Fake Codec is Mac OS X Trojan

Kenny A. writes "Multiple news organisations are reporting on an in-the-wild Mac OS X malware attack that uses porn lures to plant phishing Trojans on Mac machines. The attack site attempts to trick users into download a disk image (.dmg) file disguised as a codec that's required for viewing the video. If the Mac machine's browser is set to to open 'Safe' files after downloading, the .dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected but once the Trojan is installed, it has full control of the machine."

Re:Hmm

[sogoodsofarsowhat]

Um they do. But if you decide to install malicious software on your system as the owner what can we do? What can anybody do? Seriously this is not a virus it is a human (id10T) user weakness...seen on ALL systems regardless of OS.

DNS

[Anonymous Coward]

The summary is misleading, it does not give full control of the computer to the attacker, but changes the DNS server for phishing.
It could just as easily install a VNC server I suppose.

Full Control?

[yroJJory]

Full control of DNS, yes. As far as I've seen, it's not a remote root exploit or anything. It just installs global DNS servers that cannot be easily removed or even noticed.

Steps to get infected

[giminy]

To get infected, you have to:

1) Go to a porn site
2) Download a plugin from the porn site
3) Click "OK" that you are downloading a .DMG file.
4) Mount the .DMG
5) Go back to the Finder
6) Double-click the installer
7) Type in your account password
8) Click next a few times

Calling this, "In the Wild," is laughable. How did the porn site "get infected"? I'll bet anything that the porn site(s) in question know exactly what they are doing...

Re:Hmm

[sm62704]

This is neither a virus or a worm; it's a trojan. A trojan is a program that does or claims to do something useful, which gets you to install it. Once installed, it does something else in addition to or instead of what you installed it for.

No OS is foolproof, and even Mac and Linux users can be fools. Mac and Linux machines can be broken into, can get trojans, theur users can be tricked into giving out passwords, but there are no Mac or Linux viruses in the wold.

This is not a virus, it's a "wetware" exploit.

[plasmacutter]

Malware does not equal virus, iit does not "break" into a machine through security holes, it hacks the wetware between the monitor and the seat, convincing them to consent to the install.
It's impossible to make a machine fully idiot proof, but in the past couple versions apple has added 3 new "nag" boxes to safari in attempts to warn people.
Anyone who goes through that many screens deserves to have it installed.

I don't install any media player or codec if it asks for root permission.

even flip4mac doesn't require full permissions.

you drop the free component into your home's library folder and it runs in user space when websites call for wmv decoding.

Re:It begins

[cromar]

Actually, there was the "MacMag" [symantec.com] HyperCard trojan from way back in 1988...

Insecure settings

[xouumalperxe]

We're simply talking about social engineering. Windows, OS X, *BSD, Linux (and probably most other operating systems out there) are all vulnerable to this sort of attack, there's just little in the way of motivation to actually do it.

The part where the dmg is automatically opened is the only thing that even resembles a vulnerability as such, though it should actually be filed under "insecure default settings" rather than a vulnerability per se. This said, both linked articles are quite sparse with information regarding the actual installation. From my experience Safari should say something about the archive/disk image containing an application before actually mounting the dmg, and then prompting for an administrator password for the package to be installed. If either of these steps are compromised, you can call this interesting, because there's an exploit at work. If not, then it's a bog standard social engineering attack, to which every platform is vulnerable. The only news here are that you can't browse the web with your Mac in a completely carefree manner anymore, because there are some Bad Things out there targeting you.

Re:Macs...

[plasmacutter]

not quite, the only player i've come across which needs root access for install was real player (assumably for the DRM)

mplayer, vlc, and even flip4mac wmv codec do not require root permissions.

the reason this is not required is the way mac apps access libraries.

the codecs in mplayer and vlc (much like the libraries in most other mac apps) are combined into the app, and therefore not shared among all users. each user has his own set (and configuration) and they operate in user space.

quicktime works similarly. While you can drop your components (codecs) into the root library directory, each home folder has one of its own, again allowing each user to customize the codecs used.

Full Control of the Machine?

[His Shadow]

Bullshit. It appends the DNS servers to point the user to phishing and porn sites and runs a cron job to make sure the changes are modified. Does it then email everyone in your address book and infect every other machine on your network? No. It can't even install itself without the Admin password. It's a social hack.

Nice Try tho...

Re:Hmm

[NatasRevol]

Trojan, that requires the admin password.

Intego at it again

[eclectic4]

Yes, but hasn't Intego tried to scare Mac users [daringfireball.net] into purchasing their virus protection before? In fact, they've done this quite a bit. Check out their report [intego.com] and pay close attention to the "Means of protection" paragraph at the end of the article.

