As the Mac becomes more popular in schools and the enterprise, nefarious developers will try to create malware designed to steal personal information and infect systems. A new malware, Backdoor.MAC.Eleanor, was recently discovered by Bitdefender Labs. This piece of malicious software has been shown to allow full access to an infected Mac's file system, even access to the webcam. The malware was disguised as a simple file converter called “EasyDoc Converter.app,” which offered no real file conversions. Instead, a malicious script is installed, giving the attacker full control of the system. The app was posted on several ad-sponsored download sites that were more popular before the advent of the App Store.
Unlike the malware from earlier this year, this app was not signed by an Apple Developer ID, so systems with Gatekeeper turned on will prevent it from running. Gatekeeper is Apple's built-in mechanism for preventing malicious apps from running: it allows only apps from the App Store or from developers who have obtained a Developer ID directly from Apple. Gatekeeper, however, can be overridden by an admin user, which allows the app to install anyway. This underscores the importance of using the built-in security controls Apple provides in OS X, and of enforcing these policies if you are in charge of managing a large number of Macs.
The Casper Suite offers the ability to universally set Gatekeeper settings on client Macs, disable admin rights to prevent apps from being installed outside of trusted sources, and even blacklist specific apps. Using a dedicated Mac management tool will ensure your users won’t be impacted by malware like this.
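To make the Gatekeeper points above concrete, here is an added example (not code from the original post or from JAMF/Casper Suite): a POSIX shell compliance check an admin could run on managed Macs to confirm Gatekeeper assessments are enabled and to report how Gatekeeper would judge installed apps. The sample `spctl` outputs are constructed, and the live section assumes the usual `spctl --status` / `spctl --assess -v` output format.

```shell
#!/bin/sh
# Added example, not code from the original post or from JAMF/Casper Suite.
# Gatekeeper compliance check for managed Macs: confirms assessments are on
# and reports how Gatekeeper would judge an app. The parse functions take
# command output as an argument so they run against constructed samples;
# the live spctl calls (output format assumed) run only where spctl exists.

# Returns 0 when `spctl --status` output reports assessments enabled.
gatekeeper_enabled() {
  case "$1" in
    *"assessments enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reduces `spctl --assess --type execute -v <app>` output to
# "accepted:<source>" or "rejected:<source>" (source defaults to "unknown").
assess_verdict() {
  av_verdict="rejected"
  case "$1" in *": accepted"*) av_verdict="accepted" ;; esac
  av_source=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
  printf '%s:%s\n' "$av_verdict" "${av_source:-unknown}"
}

# Exit status 0 when admin follow-up is warranted: Gatekeeper is off, or the
# app would be rejected (e.g. unsigned, as EasyDoc Converter was).
needs_attention() {
  gatekeeper_enabled "$1" || return 0
  case "$(assess_verdict "$2")" in rejected:*) return 0 ;; esac
  return 1
}

# Constructed sample outputs (not real captures) for offline use.
SAMPLE_STATUS_ON="assessments enabled"
SAMPLE_STATUS_OFF="assessments disabled"
SAMPLE_UNSIGNED="/Applications/EasyDoc Converter.app: rejected
source=no usable signature"
SAMPLE_SIGNED="/Applications/Safari.app: accepted
source=Apple System"

# Live run on a Mac: report Gatekeeper state and every app's verdict.
if command -v spctl >/dev/null 2>&1; then
  status_out=$(spctl --status 2>&1 || true)
  gatekeeper_enabled "$status_out" || echo "WARNING: Gatekeeper assessments disabled"
  for app in /Applications/*.app; do
    verdict=$(assess_verdict "$(spctl --assess --type execute -v "$app" 2>&1 || true)")
    echo "$app -> $verdict"
  done
fi
```

Run as a policy script from a management tool, the `WARNING` line and any `rejected:` verdicts are the items worth flagging for follow-up.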
Just as important as managing security controls is providing users with a trusted source for installing apps. The Casper Suite also includes a Self Service app catalog that IT admins can populate with pre-packaged apps. This gives users an IT-vetted, trusted source for app installations while defending against malware attacks.
IT professionals are already discussing this threat on our community forum, JAMF Nation. Join the conversation here: https://jamfnation.jamfsoftware.com/discussion.html?id=20451.