Multiplying Mac Trojan not epidemic yet

If Mac users thought the Trojan discovered last week was a one-off, they'll need to think again.

Security firm F-Secure has discovered 32 variants of it, but claims about its powers have been wildly overstated, according to experts.

"Looks like the Mac Trojan we posted about last week was not an isolated incident. The gang behind it seems serious about targeting Mac users as well as Windows users. And they keep putting out slightly modified versions of the Trojan for the Mac too," Mikko Hypponen, chief research officer at F-Secure, wrote in his blog this week.

Last week, Mac security software vendor Intego discovered a Trojan designed for Mac OS X being distributed via porn sites.

The Trojan is being disguised as a codec, a device used to decode digital streams. If it is downloaded, it alters a computer's domain name system (DNS) server, redirecting the machine to porn sites of the malware distributor's choice. The prime purpose appears to be to make money when people click on ads served on the sites.

The "payloads" of the 32 variants of the Trojan are the same as the original discovered by Intego. However, F-Secure technical manager Patrik Runald said the Trojan is also on a reconnaissance mission of sorts: it reports its findings back to an IP address in the Ukraine.

"It reports the name of the computer and the operating system version back to another IP address within the Ukraine to keep track of the installs they have," he told ZDNet Australia.

There is also a version for Windows platform users, said Runald, and it was this version that led him to the conclusion the group behind the DNS-changing Mac Trojan is the same group behind the malware released earlier this year known as "zlob."

"Zlob is also about click ads and showing ads on your PC and are also typically distributed through fake codecs," Runald said.

It shows that Macs are "starting to get interesting for the bad guys," he added.

"It's not an isolated incident because it's a professional gang behind it, not some teenagers trying to prove a point," Runald said. "They're actually making money out of it and because of this it's unlikely to end soon."

However, Runald said, the Trojan does not mean Mac platforms are facing a malware epidemic.

Liam Tung of ZDNet Australia reported from Sydney.

[wbenton]

Macs... not as safe as some thing... BUT...

Macs are not as safe as some thing... but they're also not as dangerous as others purport.<br /><br />Personally, I like Linux much better, but at least a Mac has more clout than a Windowz machine!<br /><br />(* GRIN *)<br /><br />Walt

[Penguinisto]

Meh - I use both and more.

I happily use Macs, Linux, and FreeBSD. No biggie.<br /><br />(though to be honest, if a few certain 3D/CG app makers had a native Linux port for a few of their products, I'd prolly go full-on Linux in a heartbeat).

[COMALite J]

The downside of Apple's switch to Intel

Many things made Macs more secure than PCs. Part of it was security through obscurity, due to the lesser market share. Part of it was real security due to the FreeBSD / Mach / Darwin core, and the fact that users have to jump through hoops to get root access.<br /><br />But part of it was that many more would-be hackers know how to program Intel x86 chips than know how to program Motorolla / IBM PowerPC chips at the machine code level.<br /><br />Apple has removed that latter layer of protection, by switching to the Intel chips. I understand the reasons they did so (Motorolla and IBM failing to live up to their clock speed and supply promises, and Intel?s then-new Core line finally becoming truly efficient [though still not as efficient on a power-per-MHz basis as the PowerPCs] unlike their horrendous NetBurst [NutBust] Pentium 4 predecessors), but there was a price to pay, and now we?re paying it. Current Windows hackers who are wannabe Mac hackers now have a substantially lowered learning curve. This also weakens the value of the security-through-obscurity angle, as the return on learning curve investment can be much greater even though the market share remains relatively small, if not as much learning curve has to be invested.

[samkass]

Story slightly inaccurate

The story reads, "If it is downloaded, it alters a computer's domain name system (DNS) server, redirecting the machine to porn sites of the malware distributor's choice."<br /><br />In reality, the software must be downloaded, double-clicked on, the warning clicked away, and then user must type their administrator password into an authentication dialog in order for the software to do its thing on a Mac. While it's certainly possible to trick some people into doing this, this software isn't something that's going to automatically spread like wildfire.

[rhsc]

not inaccurate

Trojans generally do require an action on the part of the user for activation, rather than just installing themselves unbeknownst to the user. That's what separates them from other forms of malware. <br /><br />Trojan -&gt; Trojan horse<br />a malicious program disguised as an innocuous one to trick the user into letting his [digital] guard down

[k2dave]

Almost the same as XP

It is almost the same in Win XP:<br />In reality, the software must be downloaded, double-clicked on, the warning clicked away, and then user must be logged into a account with admin privliges in order for the software to do its thing in Win XP, assuming that the AV program does not step in also.

