Fake Codec is Mac OS X Trojan
Kenny A. writes "Multiple news organisations are reporting on an in-the-wild Mac OS X malware attack that uses porn lures to plant phishing Trojans on Mac machines. The attack site attempts to trick users into downloading a disk image (.dmg) file disguised as a codec that's required for viewing the video. If the Mac machine's browser is set to open 'Safe' files after downloading, the .dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected, but once the Trojan is installed, it has full control of the machine."
Um, they do. But if you decide to install malicious software on your system as the owner, what can we do? What can anybody do? Seriously, this is not a virus; it is a human (id10T) user weakness... seen on ALL systems regardless of OS.
I love the sound of burning women and screaming rubber....
The summary is misleading: it does not give full control of the computer to the attacker, but changes the DNS server for phishing.
It could just as easily install a VNC server I suppose.
Full control of DNS, yes. As far as I've seen, it's not a remote root exploit or anything. It just installs global DNS servers that cannot be easily removed or even noticed.
Jory
To get infected, you have to:
1) Go to a porn site
2) Download a plugin from the porn site
3) Click "OK" that you are downloading a .DMG file
4) Mount the .DMG
5) Go back to the Finder
6) Double-click the installer
7) Type in your account password
8) Click next a few times
Calling this, "In the Wild," is laughable. How did the porn site "get infected"? I'll bet anything that the porn site(s) in question know exactly what they are doing...
The Right Reverend K. Reid Wightman,
This is neither a virus nor a worm; it's a trojan. A trojan is a program that does or claims to do something useful, which gets you to install it. Once installed, it does something else in addition to or instead of what you installed it for.
No OS is foolproof, and even Mac and Linux users can be fools. Mac and Linux machines can be broken into, can get trojans, their users can be tricked into giving out passwords, but there are no Mac or Linux viruses in the wild.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
Malware does not equal virus; it does not "break" into a machine through security holes, it hacks the wetware between the monitor and the seat, convincing them to consent to the install.
It's impossible to make a machine fully idiot-proof, but in the past couple of versions Apple has added 3 new "nag" boxes to Safari in attempts to warn people.
Anyone who goes through that many screens deserves to have it installed.
I don't install any media player or codec if it asks for root permission.
Even Flip4Mac doesn't require full permissions.
You drop the free component into your home's Library folder and it runs in user space when websites call for WMV decoding.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Actually, there was the "MacMag" HyperCard trojan from way back in 1988...
We're simply talking about social engineering. Windows, OS X, *BSD, Linux (and probably most other operating systems out there) are all vulnerable to this sort of attack, there's just little in the way of motivation to actually do it.
The part where the dmg is automatically opened is the only thing that even resembles a vulnerability as such, though it should actually be filed under "insecure default settings" rather than a vulnerability per se. This said, both linked articles are quite sparse with information regarding the actual installation. From my experience Safari should say something about the archive/disk image containing an application before actually mounting the dmg, and then prompt for an administrator password for the package to be installed. If either of these steps is compromised, you can call this interesting, because there's an exploit at work. If not, then it's a bog-standard social engineering attack, to which every platform is vulnerable. The only news here is that you can't browse the web with your Mac in a completely carefree manner anymore, because there are some Bad Things out there targeting you.
Not quite, the only player I've come across which needs root access for install was RealPlayer (presumably for the DRM).
MPlayer, VLC, and even the Flip4Mac WMV codec do not require root permissions.
The reason this is not required is the way Mac apps access libraries.
The codecs in MPlayer and VLC (much like the libraries in most other Mac apps) are combined into the app, and therefore not shared among all users. Each user has his own set (and configuration) and they operate in user space.
QuickTime works similarly. While you can drop your components (codecs) into the root Library directory, each home folder has one of its own, again allowing each user to customize the codecs used.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Nice Try tho...
Fiat Homos et Pereat Theos
Trojan, that requires the admin password.
There are two types of people in the world: Those who crave closure
Yes, but hasn't Intego tried to scare Mac users into purchasing their virus protection before? In fact, they've done this quite a bit. Check out their report and pay close attention to the "Means of protection" paragraph at the end of the article.
The news is Intego attempting to scare up business; this is not a Mac virus, especially when you have to do quite a few stupid things along with giving permission to install from an admin. My goodness...
"The greatest obstacle to discovery is not ignorance - it is the illusion of knowledge." - Daniel Boorstin
"Every conceivable video codec I'd ever need" except the few doozies: wmv, realplayer, and divx. Like it or not these are widely used, and not just for porn.
But easy to remove.
"finally"....what? That a trojan is on an OS? Every OS can have a trojan on it.
A "virus" takes advantage of flaws in the OS. A "trojan" takes advantage of flaws in the user of the OS.
