New trojan attacks mac

Posted:
in macOS edited January 2014
Quote:

New Apple Trojan Means Mac Hunting Season Is Open

By Ryan Singel, 11.01.07 | 8:30 PM

A Trojan that targets Mac users visiting a porn site pretends to be video-decoding software, but instead installs rogue code.

Screenshot: Courtesy of Sunbelt Software



The Mac has officially gone mainstream.



The proof? On Halloween, professional online criminals were found using Trojan-horse software to target, for the first time, computers running Apple's OS X operating system -- just as they have been doing for years on the more ubiquitous flavors of Windows.



"Apple's day has finally come, and Apple users are going to get hit hard," security researcher Gadi Evron said. "OS X is the new Windows 98."



The Trojan comes disguised as a video-decoding plug-in that users are told they must install to watch free porn clips. Instead, the software burrows into the operating system and diverts some of the victim's future web surfing to sites under the attacker's control. It's the professional attack on Macs that the security community has long predicted, according to Dave Marcus, security research manager at McAfee's Avert Lab, who said it was "written by people who know how to write malware."



The arrival of the Mac Trojan signals that cybercrooks have decided there are finally enough Apple systems on the internet to make attacking them profitable, according to security experts. Apple is the nation's No. 3 desktop and laptop seller in the United States, behind Dell and Hewlett Packard. And this year, the Cupertino company accounted for an impressive 8.1 percent of the personal-computer market for the third quarter, up nearly two percentage points from the same period a year ago. Evron and other observers predict that black hats will have a field day with Macs, as well as with Apple's new mobile platforms.



"With 2 million iPhones and iPod Touches, it makes sense they will think of them as an evolving market to exploit, and there are a lot of new Mac users who aren't as savvy as Mac's earlier users," said CEO Alex Eckelberry of Sunbelt Software, which sells security software for Windows machines.



But Carl Howe, an Apple analyst at Blackfriars Communications, disputes the security researchers' theories. He thinks that OS X's Linux heritage makes Apple systems less vulnerable to attack than Windows-based platforms. He argues that even if hacking Macs hasn't been profitable in the past, attackers would have done it anyway if they'd been able -- just for the attention.



"I think the market-share thing has always been a myth," Howe said. "It's a good story to talk about."



Announced Wednesday by Mac-focused security company Intego, the Mac Trojan was found on a set of pornography sites, where attackers dangled free movies that supposedly required users to install a special Quicktime codec to view.



The codec, however, is fake. Instead of unlocking a skin flick, it installs what Intego dubbed the OSX.RSPlug.A Trojan horse on the user's computer.



Black-hat hackers have been using fake codecs for more than a year to trick Windows users into installing software. In this case, when the site serving the malware determines that a user is on a Mac, it delivers a Mac-specific version.



Once installed, the Trojan hijacks the system's domain-name service. Internet-connected applications use DNS to translate the domain part of a URL, such as www.Wired.com, into the numeric IP address of a server. By hijacking the DNS, the attacker is able to replace search results with links to sites that he controls, in hopes of making money from online purchases, according to Eckelberry.



The software could also intercept intended visits to sites such as banks, eBay and PayPal and redirect them to fake websites that harvest users' logins and passwords. The scammers could then use that info to get money out of the real sites, but neither Sunbelt nor McAfee researchers have seen the malware harvesting personal-finance info.



Unlike many Windows-based attacks, the Trojan doesn't exploit a hole in Apple's software, and it can't install itself. Instead, it relies on social engineering, tricking users into downloading the codec, and requiring that they type in the administrator password to install it.



But the fact that the hackers aren't attacking through software bugs doesn't change the portent of this week's attack, according to Eckelberry. "I don't care if you have to type in your admin password," Eckelberry said. "If you are asked to install a QuickTime plug-in, you will."



For the past year, fake codecs have been among the top problems encountered by Windows users, according to Eckelberry. The attacks have gotten so professional-looking that the fake codecs even have fake, annoying end-user license agreements that users have to agree to.



The Mac Trojan is created by the same malware crew that has been infecting Windows machines with the Trojans known as Zlob and DNSChanger, according to Eckelberry and Marcus.



Marcus said McAfee researchers have already found the Mac Trojan on 65 websites. But he said the malware is not living up to its full potential: It only redirects users who attempt to visit one obscure adult website.



"Truthfully, this is kind of strange," said Marcus. "If you are going to mess with someone's DNS, I would have done far more fake DNS entries. I have a sneaking suspicion that word got out before they wanted it to, but that's just an educated guess."



Evron sees more problems for Apple users than just new Trojans that try to trick users. Hackers will find it profitable and all too easy to find holes in Apple software, because the company hasn't paid sufficient attention to security, said Evron.



He predicts Apple will experience a full range of attacks, just as Microsoft did a decade ago when Windows machines and the internet first met.



"It's Mac season. The next two years will be interesting."



---



Staff writer David Kravets contributed to this story.




Just be careful with porn I guess, lol. HERE'S THE ARTICLE FROM WIRED
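The hijack the article describes works by changing which DNS servers the system consults, so every later lookup, for search engines, banks or anything else, can be answered by the attacker. The practical defender's check is therefore whether the configured nameservers are the ones you expect. The script below is an added example, not code from the Wired article or from anyone in this thread: it parses text in the format of macOS's `scutil --dns` output (the sample here is constructed, and the 203.0.113.5 address is a documentation-range placeholder standing in for an unexpected resolver) and reports any nameserver outside an allowlist. The allowlist addresses and the `audit_text` / `parse_scutil_dns` function names are this example's own assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the style of `scutil --dns` on macOS. Resolver #1 carries
# one expected LAN resolver plus one placeholder address (203.0.113.5, from the
# TEST-NET-3 documentation range) that stands in for a resolver a DNS changer
# might have injected. Resolver #2 is a typical mDNS entry with no nameservers.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : corp.example
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.5
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000
"""

RESOLVER_RE = re.compile(r"^resolver #(\d+)")
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def parse_scutil_dns(text: str) -> Dict[int, List[str]]:
    """Map each resolver index to the list of nameservers declared under it.

    Resolvers with no nameserver lines (e.g. mDNS scoped entries) map to [].
    """
    resolvers: Dict[int, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = RESOLVER_RE.match(line)
        if m:
            current = int(m.group(1))
            resolvers[current] = []
            continue
        m = NAMESERVER_RE.match(line)
        if m and current is not None:
            resolvers[current].append(m.group(1))
    return resolvers


def find_unexpected_nameservers(
    resolvers: Dict[int, List[str]], expected: Set[str]
) -> List[Tuple[int, str]]:
    """Return (resolver index, nameserver) pairs for servers not on the allowlist."""
    findings: List[Tuple[int, str]] = []
    for idx in sorted(resolvers):
        for ns in resolvers[idx]:
            if ns not in expected:
                findings.append((idx, ns))
    return findings


def audit_text(text: str, expected) -> List[Tuple[int, str]]:
    """Parse scutil-style text and flag nameservers outside `expected`."""
    return find_unexpected_nameservers(parse_scutil_dns(text), set(expected))


if __name__ == "__main__":
    import shutil
    import subprocess

    # Assumed trusted resolvers for this example; replace with your own.
    expected = {"192.168.1.1", "192.168.1.2"}
    source = SAMPLE_SCUTIL_DNS
    # On a Mac, audit the live configuration instead of the constructed sample.
    if shutil.which("scutil"):
        live = subprocess.run(["scutil", "--dns"], capture_output=True,
                              text=True, check=False).stdout
        source = live or source
    findings = audit_text(source, expected)
    if not findings:
        print("all configured nameservers are on the allowlist")
    for idx, ns in findings:
        print(f"resolver #{idx}: unexpected nameserver {ns}")
```

Run against the constructed sample, the audit reports `resolver #1: unexpected nameserver 203.0.113.5`. Comparing against an allowlist rather than a blocklist is the point: the article notes the Trojan authors can point the resolver anywhere they like, so the only stable signal is deviation from what the machine is supposed to use.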

Comments

  • Reply 1 of 13
    Well, it's a good thing I don't watch porn online.
  • Reply 2 of 13
    mcarling Posts: 1,106 member
    Anybody stupid enough to type in their administrator password to install software they found on a porn website deserves whatever they have coming. Why on earth would a legitimate porn site write a custom codec? That is so obviously wrong that I have no sympathy for the dupes.
  • Reply 3 of 13
    mr. me Posts: 3,221 member
    Quote:
    Originally Posted by mcarling View Post


    Anybody stupid enough to type in their administrator password to install software they found on a porn website deserves whatever they have coming. Why on earth would a legitimate porn site write a custom codec? That is so obviously wrong that I have no sympathy for the dupes.



    Many porn download sites require the user to download special downloaders. At least, that's what I've read. These downloaders have been exclusively Windows-based. To the switcher who has never been burned by a downloadable downloader, it might not seem out of line to download a special codec on the Mac.



    This new attack vector will get a lot of publicity. A few Mac users may be victimized by it, but it will not last long. It requires an extremely cooperative but undefended user. These two basic requirements will not last long.
  • Reply 4 of 13
    I agree that this isn't particularly dangerous to more experienced users - however, it's undoubtedly the start of attacks against the Mac. Sure, OS X doesn't have the many vulnerabilities of Windows that allow software to install itself automatically and without notifying the user, but eventually malware is going to make its way onto the Mac on its own.



    Thinking about that subject, I wondered if Apple isn't planning to release integrated malware detection and removal tools harnessing the indexing power of Spotlight and Time Machine. One of the main problems with Windows is (even after SP2 and Vista) that it has never packaged these tools, so users have to go to a third party to download not one, but several pieces of overlapping security software AND in most cases regularly run that software themselves.



    Meanwhile, Apple's bread and butter is packaging effective software with its computers. There are already third-party malware solutions for Mac out there, but wouldn't Apple want to address that themselves? They'd be stepping on the toes of some developers, but this is security. Apple didn't allow third-parties to develop for the iPhone until security concerns were addressed, so why would it leave protection on its core desktop product to third parties?



    With the powerful indexing that Spotlight (and now Time Machine) already does automatically, it seems like there's already a perfect system in place for scanning for malware that wouldn't slow down the computer at all. Does anyone know if Apple is working on leveraging these technologies to deploy some kind of security software?
  • Reply 5 of 13
    Quote:
    Originally Posted by Mr. Me View Post


    This new attack vector will get a lot of publicity.



    You can say that again. All I see are headlines: Mac Virus Attack! Mac's Finally In Trouble! That sort of thing. Always a virus. Never a Trojan (unless you read the fine print in the articles), and nothing about: don't be an idiot at the porn sites (but then, which one of us is truly thinking in our right minds at these sites?). Isn't there always some virus scare about once a year?
  • Reply 6 of 13
    Quote:
    Originally Posted by mzaslove View Post


    You can say that again. All I see are headlines: Mac Virus Attack! Mac's Finally In Trouble! That sort of thing. Always a virus. Never a Trojan (unless you read the fine print in the articles), and nothing about: don't be an idiot at the porn sites (but then, which one of us is truly thinking in our right minds at these sites?). Isn't there always some virus scare about once a year?



    The WSJ article issued a correction for calling it a virus in the original headline, and changed the headline to say malware instead.
  • Reply 7 of 13
    Quote:
    Originally Posted by potterhead4 View Post


    The WSJ article issued a correction for calling it a virus in the original headline, and changed the headline to say malware instead.



    Yeah, but the horse is already out of the barn, and everyone else picked up on it and is calling it a virus. Journalists no longer do their own research, especially on the Web.
  • Reply 8 of 13
    nofeer Posts: 2,427 member
    Since this is out there, there will be copycats, so we should be aware of any site, porn or not, that might try to get its rocks off with this thing.... The big thing is that it doesn't reproduce or attach to your email address book. So maybe Apple will update Leopard security to seek out this thing. And for those of you who think it's only a "porn" site: they could disguise the initial site as "vague" then point your DNS to a mess of porn sites that automatically load a billion porn bookmarks into Safari. I wonder if the iPhone is vulnerable.
  • Reply 9 of 13
    mr. me Posts: 3,221 member
    Quote:
    Originally Posted by potterhead4 View Post


    ... but eventually malware is going to make its way onto the Mac on its own.



    ...



    No. Remember, this was a professional action. It targets MacOS X users who are dumb enough to fall for the ruse, but have the money to make the effort worthwhile. That is a very small group and it will only get smaller.



    It is also important to understand that the "attack" did not breach the OS. One can rest assured that MacOS X will soon have countermeasures to defend against attacks of this sort. The malware developers will have a moving target.
  • Reply 10 of 13
    pb Posts: 4,255 member
    Quote:
    Originally Posted by iwonttell View Post


    "OS X is the new Windows 98."



    Quote:
    Originally Posted by iwonttell View Post


    Unlike many Windows-based attacks, the Trojan doesn't exploit a hole in Apple's software, and it can't install itself. Instead, it relies on social engineering, tricking users into downloading the codec, and requiring that they type in the administrator password to install it.



    These two sentences say it all. I find it worthless even to comment.
  • Reply 11 of 13
    buddha Posts: 386 member
    Quote:
    Originally Posted by PB View Post


    These two sentences say it all. I find it worthless even to comment.



    Those sentences contradict each other actually.
  • Reply 12 of 13
    pb Posts: 4,255 member
    Quote:
    Originally Posted by buddha View Post


    Those sentences contradict each other actually.



    That's exactly my point. Think about it.
  • Reply 13 of 13
    Quote:
    Originally Posted by Mr. Me View Post


    No. Remember, this was a professional action. It targets MacOS X users who are dumb enough to fall for the ruse, but have the money to make the effort worthwhile.



    Yes, that's why I said eventually.