Macs seized by porn Trojan

muckshifter
Moderator, joined Mar 5, 2002
Source: http://www.theregister.co.uk/2007/10/31/in_the_wild_osx_trojan/

"Miscreants have released a sophisticated Trojan into the wild that targets Mac users, according to Intego, a company that markets security software that runs on OS X.

The malicious Trojan, dubbed OSX.RSPlug.A, is making the rounds on several porn websites. When Mac users try to view some videos, the site feeds them a page that says QuickTime is unable to play the file unless a special codec is installed first. If the user proceeds, a form of DNSChanger is installed that hijacks some web requests sent to eBay, PayPal and some banking websites, according to this write-up <http://www.intego.com/news/ism0705.asp> from Intego. "The noteworthy part is that someone is targeting the [Mac] OS," said Randy Abrams, a security researcher at antivirus software provider Eset. "This may mean that the OS is beginning to gain enough users to be attractive to attackers."

The Trojan installs a root crontab that makes minute-by-minute queries to check that the doctored DNS server is still active. The websites offer different versions of the malware, most likely to tailor web spoofing to the victim's particular country. There is no way for victims running 10.4 to see the changed DNS server in the OS X GUI. In 10.5, the DNS server is visible in the Advanced Network preferences, but the added servers are dimmed and can't be removed manually.

Apple PR representatives didn't respond to an email seeking comment for this story.

A barrage of spam posted to Mac forums invites readers to visit the malicious websites. The Trojan requires victims to enter the administrative password for their machine, a factor that is likely to mitigate the risk somewhat. Then again, Windows users have for years been tricked into installing malware <http://www.theregister.com/2007/10/19/return_of_trojan_bayrob/> that can wreak havoc on their PCs. We see no evidence that Mac users are any less resilient to social-engineering attacks."
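The Register piece gives two things a worried Mac user can actually check for: a root crontab job that fires every minute, and resolver addresses that were added behind the user's back (hidden in the 10.4 GUI, greyed out in 10.5, but both visible from the command line via `sudo crontab -l` and `scutil --dns`). The script below is an added example written for this thread, not code from the article, Intego or Sunbelt; the crontab and `scutil` listings are constructed samples, `/path/to/suspect-binary` is a placeholder rather than the Trojan's real path, and the helper names (`every_minute_jobs`, `unexpected_resolvers`, `triage_report`) are my own.

```python
"""Triage helpers for the two host indicators described in the article:
a once-a-minute root cron job and resolver addresses the user never set.
Added example with constructed sample input; feed it the real output of
`sudo crontab -l` and `scutil --dns` on a Mac under investigation."""

import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `sudo crontab -l`: one ordinary daily job plus a job
# that runs every minute, the pattern the article attributes to the Trojan.
# The command path is a placeholder, not the real one.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/periodic daily
* * * * * /path/to/suspect-binary >/dev/null 2>&1
"""

# Constructed sample of `scutil --dns`. 192.168.1.1 stands in for the router
# the user expects; 203.0.113.x are RFC 5737 documentation addresses standing
# in for servers that were added without the user's knowledge.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.10
  nameserver[2] : 203.0.113.11
  if_index : 4 (en0)
"""

CRON_SPECIAL = re.compile(r"^@(reboot|yearly|annually|monthly|weekly|daily|hourly)\s+(.*)$")
NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")


def parse_crontab(text: str) -> List[Tuple[List[str], str]]:
    """Return (schedule_fields, command) per job line, skipping comments,
    blank lines and VAR=value assignments."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_SPECIAL.match(line)
        if m:  # @daily-style shorthand keeps its keyword as the only field
            jobs.append(([m.group(1)], m.group(2).strip()))
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # malformed line: fewer than five fields plus a command
        jobs.append((parts[:5], parts[5]))
    return jobs


def every_minute_jobs(text: str) -> List[str]:
    """Commands whose five schedule fields are all '*', i.e. run once a minute."""
    return [cmd for fields, cmd in parse_crontab(text) if fields == ["*"] * 5]


def parse_resolvers(text: str) -> List[str]:
    """Nameserver addresses in the order scutil lists them, without duplicates."""
    seen: List[str] = []
    for m in NAMESERVER_RE.finditer(text):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def unexpected_resolvers(text: str, expected: Set[str]) -> List[str]:
    """Resolvers in the listing that are not among the ones the user configured
    (router, ISP or corporate servers)."""
    return [a for a in parse_resolvers(text) if a not in expected]


def triage_report(crontab_text: str, scutil_text: str, expected: Set[str]) -> Dict[str, List[str]]:
    """Run both checks and return the findings for review."""
    return {
        "every_minute_jobs": every_minute_jobs(crontab_text),
        "unexpected_resolvers": unexpected_resolvers(scutil_text, expected),
    }


if __name__ == "__main__":
    for key, hits in triage_report(SAMPLE_CRONTAB, SAMPLE_SCUTIL, {"192.168.1.1"}).items():
        print(f"{key}: {hits or 'none'}")
```

A hit on either list is a lead, not a verdict: legitimate software does schedule minute-level jobs, so the point is to surface anything a user did not knowingly install and then look at what that command actually does, and to compare the resolver list against the addresses the router or ISP really hands out.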
 
This new Mac trojan? Well, it’s actually fairly important news.

I don't mean to sound breathless about it. As far as we know, it's not widespread. But this is the first targeted, real attack on Mac users by a professional malware group.

As one of our security researchers put it:


“This is pretty groundbreaking, actually. Not from the standpoint of ‘malware can exist on Mac too’ (everybody who's not a moron knew that), but really from the fact that this actual malware created by real malware groups, not one of those useless proof-of-concept of ‘malware can exist on Mac too’.”


Yet the chorus of yawns from the security space is deafening:


While security experts agree that such a piece of malware would pose a very serious threat to users, it remains unclear just how far the reported trojan has spread.

Representatives for McAfee, Symantec, and Trend Micro all told vnunet.com that their researchers had been unable to find the trojan in the wild or obtain a sample from Intego. A spokesperson for Symantec noted that Intego "has a tendency to overhype things. "
Well, putting aside the fact that it took us under 3 minutes to find the Trojan simply by doing a simple Google search, this shouldn’t be viewed as overhype (although one part of the article certainly is overhype: “the tool allows the attackers to redirect web traffic. Users attempting to visit Paypal, Ebay or certain banking sites for instance will be directed to a phishing website instead.” Nah.)

I don’t know much about Intego, a Mac antivirus company. But when I showed our resident Mac guru this Trojan, his reaction was real surprise. In his words, “I’ve been using Macs since 1989. This is the first time I’ve seen something like this.”

This is a good story.

Again, I’m not trying to overhype. Mac users, hungry for pr0n, really do have to go through a few hoops to get this thing loaded. But we now have millions of new Mac devices out there, between the Touch and IPhone, running OSX.

The sole driving force behind malware these days is money. And this is simply a new market for these bad guys.

Let’s not get complacent ourselves in the security space.
http://sunbeltblog.blogspot.com/2007/10/mac-trojan-overhype-you-tell-me.html

 
A couple of articles have come out that provide some counterpoint on the “Is the Mac no longer secure because of this new Trojan, bla bla?” question. Mac apologist Carl Howe writes a slightly misinformed article on Mac security, where he (sort of) confuses vulnerabilities with this new Trojan and generally bashes Windows.
Ok, just to make it clear: This Trojan is not a vulnerability in OS X, does not use a vulnerability in OS X, is not an exploit and I wish it would stop being referred to in these wildly incorrect terms.

David Harley writes a more reasoned essay, where he points out the Big Critical Piece of Information that Some People Aren’t Getting: The majority of malware attacks are done through social engineering, and this Trojan is installed through social engineering, and that this piece of malware comes from the same group that’s making a lot of money off of Windows users. This Trojan is quite widespread on Windows (fake codecs are always at the top on our threat center, which tracks in real-time what is actually being removed by CounterSpy users). It requires user confirmation to run, so what makes Mac users think that they are immune to this type of social engineering?

There was even one respected security researcher who implied that Mac users were generally smarter than Windows users and thus weren’t as likely to install the Trojan. Well, this comment on my blog should answer that question:
I am new to the mac life! I just bought a video camera and hooked it up to my new macbook and the video didn't work so I downloaded whatever popped up!!! I had no idea why my video didn't work and i figured that mac's are suppose to be soooooo user friendly that I needed to download it. NOW WHAT DO I DO? HOW DO I KNOW IF I GOT THIS DARN TROJAN OR NOT???? EEK please help?

QED.
Mac users are human beings, like all the rest of us, and can be fooled like all the rest of us. This Trojan is very deceiving, and its existence is simply a wake-up call that the professional, for-profit malware authors have moved into the Mac world, and now Mac users simply need to be more vigilant.

Alex Eckelberry
