New Mac Virus Discovered, Making the Rounds

← Back to Stories (view on slashdot.org)

New Mac Virus Discovered, Making the Rounds

Posted by Soulskill on Friday June 29, 2012 @10:31AM from the sharing-is-caring dept.

sl4shd0rk writes "A new Mac OS X exploit was discovered Friday morning by Kaspersky Labs which propogates through a zipfile attachment. The attachment tricks the Mac user into installing a variant of the MaControl backdoor via point-and-grunt. Embedded in the virus is an encrypted IP address belonging to a server in China which is believed to be a C+C server. Once installed, the virus opens a backdoor allowing the attacker on the C+C server to run commands on the compromised machine. Shortly after Kaspersky's announcement, AlienVault Labs claims to have found a similar version of the Mac malware which infects Windows machines. The Windows version appears to be a variant of the Gh0st RAT malware used last month in targeted attacks against Central Tibetan Administration. Both viruses are suspected of being tools in a campaign to attack Uyghur Activists."

20 of 239 comments (clear)

Min score:

Reason:

Sort:

Misuse of the term "virus". by Kenja · 2012-06-29 10:35 · Score: 5, Insightful

I know its overly popular these days to call any malware, trojan or other malicious bit of software a virus, but they really dont meet the definition. Frankly, I cant think of a real virus being released in quite some time. Which just seems lazy to me.

--

"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
1. Re:Misuse of the term "virus". by nurb432 · 2012-06-29 10:38 · Score: 5, Insightful
  
  Misuse use of terms like this really pisses me off.
  Like 'hacker', 'pirate', 'theft', and a host of others that have been twisted to the point of being ludicrous.
  
  --
  ---- Booth was a patriot ----
2. Re:Misuse of the term "virus". by jhoegl · 2012-06-29 10:56 · Score: 4, Funny
  
  I know right?
  I mean, since when did a pirate never sail the seas drinking rum and killing people for their loot? I mean they actually worked for it!
  But now a days, you got these kids sitting at home, browsing sites, looking for software that is outside their financial reach so they can learn it to get a good job.
  What a bunch of ass grabbers!
3. Re:Misuse of the term "virus". by humanrev · 2012-06-29 11:45 · Score: 4, Funny
  
  What, like Game of Thrones?
  
  --
  Most people on Slashdot are fucking idiots.
4. Re:Misuse of the term "virus". by Gilmoure · 2012-06-29 14:44 · Score: 5, Funny
  
  Romanes eunt domus?
  
  --
  I drank what? -- Socrates
5. Re:Misuse of the term "virus". by interkin3tic · 2012-06-29 14:58 · Score: 5, Insightful
  
  A friend of mine was doing an internship in Washington DC, he saw on a schedule a congressional briefing thing about piracy. He went assuming it was about napster etc. It was actually about Somalia. He walked away caring about online piracy a little less.
What is wrong with you people? by imagined.by · 2012-06-29 10:42 · Score: 4, Insightful

Malware, not virus. Virii aren't installed by the users themselves...
Thank you very much.
1. Re:What is wrong with you people? by KhabaLox · 2012-06-29 11:06 · Score: 4, Informative
  
  http://en.wikipedia.org/wiki/Plural_form_of_words_ending_in_-us#Virus
  
  --
  Ceci n'est pas un sig.
2. Re:What is wrong with you people? by newcastlejon · 2012-06-29 11:08 · Score: 4, Insightful
  
  No it doesn't, but hepatitis isn't a virus anyway. Hepatitis can be caused by a number of different pathogens and viruses are only one kind. Off the top of my head, Listeria can cause it and so can Cryptosporidium (bacteria and protozoa respectively). Of course this is all academic since your analogy was doomed from the start. You'd have had better luck if you compared it to kissing a person with a cold sore (Herpes) on their lips.
  
  --
  If God forks the Universe every time you roll a die, he'd better have a damned good memory.
3. Re:What is wrong with you people? by Rosyna · 2012-06-29 11:32 · Score: 5, Informative
  
  The problem here is that OSX inherently lacks software that raises flags when 'the incident' happens, or at least it seams to be that way.. Does the victim has any built-in protection to deal with such a malware infection?
  Mac OS X has an automatic malware scanner. The malware definitions are checked for updates daily, automatically.
  The last update to the definitions was on June 26th, 2012. I do not know if it contains the definitions for this malware yet.
4. Re:What is wrong with you people? by beelsebob · 2012-06-29 11:35 · Score: 5, Informative
  
  The problem here is that OSX inherently lacks software that raises flags when 'the incident' happens, or at least it seams to be that way.. Does the victim has any built-in protection to deal with such a malware infection?
  Yes, there's built in protection against selected malwares, come mountain lion, unsigned, or signed-with-revoked-certificates binaries will not run by default either.
  
  Does the OS X possess mechanisms to monitor or block outgoing traffic?
  Yes, and they're turned on by default.
  
