New Mac Virus Discovered, Making the Rounds

sl4shd0rk writes "A new Mac OS X exploit was discovered Friday morning by Kaspersky Labs which propogates through a zipfile attachment. The attachment tricks the Mac user into installing a variant of the MaControl backdoor via point-and-grunt. Embedded in the virus is an encrypted IP address belonging to a server in China which is believed to be a C+C server. Once installed, the virus opens a backdoor allowing the attacker on the C+C server to run commands on the compromised machine. Shortly after Kaspersky's announcement, AlienVault Labs claims to have found a similar version of the Mac malware which infects Windows machines. The Windows version appears to be a variant of the Gh0st RAT malware used last month in targeted attacks against Central Tibetan Administration. Both viruses are suspected of being tools in a campaign to attack Uyghur Activists."

Re:What is wrong with you people?

[KhabaLox]

http://en.wikipedia.org/wiki/Plural_form_of_words_ending_in_-us#Virus [wikipedia.org]

Re:What is wrong with you people?

[Rosyna]

The problem here is that OSX inherently lacks software that raises flags when 'the incident' happens, or at least it seams to be that way.. Does the victim has any built-in protection to deal with such a malware infection?

Mac OS X has an automatic malware scanner. The malware definitions are checked for updates daily, automatically.

The last update to the definitions was on June 26th, 2012. I do not know if it contains the definitions for this malware yet.

Re:Point and grunt ?

[LordLucless]

I've heard the term before, but not for a while. When I used to hear it, it was a dig at the intelligence of GUI users, as opposed to people who used the CLI. Since the GUI's become so dominant, I haven't heard it nearly so much. Looks like the OP's a recessive.

Re:What is wrong with you people?

[beelsebob]

The problem here is that OSX inherently lacks software that raises flags when 'the incident' happens, or at least it seams to be that way.. Does the victim has any built-in protection to deal with such a malware infection?

Yes, there's built in protection against selected malwares, come mountain lion, unsigned, or signed-with-revoked-certificates binaries will not run by default either.

Does the OS X possess mechanisms to monitor or block outgoing traffic?

Yes, and they're turned on by default.

Does this system even has a proper driver structure to allow insertion of your monitoring pass-through driver into the TCP or disk driver stack?

Yes, you can use dtrace to monitor this kind of thing if you want.

Re:So what's so special about this one?

[thetoadwarrior]

This story isn't covering a virus either. It is a malicious application but one that relies on an idiot running an application from a stranger and ignoring the warning suggesting that maybe you shouldn't open it.

Re:What is wrong with you people?

[jbolden]

OSX is a unix of course it allows insertion of software between the real and virtual TCP stack, the dev filesystem.

Here are two common utilities that wrap that functionality:
http://www.metakine.com/products/handsoff/ [metakine.com]
http://www.obdev.at/products/littlesnitch/index.html [obdev.at]

Re:Yawn

[LinuxIsGarbage]

Wake me up when they find something that can infect a Mac connected to the internet when no is one using it. You know, kind of like "install windows, connect to internet, pwned in 15 minutes"?

Anyone can do a user-mode trojan that says "PLEEZE INSTAWL ME! I'M A UPGRAYD!"

That was only an issue with Pre- WindowsXP-SP2 computers. SP2 was released 8 years ago. With SP2 Windows firewall came enabled by default, which protected unpatched services (like SMB) from being connected directly to the internet.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Misuse of the term "virus".

[k(wi)r(kipedia)]

But now a days, you got these kids sitting at home, browsing sites, looking for software that is outside their financial reach so they can learn it to get a good job.

If you sit at home the only thing within reach would be the keyboard. Seriously, I thought the two M's (including some P) was the stuff most kids got off the Net. That's why you get all these BT lawsuits from the entertainment industry, but few from the BSA, which prefers to target people who don't just sit at home all day.

Re:Misuse of the term "virus".

[Anonymous Coward]

Some good analogies to teach your average joe about interweb threats.

VIRUS: The girl have an STD.
MALWARE: The girl have crabs.
TROJAN: That girl is 2 weeks pregnant.

All with the same solution, dont have slutty sex.

Re:Why is this news?

[TheRaven64]

Except remember how Safari had a similar issue several years ago? It could automatically launch stuff that was downloaded just by virtue of you hitting the wrong page?

That particular issue was related to the definition of 'safe' files. By default, every web browser runs some kinds of files, in particular HTML and (usually) JavaScript and images. If you have a vulnerability in your png renderer or HTML parser, for example, then opening any web page will exploit the browser. The only difference with Safari was that PDF was included in the list of files that are safe. The same applies to most browsers with the Adobe plugin installed. The Adobe plugin has also had a number of vulnerabilities in recent years.

The problem here wasn't running code by default, it was loading untrusted data through a large body of complex code outside a sandbox. Chromium and Safari (and, I think, IE9) now open everything that's downloaded from an untrusted source and loaded automatically in an environment with reduced privilege. The Chromium sandbox is a bit better (although it varies a lot depending on the platform: on Windows it's pretty poor) and runs at a finer granularity, so with Safari an exploit may still give an attacker access to state held by other tabs (the same applies to Chromium if you have more than some threshold number of tabs open - 20, I believe).