Forgot your password?
typodupeerror
Security Businesses Apple

Fake Codec is Mac OS X Trojan 473

Posted by Zonk
from the search-safely dept.
Kenny A. writes "Multiple news organisations are reporting on an in-the-wild Mac OS X malware attack that uses porn lures to plant phishing Trojans on Mac machines. The attack site attempts to trick users into download a disk image (.dmg) file disguised as a codec that's required for viewing the video. If the Mac machine's browser is set to to open 'Safe' files after downloading, the .dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected but once the Trojan is installed, it has full control of the machine."
This discussion has been archived. No new comments can be posted.

Fake Codec is Mac OS X Trojan

Comments Filter:
  • It begins (Score:2, Interesting)

    by JohnPnP (1167497)
    Am I the only one to think 'finally'?
    • Re:It begins (Score:5, Interesting)

      by Anonymous Coward on Thursday November 01, 2007 @03:02PM (#21201477)
      And by finally I assume you mean that Apple finally has succeeded in luring the coveted dimwit market to its products.
      • Re:It begins (Score:5, Insightful)

        by ByOhTek (1181381) on Thursday November 01, 2007 @03:04PM (#21201523) Journal
        There are dimwits and every market. If you think otherwise, it's because you are amongst the ranks...
        • But does it matter? (Score:5, Interesting)

          by khasim (1285) <brandioch.conner@gmail.com> on Thursday November 01, 2007 @03:11PM (#21201655)
          Right now you have to convince people to install the trojan.

          Okay, that will give you X% of all the Mac users out there.

          Then what? How do you increase X?

          With Windows, the trojans scan the hard drive for email addresses and send out links to every address it can find. That depends upon unpatched exploits in IE or you having friends who are as dumb as you.

          If the same happens here ... I don't see the growth rate being above the disinfection rate.
          • by Vancorps (746090) on Thursday November 01, 2007 @03:27PM (#21201987)

            Trojans don't rely IE vulnerabilities to get email addresses after infection. They can do the exact same thing they do on Windows on an OS X box once infected.

            It sounds like this trojan comes with a local privilege escalation vulnerability otherwise this also depends on users on Macs having root level access.

            It was only a matter of time before someone would target it. Whether more and more people target it is a completely separate issue.

            As a cross-platform user of all sorts of systems I generally prefer that things aren't targeted at all. I do enjoy the people saying OS X was inherently secure based on absolutely no knowledge of OS X's foundation finally being hit with the clue-by-four. Now they can actually start learning what it is they are spouting about and present intelligent arguments which are always better than empty ones.

            Of course that may just be a tad bit optimistic on my part. No system connected to the outside world is 100% secure, does this in any way change my thoughts on OS X security? Nope, not at all because I always understood this problem as it exists on any platform which lets the user download and run software.

            • by heinousjay (683506) on Thursday November 01, 2007 @03:38PM (#21202177) Journal
              I consider trojans like this to be Darwinian. Anyone who gets hit with it deserves it, basically. If it happens to be one of the loudmouth braying donkeys who scream about how the Mac is immune, all the better.
              • by Aqua OS X (458522) on Thursday November 01, 2007 @03:53PM (#21202413)
                I don't know about you, but if grandmagoldenshowers.com recommends that I download software, I do. If my operating system give me a detailed warning about the software that I downloaded from the porn site, I disregard it. And if I'm forced to authenticate the installation, I do.

                Porn sites have given me hours of free orgasms at my desk, why wouldn't I blindly trust them?

                Oh and I also always give my credit card and social security number to Ebay when they're having problems with my account and they direct me to www.secureauthenticate.ebay.com.
              • by bloobloo (957543) on Thursday November 01, 2007 @04:22PM (#21202877) Homepage
                It's on a Mac. Of course it's Darwinian. [wikipedia.org]
            • by khasim (1285) <brandioch.conner@gmail.com> on Thursday November 01, 2007 @03:52PM (#21202391)

              Trojans don't rely IE vulnerabilities to get email addresses after infection.

