Fake Codec is Mac OS X Trojan

Kenny A. writes "Multiple news organisations are reporting on an in-the-wild Mac OS X malware attack that uses porn lures to plant phishing Trojans on Mac machines. The attack site attempts to trick users into download a disk image (.dmg) file disguised as a codec that's required for viewing the video. If the Mac machine's browser is set to to open 'Safe' files after downloading, the .dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected but once the Trojan is installed, it has full control of the machine."

You get what you deserve.

[Pahroza]

If you're stupid enough to go through all of those steps, you deserve to be infected.

Idiocy cannot be prevented

[jeffasselin]

The only cure to stupidity is intelligence.

If someone is stupid enough to download something, run it and give it the admin password, it will obviously be able to take control of the machine. No operating system or security software will stop that.

Re:You get what you deserve.

[FauxPasIII]

> If you're stupid enough to go through all of those steps, you deserve to be infected.

And does everyone else that your zombied machine spams or DDoS's deserve it?

Re:It begins

[ByOhTek]

There are dimwits and every market. If you think otherwise, it's because you are amongst the ranks...

Re:fanboys unite

[Anonymous Coward]

Name an operating system that can't be infected when a user gives an admin password.

First Remedy Apple Should Implement

[Apple Acolyte]

If Apple really wants to continue to provide users with the "Open Safe Files" option in Safari, it would make a whole lot of sense to associate that feature with a white list of approved domain names like apple.com, adobe.com, etc.

Re:Hmm

[djh101010]

Looks like the Mac fanbois are abusing the moderating system again. And the terminology is semantics. Mac users have been exclaiming that there Macs are immune or resistant to malware for years now and saying that Macs are better than Windows because Macs don't get infected.

Actually, the only people claiming that Macs are immune to malware, are people like you claiming others are doing so specifically so you can say these mythical people are wrong. This is a case of a program not being what it claims to be, and using social engineering to get someone to install something, make it executable, authenticate as root, and run it. No different than a year or three ago when someone came out with a fake Office for OSX package they shared on the P2P networks which was really a shell script that removed files. Not a virus - this doesn't install itself.

A "virus" with an install procedure which includes "and then become root and run it" isn't going to have legs.

Re:It begins

[Anonymous Coward]

finally what?

Are you suggesting that this puts Mac OSX in the same league as Windows? Think again. This requires a lot of help from the luser behind the keyboard to get installed.

Having spent the entire weekend cleaning up my girlfriend's computer as the result of a drive-by download from a questionable web-site (IE and XP) that didn't even hint that anything was downloading, then downloaded and installed a whole bunch of its spyware buddies, again with no hint that anything was downloading or installing, I still have to think that OSX is much, much better than the steaming pile of feces that is Windows.

Re:Steps to get infected

[advocate_one]

and with windows... 1) Go to a porn site....

Re:Hmm

[Penguinisto]

Well, let's see...

You find this "movie codec thingy" at a shady pr0n website (alarm #1), and it asks you to specifically download a .dmg file (alarm #2), install it with admin/root permissions (alarm #3) just to play a non-standard codec (alarm #4).

Meanwhile, by comparison, there are a whole host of Windows nasties you can get just by, say, visiting a website with a rigged IFRAME in the page.

QED: It's not a question of fanboys pooh-poohing something because it's their pet OS - it's a question of simple fucking logic.

Come back and tell us about it when OSX (eventually) has an attack vector that doesn't require the user to be a complete and utter dumbass, please.

/P

Re:fanboys unite

[MyDixieWrecked]

I've seen this story on several Apple/Mac related news sites yet, and the majority of the comments consisted of Apple apologists telling each other "nothing to worry about, because you still have to enter your admin password".

The type of people who will be infected by this will be similar to the types that get caught up in the 419 [419eater.com] scam.

The only real reason this is news is because it's the first occurrence of an OSX trojan in the wild. Much like Crispus Attucks [wikipedia.org], it's only getting exposure because it's the first.

This really isn't any different than someone creating an applescript called FreePr0n.app that erases a user's harddrive, and as other commentors have pointed out, it requires a bit of user interaction to actually get itself installed. Although I'm sure people who jumped ship to OSX thinking that the mac is virusproof are going to run anything and everything they come across on the internet thinking their safe.

