Slashdot Mirror


Fake Codec is Mac OS X Trojan

Kenny A. writes "Multiple news organisations are reporting on an in-the-wild Mac OS X malware attack that uses porn lures to plant phishing Trojans on Mac machines. The attack site attempts to trick users into downloading a disk image (.dmg) file disguised as a codec that's required for viewing the video. If the Mac machine's browser is set to open 'Safe' files after downloading, the .dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected, but once the Trojan is installed, it has full control of the machine."

9 of 473 comments

  1. It begins by JohnPnP · · Score: 2, Interesting

    Am I the only one to think 'finally'?

    1. Re:It begins by Anonymous Coward · · Score: 5, Interesting

      And by finally I assume you mean that Apple finally has succeeded in luring the coveted dimwit market to its products.

    2. Re:It begins by prockcore · · Score: 2, Interesting

      The thing is, if it weren't for the DNS modifications, this wouldn't need a password.

      Here's a basic outline of what could be a very nasty trojan for OSX:

      A simple program that actually does something handy.. like fix the dock in Leopard. When you run it it also replaces Safari with a hacked version that sends all SSL traffic unencrypted to a 3rd party.

      Any program you run on OSX can modify the apps in your /Applications directory *without* requiring a password.
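A defender's check for the point prockcore makes above (added here as an example; it is not code from the thread): it lists the application bundles under a directory that a given ordinary account could alter without a password prompt, either because the account owns the bundle or because group/other write bits are set on it or on its Contents/MacOS directory. The directory and user are parameters so it can be run against a test tree as well as /Applications; bundle names are simply directories ending in .app.

```shell
#!/bin/sh
# Audit of user-modifiable application bundles (added example, not from
# the Slashdot thread). On a Mac run it as:
#   sh audit_apps.sh /Applications "$(id -un)"
# It parses `ls -ld` rather than `stat` so it behaves the same on macOS
# and Linux.

# modifiable_by PATH USER -> 0 if USER could write to PATH, judged by
# ownership or by group/other write permission on the directory
modifiable_by() {
    path=$1; user=$2
    [ -d "$path" ] || return 1
    set -- $(ls -ld "$path")        # $1 = mode string, $3 = owner name
    [ "$3" = "$user" ] && return 0
    case "$1" in
        ?????w*|????????w*) return 0 ;;   # group or other write bit set
    esac
    return 1
}

# writable_apps DIR USER -> prints each .app bundle under DIR whose top
# directory or Contents/MacOS directory USER could tamper with
writable_apps() {
    for app in "$1"/*.app; do
        [ -d "$app" ] || continue
        if modifiable_by "$app" "$2" || modifiable_by "$app/Contents/MacOS" "$2"; then
            printf '%s\n' "$app"
        fi
    done
}

# count_writable_apps DIR USER -> number of such bundles
count_writable_apps() {
    writable_apps "$1" "$2" | wc -l | tr -d ' '
}

if [ $# -eq 2 ]; then
    writable_apps "$1" "$2"
    echo "$(count_writable_apps "$1" "$2") bundle(s) under $1 are modifiable by $2 without a password"
fi
```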

  2. It begins? by znu · · Score: 4, Interesting

    Your subject seems to suggest that you believe that now that there's actually a piece of Mac malware in the wild, things will snowball, and there will be more and more. Is there any logical reason to believe that this is the case? In the latter days of pre-X Mac OS, there was some malware program or other released every year or three, but the rate never seemed to climb.

    Any Mac haters gleefully hoping that this is the start of a Mac threat environment similar to the Windows threat environment are probably going to be quite disappointed.

    --
    This space unintentionally left unblank.

  3. But does it matter? by khasim · · Score: 5, Interesting

    Right now you have to convince people to install the trojan.

    Okay, that will give you X% of all the Mac users out there.

    Then what? How do you increase X?

    With Windows, the trojans scan the hard drive for email addresses and send out links to every address it can find. That depends upon unpatched exploits in IE or you having friends who are as dumb as you.

    If the same happens here ... I don't see the growth rate being above the disinfection rate.

    1. Re:But does it matter? by Matey-O · · Score: 2, Interesting

      FWIW, I discovered Parallels includes a demo of Kaspersky's virus scanner. Installing it on a lark, it discovered a 'proof of concept bluetooth stack' exploit when scanning the folders that Parallels shares with the guest OS.

      I have no idea where it came from, and it looks like it didn't activate (the vector is, apparently, 'you've received an OOBEX file exchange, do you want to accept it?' at which point it infects the system).

      I think our days of blissful ignorance are drawing to a close. That said, I don't believe a Mac virus solution needs to be as overbearing and draconian as the ones I've seen for the PC (Symantec, Norton, etc.)

      --
      "Draco dormiens nunquam titillandus."

  4. Re:Steps to get infected by Rob+T+Firefly · · Score: 2, Interesting

    3) Click "OK" that you are downloading a .DMG file. But I thought Macs had no step 3!!

  5. Really typical trojan actually - old school stuff by necro2607 · · Score: 2, Interesting

    This basic "social engineering"-based trojan is old news.

    I remember back when I ran a Hotline server (with fully legal files of course) from around 1997-2001, and people would try to "hack" my server by uploading these well-disguised "utilities" that were actually AppleScript applets that, when executed, would secretly add a maximum-privileged admin account to the HL server. Someone would upload one of those and go "Hey dude check out this sweet [game/app/whatever], it's pretty cool!"... Of course, I always highly scrutinized user uploads and managed to catch them every time (fortunately), but the trojans were pretty damn convincing in terms of seeming genuine. Legit-looking application icon and detailed info with copyright etc. for whatever program the applet was masquerading as.

    I'm sure a lot of other former Hotline server admins will remember the exact same thing, and I'm sure a lot of people unsuspectingly ran these malicious apps back in the day, not realizing how easy it was to disguise an app and conceal its actual purpose.

    Anyway, needless to say, this type of trojan is old news. The only good thing about all the "OMFG" news-reporting is that users will be a little more vigilant about what they download and run, hopefully. Besides that, it's a complete non-item.

  6. Macintosh vs. Unicorns. by Kaenneth · · Score: 4, Interesting

    Modern Macs may have few viruses, trojans, etc. (a 68000 based Mac is where I first saw a virus myself, but I know OS/X is much better.)

    However, I have also never seen a unicorn with rabies.

    A Mac virus won't spread via the 'net because the odds of a random connection leading to another Mac are much smaller than hitting a PC.

    What I would find interesting is a multi-platform worm/virus (which would be easier with newer Macs being x86 based (are there 64 bit Macs? what's their RAM limit?)). Not something high level, like a Word-macro or Java virus, but something that when executing on a PC, keeps its Mac payload as data, and vice-versa, maybe even using 'boot-camp' machines to cross boundaries.

    I think IPv6 may do a lot to reduce internet worms; first, by eliminating non-compatible worms, secondly, by making scanning the global IP address space take about 79228162514264337593543950336 times as many probes. But address books and such will still be sources of targets.