              I did not say that they did. I said that the trojan scanned the hard drive of the infected computer to find anything that looked like an email address so it could send links to those addresses.

              If someone clicked on one of those links AND had a version of IE that was exploitable, then they were infected.

              That is how X increases in the Windows segment.

              They can do the exact same thing they do on Windows on an OS X box once infected.

              Yes they can. But they still depend upon a browser vulnerability in that scenario. Microsoft's decisions with IE (ActiveX, "integrating" it into the OS) means that the exploits are worse with IE than with, say, Firefox.

              It was only a matter of time before someone would target it. Whether more and more people target it is a completely separate issue.

              Targeting it does not matter. What matters is how to increase X%.

              If the infection rate is below the disinfection rate, the trojan dies "in the wild".

              As a cross-platform user of all sorts of systems I generally prefer that things aren't targeted at all.

              Yeah. You go with that.

              I do enjoy the people saying OS X was inherently secure based on absolutely no knowledge of OS X's foundation finally being hit with the clue-by-four. Now they can actually start learning what it is they are spouting about and present intelligent arguments which are always better than empty ones.

              Actually, it appears that your argument is the one that is empty.

              Getting ONE person to infect his Mac is not much of an achievement. With enough users, eventually you'll find one dumb enough for fall for any scam.

              What matters is how fast it will spread.

              So far, this trojan has demonstrated that Mac's are extremely secure. The trojan is not spreading.

              Compare that with the Storm Worm.

              Of course that may just be a tad bit optimistic on my part. No system connected to the outside world is 100% secure, does this in any way change my thoughts on OS X security? Nope, not at all because I always understood this problem as it exists on any platform which lets the user download and run software.

              And who is saying that 100% security is needed?

              Security is a PROCESS. Not an end-item.

              All that is needed is for Mac's to have an infection rate that is BELOW the disinfection rate. The the viruses and trojans and worms will all die "in the wild".

              No need to make any claims about "100% secure" or not. It's the infection rate that matters. Does it spread faster than it is removed? If it does not, then it is not a threat. If it is not a threat, then the Mac is still considered "secure" by its user.
              • by Vancorps (746090) on Thursday November 01, 2007 @05:19PM (#21203793)

                Actually you completely missed my point entirely. Congratulations on your poor reading comprehension.

                No matter how secure your browser is you will still find people that download and run malicious software. That was my entire point. It is irrelevant what platform the user is running because it's the same problem whenever a user is allowed to download and run software.

                You just seem eager to write this off trying to rely on OS X being magically secure when it does have its problems. I knew about this problem all along and so did most people that have any kind of security background. If you give the user freedom expect them to screw it up.

                As for the infection rate, that does indeed matter but a trojan on a Mac is just as capable of scanning a Mac for email addresses and propagating further using the same mechanism as it would on a Windows box. There is nothing in OS X that magically protects the user from themselves. I've seen Mac users blindly click and even type passwords when it pops up on their screen. This problem is not unique to Windows users so matter how much you would like to blame Microsoft for this particular fault.

                Furthermore, IE7 and even IE6 don't automatically install software from websites. IE 7 in particular is much improved in regards to security which is why it broke so many web applications. IE 6 you had to manually turn off ActiveX installations but you always had the ability, even in IE 4.

                Last "argument", more of a question really, how in the world do you make the logical leap that this demonstrates that OS X is "extremely secure?" As I said in my post, this has absolutely no baring on how secure OS X is as its a cross-platform problem. It is merely an illustration of the same problem encountered everywhere in every aspect of society. You can be driving the safest car in the world, if you drive like an idiot you will still eventually get into an accident. The two are loosely related so I understand the confusion but I would expect someone commenting on the security of a product to be familiar and demonstrate that familiarity and realize that this problem will continue to exist, that it was always there and has nothing to do with this specific exploit as there are hundreds of other examples which don't propagate on their own. I monitor my network activity and I'm aware of trojans that crop up and over my admittedly not too many years of experience I've seen it on many more than a single occasion on OS X, Windows, and even various Linux distros.