Good thing Leopard adds an extra layer of protection.

and why does safari have the Open "safe" files on by default, again? I don't get that.

Re:First Remedy Apple Should Implement

[znu]

As a result of "Open Safe Files" in this instance, the user has to perform something like six manual steps instead of eight. Anyone gullible enough to go through those six steps would be gullible enough to go through eight, so "Open Safe Files" isn't really making anyone less safe here.

Re:Steps to get infected

[mhollis]

You are assuming something here: There is no incentive.

Lots of Mac users are looking for the ultimate codec toolkit. Apple's Quicktime comes with a number but there are more out there and many are really hard to find and/or are Windows-specific. I downloaded and installed Divx and the Divx encoder for some things I do. I use Flip4Mac's WMV codec as well as their professional tools (for things like MXF files). And lots of Mac users have as well to get Quicktime to work with .WMV files as Microsoft stopped supporting us with their .WMV player.

So, if one fools one's dupe with the come-on: "It's a codec you need to view these files," it's a pretty good scam. All of the additional clicking and password-entering will be motivated by the same reason why the user downloaded and installed the codecs I mentioned above.

I suppose the moral of this story is that one should not trust anything on a porn site. But in the Mac user environment where Mac users usually struggle to keep up with the proprietary Microsoft stuff, a codec download "to see this" is not too far off-base.

Too much security can breed complacency

[Shivetya]

One thing I noticed was that the more times a user has to enter their security password the more likely they become complacent and assume that any install is going to require it and any install that occurs is going to be safe.

Basically what sunk later attempts by Microsoft to patch security. As soon as they added "warnings" (aka popups) people got into the habit of clicking yes and thereby undoing any chance the programmers had at protecting users from being stupid. You can even blame this behavior on EULA's which require click through - people do this automatically.

As the Mac gains in popularity the numbers of careless people will go up and infections like this will occur more often. The key is finding a way to train the user that its WRONG. That or finding a way to have the OS run objects installed in some form of "safe mode" for a time without letting the user in on it.

You're an idiot.

[Americano]

If you're stupid enough to go through all of those steps, you deserve to be infected.

One more time. You're an idiot.

1. This is an *insecure* default setting. I don't care if it asks you for an admin password, automatically running things downloaded from the internet shouldn't ever be a "default".
2. This is not a NEW "exploit", I remember hearing about this same exploit in a different form at least a year and a half ago. Apple had plenty of time to disable this feature (or at least turn it off so people would HAVE to do the "dumb" thing and re-enable it) and they have not.
3. The asshats who write these trojans cost EVERYBODY time, money, and effort. If it were limited in effect to the dumb user, a la "oops, I deleted some files I didn't want to delete!", it would be *slightly* better. But identity theft, break-ins, DDoS attacks, spam, etc. are all costly effects of these "dumb" users "getting what they deserve."

I'm an apple user. I own several of their systems, and find them -- on the whole -- to be incredibly fun and easy to use. But Apple shouldn't get a free pass on this (nor should Microsoft, nor should Canonical or any other Linux distro). By setting this trivial "convenience" up by default, they've made their system more insecure. Yes, there are still people who will double-goddamn-click on anything and everything, but let's at least make it harder for the simpletons to inconvenience all of us. It would be a fairly simple fix for them to make, and one which they should have made a long time back.

Re:It begins

[LWATCDR]

Not really. Is it a security exploit if the user must type in a password and install the program to make it work?
Sorry but there is nothing that an OS can do to prevent someone with admin rights from installing and running a program.
I am not a Mac User but anybody that installs a codec to view porn that they get from the porn site...
As the Honda motorcycle safty ads put oh so well.
Stupid Hurts.

Re:You get what you deserve.

[Niten]

That's an interesting straw man you've drawn up. Personally, I don't know anybody who purchased a Mac because he or she thought it was somehow immune to all forms of malware.

