November 8, 2007 5:51 AM PST

Multiplying Mac Trojan not epidemic yet

If Mac users thought the Trojan discovered last week was a one-off, they'll need to think again.

Security firm F-Secure has discovered 32 variants of it, but claims about its powers have been wildly overstated, according to experts.

"Looks like the Mac Trojan we posted about last week was not an isolated incident. The gang behind it seems serious about targeting Mac users as well as Windows users. And they keep putting out slightly modified versions of the Trojan for the Mac too," Mikko Hypponen, chief research officer at F-Secure, wrote in his blog this week.

Last week, Mac security software vendor Intego discovered a Trojan designed for Mac OS X being distributed via porn sites.

The Trojan is being disguised as a codec, software used to decode digital media streams. If it is downloaded, it alters a computer's domain name system (DNS) server, redirecting the machine to porn sites of the malware distributor's choice. The prime purpose appears to be to make money when people click on ads served on the sites.

The "payloads" of the 32 variants of the Trojan are the same as the original discovered by Intego. However, F-Secure technical manager Patrik Runald said the Trojan is also on a reconnaissance mission of sorts: it reports its findings back to an IP address in the Ukraine.

"It reports the name of the computer and the operating system version back to another IP address within the Ukraine to keep track of the installs they have," he told ZDNet Australia.

There is also a version for Windows platform users, said Runald, and it was this version that led him to the conclusion the group behind the DNS-changing Mac Trojan is the same group behind the malware released earlier this year known as "zlob."

"Zlob is also about click ads and showing ads on your PC and are also typically distributed through fake codecs," Runald said.

It shows that Macs are "starting to get interesting for the bad guys," he added.

"It's not an isolated incident because it's a professional gang behind it, not some teenagers trying to prove a point," Runald said. "They're actually making money out of it and because of this it's unlikely to end soon."

However, Runald said, the Trojan does not mean Mac platforms are facing a malware epidemic.

Liam Tung of ZDNet Australia reported from Sydney.

65 comments (showing first 20 comments)
Macs... not as safe as some think... BUT...
by wbenton November 8, 2007 6:24 AM PST
Macs are not as safe as some think... but they're also not as dangerous as others purport.

Personally, I like Linux much better, but at least a Mac has more clout than a Windowz machine!

(* GRIN *)

Walt
Story slightly inaccurate
by samkass November 8, 2007 6:59 AM PST
The story reads, "If it is downloaded, it alters a computer's domain name system (DNS) server, redirecting the machine to porn sites of the malware distributor's choice."

In reality, the software must be downloaded, double-clicked on, the warning clicked away, and then user must type their administrator password into an authentication dialog in order for the software to do its thing on a Mac. While it's certainly possible to trick some people into doing this, this software isn't something that's going to automatically spread like wildfire.
Rename the article - Mac Trojan and the Darwin effect
by LarryLo November 8, 2007 7:11 AM PST
This is Apple's secret way of thinning the herd.

Anyone who would go through all the steps to install this silly program deserves to have their DNS redirected! :)
Multiplying how, exactly?
by DavidChartier November 8, 2007 7:21 AM PST
Is the trojan spreading itself via a flaw in Mac OS X? What about a vulnerability in Safari or its WebKit rendering engine?

No?

Then stop using sensational headlines for traffic. This is by no means an epidemic and doesn't really have a chance to become one. This trojan not only requires the user to *deliberately download a file from a shady porn site,* but it also requires the user to *manually start the installer,* as well as *provide an admin password to install the software.*

There is no automatic spreading of the trojan.
There is no epidemic.

Just a blatantly clueless or baiting headline for pageviews.

Stop it.
Huh!!
by ATSkyWalker November 8, 2007 7:23 AM PST
From the original news item:

But to get infected with the malware, you have to accept the invitation to download "new version of codec," open up the .dmg (disk image) file, click the installer.pkg file, and enter your administrator's password, according to Intego. Once infected, the malware changes your DNS settings to hijack Web traffic and redirect it to phishing sites or ads for porn. And you still won't get to watch the video.

So! You have to voluntarily download it, mount it, install it, and supply it with your admin password for it to infect you??

Last time I checked Windows automates all these steps with you :-) It installs the trojan with zero user intervention!

I guess Apple should ship a version of OS X for stupid people in which your password is not known even to you.
This is awesome news!!!!
by oharag1111 November 8, 2007 8:21 AM PST
This means that Macs are making huge market share gains for the virus guys to even consider it (safety through obscurity - or something like that)!!!! Yeah Mac users rejoice - one more stupid milestone to overcome before PC users accept Mac's as superior to their choice :-)
PEBKC
by Wind_Freak November 8, 2007 8:25 AM PST
Problem exists between keyboard and back of chair.

Maybe congress should enact a law stating that all porn websites along with the under 18 warning should also include a don't install any software warning.

I think users that came from a windows background are probably more susceptible to this due to being used to having to install a billion different codecs to make things play.

I find on my mac I no longer have to install codecs and if it doesn't automatically play then i just don't want to see it that bad.
32 variants of stupid.
by Penguinisto November 8, 2007 8:30 AM PST
I give props to F-Secure for stating the case clearly, and not giving in to the hype.

Intego, OTOH... well, they're no-name fools, and two months from now no one will remember who they were.

If the folks behind are professionals then of course they're going to explore all options. It'll be fun to watch them become slowly disappointed that the Macs aren't giving them the ill-gotten gains that certain other OSes have for 'em.

/P
I ran into this yesterday
by R. U. Sirius November 8, 2007 9:19 AM PST
I administer a forum, and this little beast was on it yesterday. Here are some points these hype articles are not covering:

1. It comes into the forum as a spam post.

2. They are disguised as YouTube videos, and are NOT necessarily porn. In our case it was disguised as some sort of music video.

3. If you have Safari set to Safe mode, clicking the fake YouTube video will take you to a website and will AUTOMATICALLY begin downloading this fake codec, and ask you if you want to install it. It is at this point that users are most vulnerable.

4. If you type in your admin password, the dmg file will install.

Now, some key points:

1. The media needs to alert people to be watchful of these fake YouTube videos.

2. This does require the user to do an install, but inexperienced users can easily be fooled by this thing.

3. This is not an exploit of OSX, yet. Perhaps it may morph into that, but as of now you are okay if you don't do the install. They are certainly trying though to exploit YouTube and many users. The technique is not being well explained by most of the media. If you manage forums or blogs, the fake YouTube links, at least the one I had, was obvious to me, but to most users I suspect many can easily fall for this trap.

4. Check your /Library/Internet Plugins folder. If you find a file named "plugins.settings" you are infected.

5. Be careful out there. Whoever is behind this is very clever and scary.

Macworld has a detailed article on how to manually make sure your OSX system is clean:

http://www.macworld.com/2007/10/firstlooks/trojanhorse/index.php
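The article describes a Trojan whose payload is a change to the machine's DNS server settings, and the comment above gives the one on-disk indicator a forum administrator noticed. The script below is an added, defender-side example, not code from the article, from F-Secure or Intego, or from any commenter. It reads the resolvers a Mac is actually using, compares them against an allowlist the administrator maintains, and looks for the plugins.settings file. Assumptions: EXPECTED_DNS is a constructed placeholder to be replaced with your own resolver addresses; the comment writes the folder as /Library/Internet Plugins while the standard macOS directory name is /Library/Internet Plug-Ins, so both spellings are checked; the scutil parsing assumes its "nameserver[N] : address" line format, with /etc/resolv.conf as the fallback on other systems.

```shell
#!/bin/sh
# Added example: check a Mac for the DNS-changer behaviour described in the
# article. Not the article's, the vendors' or any commenter's code.

# Constructed placeholder: replace with the resolvers your network should use.
EXPECTED_DNS="192.168.1.1 192.168.1.2"

# check_dns_servers "<configured resolvers>" "<allowed resolvers>"
# Prints one line per resolver that is not on the allowlist.
# Returns 0 when every configured resolver is allowed, 1 otherwise.
check_dns_servers() {
  configured=$1
  allowed=$2
  rc=0
  for s in $configured; do
    case " $allowed " in
      *" $s "*) ;;                      # allowed resolver, nothing to report
      *) echo "unexpected DNS server: $s"; rc=1 ;;
    esac
  done
  return $rc
}

# check_indicator_file <directory>
# Returns 1 (and prints the path) if the plugins.settings indicator file
# named in the comment exists in that directory, 0 otherwise.
check_indicator_file() {
  if [ -f "$1/plugins.settings" ]; then
    echo "indicator found: $1/plugins.settings"
    return 1
  fi
  return 0
}

# get_configured_dns
# On macOS, parse the resolver list from scutil --dns (assumed format:
# "nameserver[0] : 192.168.1.1"); elsewhere fall back to /etc/resolv.conf.
get_configured_dns() {
  if command -v scutil >/dev/null 2>&1; then
    scutil --dns | awk '/nameserver\[[0-9]+\]/ {print $3}' | sort -u | tr '\n' ' '
  elif [ -r /etc/resolv.conf ]; then
    awk '/^nameserver/ {print $2}' /etc/resolv.conf | sort -u | tr '\n' ' '
  fi
}

# main: run both checks against the live system; exit 1 on any finding.
main() {
  status=0
  check_dns_servers "$(get_configured_dns)" "$EXPECTED_DNS" || status=1
  # The comment omits the hyphen; the standard directory has one. Check both.
  for d in "/Library/Internet Plug-Ins" "/Library/Internet Plugins"; do
    check_indicator_file "$d" || status=1
  done
  [ "$status" -eq 0 ] && echo "no DNS-changer indicators found"
  return $status
}

# Live checks run only with --run, so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as `sh dnscheck.sh --run`; a non-zero exit means either an unlisted resolver or the indicator file was found. The resolver comparison is the more durable of the two checks: the article notes 32 variants with the same payload, and a changed resolver is what every variant has to produce to earn its operators money.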
The need of fear...
by thedreaming November 9, 2007 11:47 AM PST
Why are two known security companies trying very hard to scare mac users into thinking their machines aren't safe from porn sites, youtube, or online forums? Is it because they want to sell more of their products to those users? After all, sales of macs are up because now you can also run windows on them, allowing macs to have the best (and worst) of both worlds.

Imagine: A mac user using a mac version of an antivirus program and a pc version, made by the same company.
HAHAHA
by starcannon November 9, 2007 2:45 PM PST
Oh my god, too funny, they are getting some mileage out of this story aren't they.

Funnier still is that anyone on a Mac would be infected by this, for criesakes you have to give an administration password after clicking yes a few times just to install this crap.

I'm no fan of Mac, but still, I couldn't imagine getting infected with any form of malicious wares through the "you need this codec" method.
1) I'd go find the codec from a trusted source, or find out if it's even really a codec that exists.
2) I'd go find porn that didn't require me to jump through hoops to view.

Windows users, yeah I can see how it would happen, sorry, but you are on windows, not much can be done to save you from the wolves.
What people really don't seem to get...
by _t3h November 9, 2007 6:24 PM PST
... is that any OS capable of running custom software will have some form of malware.

This news is hardly surprising and has been bound to happen for a long while.
Nothing to do with Intel.
by _t3h November 9, 2007 6:33 PM PST
This has absolutely nothing to do with Intel, or hackers knowing how to program in one architecture or the other. Most of this malware would be written in C or another high-level programming language. The same code (if it's written properly i.e. endianness issues) will be able to run on either architecture quite easily.

The only time architecture would matter is if it was done in assembly, which this would not have to be. These malware apps are not the work of "hackers" in the true sense - they are rather quickly programmed apps by malware authors wanting to make money (look at what this thing does). Assembly would not be worth the effort.
So the steps you'd have to go through to install this are...
by grandmasterdibbler November 9, 2007 6:48 PM PST
Right, if this is actually going to affect a Mac user they'd need to:
1) Download it (Safari will warn them they are downloading an application)
2) Open it, requiring administrator password
3) Run it, and the OS will warn you that you've not opened it before.

That's at least 3 warnings people get that they're getting an executable file, and the fact that they would have to put in their Admin password to run it should ring alarm bells.

This isn't a weakness of OS X (there are more steps in the way of people running this kind of executable than there are on XP); it is a fault of the end user.
As for the 'stupid people buy Macs' argument, said stupid people will almost definitely have owned a PC beforehand, something which many of you are keen to forget.

This is social engineering pure and simple, most of the not computer-savvy people I know are sufficiently paranoid about what they're doing to ask before doing stuff like this, a by-product of years using Windows.

This is nothing like the huge worldwide Windows malware like Blaster that made it through requiring little (any?) user interaction whatsoever. When Macs can be attacked without the User knowing what's going on, that is when the PC guys can finally tell Mac users to suck it, this is just a well done social engineering mechanism.