23/02/2021 at 5:46 PM #26064 Anonymous User (Participant)
Silver Sparrow: What Apple is doing against the mysterious malware and how to track it down
The existence of a new type of malware has now been confirmed on around 30,000 Macs in more than 150 countries. The number of unreported “Silver Sparrow” installations is likely to be significantly higher. Both computers with Intel processors and the three new computers from Cupertino that run on Apple’s own M1 chip are affected. In this article, we explain how the malware could get onto the Mac, what countermeasures Apple has taken and how you can track down the malware on your own computer.
What is Silver Sparrow and how does it get on the Mac?
“Silver Sparrow” is a Trojan that does not initially contain any malicious code. Such code could be downloaded from the Internet at an unknown later time. According to the security experts at Red Canary, who discovered the malware, this has so far never happened. The malware is distributed in the form of signed installation packages named “updater.pkg” (Intel Macs, Developer ID: Saotia Seay, 5834W6MYX3) and “update.pkg” (Universal Binary, Developer ID: Julie Willey, MSZ3ZH74RK). The Mac user must run these packages for “Silver Sparrow” to become active on the computer. The exact distribution channels are still unclear; presumably the malware is advertised outside the Mac App Store as regular Mac software with more or less well-known names.
What countermeasures has Apple taken?
The distributed copies of “Silver Sparrow” are signed with legitimate developer certificates. According to its own statement, Apple has now revoked these certificates, MacRumors reports. With this measure, the Californian company prevents the malware from infecting other Macs. In addition, “Silver Sparrow” no longer runs on computers that have already been infected: since the beginning of February this year, all systems from macOS High Sierra onward run only apps that carry a valid notarization from Apple. This is checked every time an app is started.
How do you detect an infestation with “Silver Sparrow”?
Apple’s anti-malware tool XProtect, which is included in macOS, does not detect “Silver Sparrow” as far as we know. Manual steps are therefore required to track down an infection with the malware. The malware stores some files on the system SSD or hard drive that indicate its presence. Both versions of “Silver Sparrow” create the following files:
With the Intel variant, the following three files are added:
The Universal Binary for Intel and M1 Macs writes these files to disk:
The presence of the telltale files can be determined with the following terminal commands:
ls -l ~ / Library /._ except
ls -l ~/tmp/
ls -l ~/Library/"Application Support"/agent_updater/agent.sh
ls -l ~/Library/LaunchAgents/agent.plist
ls -l ~/Library/LaunchAgents/init_agent.plist
ls -l ~/Library/"Application Support"/verx_updater/verx.sh
ls -l ~/Library/LaunchAgents/verx.plist
ls -l ~/Library/LaunchAgents/init_verx.plist
The tilde (~, Option-N) stands for the personal user folder. Alternatively, you can use the Finder to look for the files in the corresponding directories: press Shift-Command-G, then enter the name of the folder, for example “~/Library/LaunchAgents”.
What to do if the malware is on the computer?
If the Mac is infected with “Silver Sparrow”, you can try to remove the malware with antivirus software. However, there is a risk that remnants will remain and the malware will reactivate. A safer approach is the one that experts have always strongly recommended for all compromised systems: set up the Mac again, i.e. install macOS from scratch, and then import a virus-free Time Machine backup.
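The file checks from the detection section above, combined into one script that also reports which variant the files belong to. This is an added example, not part of the original post; it covers only the six paths that are listed intact above, and the function names sparrow_scan and sparrow_verdict are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): look for the Silver Sparrow
# files whose paths are listed intact on this page.
# sparrow_scan and sparrow_verdict are hypothetical helper names.

# sparrow_scan [HOME_DIR]
# Prints "variant<TAB>path" per indicator found under HOME_DIR (default: $HOME).
# Returns 0 when nothing is found, 1 when at least one indicator exists.
sparrow_scan() {
    home=${1:-$HOME}
    hits=0
    # variant|path relative to the home folder
    for entry in \
        "intel|Library/Application Support/agent_updater/agent.sh" \
        "intel|Library/LaunchAgents/agent.plist" \
        "intel|Library/LaunchAgents/init_agent.plist" \
        "universal|Library/Application Support/verx_updater/verx.sh" \
        "universal|Library/LaunchAgents/verx.plist" \
        "universal|Library/LaunchAgents/init_verx.plist"
    do
        variant=${entry%%|*}
        rel=${entry#*|}
        # -e is false for a dangling symlink, so test -L as well
        if [ -e "$home/$rel" ] || [ -L "$home/$rel" ]; then
            printf '%s\t%s\n' "$variant" "$home/$rel"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# sparrow_verdict [HOME_DIR]: prints clean, intel, universal or both
sparrow_verdict() {
    found=$(sparrow_scan "$1" | cut -f1 | sort -u | tr '\n' ' ')
    case $found in
        "") echo clean ;;
        "intel ") echo intel ;;
        "universal ") echo universal ;;
        *) echo both ;;
    esac
}
```

Run sparrow_verdict with no argument to check the current user's home folder; any result other than "clean" means at least one of the listed files exists.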