Fake Codec is Mac OS X Trojan
Kenny A. writes "Multiple news organisations are reporting on an in-the-wild Mac OS X malware attack that uses porn lures to plant phishing Trojans on Mac machines. The attack site attempts to trick users into downloading a disk image (.dmg) file disguised as a codec that's required for viewing the video. If the Mac machine's browser is set to open 'Safe' files after downloading, the .dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected, but once the Trojan is installed, it has full control of the machine."
Am I the only one to think 'finally'?
In my Macintosh? It's more likely than you think.
If you're stupid enough to go through all of those steps, you deserve to be infected.
The only cure to stupidity is intelligence.
If someone is stupid enough to download something, run it and give it the admin password, it will obviously be able to take control of the machine. No operating system or security software will stop that.
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
Where is the "haha" tag for this post? WHERE?!
The summary is misleading; it does not give full control of the computer to the attacker, but changes the DNS server for phishing.
It could just as easily install a VNC server I suppose.
Full control of DNS, yes. As far as I've seen, it's not a remote root exploit or anything. It just installs global DNS servers that cannot be easily removed or even noticed.
Jory
That's like saying that Troy had to put their enemies in the horse, then drag it up to the gate, drag it through and then offer a soft cushy landing spot for warriors coming out of the horse.
Name an operating system that can't be infected when a user gives an admin password.
To get infected, you have to:
1) Go to a porn site
2) Download a plugin from the porn site
3) Click "OK" that you are downloading a .DMG file
4) Mount the .DMG
5) Go back to the Finder
6) Double-click the installer
7) Type in your account password
8) Click next a few times
Calling this, "In the Wild," is laughable. How did the porn site "get infected"? I'll bet anything that the porn site(s) in question know exactly what they are doing...
The Right Reverend K. Reid Wightman,
If Apple really wants to continue to provide users with the "Open Safe Files" option in Safari, it would make a whole lot of sense to associate that feature with a white list of approved domain names like apple.com, adobe.com, etc.
Part of the hardcore faithful who believed in Apple long before it was cool again to do so
Your subject seems to suggest that you believe that now that there's actually a piece of Mac malware in the wild, things will snowball, and there will be more and more. Is there any logical reason to believe that this is the case? In the latter days of pre-X Mac OS, there was some malware program or other released every year or three, but the rate never seemed to climb.
Any Mac haters gleefully hoping that this is the start of a Mac threat environment similar to the Windows threat environment are probably going to be quite disappointed.
This space unintentionally left unblank.
This is neither a virus nor a worm; it's a trojan. A trojan is a program that does or claims to do something useful, which gets you to install it. Once installed, it does something else in addition to or instead of what you installed it for.
No OS is foolproof, and even Mac and Linux users can be fools. Mac and Linux machines can be broken into, can get trojans, their users can be tricked into giving out passwords, but there are no Mac or Linux viruses in the wild.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
Malware does not equal virus; it does not "break" into a machine through security holes, it hacks the wetware between the monitor and the seat, convincing them to consent to the install.
It's impossible to make a machine fully idiot proof, but in the past couple of versions Apple has added 3 new "nag" boxes to Safari in attempts to warn people.
Anyone who goes through that many screens deserves to have it installed.
I don't install any media player or codec if it asks for root permission.
Even Flip4Mac doesn't require full permissions.
You drop the free component into your home's Library folder and it runs in user space when websites call for WMV decoding.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Actually, the only people claiming that Macs are immune to malware, are people like you claiming others are doing so specifically so you can say these mythical people are wrong. This is a case of a program not being what it claims to be, and using social engineering to get someone to install something, make it executable, authenticate as root, and run it. No different than a year or three ago when someone came out with a fake Office for OSX package they shared on the P2P networks which was really a shell script that removed files. Not a virus - this doesn't install itself.
A "virus" with an install procedure which includes "and then become root and run it" isn't going to have legs.
Right now you have to convince people to install the trojan.
... I don't see the growth rate being above the disinfection rate.
Okay, that will give you X% of all the Mac users out there.
Then what? How do you increase X?
With Windows, the trojans scan the hard drive for email addresses and send out links to every address it can find. That depends upon unpatched exploits in IE or you having friends who are as dumb as you.
If the same happens here
We're simply talking about social engineering. Windows, OS X, *BSD, Linux (and probably most other operating systems out there) are all vulnerable to this sort of attack, there's just little in the way of motivation to actually do it.
The part where the dmg is automatically opened is the only thing that even resembles a vulnerability as such, though it should actually be filed under "insecure default settings" rather than a vulnerability per se. This said, both linked articles are quite sparse with information regarding the actual installation. From my experience Safari should say something about the archive/disk image containing an application before actually mounting the dmg, and then prompt for an administrator password for the package to be installed. If either of these steps is compromised, you can call this interesting, because there's an exploit at work. If not, then it's a bog standard social engineering attack, to which every platform is vulnerable. The only news here is that you can't browse the web with your Mac in a completely carefree manner anymore, because there are some Bad Things out there targeting you.
You find this "movie codec thingy" at a shady pr0n website (alarm #1), and it asks you to specifically download a .dmg file (alarm #2), install it with admin/root permissions (alarm #3) just to play a non-standard codec (alarm #4).
Meanwhile, by comparison, there are a whole host of Windows nasties you can get just by, say, visiting a website with a rigged IFRAME in the page.
QED: It's not a question of fanboys pooh-poohing something because it's their pet OS - it's a question of simple fucking logic.
Come back and tell us about it when OSX (eventually) has an attack vector that doesn't require the user to be a complete and utter dumbass, please.
Quo usque tandem abutere, Nimbus, patientia nostra?
I've seen this story on several Apple/Mac related news sites already, and the majority of the comments consisted of Apple apologists telling each other "nothing to worry about, because you still have to enter your admin password".
The type of people who will be infected by this will be similar to the types that get caught up in the 419 scam.
The only real reason this is news is because it's the first occurrence of an OSX trojan in the wild. Much like Crispus Attucks, it's only getting exposure because it's the first.
This really isn't any different than someone creating an AppleScript called FreePr0n.app that erases a user's hard drive, and as other commenters have pointed out, it requires a bit of user interaction to actually get itself installed. Although I'm sure people who jumped ship to OSX thinking that the Mac is virus-proof are going to run anything and everything they come across on the internet thinking they're safe.
Good thing Leopard adds an extra layer of protection.
And why does Safari have the Open "safe" files option on by default, again? I don't get that.
...spike
Ewwwwww, coconut...
Not quite; the only player I've come across which needs root access for install was RealPlayer (presumably for the DRM).
MPlayer, VLC, and even the Flip4Mac WMV codec do not require root permissions.
The reason this is not required is the way Mac apps access libraries.
The codecs in MPlayer and VLC (much like the libraries in most other Mac apps) are combined into the app, and therefore not shared among all users. Each user has his own set (and configuration) and they operate in user space.
QuickTime works similarly. While you can drop your components (codecs) into the root Library directory, each home folder has one of its own, again allowing each user to customize the codecs used.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
One thing I noticed was that the more times a user has to enter their security password the more likely they become complacent and assume that any install is going to require it and any install that occurs is going to be safe.
Basically what sunk later attempts by Microsoft to patch security. As soon as they added "warnings" (aka popups) people got into the habit of clicking yes and thereby undoing any chance the programmers had at protecting users from being stupid. You can even blame this behavior on EULAs which require click-through - people do this automatically.
As the Mac gains in popularity the number of careless people will go up and infections like this will occur more often. The key is finding a way to train the user that it's WRONG. That or finding a way to have the OS run objects installed in some form of "safe mode" for a time without letting the user in on it.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Nice Try tho...
Fiat Homos et Pereat Theos
Trojan, that requires the admin password.
There are two types of people in the world: Those who crave closure
The Windows way. None of this download, mount, open, click, password, click, click nonsense.
Who says Macs "just work"? Obviously they don't for trojans!
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
Yes, but hasn't Intego tried to scare Mac users into purchasing their virus protection before? In fact, they've done this quite a bit. Check out their report and pay close attention to the "Means of protection" paragraph at the end of the article.
The news is Intego attempting to scare up business; this is not a Mac virus, especially when you have to do quite a few stupid things along with giving permission to install from an admin. My goodness...
"The greatest obstacle to discovery is not ignorance - it is the illusion of knowledge." - Daniel Boorstin
"Every conceivable video codec I'd ever need" except the few doozies: wmv, realplayer, and divx. Like it or not these are widely used, and not just for porn.
But easy to remove.
No more shall we endure your taunts of being too obscure a minority to contend with! Even the Russian Mafia thinks we're worth taking notice of now.
...Now we too shall know the bane of being pestered by colleagues and neighbours to help them score pirate software and to undo the embarrassing things they do to their machines.
These stories are free but worth money.
"The attack site attempts to trick users into download a disk image (.dmg) file disguised as a codec"
I always knew there was something phishy about a .damage file. They should have never named it .dmg, it just begs to be used to .damage something!
".dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected but once the Trojan is installed"
Lesson learned - NEVER mount a .damaged Trojan, or you may become infected.
He who knows best knows how little he knows. - Thomas Jefferson
Your argument isn't as original as you'd like. It's also flawed. Just compare Apache to IIS. Apache has much greater market share, but IIS gets exploited like Swiss cheese. How do you explain that?
Another counter argument: Although Linux has a much smaller installed base than Windows, a cracker could stand to gain much more by exploiting Linux. Imagine the wealth of sensitive data hosted on Linux servers.
Raj Against the Machine! http://social-butterfly.appspot.com/
I did not say that they did. I said that the trojan scanned the hard drive of the infected computer to find anything that looked like an email address so it could send links to those addresses.
If someone clicked on one of those links AND had a version of IE that was exploitable, then they were infected.
That is how X increases in the Windows segment.
Yes they can. But they still depend upon a browser vulnerability in that scenario. Microsoft's decisions with IE (ActiveX, "integrating" it into the OS) means that the exploits are worse with IE than with, say, Firefox.
Targeting it does not matter. What matters is how to increase X%.
If the infection rate is below the disinfection rate, the trojan dies "in the wild".
Yeah. You go with that.
Actually, it appears that your argument is the one that is empty.
Getting ONE person to infect his Mac is not much of an achievement. With enough users, eventually you'll find one dumb enough to fall for any scam.
What matters is how fast it will spread.
So far, this trojan has demonstrated that Macs are extremely secure. The trojan is not spreading.
Compare that with the Storm Worm.
And who is saying that 100% security is needed?
Security is a PROCESS. Not an end-item.
All that is needed is for Macs to have an infection rate that is BELOW the disinfection rate. Then the viruses and trojans and worms will all die "in the wild".
No need to make any claims about "100% secure" or not. It's the infection rate that matters. Does it spread faster than it is removed? If it does not, then it is not a threat. If it is not a threat, then the Mac is still considered "secure" by its user.
I don't know about you, but if grandmagoldenshowers.com recommends that I download software, I do. If my operating system gives me a detailed warning about the software that I downloaded from the porn site, I disregard it. And if I'm forced to authenticate the installation, I do.
Porn sites have given me hours of free orgasms at my desk, why wouldn't I blindly trust them?
Oh and I also always give my credit card and social security number to Ebay when they're having problems with my account and they direct me to www.secureauthenticate.ebay.com.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
I hate this ignorant attitude that unless something happens automatically it won't happen. Sorry, but most trojans go in the front door, not the back one (hence the name "trojan"). Better than 90% of the infected computers I encounter are infected with something the user had to take an active hand in installing.
One of my all time favourites was an e-mail virus. This happened after we installed our spam filter, which is also a virus scanner, so it was a surprise to us since installing it had dropped the occurrence to zero prior to this (no matter how many times we harp on them, many people refuse to run virus scanners). At any rate the way this file got around the virus scanner was by sticking itself in an encrypted zip file. It would then put the password to decrypt in the e-mail message.
So what a user had to do was get the e-mail, save the attachment, try to open it, look in the e-mail for the password, enter the password, get the exe, ignore everything we told them about not running exes and then run the exe. Quite complicated yet a number of people (4 if I remember correctly) did it. They assumed it HAD to be legit.
Well, same shit here. This is just proof that no, requiring an admin password doesn't make your system magically secure if the admin is willing to give it up. All they did is present the user with a mildly plausible scenario (that you need a new video codec) and bait that the users wanted (a porn video) and there you go.
This is simply proof of what many of us have been saying for a long time: Things like needing to enter an admin password are just hoops for a normal user to jump through. They do nothing to enhance security if there isn't a skilled operator. It isn't some magic security shield that will protect you from evil stuff. The power to install software implies the power to install bad software. The power to control a system implies the power to damage the system, and so on.
There's been a lot of make-believe going on that MacOS is immune to spyware/trojans because of its design, specifically the privilege escalation thing. This is proof that's not the case. You can put as many hoops up as you want, if the users want what's at the other end bad enough, they'll jump through them without looking to see if they are on fire.
Second off, I assume you mean software from small independent vendors; I'm curious why this type of software isn't "proper software".
Lastly, you rarely "install" applications in OS X, it isn't Windows. You can run them from your own Applications folder which requires only your own rights. The apps that do require admin rights, are modifying the system in some way, and those do require you to give the administrator password. Since this dialog is rare, people do pay special attention when it pops up. There's only so much an OS designer can do.
"The target must click through a series of screens"
And engage in a specific pattern of toe-tapping and handwaving.
September 2011: Looking for Cocoa/iOS work in Boston area Cocoa Programmer Quincy, MA
I thought that, given their hip status, that they'd be having sex instead of watching porn. Does this make them as pathetic as Windows users, yet?
This is an *insecure* default setting.
What is? BY DEFAULT Safari prompts you to allow downloading things like disk images from a remote website. Then BY DEFAULT it asks you if you trust an application from wherever it came from - even allowing you at any time to revisit the web page it was downloaded from! Then after all that, if you choose to run the file in the disk image you are further prompted BY DEFAULT for an admin password.
What exactly is the DEFAULT behavior that is wrong here? Should all ability for the user to download and install applications be removed?
This is not a NEW "exploit"; I remember hearing about this same exploit in a different form at least a year and a half ago. Apple had plenty of time to disable this feature.
What, the ability to download and run applications?
I don't see what your complaint is on this one. Apple has made the system as secure as they can make it, at some point the rest has to be left to the user.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
And i quote "850 new threats were detected against Windows. Zero for Mac."
Yes, it admits it's possible, it doesn't however, admit there are any.
Wow, that's an astonishingly blatant use of creative quoting without context. Let's read the whole paragraph, unedited, shall we?
By the end of 2005, there were 114,000 known viruses for PCs. In March 2006 alone, 850 new threats were detected against Windows. Zero for Mac. While no computer connected to the Internet will ever be 100% immune from attack, Mac OS X has helped the Mac keep its clean bill of health with a superior UNIX foundation and security features that go above and beyond the norm for PCs. When you get a Mac, only your enthusiasm is contagious.
A bit different than your out of context snippet this way, isn't it.
How do the facts then agree with your claim that "it doesn't however, admit there are any."? Says right there "While no computer connected to the Internet will ever be 100% immune from attack,". Sheesh. It's almost like you figured nobody would check your claim to see how blatantly you misrepresented it.
"and why does safari have the Open "safe" files on by default, again? I don't get that."
Actually it used to be worse. Safari used to have a hidden pref that allowed you to open any file you downloaded, not just "safe" ones. All it took was editing some XML prefs to add file types you wanted to auto-open when downloaded. I used this to write a file browser that let me open various files after I downloaded them (like PSDs in Photoshop, basically stuff I actually found useful). A few years ago Apple cut that part out and restricted it to only files they deem as safe, which is a pretty small subset of file types.
That said, I don't mind the option (rather like it actually) but it should be turned off by default.
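A defender-side check for the two concerns raised in this thread (the silent change of system-wide DNS servers described earlier, and Safari's "Open safe files" default discussed just above), added here as an example; it is not code from the thread, from Apple or from Intego. It assumes the Safari preference key AutoOpenSafeDownloads and the networksetup/defaults tools (macOS only); the allow-listed resolver addresses are constructed sample values.

```bash
#!/bin/bash
# Added example: audit DNS servers against an admin allow-list and report whether
# Safari still auto-opens "safe" downloads. The parsing/decision functions take
# plain text so they can be exercised offline; only main() touches the live system.

# Resolvers the admin expects on this machine (constructed sample values).
EXPECTED_DNS="192.0.2.53 192.0.2.54"

# unexpected_dns SERVER... : prints each server not in EXPECTED_DNS, one per line.
# Returns 0 when every server is expected, 1 when at least one is not.
unexpected_dns() {
    local rc=0 s e ok
    for s in "$@"; do
        ok=0
        for e in $EXPECTED_DNS; do
            [ "$s" = "$e" ] && ok=1 && break
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s\n' "$s"
            rc=1
        fi
    done
    return $rc
}

# parse_dns_output : reads `networksetup -getdnsservers <service>` output on stdin
# and keeps only address-looking tokens, dropping the
# "There aren't any DNS Servers set on ..." message that is printed when none are set.
parse_dns_output() {
    grep -E '^[0-9A-Fa-f.:]+$' || true
}

# autoopen_enabled VALUE : VALUE is what
# `defaults read com.apple.Safari AutoOpenSafeDownloads` prints (1 or 0).
# Returns 0 (true) when Safari will auto-open "safe" downloads.
autoopen_enabled() {
    [ "$1" = "1" ]
}

# Live checks; silently skipped where the macOS tools are absent.
main() {
    if command -v networksetup >/dev/null 2>&1; then
        # First line of -listallnetworkservices is an explanatory header; skip it.
        networksetup -listallnetworkservices | tail -n +2 | while read -r svc; do
            servers=$(networksetup -getdnsservers "$svc" | parse_dns_output)
            # shellcheck disable=SC2086  # word-splitting the server list is intended
            bad=$(unexpected_dns $servers) ||
                echo "WARN: service '$svc' uses unexpected DNS server(s): $bad"
        done
    fi
    if command -v defaults >/dev/null 2>&1; then
        # The key is absent until changed, and the shipped default is "on", so treat
        # a missing key as 1.
        v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo 1)
        autoopen_enabled "$v" &&
            echo "WARN: Safari auto-opens 'safe' downloads; turn it off with:" \
                 "defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
    fi
}

main
```

Run it as the user whose Safari preferences you want to inspect; the DNS allow-list should be edited to match the resolvers your network actually hands out.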
I've found a great way of getting free pr0n and warez on Mac OSX. Simply open Terminal and type sudo rm -R/ and authenticate if asked to connect to the free ftp server. Works like a charm for me.
There, can someone write a story about this now.
spoonerize "magic trackpad"
(I know nothing about kernel programming, please don't lynch me)
My new blog
*Take in any context you like.
"What's the sound of a thousand eyes rolling?"
:(
Jeez, I don't know, but it probably sounds pretty damn disgusting. Gross!
This basic "social engineering"-based trojan is old news.
I remember back when I ran a Hotline server (with fully legal files of course) from around 1997-2001, and people would try to "hack" my server by uploading these well-disguised "utilities" that were actually AppleScript applets that, when executed, would secretly add a maximum-privileged admin account to the HL server. Someone would upload one of those and go "Hey dude check out this sweet [game/app/whatever], it's pretty cool!"... Of course, I always highly scrutinized user uploads and managed to catch them every time (fortunately), but the trojans were pretty damn convincing in terms of seeming genuine. Legit-looking application icon and detailed info with copyright etc. for whatever program the applet was masquerading as.
I'm sure a lot of other former Hotline server admins will remember the exact same thing, and I'm sure a lot of people unsuspectingly ran these malicious apps back in the day, not realizing how easy it was to disguise an app and conceal its actual purpose.
Anyway, needless to say, this type of trojan is old news. The only good thing about all the "OMFG" news-reporting is that users will be a little more vigilant about what they download and run, hopefully. Besides that, it's a complete non-item.
Modern Macs may have few viruses, trojans, etc. (a 68000-based Mac is where I first saw a virus myself, but I know OS X is much better.)
However, I have also never seen a unicorn with rabies.
A Mac virus won't spread via the 'net because the odds of a random connection leading to another Mac is much smaller than hitting a PC.
What I would find interesting is a multi-platform worm/virus (which would be easier with newer Macs being x86 based (are there 64-bit Macs? what's their RAM limit?)). Not something high level, like a Word-macro or Java virus, but something that when executing on a PC, keeps its Mac payload as data, and vice-versa, maybe even using 'Boot Camp' machines to cross boundaries.
I think IPv6 may do a lot to reduce internet worms; first, by eliminating non-compatible worms, secondly, by making scanning the global IP address space take about 79228162514264337593543950336 times as many probes. But address books and such will still be sources of targets.
So basically you don't understand what a 0-day exploit is? You'd better patch your system so you don't get that 0-day exploit! Quick now!
Put identity in the browser.
No, they don't. And that part I mentioned about enabling the root account was just a big lie. A really big lie. Macs don't even have a terminal program. And they use a one-button mouse. And they only do black and white.
-- Boycott Shell
This is a really interesting situation. There has always been smugness in the Mac community about OS X and getting pwn3d. The guys at Apple are mostly to blame for this. Instead of Apple telling its minions that yes, in fact there is a threat to users of the Mac OS X system (as in every operating system) so you should add layers of security to protect yourself. I have to admit the Mac OS X system seems to be one of the more secure platforms and that is great. But Apple is setting its users up for failure.
I work in an office that handles computer security for a large network and have noticed that users tend to not install Anti-Virus software on their Mac systems. Apple has made them think they are Superman or something. This will end up being a big mistake. Social engineering is one of the biggest attack vectors right now for malware so this new Trojan falls right into a nice comfy spot. And since Apple is making its users think they are made of Kryptonite it is likely that social engineering will work better on Mac users. As more evildoers create more variants of this type of Trojan they will use different methods to get users to open the file and install it. If you don't have AV installed how are you supposed to know that something evil is on your system? Your average Mac user won't have a clue.
This could in fact be a turning point if more malware is written for the Mac. Right now the biggest target is Windows and it is social engineering (not vulnerabilities) that is the most successful. It would be 'due diligence' to install Anti Virus!
I mean, you can install a Trojan like that on any Unix-like OS (other than OS X) if you follow ALL the necessary steps to install it. The problem is not whether it's possible to install a Trojan on certain operating systems; the problem is how easily it can be done. In Mac OS X you have to click through several screens to "get infected" while on Windows you're only one click away from getting infected. That's the difference.
Insanity: doing the same thing over and over again and expecting different results.