
Welcome to IWETHEY!

Most likely unrelated, but you did say "new".
A previously undetected piece of malware found on almost 30,000 Macs worldwide is generating intrigue in security circles, and security researchers are still trying to understand precisely what it does and what purpose its self-destruct capability serves.

Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute. So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.

Also curious, the malware comes with a mechanism to completely remove itself, a capability that’s typically reserved for high-stealth operations. So far, though, there are no signs the self-destruct feature has been used, raising the question of why the mechanism exists.

Besides those questions, the malware is notable for a version that runs natively on the M1 chip that Apple introduced in November, making it only the second known piece of macOS malware to do so. The malicious binary is more mysterious still because it uses the macOS Installer JavaScript API to execute commands. That makes it hard to analyze installation package contents or the way that package uses the JavaScript commands.

The malware has been found in 153 countries with detections concentrated in the US, UK, Canada, France, and Germany. Its use of Amazon Web Services and the Akamai content delivery network ensures the command infrastructure works reliably and also makes blocking the servers harder. Researchers from Red Canary, the security firm that discovered the malware, are calling the malware Silver Sparrow.


It's mourning in America again.
Saw that, but…
Ashton is actually convinced—on what does not appear to me compelling evidence—that the bad guys compromised his machine via a used iPhone beginning five years ago.

I made a house call to A’s rustic cottage in the wine country over the weekend in hopes of resolving his real or fancied security issues. I came away persuaded, if not certain, that his concerns are largely misplaced; he in turn was genially unconvinced by my assurances. I was, I think, able to demonstrate that at least some of the symptoms he believed to be evidence of hacking were no such thing, and stemmed from misconceptions about the Mac UI, and particularly about the way the “Dock” works, in one instance invoking on my own unconnected MBP a piece of visual feedback he’d considered damning evidence of outside interference.

There were other issues. His password recording hygiene (my own is not flawless) could be better. It took us a few attempts, where successful, to go places we needed to go. In other instances, we came a-cropper. His supposed iCloud password, revealed in Keychain Access, was a string of gibberish, and not the familiar characters he recalled. The string of gibberish, carefully entered (on the new machine, using my phone as a WiFi hot spot), was not recognized. Easy-peasy: enter the phone number associated with this account and Apple will help you reset the password via that device. Er, the phone was believed compromised, as mentioned above, and so the service was cancelled. Got a sort of Gordian knot thing going here.

Ashton believes that he is being hacked via AirDrop. Research suggests that AirDrop has an effective range of about ten meters, so unless the one neighbor within that distance is the author of his grief, this seems as implausible as his earlier Bluetooth model. He also asserted that the new iMac had also been infected, and that a dodgy icon for “GoToAssist”* (which I was able to remove from the old unit) had appeared in its dock. It was not there when we turned on the machine; nor could I find any evidence that the software had ever been in residence.

I append here a snippet from the Terminal app that, saith A, appeared unbidden on his screen the other day, although it appears to be a record from a month ago. It alarmed him deeply, and he takes it to mean that the baddies have been changing his passwords (I saw no evidence of this in Keychain Access). I’ve screenshotted and redacted it:


I see another house call in my future, because we’d left some issues unresolved, including the cabling configuration for his television/internet setup, by the time Lina, her errands in nearby Sonoma discharged, arrived to retrieve me. I’m particularly keen to determine which of the two “xfinity” wireless networks detectable from the premises is his: my money is on the unsecured one.


*My understanding of this tech is, to put it mildly, imperfect, but if some external bad actor were actually fucking with A, GoToAssist, which some techie apparently installed on a consultation years ago, would seem a likelier channel than some of his other candidates.
Bummer.
It's good of you to try to help. Here's hoping it gets resolved soon. Ashton must be quite stressed about it. :-(

(I'm not seeing your avatar picture nor the "terminal" image in your post - just broken link graphics. I don't think drook's avatar picture shows up either.)

Images
Odd…they show up from here. Try the link:


OT: broken images
That is happening because the forum pages are now https and most modern browsers now won't show embedded images that are http.

Ah. Thanks.
     FFS Ashton - (rcareaga) - (21)
         buy a $9 crap usb keyboard problem solved -NT - (boxley)
         There's insufficient brains on the keyboard to do it - (pwhysall)
         Process IDs - (scoenye) - (12)
             I’ll pass this on to him - (rcareaga) - (11)
                 This reminds me of - (crazy) - (9)
                     Yes and no - (drook) - (1)
                         No idea. 20 plus years ago -NT - (crazy)
                     Similarly, ... - (Another Scott) - (6)
                         very normal -NT - (boxley) - (2)
                             Yeah. - (Another Scott)
                             Yeah we both reacted like that - (crazy)
                         It's almost as if... - (pwhysall) - (2)
                             That goes under the heading of : holy s*** - (crazy)
                             Yah. NetBIOS has a reputation for being very chatty. -NT - (static)
                 End users should never look at system log files - (pwhysall)
         Most likely unrelated, but you did say "new". - (mmoffitt) - (5)
             Saw that, but… - (rcareaga) - (4)
                 Bummer. - (Another Scott) - (3)
                     Images - (rcareaga)
                     OT: broken images - (static) - (1)
                         Ah. Thanks. -NT - (Another Scott)
