Posts Tagged

Apple’s pretty famous for being difficult to write viruses for. Essentially, for something to get into an Apple device, it has to be so small and so powerless that it’s worthless as a virus. Apple takes pride in this. It’s very rare for a virus to infect so many devices before Apple notices and puts a stop to it!

What Happened?

A virus dubbed “Silver Sparrow” by tech company Red Canary snuck onto devices via “update” download requests. Essentially, it tricked victims into believing that they couldn’t view certain content without updating their flash player. The ad helpfully provided the download so they could update right then and there. This was not a flash update – it was a .pkg file masquerading as one! This is a common trick, but it’s not the only way these ‘updates’ end up on machines. If a box pops up asking you for permission to download something even though you didn’t click anything requesting an update, don’t allow it. Legitimate programs will never do that!

Red Canary also notes that ads and malicious search results may have had a hand in the virus’s extreme reach – unsecured websites can carry viruses in images and ads, so if a hacker figures out a site will host ads for anybody, they can use that as a launch gate.

Besides “how”, Silver Sparrow right now is non-specific malware, an activity cluster. This just means that a set of files contain the code to carry out the attack, but they don’t fall neatly into one category over others. Identification only goes as far as “not adware” right now, but this may change as more is learned about the virus!

Reason to Fear?

It doesn’t actually look like the new virus did anything. Yet. Unfortunately, viruses like these are usually used to set up a wide-scale attack at a later date. The goal is to infect as many computers as possible without firms like Red Canary noticing, and then kill or encrypt the infected all at once. They don’t yet know exactly if this is what Silver Sparrow was going to do, but it certainly seems a little odd that this incredibly quiet virus was installing itself in places just to sit there indefinitely.

Alternatively, this could have been a sort of ‘test run’. Whoever made Silver Sparrow included a self-destruct that should have triggered by itself. It’s possible the creators were looking to gather some numbers before actually launching a more dangerous malware that could deliver a payload. Red Canary currently has an estimate of just under 30,000 Apple devices infected, but the number may grow as new infection indicators are discovered. After all, something with a self-destruct will occasionally manage to get it right!

Once Apple was alerted of the problem, they revoked the certificates Silver Sparrow had been using illegitimately and began developing an action plan to keep viruses like this one out in the future. Revoking those certificates should be enough to keep Silver Sparrow from infecting more devices. Red Canary currently recommends a solid anti-malware tool on top of what Apple’s OS already has to prevent copycat viruses, and boost security.

The virus is still pretty scary, even though it didn’t do much more than sit quietly. It’s compatibility with the M1 chip, evading the Apple MRT, and it’s high infection rate are all reasons to keep an ear to the ground if you’re a Mac owner.

Define “High-Stealth”

The virus had a self-destruct function built in, but it seems like it didn’t actually get to activate it in a lot of cases. The virus was supposed to come into contact with a different part of the library that would contain the code it was looking for to trigger the self-destruct. It’s possible the thing was hiding a little too well, to its own detriment.

Notably, it runs on the M1 chip, something malware’s not supposed to be able to do. That may have contributed to how difficult it was to identify. The chip itself is pretty young, and researchers have determined that the virus may have begun infecting devices as early as three years ago, meaning Silver Sparrow is part of a very exclusive club right now.

No activity that triggered the built in antivirus + self-destruct + small size = high stealth!

What Is MRT?

An MRT, or Malware Removal Tool, is designed to remove threats to the computer in the background without the user noticing. This can create problems with CPU usage, and it means there’s less flexibility in downloading files than Windows gives, but the security the tool gives consumers is worth it. Especially for folks who don’t know computers all that well, and may not understand how to browse the web safely. The MRT has a library of known viruses, and combines that knowledge with programming designed to combat new and unknown ones.