I agree with the parent poster in a sense. OK, they don't really "deserve" to be infected, but there is a fundamental limit to what current computer security models are able to achieve. This infection doesn't occur through the exploit of some flaw in the web browser or OS X, it's pure social engineering. The malware gets installed just like any valid software package would; if the computer's administrator cannot be relied upon to intelligently differentiate between trustworthy and untrustworthy software, then all other technical countermeasures aside, there is absolutely no hope of keeping that system secure.

So much more user friendly

[blueZ3]

The Windows way. None of this download, mount, open, click, password, click, click nonsense.

Who says Macs "just work"? Obviously they don't for trojans!

Re:But does it matter?

[Vancorps]

Trojans don't rely IE vulnerabilities to get email addresses after infection. They can do the exact same thing they do on Windows on an OS X box once infected.

It sounds like this trojan comes with a local privilege escalation vulnerability otherwise this also depends on users on Macs having root level access.

It was only a matter of time before someone would target it. Whether more and more people target it is a completely separate issue.

As a cross-platform user of all sorts of systems I generally prefer that things aren't targeted at all. I do enjoy the people saying OS X was inherently secure based on absolutely no knowledge of OS X's foundation finally being hit with the clue-by-four. Now they can actually start learning what it is they are spouting about and present intelligent arguments which are always better than empty ones.

Of course that may just be a tad bit optimistic on my part. No system connected to the outside world is 100% secure, does this in any way change my thoughts on OS X security? Nope, not at all because I always understood this problem as it exists on any platform which lets the user download and run software.

Re:It begins

[superbus1929]

I don't think one or the other is "superior", but what worries me about Mac users is that they're so unused to stuff like this - security through obscurity, if you will - that they start to think they're invincible. Your average Macintosh luser is more likely to get hammered than your average Windows luser if you take into account a set control number of malware infections that require user interactivity; if you get the same trojan on both OSes, the average luser on Mac is more likely to go through the steps than a Windows luser with the same experience and training because the Windows guy is more likely to be paranoid and ask questions.

One would expect one to automatically question stuff like this, but when you've told yourself "this stuff doesn't apply to me because I'm different" for so long... what happens when that's no longer true?

In a metaphorical sense, it's like a country that's been peaceful for a long time, and has not had the need, means or motivation to keep the knowledge of how to defend itself getting overrun with barely any resistance by a more aggressive neighbour.

Re:It's about CRITICAL MASS...

[Brainix]

Your argument isn't as original as you'd like. It's also flawed. Just compare Apache to IIS. Apache has much greater market share, but IIS get exploited like Swiss cheese. How do you explain that?

Another counter argument: Although Linux has a much smaller installed base than Windows, a cracker could stand to gain much more by exploiting Linux. Imagine the wealth of sensitive data hosted on Linux servers.

Re:It begins

[jackpot777]

Exactly. This isn't a computer virus. It's a social engineering virus.

Anyone that can write a keystroke logger program can also add wording that it's actually a codec for viewing videos. One more level of dishonesty's not going to stop them.

People often criticize Wiki, but seeing as the Wiki definition of a computer virus [wikipedia.org] is "a computer program that can copy itself and infect a computer without permission or knowledge of the user", this is no virus.

Re:But does it matter?

[heinousjay]

I consider trojans like this to be Darwinian. Anyone who gets hit with it deserves it, basically. If it happens to be one of the loudmouth braying donkeys who scream about how the Mac is immune, all the better.

Re:Hmm

[JamesRose]

http://www.apple.com/getamac/viruses.html [apple.com]

And i quote "850 new threats were detected against Windows. Zero for Mac."

Yes, it admits it's possible, it doesn't however, admit there are any.

Re:But does it matter?

[Vancorps]

I couldn't agree more. Darwin is everywhere and on everything. There are bad drivers of the safest cars out there that still get in accidents.

That's how they spread.

[khasim]

Trojans don't rely IE vulnerabilities to get email addresses after infection.

I did not say that they did. I said that the trojan scanned the hard drive of the infected computer to find anything that looked like an email address so it could send links to those addresses.

If someone clicked on one of those links AND had a version of IE that was exploitable, then they were infected.

That is how X increases in the Windows segment.

They can do the exact same thing they do on Windows on an OS X box once infected.

