Puoi sapere se il tuo computer Mac è infestato da malware proveniente dalla CIA?

1

Il 23 marzo 2017, notizie di la CIA che probabilmente ha infestato computer Mac con malware è stata rilasciata da WikiLeaks .

"DarkSeaSkies" is "an implant that persists in the EFI firmware of an Apple MacBook Air computer" and consists of "DarkMatter", "SeaPea" and "NightSkies", respectively EFI, kernel-space and user-space implants.

Documents on the "Triton" MacOSX malware, its infector "Dark Mallet" and its EFI-persistent version "DerStake" are also included in this release. While the DerStake1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.

Sebbene queste infezioni colpiscano sicuramente pochissime persone, c'è ancora poca documentazione in merito a questo malware, ma mi chiedo se c'è un modo per ispezionare e diagnosticare questo malware (sia con software di ricerca del malware "normale" o attraverso Attività Monitor, Terminale, ecc.)

    
posta MicroMachine 23.03.2017 - 23:49
fonte

1 risposta

1

Kaspery Lab ha pubblicato alcune regole Yara per malware specifici.

rule apt_equation_exploitlib_mutexes { meta:
copyright = “Kaspersky Lab”
description = “Rule to detect Equation group's Exploitation library” version = “1.0”
last_modi ed = “2015-02-16”
reference = “https://securelist.com/blog/”
strings:
$mz=“MZ”
$a1=“prkMtx” wide $a2=“cnFormSyncExFBC” wide $a3=“cnFormVoidFBC” wide $a4=“cnFormSyncExFBC” $a5=“cnFormVoidFBC”
condition:
(($mz at 0) and any of ($a*)) }


rule apt_equation_doublefantasy_genericresource { meta:
copyright = “Kaspersky Lab”
description = “Rule to detect DoubleFantasy encoded con g” version = “1.0”
last_modi ed = “2015-02-16”
reference = “https://securelist.com/blog/”
strings:
$mz=“MZ”
$a1={06 00 42 00 49 00 4E 00 52 00 45 00 53 00} $a2=“yyyyyyyyyyyyyyyy”
$a3=“002”
condition:
(($mz at 0) and all of ($a*)) and  lesize < 500000 }


rule apt_equation_equationlaser_runtimeclasses { meta:
copyright = “Kaspersky Lab”
description = “Rule to detect the EquationLaser malware” version = “1.0”
last_modi ed = “2015-02-16”
reference = “https://securelist.com/blog/”
strings: $a1=“?a73957838_2@@YAXXZ” $a2=“?a84884@@YAXXZ” $a3=“?b823838_9839@@YAXXZ” $a4=“?e747383_94@@YAXXZ” $a5=“?e83834@@YAXXZ” $a6=“?e929348_827@@YAXXZ”
condition: any of them
}

rule apt_equation_cryptotable { meta:
copyright = “Kaspersky Lab”
description = “Rule to detect the crypto library used in Equation group malware”
version = “1.0”
last_modi ed = “2015-02-16”
reference = “https://securelist.com/blog/”
strings:
$a={37 DF E8 B6 C7 9C 0B AE 91 EF F0 3B 90 C6 80 85 5D 19 4B 45 44 12 3C E2 0D 5C 1C 7B C4 FF D6 05 17 14 4F 03 74 1E 41 DA 8F 7D DE 7E 99 F1 35 AC B8 46 93 CE 23 82 07 EB 2B D4 72 71 40 F3 B0 F7 78 D7 4C D1 55 1A 39 83 18 FA E1 9A 56 B1 96 AB A6 30 C5 5F BE 0C 50 C1}
condition: $a
}
    
risposta data 24.03.2017 - 01:09
fonte

Leggi altre domande sui tag