As said before, Apple’s pretty difficult to write viruses for. The MRT certainly contributes, but the OS itself boosts this difficulty to a point that hackers and cyber criminals don’t even try. It’s not impossible, but malware is custom-fitted for Macs. Windows viruses are just easier to make, and there’s more Windows devices than Macs, especially in the business world.

Don’t Click Random Ads – And Don’t Download Things

It’s unfortunate, but if a website’s not supporting ads from a large, trusted vendor like Google, they likely can’t vet every ad they sell space to. Anti-virus should help protect devices against ad intrusions, but what about everything else?

For other issues, like clicking links, the unfortunate answer is that it comes down to ‘street smarts’. It’s something employees and regular computer users need some training on. What looks suspicious to one user may not seem suspicious at all to another! Free-to-play games, for instance, might trick a child, while “recipe.exe” sent forward from chainmail might catch an older adult who doesn’t know what different file extensions mean.

What you can do if you’re struggling to separate good links from bad is listen to your device and carefully review the download. Is it what it says it should be (i.e recipe.pdf instead of recipe.exe)? Does the publisher’s credentials match the site you got it from? And does your computer throw a fit when you try to download it? Or warn you that the file may be from an unverified third party?

When in doubt, you can always Google the alert you’re getting – and err on the side of caution!

Sources:

https://www.sentinelone.com/blog/apples-malware-removal-mrt-tool-update

https://www.businessinsider.in/tech/news/over-30000-apple-macs-have-been-infected-with-a-high-stealth-malware-and-the-company-has-no-idea-why/articleshow/81145708.cms

https://www.cnn.com/2021/02/21/tech/mac-mysterious-malware/index.html

https://www.cnn.com/2020/11/10/tech/apple-silicon-chips-mac/index.html

https://redcanary.com/blog/clipping-silver-sparrows-wings

How To Avoid it in the First Place

There are a few key tips that give away phishing scams. Firstly, is there a sense of urgency? Your utility companies aren’t going to call and say they’ll shut off your water without at least a few mailed reminders that your bill is due! The same goes for your bank. If they demand that you resolve a problem right then, right there, out of the blue, it’s probably a phishing scam (if you’re nervous it’s not a scam, call the alleged company using their number off of their real website). This goes for both phone and email phishers.

 If it’s an email or a text, ask yourself if you were expecting an email or a text from that company. If you get a Fedex text update that you didn’t sign up for, it might be a phishing scam. If you got a notification from Walgreens that your photos have finished printing, and you didn’t print any photos, it might be a phishing scam. They want you to click or tap the links they include to see what’s going on. Spelling errors are also a common tell – it’s not impossible for a company to make spelling errors in their communications with you, but they won’t be littering the page with them! Phishing scams do that to weed out people who know better so they won’t waste time on targets that won’t crack. Note that not every phishing scam comes with typos, even though they are common.

You should also check the sender of the email! Spoofing is a technique that attaches a real name that you might know to an email address or phone number that definitely doesn’t belong to them. Anyone can set their name to George Smith or Big Company Customer Service in Gmail, but they can’t change the email address they’re sending from. If it’s [email protected] and not [email protected], for example, it’s probably a phishing scam.

The same goes for caller ID, although it’s getting harder and harder to tell real calls from fake ones – scammers can set their name to something like “Hospital” or “School” to make it more likely you’ll pick up. Some more sophisticated operations can even make it look like they’re calling from a different number altogether, using VOIP technology to match the area code of the caller to the person being called. Just like in the urgency tip, you should be able to call a legitimate company or organization like a school back from the number they have on their website, or the number you know to reach them at. If they’re really resistant to you hanging up and calling back for reasons that don’t make sense, it might be phishing. Unfortunately, some scam calls are really tough to pick up on, and the FCC can’t do much to stop them if they’re not in the US. Many people today don’t answer their phone unless they were explicitly expecting a call as a result, and phone companies themselves sometimes offer up call and text screening.