  Does this system even has a proper driver structure to allow insertion of your monitoring pass-through driver into the TCP or disk driver stack?
  Yes, you can use dtrace to monitor this kind of thing if you want.
5. Re:What is wrong with you people? by Farmer+Tim · 2012-06-29 13:16 · Score: 4, Insightful
  
  True enough, most people do think viral when hepatitis is mentioned, but you wouldn't get away with that kind of imprecision in a professional medical forum. I suppose how much a similar terminological distinction matters depends on how close you consider /. is to being a professional tech forum...
  [lightbulb]
  ...OK, it's futile, I get it...
  
  --
  Blank until /. makes another boneheaded UI decision.
Point and grunt ? by billcopc · 2012-06-29 10:54 · Score: 4, Funny

Pardon my crystallized forebrain, but what's "point-and-grunt" ? Is that one of those newfangled hipster Fail-on-Rails thingamabobs that goes into the weird rounded USB thing on my tee-vee ?

--
-Billco, Fnarg.com
1. Re:Point and grunt ? by drinkypoo · 2012-06-29 11:14 · Score: 5, Funny
  
  Pardon my crystallized forebrain, but what's "point-and-grunt" ?
  It's a Zune function. It's what you do before you squirt.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Why is this news? by Grayhand · 2012-06-29 10:58 · Score: 4, Insightful

It's hard to blame Mac when you open an infected file. People have been unwittingly installing Malware and other infecting programs onto Macs for years. This is very different from one that propagates without the help of the user. It's a non story.
1. Re:Why is this news? by 93+Escort+Wagon · 2012-06-29 11:23 · Score: 4, Insightful
  
  Well, except when this happens in the PC world at least some subset of folks do blame Microsoft for it, and loudly.
  There was a time when Microsoft WAS at fault - back in the days of Slammer, for example. But most of the malware that goes around anymore relies on social engineering to propagate, because Windows and OS X are really pretty secure.
  
  --
  #DeleteChrome
2. Re:Why is this news? by thetoadwarrior · 2012-06-29 11:45 · Score: 4, Insightful
  
  Microsoft *was* at fault at times like when Outlook express' preview pane ran anything in the preview pane which was on by default so you could get infected by virture of a new email just coming in even if you'd be smart enough not to open it. Which is definitely different from a Mac asking you to be sure and you open it anyway.
3. Re:Why is this news? by 93+Escort+Wagon · 2012-06-29 12:36 · Score: 4, Insightful
  
  Microsoft *was* at fault at times like when Outlook express' preview pane ran anything in the preview pane which was on by default so you could get infected by virture of a new email just coming in even if you'd be smart enough not to open it. Which is definitely different from a Mac asking you to be sure and you open it anyway.
  Except remember how Safari had a similar issue several years ago? It could automatically launch stuff that was downloaded just by virtue of you hitting the wrong page? That's why you get asked now - that was part of the fix Apple added to solve the problem.
  I've been a Mac user since 2003. I like the OS, and I think it's had a pretty good security track record overall... but Apple's definitely made a few missteps along the way. Nothing of the sheer magnitude of Slammer or Blaster - the only remote OS X exploit I can remember required the attacker to be on the same subnet (think it was an AFS exploit, but I might be mis-remembering).
  
  --
  #DeleteChrome
Comment removed by account_deleted · 2012-06-29 13:25 · Score: 5, Informative

Comment removed based on user account deletion
Jesus, not again by sootman · 2012-06-29 13:52 · Score: 5, Insightful

I know Slashdot editors are famously lazy ('sup, guys!) but why does the summary they posted say "The attachment tricks the Mac user into installing..." when TFA* clearly says "the [attack] described here relies on social engineering to get the user to run the backdoor"? You know, just like every single other Trojan out there?!?** The attachment itself is totally benign until someone clicks on it several times. (Even if you view the message with webmail with Safari's "Open 'safe' files after downloading" in its (admittedly brain-dead) default "checked" position***, you still have to click on the attachment link in your webmail and then double-click the visible file to run it.) The only way this actually happens is if someone reads the email and takes a few steps on their own. As always, the attachment itself does nothing.****
Slashdot has been a techy news site for a decade and a half now. You'd think errors as blatant as this would get caught by the editors, even with their usual lack of checking.
You know what would be an awesome site? Exactly what Slashdot is, but with better editors. (And maybe lay off the JavaScript some.)
Anyway: sky is blue, water is wet, sun rises in the east, and all computers--by definition--are vulnerable to trojans. Film at 11.
And by the way, WTF is "point-and-grunt"? Does that imply that users are dumbly clicking on things? If so, doesn't that also imply that the users just might be the problem? Trojans are trivially easy to write. Here's one in one line:

echo "rm -rf ~/*" > NataliePortmanHotGrits.jpg.command; chmod 755 NataliePortmanHotGrits.jpg.command

Voila. Type that into Terminal, email it to all of Slashdot, and wait for a great disturbance in the Force, as if millions of home directories suddenly cried out in terror and were suddenly silenced.
* I know no one here reads them, but I think the submitter should, right? Even if they don't, they should just submit the URL and not make up shit for the summary.
** Which is to say, like every single Mac "virus" of the last decade as well.
*** Apple even puts "Safe" in quotes, so they obviously know that's not an ideal term. They should set it to "off" by default--and then remove the option.
**** Unlike the bad old days with Outlook Express' infinitely more brain-dead "Hey, let me run that executable attachment for you!" setting.

--
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.