Fake Codec is Mac OS X Trojan
Posted by Zonk on Thu Nov 01, 2007 02:54 PM
from the search-safely dept.
Kenny A. writes "Multiple news organisations are reporting on an in-the-wild Mac OS X malware attack that uses porn lures to plant phishing Trojans on Mac machines. The attack site attempts to trick users into downloading a disk image (.dmg) file disguised as a codec that's required for viewing the video. If the Mac machine's browser is set to open 'Safe' files after downloading, the .dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected, but once the Trojan is installed, it has full control of the machine."
Lame excuse for a "trojan" (Score:5, Funny)
That's like saying that Troy had to put their enemies in the horse, then drag it up to the gate, drag it through and then offer a soft cushy landing spot for warriors coming out of the horse.
Idiocy cannot be prevented (Score:5, Insightful)
If someone is stupid enough to download something, run it and give it the admin password, it will obviously be able to take control of the machine. No operating system or security software will stop that.
DNS (Score:4, Informative)
It could just as easily install a VNC server I suppose.
Steps to get infected (Score:5, Informative)
1) Go to a porn site
2) Download a plugin from the porn site
3) Click "OK" that you are downloading a
4) Mount the
5) Go back to the Finder
6) Double-click the installer
7) Type in your account password
8) Click next a few times
Calling this, "In the Wild," is laughable. How did the porn site "get infected"? I'll bet anything that the porn site(s) in question know exactly what they are doing...
Re:Steps to get infected (Score:5, Insightful)
You are assuming something here: There is no incentive.
Lots of Mac users are looking for the ultimate codec toolkit. Apple's Quicktime comes with a number but there are more out there and many are really hard to find and/or are Windows-specific. I downloaded and installed Divx and the Divx encoder for some things I do. I use Flip4Mac's WMV codec as well as their professional tools (for things like MXF files). And lots of Mac users have as well to get Quicktime to work with .WMV files as Microsoft stopped supporting us with their .WMV player.
So, if one fools one's dupe with the come-on: "It's a codec you need to view these files," it's a pretty good scam. All of the additional clicking and password-entering will be motivated by the same reason why the user downloaded and installed the codecs I mentioned above.
I suppose the moral of this story is that one should not trust anything on a porn site. But in the Mac user environment where Mac users usually struggle to keep up with the proprietary Microsoft stuff, a codec download "to see this" is not too far off-base.
Re:Steps to get infected (Score:5, Informative)
Arguably, Apple should pre-install both of these packages - or variants thereof.
Now to get back onto the main topic..
One could also argue that the Apple-provided Quicktime player sucks ass big-time - and of course that is very true - but that's easily fixed by installing NicePlayer [sourceforge.net] (also FOSS) - the other route is to ignore all the Quicktime-based solutions, and use something like VLC [videolan.org].
None of the above will stop an uneducated and/or unsuspecting user from clicking their way through an installer (and giving up an administrator password) believing it to install something great/fun/useful. If you try too hard to protect the naive and/or foolish from their own actions when administering the system, then you end up taking the route Microsoft have with Vista (and their earlier Windows, each to a lesser extent) -- Are you sure? Are you really sure? Are you really really certain? Can I get a password with that? -- Ah.. Mac users are getting used to giving passwords during installs - bummer. (Mind you, they don't do it as quickly as the average Windows user/administrator can click Ok, Ok, Ok, Ok)
Being honest though, I don't think naivety or foolishness really enter into the equation - after all, it's a social engineering trick driven by the simple male quest for boobies - a somewhat unstoppable force!
This is not a virus, it's a "wetware" exploit. (Score:4, Informative)
It's impossible to make a machine fully idiot proof, but in the past couple of versions Apple has added 3 new "nag" boxes to Safari in attempts to warn people.
Anyone who goes through that many screens deserves to have it installed.
I don't install any media player or codec if it asks for root permission.
Even Flip4Mac doesn't require full permissions.
you drop the free component into your home's library folder and it runs in user space when websites call for wmv decoding.
Insecure settings (Score:3, Informative)
We're simply talking about social engineering. Windows, OS X, *BSD, Linux (and probably most other operating systems out there) are all vulnerable to this sort of attack, there's just little in the way of motivation to actually do it.
The part where the dmg is automatically opened is the only thing that even resembles a vulnerability as such, though it should actually be filed under "insecure default settings" rather than a vulnerability per se. This said, both linked articles are quite sparse with information regarding the actual installation. From my experience Safari should say something about the archive/disk image containing an application before actually mounting the dmg, and then prompt for an administrator password for the package to be installed. If either of these steps is compromised, you can call this interesting, because there's an exploit at work. If not, then it's a bog standard social engineering attack, to which every platform is vulnerable. The only news here is that you can't browse the web with your Mac in a completely carefree manner anymore, because there are some Bad Things out there targeting you.
Full Control of the Machine? (Score:5, Informative)
Nice Try tho...
Click through... (Score:4, Funny)
And engage in a specific pattern of toe-tapping and handwaving.
Re:You get what you deserve. (Score:5, Insightful)
And does everyone else that your zombied machine spams or DDoS's deserve it?
Re:You get what you deserve. (Score:5, Insightful)
That's an interesting straw man you've drawn up. Personally, I don't know anybody who purchased a Mac because he or she thought it was somehow immune to all forms of malware.
I agree with the parent poster in a sense. OK, they don't really "deserve" to be infected, but there is a fundamental limit to what current computer security models are able to achieve. This infection doesn't occur through the exploit of some flaw in the web browser or OS X, it's pure social engineering. The malware gets installed just like any valid software package would; if the computer's administrator cannot be relied upon to intelligently differentiate between trustworthy and untrustworthy software, then all other technical countermeasures aside, there is absolutely no hope of keeping that system secure.
What do you mean by default? (Score:5, Insightful)
This is an *insecure* default setting.
What is? BY DEFAULT Safari prompts you to allow downloading things like disk images from a remote website. Then BY DEFAULT it asks you if you trust an application from wherever it came from - even allowing you at any time to revisit the web page it was downloaded from! Then after all that, if you choose to run the file in the disk image you are further prompted BY DEFAULT for an admin password.
What exactly is the DEFAULT behavior that is wrong here? Should all ability for the user to download and install applications be removed?
This is not a NEW "exploit", I remember hearing about this same exploit in a different form at least a year and a half ago. Apple had plenty of time to disable this feature
What, the ability to download an run applications?
I don't see what your complaint is on this one. Apple has made the system as secure as they can make it, at some point the rest has to be left to the user.
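The two comments above (the one filing the auto-mounted .dmg under "insecure default settings", and the one listing the prompts Safari shows by default) argue over the same two mechanisms: Safari's "Open 'safe' files after downloading" preference, which is what mounts the disk image and shows the installer without a further click, and the quarantine attribute Safari attaches to a download, which is what drives the "are you sure you want to open this application downloaded from the Internet?" dialog and records where the file came from. The script below is an added example, not code from the original page or from Apple: it audits both offline. It assumes the preference key is `AutoOpenSafeDownloads` in `com.apple.Safari` (the real key behind that checkbox, and on by default when shipped) and that the `com.apple.quarantine` extended attribute has the `flags;time;agent;event-id` layout seen on later OS X releases; the Leopard-era encoding is assumed to be compatible, and the sample values are constructed.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample preference plists, standing in for what
# `defaults export com.apple.Safari -` would produce on a real machine.
# AutoOpenSafeDownloads is the key behind Safari's "Open 'safe' files after
# downloading" checkbox; Apple ships it enabled, so a missing key means "on".
SAMPLE_PREFS_DEFAULT = plistlib.dumps({"AutoOpenSafeDownloads": True})
SAMPLE_PREFS_HARDENED = plistlib.dumps({"AutoOpenSafeDownloads": False})
SAMPLE_PREFS_UNSET = plistlib.dumps({"HomePage": "https://example.invalid"})

# Constructed com.apple.quarantine value (what `xattr -p com.apple.quarantine
# file.dmg` prints), in the assumed "flags;time;agent;event-id" layout.
# The hex time 47291700 is 1193875200, i.e. 2007-11-01 00:00:00 UTC.
SAMPLE_QUARANTINE = "0081;47291700;Safari;00000000-0000-0000-0000-000000000000"


def safari_auto_open_enabled(plist_bytes):
    """True when Safari will auto-open 'safe' downloads, disk images included.

    Takes the raw plist bytes so the check can run against an exported
    preference file rather than the live machine.
    """
    prefs = plistlib.loads(plist_bytes)
    # Absent key == Apple's shipping default, which is enabled.
    return bool(prefs.get("AutoOpenSafeDownloads", True))


def parse_quarantine(value):
    """Split a com.apple.quarantine attribute into its fields.

    flags and time are hex; time is seconds since the Unix epoch; agent is
    the downloading application; the last field identifies the download
    event (which is what lets Safari show the originating page later).
    """
    parts = value.split(";")
    if len(parts) < 4:
        raise ValueError("unexpected quarantine attribute layout: %r" % value)
    flags_hex, time_hex, agent, event_id = parts[:4]
    when = datetime.fromtimestamp(int(time_hex, 16), tz=timezone.utc)
    return {
        "flags": int(flags_hex, 16),
        "downloaded_at": when.isoformat(),
        "agent": agent,
        "event_id": event_id,
    }


def audit(plist_bytes, quarantine_value=None):
    """Return human-readable findings for one user's Safari prefs and,
    optionally, one downloaded file's quarantine attribute."""
    findings = []
    if safari_auto_open_enabled(plist_bytes):
        findings.append(
            "AutoOpenSafeDownloads is on: a downloaded .dmg is mounted and its "
            "installer opened with no further click; disable with "
            "`defaults write com.apple.Safari AutoOpenSafeDownloads -bool false`"
        )
    if quarantine_value is not None:
        q = parse_quarantine(quarantine_value)
        findings.append(
            "file was downloaded by %s at %s (quarantine flags 0x%04x)"
            % (q["agent"], q["downloaded_at"], q["flags"])
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PREFS_DEFAULT, SAMPLE_QUARANTINE):
        print("-", finding)
```

On a real machine, feed `audit()` the output of `defaults export com.apple.Safari -` and of `xattr -p com.apple.quarantine <download>`; a file that has no quarantine attribute at all never triggered the "downloaded from the Internet" dialog, which is worth knowing when reconstructing how an installer reached a user's Finder.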
But does it matter? (Score:5, Interesting)
Okay, that will give you X% of all the Mac users out there.
Then what? How do you increase X?
With Windows, the trojans scan the hard drive for email addresses and send out links to every address it can find. That depends upon unpatched exploits in IE or you having friends who are as dumb as you.
If the same happens here
Re:But does it matter? (Score:4, Insightful)
Trojans don't rely on IE vulnerabilities to get email addresses after infection. They can do the exact same thing they do on Windows on an OS X box once infected.
It sounds like this trojan comes with a local privilege escalation vulnerability otherwise this also depends on users on Macs having root level access.
It was only a matter of time before someone would target it. Whether more and more people target it is a completely separate issue.
As a cross-platform user of all sorts of systems I generally prefer that things aren't targeted at all. I do enjoy the people saying OS X was inherently secure based on absolutely no knowledge of OS X's foundation finally being hit with the clue-by-four. Now they can actually start learning what it is they are spouting about and present intelligent arguments which are always better than empty ones.
Of course that may just be a tad bit optimistic on my part. No system connected to the outside world is 100% secure, does this in any way change my thoughts on OS X security? Nope, not at all because I always understood this problem as it exists on any platform which lets the user download and run software.
Downloads from porn sites (Score:5, Funny)
Porn sites have given me hours of free orgasms at my desk, why wouldn't I blindly trust them?
Oh and I also always give my credit card and social security number to Ebay when they're having problems with my account and they direct me to www.secureauthenticate.ebay.com.
Re:Downloads from porn sites (Score:5, Funny)
Oh man you've been had!!! Every time I give them my SSN and CC it's at www.ebay.secureauthenticate.com. Obviously the site you have listed is a bogus / malware site!!!
Re:Downloads from porn sites (Score:4, Funny)
Intended or not, that was the best play on words in this thread.
-b
That's how they spread. (Score:5, Insightful)
I did not say that they did. I said that the trojan scanned the hard drive of the infected computer to find anything that looked like an email address so it could send links to those addresses.
If someone clicked on one of those links AND had a version of IE that was exploitable, then they were infected.
That is how X increases in the Windows segment.
Yes they can. But they still depend upon a browser vulnerability in that scenario. Microsoft's decisions with IE (ActiveX, "integrating" it into the OS) means that the exploits are worse with IE than with, say, Firefox.
Targeting it does not matter. What matters is how to increase X%.
If the infection rate is below the disinfection rate, the trojan dies "in the wild".
Yeah. You go with that.
Actually, it appears that your argument is the one that is empty.
Getting ONE person to infect his Mac is not much of an achievement. With enough users, eventually you'll find one dumb enough to fall for any scam.
What matters is how fast it will spread.
So far, this trojan has demonstrated that Macs are extremely secure. The trojan is not spreading.
Compare that with the Storm Worm.
And who is saying that 100% security is needed?
Security is a PROCESS. Not an end-item.
All that is needed is for Macs to have an infection rate that is BELOW the disinfection rate. Then the viruses and trojans and worms will all die "in the wild".
No need to make any claims about "100% secure" or not. It's the infection rate that matters. Does it spread faster than it is removed? If it does not, then it is not a threat. If it is not a threat, then the Mac is still considered "secure" by its user.
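The argument above, that a trojan dies out "in the wild" whenever its infection rate stays below the disinfection rate, is the threshold condition of the standard SIR epidemic model. The code below is an added illustration, not part of the original thread or of anyone's published analysis: a discrete-day SIR simulation in which beta is the number of new infections one infected machine causes per day in a fully susceptible population and gamma is the fraction of infected machines cleaned per day. The population size, the starting infections and the two parameter sets are constructed for illustration. With beta below gamma (basic reproduction number below 1) the infected count only ever shrinks; with beta above gamma it grows until susceptible machines run out.

```python
def reproduction_number(beta, gamma):
    """Basic reproduction number R0 = beta / gamma.

    Below 1, each infected machine is cleaned before it infects one
    replacement on average, so the outbreak cannot sustain itself.
    """
    return beta / gamma


def simulate_outbreak(beta, gamma, days, population=1_000_000, initial_infected=100):
    """Discrete-day SIR model: returns the infected count for each day.

    S, I, R are susceptible, infected and removed (cleaned) machines.
    Each day the infected machines each reach beta * S / population
    still-susceptible victims, and a fraction gamma of them are cleaned.
    Cleaned machines are assumed not to be re-infected.
    """
    susceptible = population - initial_infected
    infected = initial_infected
    history = [infected]
    for _ in range(days):
        new_infections = beta * susceptible * infected / population
        removals = gamma * infected
        susceptible -= new_infections
        infected += new_infections - removals
        history.append(infected)
    return history


def dies_out(history, threshold=1.0):
    """True when the outbreak has fallen below one infected machine."""
    return history[-1] < threshold


if __name__ == "__main__":
    # Constructed parameter sets: "clicks through the porn-site installer"
    # style spread (slow) versus a self-propagating worm (fast), each against
    # machines being cleaned at a fixed daily rate.
    for label, beta, gamma in (("trojan, slow spread", 0.2, 0.5),
                               ("worm, fast spread", 0.8, 0.2)):
        run = simulate_outbreak(beta, gamma, days=60)
        print("%-20s R0=%.1f peak=%8.0f final=%10.4f dies_out=%s"
              % (label, reproduction_number(beta, gamma), max(run), run[-1], dies_out(run)))
```

The point the model makes explicit is that the comparison is between per-machine rates, not absolute numbers: a trojan that needs eight user actions per infection has a small beta regardless of how many Macs exist, and any cleanup rate above it drives the infected population to zero.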
Re:That's how they spread. (Score:4, Insightful)
Actually you completely missed my point entirely. Congratulations on your poor reading comprehension.
No matter how secure your browser is you will still find people that download and run malicious software. That was my entire point. It is irrelevant what platform the user is running because it's the same problem whenever a user is allowed to download and run software.
You just seem eager to write this off trying to rely on OS X being magically secure when it does have its problems. I knew about this problem all along and so did most people that have any kind of security background. If you give the user freedom expect them to screw it up.
As for the infection rate, that does indeed matter, but a trojan on a Mac is just as capable of scanning a Mac for email addresses and propagating further using the same mechanism as it would on a Windows box. There is nothing in OS X that magically protects the user from themselves. I've seen Mac users blindly click and even type passwords when it pops up on their screen. This problem is not unique to Windows users, no matter how much you would like to blame Microsoft for this particular fault.
Furthermore, IE7 and even IE6 don't automatically install software from websites. IE 7 in particular is much improved in regards to security which is why it broke so many web applications. IE 6 you had to manually turn off ActiveX installations but you always had the ability, even in IE 4.
Last "argument", more of a question really, how in the world do you make the logical leap that this demonstrates that OS X is "extremely secure?" As I said in my post, this has absolutely no bearing on how secure OS X is, as it's a cross-platform problem. It is merely an illustration of the same problem encountered everywhere in every aspect of society. You can be driving the safest car in the world; if you drive like an idiot you will still eventually get into an accident. The two are loosely related so I understand the confusion, but I would expect someone commenting on the security of a product to be familiar with, and demonstrate that familiarity by realizing, that this problem will continue to exist, that it was always there, and that it has nothing to do with this specific exploit, as there are hundreds of other examples which don't propagate on their own. I monitor my network activity and I'm aware of trojans that crop up, and over my admittedly not too many years of experience I've seen it on many more than a single occasion on OS X, Windows, and even various Linux distros.
Until humans stop trusting one another which will be a horrible day this problem will exist. It can be mitigated through education but the risk will always exist.
Macintosh vs. Unicorns. (Score:5, Interesting)
However, I have also never seen a unicorn with rabies.
A Mac virus won't spread via the 'net because the odds of a random connection leading to another Mac is much smaller than hitting a PC.
What I would find interesting is a multi-platform worm/virus (which would be easier with newer Macs being x86 based (are there 64 bit Macs? what's their RAM limit?)). Not something high level, like a Word-macro or Java virus, but something that when executing on a PC keeps its Mac payload as data, and vice-versa, maybe even using 'boot-camp' machines to cross boundaries.
I think IPv6 may do a lot to reduce internet worms; first, by eliminating non-compatible worms, secondly, by making scanning the global IP address space take about 79228162514264337593543950336 times as many probes. But address books and such will still be sources of targets.
Re:Macintosh vs. Unicorns. (Score:4, Insightful)
---- A Mac virus won't spread via the 'net because the odds of a random connection leading to another Mac is much smaller than hitting a PC.
Would people please get over the idea that you need an infected Mac to infect another Mac?
An exploit is a package of bytes. Period. You can send that packet of bytes from any machine running any OS, to any machine running any OS. My NetBSD servers get any number of probes that could compromise a suitably-(mis)configured Windows box. Botnet managers don't lovingly hand-craft their networks. They send out a huge number of attacks to potential targets, and collect the ones that succeed. If 99.9% of those attacks fail, who cares? It's not like they're paying for the bandwidth, hardware, or electricity.
If there was a vulnerability in the Mac OS that could turn the machine into another component of a botnet without requiring user interaction, the people creating botnets would be on it like buzzards on a shit-wagon. There is absolutely no technical limitation which would prevent the Storm Worm botnet from launching an attack against Macs if the chance of getting any returns at all made it worth the effort. So far, the security practices OS X has inherited from its Unix predecessors -- which grew up in an untrusted network environment -- have kept that from happening. The whole dick-measuring thing of comparing installed bases is utterly irrelevant.
Re:That's how they spread. (Score:4, Insightful)
THIS Trojan does nothing to show a weakness in Mac OS X (compared to other systems in large scale use).
Of course, we're only talking about this one - which is really a social engineering issue (the user is tricked into installing it - the OS doesn't install it, the user even has to type the admin password!); a different attack could be quite different. Thus far we've not seen that on Mac OS X; that's not to say we won't - it just hasn't happened yet. That happening is no more or less likely today than it was yesterday. There have been flaws in Mac OS X that could have allowed that, but the ones **we** (I mean us, not people inside Apple or people working to find such flaws in OS X for "fun or profit") know about have been patched. Is this different to Windows? Possibly only in terms of scale, that is there **may** have been fewer such flaws (you know, the really nasty ones that can allow something nasty to happen on a "normal" box) or there **might** be fewer people seeking "fun or profit" on Mac OS X. Personally I think both are true, and that might explain a lot. I'm perhaps a little less inclined to think Apple fix these things **much** faster than Microsoft. Nevertheless the Mac is my "weapon of choice" (most of the time).
What's the sound of a thousand eyes rolling? (Score:5, Funny)
User: "No, I wasn't looking at porn!"
Re:What's the sound of a thousand eyes rolling? (Score:4, Funny)
Jeez, I don't know, but it probably sounds pretty damn disgusting. Gross!
It begins? (Score:5, Interesting)
Any Mac haters gleefully hoping that this is the start of a Mac threat environment similar to the Windows threat environment are probably going to be quite disappointed.
Re:It begins (Score:5, Insightful)
Sorry but there is nothing that an OS can do to prevent someone with admin rights from installing and running a program.
I am not a Mac User but anybody that installs a codec to view porn that they get from the porn site...
As the Honda motorcycle safety ads put it oh so well:
Stupid Hurts.
Re:It begins (Score:5, Insightful)
Anyone that can write a keystroke logger program can also add wording that it's actually a codec for viewing videos. One more level of dishonesty's not going to stop them.
People often criticize Wiki, but seeing as the Wiki definition of a computer virus [wikipedia.org] is "a computer program that can copy itself and infect a computer without permission or knowledge of the user", this is no virus.
Re: (Score:3, Insightful)
The type of people who will be infected by this will be similar to the types that get caught up in the 419 [419eater.com] scam.
The only real reason this is news is because it's the first occurrence of an OSX trojan in the wild. Much like Crispus Attucks [wikipedia.org], it's only getting exposure because it's the fi
Re:Hmm (Score:5, Informative)
No OS is foolproof, and even Mac and Linux users can be fools. Mac and Linux machines can be broken into, can get trojans, their users can be tricked into giving out passwords, but there are no Mac or Linux viruses in the wild.
Re:Hmm (Score:5, Insightful)
Actually, the only people claiming that Macs are immune to malware, are people like you claiming others are doing so specifically so you can say these mythical people are wrong. This is a case of a program not being what it claims to be, and using social engineering to get someone to install something, make it executable, authenticate as root, and run it. No different than a year or three ago when someone came out with a fake Office for OSX package they shared on the P2P networks which was really a shell script that removed files. Not a virus - this doesn't install itself.
A "virus" with an install procedure which includes "and then become root and run it" isn't going to have legs.
Re:Hmm (Score:5, Informative)
And i quote "850 new threats were detected against Windows. Zero for Mac."
Yes, it admits it's possible, it doesn't however, admit there are any.
Wow, that's an astonishingly blatant use of creative quoting without context. Let's read the whole paragraph, unedited, shall we?
By the end of 2005, there were 114,000 known viruses for PCs. In March 2006 alone, 850 new threats were detected against Windows. Zero for Mac. While no computer connected to the Internet will ever be 100% immune from attack, Mac OS X has helped the Mac keep its clean bill of health with a superior UNIX foundation and security features that go above and beyond the norm for PCs. When you get a Mac, only your enthusiasm is contagious.
A bit different than your out of context snippet this way, isn't it.
How do the facts then agree with your claim that "it doesn't however, admit there are any."? Says right there "While no computer connected to the Internet will ever be 100% immune from attack,". Sheesh. It's almost like you figured nobody would check your claim to see how blatantly you misrepresented it.
Re:Hmm (Score:5, Insightful)
You find this "movie codec thingy" at a shady pr0n website (alarm #1), and it asks you to specifically download a .dmg file (alarm #2), install it with admin/root permissions (alarm #3) just to play a non-standard codec (alarm #4).
Meanwhile, by comparison, there are a whole host of Windows nasties you can get just by, say, visiting a website with a rigged IFRAME in the page.
QED: It's not a question of fanboys pooh-poohing something because it's their pet OS - it's a question of simple fucking logic.
Come back and tell us about it when OSX (eventually) has an attack vector that doesn't require the user to be a complete and utter dumbass, please.
Re:It's about CRITICAL MASS... (Score:4, Insightful)
Your argument isn't as original as you'd like. It's also flawed. Just compare Apache to IIS. Apache has much greater market share, but IIS get exploited like Swiss cheese. How do you explain that?
Another counter argument: Although Linux has a much smaller installed base than Windows, a cracker could stand to gain much more by exploiting Linux. Imagine the wealth of sensitive data hosted on Linux servers.
Too much security can breed complacency (Score:4, Insightful)
Basically what sunk later attempts by Microsoft to patch security. As soon as they added "warnings" (aka popups) people got into the habit of clicking yes and thereby undoing any chance the programmers had at protecting users from being stupid. You can even blame this behavior on EULAs which require click through - people do this automatically.
As the Mac gains in popularity the number of careless people will go up and infections like this will occur more often. The key is finding a way to train the user that it's WRONG. That or finding a way to have the OS run objects installed in some form of "safe mode" for a time without letting the user in on it.