Slashdot Mirror
Fake Codec is Mac OS X Trojan
Kenny A. writes "Multiple news organisations are reporting on an in-the-wild Mac OS X malware attack that uses porn lures to plant phishing Trojans on Mac machines. The attack site attempts to trick users into download a disk image (.dmg) file disguised as a codec that's required for viewing the video. If the Mac machine's browser is set to to open 'Safe' files after downloading, the .dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected but once the Trojan is installed, it has full control of the machine."
In my Macintosh? It's more likely than you think.
Comment removed based on user account deletion
The only cure to stupidity is intelligence.
If someone is stupid enough to download something, run it and give it the admin password, it will obviously be able to take control of the machine. No operating system or security software will stop that.
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
Or smart enough. Stupid people wouldn't make it through the install process. "Next" buttons are hard.
The summary is misleading, it does not give full control of the computer to the attacker, but changes the DNS server for phishing.
It could just as easily install a VNC server I suppose.
> If you're stupid enough to go through all of those steps, you deserve to be infected.
And does everyone else that your zombied machine spams or DDoS's deserve it?
25% Funny, 25% Insightful, 25% Informative, 25% Troll
And by finally I assume you mean that Apple finally has succeeded in luring the coveted dimwit market to its products.
That's like saying that Troy had to put their enemies in the horse, then drag it up to the gate, drag it through and then offer a soft cushy landing spot for warriors coming out of the horse.
There are dimwits and every market. If you think otherwise, it's because you are amongst the ranks...
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
Name an operating system that can't be infected when a user gives an admin password.
To get infected, you have to:
.DMG file. .DMG
1) Go to a porn site
2) Download a plugin from the porn site
3) Click "OK" that you are downloading a
4) Mount the
5) Go back to the Finder
6) Double-click the installer
7) Type in your account password
8) Click next a few times
Calling this, "In the Wild," is laughable. How did the porn site "get infected"? I'll bet anything that the porn site(s) in question know exactly what they are doing...
The Right Reverend K. Reid Wightman,
If Apple really wants to continue to provide users with the "Open Safe Files" option in Safari, it would make a whole lot of sense to associate that feature with a white list of approved domain names like apple.com, adobe.com, etc.
Part of the hardcore faithful who believed in Apple long before it was cool again to do so
Comment removed based on user account deletion
Your subject seems to suggest that you believe that now that there's actual a piece of Mac malware in the wild, things with snowball, and there will be more and more. Is there any logical reason to believe that this is the case? In the latter days of pre-X Mac OS, there was some malware program or other released every year or three, but the rate never seemed to climb.
Any Mac haters gleefully hoping that this is the start of a Mac threat environment similar to the Windows threat environment is probably going to be quite disappointed.
This space unintentionally left unblank.
This is neither a virus or a worm; it's a trojan. A trojan is a program that does or claims to do something useful, which gets you to install it. Once installed, it does something else in addition to or instead of what you installed it for.
No OS is foolproof, and even Mac and Linux users can be fools. Mac and Linux machines can be broken into, can get trojans, theur users can be tricked into giving out passwords, but there are no Mac or Linux viruses in the wold.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
Malware does not equal virus, iit does not "break" into a machine through security holes, it hacks the wetware between the monitor and the seat, convincing them to consent to the install.
It's impossible to make a machine fully idiot proof, but in the past couple versions apple has added 3 new "nag" boxes to safari in attempts to warn people.
Anyone who goes through that many screens deserves to have it installed.
I don't install any media player or codec if it asks for root permission.
even flip4mac doesn't require full permissions.
you drop the free component into your home's library folder and it runs in user space when websites call for wmv decoding.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Actually, the only people claiming that Macs are immune to malware, are people like you claiming others are doing so specifically so you can say these mythical people are wrong. This is a case of a program not being what it claims to be, and using social engineering to get someone to install something, make it executable, authenticate as root, and run it. No different than a year or three ago when someone came out with a fake Office for OSX package they shared on the P2P networks which was really a shell script that removed files. Not a virus - this doesn't install itself.
A "virus" with an install procedure which includes "and then become root and run it" isn't going to have legs.