[LarryLo]

Rename the article - Mac Torjan and the Darwin effect

This is Apple's secret way of thinning the herd.<br /><br />Anyone who would go through all the steps to install this silly program deserves to have their DNS redirected! :)

[Seaspray0]

But the idiots were told it was safe by people like you

"Anyone who would go through all the steps to install this silly program deserves to have their DNS redirected!"<br /><br />What tripe! How many mac fanboys have I heard over the last several years state, "I do not have to worry about viruses. I do not run any antivirus software. Mac's are 100% safe." My response has ALWAYS been "BE PREPARED. Past performance is no guarantee of safety."<br /><br />How dare you blame the users who were told repeatedly by the macboys, "you'll never get a virus."

[starcannon]

HA!

Darwins Natural Selection at work in cyberspace, lol, not sure if he'd approve, but still, damn funny :P

[DavidChartier]

Multiplying how, exactly?

Is the trojan spreading itself via a flaw in Mac OS X? What about <br />a vulnerability in Safari or its WebKit rendering engine?<br /><br />No? <br /><br />Then stop using sensational headlines for traffic. This is by no <br />means an epidemic and doesn't really have a chance to become <br />one. This trojan not only requires the user to *deliberately <br />download a file from a shady porn site,* but it also requires the <br />user to *manually start the installer,* as well as *provide an <br />admin password to install the software.*<br /><br />There is no automatic spreading of the trojan.<br />There is no epidemic.<br /><br />Just a blatantly cluless or baiting headline for pageviews.<br /><br />Stop it.

[gsauce]

multiplying the way all trojans do -- by definition

"deliberately download a file from a shady porn site" <br /><br />Right - that's the common avenue of SUCCESS. Only because that group is already pretty much prone to do whatever they have to in order that they see boobs. But, as others have pointed out, there any many ways this thing is (and will be) spread. Don't dismiss trojans as something only people in porn wear... er, I mean, get... <br /><br />"There is no automatic spreading of the trojan."<br /><br />Riiiight. Which is why the author correctly identifies it as a trojan, and not a worm or something else. See, most readers of CNet know the difference. And if you're not one of those folks, maybe you should just read quietly. The folks in the battle of Troy didn't teleport their giant wooden badger behind the gate, after all.... <br /><br />"This is by no means an epidemic and doesn't really have a chance to become one. "<br />The first statement is actually right in the title. The second, is a difference of opinion. How many people were really cautious when they first installed an xVid/DivX codec and took great care in the source of that install? Not most users, on any platform. That said, I don't necessarily disagree with your opinion there, and I certainly agree that the headline is sensational -- sad, but something we've come to expect from the news in all forms.

[starcannon]

Yeah but

when you say it your way its less sensational, and doesn't cause all the F.U.D. that the OP had hoped for.

[pmchefalo]

The NEWS Is ... Targetting the Mac Platform

Hey, the whole article is a great advertisement for Macs: they are finaly popular enough for someone to target them for malware! <br /><br />Security by obscurity no more!<br /><br />Now let's see:<br /><br />1) How secure the Mac OS really is;<br />2) How many Mac users actually pay any attention to security/passwords/root accounts/privileged users;<br />3) Whether anti-malware vendors make a bundle of money on Macs!<br />4) Whether Mac users will upgrade their haedware to compensate for the HIT they will take on anti-malware.<br /><br />Sounds like a corporate win-win situation to me.

[ATSkyWalker]

Huh!!

From the original news item:<br /><br />But to get infected with the malware, you have to accept the <br />invitation to download "new version of codec," open up the .dmg <br />(disk image) file, click the installer.pkg file, and enter your <br />administrator's password, according to Intego. Once infected, <br />the malware changes your DNS settings to hijack Web traffic and <br />redirect it to phishing sites or ads for porn. And you still won't <br />get to watch the video.<br /><br /><br />So! You have to voluntarily download it, mount it, install it, and <br />supply it with your admin password for it to infect you?? <br /><br />Last time I checked Windows automates all these steps with you <br />:-) It installs trojan with zero user intervention! <br /><br />I guess Apple should ship a version of OS X for stupid people in <br />which your password is not known even to you.

[protagonistic]

RE: Huh!!

Actually, that is not quite correct. As a previous reader posted a <br />Trojan, by definition, normally requires user input even on a <br />Windows PC. But that is not the point of the article. The point is <br />that there are now enough Mac users in the world to make the <br />effort profitable. And yes, there are mac users stupid enough to <br />install this trojan.<br /><br />Social Engineering will continue to be the primary method of <br />getting people to install malware regardless of which OS the <br />person is using. Not even OS X can be made impervious to this <br />kind of attack.<br /><br />And FYI, my primary computer is a PowerMac. My other <br />computer runs BSD and with a stupid person sitting at the <br />keyboard either of them could be infected with malware if it <br />were available.

