Fake Codec is Mac OS X Trojan

Posted by Zonk on Thu Nov 01, 2007 02:54 PM
from the search-safely dept.
Kenny A. writes "Multiple news organisations are reporting on an in-the-wild Mac OS X malware attack that uses porn lures to plant phishing Trojans on Mac machines. The attack site attempts to trick users into downloading a disk image (.dmg) file disguised as a codec that's required for viewing the video. If the Mac machine's browser is set to open 'Safe' files after downloading, the .dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected, but once the Trojan is installed, it has full control of the machine."

Related Stories

Hardware: iPhone Trojan Sign of Things to Come? (101 comments)
climber writes "Just days after the first scareware for OSX, researchers are pondering the problems of an iPhone exploit that could lead to larger issues. The Trojan pulls legitimate apps off the phone if you try to remove it, but it only infects iPhones that have 'been modified or opened through a security hole in the system.' Though this worm is more of an annoyance than anything else, it could be a proof of concept for a more serious attack. 'The fear is hackers may be experimenting and gathering research that will increase the dangers of a more malicious attack in the near future. It is clear at least one writer -- the author of this piece at Web Worker Daily -- thinks that the iPhone should be left on the dresser in the morning. She offers several reasons that the device isn't a good corporate tool.'"
25 Comments
  • Nothing to see here... (Score:5, Funny)

    by conner_bw (120497) on Thursday November 01, @02:58PM (#21201395) Homepage
    No one uses the internet for porn, so we're all safe, right?

    • Lame excuse for a "trojan" (Score:5, Funny)

      by monkeyboythom (796957) on Thursday November 01, @03:03PM (#21201495)

> the Mac machine's browser is set to open 'Safe' files after downloading, the .dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected

      That's like saying that Troy had to put their enemies in the horse, then drag it up to the gate, drag it through and then offer a soft cushy landing spot for warriors coming out of the horse.

      [ Parent ]
  • Idiocy cannot be prevented (Score:5, Insightful)

    by jeffasselin (566598) <cormacolinde@ g m a i l . c om> on Thursday November 01, @02:59PM (#21201421) Journal
    The only cure to stupidity is intelligence.

    If someone is stupid enough to download something, run it and give it the admin password, it will obviously be able to take control of the machine. No operating system or security software will stop that.
  • Steps to get infected (Score:5, Informative)

    by giminy (94188) on Thursday November 01, @03:05PM (#21201543) Homepage Journal
    To get infected, you have to:

    1) Go to a porn site
    2) Download a plugin from the porn site
    3) Click "OK" that you are downloading a .DMG file.
    4) Mount the .DMG
    5) Go back to the Finder
    6) Double-click the installer
    7) Type in your account password
    8) Click next a few times

    Calling this, "In the Wild," is laughable. How did the porn site "get infected"? I'll bet anything that the porn site(s) in question know exactly what they are doing...
    • Re:Steps to get infected (Score:5, Insightful)

      by advocate_one (662832) on Thursday November 01, @03:13PM (#21201717)
      and with windows... 1) Go to a porn site....
      [ Parent ]
    • Re:Steps to get infected (Score:5, Insightful)

      by mhollis (727905) on Thursday November 01, @03:19PM (#21201819) Journal

      You are assuming something here: There is no incentive.

      Lots of Mac users are looking for the ultimate codec toolkit. Apple's Quicktime comes with a number but there are more out there and many are really hard to find and/or are Windows-specific. I downloaded and installed Divx and the Divx encoder for some things I do. I use Flip4Mac's WMV codec as well as their professional tools (for things like MXF files). And lots of Mac users have as well to get Quicktime to work with .WMV files as Microsoft stopped supporting us with their .WMV player.

      So, if one fools one's dupe with the come-on: "It's a codec you need to view these files," it's a pretty good scam. All of the additional clicking and password-entering will be motivated by the same reason why the user downloaded and installed the codecs I mentioned above.

      I suppose the moral of this story is that one should not trust anything on a porn site. But in the Mac user environment where Mac users usually struggle to keep up with the proprietary Microsoft stuff, a codec download "to see this" is not too far off-base.

      [ Parent ]
  • Full Control of the Machine? (Score:5, Informative)

    by His Shadow (689816) on Thursday November 01, @03:24PM (#21201925) Homepage Journal
    Bullshit. It appends the DNS servers to point the user to phishing and porn sites and runs a cron job to make sure the changes are modified. Does it then email everyone in your address book and infect every other machine on your network? No. It can't even install itself without the Admin password. It's a social hack.

    Nice Try tho...
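The behaviour described in this post (resolvers appended to the system's DNS settings, plus a cron job that keeps re-applying them) is the kind of change a defender can check for without any knowledge of the specific sample. The following is an added example, not code from the original thread or from any vendor write-up: it parses constructed text in the format of `networksetup -getdnsservers` and `crontab -l` output, flags resolvers outside an allowlist, and flags cron entries that touch DNS configuration. The allowlist, the sample addresses and paths, and the "runs every minute" heuristic are all assumptions made for illustration.

```python
"""Audit DNS resolver settings and cron entries for the changes a
DNS-changing trojan makes (resolvers appended, a cron job re-applying them).

The sample text below is constructed for this example, not captured from a
real infection. On a real Mac the input would come from
`networksetup -getdnsservers <service>` and `crontab -l`.
"""
import ipaddress
import re

# Assumption: the resolvers this environment expects (constructed values).
EXPECTED_RESOLVERS = {"192.168.1.1", "8.8.8.8"}

# Assumption: a cron job that re-applies resolver settings would invoke one
# of these; a desktop user's own cron jobs normally would not.
DNS_TOUCHING = re.compile(
    r"networksetup\s+-setdnsservers|scutil|/etc/resolv\.conf", re.IGNORECASE)

# Constructed: two expected resolvers followed by two that were appended.
SAMPLE_DNS_OUTPUT = """192.168.1.1
8.8.8.8
203.0.113.7
203.0.113.8
"""

# Constructed crontab: one legitimate job, one oddly placed every-minute job,
# and one job that rewrites the DNS servers every five minutes.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * /Users/Shared/.cache/refresh.sh
*/5 * * * * /usr/sbin/networksetup -setdnsservers Wi-Fi 203.0.113.7 203.0.113.8
"""


def parse_dns_servers(text):
    """Return resolver IPs from `networksetup -getdnsservers` output.

    The tool prints one address per line, or a sentence such as
    "There aren't any DNS Servers set on Wi-Fi." when none are configured.
    """
    servers = []
    for line in text.splitlines():
        line = line.strip()
        try:
            servers.append(str(ipaddress.ip_address(line)))
        except ValueError:
            continue  # not an address: the "no servers" sentence or noise
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Resolvers not on the allowlist, in the order they appear."""
    return [s for s in servers if s not in expected]


def parse_crontab(text):
    """Split `crontab -l` output into (schedule, command) pairs.

    Comments and blank lines are skipped; only the five-field schedule form
    is handled, and the command keeps any spaces it contains.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) == 6:
            entries.append((" ".join(fields[:5]), fields[5]))
    return entries


def suspicious_cron(entries):
    """Flag commands that modify DNS settings, and (weaker signal, assumed
    heuristic) jobs scheduled every minute."""
    hits = []
    for schedule, command in entries:
        if DNS_TOUCHING.search(command):
            hits.append((schedule, command, "touches DNS configuration"))
        elif schedule == "* * * * *":
            hits.append((schedule, command, "runs every minute"))
    return hits


def audit(dns_text, crontab_text):
    """Combine both checks into one report dictionary."""
    servers = parse_dns_servers(dns_text)
    return {
        "resolvers": servers,
        "unexpected_resolvers": unexpected_resolvers(servers),
        "suspicious_cron": suspicious_cron(parse_crontab(crontab_text)),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_DNS_OUTPUT, SAMPLE_CRONTAB).items():
        print(key, value)
```

Run against real output by piping `networksetup -getdnsservers Wi-Fi` and `crontab -l` into the two functions; the allowlist is the part worth tuning per environment, since any resolver outside it is a finding only if the list is actually complete.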

    • Re:You get what you deserve. (Score:5, Insightful)

      by FauxPasIII (75900) on Thursday November 01, @03:01PM (#21201467)
      > If you're stupid enough to go through all of those steps, you deserve to be infected.

      And does everyone else that your zombied machine spams or DDoS's deserve it?
      [ Parent ]
      • Re:You get what you deserve. (Score:5, Insightful)

        by Niten (201835) on Thursday November 01, @03:22PM (#21201899) Homepage

        That's an interesting straw man you've drawn up. Personally, I don't know anybody who purchased a Mac because he or she thought it was somehow immune to all forms of malware.

        I agree with the parent poster in a sense. OK, they don't really "deserve" to be infected, but there is a fundamental limit to what current computer security models are able to achieve. This infection doesn't occur through the exploit of some flaw in the web browser or OS X, it's pure social engineering. The malware gets installed just like any valid software package would; if the computer's administrator cannot be relied upon to intelligently differentiate between trustworthy and untrustworthy software, then all other technical countermeasures aside, there is absolutely no hope of keeping that system secure.

        [ Parent ]
    • Re:It begins (Score:5, Interesting)

      by Anonymous Coward on Thursday November 01, @03:02PM (#21201477)
      And by finally I assume you mean that Apple finally has succeeded in luring the coveted dimwit market to its products.
      [ Parent ]
      • Re:It begins (Score:5, Insightful)

        by ByOhTek (1181381) on Thursday November 01, @03:04PM (#21201523) Journal
There are dimwits in every market. If you think otherwise, it's because you are amongst the ranks...
        [ Parent ]
        • But does it matter? (Score:5, Interesting)

          by khasim (1285) <brandioch.conner@gmail.com> on Thursday November 01, @03:11PM (#21201655)
          Right now you have to convince people to install the trojan.

          Okay, that will give you X% of all the Mac users out there.

          Then what? How do you increase X?

          With Windows, the trojans scan the hard drive for email addresses and send out links to every address it can find. That depends upon unpatched exploits in IE or you having friends who are as dumb as you.

          If the same happens here ... I don't see the growth rate being above the disinfection rate.
          [ Parent ]
            • That's how they spread. (Score:5, Insightful)

              by khasim (1285) <brandioch.conner@gmail.com> on Thursday November 01, @03:52PM (#21202391)

> Trojans don't rely on IE vulnerabilities to get email addresses after infection.

              I did not say that they did. I said that the trojan scanned the hard drive of the infected computer to find anything that looked like an email address so it could send links to those addresses.

              If someone clicked on one of those links AND had a version of IE that was exploitable, then they were infected.

              That is how X increases in the Windows segment.

> They can do the exact same thing they do on Windows on an OS X box once infected.

              Yes they can. But they still depend upon a browser vulnerability in that scenario. Microsoft's decisions with IE (ActiveX, "integrating" it into the OS) means that the exploits are worse with IE than with, say, Firefox.

> It was only a matter of time before someone would target it. Whether more and more people target it is a completely separate issue.

              Targeting it does not matter. What matters is how to increase X%.

              If the infection rate is below the disinfection rate, the trojan dies "in the wild".

> As a cross-platform user of all sorts of systems I generally prefer that things aren't targeted at all.

              Yeah. You go with that.

> I do enjoy the people saying OS X was inherently secure based on absolutely no knowledge of OS X's foundation finally being hit with the clue-by-four. Now they can actually start learning what it is they are spouting about and present intelligent arguments which are always better than empty ones.

              Actually, it appears that your argument is the one that is empty.

Getting ONE person to infect his Mac is not much of an achievement. With enough users, eventually you'll find one dumb enough to fall for any scam.

              What matters is how fast it will spread.

So far, this trojan has demonstrated that Macs are extremely secure. The trojan is not spreading.

              Compare that with the Storm Worm.

> Of course that may just be a tad bit optimistic on my part. No system connected to the outside world is 100% secure, does this in any way change my thoughts on OS X security? Nope, not at all because I always understood this problem as it exists on any platform which lets the user download and run software.

              And who is saying that 100% security is needed?

              Security is a PROCESS. Not an end-item.

All that is needed is for Macs to have an infection rate that is BELOW the disinfection rate. Then the viruses and trojans and worms will all die "in the wild".

              No need to make any claims about "100% secure" or not. It's the infection rate that matters. Does it spread faster than it is removed? If it does not, then it is not a threat. If it is not a threat, then the Mac is still considered "secure" by its user.
              [ Parent ]
              • Downloads from porn sites (Score:5, Funny)

                by Aqua OS X (458522) on Thursday November 01, @03:53PM (#21202413) Homepage
I don't know about you, but if grandmagoldenshowers.com recommends that I download software, I do. If my operating system gives me a detailed warning about the software that I downloaded from the porn site, I disregard it. And if I'm forced to authenticate the installation, I do.

                Porn sites have given me hours of free orgasms at my desk, why wouldn't I blindly trust them?

                Oh and I also always give my credit card and social security number to Ebay when they're having problems with my account and they direct me to www.secureauthenticate.ebay.com.
                [ Parent ]
                • Re:Downloads from porn sites (Score:5, Funny)

                  by martin_b1sh0p (673005) on Thursday November 01, @04:34PM (#21203067)
> Oh and I also always give my credit card and social security number to Ebay when they're having problems with my account and they direct me to www.secureauthenticate.ebay.com.

                  Oh man you've been had!!! Every time I give them my SSN and CC it's at www.ebay.secureauthenticate.com. Obviously the site you have listed is a bogus / malware site!!!
                  [ Parent ]
              • Re:But does it matter? (Score:5, Funny)

                by bloobloo (957543) on Thursday November 01, @04:22PM (#21202877) Homepage
                It's on a Mac. Of course it's Darwinian. [wikipedia.org]
                [ Parent ]
    • by conner_bw (120497) on Thursday November 01, @03:07PM (#21201575) Homepage
Tech Support: "Ahhh, the porn trojan... This one's a doozy."
      User: "No, I wasn't looking at porn!"
      [ Parent ]
    • It begins? (Score:5, Interesting)

      by znu (31198) <znu@acedsl.com> on Thursday November 01, @03:07PM (#21201581)
Your subject seems to suggest that you believe that now that there's actually a piece of Mac malware in the wild, things will snowball, and there will be more and more. Is there any logical reason to believe that this is the case? In the latter days of pre-X Mac OS, there was some malware program or other released every year or three, but the rate never seemed to climb.

Any Mac haters gleefully hoping that this is the start of a Mac threat environment similar to the Windows threat environment are probably going to be quite disappointed.
      [ Parent ]
    • Re:It begins (Score:5, Insightful)

      by LWATCDR (28044) on Thursday November 01, @03:22PM (#21201887) Homepage Journal
      Not really. Is it a security exploit if the user must type in a password and install the program to make it work?
      Sorry but there is nothing that an OS can do to prevent someone with admin rights from installing and running a program.
I am not a Mac user but anybody that installs a codec to view porn that they get from the porn site...
As the Honda motorcycle safety ads put it oh so well:
Stupid Hurts.

      [ Parent ]
      • Re:It begins (Score:5, Insightful)

        by jackpot777 (1159971) on Thursday November 01, @03:36PM (#21202127)
        Exactly. This isn't a computer virus. It's a social engineering virus.

        Anyone that can write a keystroke logger program can also add wording that it's actually a codec for viewing videos. One more level of dishonesty's not going to stop them.

        People often criticize Wiki, but seeing as the Wiki definition of a computer virus [wikipedia.org] is "a computer program that can copy itself and infect a computer without permission or knowledge of the user", this is no virus.

        [ Parent ]
    • Re:fanboys unite (Score:5, Insightful)

      by Anonymous Coward on Thursday November 01, @03:04PM (#21201527)
      Name an operating system that can't be infected when a user gives an admin password.
      [ Parent ]
    • Re:Hmm (Score:5, Informative)

      by sm62704 (957197) on Thursday November 01, @03:08PM (#21201599) Homepage Journal
This is neither a virus nor a worm; it's a trojan. A trojan is a program that does or claims to do something useful, which gets you to install it. Once installed, it does something else in addition to or instead of what you installed it for.

No OS is foolproof, and even Mac and Linux users can be fools. Mac and Linux machines can be broken into, can get trojans, their users can be tricked into giving out passwords, but there are no Mac or Linux viruses in the wild.
      [ Parent ]
      • Re:Hmm (Score:5, Insightful)

        by djh101010 (656795) * on Thursday November 01, @03:09PM (#21201619) Homepage Journal

> Looks like the Mac fanbois are abusing the moderating system again. And the terminology is semantics. Mac users have been exclaiming that their Macs are immune or resistant to malware for years now and saying that Macs are better than Windows because Macs don't get infected.

        Actually, the only people claiming that Macs are immune to malware, are people like you claiming others are doing so specifically so you can say these mythical people are wrong. This is a case of a program not being what it claims to be, and using social engineering to get someone to install something, make it executable, authenticate as root, and run it. No different than a year or three ago when someone came out with a fake Office for OSX package they shared on the P2P networks which was really a shell script that removed files. Not a virus - this doesn't install itself.

        A "virus" with an install procedure which includes "and then become root and run it" isn't going to have legs.
        [ Parent ]
      • Re:Hmm (Score:5, Insightful)

        by Penguinisto (415985) on Thursday November 01, @03:13PM (#21201723) Journal
        Well, let's see...

        You find this "movie codec thingy" at a shady pr0n website (alarm #1), and it asks you to specifically download a .dmg file (alarm #2), install it with admin/root permissions (alarm #3) just to play a non-standard codec (alarm #4).

        Meanwhile, by comparison, there are a whole host of Windows nasties you can get just by, say, visiting a website with a rigged IFRAME in the page.

        QED: It's not a question of fanboys pooh-poohing something because it's their pet OS - it's a question of simple fucking logic.

        Come back and tell us about it when OSX (eventually) has an attack vector that doesn't require the user to be a complete and utter dumbass, please.

        /P

        [ Parent ]
    • by znu (31198) <znu@acedsl.com> on Thursday November 01, @03:15PM (#21201769)
      As a result of "Open Safe Files" in this instance, the user has to perform something like six manual steps instead of eight. Anyone gullible enough to go through those six steps would be gullible enough to go through eight, so "Open Safe Files" isn't really making anyone less safe here.
      [ Parent ]