                Until humans stop trusting one another which will be a horrible day this problem will exist. It can be mitigated through education but the risk will always exist.

              • Re: (Score:3, Insightful)

                by drsmithy (35869)

                Yes they can. But they still depend upon a browser vulnerability in that scenario. Microsoft's decisions with IE (ActiveX, "integrating" it into the OS) means that the exploits are worse with IE than with, say, Firefox.

                While the ActiveX part is debatable, IE being "integrated" doesn't make exploiting it inherently any more damaging than Firefox. There's nothing IE can do that Firefox can't (and in many cases it can't do as much, since in some configuration IE runs with decreased privileges by default).

              • by Kaenneth (82978) on Thursday November 01, 2007 @08:10PM (#21205811) Homepage Journal
                Modern Macs may have few viruses, trojans, etc. (a 68000 based Mac is where I first saw a virus myself, but I know OS/X is much better.)

                However, I have also never seen a unicorn with rabies.

                A Mac virus won't spread via the 'net because the odds of a random connection leading to another Mac is much smaller than hitting a PC.

                What I would find interesting is a multi-platform worm/virus (which would be easier with newer Macs being x86 based (are there 64 bit Macs? what's their RAM limit?)) Not something high level, like a Word-macro or Java virus, but something that when executing on a PC, keeps it's Mac payload as data, and vice-versa, maybe even using 'boot-camp' machines to cross bounderies.

                I think IPv6 may do a lot to reduce internet worms; first, by eliminating non-compatible worms, secondly, by making scanning the global IP address space take about 79228162514264337593543950336 times as many probes. But address books and such will still be sources of targets.
                • by mstone (8523) on Friday November 02, 2007 @01:31AM (#21208161)

                  ---- A Mac virus won't spread via the 'net because the odds of a random connection leading to another Mac is much smaller than hitting a PC.

                  Would people please get over the idea that you need an infected Mac to infect another Mac?

                  An exploit is a package of bytes. Period. You can send that packet of bytes from any machine running any OS, to any machine running any OS. My NetBSD servers get any number of probes that could compromise a suitably-(mis)configured Windows box. Botnet managers don't lovingly hand-craft their networks. They send out a huge number of attacks to potential targets, and collect the ones that succeed. If 99.9% of those attacks fail, who cares? It's not like they're paying for the bandwidth, hardware, or electricity.

                  If there was a vulnerability in the Mac OS that could turn the machine into another component of a botnet without requiring user interaction, the people creating botnets would be on it like buzzards on a shit-wagon. There is absolutely no technical limitation which would prevent the Storm Worm botnet from launching an attack against Macs if the chance of getting any returns at all made it worth the effort. So far, the security practices OS X has inherited from its Unix predecessors -- which grew up in an untrusted network environment -- have kept that from happening. The whole dick-measuring thing of comparing installed bases is utterly irrelevant.

            • Re: (Score:3, Interesting)

              by Matey-O (518004)
              FWIW, I discoverd Parallels incudes a demo of Kapersky's virus scanner. Installing it on a lark, it discovered a 'proof of concept bluetooth stack' exploit when scanning the folders that Parallels shares with the guest OS.

              I have no idea where it came from, and it looks like it didn't activate (the vector is, apparently 'you've received an OOBEX file exchange, do you want to accept it?' at which point it infects the system.

              I think our days of blissful ignorance are drawing to a close. That said, I don't beli
            • Re: (Score:3, Informative)

              by krunk7 (748055)

              Trojans don't rely IE vulnerabilities to get email addresses after infection. They can do the exact same thing they do on Windows on an OS X box once infected. It sounds like this trojan comes with a local privilege escalation vulnerability otherwise this also depends on users on Macs having root level access. It was only a matter of time before someone would target it. Whether more and more people target it is a completely separate issue. As a cross-platform user of all sorts of systems I generally pref

    • You are not the only. It's nice to have company.

      The question for me is this: Are Mac Users smarter than Windows users? These Trojans, on both platforms, require the user to click through and actively install it. PC users are so numerous a large portion must be this gullible. History shows us it is true.

