Slashdot Mirror

← Back to Stories (view on slashdot.org)

Two Trojans For Mac OS X

Posted by kdawson on from the knock-knock-who's-there-trojan dept.

I Don't Believe in Imaginary Property writes "F-Secure is reporting that there are two new Mac OS X trojans. The first is just a proof-of-concept from the MacShadows people that takes advantage of the unpatched ARDAgent vulnerability to get root access when run by the user. The second relies on social engineering: it's a poker game that requests the user's password, claiming to have detected a 'corrupt preference file.' It then takes control of the computer. Now that the source of the proof-of-concept is publicly available, we can expect that future trojans won't just politely request your password."

1 of 326 comments (clear)

  1. The real "Next Step for Mac (& Windows) Users" by argent · · Score: 4, Informative

    History shows us that even the smartest of users can catch malware.

    It's been 17 years since the last time I had to remove a virus from my own computer, even when that computer's been unpatched Windows 2000 connected to the Internet. In the years that I was network and security admin and had control of the network, the only time we had any systems infected was when a user had either downloaded and run a file (that is, they were social-engineered, and in 10 years only one person came to me with an infected laptop after doing that twice) or they had violated my policy banning IE and Outlook at our location.

    The potential for infection if you avoid software that supports automatic execution of remote content is very very small, even on Windows. The reason that Windows has a high infection rate is because of IE and Outlook, not simply because it's popular.

    If you're on a Mac, and use Safari, here's the next steps you should take:

    (1) Go into preferences and make sure "Open 'Safe' Files after Downloading" is disabled.
    (2) Get a standalone FTP client and use one of the third-party LaunchServices editors (look for internet access preference panes) and change the default application for FTP: URLs from Finder to something else.
    (3) Use Tinkertool or equivalent to disable Dashboard.

    #1 is the most important. #2 and #3 don't allow automatic execution of untrusted content, but they do make social engineer ing easier.

    If you use a Gecko-based browser like Firefox or Camino, you don't need to worry about these.

    If you're on Windows: avoid using any application that uses the Microsoft HTML control to access untrusted content. That includes IE, Outlook (not all versions, any more, but I believe you have to accept the Vista-style UI to avoid it), Windows Media Player, Realplayer, and some Firefox plugins and some versions of Netscape.

    In Firefox, Windows or Mac or Linux, always clean out the whitelist for installing extensions after you install an extension... the installer is an autoexecution mechanism, and there have been exploits that took advantage of that even if you don't approve the install dialog.

    The scary part is that most Mac OS users think they can't catch malware because they're smart enough not to install it.

    At the moment that's not far from the truth. You can avoid catching malware by being smart enough to avoid running it, on Windows or OS X, if you exercise some care in the applications you use, and how they're configured. It's harder on Windows, but it's still possible.