The news is Intego attempting to scare up business, this is not a Mac virus, especially when you have to do quite a few stupid things along with giving permission to install from an admin. My goodnes...

Re:What goes through the mind of the designer - ?

[spud603]

"Sure, Russian porn site offering me 'free' videos ripped from US porn producers ... I trust you to give me software to install in order to watch your video. Wait, I'm using a Mac - which ships with nearly every conceivable video codec I'd ever need to produce and edit professional video because It Just Works. What are the chances that Russian Mafia are one-up on Apple for a video codec I'd need?"

"Every conceivable video codec I'd ever need" except the few doozies: wmv, realplayer, and divx. Like it or not these are widely used, and not just for porn.

Looks scary

[wumpus188]

But easy to remove [macworld.com].

Re:It begins

[sgant]

"finally"....what? That a trojan is on an OS? Every OS can have a trojan on it.

A "virus" takes advantage of flaws in the OS. A "trojan" takes advantage of flaws in the user of the OS.

You could have the most secure, bug free OS in the world and still a trojan could bring it all down like a house of cards. All it needs to do is fool the user/admin into giving it root access and WHAM, you're system is compromised. It's not the fault of the OS or any inherent flaws in the OS.

Hell, you could have a sheet of paper laying next to computer that itself is a "trojan". All it has to say is "To fix this problem, bring up Terminal, type "sudo rm -rf /" and all your troubles will be wiped away". Someone that isn't totally computer literate may fall for something like this.

So before anyone jumps all over OS X or any OS as being vulnerable, think for a moment.

There is no "finally" to this. This isn't an exploit. This isn't a virus.

Re:First Remedy Apple Should Implement

[Llywelyn]

If you have open safe files, it mounts the disk image and then you have to run the installer.

If you do not have open safe files, you have to double click the disk image before you can run the installer.

If you have been so thoroughly tricked that you will run the installer, whether "open safe files" is checked is irrelevant.

Re:Not really

[Stamen]

load of shareware as there isn't much proper software out there.

First off, shareware is a method of distribution, not a type of software. Most software that is called 'shareware' isn't. If being able to download and demo software for a period of time then unlocking it with a serial number is shareware, then Photoshop and Microsoft Office are shareware.

Second off, I assume you mean software from small independent vendors, I'm curious why this type software isn't "proper software".

Lastly, you rarely "install" applications in OS X, it isn't Windows. You can run them from your own Applications folder which requires only your own rights. The apps that do require admin rights, are modifying the system in some way, and those do require you to give the administrator password. Since this dialog is rare, people do pay special attention when it pops up. There's only so much an OS designer can do.

Re:Hmm

[djh101010]

http://www.apple.com/getamac/viruses.html [apple.com]

And i quote "850 new threats were detected against Windows. Zero for Mac."

Yes, it admits it's possible, it doesn't however, admit there are any.

Wow, that's an astonishingly blatant use of creative quoting without context. Lets read the whole paragraph, unedited, shall we?

By the end of 2005, there were 114,000 known viruses for PCs. In March 2006 alone, 850 new threats were detected against Windows. Zero for Mac. While no computer connected to the Internet will ever be 100% immune from attack, Mac OS X has helped the Mac keep its clean bill of health with a superior UNIX foundation and security features that go above and beyond the norm for PCs. When you get a Mac, only your enthusiasm is contagious.

A bit different than your out of context snippet this way, isn't it.

How do the facts then agree with your claim that "it doesn't however, admit there are any."? Says right there "While no computer connected to the Internet will ever be 100% immune from attack,". Sheesh. It's almost like you figured nobody would check your claim to see how blantantly you misrepresented it.

Re:fanboys unite

[vitaflo]

and why does safari have the Open "safe" files on by default, again? I don't get that.

Actually it used to be worse. Safari used to have a hidden pref that allowed you to open any file you downloaded, not just "safe" ones. All it took was editing some XML prefs to add file types you wanted to auto open when downloaded. I used this to write a file browser that let me open various files after I downloaded them (like PSD's in Photoshop, basically stuff I actually found useful). A few years ago Apple cut that part out and restricted it to only files they deem as safe, which is a pretty small subset of file types.

That said, I don't mind the option (rather like it actually) but it should be turned off by default.

Re:Steps to get infected

[Frogg]

On a Mac, i believe you can get the Quicktime engine to have all the codecs you'll ever need by installing the free open source package Perian [perian.org] and the free (closed source) Flip4Mac WMV [macupdate.com], which covers the last few.

Arguably, Apple should pre-install both of these packages - or variants thereof.

Now to get back onto the main topic..