Yes they can. But they still depend upon a browser vulnerability in that scenario. Microsoft's decisions with IE (ActiveX, "integrating" it into the OS) means that the exploits are worse with IE than with, say, Firefox.

It was only a matter of time before someone would target it. Whether more and more people target it is a completely separate issue.

Targeting it does not matter. What matters is how to increase X%.

If the infection rate is below the disinfection rate, the trojan dies "in the wild".

As a cross-platform user of all sorts of systems I generally prefer that things aren't targeted at all.

Yeah. You go with that.

I do enjoy the people saying OS X was inherently secure based on absolutely no knowledge of OS X's foundation finally being hit with the clue-by-four. Now they can actually start learning what it is they are spouting about and present intelligent arguments which are always better than empty ones.

Actually, it appears that your argument is the one that is empty.

Getting ONE person to infect his Mac is not much of an achievement. With enough users, eventually you'll find one dumb enough for fall for any scam.

What matters is how fast it will spread.

So far, this trojan has demonstrated that Mac's are extremely secure. The trojan is not spreading.

Compare that with the Storm Worm.

Of course that may just be a tad bit optimistic on my part. No system connected to the outside world is 100% secure, does this in any way change my thoughts on OS X security? Nope, not at all because I always understood this problem as it exists on any platform which lets the user download and run software.

And who is saying that 100% security is needed?

Security is a PROCESS. Not an end-item.

All that is needed is for Mac's to have an infection rate that is BELOW the disinfection rate. The the viruses and trojans and worms will all die "in the wild".

No need to make any claims about "100% secure" or not. It's the infection rate that matters. Does it spread faster than it is removed? If it does not, then it is not a threat. If it is not a threat, then the Mac is still considered "secure" by its user.

No it isn't

[Sycraft-fu]

I hate this ignorant attitude that unless something happens automatically it won't happen. Sorry, but most trojans go in the front door, not the back one (hence the name "trojan"). Better than 90% of the infected computers I encounter are infected with something the user had to take an active hand in installing.

One of my all time favourites was an e-mail virus. This happened after we installed our spam filter, which is also a virus scanner, so it was a surprise to us since installing it had dropped the occurrence to zero prior to this (no matter how many times we harp on them, many people refuse to run virus scanners). At any rate the way this file got around the virus scanner was by sticking itself in an encrypted zip file. It would then put the password to decrypt in the e-mail message.

So what a user had to do was get the e-mail, save the attachment, try to open it, look in the e-mail for the password, enter the password, get the exe, ignore everything we told them about not running exes and then run the exe. Quite complicated yet a number of people (4 if I remember correctly) did it. They assumed it HAD to be legit.

Well, same shit here. This is just proof that no, requiring an admin password doesn't make your system magically secure if the admin is willing to give it up. All they did is present the user with a mildly plausible scenario (that you need a new video codec) and bait that the users wanted (a porn video) and there you go.

This is simply proof of what many of us have been saying for a long time: Things like needing to enter an admin password are just hoops for a normal user to jump through. They do nothing to enhance security if there isn't a skilled operator. It isn't some magic security shield that will protect you from evil stuff. The power to install software implies the power to install bad software. The power to control a system implies the power to damage the system, and so on.

There's been a lot of make-believe going on that MacOS is immune to spyware/trojans because of its design, specifically the privilege escalation thing. This is proof that's not the case. You can put as many hoops up as you want, if the users want what's at the other end bad enough, they'll jump through them without looking to see if they are on fire.

Re:Hmm

[Anonymous Coward]

Okay, how about I do. iPhone runs MacOSX, right? Well, it does have a vulnerability that lets a malicious website or email content take complete control of the device. It's been there for a couple of weeks, is highly publicized and Apple has yet to fix it.

Nothing like having a website able to dial 911 for you, eh?

http://secunia.com/advisories/27213/ [secunia.com]

Re:Steps to get infected

[Llywelyn]

Does the installer launch automatically when the DMG is mounted? If not then all that is removed is step 4.

Re:You get what you deserve.