Right now you have to convince people to install the trojan.
... I don't see the growth rate being above the disinfection rate.
Okay, that will give you X% of all the Mac users out there.
Then what? How do you increase X?
With Windows, the trojans scan the hard drive for email addresses and send out links to every address it can find. That depends upon unpatched exploits in IE or you having friends who are as dumb as you.
If the same happens here
You find this "movie codec thingy" at a shady pr0n website (alarm #1), and it asks you to specifically download a .dmg file (alarm #2), install it with admin/root permissions (alarm #3) just to play a non-standard codec (alarm #4).
Meanwhile, by comparison, there are a whole host of Windows nasties you can get just by, say, visiting a website with a rigged IFRAME in the page.
QED: It's not a question of fanboys pooh-poohing something because it's their pet OS - it's a question of simple fucking logic.
Come back and tell us about it when OSX (eventually) has an attack vector that doesn't require the user to be a complete and utter dumbass, please.
Quo usque tandem abutere, Nimbus, patientia nostra?
One thing I noticed was that the more times a user has to enter their security password the more likely they become complacent and assume that any install is going to require it and any install that occurs is going to be safe.
Basically what sunk later attempts by Microsoft to patch security. As soon as they added "warnings" (aka popups) people got into the habit of clicking yes and thereby undoing any chance the programmers had at protecting users from being stupid. You can even blame this behavior on EULA's which require click through - people do this automatically.
As the Mac gains in popularity the numbers of careless people will go up and infections like this will occur more often. The key is finding a way to train the user that its WRONG. That or finding a way to have the OS run objects installed in some form of "safe mode" for a time without letting the user in on it.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Not really. Is it a security exploit if the user must type in a password and install the program to make it work?
Sorry but there is nothing that an OS can do to prevent someone with admin rights from installing and running a program.
I am not a Mac User but anybody that installs a codec to view porn that they get from the porn site...
As the Honda motorcycle safty ads put oh so well.
Stupid Hurts.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
That's an interesting straw man you've drawn up. Personally, I don't know anybody who purchased a Mac because he or she thought it was somehow immune to all forms of malware.
I agree with the parent poster in a sense. OK, they don't really "deserve" to be infected, but there is a fundamental limit to what current computer security models are able to achieve. This infection doesn't occur through the exploit of some flaw in the web browser or OS X, it's pure social engineering. The malware gets installed just like any valid software package would; if the computer's administrator cannot be relied upon to intelligently differentiate between trustworthy and untrustworthy software, then all other technical countermeasures aside, there is absolutely no hope of keeping that system secure.
Nice Try tho...
Fiat Homos et Pereat Theos
Your argument isn't as original as you'd like. It's also flawed. Just compare Apache to IIS. Apache has much greater market share, but IIS get exploited like Swiss cheese. How do you explain that?
Another counter argument: Although Linux has a much smaller installed base than Windows, a cracker could stand to gain much more by exploiting Linux. Imagine the wealth of sensitive data hosted on Linux servers.
Raj Against the Machine! http://social-butterfly.appspot.com/
Exactly. This isn't a computer virus. It's a social engineering virus.
Anyone that can write a keystroke logger program can also add wording that it's actually a codec for viewing videos. One more level of dishonesty's not going to stop them.
People often criticize Wiki, but seeing as the Wiki definition of a computer virus is "a computer program that can copy itself and infect a computer without permission or knowledge of the user", this is no virus.
Shiny. Let's be bad guys...
I did not say that they did. I said that the trojan scanned the hard drive of the infected computer to find anything that looked like an email address so it could send links to those addresses.
If someone clicked on one of those links AND had a version of IE that was exploitable, then they were infected.
That is how X increases in the Windows segment.
Yes they can. But they still depend upon a browser vulnerability in that scenario. Microsoft's decisions with IE (ActiveX, "integrating" it into the OS) means that the exploits are worse with IE than with, say, Firefox.
Targeting it does not matter. What matters is how to increase X%.
If the infection rate is below the disinfection rate, the trojan dies "in the wild".
Yeah. You go with that.
Actually, it appears that your argument is the one that is empty.
