
New Mac Virus Discovered, Making the Rounds

Posted by Soulskill
from the sharing-is-caring dept.
sl4shd0rk writes "A new Mac OS X exploit was discovered Friday morning by Kaspersky Labs which propagates through a zipfile attachment. The attachment tricks the Mac user into installing a variant of the MaControl backdoor via point-and-grunt. Embedded in the virus is an encrypted IP address belonging to a server in China which is believed to be a C+C server. Once installed, the virus opens a backdoor allowing the attacker on the C+C server to run commands on the compromised machine. Shortly after Kaspersky's announcement, AlienVault Labs claims to have found a similar version of the Mac malware which infects Windows machines. The Windows version appears to be a variant of the Gh0st RAT malware used last month in targeted attacks against Central Tibetan Administration. Both viruses are suspected of being tools in a campaign to attack Uyghur Activists."


  • by Kenja (541830) on Friday June 29, 2012 @06:35PM (#40500203)
    I know it's overly popular these days to call any malware, trojan or other malicious bit of software a virus, but they really don't meet the definition. Frankly, I can't think of a real virus being released in quite some time. Which just seems lazy to me.
    • by nurb432 (527695) on Friday June 29, 2012 @06:38PM (#40500219) Homepage Journal

      Misuse of terms like this really pisses me off.

      Like 'hacker', 'pirate', 'theft', and a host of others that have been twisted to the point of being ludicrous.

    • Re: (Score:3, Insightful)

      by toadlife (301863)

      "Virus" is the new "hacker". Get over it.

      • Re: (Score:2, Insightful)

        by Anonymous Coward
        We shouldn't constantly accept wrong terms just because they somehow crept into the language.
    • by cpu6502 (1960974)

      This would be a trojan horse.

    • by Darinbob (1142669)

      Yes this is getting pretty sad. Like saying a virus from Nigeria tricked me into thinking I'd share in a windfall if I mailed it some money orders first.

    • by ubrgeek (679399)
      Not to mention "C+C" ... I'm sure the crappy band would object to being associated with malware*. I think the term is C2 - Command and Control [wikipedia.org].

      *Although it would mean more popularity than they've had in years.
    • Re: (Score:3, Insightful)

      by nadaou (535365)

      the /. editor is not doing his job, which makes the site a worse place to visit.

      • by Dwonis (52652)

        the /. editor is not doing his job, which makes the site a worse place to visit.

        You must be new here.

        • by nadaou (535365)

          the /. editor is not doing his job, which makes the site a worse place to visit.

          You must be new here.

          I can expect, and even respect, a healthy amount of slack at a site where the users tend to take things way too seriously. But at some point the untended community garden turns into an abandoned lot, and it's feeling a lot more like that these days.

    • Re: (Score:3, Insightful)

      by hairyfeet (841228)

      Oh please! You say trojan to the average user and they want to know why their PC needs a rubber, you say backdoor and they start looking for that rubber for their PC and you say rootkit you get a deer in the headlights look.

      Frankly, and I'm sure I'll get hate for saying this but ask me if I care, truth is truth, is that most of those I've seen that really REALLY care about that is because they are "true believers" who want to use it to say "But it doesn't count!" like an 8 year old demanding a do over on the

      • Re: (Score:3, Insightful)

        by Pfhorrest (545131)

        The only way to patch the "bug" of stupid users being able to install malware on their computers is to prohibit users from installing arbitrary software on their computers, which would be a much bigger bug than any social exploit vulnerability.

        If the system didn't get infected by exploiting some weakness of the system, but rather by exploiting a weakness of its user, then the system is not at fault. THIS is why people get defensive. Much like making DRM work, it is impossible to completely patch the social-

      • Oh please! You say trojan to the average user and the want to know why their PC needs a rubber,

        You'd suffocate in a large rubber horse though, also it would be very hot. Besides, it would have to be Vulcanized to work, and Vulcans weren't invented until TV & StarTrek.

    • by NoKaOi (1415755)

      I know it's overly popular these days to call any malware, trojan or other malicious bit of software a virus, but they really don't meet the definition. Frankly, I can't think of a real virus being released in quite some time. Which just seems lazy to me.

      Get over it. The real question is: Do you know what they mean? Methinks you do know what it means. It's like the word "organic" and "chemical" at your local Whole Foods. I mean, wtf, if you dump a fertilizer with anything derived from petroleum (a mix of organic compounds) in it, it's not organic, but if you dump water on it (an inorganic chemical , gasp!) then it can still be called organic. The real question is, if you see the word, are you able to determine from context what it means? In the case

    • I know it's overly popular these days to call any malware, trojan or other malicious bit of software a virus, but they really don't meet the definition. Frankly, I can't think of a real virus being released in quite some time. Which just seems lazy to me.

      Once installed, the virus opens a backdoor allowing the attacker on the...

      Right, it's not a virus and it certainly doesn't open any backdoor, either, unless the malware authors also work for Apple and slipped that one by the QA and security audit guys during the last OS X build. This is misrepresenting what it's probably actually doing, merely initiating a connection to a Chinese server. But using the term "backdoor" makes the summary author sound 1337 and the attackers sound even more nefarious, even if it isn't even close to an accurate description of reality. The OP has done m

    • Re: (Score:2, Informative)

      by Anonymous Coward
      Some good analogies to teach your average joe about interweb threats.

      VIRUS: The girl has an STD.
      MALWARE: The girl has crabs.
      TROJAN: That girl is 2 weeks pregnant.

      All with the same solution, don't have slutty sex.
      • by sco08y (615665)

        I guess PHISHING and WORMS were just self-explanatory, and the parent didn't want to get special-modded "Too Much Informative".

    • This sentence is downright terrible:

      Embedded in the virus is an encrypted IP address belonging to a server in China which is believed to be a C+C server.

      Not only does it misuse the term "virus", as you mentioned, but it also misuses the term "encrypted". The correct term here is "obfuscated". The obfuscation code might happen to contain something that looks very similar to AES, but it isn't encryption (and it certainly isn't AES) if the "key" can just be recovered from the executable.
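The distinction this commenter draws, that a value whose "key" is carried in the same executable is obfuscated rather than encrypted, can be shown directly. The following is an added example written for this page; it is not code from the thread and does not reproduce MaControl's actual scheme. It constructs a stand-in blob in which an ASCII IPv4 string (an RFC 5737 documentation address) is XORed with a single byte, then recovers the address with no key at all by trying all 256 candidates and keeping only decodes that parse as IPv4. The blob layout, the key value and the address are assumptions made for the example.

```python
import ipaddress
import re
from typing import List, Tuple

# Loose dotted-quad pattern over bytes; octet range is checked separately
# with ipaddress, which rejects things like 999.1.1.1 that the regex accepts.
IPV4_RE = re.compile(rb"(?<![0-9])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9])")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. XOR is its own inverse, so the same
    call both 'hides' and recovers the data."""
    return bytes(b ^ key for b in data)


def make_sample_blob(ip: str, key: int) -> bytes:
    """Constructed stand-in for a slice of a malware binary (assumption for
    the example, not a real file layout): some filler bytes, then the C2
    address as an ASCII string XORed with a single byte, then padding."""
    filler = b"\x00\x10\x20MaCtrl\x7f\xff"
    return filler + xor_bytes(ip.encode("ascii"), key) + b"\x00" * 4


def recover_obfuscated_ips(blob: bytes) -> List[Tuple[int, str]]:
    """Recover single-byte-XOR 'encrypted' IPv4 strings from a blob without
    knowing the key: decode under every key, keep decodes that are valid
    IPv4 addresses. A 256-entry search space is the whole point: nothing
    secret is required, so this is obfuscation, not encryption."""
    found: List[Tuple[int, str]] = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        for match in IPV4_RE.finditer(plain):
            candidate = match.group().decode("ascii")
            try:
                ipaddress.IPv4Address(candidate)
            except ValueError:
                continue  # digits in the right shape, but not a real address
            found.append((key, candidate))
    return found


if __name__ == "__main__":
    blob = make_sample_blob("203.0.113.7", 0x5C)
    for key, addr in recover_obfuscated_ips(blob):
        print(f"key=0x{key:02x} c2={addr}")
```

With a multi-byte XOR key or a binary 4-byte address the recovery step changes (typically you pull the key from where the decoder routine loads it, or run the decoder under a debugger), but the conclusion is the same: if the file contains everything needed to decode the value, anyone holding the file can decode it. Real encryption differs in exactly one respect, the key lives outside the file, and then this search does not terminate in any useful time.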

    • by v1 (525388)

      I know it's overly popular these days to call any malware, trojan or other malicious bit of software a virus, but they really don't meet the definition. Frankly, I can't think of a real virus being released in quite some time. Which just seems lazy to me.

      Not lazy, just sensational journalism. Exaggerate in the summary to get more people to read it because of how surprising it would be if it were actually true.

      Either the /. editors are hopping on the sensationalism bandwagon, or they're lazy. Any nerd that sti

      • Either the /. editors are hopping on the sensationalism bandwagon, or they're lazy.

        That isn't an exclusive OR, I hope?

  • by imagined.by (2589739) on Friday June 29, 2012 @06:42PM (#40500247)

    Malware, not virus. Virii aren't installed by the users themselves...

    Thank you very much.

  • Reading that I feel like an old man, disconnected from the modern day. Is some new tech online porn technology that I've missed out on? Please... I NEED... TO... KNOW... !!!
  • by billcopc (196330) <vrillco@yahoo.com> on Friday June 29, 2012 @06:54PM (#40500355) Homepage

    Pardon my crystallized forebrain, but what's "point-and-grunt" ? Is that one of those newfangled hipster Fail-on-Rails thingamabobs that goes into the weird rounded USB thing on my tee-vee ?

  • Why is this news? (Score:5, Insightful)

    by Grayhand (2610049) on Friday June 29, 2012 @06:58PM (#40500389)
    It's hard to blame Mac when you open an infected file. People have been unwittingly installing malware and other infecting programs onto Macs for years. This is very different from one that propagates without the help of the user. It's a non story.
    • by 93 Escort Wagon (326346) on Friday June 29, 2012 @07:23PM (#40500559)

      Well, except when this happens in the PC world at least some subset of folks do blame Microsoft for it, and loudly.

      There was a time when Microsoft WAS at fault - back in the days of Slammer, for example. But most of the malware that goes around anymore relies on social engineering to propagate, because Windows and OS X are really pretty secure.

      • by thetoadwarrior (1268702) on Friday June 29, 2012 @07:45PM (#40500733) Homepage
        Microsoft *was* at fault at times like when Outlook Express' preview pane ran anything in the preview pane which was on by default so you could get infected by virtue of a new email just coming in even if you'd be smart enough not to open it. Which is definitely different from a Mac asking you to be sure and you open it anyway.
        • by 93 Escort Wagon (326346) on Friday June 29, 2012 @08:36PM (#40501031)

          Microsoft *was* at fault at times like when Outlook Express' preview pane ran anything in the preview pane which was on by default so you could get infected by virtue of a new email just coming in even if you'd be smart enough not to open it. Which is definitely different from a Mac asking you to be sure and you open it anyway.

          Except remember how Safari had a similar issue several years ago? It could automatically launch stuff that was downloaded just by virtue of you hitting the wrong page? That's why you get asked now - that was part of the fix Apple added to solve the problem.

          I've been a Mac user since 2003. I like the OS, and I think it's had a pretty good security track record overall... but Apple's definitely made a few missteps along the way. Nothing of the sheer magnitude of Slammer or Blaster - the only remote OS X exploit I can remember required the attacker to be on the same subnet (think it was an AFS exploit, but I might be mis-remembering).

          • I realize it can be bad form to reply to oneself, but I wanted to correct one thing - the remote exploit I was thinking of was the 2003 local subnet DHCP exploit [slashdot.org]. That was a remote root exploit that required the attacker to be on the same subnet.

            The AFP exploit was from 2010 [cqure.net], and could provide remote access to a user's home directory. Still bad, but not at the same level of bad.

          • Re:Why is this news? (Score:4, Informative)

            by TheRaven64 (641858) on Saturday June 30, 2012 @05:04AM (#40503073) Journal

            Except remember how Safari had a similar issue several years ago? It could automatically launch stuff that was downloaded just by virtue of you hitting the wrong page?

            That particular issue was related to the definition of 'safe' files. By default, every web browser runs some kinds of files, in particular HTML and (usually) JavaScript and images. If you have a vulnerability in your png renderer or HTML parser, for example, then opening any web page will exploit the browser. The only difference with Safari was that PDF was included in the list of files that are safe. The same applies to most browsers with the Adobe plugin installed. The Adobe plugin has also had a number of vulnerabilities in recent years.

            The problem here wasn't running code by default, it was loading untrusted data through a large body of complex code outside a sandbox. Chromium and Safari (and, I think, IE9) now open everything that's downloaded from an untrusted source and loaded automatically in an environment with reduced privilege. The Chromium sandbox is a bit better (although it varies a lot depending on the platform: on Windows it's pretty poor) and runs at a finer granularity, so with Safari an exploit may still give an attacker access to state held by other tabs (the same applies to Chromium if you have more than some threshold number of tabs open - 20, I believe).

  • by pbjones (315127) on Friday June 29, 2012 @06:58PM (#40500391)

    this isn't a virus, it doesn't replicate. It's an email trojan. It's not a Mac or PC exploit, because it exploits the person not the machine. And it's got a very specific target. Thanks for the warning, I won't, and don't click on attachments anyway.

  • lists like http://www.okean.com/chinacidr.txt [okean.com] are nice and handy to feed into your edge router.
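Turning a CIDR list like the one linked above into something an edge device will accept takes a little more than copying the file across: malformed lines need rejecting, adjacent prefixes are worth merging so the rule set stays small, and the result has to be emitted in the firewall's own syntax. The following is an added example, not code from the thread or from okean.com. It assumes the list format is one prefix per line with blank lines and "#" comments (an assumption), uses a constructed sample made of documentation ranges rather than real allocations, and emits ipset/iptables lines as one target a Linux edge box would take.

```python
import ipaddress
from typing import Iterable, List, Optional

IPv4Net = ipaddress.IPv4Network

# Constructed sample list (RFC 5737 documentation ranges, not real Chinese
# allocations). Includes a comment, a blank line, two adjacent /25s that
# should merge into one /24, and a malformed line that must be skipped.
SAMPLE_CIDR_LIST = """\
# constructed sample, format assumed: one prefix per line
203.0.113.0/24
198.51.100.0/25
198.51.100.128/25

not-a-prefix
"""


def parse_cidr_list(text: str) -> List[IPv4Net]:
    """Parse a prefix list, dropping comments and malformed lines, and
    collapse adjacent or overlapping prefixes into the minimal set."""
    nets: List[IPv4Net] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True refuses prefixes with host bits set, which usually
            # means a typo in the list rather than an intended range.
            nets.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError:
            continue  # skip rather than load a half-parsed list silently
    return list(ipaddress.collapse_addresses(nets))


def matching_network(ip: str, nets: Iterable[IPv4Net]) -> Optional[IPv4Net]:
    """Return the prefix that covers ip, or None. Handy for checking an
    extracted C2 address against the list before trusting a block."""
    addr = ipaddress.IPv4Address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def ipset_script(nets: Iterable[IPv4Net], setname: str = "cn_block") -> List[str]:
    """Emit shell lines that build an ipset from the prefixes and drop
    outbound traffic to it (the direction a backdoor's beacon takes)."""
    lines = [f"ipset create {setname} hash:net -exist"]
    lines += [f"ipset add {setname} {net} -exist" for net in nets]
    lines.append(f"iptables -I OUTPUT -m set --match-set {setname} dst -j DROP")
    return lines


if __name__ == "__main__":
    networks = parse_cidr_list(SAMPLE_CIDR_LIST)
    print("\n".join(ipset_script(networks)))
    print(matching_network("198.51.100.200", networks))
```

Dropping outbound traffic to the set, rather than only inbound, is the part that matters for a backdoor: the compromised host initiates the connection, so an inbound-only rule never sees it. Reloading the list periodically with the same script keeps the set current; `-exist` makes the script idempotent.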
  • by Legion303 (97901) on Friday June 29, 2012 @07:52PM (#40500781) Homepage

    Kaspersky discovered that if users willingly execute files that turn out to be malicious, their computers will be backdoored.

    In other news, I discovered that fire produces heat. Please front-page this important announcement immediately.

  • Jesus, not again (Score:5, Insightful)

    by sootman (158191) on Friday June 29, 2012 @09:52PM (#40501365) Homepage Journal

    I know Slashdot editors are famously lazy ('sup, guys!) but why does the summary they posted say "The attachment tricks the Mac user into installing..." when TFA* clearly says "the [attack] described here relies on social engineering to get the user to run the backdoor"? You know, just like every single other Trojan out there?!?** The attachment itself is totally benign until someone clicks on it several times. (Even if you view the message with webmail with Safari's "Open 'safe' files after downloading" in its (admittedly brain-dead) default "checked" position***, you still have to click on the attachment link in your webmail and then double-click the visible file to run it.) The only way this actually happens is if someone reads the email and takes a few steps on their own. As always, the attachment itself does nothing.****

    Slashdot has been a techy news site for a decade and a half now. You'd think errors as blatant as this would get caught by the editors, even with their usual lack of checking.

    You know what would be an awesome site? Exactly what Slashdot is, but with better editors. (And maybe lay off the JavaScript some.)

    Anyway: sky is blue, water is wet, sun rises in the east, and all computers--by definition--are vulnerable to trojans. Film at 11.

    And by the way, WTF is "point-and-grunt"? Does that imply that users are dumbly clicking on things? If so, doesn't that also imply that the users just might be the problem? Trojans are trivially easy to write. Here's one in one line:

    echo "rm -rf ~/*" > NataliePortmanHotGrits.jpg.command; chmod 755 NataliePortmanHotGrits.jpg.command

    Voila. Type that into Terminal, email it to all of Slashdot, and wait for a great disturbance in the Force, as if millions of home directories suddenly cried out in terror and were suddenly silenced.

    * I know no one here reads them, but I think the submitter should, right? Even if they don't, they should just submit the URL and not make up shit for the summary.

    ** Which is to say, like every single Mac "virus" of the last decade as well.

    *** Apple even puts "Safe" in quotes, so they obviously know that's not an ideal term. They should set it to "off" by default--and then remove the option.

    **** Unlike the bad old days with Outlook Express' infinitely more brain-dead "Hey, let me run that executable attachment for you!" setting.

    • by PPH (736903)

      And yet, Slashdotters will still click on links promising more info. followed by [goatse.cx] and then scream, "My eyes!"

      Social engineering works.

  • So there's a Windows version of it that targets Tibetan activists but they bothered to make a mac version of it to...in case Tibetan activists had macs? WHAT?! I don't think they have that kind of money. Something doesn't quite add up there. Whatever, I don't care as long as it knocks Apple down a peg again. That "we're magically immune to viruses" crap they finally removed from their website was about 10 years overdue.
    • by gl4ss (559668)

      what the activists actually have doesn't matter, what matters is what the guys selling surveillance software to china can sell.