[russotto]

Techies who burn themselves boiling water don't curse the stove manufacturer, pot manufacturer, or water company for screwing things up. And they usually don't repeat the steps with which they burned themselves, over and over again, despite having it pointed out that this is what is causing the burns.

What do you mean by default?

[SuperKendall]

This is an *insecure* default setting.

What is? BY DEFAULT Safari prompts you to allow downloading things like disk images from a remote website. Then BY DEFAULT it asks you if you trust an application from wherever it came from - even allowing you at any time to revisit the web page it was downloaded from! Then after all than, if you choose to run the file in the disk image you are further prompted BY DEFAULT for an admin password.

What exactly is the DEFAULT behavior that is wrong here? Should all ability for the user to download and install applications be removed?

This is not a NEW "exploit", I remember hearing about this same exploit in a different form at least a year and a half ago. Apple had plenty of time to disable this feature

What, the ability to download an run applications?

I don't see what your complaint is on this one. Apple has made the system as secure as they can make it, at some point the rest has to be left to the user.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:That's how they spread.

[Vancorps]

Actually you completely missed my point entirely. Congratulations on your poor reading comprehension.

No matter how secure your browser is you will still find people that download and run malicious software. That was my entire point. It is irrelevant what platform the user is running because it's the same problem whenever a user is allowed to download and run software.

You just seem eager to write this off trying to rely on OS X being magically secure when it does have its problems. I knew about this problem all along and so did most people that have any kind of security background. If you give the user freedom expect them to screw it up.

As for the infection rate, that does indeed matter but a trojan on a Mac is just as capable of scanning a Mac for email addresses and propagating further using the same mechanism as it would on a Windows box. There is nothing in OS X that magically protects the user from themselves. I've seen Mac users blindly click and even type passwords when it pops up on their screen. This problem is not unique to Windows users so matter how much you would like to blame Microsoft for this particular fault.

Furthermore, IE7 and even IE6 don't automatically install software from websites. IE 7 in particular is much improved in regards to security which is why it broke so many web applications. IE 6 you had to manually turn off ActiveX installations but you always had the ability, even in IE 4.

Last "argument", more of a question really, how in the world do you make the logical leap that this demonstrates that OS X is "extremely secure?" As I said in my post, this has absolutely no baring on how secure OS X is as its a cross-platform problem. It is merely an illustration of the same problem encountered everywhere in every aspect of society. You can be driving the safest car in the world, if you drive like an idiot you will still eventually get into an accident. The two are loosely related so I understand the confusion but I would expect someone commenting on the security of a product to be familiar and demonstrate that familiarity and realize that this problem will continue to exist, that it was always there and has nothing to do with this specific exploit as there are hundreds of other examples which don't propagate on their own. I monitor my network activity and I'm aware of trojans that crop up and over my admittedly not too many years of experience I've seen it on many more than a single occasion on OS X, Windows, and even various Linux distros.

Until humans stop trusting one another which will be a horrible day this problem will exist. It can be mitigated through education but the risk will always exist.

Re:That's how they spread.

[drsmithy]

Yes they can. But they still depend upon a browser vulnerability in that scenario. Microsoft's decisions with IE (ActiveX, "integrating" it into the OS) means that the exploits are worse with IE than with, say, Firefox.

While the ActiveX part is debatable, IE being "integrated" doesn't make exploiting it inherently any more damaging than Firefox. There's nothing IE can do that Firefox can't (and in many cases it can't do as much, since in some configuration IE runs with decreased privileges by default).

If the infection rate is below the disinfection rate, the trojan dies "in the wild".

It dies when no machine still has it installed. This is an independent factor to "rates".

So far, this trojan has demonstrated that Mac's are extremely secure. The trojan is not spreading.

Market share has a massive impact on propogation rates. It cannot be dismissed out of hand.

Re:That's how they spread.

[Jezz]

This logic is flat out wrong.

THIS Trojan does nothing to show a weakness in Mac OS X (compared to other systems in large scale use).