Getting ONE person to infect his Mac is not much of an achievement. With enough users, eventually you'll find one dumb enough for fall for any scam.
What matters is how fast it will spread.
So far, this trojan has demonstrated that Mac's are extremely secure. The trojan is not spreading.
Compare that with the Storm Worm.
And who is saying that 100% security is needed?
Security is a PROCESS. Not an end-item.
All that is needed is for Mac's to have an infection rate that is BELOW the disinfection rate. The the viruses and trojans and worms will all die "in the wild".
No need to make any claims about "100% secure" or not. It's the infection rate that matters. Does it spread faster than it is removed? If it does not, then it is not a threat. If it is not a threat, then the Mac is still considered "secure" by its user.
I don't know about you, but if grandmagoldenshowers.com recommends that I download software, I do. If my operating system give me a detailed warning about the software that I downloaded from the porn site, I disregard it. And if I'm forced to authenticate the installation, I do.
Porn sites have given me hours of free orgasms at my desk, why wouldn't I blindly trust them?
Oh and I also always give my credit card and social security number to Ebay when they're having problems with my account and they direct me to www.secureauthenticate.ebay.com.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
"The target must click through a series of screens"
And engage in a specific pattern of toe-tapping and handwaving.
September 2011: Looking for Cocoa/iOS work in Boston area Cocoa Programmer Quincy, MA
I thought that, given their hip status, that they'd be having sex instead of watching porn. Does this make them as pathetic as Windows users, yet?
This is an *insecure* default setting.
What is? BY DEFAULT Safari prompts you to allow downloading things like disk images from a remote website. Then BY DEFAULT it asks you if you trust an application from wherever it came from - even allowing you at any time to revisit the web page it was downloaded from! Then after all than, if you choose to run the file in the disk image you are further prompted BY DEFAULT for an admin password.
What exactly is the DEFAULT behavior that is wrong here? Should all ability for the user to download and install applications be removed?
This is not a NEW "exploit", I remember hearing about this same exploit in a different form at least a year and a half ago. Apple had plenty of time to disable this feature
What, the ability to download an run applications?
I don't see what your complaint is on this one. Apple has made the system as secure as they can make it, at some point the rest has to be left to the user.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
And i quote "850 new threats were detected against Windows. Zero for Mac."
Yes, it admits it's possible, it doesn't however, admit there are any.
Wow, that's an astonishingly blatant use of creative quoting without context. Lets read the whole paragraph, unedited, shall we?
By the end of 2005, there were 114,000 known viruses for PCs. In March 2006 alone, 850 new threats were detected against Windows. Zero for Mac. While no computer connected to the Internet will ever be 100% immune from attack, Mac OS X has helped the Mac keep its clean bill of health with a superior UNIX foundation and security features that go above and beyond the norm for PCs. When you get a Mac, only your enthusiasm is contagious.
A bit different than your out of context snippet this way, isn't it.
How do the facts then agree with your claim that "it doesn't however, admit there are any."? Says right there "While no computer connected to the Internet will ever be 100% immune from attack,". Sheesh. It's almost like you figured nobody would check your claim to see how blantantly you misrepresented it.
"What's the sound of a thousand eyes rolling?"
:(
Jeez, I don't know, but it probably sounds pretty damn disgusting. Gross!
Modern Macs may have few viruses, trojans, etc. (a 68000 based Mac is where I first saw a virus myself, but I know OS/X is much better.)
However, I have also never seen a unicorn with rabies.
A Mac virus won't spread via the 'net because the odds of a random connection leading to another Mac is much smaller than hitting a PC.
What I would find interesting is a multi-platform worm/virus (which would be easier with newer Macs being x86 based (are there 64 bit Macs? what's their RAM limit?)) Not something high level, like a Word-macro or Java virus, but something that when executing on a PC, keeps it's Mac payload as data, and vice-versa, maybe even using 'boot-camp' machines to cross bounderies.
I think IPv6 may do a lot to reduce internet worms; first, by eliminating non-compatible worms, secondly, by making scanning the global IP address space take about 79228162514264337593543950336 times as many probes. But address books and such will still be sources of targets.