A few days ago Lysa Myers reported for Intego on a new variant of the family of activist-targeting malicious programs that Intego calls OSX/Tibet (this variant is named OSX/Tibet.D). Following a conversation with Graham Cluley, who made some useful further observations in his own blog, I was reminded that Lysa put together a nice blog post a while back on how malware naming works. Unfortunately, it won’t enable you to make sense of all the variations used by every security company, but it might at least give you some idea of why it’s such a mess.
In fact, I find the whole thing so annoying I’ve devoted a couple of conference papers to the topic in the past:
- The Game of the Name: Malware Naming, Shape Shifters and Sympathetic Magic
- A Dose By Any Other Name (with Pierre-Marc Bureau, my colleague at ESET Canada)
Oh, you wanted to know about the malware? Lysa’s article goes into plenty of detail. 🙂 And I suspect that Apple will slipstream detection for it into XProtect sooner rather than later. In any case, its actual spread is almost certainly as light as you’d expect from targeted malware. It seems to have crossed the AV radar because of a sample sent to VirusTotal, not as a result of user reports.
By the way, Lysa and I are co-presenting a paper at Virus Bulletin next month on the complicated issue of Mac testing. Yes, the two topics guaranteed to get me into trouble: Apple security and AV product testing. 😉
Come and say hello, if you happen to be there.
David Harley
Small Blue-Green World
ESET Senior Research Fellow
ESET seems to have ignored this variant… already detected by another signature?
By: Jack Williamson on September 15, 2013 at 04:27
As of a VT report of 12th September, the sample reported by Intego was detected by ESET products as a probable variant of OSX/Lamadai.B. I don’t know if there’s been a more specific detection since the sample was shared: I don’t work in the lab.
By: David Harley on September 15, 2013 at 08:57