[hotcoffee1122]

HUH!!!

That is the reason why Mac is not prone to trojans and viruses because it doesn't automate everything like windows. it would require a user intervention before it'll install some things. I do believe this is a briliant idea!

[pmchefalo]

Falsehoods Galore!

Windows XP always required user intervention to download and install anything. SP2 made it much more annoying to do this with IE (the most common attack vector) with the yellow band warning. Only if the (brilliant!) user disables those features is your comment about automation of installs correct.

[oharag1111]

This is awesome news!!!!

This means that Macs are making huge market share gains for the virus guys to even consider it (safety through obscurity - or something like that)!!!! Yeah Mac users rejoice - one more stupid milestone to overcome before PC users accept Mac's as superior to their choice :-)

[ittesi259]

Not a flaw in the Operating System

When someone manages to accomplish malware that doesn't require someone to do something stupid on a Mac, then I'll be concerned.

[tanis143]

fanboi

Wow, "PC users accept Mac's as superior to their choice :-)"<br /><br />Um, no they are not. They are overpriced computers with a very nice O/S. Thats it. My current install of XP has lasted 4 years now without any problems. Yeah, my hardware is getting pretty long in the tooth, but thats a different story. I would rather build my own Windows PC for about 1/3 of the cost of a mac when it comes to performance. <br /><br />Plus, cant play the popular games on a Mac without bootcamp, but then why buy a mac?

[Wind_Freak]

PEBKC

Problem exists between keyboard and back of chair.<br /><br />Maybe congress should enact a law stating that all porn <br />websites along with the under 18 warning should also include a <br />don't install any software warning.<br /><br />I think users that came from a windows background are <br />probably more susceptible to this due to being used to having <br />install a billion different codecs to make things play.<br /><br />I find on my mac I no longer have to install codecs and if it <br />doesn't automatically play then i just don't want to see it that <br />bad.

[gigabot]

Typical blind faith

As someone who used to work in the anti-malware industry, I can tell you that the vast majority of Windows malware (especially spyware) is also PEBKAC. Mac isn't any safer than Windows and if you think it is, you're just kidding yourself. I'm saying this as someone who has developed on Windows machines and run Macs at home for many years. The fact that these particular bad guys are using a CODEC hosted on porn sites as their attack vector in no way means this is the only way to infect an OSX system. It just as easily could have propagated as an email worm that said "This game is cool! Give it a try!" The average Mac user would probably open the attachment up if the message appeared to come from a friend, just like the average Windows user. And these are both attack vectors that require no exploit (and there are exploitable vulnerabilities on OSX - I'm not implying there aren't) in the underlying system, other than a gullible user willing to install software from a dubious source. <br /><br />The problem, as it almost always is, is people. Someone in management at the aforementioned anti-malware company where I worked decided it would be a good idea for engineers to listen in on support calls one day a quarter. During those calls, I gained a new appreciation for just how naive, ignorant, and, dare I say, stupid the average computer user is. You have to keep in mind that half of the people in this world have an IQ in the double digits. Think about that for a minute and the whole malware problem comes into much better focus.

[Penguinisto]

32 variants of stupid.

I give props to F-Secure for stating the case clearly, and not giving in to the hype. <br /><br />Intego, OTOH... well, they're no-name fools, and two months from now no one will remember who they were.<br /><br />If the folks behind are professionals then of course they're going to explore all options. It'll be fun to watch them become slowly disappointed that the Macs aren't giving them the ill-gotten gains that certain other OSes have for 'em.<br /><br />/P

[rhsc]

blind faith in so-called perfection is also stupid

you're optimistic. Any system can be hacked. It's just a matter of time and interest in doing so. Just because old Steve says his pretty Macs are airtight doesn't make them so. Don't be surprised if in a few years you start finding worms in your Apple

[R. U. Sirius]

I ran into this yesterday

I administer a forum, and this little beast was on it yesterday. Here are some points these hype articles are not covering:<br /><br /><br />1. It comes into the forum as a spam post. <br /><br />2. They are disguised as YouTube videos, and are NOT necessarily porn. In our case it was disguised as some sort of music video.<br /><br />3. If you have Safari set to Safe mode, clicking the fake YouTube video will take you to a website and will AUTOMATICALLY begin downloading this fake codec, and ask you if you want to install it. It is at this point that users are most vulnerable.<br /><br />4. If you type in your admin password, the dmg file will install.<br /><br /><br /><br />Now, some key points:<br /><br />1. The media needs to alert people to be watchful of these fake YouTube videos.<br /><br />2. This does require the user to do an install, but inexperienced users can easily be fooled by this thing.<br /><br />3. This is not an exploit OSX, yet. Perhaps it may morph into that, but as of now you are okay if you don't do the install. They are certainly trying though to exploit YouTube and many users. The technique is not being well explained by most of the media. If you manage forums or blogs, the<br />fake YouTube links, at least the one I had, was <br />obvious to me, but to most users I suspect many<br />can easily fall for this trap.<br /><br /><br />4. Check your /Library/Internet Plugins folder. If you find a file named "plugins.settings" you are infected.<br /><br />5. Be careful out there. Whoever is behind this<br />is very clever and scary.<br /><br />Macworld has a detailed article on how to manually make sure your OSX system is clean:<br /><br /><a class="jive-link-external" href="http://www.macworld.com/2007/10/firstlooks/trojanhorse/index.php" target="_newWindow">http://www.macworld.com/2007/10/firstlooks/trojanhorse/index.php</a>