      But what about Mac peoples? They often look down on us lowly MS folks, this will finally test to see if they are, in fact, superior...
      • Re: (Score:3, Insightful)

        by superbus1929 (1069292)
        I don't think one or the other is "superior", but what worries me about Mac users is that they're so unused to stuff like this - security through obscurity, if you will - that they start to think they're invincible. Your average Macintosh luser is more likely to get hammered than your average Windows luser if you take into account a set control number of malware infections that require user interactivity; if you get the same trojan on both OSes, the average luser on Mac is more likely to go through the step
    • by conner_bw (120497) on Thursday November 01, 2007 @03:07PM (#21201575) Homepage Journal
      Tech Support: "Ahhh, the porn tojan... This one's a doozy."
      User: "No, I wasn't looking at porn!"
    • It begins? (Score:5, Interesting)

      by znu (31198) <znu.public@gmail.com> on Thursday November 01, 2007 @03:07PM (#21201581)
      Your subject seems to suggest that you believe that now that there's actual a piece of Mac malware in the wild, things with snowball, and there will be more and more. Is there any logical reason to believe that this is the case? In the latter days of pre-X Mac OS, there was some malware program or other released every year or three, but the rate never seemed to climb.

      Any Mac haters gleefully hoping that this is the start of a Mac threat environment similar to the Windows threat environment is probably going to be quite disappointed.
    • Re: (Score:3, Informative)

      by cromar (1103585)
      Actually, there was the "MacMag" [symantec.com] HyperCard trojan from way back in 1988...
    • Re:It begins (Score:5, Insightful)

      by LWATCDR (28044) on Thursday November 01, 2007 @03:22PM (#21201887) Homepage Journal
      Not really. Is it a security exploit if the user must type in a password and install the program to make it work?
      Sorry but there is nothing that an OS can do to prevent someone with admin rights from installing and running a program.
      I am not a Mac User but anybody that installs a codec to view porn that they get from the porn site...
      As the Honda motorcycle safty ads put oh so well.
      Stupid Hurts.

      • Re:It begins (Score:5, Insightful)

        by jackpot777 (1159971) on Thursday November 01, 2007 @03:36PM (#21202127)
        Exactly. This isn't a computer virus. It's a social engineering virus.

        Anyone that can write a keystroke logger program can also add wording that it's actually a codec for viewing videos. One more level of dishonesty's not going to stop them.

        People often criticize Wiki, but seeing as the Wiki definition of a computer virus [wikipedia.org] is "a computer program that can copy itself and infect a computer without permission or knowledge of the user", this is no virus.

      • Re: (Score:3, Interesting)

        by prockcore (543967)
        The thing is, if it weren't for the DNS modifications, this wouldn't need a password.

        Here's a basic outline of what could be a very nasty trojan for OSX:

        A simple program that actually does something handy.. like fix the dock in Leopard. When you run it it also replaces Safari with a hacked version that sends all SSL traffic unencrypted to a 3rd party.

        Any program you run on OSX can modify the apps in your /Applications directory *without* requiring a password.
    • Suffering a little Mac envy? This trojan requires some serious effort to install. Yes you have to install it. The Mac OS is doing exactly what its supposed to do, requiring you to authorize the installation of a piece of software, its software not a codec you are installing. Its easier to install Vista on a PC than this trojan is on a Mac. It depends more on ignorance of users not Mac security short comings. If this is the best theyve been able to do after all these years I feel better about OSX not worse.
    • Re: (Score:3, Informative)

      by sgant (178166)
      "finally"....what? That a trojan is on an OS? Every OS can have a trojan on it.

      A "virus" takes advantage of flaws in the OS. A "trojan" takes advantage of flaws in the user of the OS.

      You could have the most secure, bug free OS in the world and still a trojan could bring it all down like a house of cards. All it needs to do is fool the user/admin into giving it root access and WHAM, you're system is compromised. It's not the fault of the OS or any inherent flaws in the OS.

