
The Return of Zuc.A and Ancient OSX Viruses?

A few weeks ago I caught a tweet from Chris Wysopal (@WeldPond) noticing how the new version of Microsoft Security Essentials had detected the Zuc.A virus on his machine. You might think that's really cool, how Microsoft gives away free anti-virus software to its users, and it is, but then you think, wait a minute, Zuc.A is a Mac virus, so why is it being detected by Microsoft Security Essentials, a Windows anti-virus product? Not only is Zuc.A a Mac virus, it's twenty-two years old! It was first detected in Italy in 1990! (To save you from looking it up, that's when Mac System 6.0.5 was shipping.) Why was it added to Microsoft Security Essentials, and why does Chris Wysopal have a copy of it on his Windows machine?

[Image: screenshot of the @WeldPond tweet]

The second question was easy to answer; I tweeted back at Weld Pond and asked him, "huh?" He mentioned that he keeps a copy of my old Whacked Mac Archives mounted on a backup drive. Now, the Whacked Mac Archives is an interesting piece of history, as it was the first and largest (at the time) repository of Macintosh security software. It totaled a whopping 20MB, which was a lot at the time, and one of the things it contained was a collection of about twenty or so live Mac viruses. So that answered the question of why Chris Wysopal had a twenty-two-year-old copy of a Mac System 6 virus on his Windows machine, but it didn't answer the first question: why it was being detected by Microsoft Security Essentials.

At the time this happened, a few weeks ago, I was travelling for work and didn't have time to delve into things very deeply. However, I received an unusual email from an old close friend who now works at Apple asking me to give them a call. I knew immediately why they wanted me to call. (If you're in the security community you know who it was, and since people who work at Apple prefer to stay in the shadows I won't name them.) This person had caught some of the tweets between myself and Weld Pond and wanted to know what we were seeing. So the fact that Microsoft Security Essentials was detecting old Mac viruses seemed to be news to Apple as well.

Unfortunately, like I said, I was travelling and didn't have time to really look into this, but I did have time to think about it; twelve-hour plane trips will do that for you. There was, of course, the obvious reason why any Windows anti-virus product would scan for ancient Mac viruses: to pad the numbers. By increasing the number of signatures they scan for, even if those signatures are technically irrelevant, they can say "We now have a squirrelzillion signatures in our product." Marketing, pure and simple. Of course, the reason that most AV companies will give you for why they scan for viruses that can't possibly hurt your machine is so that you won't unknowingly infect someone else. I have to wonder just how big the installed base of Classic Mac OS or System 6 thru 9 actually is to justify adding these signatures.

But that got me thinking even more (did I mention it was a twelve-hour plane ride?). If Microsoft is scanning for old Mac viruses, who else is? Is this an isolated case, or do all Windows AV packages scan for ancient Mac viruses as well?

When I got home, unpacked, and got a little more settled, I searched through some of my old boxes for a CD copy of the Whacked Mac Archives. Unlike Weld, I don't keep copies of ancient Mac software mounted on my desktop. I fired up an old Mac Mini with OSX that I had and a Dell laptop running Windows 7 and got to scanning. This is what I found.

Macintosh

Mac Mini, 2GHz Intel Core 2 Duo, 4GB RAM, OSX 10.6.8

[Image: Macintosh scan results table; the products tested are listed as footnotes 1 to 6 at the end of the post]

Sophos and Kaspersky Anti-Virus would only detect viruses in their uncompressed state, which is interesting because Avast (see below) is exactly the opposite.

The Avast results are interesting. It only detected about six of my two dozen samples, and only when compressed on the CD. Why only those six? If you're going to detect ancient viruses like this, why not detect them all, or at least most of them? When I uncompressed the files and left them in a folder on the hard drive, Avast did not detect them at all, which is the exact opposite of Sophos (see above). I don't know, but I suspect that the signatures that Avast uses are from compressed files and not the raw code.

iAntiVirus, which is a Symantec product, failed to detect any of the known viruses, but it did hit on a different file inside the Whacked Mac Archives. It detected both the compressed and expanded versions of 'Invisible Oasis', which was basically a simple keystroke recorder. It's not a virus and it doesn't run on OSX, so why detect it?

Just a side note on the different free AV products I tested: Kaspersky Anti-Virus 2011 for Mac gave me the most problems. It had issues installing and activating. Since the software is set by default to autolaunch on boot, it would lock up my machine instantly. After about two hours of fighting with it I finally got it to behave nicely, but it is definitely not something I would recommend.


Windows 7

Dell Latitude D520, Intel Core 2 @ 1.66GHz, 3GB RAM, Windows 7 SP1 32-bit

[Image: Windows 7 scan results table; the products tested are listed as footnotes 7 to 11 at the end of the post]

Microsoft Security Essentials was impressive: not only did it detect the highest number of samples, it detected both the raw files and the compressed versions. What I did not know, and learned about after I shared this with some other members here at SpiderLabs, is that Microsoft uses the same engine and signatures from MS Security Essentials in TMG (Threat Management Gateway) and probably in other products as well. It is nice to know that they pretty much detect everything.

Kaspersky's Mac product detects some of these, so they definitely have some of the signatures in their library. If they have them, why leave them out of the Windows version?

Sophos only detected some of the files and only in their uncompressed state.

Avast! seems to detect more Mac viruses on the Windows side than on the Mac side! It also detected compressed files as well as uncompressed, which is a little different from what I found on the Mac side. I'm not sure what to make of that at all. I suspect something in my testing setup may have let some of the signatures slip through; otherwise there is something weird going on at Avast!
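The Mac-side observations above (Sophos and Kaspersky only hitting the uncompressed files, Avast only the compressed ones) and the Windows-side results (Microsoft Security Essentials hitting both forms, Avast behaving differently from its Mac build) come down to two engine choices: which bytes a signature was cut from, and whether the engine unpacks archives before matching. The Python below is an added model of those two choices, not code from this post or from any of the vendors tested; the sample bytes, the marker string and the use of zlib in place of the CD's real archive format are all constructed assumptions for the demonstration.

```python
"""
Model of why the same old sample shows up in some scans and not others.

Two engine choices decide the outcome:
  1. which bytes the signature was cut from (the raw file, or the compressed
     stream the vendor happened to receive), and
  2. whether the engine unpacks archives before matching.
"""
import zlib
from typing import Dict, Optional, Set

# Constructed stand-in for one Whacked Mac Archives sample. It is NOT a virus,
# just a fixed marker padded with compressible filler; the marker text and the
# layout are assumptions for this demonstration only.
MARKER = b"ZUC.A-LOOKALIKE-MARKER-1990"
RAW_SAMPLE = b"\x00" * 128 + MARKER + b"\x00" * 128 + bytes(range(256)) * 8


def pack(data: bytes) -> bytes:
    """zlib stands in for whatever archive format the CD used (assumption)."""
    return zlib.compress(data, 9)


def unpack(blob: bytes) -> Optional[bytes]:
    """Return the decompressed bytes, or None if blob is not a zlib stream."""
    try:
        return zlib.decompress(blob)
    except zlib.error:
        return None


# Two signatures for the same sample. "raw-derived" was cut from the file
# itself; "compressed-derived" from its packed form (skipping the 2-byte zlib
# header), which is the situation the post suspects for Avast's Mac build.
SIGNATURES: Dict[str, bytes] = {
    "raw-derived": MARKER,
    "compressed-derived": pack(RAW_SAMPLE)[2:34],
}


def scan_bytes(blob: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> Set[str]:
    """Plain byte-pattern match: names of the signatures found in blob as-is."""
    return {name for name, sig in signatures.items() if sig in blob}


def scan_file(blob: bytes, unpack_archives: bool,
              signatures: Dict[str, bytes] = SIGNATURES) -> Set[str]:
    """Engine model: scan the file as-is and, optionally, its unpacked layer."""
    hits = scan_bytes(blob, signatures)
    if unpack_archives:
        inner = unpack(blob)
        if inner is not None:
            hits |= scan_bytes(inner, signatures)
    return hits


def detection_matrix() -> Dict[str, Dict[str, Set[str]]]:
    """Replay the post's experiment: each engine model against both forms."""
    forms = {"raw": RAW_SAMPLE, "packed": pack(RAW_SAMPLE)}
    engines = {"scan-as-is": False, "unpack-then-scan": True}
    return {
        engine: {form: scan_file(blob, unpacks) for form, blob in forms.items()}
        for engine, unpacks in engines.items()
    }


if __name__ == "__main__":
    for engine, results in detection_matrix().items():
        for form, hits in results.items():
            print(f"{engine:17} {form:7} -> {sorted(hits) or ['no detection']}")
```

Run as a script it prints the four combinations. A raw-derived signature with no unpacking gives the Sophos pattern (uncompressed only); a signature cut from the compressed stream gives the Avast-on-Mac pattern (compressed only, and only for the exact compressor output the signature came from); unpacking before matching is the only configuration that hits both forms, which is what the post saw from Microsoft Security Essentials. It also shows why compressed-derived signatures are brittle: repack the same file with a different tool or level and the byte string being matched no longer exists.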


Conclusion

So what have I actually proven here? Not a whole hell of a lot, really. Some anti-virus programs scan for really old Mac viruses and some don't. Personally, I don't see any benefit one way or the other. They aren't going to harm your machine, whether you're on a Mac or a Windows box, and the odds of you transmitting one of these to an old Mac Classic or System 6 thru 9 user are highly unlikely these days. I suppose there are still some pockets of old Mac users out there, most likely at schools, but how likely are you to share files with them? Either way, I thought this was an interesting exercise just to see what the different companies are doing.

Products tested:

1. Sophos Anti-Virus 8.0.4 (Threat Detection Engine 3.32.0, Threat data 4.78, protects against 3664367 threats)
2. ClamXav 2.2.5 (257) (Engine 0.97.4, Known Viruses 1248587)
3. Avast! 7.0 (37028) (Virus Definitions 12060602)
4. iAntiVirus 2009 (Engine Version 1.0.0.11, Database Version 2.0.51)
5. Avira 1.0.0.61 (VDF 7.11.26.40, Engine 8.2.10.28)
6. Kaspersky Anti-Virus for Mac 2011
7. Microsoft Security Essentials (Virus Definitions 1.127.1493.0)
8. Kaspersky Internet Security 2012 (Signatures 9100345)
9. Sophos Endpoint Security and Control 10.0.5 (Detection Engine 3.31.20)
10. McAfee AntiVirus Plus 15.0 (Build 15.0.302, DAT 6735, Engine 5400.1158)
11. Avast! 7.0.1426 (Virus Definitions 120607-1)
