThief are being actively distributed through CNET’s Download.com”, and they go on to say that “The two variants seen by SecureMac share the same name and developer information as two apps found in Apple’s Mac App Store”. Additional sources of the malware were, until recently, available via MacUpdate.com, says SecureMac:
The same apps were being distributed on MacUpdate.com, also since early December, but the download links are currently not working since they point at the inactive OSX/CoinThief server. According to the MacUpdate download stats, the malware was downloaded 365 times.
The fact that we have two different trojans, going by two different names (CoinThief and Pony), but having the same method, indicates that perhaps they are, in fact, the same beast.
Apple providing security fixes for an SSL/TLS vulnerability at the same time as this trojan's ability to spoof Apple Store validation has been discovered implies that the CoinThief/Pony trojan specifically targeted the SSL/TLS vulnerability in iOS and OS X: firstly, to pass itself off as an officially sanctioned application on download sites and, secondly, to install a browser plugin to further exploit those encryption vulnerabilities and harvest usernames and passwords in the process.
Link to Trustwave Wallet Checker at the bottom of this article.
While the implied link has not been confirmed via official sources, CCN will keep readers up to date with this story and its implications for Apple's operating systems.