      Hell, you could have a sheet of pape
  • Keyloggers? (Score:4, Funny)

    by C0rinthian (770164) on Thursday November 01, 2007 @02:58PM (#21201393)
    In my Macintosh? It's more likely than you think.
  • by conner_bw (120497) on Thursday November 01, 2007 @02:58PM (#21201395) Homepage Journal
    No one uses the internet for porn, so we're all safe, right?

    • by monkeyboythom (796957) on Thursday November 01, 2007 @03:03PM (#21201495)

      the Mac machine's browser is set to to open 'Safe' files after downloading, the .dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected

      That's like saying that Troy had to put their enemies in the horse, then drag it up to the gate, drag it through and then offer a soft cushy landing spot for warriors coming out of the horse.

    • by FSWKU (551325)

      No one uses the internet for porn, so we're all safe, right?

      "Why you think the net was born?" _________________

      Five points for finishing the line, an extra 10 for naming the reference (and no, a certain MMORPG does NOT count).
  • If you're stupid enough to go through all of those steps, you deserve to be infected.
    • by C0rinthian (770164) on Thursday November 01, 2007 @03:00PM (#21201443)
      Or smart enough. Stupid people wouldn't make it through the install process. "Next" buttons are hard.
    • by FauxPasIII (75900) on Thursday November 01, 2007 @03:01PM (#21201467)
      > If you're stupid enough to go through all of those steps, you deserve to be infected.

      And does everyone else that your zombied machine spams or DDoS's deserve it?
  • by jeffasselin (566598) <[moc.liamg] [ta] [ednilocamroc]> on Thursday November 01, 2007 @02:59PM (#21201421) Journal
    The only cure to stupidity is intelligence.

    If someone is stupid enough to download something, run it and give it the admin password, it will obviously be able to take control of the machine. No operating system or security software will stop that.
  • I don't know anything about the Mac OS X but is all the extra steps the article points out. Are they normally needed to install lets say a normal codec? Vista reminds me of the same thing that while it may actually be more secure then previous versions users are still going to think that after seeing these screen after many times while trying to install other "normal" programs they will not take it as a caution any more but just enter in their information as soon as the login screen pop-up.
    • by aliquis (678370)
      Normal apps doesn't require a rootuser (thought I find it's weird and probably more insecure that they don't.)

      Somehing like a codec or system utility does. Or well, actually I don't know what apps does or not, but a few does ;D
      • Re: (Score:2, Informative)

        by plasmacutter (901737)
        not quite, the only player i've come across which needs root access for install was real player (assumably for the DRM)

        mplayer, vlc, and even flip4mac wmv codec do not require root permissions.

        the reason this is not required is the way mac apps access libraries.

        the codecs in mplayer and vlc (much like the libraries in most other mac apps) are combined into the app, and therefore not shared among all users. each user has his own set (and configuration) and they operate in user space.

        quicktime works similarl
    • by Shivetya (243324) on Thursday November 01, 2007 @03:21PM (#21201869) Homepage Journal
      One thing I noticed was that the more times a user has to enter their security password the more likely they become complacent and assume that any install is going to require it and any install that occurs is going to be safe.

      Basically what sunk later attempts by Microsoft to patch security. As soon as they added "warnings" (aka popups) people got into the habit of clicking yes and thereby undoing any chance the programmers had at protecting users from being stupid. You can even blame this behavior on EULA's which require click through - people do this automatically.

      As the Mac gains in popularity the numbers of careless people will go up and infections like this will occur more often. The key is finding a way to train the user that its WRONG. That or finding a way to have the OS run objects installed in some form of "safe mode" for a time without letting the user in on it.
  • Tagging (Score:2, Funny)

    by Anonymous Coward
    Where is the "haha" tag for this post? WHERE?!
  • DNS (Score:4, Informative)

    by Anonymous Coward on Thursday November 01, 2007 @03:01PM (#21201461)
    The summary is misleading, it does not give full control of the computer to the attacker, but changes the DNS server for phishing.
    It could just as easily install a VNC server I suppose.
    • by emj (15659)
      You can do an awfull lot when you change someones DNS, it's not like people notice that they aren't using HHTPS. So they might not control the machine but they control everything the user does on the net.
    • by Poppler (822173)
      VNC? Nah. If the attacker wanted control, they'd just replace the ssh server with one that gives them a backdoor.
  • Full Control? (Score:3, Informative)

    by yroJJory (559141) <.me. .at. .jory.org.> on Thursday November 01, 2007 @03:03PM (#21201491) Homepage
    Full control of DNS, yes. As far as I've seen, it's not a remote root exploit or anything. It just installs global DNS servers that cannot be easily removed or even noticed.

