Fake Codec is Mac OS X Trojan
Kenny A. writes "Multiple news organisations are reporting on an in-the-wild Mac OS X malware attack that uses porn lures to plant phishing Trojans on Mac machines. The attack site attempts to trick users into downloading a disk image (.dmg) file disguised as a codec that's required for viewing the video. If the Mac machine's browser is set to open 'Safe' files after downloading, the .dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected, but once the Trojan is installed, it has full control of the machine."
DNS (Score:4, Informative)
It could just as easily install a VNC server I suppose.
Steps to get infected (Score:5, Informative)
1) Go to a porn site
2) Download a plugin from the porn site
3) Click "OK" that you are downloading a
4) Mount the
5) Go back to the Finder
6) Double-click the installer
7) Type in your account password
8) Click next a few times
Calling this "In the Wild" is laughable. How did the porn site "get infected"? I'll bet anything that the porn site(s) in question know exactly what they are doing...
Re:Hmm (Score:5, Informative)
No OS is foolproof, and even Mac and Linux users can be fools. Mac and Linux machines can be broken into, can get trojans, their users can be tricked into giving out passwords, but there are no Mac or Linux viruses in the wild.
This is not a virus, it's a "wetware" exploit. (Score:4, Informative)
It's impossible to make a machine fully idiot proof, but in the past couple of versions Apple has added 3 new "nag" boxes to Safari in attempts to warn people.
Anyone who goes through that many screens deserves to have it installed.
I don't install any media player or codec if it asks for root permission.
Even flip4mac doesn't require full permissions.
You drop the free component into your home's Library folder and it runs in user space when websites call for wmv decoding.
Insecure settings (Score:3, Informative)
We're simply talking about social engineering. Windows, OS X, *BSD, Linux (and probably most other operating systems out there) are all vulnerable to this sort of attack, there's just little in the way of motivation to actually do it.
The part where the dmg is automatically opened is the only thing that even resembles a vulnerability as such, though it should actually be filed under "insecure default settings" rather than a vulnerability per se. This said, both linked articles are quite sparse with information regarding the actual installation. From my experience Safari should say something about the archive/disk image containing an application before actually mounting the dmg, and then prompt for an administrator password for the package to be installed. If either of these steps is compromised, you can call this interesting, because there's an exploit at work. If not, then it's a bog standard social engineering attack, to which every platform is vulnerable. The only news here is that you can't browse the web with your Mac in a completely carefree manner anymore, because there are some Bad Things out there targeting you.
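A defender's audit for the auto-open setting discussed in this comment (and again in the "First Remedy" reply further down), added here as an example rather than anything posted in the thread; it assumes the checkbox is backed by the preference key com.apple.Safari AutoOpenSafeDownloads and that the macOS `defaults` tool can read it:

```sh
#!/bin/sh
# Added example, not code from the thread: audit the Safari preference behind
# "Open 'safe' files after downloading", the setting that mounts a downloaded
# .dmg without the user double-clicking it.
# Assumption: the key is com.apple.Safari AutoOpenSafeDownloads and is readable
# via `defaults` (on recent macOS the live copy sits in Safari's container and
# may need Full Disk Access to read).

# Map a raw `defaults read` result to a status. Safari's factory default is ON,
# so an absent key (empty string) is reported as enabled, not as unknown.
classify_auto_open() {
  case "$1" in
    0|false|FALSE|no|NO)    echo disabled ;;
    1|true|TRUE|yes|YES|"") echo enabled ;;
    *)                      echo unknown ;;
  esac
}

# Read the live value on a Mac; anywhere else, or when the key is unset, yield "".
read_auto_open() {
  if command -v defaults >/dev/null 2>&1; then
    defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null
  fi
}

# Print the finding plus the remediation; return 1 when the weak default is on.
audit_auto_open() {
  status=$(classify_auto_open "$(read_auto_open)")
  printf 'Safari AutoOpenSafeDownloads: %s\n' "$status"
  if [ "$status" = enabled ]; then
    echo 'Weak setting: downloaded .dmg files are mounted automatically.'
    echo 'Turn it off with:'
    echo '  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false'
    return 1
  fi
  return 0
}

# When run as a script, perform the audit; rc is 1 if the weak default is on.
if audit_auto_open; then rc=0; else rc=1; fi
```

Run it under each user account, since the preference is per-user; a "disabled" result means a downloaded image has to be opened by hand before any installer can start.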
Re:Macs... (Score:2, Informative)
MPlayer, VLC, and even the flip4mac wmv codec do not require root permissions.
The reason this is not required is the way Mac apps access libraries.
The codecs in MPlayer and VLC (much like the libraries in most other Mac apps) are combined into the app, and therefore not shared among all users. Each user has his own set (and configuration) and they operate in user space.
QuickTime works similarly. While you can drop your components (codecs) into the root Library directory, each home folder has one of its own, again allowing each user to customize the codecs used.
Full Control of the Machine? (Score:5, Informative)
Nice Try tho...
Intego at it again (Score:3, Informative)
The news is Intego attempting to scare up business; this is not a Mac virus, especially when you have to do quite a few stupid things along with giving permission to install from an admin. My goodness...
Re:What goes through the mind of the designer - ? (Score:3, Informative)
"Every conceivable video codec I'd ever need" except the few doozies: wmv, realplayer, and divx. Like it or not these are widely used, and not just for porn.
Re:It begins (Score:3, Informative)
A "virus" takes advantage of flaws in the OS. A "trojan" takes advantage of flaws in the user of the OS.
You could have the most secure, bug free OS in the world and still a trojan could bring it all down like a house of cards. All it needs to do is fool the user/admin into giving it root access and WHAM, your system is compromised. It's not the fault of the OS or any inherent flaws in the OS.
Hell, you could have a sheet of paper lying next to the computer that itself is a "trojan". All it has to say is "To fix this problem, bring up Terminal, type "sudo rm -rf
So before anyone jumps all over OS X or any OS as being vulnerable, think for a moment.
There is no "finally" to this. This isn't an exploit. This isn't a virus.
Re:First Remedy Apple Should Implement (Score:3, Informative)
If you do not have open safe files, you have to double click the disk image before you can run the installer.
If you have been so thoroughly tricked that you will run the installer, whether "open safe files" is checked is irrelevant.
Re:Not really (Score:3, Informative)
Second off, I assume you mean software from small independent vendors; I'm curious why this type of software isn't "proper software".
Lastly, you rarely "install" applications in OS X, it isn't Windows. You can run them from your own Applications folder, which requires only your own rights. The apps that do require admin rights are modifying the system in some way, and those do require you to give the administrator password. Since this dialog is rare, people do pay special attention when it pops up. There's only so much an OS designer can do.
Re:Hmm (Score:5, Informative)
And I quote: "850 new threats were detected against Windows. Zero for Mac."
Yes, it admits it's possible, it doesn't however, admit there are any.
Wow, that's an astonishingly blatant use of creative quoting without context. Let's read the whole paragraph, unedited, shall we?
By the end of 2005, there were 114,000 known viruses for PCs. In March 2006 alone, 850 new threats were detected against Windows. Zero for Mac. While no computer connected to the Internet will ever be 100% immune from attack, Mac OS X has helped the Mac keep its clean bill of health with a superior UNIX foundation and security features that go above and beyond the norm for PCs. When you get a Mac, only your enthusiasm is contagious.
A bit different from your out-of-context snippet this way, isn't it?
How do the facts then agree with your claim that "it doesn't however, admit there are any."? Says right there "While no computer connected to the Internet will ever be 100% immune from attack,". Sheesh. It's almost like you figured nobody would check your claim to see how blatantly you misrepresented it.
Re:fanboys unite (Score:3, Informative)
Actually it used to be worse. Safari used to have a hidden pref that allowed you to open any file you downloaded, not just "safe" ones. All it took was editing some XML prefs to add file types you wanted to auto open when downloaded. I used this to write a file browser that let me open various files after I downloaded them (like PSDs in Photoshop, basically stuff I actually found useful). A few years ago Apple cut that part out and restricted it to only files they deem as safe, which is a pretty small subset of file types.
That said, I don't mind the option (rather like it actually) but it should be turned off by default.
Re:Steps to get infected (Score:5, Informative)
Arguably, Apple should pre-install both of these packages - or variants thereof.
Now to get back onto the main topic..
One could also argue that the Apple-provided Quicktime player sucks ass big-time - and of course that is very true - but that's easily fixed by installing NicePlayer [sourceforge.net] (also FOSS) - the other route is to ignore all the Quicktime-based solutions, and use something like VLC [videolan.org].
None of the above will stop an uneducated and/or unsuspecting user from clicking their way through an installer (and giving up an administrator password) believing it to install something great/fun/useful. If you try too hard to protect the naive and/or foolish from their own actions when administering the system then you end up taking the route Microsoft have with Vista (and their earlier Windows, each to a lesser extent) -- Are you sure? Are you really sure? Are you really really certain? Can I get a password with that? -- Ah.. Mac users are getting used to giving passwords during installs - bummer. (Mind you, they don't do it as quickly as the average Windows user/administrator can click Ok, Ok, Ok, Ok)
Being honest though, I don't think naivety or foolishness really enter into the equation - after all, it's a social engineering trick driven by the simple male quest for boobies - a somewhat unstoppable force!
Re:fanboys unite (Score:3, Informative)
(I know nothing about kernel programming, please don't lynch me)
Removal (Score:3, Informative)
*Take in any context you like.
Re:But does it matter? (Score:3, Informative)
The GP:
Stare argumentum; this executable in question makes no use of an exploit, the OS behaves exactly as the user commands.
Not just interactive logins, logins period. There is no process you can undertake by which you will be recognized as real user 0 without setuid(), thus you already need to be euid 0, and thus you must be either a sudoer and recently authenticated or running a binary owned by root. I think the distinction is semantic and doesn't advance on the original point the poster made. "Users" on Macs don't have root-level access, they only have the privilege of running a program with euid of root, given they enter their password. That's very different from the implied "they all run in admin mode" of the parent.
Re:But does it matter? (Score:3, Informative)
Let me clarify: There is no OS ever made that is immune to user stupidity. I could have an installer for any *nix based OS authenticate then run rm -rf /* or "take over a system". This is a given. It's not a security flaw, it's a user stupidity flaw. When Windows is appropriately bashed for its poor security record, it is due to unavoidable holes and exploits that allow escalation of privileges. IE has had a particularly horrid record in this area. Further, the impact of remote exploits on Windows systems is aggravated by having said services enabled by default, ready and willing for any network probe from an infected computer.
I suppose we could go