ALERT: Fruitfly/Quimitchin malware for Mac in the Wild


Mac users, particularly in academia and the biomedical field: be aware of the Fruitfly/Quimitchin malware. It includes a keystroke logger, accesses your camera, frequently takes screenshots of your desktop which are then uploaded, and more. What to do:

  1. Learn about Quimitchin malware at https://www.darkreading.com/partner-perspectives/malwarebytes/meet-fruitfly–mac-malware-targeting-biomedical-research-centers/a/d-id/1327953
  2. Put a sticker over your camera when not in use. I am a member of the EFF and put one of their stickers over my camera.
  3. Install an antivirus such as Avira Antivirus for Mac (only from the official site or the App Store). If you can afford it, support them by buying their products.
  4. Install Malwarebytes (whose researchers wrote up Fruitfly in the article above) or a similar anti-malware program (only from the official site or the App Store).
  5. Use different passwords on different sites. Variations on a passphrase like “Smoking Chair Hat5!” are far better than “zds9bhy4@”. It’s just statistics: you won’t use the second one because you can’t remember it. Just change the first one a bit for each site. Password crackers can’t “partially” crack a password; a guess is either exactly right or it is wrong. Bear in mind, though, that cracking tools apply mangling rules to a known base password, so if one site leaks yours, the per-site change needs to be more than a single character (a password manager, which lets every site have a genuinely unique password, is better still). Plus rainbow tables are in use anyway against unsalted hashes, which is one more reason to favour length over a handful of odd characters.
    1. Remember, if a keystroke logger is installed, how complex your password is becomes irrelevant. Therefore clean the computer first. Don’t think Macs or Linux can’t be infected: they can and frequently ARE.
  6. Use common sense and DON’T CLICK THAT LINK IN YOUR EMAIL.

Stay alert folks. Because they really are out to get you. That’s not paranoia, it’s just reality unfortunately.


don’t use .local as an internal TLD

As this VMware security advisory reminds us, register a real domain under a valid top-level domain and use it for your internal DNS name resolution. Otherwise a TLD that does not exist today can be delegated tomorrow, at which point your internal names also resolve on the public Internet, which opens the door to MITM or DNS poisoning attacks. Examples to definitely not use are .dev (now a delegated gTLD) and .local (reserved for multicast DNS by RFC 6762), which directly contradicts years of received best practice. .localhost still seems to be OK.

Via https://isc.sans.edu/ which links to https://isc.sans.edu/forums/diary/Stop+Using+internal+Top+Level+Domain+Names/21095/ . Note the VMware advisory isn’t technically a zero-day, but it was released today, May 25 2016, if you are unsure of the relevance and ongoing threat.

So what is the best practice for internal DNS naming? Reasonably I suspect .priv, .localhost and .local may be safe for a while, but they are not best practice. From Wikipedia:

https://en.wikipedia.org/wiki/.local

We recommend that you register DNS names for the top-most internal and external DNS namespaces with an Internet registrar.

Major takeaway: subscribe to, or at least regularly check, the Internet Storm Center’s site. https://isc.sans.edu/

Lastly, note the anemic list of reserved TLDs from RFC 2606 (https://tools.ietf.org/html/rfc2606):

  * .test
  * .example
  * .invalid
  * .localhost

(RFC 6761 has since formalized a registry of special-use domain names, and RFC 6762 added .local to it for multicast DNS, which is exactly why .local is a poor choice for an ordinary unicast internal zone.)

Note that none of those makes sense to an experienced devops engineer or to a client, so you would have to map them to a valid TLD regardless; a client can’t grok that .test will be remapped to .com at go-live. Just one more thing about the Internet that is broken, IMHO.
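As an added check (example code, not from the original post, the SANS diary or the VMware advisory): the script below audits the zones declared in a BIND named.conf against the three categories discussed above, namely RFC 2606 reserved names, .local (mDNS) and TLDs already delegated in the root zone, and treats only zones at or under a domain you have actually registered as safe. The named.conf fragment, the owned-domain set and the TLD subset are all constructed for the example; in practice, refresh the delegated list from the IANA root zone database, because new gTLDs appearing is the whole problem.

```python
import re

# Constructed subset of TLDs delegated in the IANA root zone (real list:
# https://www.iana.org/domains/root/db). .dev, .app and .zip were all
# delegated in the 2014-2015 gTLD rounds; anything built on them internally
# now collides with public names.
DELEGATED_TLDS = {"com", "net", "org", "dev", "app", "cloud", "zip"}

# RFC 2606 names: guaranteed never to be delegated, but meant for testing
# and documentation, not for a production internal namespace.
RFC2606_RESERVED = {"test", "example", "invalid", "localhost"}

# RFC 6762 reserves .local for multicast DNS; a unicast zone there fights
# with every mDNS-aware client on the network.
MDNS_RESERVED = {"local"}

ZONE_RE = re.compile(r'zone\s+"([^"]*)"', re.IGNORECASE)

# Constructed named.conf fragment; the zone names are illustrative only.
SAMPLE_NAMED_CONF = """
zone "." { type hint; file "named.ca"; };
zone "corp.local" { type master; file "corp.local.zone"; };
zone "build.dev" { type master; file "build.dev.zone"; };
zone "lab.test" { type master; file "lab.test.zone"; };
zone "internal.example.com" { type master; file "internal.zone"; };
zone "hq.priv" { type master; file "hq.priv.zone"; };
"""


def zones_from_named_conf(text):
    """Return the zone names declared in named.conf text, lower-cased, no trailing dot."""
    return [z.rstrip(".").lower() for z in ZONE_RE.findall(text)]


def classify_zone(zone, owned_domains):
    """Return (verdict, reason) for one internal zone name.

    owned_domains is the set of registered domains the organisation controls
    (hypothetical input); anything at or below one of them is safe regardless
    of what happens in the root zone, so it is checked first.
    """
    zone = zone.rstrip(".").lower()
    for owned in (d.rstrip(".").lower() for d in owned_domains):
        if zone == owned or zone.endswith("." + owned):
            return ("ok", "under registered domain " + owned)
    tld = zone.rsplit(".", 1)[-1]
    if tld in MDNS_RESERVED:
        return ("bad", ".local is reserved for mDNS (RFC 6762)")
    if tld in RFC2606_RESERVED:
        return ("warn", "." + tld + " is RFC 2606 reserved: fine for tests, not for production")
    if tld in DELEGATED_TLDS:
        return ("bad", "." + tld + " is a delegated public TLD you do not own")
    return ("warn", "." + tld + " is not delegated today, but nothing stops a future delegation")


def audit(named_conf_text, owned_domains):
    """Map every non-root zone in the config to its (verdict, reason)."""
    report = {}
    for zone in zones_from_named_conf(named_conf_text):
        if not zone:  # the root hints zone "." is not an internal namespace
            continue
        report[zone] = classify_zone(zone, owned_domains)
    return report


if __name__ == "__main__":
    for zone, (verdict, reason) in audit(SAMPLE_NAMED_CONF, {"example.com"}).items():
        print(f"{verdict:4} {zone:24} {reason}")
```

Run against the constructed config with example.com as the one registered domain, corp.local and build.dev come out as bad, lab.test and hq.priv as warnings (reserved for testing, and undelegated-for-now, respectively), and only internal.example.com as ok. The "warn" on an undelegated suffix like .priv is the point of the post: it works today, and there is no guarantee it keeps working.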