Posted by: David Harley | September 13, 2013

Tibet still a target

A few days ago Lysa Myers reported for Intego on a new variant of the family of activist-targeting malicious programs that Intego calls OSX/Tibet (this is called OSX/Tibet.D). Following a conversation with Graham Cluley, who made some useful further observations in his own blog, I was reminded that Lysa put together a nice blog a while back on how malware naming works. Unfortunately, it won’t enable you to make sense of all the variations used by every security company, but it might at least give you some idea of why it’s such a mess.

In fact, I find the whole thing so annoying I’ve devoted a couple of conference papers to the topic in the past:

Oh, you wanted to know about the malware? Lysa’s article goes into plenty of detail. 🙂 And I suspect that Apple will slipstream detection for it into XProtect sooner rather than later. In any case, its actual spread is almost certainly as light as you’d expect from targeted malware. It seems to have crossed the AV radar because of a sample sent to VirusTotal, not as a result of user reports.

By the way, Lysa and I are co-presenting a paper at Virus Bulletin next month on the complicated issue of Mac testing. Yes, the two topics guaranteed to get me into trouble: Apple security and AV product testing. 😉

Come and say hello, if you happen to be there.

David Harley
Small Blue-Green World
ESET Senior Research Fellow


  1. ESET seems to have ignored this variant….already detected by another signature????

    • As of a VT report of 12th September, the sample reported by Intego was detected by ESET products as a probable variant of OSX/Lamadai.B. I don’t know if there’s been a more specific detection since the sample was shared: I don’t work in the lab.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.


%d bloggers like this: