Two Trojans For Mac OS X

I Don't Believe in Imaginary Property writes "F-Secure is reporting that there are two new Mac OS X trojans. The first is just a proof-of-concept from the MacShadows people that takes advantage of the unpatched ARDAgent vulnerability to get root access when run by the user. The second relies on social engineering: it's a poker game that requests the user's password, claiming to have detected a 'corrupt preference file.' It then takes control of the computer. Now that the source of the proof-of-concept is publicly available, we can expect that future trojans won't just politely request your password."

users

Now that the source of the proof-of-concept is publicly available, we can expect that future trojans won't just politely request your password. Are you sure? After all, we are talking about *mac* users. :P

Let the flamewars begin!

Two Trojans For Mac OS X Users

[stuntmanmike]

One for you, one for your partner.

Re:Two Trojans For Mac OS X Users

[somersault]

This exploit is done via AppleScript and the Apple Remote Desktop Agent, which should hopefully give you some kind of hint as to why this particular issue is not going to be a problem on Linux.

OSX is certified yes, and presumably some of the basic shell commands will be exactly the same at a source level as in Linux, but in the Linux world patches are uploaded to repositories pretty quickly and users can then download updates immediately. Apple users (of which I am one) have to wait for Apple to release updates, unless they compile everything themself. I don't know if there's an equivalent of apt-get for OSX, I haven't looked..

Then there's the fact that 99.99% (number pulled out of my ass obviously) of exploitable bugs will have already been patched in the common OS level commands by now simply because they are being used in so many different distros. Sure there is the odd high profile bug, I remember one a few weeks ago on /. about a bug in some file listing function, though I don't think it was actually a security risk as opposed to just an annoying bug.

Worst. Trojan. Ever.

The second relies on social engineering: it's a poker game that requests the user's password, claiming to have detected a 'corrupt preference file.' It then takes control of the computer.

Worst. Trojan. Ever.

Hey guys, I've got a great new idea for a worm, I'm gonna start a e-mail chain letter that tells people they'll have bad 7 years bad luck if they don't forward the e-mail to 10 friends and send me their root passwords, IP address and their bank account and credit card numbers. It's sure to be a smashing success!

Proof of Concept Slashdot Trojan

[frictionless+man]

Hi Slashdot User!

We have detected your Slashdot account preferences have been corrupted.

To fix this, please post your user id and password in response to this message, and one of our customer service operatives will fix your account and recover posting privileges as soon as possible.

Yours Sincerely, Trojan

Re:Proof of Concept Slashdot Trojan

That sounds like a combination an idiot would have on his luggage.

Re:Proof of Concept Slashdot Trojan

User Id: Anonymous Coward
Password is blank.

I hope you fix my preferences soon, my karma never seems to go up, no matter how much I get modded up.

Re:Proof of Concept Slashdot Trojan

[weicco]

1 2 3 4 5? That's amazing! I've got the same combination on my luggage!

Re:Proof of Concept Slashdot Trojan

[JohnBailey]

Wow.. thanks for the heads up.. my password is "********"

Re:Proof of Concept Slashdot Trojan

[Hal_Porter]

O/T but have you noticed how if you post sensitive information like your password here SlashCode filters it to X's. Very nice idea.

Re:Proof of Concept Slashdot Trojan

[mrbluze]

1 2 3 4 5? That's amazing! I've got the same combination on my luggage! Is your luggage by any chance in the form of a wooden horse?

Re:Proof of Concept Slashdot Trojan

[fatphil]

Obligatory: http://www.bash.org/?244321

Re:Proof of Concept Slashdot Trojan

[lurch_mojoff]

And where's the comment playing down the seriousness of the first proof-of-concept? The one that uses an unpatched ARDAgent vulnerability? Some Mac users just can't face that they're not as invincible as Apple marketing wants them to think, and reject any evidence to the contrary. (I'm about to be told how this local root vulnerability isn't a real vulnerability, because it's local.) That comment is in the thread of the previous "How to Save Mac OS X From Malware" article, as well as in the comment thread of the article originally reporting the ARD vulnerability posted last week. Yes, Arty McStrawman does believe that his Mac is invincible. Not many beside him do, though. Also, if you already know what will people respond to you, why do you ask your, fairly inflammatory, I might add, question, even if you intended it to be a rhetorical one?

Re:Proof of Concept Slashdot Trojan

[0100010001010011]

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.

(For those that don't want to copy and paste)

Lame

[grusin]

On windows they do that without asking for password

Yawn

[rsmith-mac]

We go through this about twice a year with the same results every time. "Someone" releases a trojan, presumably as proof that Mac OS X has security holes. Then everyone gets whipped in a frenzy and ultimately no one is infected by the damn thing in the first place. Mac OS X does have its holes (some of which are quite unreasonable), but trying to scare the users (in to buying anti-virus software, perhaps?) gets tiring after a while. No one has yet to do anything that matters with these trojans and security vulnerabilities, the real troublemakers continue to target Windows.

Mac OS X's day will definitely come at some point, but if people keep crying wolf every time someone whips up a theoretical and entirely implausible situation, no one is going to believe the security community once some black-hat does finally decide to attack the Macs.

Re:Yawn

[KGIII]

At risk of being called a troll... The adage does actually apply but I will spell it out a bit. If you're going to attack then your goal is to do as much damage as you can as efficiently as you can. The vast majority of users are still using Windows. The vast majority of business data is still being transported on Windows based machines. You are as unlikely to find mass-effect malware for a Mac as you are for RiscOS, Amiga, Solaris, BSD, or Linux. The ends don't justify the means from a realistic view and if anyone thinks that malware authors are out there doing it just to "show the man" or for "fame" these days hasn't actually paid attention to the malware scene for the past five years. Today it is about blended threats, specific highly targeted attacks, gaining information as opposed to causing destruction and the goal isn't geekiness nor fame but rather is about money. Mac users are just as likely to type in their password as are Windows users. (As *NIX is not aimed at the mainstream I'd argue that *NIX users are less likely to do so, and yes, I use all the above OSes when required or have used them to play with them.)

Re:Yawn

[marcello_dl]

Except that worms for linux would find most servers on the net vulnerable- do you realize the potential for mischief?
In fact worms for linux were produced.

Re:Yawn

[Tim+C]

Do you have any figures to back that claim up? Most servers are looked after by admins, and any admin worth their salt will at least put their machines behind a firewall, opening up only those ports that are absolutely necessary.

Yes, some will be vulnerable, but as another poster points out the number will be utterly insignificant compared to the number of networked clients running Windows. The target simply isn't big enough to be worth the effort.

Re:Yawn

[Admiral+Ag]

"Maybe a boat of Tahiitian hookers shipwrecks on the island?"

So you're the guy with the device that can read my dreams. Please stop.

Re:Yawn

[Tom]

Mac users are just as likely to type in their password as are Windows users. Evidence for that claim?

Mac's "I need your password" dialog is better done and, more importantly, a lot less common than windos UAC. As such, most Mac users don't roll their eyes and mutter "get on with it already, moron" when it pops up. In fact, when it pops up, I either expected it to, or it surprises me enough that I actually read what it's about.

Re:Yawn

[Aram+Fingal]

I have been one of the first to point out the same thing in each of these past cases but this is different. We have a scriptable application setuid to root. That's an obvious vulnerability on a sliver platter. What was Apple thinking?

Re:Yawn

[phantomfive]

The primary purpose of botnets is NOT monetary, it is political. They are rarely used to directly make money. Woah, you are way off base on this one, and I refer to Misha Glenny, his book where he investigates global hacking schemes.

Even if you think of it, the potential for profit is just too great. If you can harvest 20,000 credit cards, and only take $5 from each one (call it a service charge or something), will the people notice? If you can do it with 20,000, why not a million? Can you not imagine that this would be tempting to people? It is. Horribly tempting.

Another example we had on slashdot here a few years ago was a story about botnets being used to DDOS offshore gambling sites, and then ask extortion money to stop the attack. Here, check it out. There are many ways to make money with a botnet. Of course spam is another common way. Hacking is big business.

Grrr...

[mallardtheduck]

The ARDAgent vulnerability is pretty serious and stupid, but social engineering is not OS specific. The "poker game" could just as easily be implemented on Windows or Linux.

There is nothing that any OS can do to prevent trojans. (At least not without seriously limiting the functionality of legitimate programs.)

Slashdot's own summarry of the ARDAgent vulnerability included a "proof-of-concept" it is trivially easy to exploit and should be fixed ASAP.

There is no news here.

Society is not an OS X vulnerability

For crying out loud people, the poker game one is applicable to any system you want to code it on! What does this have to do with being a Mac OS X security hole? It would work on Linux, BSD, RandomOSMadeUpOnTheSpurOfTheMoment (Infinium labs).

Re:Society is not an OS X vulnerability

[squiggleslash]

Do you really think the average computer user is a "standard" sysadmin who knows "standard sysadmin stuff"?

Most people who buy computers want and expect it to "just work" rather than to spend time learning how to maintain the system. The ideal system, for them, is maintenance free. Funnily enough, one computer manufacturer in particular specializes in the whole "just works" concept. Their customers definitely do not expect to have to set up cronjobs to copy files across the network to a secure RAID server in the closet.

Can you guess which manufacturer that is?

FUDmeisters

[Werrismys]

It's F-Secure's business to cry wolf.

You'd be amazed how dumb users are

[Sycraft-fu]

I swear, some people go out of their way to infect their machines. The one that stands out in my mind the most was a virus for Windows a number of years ago. Came as an attachment in a message that said "Hi I send you the file in order to have your advice." So never mind the bad grammar and such, but before campus got hit we got wind of the thing and sent out an e-mail message to all users saying "Don't open this shit it's bad news." One of the users called in saying she was having problems with e-mail, we came and looked. The "problem" was that she wasn't an admin and so, thankfully, couldn't run the damn virus.

Or somewhat more recently we had a virus that slipped by our e-mail scanner. It did so by sending itself in encrypted zip files, and then putting the decryption key in the message. That meant you had to open the mail, save the zip, open the zip, enter the code, extract the executable, and run it. Two users did just that and got infected.