  • by giminy (94188) on Thursday November 01, 2007 @03:05PM (#21201543) Homepage Journal
    To get infected, you have to:

    1) Go to a porn site
    2) Download a plugin from the porn site
    3) Click "OK" that you are downloading a .DMG file.
    4) Mount the .DMG
    5) Go back to the Finder
    6) Double-click the installer
    7) Type in your account password
    8) Click next a few times

    Calling this, "In the Wild," is laughable. How did the porn site "get infected"? I'll bet anything that the porn site(s) in question know exactly what they are doing...
    • by QuantumG (50515)

      How did the porn site "get infected"? I'll bet anything that the porn site(s) in question know exactly what they are doing...
      Uhhh, no shit.

      What were you thinking?

    • by advocate_one (662832) on Thursday November 01, 2007 @03:13PM (#21201717)
      and with windows... 1) Go to a porn site....
    • Re: (Score:3, Interesting)

      by Rob T Firefly (844560)

      3) Click "OK" that you are downloading a .DMG file.
      But I thought Macs had no step 3!!
    • by mhollis (727905) on Thursday November 01, 2007 @03:19PM (#21201819) Journal

      You are assuming something here: There is no incentive.

      Lots of Mac users are looking for the ultimate codec toolkit. Apple's Quicktime comes with a number but there are more out there and many are really hard to find and/or are Windows-specific. I downloaded and installed Divx and the Divx encoder for some things I do. I use Flip4Mac's WMV codec as well as their professional tools (for things like MXF files). And lots of Mac users have as well to get Quicktime to work with .WMV files as Microsoft stopped supporting us with their .WMV player.

      So, if one fools one's dupe with the come-on: "It's a codec you need to view these files," it's a pretty good scam. All of the additional clicking and password-entering will be motivated by the same reason why the user downloaded and installed the codecs I mentioned above.

      I suppose the moral of this story is that one should not trust anything on a porn site. But in the Mac user environment where Mac users usually struggle to keep up with the proprietary Microsoft stuff, a codec download "to see this" is not too far off-base.

      • by Frogg (27033) on Thursday November 01, 2007 @04:50PM (#21203365)
        On a Mac, i believe you can get the Quicktime engine to have all the codecs you'll ever need by installing the free open source package Perian [perian.org] and the free (closed source) Flip4Mac WMV [macupdate.com], which covers the last few.

        Arguably, Apple should pre-install both of these packages - or variants thereof.

        Now to get back onto the main topic..

        One could also argue that the Apple-provided Quicktime player sucks ass big-time - and of course that is very true - but that's easily fixed by installing NicePlayer [sourceforge.net] (also FOSS) - the other route is to ignore all the Quicktime-based solutions, and use something like VLC [videolan.org].

        None of the above will stop an uneducated and/or unsuspecting user from clicking their way through an installer (and giving up an administrator password) believing it to install something great/fun/useful. If you try too hard to protect the naive and/or foolish from their own actions when administering the system then you end up taking the route Microsoft have with Vista (and their earlier Windows, each to a lesser extent) -- Are you sure? Are you really sure? Are you really really certain? Can i get a password with that? -- Ah.. Mac users are getting used to giving passwords during installs - bummer. (Mind you, they don't do it as quickly as the average Windows user/administrator can click Ok, Ok, Ok, Ok)

        Being honest though, i don't think naivety or foolishness really enter into the equation - after all, it's a social engineering trick driven by the simple male quest for boobies - a somewhat unstoppable force!
    • "In the Wild," is laughable. How did the porn site "get infected"?

