November 8, 2007 5:51 AM PST

Multiplying Mac Trojan not epidemic yet

If Mac users thought the Trojan discovered last week was a one-off, they'll need to think again.

Security firm F-Secure has discovered 32 variants of it, but claims about its powers have been wildly overstated, according to experts.

"Looks like the Mac Trojan we posted about last week was not an isolated incident. The gang behind it seems serious about targeting Mac users as well as Windows users. And they keep putting out slightly modified versions of the Trojan for the Mac too," Mikko Hypponen, chief research officer at F-Secure, wrote in his blog this week.

Last week, Mac security software vendor Intego discovered a Trojan designed for Mac OS X being distributed via porn sites.

The Trojan is being disguised as a codec, a piece of software used to decode digital audio and video streams. If it is downloaded and installed, it alters the computer's domain name system (DNS) server settings, so that the machine's web traffic is redirected to porn sites of the malware distributor's choice. The prime purpose appears to be to make money when people click on ads served on those sites.

The "payloads" of the 32 variants of the Trojan are the same as the original discovered by Intego. However, F-Secure technical manager Patrik Runald said the Trojan is also on a reconnaissance mission of sorts: it reports its findings back to an IP address in the Ukraine.

"It reports the name of the computer and the operating system version back to another IP address within the Ukraine to keep track of the installs they have," he told ZDNet Australia.

There is also a version for Windows platform users, said Runald, and it was this version that led him to the conclusion the group behind the DNS-changing Mac Trojan is the same group behind the malware released earlier this year known as "zlob."

"Zlob is also about click ads and showing ads on your PC and are also typically distributed through fake codecs," Runald said.

It shows that Macs are "starting to get interesting for the bad guys," he added.

"It's not an isolated incident because it's a professional gang behind it, not some teenagers trying to prove a point," Runald said. "They're actually making money out of it and because of this it's unlikely to end soon."

However, Runald said, the Trojan does not mean Mac platforms are facing a malware epidemic.

Liam Tung of ZDNet Australia reported from Sydney.


65 comments

Macs... not as safe as some think... BUT...
Macs are not as safe as some think... but they're also not as dangerous as others purport.

Personally, I like Linux much better, but at least a Mac has more clout than a Windowz machine!

(* GRIN *)

Walt
Posted by wbenton (522 comments )
Reply Link Flag
Meh - I use both and more.
I happily use Macs, Linux, and FreeBSD. No biggie.

(though to be honest, if a few certain 3D/CG app makers had a native Linux port for a few of their products, I'd prolly go full-on Linux in a heartbeat).
Posted by Penguinisto (5042 comments )
Link Flag
The downside of Apple's switch to Intel
Many things made Macs more secure than PCs. Part of it was security through obscurity, due to the lesser market share. Part of it was real security due to the FreeBSD / Mach / Darwin core, and the fact that users have to jump through hoops to get root access.

But part of it was that many more would-be hackers know how to program Intel x86 chips than know how to program Motorola / IBM PowerPC chips at the machine code level.

Apple has removed that latter layer of protection, by switching to the Intel chips. I understand the reasons they did so (Motorola and IBM failing to live up to their clock speed and supply promises, and Intel's then-new Core line finally becoming truly efficient [though still not as efficient on a power-per-MHz basis as the PowerPCs] unlike their horrendous NetBurst [NutBust] Pentium 4 predecessors), but there was a price to pay, and now we're paying it. Current Windows hackers who are wannabe Mac hackers now have a substantially lowered learning curve. This also weakens the value of the security-through-obscurity angle, as the return on learning curve investment can be much greater even though the market share remains relatively small, if not as much learning curve has to be invested.
Posted by COMALite J (16 comments )
Link Flag
Story slightly inaccurate
The story reads, "If it is downloaded, it alters a computer's domain name system (DNS) server, redirecting the machine to porn sites of the malware distributor's choice."

In reality, the software must be downloaded, double-clicked on, the warning clicked away, and then user must type their administrator password into an authentication dialog in order for the software to do its thing on a Mac. While it's certainly possible to trick some people into doing this, this software isn't something that's going to automatically spread like wildfire.
Posted by samkass (310 comments )
Reply Link Flag
not inaccurate
Trojans generally do require an action on the part of the user for activation, rather than just installing themselves unbeknownst to the user. That's what separates them from other forms of malware.

Trojan -> Trojan horse
a malicious program disguised as an innocuous one to trick the user into letting his [digital] guard down
Posted by rhsc (111 comments )
Link Flag
Almost the same as XP
It is almost the same in Win XP:
In reality, the software must be downloaded, double-clicked on, the warning clicked away, and then the user must be logged into an account with admin privileges in order for the software to do its thing in Win XP, assuming that the AV program does not step in also.
Posted by k2dave (213 comments )
Link Flag
Rename the article - Mac Trojan and the Darwin effect
This is Apple's secret way of thinning the herd.

Anyone who would go through all the steps to install this silly program deserves to have their DNS redirected! :)
Posted by LarryLo (164 comments )
Reply Link Flag
But the idiots were told it was safe by people like you
"Anyone who would go through all the steps to install this silly program deserves to have their DNS redirected!"

What tripe! How many mac fanboys have I heard over the last several years state, "I do not have to worry about viruses. I do not run any antivirus software. Mac's are 100% safe." My response has ALWAYS been "BE PREPARED. Past performance is no guarantee of safety."

How dare you blame the users who were told repeatedly by the macboys, "you'll never get a virus."
Posted by Seaspray0 (9714 comments )
Link Flag
HA!
Darwin's Natural Selection at work in cyberspace, lol, not sure if he'd approve, but still, damn funny :P
Posted by starcannon (54 comments )
Link Flag
Multiplying how, exactly?
Is the trojan spreading itself via a flaw in Mac OS X? What about a vulnerability in Safari or its WebKit rendering engine?

No?

Then stop using sensational headlines for traffic. This is by no means an epidemic and doesn't really have a chance to become one. This trojan not only requires the user to *deliberately download a file from a shady porn site,* but it also requires the user to *manually start the installer,* as well as *provide an admin password to install the software.*

There is no automatic spreading of the trojan.
There is no epidemic.

Just a blatantly clueless or baiting headline for pageviews.

Stop it.
Posted by DavidChartier (5 comments )
Reply Link Flag
multiplying the way all trojans do -- by definition
"deliberately download a file from a shady porn site"

Right - that's the common avenue of SUCCESS. Only because that group is already pretty much prone to do whatever they have to in order that they see boobs. But, as others have pointed out, there are many ways this thing is (and will be) spread. Don't dismiss trojans as something only people in porn wear... er, I mean, get...

"There is no automatic spreading of the trojan."

Riiiight. Which is why the author correctly identifies it as a trojan, and not a worm or something else. See, most readers of CNet know the difference. And if you're not one of those folks, maybe you should just read quietly. The folks in the battle of Troy didn't teleport their giant wooden badger behind the gate, after all....

"This is by no means an epidemic and doesn't really have a chance to become one. "
The first statement is actually right in the title. The second, is a difference of opinion. How many people were really cautious when they first installed an xVid/DivX codec and took great care in the source of that install? Not most users, on any platform. That said, I don't necessarily disagree with your opinion there, and I certainly agree that the headline is sensational -- sad, but something we've come to expect from the news in all forms.
Posted by gsauce (2 comments )
Link Flag
Yeah but
when you say it your way it's less sensational, and doesn't cause all the F.U.D. that the OP had hoped for.
Posted by starcannon (54 comments )
Link Flag
The NEWS Is ... Targetting the Mac Platform
Hey, the whole article is a great advertisement for Macs: they are finally popular enough for someone to target them for malware!

Security by obscurity no more!

Now let's see:

1) How secure the Mac OS really is;
2) How many Mac users actually pay any attention to security/passwords/root accounts/privileged users;
3) Whether anti-malware vendors make a bundle of money on Macs!
4) Whether Mac users will upgrade their hardware to compensate for the HIT they will take on anti-malware.

Sounds like a corporate win-win situation to me.
Posted by pmchefalo (135 comments )
Link Flag
Huh!!
From the original news item:

But to get infected with the malware, you have to accept the invitation to download "new version of codec," open up the .dmg (disk image) file, click the installer.pkg file, and enter your administrator's password, according to Intego. Once infected, the malware changes your DNS settings to hijack Web traffic and redirect it to phishing sites or ads for porn. And you still won't get to watch the video.

So! You have to voluntarily download it, mount it, install it, and supply it with your admin password for it to infect you??

Last time I checked Windows automates all these steps with you :-) It installs trojan with zero user intervention!

I guess Apple should ship a version of OS X for stupid people in which your password is not known even to you.
Posted by ATSkyWalker (2 comments )
Reply Link Flag
RE: Huh!!
Actually, that is not quite correct. As a previous reader posted a Trojan, by definition, normally requires user input even on a Windows PC. But that is not the point of the article. The point is that there are now enough Mac users in the world to make the effort profitable. And yes, there are mac users stupid enough to install this trojan.

Social Engineering will continue to be the primary method of getting people to install malware regardless of which OS the person is using. Not even OS X can be made impervious to this kind of attack.

And FYI, my primary computer is a PowerMac. My other computer runs BSD and with a stupid person sitting at the keyboard either of them could be infected with malware if it were available.
Posted by protagonistic (1868 comments )
Link Flag
HUH!!!
That is the reason why Mac is not prone to trojans and viruses: because it doesn't automate everything like Windows. It would require a user intervention before it'll install some things. I do believe this is a brilliant idea!
Posted by hotcoffee1122 (3 comments )
Link Flag
Falsehoods Galore!
Windows XP always required user intervention to download and install anything. SP2 made it much more annoying to do this with IE (the most common attack vector) with the yellow band warning. Only if the (brilliant!) user disables those features is your comment about automation of installs correct.
Posted by pmchefalo (135 comments )
Link Flag
This is awesome news!!!!
This means that Macs are making huge market share gains for the virus guys to even consider it (safety through obscurity - or something like that)!!!! Yeah Mac users rejoice - one more stupid milestone to overcome before PC users accept Mac's as superior to their choice :-)
Posted by oharag1111 (17 comments )
Reply Link Flag
Not a flaw in the Operating System
When someone manages to accomplish malware that doesn't require someone to do something stupid on a Mac, then I'll be concerned.
Posted by ittesi259 (727 comments )
Link Flag
fanboi
Wow, "PC users accept Mac's as superior to their choice :-)"

Um, no they are not. They are overpriced computers with a very nice O/S. That's it. My current install of XP has lasted 4 years now without any problems. Yeah, my hardware is getting pretty long in the tooth, but that's a different story. I would rather build my own Windows PC for about 1/3 of the cost of a Mac when it comes to performance.

Plus, can't play the popular games on a Mac without Boot Camp, but then why buy a Mac?
Posted by tanis143 (122 comments )
Link Flag
PEBKC
Problem exists between keyboard and back of chair.

Maybe congress should enact a law stating that all porn websites along with the under 18 warning should also include a don't install any software warning.

I think users that came from a windows background are probably more susceptible to this due to being used to having install a billion different codecs to make things play.

I find on my mac I no longer have to install codecs and if it doesn't automatically play then i just don't want to see it that bad.
Posted by Wind_Freak (16 comments )
Reply Link Flag
Typical blind faith
As someone who used to work in the anti-malware industry, I can tell you that the vast majority of Windows malware (especially spyware) is also PEBKAC. Mac isn't any safer than Windows and if you think it is, you're just kidding yourself. I'm saying this as someone who has developed on Windows machines and run Macs at home for many years. The fact that these particular bad guys are using a CODEC hosted on porn sites as their attack vector in no way means this is the only way to infect an OSX system. It just as easily could have propagated as an email worm that said "This game is cool! Give it a try!" The average Mac user would probably open the attachment up if the message appeared to come from a friend, just like the average Windows user. And these are both attack vectors that require no exploit (and there are exploitable vulnerabilities on OSX - I'm not implying there aren't) in the underlying system, other than a gullible user willing to install software from a dubious source.

The problem, as it almost always is, is people. Someone in management at the aforementioned anti-malware company where I worked decided it would be a good idea for engineers to listen in on support calls one day a quarter. During those calls, I gained a new appreciation for just how naive, ignorant, and, dare I say, stupid the average computer user is. You have to keep in mind that half of the people in this world have an IQ in the double digits. Think about that for a minute and the whole malware problem comes into much better focus.
Posted by gigabot (4 comments )
Link Flag
32 variants of stupid.
I give props to F-Secure for stating the case clearly, and not giving in to the hype.

Intego, OTOH... well, they're no-name fools, and two months from now no one will remember who they were.

If the folks behind are professionals then of course they're going to explore all options. It'll be fun to watch them become slowly disappointed that the Macs aren't giving them the ill-gotten gains that certain other OSes have for 'em.

/P
Posted by Penguinisto (5042 comments )
Reply Link Flag
blind faith in so-called perfection is also stupid
you're optimistic. Any system can be hacked. It's just a matter of time and interest in doing so. Just because old Steve says his pretty Macs are airtight doesn't make them so. Don't be surprised if in a few years you start finding worms in your Apple
Posted by rhsc (111 comments )
Link Flag
I ran into this yesterday
I administer a forum, and this little beast was on it yesterday. Here are some points these hype articles are not covering:


1. It comes into the forum as a spam post.

2. They are disguised as YouTube videos, and are NOT necessarily porn. In our case it was disguised as some sort of music video.

3. If you have Safari set to Safe mode, clicking the fake YouTube video will take you to a website and will AUTOMATICALLY begin downloading this fake codec, and ask you if you want to install it. It is at this point that users are most vulnerable.

4. If you type in your admin password, the dmg file will install.



Now, some key points:

1. The media needs to alert people to be watchful of these fake YouTube videos.

2. This does require the user to do an install, but inexperienced users can easily be fooled by this thing.

3. This is not an exploit OSX, yet. Perhaps it may morph into that, but as of now you are okay if you don't do the install. They are certainly trying though to exploit YouTube and many users. The technique is not being well explained by most of the media. If you manage forums or blogs, the fake YouTube links, at least the one I had, was obvious to me, but to most users I suspect many can easily fall for this trap.


4. Check your /Library/Internet Plugins folder. If you find a file named "plugins.settings" you are infected.

5. Be careful out there. Whoever is behind this
is very clever and scary.

Macworld has a detailed article on how to manually make sure your OSX system is clean:

http://www.macworld.com/2007/10/firstlooks/trojanhorse/index.php
Posted by R. U. Sirius (745 comments )
Reply Link Flag
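The commenter above gives one concrete indicator (a "plugins.settings" file in the Internet plug-in folder) and the article itself describes the only payload effect: the machine's DNS server settings are changed. The script below is an added example, not from the article, Intego, F-Secure or any commenter, that turns those two facts into a defender's check. It assumes the indicator file name and folder exactly as the comment states them (the folder is a parameter so you can point it at the actual plug-in directory on your system), and it assumes the resolver settings have been exported to a resolv.conf-style file of "nameserver" lines; the allowlist of expected resolvers is something the owner supplies. The sample configuration used in the test is constructed and uses documentation-only addresses.

```shell
#!/bin/sh
# Added example: check a Mac for the two indicators the page gives for this
# DNS-changing Trojan. Not the original article's or any commenter's code.

# Indicator file name as stated in the comment above (assumption: the name is exact).
INDICATOR_NAME="plugins.settings"

# check_indicator_dir DIR
#   Returns 0 (and prints the path) if DIR contains the indicator file, 1 otherwise.
#   The comment gives the folder as "/Library/Internet Plugins"; pass the real
#   plug-in folder on your system.
check_indicator_dir() {
    dir="$1"
    if [ -e "$dir/$INDICATOR_NAME" ]; then
        printf 'indicator present: %s\n' "$dir/$INDICATOR_NAME"
        return 0
    fi
    return 1
}

# check_dns_servers CONFIG_FILE ALLOWLIST
#   CONFIG_FILE: resolv.conf-style file with "nameserver <address>" lines
#                (assumption: the live resolver settings were exported there).
#   ALLOWLIST:   space-separated resolver addresses the owner expects
#                (the home router, the ISP's or the company's resolvers).
#   Prints every resolver not on the allowlist, one per line; the return
#   value is the number of unexpected resolvers (0 means nothing suspicious).
check_dns_servers() {
    conf="$1"
    allow="$2"
    bad=0
    while read -r key value _rest; do
        [ "$key" = "nameserver" ] || continue
        found=0
        for a in $allow; do
            [ "$a" = "$value" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$value"
            bad=$((bad + 1))
        fi
    done < "$conf"
    return "$bad"
}

# Live scan only when invoked with --scan, so the functions can also be
# sourced from another script. DNS_ALLOWLIST is an environment variable the
# owner sets, e.g. DNS_ALLOWLIST="192.0.2.1" (constructed example address).
if [ "${1:-}" = "--scan" ]; then
    check_indicator_dir "/Library/Internet Plugins" || echo "no indicator file found"
    if check_dns_servers /etc/resolv.conf "${DNS_ALLOWLIST:-}"; then
        echo "all resolvers are on the allowlist"
    else
        echo "unexpected resolvers listed above: review System Preferences > Network"
    fi
fi
```

Run it as `DNS_ALLOWLIST="<your router or ISP resolver>" sh check_dns_trojan.sh --scan`. A resolver you do not recognise is exactly the change the article describes, so the check is worth repeating after any "codec" install a user admits to; the indicator file is only as reliable as the comment's report, which is why the DNS comparison is the primary signal here.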
Useful info
Thanks for the additional info on this trojan.

As usual the biggest vulnerability on any computing system is the user.
Posted by Fireweaver (105 comments )
Link Flag
Can You Easily Restrict User Rights with Domain Policy?
So, on your Mac:

How does this affect "Power User" rather than "User" accounts? Can you control this with group policy?

Oh, wait ... these are Macs we're talking about; consumer electronics devices.

Hmmm ... Unix rules apply? So, is it the root password you use? Or just the blank that the first user used to get in?
Posted by pmchefalo (135 comments )
Link Flag
The need of fear...
Why are two known security companies trying very hard to scare mac users into thinking their machines aren't safe from porn sites, youtube, or online forums? Is it because they want to sell more of their products to those users? After all, sales of macs are up because now you can also run windows on them, allowing macs to have the best (and worst) of both worlds.

Imagine: A mac user using a mac version of an antivirus program and a pc version, made by the same company.
Posted by thedreaming (573 comments )
Reply Link Flag
Good Point!
Has anyone looked at the fine print for their purchase of an antivirus program from a security company? I'm interested in knowing if the agreement is for protecting one computer or one operating system. If for one computer, it seems you should be able to protect all the operating systems that are running on it.
Posted by Seaspray0 (9714 comments )
Link Flag
HAHAHA
Oh my god, too funny, they are getting some mileage out of this story aren't they.

Funnier still is that anyone on a Mac would be infected by this, for criesakes you have to give an administration password after clicking yes a few times just to install this crap.

I'm no fan of Mac, but still, I couldn't imagine getting infected with any form of malicious wares through the "you need this codec" method.
1) I'd go find the codec from a trusted source, or find out if its even really a codec that exists.
2) I'd go find porn that didn't require me to jump through hoops to view.

Windows users, yeah I can see how it would happen, sorry, but you are on windows, not much can be done to save you from the wolves.
Posted by starcannon (54 comments )
Reply Link Flag
What people really don't seem to get...
... is that any OS capable of running custom software will have some form of malware.

This news is hardly surprising and has been bound to happen for a long while.
Posted by _t3h (17 comments )
Reply Link Flag
Nothing to do with Intel.
This has absolutely nothing to do with Intel, or hackers knowing how to program in one architecture or the other. Most of this malware would be written in C or another high-level programming language. The same code (if it's written properly i.e. endianness issues) will be able to run on either architecture quite easily.

The only time architecture would matter is if it was done in assembly, which this would not have to be. These malware apps are not the work of "hackers" in the true sense - they are rather quickly programmed apps by malware authors wanting to make money (look at what this thing does). Assembly would not be worth the effort.
Posted by _t3h (17 comments )
Reply Link Flag
Should've been a reply to "COMALite J"'s comment
See above... (reply to story / reply to comment should be made a little clearer IMO)
Posted by _t3h (17 comments )
Link Flag
So the steps you'd have to go through to install this are...
Right, if this is actually going to affect a Mac user they'd need to:
1) Download it (Safari will warn them they are downloading an application)
2) Open it, requiring administrator password
3) Run it, and the OS will warn you that you've not opened it before.

That's at least 3 warnings people get that they're getting an executable file, and the fact that they would have to put in their Admin password to run it should ring alarm bells.

This isn't a weakness of OS X (there are more steps in the way of people running this kind of executable than there are on XP) it is a fault of the end user.
As for the 'stupid people buy Macs', said stupid people will almost definitely have owned a PC beforehand, something which many of you are keen to forget.

This is social engineering pure and simple, most of the not computer-savvy people I know are sufficiently paranoid about what they're doing to ask before doing stuff like this, a by-product of years using Windows.

This is nothing like the huge worldwide Windows malware like Blaster that made it through requiring little (any?) user interaction whatsoever. When Macs can be attacked without the User knowing what's going on, that is when the PC guys can finally tell Mac users to suck it, this is just a well done social engineering mechanism.
Posted by grandmasterdibbler (78 comments )
Reply Link Flag