So while it seems armature to do a "Download this then enter your password," kind of trojan, that shit works waaaay more than you'd think.

I wouldn't call this crying wolf

[Sycraft-fu]

More like warning that just because you live in a good neighbourhood, doesn't mean you should leave your door unlocked. Too many people who have Macs take the lax approach of "Well Macs don't get hacked so I don't have to worry." Ok well maybe they generally don't (though I've seen it happen due to immense user stupidity) but you should still assume that it can happen, and have security to prevent it.

I'm all about proactive security, not reactive. Don't wait until something is a problem, identify weaknesses and fix that shit BEFORE someone exploits it. If nobody ever tries, ok great. However if someone does, you are glad you set up security.

As I said it is the difference between living in a low crime neighbourhood and a high one. You live in a low crime neighbourhood and figure "Oh well there's no crime here, so I don't need to bother with a door lock or alarm." Ok, that's great right up until the criminals try, then you are screwed since you had no security. Well someone who lives in a high crime neighbourhood might have to put up with attempts more often but if they have their doors locked, windows barred, alarm on and so on it doesn't matter because their security stops it.

Computers are the same way. Just because you run a platform that isn't targeted much, doesn't mean you should just ignore security. Hope for the best but prepare for the worst, then you are ready no matter what.

It is like backups. Backups are a waste of time and money when your system has always been reliable... Right up until the moment when it isn't and you lose all your shit. You hope you never need the backups, and most won't computers are pretty reliable, but you make them anyways just in case. You prepare for the worst, even if it is unlikely, so that if it hits you aren't screwed.

Re:Apple spin

[doyoulikeworms]

iTrojan - It just works.

Re:"Politely request your password"... Meh

[gnasher719]

A trojan which requires the user to manually download and run it isn't really a trojan... A trojan which requires the user to manually download and run it is _exactly_ a trojan. It is not a worm or a virus. A "trojan" is software that makes the user believe it does something useful or entertaining while in reality containing malware, and it relies on the user getting around security in order to access the useful or entertaining bits.

Re:"Politely request your password"... Meh

[Tim+C]

That is exactly what a trojan is!

A trojan is a piece of software that appears to be benign or otherwise safe or desirable, but in fact is malign. It may or may not also act as advertised.

A virus is a piece of software that piggy-backs on other executables, "infecting" them with its own code and modifying them so that when they are launched, the virus code is also run. They spread by searching for and infecting other executables on the machine.

A worm is self-propagating, and does not require user intervention. It actively seeks out and exploits a given vulnerability or vulnerabilities, using them to covertly gain access to the machine.

Of the three broad types of malware, the only one that does not require the user to manually run it is a worm.

And if a program requests the root password and the user gives it, is this the OS's fault?

No, of course not - but you'd be amazed at the number of people who blame Windows even for such social engineering tricks, or believe that if we only all switched to Linux malware would be a thing of the past. The weakest link in any computer system is the user, and there's little or nothing an OS can do to protect itself from a naive or malicious user armed with the root/admin password. While this is a non-story, it does at least demonstrate that the same is true of other OSes than Windows.

The real "Next Step for Mac (& Windows) Users"

[argent]

History shows us that even the smartest of users can catch malware.

It's been 17 years since the last time I had to remove a virus from my own computer, even when that computer's been unpatched Windows 2000 connected to the Internet. In the years that I was network and security admin and had control of the network, the only time we had any systems infected was when a user had either downloaded and run a file (that is, they were social-engineered, and in 10 years only one person came to me with an infected laptop after doing that twice) or they had violated my policy banning IE and Outlook at our location.

The potential for infection if you avoid software that supports automatic execution of remote content is very very small, even on Windows. The reason that Windows has a high infection rate is because of IE and Outlook, not simply because it's popular.

If you're on a Mac, and use Safari, here's the next steps you should take:

(1) Go into preferences and make sure "Open 'Safe' Files after Downloading" is disabled.
(2) Get a standalone FTP client and use one of the third-party LaunchServices editors (look for internet access preference panes) and change the default application for FTP: URLs from Finder to something else.
(3) Use Tinkertool or equivalent to disable Dashboard.

#1 is the most important. #2 and #3 don't allow automatic execution of untrusted content, but they do make social engineer ing easier.

If you use a Gecko-based browser like Firefox or Camino, you don't need to worry about these.

If you're on Windows: avoid using any application that uses the Microsoft HTML control to access untrusted content. That includes IE, Outlook (not all versions, any more, but I believe you have to accept the Vista-style UI to avoid it), Windows Media Player, Realplayer, and some Firefox plugins and some versions of Netscape.

In Firefox, Windows or Mac or Linux, always clean out the whitelist for installing extensions after you install an extension... the installer is an autoexecution mechanism, and there have been exploits that took advantage of that even if you don't approve the install dialog.

The scary part is that most Mac OS users think they can't catch malware because they're smart enough not to install it.

At the moment that's not far from the truth. You can avoid catching malware by being smart enough to avoid running it, on Windows or OS X, if you exercise some care in the applications you use, and how they're configured. It's harder on Windows, but it's still possible.