[Fireweaver]

Useful info

Thanks for the additional info on this trojan.<br /><br />As usual the biggest vulnerability on any computing system is the user.

[pmchefalo]

Can You Easily Restrict User Rights with Domain Policy?

So, on your Mac:<br /><br />How does this affect "Power User" rather than "User" accounts? Can you control this with group policy?<br /><br />Oh, wait ... these are Macs we're taling about; comsumer electronics devices. <br /><br />Hmmm ... Unix rules apply? So, is it the root password you use? Or just the blank that the first user used to get in?

[thedreaming]

The need of fear...

Why are two known security companies trying very hard to scare mac users into thinking their machines aren't safe from porn sites, youtube, or online forums? Is it because they want to sell more of their products to those users? After all, sales of macs are up because now you can also run windows on them, allowing macs to have the best (and worst) of both worlds.<br /><br />Imagine: A mac user using a mac version of an antivirus program and a pc version, made by the same company.

[Seaspray0]

Good Point!

Has anyone looked at the fine print for their purchase of an antivirus program from a security company? I'm interested in knowing if the agreement is for protecting one computer or one operating system. If for one computer, it seems you should be able to protect all the operating systems that are running on it.

[starcannon]

HAHAHA

Oh my god, too funny, they are getting some mileage out of this story aren't they.<br /><br />Funnier still is that anyone on a Mac would be infected by this, for criesakes you have to give an administration password after clicking yes a few times just to install this crap.<br /><br />I'm no fan of Mac, but still, I couldn't imagine getting infected with any form of malicious wares through the "you need this codec" method.<br />1) I'd go find the codec from a trusted source, or find out if its even really a codec that exists.<br />2) I'd go find porn that didn't require me to jump through hoops to view.<br /><br />Windows users, yeah I can see how it would happen, sorry, but you are on windows, not much can be done to save you from the wolves.

[_t3h]

What people really don't seem to get...

... is that any OS capable of running custom software will have <br />some form of malware.<br /><br />This news is hardly surprising and has been bound to happen for a <br />long while.

[_t3h]

Nothing to do with Intel.

This has absolutely nothing to do with Intel, or hackers knowing <br />how to program in one architecture or the other. Most of this <br />malware would be written in C or another high-level <br />programming language. The same code (if it's written properly <br />i.e. endianness issues) will be able to run on either architecture <br />quite easily.<br /><br />The only time architecture would matter is if it was done in <br />assembly, which this would not have to be. These malware apps <br />are not the work of "hackers" in the true sense - they are rather <br />quickly programmed apps by malware authors wanting to make <br />money (look at what this thing does). Assembly would not be <br />worth the effort.

[_t3h]

Should've been a reply to "COMALite J"'s comment

See above... (reply to story / reply to comment should be made a <br />little clearer IMO)

[grandmasterdibbler]

So the steps you'd have to go through to install this are...

Right, if this is actuall going to affect a Mac user they'd need to:<br />1) Download it (Safari will warn them they are downloading an application)<br />2)Open it, requiring administrator password<br />3)Run it, and the OS will warn you that you've not opened it before.<br /><br />That's at least 3 warnings people get that they're getting an executable file, and the fact that they would have to put in their Admin password to run it should ring alarm bells.<br /><br />This isn't a weakness of OS X (there are more steps in the way of people running this kind of executable than there are on XP) it is a fault of the end user.<br />As for the 'stupid people buy Macs' said stupid people will almost definitely have owned a PC before hand, something which many of you are keen to forget. <br /><br />This is social engineering pure and simple, most of the not computer-savvy people I know are sufficiently paranoid about what they're doing to ask before doing stuff like this, a by-product of years using Windows.<br /><br />This is nothing like the huge worldwide Windows malware like Blaster that made it through requiring little (any?) user interaction whatsoever. When Macs can be attacked without the User knowing what's going on, that is when the PC guys can finally tell Mac users to suck it, this is just a well done social engineering mechanism.