You could have the most secure, bug-free OS in the world and still a trojan could bring it all down like a house of cards. All it needs to do is fool the user/admin into giving it root access and WHAM, your system is compromised. It's not the fault of the OS or any inherent flaws in the OS.
Hell, you could have a sheet of paper lying next to the computer that itself is a "trojan". All it has to say is "To fix this problem, bring up Terminal, type "sudo rm -rf /" and all your troubles will be wiped away". Someone that isn't totally computer literate may fall for something like this.
So before anyone jumps all over OS X or any OS as being vulnerable, think for a moment.
There is no "finally" to this. This isn't an exploit. This isn't a virus.
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
If you have open safe files, it mounts the disk image and then you have to run the installer.
If you do not have open safe files, you have to double click the disk image before you can run the installer.
If you have been so thoroughly tricked that you will run the installer, whether "open safe files" is checked is irrelevant.
Integrate Keynote and LaTeX
Second off, I assume you mean software from small independent vendors; I'm curious why this type of software isn't "proper software".
Lastly, you rarely "install" applications in OS X, it isn't Windows. You can run them from your own Applications folder, which requires only your own rights. The apps that do require admin rights are modifying the system in some way, and those do require you to give the administrator password. Since this dialog is rare, people do pay special attention when it pops up. There's only so much an OS designer can do.
And I quote "850 new threats were detected against Windows. Zero for Mac."
Yes, it admits it's possible, it doesn't however, admit there are any.
Wow, that's an astonishingly blatant use of creative quoting without context. Let's read the whole paragraph, unedited, shall we?
By the end of 2005, there were 114,000 known viruses for PCs. In March 2006 alone, 850 new threats were detected against Windows. Zero for Mac. While no computer connected to the Internet will ever be 100% immune from attack, Mac OS X has helped the Mac keep its clean bill of health with a superior UNIX foundation and security features that go above and beyond the norm for PCs. When you get a Mac, only your enthusiasm is contagious.
A bit different than your out-of-context snippet this way, isn't it?
How do the facts then agree with your claim that "it doesn't however, admit there are any."? Says right there "While no computer connected to the Internet will ever be 100% immune from attack,". Sheesh. It's almost like you figured nobody would check your claim to see how blatantly you misrepresented it.
And why does Safari have the Open "safe" files option on by default, again? I don't get that.
Actually it used to be worse. Safari used to have a hidden pref that allowed you to open any file you downloaded, not just "safe" ones. All it took was editing some XML prefs to add file types you wanted to auto-open when downloaded. I used this to write a file browser that let me open various files after I downloaded them (like PSDs in Photoshop, basically stuff I actually found useful). A few years ago Apple cut that part out and restricted it to only files they deem as safe, which is a pretty small subset of file types.
That said, I don't mind the option (rather like it actually) but it should be turned off by default.
(I know nothing about kernel programming, please don't lynch me)
My new blog
*Take in any context you like.
From the point of view of avoiding accidents, the safest cars aren't generally the ones considered or rated as "safe". Avoiding accidents ("active safety") is an entirely different ball game to surviving crashes ("passive safety"), which is what most people think of when they talk about safety. If you want to avoid an accident, you want lots of grip, good brakes, minimal mass, good visibility and small size. In other words, you want a sports car. If you want to survive an accident, you want large size and high mass. In other words you (theoretically) want an SUV (theoretically because SUVs are not all built to the same standards as cars).
Chernobyl 'not a wildlife haven' - BBC News
The GP:
"It sounds like this trojan comes with a local privilege escalation vulnerability otherwise this also depends on users on Macs having root level access."
Stare argumentum; this executable in question makes no use of an exploit, the OS behaves exactly as the user commands.
"OS X most certainly does have a root user, it's *interactive* logins by root that are disabled by default."
Not just interactive logins, logins period. There is no process you can undertake by which you will be recognized as real user 0 without setuid(), thus you already need to be euid 0, and thus you must be either a sudoer and recently authenticated or running a binary owned by root. I think the distinction is semantic and doesn't advance on the original point the poster made. "Users" on Macs don't have root-level access, they only have the privilege of running a program with euid of root, given they enter their password. That's very different from the implied "they all run in admin mode" of the parent.
Don't blame me, I voted for Baltar.
Let me clarify: There is no OS ever made that is immune to user stupidity. I could have an installer for any *nix-based OS authenticate then run rm -rf /* or "take over a system". This is a given. It's not a security flaw, it's a user stupidity flaw. When Windows is appropriately bashed for its poor security record, it is due to unavoidable holes and exploits that allow escalation of privileges. IE has had a particularly horrid record in this area. Further, the impact of remote exploits on Windows systems is aggravated by having said services enabled by default, ready and willing for any network probe from an infected computer.
I suppose we could go