Of course, we're only talking about this one - which is really an social engineering issue (the user is tricked into installing it - the OS doesn't install it, the user even has to type the admin password!) a different attack could be quite different. Thus far we've not seen that on Mac OS X, that's not to say we won't - just hasn't happened yet. That happening is no more or less likely today than it was yesterday. There have been flaws in Mac OS X that could have allowed that, but the ones **we** (I mean us, not people inside Apple or people working to find such flaws in OS X for "fun or profit") know about have been patched. Is this different to Windows? Possibly only in terms of scale, that is there **may** have been fewer such flaws (you know the really nasty ones that can allow something nasty to happen on a "normal" box) or there **might** be fewer people seeking "fun or profit" on Mac OS X. Personally I think both are true, and that might explain a lot. I'm perhaps a little less inclined to think Apple fix these things **much** faster than Microsoft. Never the less the Mac is my "weapon of choice" (most of the time).

Re:Macintosh vs. Unicorns.

[mstone]

---- A Mac virus won't spread via the 'net because the odds of a random connection leading to another Mac is much smaller than hitting a PC.

Would people please get over the idea that you need an infected Mac to infect another Mac?

An exploit is a package of bytes. Period. You can send that packet of bytes from any machine running any OS, to any machine running any OS. My NetBSD servers get any number of probes that could compromise a suitably-(mis)configured Windows box. Botnet managers don't lovingly hand-craft their networks. They send out a huge number of attacks to potential targets, and collect the ones that succeed. If 99.9% of those attacks fail, who cares? It's not like they're paying for the bandwidth, hardware, or electricity.

If there was a vulnerability in the Mac OS that could turn the machine into another component of a botnet without requiring user interaction, the people creating botnets would be on it like buzzards on a shit-wagon. There is absolutely no technical limitation which would prevent the Storm Worm botnet from launching an attack against Macs if the chance of getting any returns at all made it worth the effort. So far, the security practices OS X has inherited from its Unix predecessors -- which grew up in an untrusted network environment -- have kept that from happening. The whole dick-measuring thing of comparing installed bases is utterly irrelevant.

Mac Fanboys/Haters

[p00pyd00py]

This is a really interesting situation. There has always been smugness with the Mac community about OS X and getting pwn3d. The guys at Apple are mostly to blame for this. Instead of Apple telling it's minions that yes in fact there is a threat to users of the Mac OS X system (as in every operating system) so you should add layers of security to protect yourself. I have to admit the Mac OS X system seems to be one of the more secure platforms and that is great. But Apple is setting it's users up for failure.

I work in an office that handles computer security for a large network and have noticed that users tend to not install Anti-Virus software on their Mac systems. Apple has made them think they are superman or something. This will end up being a big mistake. Social engineering is one of the biggest attack vectors right now for malware so this new Trojan falls right into a nice comfy spot. And since Apple is making their users think they are made of Kryptonite it is likely that social engineering will work better on Mac users. As more evil doers create more variants of this type of Trojan they will use different methods to get users to open the file and install it. If you don't have AV installed how are you supposed to know that something evil is on your system? Your average Mac user won't have a clue.

This could in fact be a turning point if more malware is written for the Mac. Right now the biggest target is Windows and it is social engineering (not vulnerabilities) that is the most successful. It would be 'due diligence' to install Anti Virus!

Re:Mac Fanboys/Haters

[stewbacca]

What's the point of installing anti-virus software when there aren't any viruses for the anti-virus software companies to write anti-virus software against? You can't really keep your anti-virus software up-to-date either if there are no viruses. Don't get me wrong, I'm not being a smug smart ass here, I'm just saying the anti-virus software has to know what it is attacking for it to be effective, but there is NOTHING out there for it to be programmed against (yet). Or maybe I don't understand how anti-virus software works?

If I used anti-virus software on my Mac now, all that would happen would be that it would keep interrupting my daily routines by taking wild guesses as what is malicious code and what isn't...exactly the sort of thing that drives many people away from Windows in the first place.

What's the freaking big deal?

[jvd]

mean, you can install a Trojan like that any Unix-like OS (other than OS X) if you follow ALL the necessary steps to install it. The problem is not whether it's possible to install a Trojan on certain operating systems; the problem is the easiness of how it can be done. In Mac OS X you have to click through several screens to "get infected" while on Windows you're only one click away of getting infected. That's the difference.