      I don't think "in the wild" means that the porn site accidentally got infected. "In the wild" means that it is not within a controlled experiment or was not created specifically to be used within a controlled environment. The opposite would be a "proof of concept" trojan that someone might use to demonstrate at a computer security conference.

      If it's possible for a Mac to get infected without the user's knowledge, then that qualifies as "in

    • If it barely spreads then the security model is relatively successful. If it spreads like wildfire, creating a 50 million machine monster supercomputer at the hands of international criminal cartels, then the security model could be said to have been less than successful.

       
    • by aberkvam (109205)

      To get infected, you have to:

      1) Go to a porn site
      2) Download a plugin from the porn site
      3) Click "OK" that you are downloading a .DMG file.
      4) Mount the .DMG
      5) Go back to the Finder
      6) Double-click the installer
      7) Type in your account password
      8) Click next a few times

      Calling this, "In the Wild," is laughable. How did the porn site "get infected"? I'll bet anything that the porn site(s) in question know exactly what they are doing...

      If the user is using Safari with the default settings, steps 4-6 aren't needed

      • Re: (Score:3, Insightful)

        by Llywelyn (531070)
        Does the installer launch automatically when the DMG is mounted? If not then all that is removed is step 4.
    • No it isn't (Score:3, Insightful)

      by Sycraft-fu (314770)
      I hate this ignorant attitude that unless something happens automatically it won't happen. Sorry, but most trojans go in the front door, not the back one (hence the name "trojan"). Better than 90% of the infected computers I encounter are infected with something the user had to take an active hand in installing.

      One of my all time favourites was an e-mail virus. This happened after we installed our spam filter, which is also a virus scanner, so it was a surprise to us since installing it had dropped the occu
  • by Apple Acolyte (517892) on Thursday November 01, 2007 @03:06PM (#21201553)
    If Apple really wants to continue to provide users with the "Open Safe Files" option in Safari, it would make a whole lot of sense to associate that feature with a white list of approved domain names like apple.com, adobe.com, etc.
    • by znu (31198) <znu.public@gmail.com> on Thursday November 01, 2007 @03:15PM (#21201769)
      As a result of "Open Safe Files" in this instance, the user has to perform something like six manual steps instead of eight. Anyone gullible enough to go through those six steps would be gullible enough to go through eight, so "Open Safe Files" isn't really making anyone less safe here.
    • Re: (Score:3, Informative)

      by Llywelyn (531070)
      If you have open safe files, it mounts the disk image and then you have to run the installer.

      If you do not have open safe files, you have to double click the disk image before you can run the installer.

      If you have been so thoroughly tricked that you will run the installer, whether "open safe files" is checked is irrelevant.
  • by plasmacutter (901737) on Thursday November 01, 2007 @03:08PM (#21201605)
    Malware does not equal virus, iit does not "break" into a machine through security holes, it hacks the wetware between the monitor and the seat, convincing them to consent to the install.
    It's impossible to make a machine fully idiot proof, but in the past couple versions apple has added 3 new "nag" boxes to safari in attempts to warn people.
    Anyone who goes through that many screens deserves to have it installed.

    I don't install any media player or codec if it asks for root permission.

    even flip4mac doesn't require full permissions.

    you drop the free component into your home's library folder and it runs in user space when websites call for wmv decoding.

    • Re: (Score:3, Informative)

      by eli pabst (948845)

      Malware does not equal virus, iit does not "break" into a machine through security holes

      Actually a worm is the only type of malware that exploits are security hole. Trojans and viruses really only differ in that a virus is a file infecter, ie it's going to append its code to legitimate executable file(s) existing on the system. A trojan is just malware pretending to be something it's not, much like the real trojan horse. Granted, much of the malware today are blended threats with some aspects of each, so

  • Insecure settings (Score:3, Informative)

    by xouumalperxe (815707) on Thursday November 01, 2007 @03:13PM (#21201715)

    We're simply talking about social engineering. Windows, OS X, *BSD, Linux (and probably most other operating systems out there) are all vulnerable to this sort of attack, there's just little in the way of motivation to actually do it.