How to Better Protect Your Accounts

Luckily, there are a few tips that can make your information safer in the face of trickier scams! Firstly, don’t re-use passwords. If a password you were using for multiple accounts gets stolen, then multiple accounts are at risk, not just one. We recommend a password manager like BitWarden – it makes it much easier to store and create unique, strong passwords for every site!

Secondly, you’ll be better protected if you use two-factor authentication on every website that has the option to. If you do fall for a phishing scam, the scammer won’t have the code necessary to get in! Of course, some scams are sophisticated enough to think of that beforehand: Craigslist, for example, had a bad rash of scammers a while back who would “text a code” to a seller “to make sure they were a real person”. The seller then gives them the code, and the scammer now has a Google Voice number with the seller’s phone number as the verified number behind it! They just social-engineered their way into bypassing 2FA. This is why you should never give out verification codes – especially if you didn’t request them. Instead, it might be time to reset the password of the account that verification email came from. Just don’t click any links in those verification emails, either: go straight to the home page of the site instead to log in. The verification email might be a phishing attempt all by itself, hoping you’ll click a fake link to the website!

A browser cookie is a little snippet of data that the browser stores while the user is browsing. Websites use cookies for their ‘remember me’ functions, for example – if you tick the box under your log in and ask the website to remember you, it will, using a cookie.

The same goes for online shopping – when you’re logged in, the website remembers what you have in your cart by saving that information elsewhere. However, even when you’re not logged in, the page remembers what you’ve added to the cart, sometimes (depending on your browser and the website’s settings) even after you’ve left the page, closed the browser, and shut down the computer. Coming back a day later, the website will still have those items in your cart even though you’re still not logged in. That’s the convenience of a cookie!

It may not be immediately apparent, but this actually has quite a few security implications.

The Good

Websites use cookies to figure out if they should show you certain pages. If you’ve logged out in one tab, switch to another, and keep trying to shop, the website will put a hold on things before checkout (as long as checkout’s a separate page. It is on most websites).

The Bad

The downside to having cookies that keep you logged in is that if someone else gets their hands on your device, they can access everything that the browser has stored password cookies for. Example: You don’t log out of Facebook, but you close the browser. You let a friend use your computer to look something up real quick, but they notice Facebook pops up in the web bar. Suddenly they have access to your Facebook.

Or, logging in to Amazon on a friend’s device to order something, and then leaving without logging out, makes it possible for that friend to buy something on your account completely accidentally!!

Additionally, cookies can be ‘read’ by hackers and public WiFi providers like Starbucks or McDonald’s, but that security issue isn’t exclusive to cookies.  Tracking cookies and other such shenanigans are usually used for advertising purposes, but that can be a security concern too, if privacy is a part of your security considerations.

These aren’t all the security risks of cookies, but they’re the most obvious, and the most likely to trip up a user.

Mixed Considerations

Cookies have more functions than simply recording logins. Some can take your device’s diagnostic data, some can recall settings you set the last time you visited a webpage, and some can track you. Tracking cookies are exactly what they sound like: cookies that track you as you travel along the web. These cookies can be used to form a long-term record of a user’s browsing history, which is obviously a concern – most people would be creeped out by someone following them through the mall, watching what stores they go into and what items they come out with. The same goes for cookies. Why does CarMods.com want to see what I’m buying for my tropical fish?

Any website that has something to gain from knowing what websites you visit, your potential interests, what kind of recipes you save, what kind of sports you watch or political sites you follow – they can use that to sell you something, and that something can be ideas.

Blocking Them

Cookies aren’t an enemy, and many just set out to make your life easier.

However, if you’re interested in keeping cookies from following you, for good or for bad, there are many options on the market. Some browser extensions like adblockers will also block cookies, and there are many third-party extensions built exclusively to keep websites from tracking the end user (you should always research the company you’re downloading from beforehand). Simply browsing in incognito mode or regularly erasing cookies along with your browsing history don’t require you to touch anything third-party if you don’t want to, as well!