One could also argue that the Apple-provided Quicktime player sucks ass big-time - and of course that is very true - but that's easily fixed by installing NicePlayer [sourceforge.net] (also FOSS) - the other route is to ignore all the Quicktime-based solutions, and use something like VLC [videolan.org].

None of the above will stop an uneducated and/or unsuspecting user from clicking their way through an installer (and giving up an administrator password) believing it to install something great/fun/useful. If you try too hard to protect the naive and/or foolish from their own actions when administering the system then you end up taking the route Microsoft have with Vista (and their earlier Windows, each to a lesser extent) -- Are you sure? Are you really sure? Are you really really certain? Can i get a password with that? -- Ah.. Mac users are getting used to giving passwords during installs - bummer. (Mind you, they don't do it as quickly as the average Windows user/administrator can click Ok, Ok, Ok, Ok)

Being honest though, i don't think naivety or foolishness really enter into the equation - after all, it's a social engineering trick driven by the simple male quest for boobies - a somewhat unstoppable force!

Re:This is not a virus, it's a "wetware" exploit.

[eli pabst]

Malware does not equal virus, iit does not "break" into a machine through security holes

Actually a worm is the only type of malware that exploits are security hole. Trojans and viruses really only differ in that a virus is a file infecter, ie it's going to append its code to legitimate executable file(s) existing on the system. A trojan is just malware pretending to be something it's not, much like the real trojan horse. Granted, much of the malware today are blended threats with some aspects of each, so the distinctions are somewhat blurred. But IMO, the original distinctions very accurately described how each malware functioned, like how floppy disks used to be notorious vectors for transmission of viruses similarly to how a real virus would spread in the community.

Re:fanboys unite

[noamsml]

That was supposed to be the OS that can't be hijacked.

(I know nothing about kernel programming, please don't lynch me)

Removal

[mkiwi]

So how do we remove the Trojan if it gets stuck inside the Mac?*

*Take in any context you like.

Re:But does it matter?

[mollymoo]

From the point of view of avoiding accidents, the safest cars aren't generally the ones considered or rated as "safe". Avoiding accidents ("active safety") is an entirely different ball game to surviving crashes ("passive safety"), which is what most people think of when they talk about safety. If you want to avoid an accident, you want lots of grip, good brakes, minimal mass, good visibility and small size. In other words, you want a sports car. If you want to survive an accident, you want large size and high mass. In other words you (theoretically) want an SUV (theoretically because SUVs are not all built to the same standards as cars).

Re:But does it matter?

[iluvcapra]

The GP:

It sounds like this trojan comes with a local privilege escalation vulnerability otherwise this also depends on users on Macs having root level access.

Stare argumentum; this executable in question makes no use of an exploit, the OS behaves exactly as the user commands.

OS X most certainly does have a root user, it's *interactive* logins by root that are disabled by default.

Not just interactive logins, logins period. There is no process you can undertake by which you will be recognized as real user 0 without setuid(), thus you already need to be euid 0, and thus you must be either a sudoer and recently authenticated or running a binary owned by root. I think the distinction is semantic and doesn't advance on the original point the poster made. "Users" on Macs don't have root-level access, they only have the privilege of running a program with euid of root, given they enter their password. That's very different from the implied "they all run in admin mode" of the parent.

Re:But does it matter?

[krunk7]

Trojans don't rely IE vulnerabilities to get email addresses after infection. They can do the exact same thing they do on Windows on an OS X box once infected. It sounds like this trojan comes with a local privilege escalation vulnerability otherwise this also depends on users on Macs having root level access. It was only a matter of time before someone would target it. Whether more and more people target it is a completely separate issue. As a cross-platform user of all sorts of systems I generally prefer that things aren't targeted at all. I do enjoy the people saying OS X was inherently secure based on absolutely no knowledge of OS X's foundation finally being hit with the clue-by-four. Now they can actually start learning what it is they are spouting about and present intelligent arguments which are always better than empty ones. Of course that may just be a tad bit optimistic on my part. No system connected to the outside world is 100% secure, does this in any way change my thoughts on OS X security? Nope, not at all because I always understood this problem as it exists on any platform which lets the user download and run software.

Let me clarify: There is no OS ever made that is immune to user stupidity. I could have an installer for any *nix based OS authenticate then run rm -rf /* or "take over a system". This is a given. It's not a security flaw, it's a user stupidity flaw. When windows is appropriately bashed for its poor security record, it is due to unavoidable holes and exploits that allow escalation of privileges. IE has had a particularly horrid record in this area. Further, remote exploits impact on windows systems are aggravated by having said services enabled by default ready and willing for any network probe from an infected computer.

I suppose we could go