    The part where the dmg is automatically opened is the only thing that even resembles a vulnerability as such, though it should actually be filed under "insecure default settings" rather than a vulnerability per se. This said, both linked articles are quite sparse with information regarding the actual installation. From my experience Safari should say something about the archive/disk image containing an application before actually mounting the dmg, and then prompting for an administrator password for the package to be installed. If either of these steps are compromised, you can call this interesting, because there's an exploit at work. If not, then it's a bog standard social engineering attack, to which every platform is vulnerable. The only news here are that you can't browse the web with your Mac in a completely carefree manner anymore, because there are some Bad Things out there targeting you.

  • Intego (Score:2, Redundant)

    by eclectic4 (665330)
    Yes, but hasn't Intego tried to scare Mac users into purchasing their virus protection before? In fact, they've done this quite a bit. Check out their report and pay close attention to the "Means of protection" paragraph at the end of the article.

    The news is Intego attempting to scare up business, this is not a Mac virus, especially when you have to do quite a few stupid things along with giving permission to install from an admin. My goodnes...
  • by His Shadow (689816) on Thursday November 01, 2007 @03:24PM (#21201925) Homepage Journal
    Bullshit. It appends the DNS servers to point the user to phishing and porn sites and runs a cron job to make sure the changes are modified. Does it then email everyone in your address book and infect every other machine on your network? No. It can't even install itself without the Admin password. It's a social hack.

    Nice Try tho...

  • Intego at it again (Score:3, Informative)

    by eclectic4 (665330) on Thursday November 01, 2007 @03:26PM (#21201971)
    Yes, but hasn't Intego tried to scare Mac users [daringfireball.net] into purchasing their virus protection before? In fact, they've done this quite a bit. Check out their report [intego.com] and pay close attention to the "Means of protection" paragraph at the end of the article.

    The news is Intego attempting to scare up business, this is not a Mac virus, especially when you have to do quite a few stupid things along with giving permission to install from an admin. My goodnes...
  • by CheeseburgerBrown (553703) on Thursday November 01, 2007 @03:32PM (#21202063) Homepage Journal
    No more shall we endure your taunts of being too obscure a minority to content with! Even the Russian Mafia thinks we're worth taking notice of now.

    ...Now we too shall now the bane of being pestered by colleagues and neighbours to help them score pirate software and to undo the embarrassing things they do their machines.

  • by digitaldc (879047) * on Thursday November 01, 2007 @03:32PM (#21202067)
    The attack site attempts to trick users into download a disk image (.dmg) file disguised as a codec

    I always knew there was something phishy about a .damage file. They should have never named it .dmg, it just begs to be used to .damage something!

    the .dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected but once the Trojan is installed

    Lesson learned - NEVER mount a .damaged Trojan, or you may become infected.
  • by SteeldrivingJon (842919) on Thursday November 01, 2007 @04:30PM (#21203001) Homepage Journal
    "The target must click through a series of screens"

    And engage in a specific pattern of toe-tapping and handwaving.
  • by r_jensen11 (598210) on Thursday November 01, 2007 @04:32PM (#21203037)
    I thought that, given their hip status, that they'd be having sex instead of watching porn. Does this make them as pathetic as Windows users, yet?
  • s-s-sudo (Score:3, Funny)

    by ElephanTS (624421) on Thursday November 01, 2007 @04:56PM (#21203455)
    I've found a great way of getting free pr0n and warez on Mac OSX. Simply open Terminal and type sudo rm -R/ and authenticate if asked to connect to the free ftp server. Works like a charm for me.

    There, can someone write a story about this now.
  • Removal (Score:3, Informative)

    by mkiwi (585287) on Thursday November 01, 2007 @05:33PM (#21203993)
    So how do we remove the Trojan if it gets stuck inside the Mac?*


    *Take in any context you like.

The typical page layout program is nothing more than an electronic light table for cutting and pasting documents.

Working...