Mac DNS Changer Trojan [OSX/Puper] relatively simple; works like the Windows version

“The [Mac DNS Changer] Trojan is relatively simple and works almost exactly the same as its brother for Windows operating systems. In case of execution, the Trojan changes the DNS settings on the machine and reports back to the C&C server,” Bojan Zdrnja reports for SANS Internet Storm Center.

“While the Trojan is relatively simple and not a big threat, two things came to my mind immediately: the bad guys are taking Mac now seriously – this is a professional attempt at attacking Mac systems (and they could have been much more damaging really). The second thing that folks at Sunbelt noticed is that when they sent a sample to VirusTotal there were 0 (zero, nada, nilch) products that detected this,” Zdrnja reports.

“Although the Trojan is really simple, it could have done much worse things (once the installer script has root privileges, it is game over anyway). This malware shows that we must not ignore Mac machines and that Mac users should not think they are invulnerable just by using a Mac and that they can click on absolutely everything,” Zdrnja reports.

Full article here.

McAfee calls this one “OSX/Puper” and rates its risk as “Low” for both home and corporate users, explaining, “Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. This trojan is most commonly installed by going to a malicious site.”

Full article here.

MacDailyNews Take: This is not the first Mac trojan, nor will it be the last. There’s not much else to say here beyond that the old rules still apply: Do not enter your Mac OS X admin password to install anything from an unknown and/or untrusted source.
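The symptom the quoted SANS report describes is altered resolver settings. As an added example (not code from SANS, McAfee or MacDailyNews), here is a defender-side check that parses `scutil --dns` output and flags any nameserver outside an allowlist; the allowlist and the sample output are constructed.

```python
import ipaddress
import re

# Constructed allowlist: the resolvers Macs on this (hypothetical) network should use.
EXPECTED_RESOLVERS = {"192.168.1.1", "192.168.1.2"}

# Constructed sample of `scutil --dns` output; resolver #2 has been pointed at an
# unrelated public address, the kind of change a DNS-changer trojan makes.
SAMPLE_SCUTIL_OUTPUT = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 192.168.1.2

resolver #2
  domain   : local
  nameserver[0] : 203.0.113.7
"""

_RESOLVER_RE = re.compile(r"^resolver #(\d+)")
_NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")

def parse_scutil_dns(text):
    """Map each resolver number in `scutil --dns` output to its nameserver list."""
    resolvers, current = {}, None
    for line in text.splitlines():
        if m := _RESOLVER_RE.match(line):
            current = int(m.group(1))
            resolvers[current] = []
        elif (m := _NAMESERVER_RE.match(line)) and current is not None:
            resolvers[current].append(m.group(1))
    return resolvers

def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Return (resolver_no, address) pairs not on the allowlist; addresses are
    normalised with ipaddress, and anything unparsable is flagged as well."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    findings = []
    for num, addrs in sorted(parse_scutil_dns(text).items()):
        for addr in addrs:
            try:
                ip = ipaddress.ip_address(addr.split("%", 1)[0])  # strip IPv6 scope id
            except ValueError:
                findings.append((num, addr))
                continue
            if ip not in allowed:
                findings.append((num, addr))
    return findings
```

On a real Mac, feed the live output of `scutil --dns` to `unexpected_resolvers` instead of the sample; an empty result means every configured resolver is on the allowlist.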

36 Comments

  1. No computer is safe from a program an administrator CHOOSES to run. Basic smarts apply here; don’t run software from untrusted sources, and anything from a porn or warez or mp3 site should be considered untrustworthy. Stay away from net porn and piracy and you’ve much less to worry about.

  2. The MDN take is the key. This is not a breakdown or hole in MacOS X security. It is a user flaw, and Apple has already set things up to require admin password authorization for installation. You can only go so far with coding to mitigate stupidity.

    I assume that Time Machine could help you to recover gracefully from that stupidity, though.

  3. It has been said before (sorry, can’t attribute correctly, don’t remember):

    You may feel free to get your QuickTime codec updates from a porn site.

    I get my QuickTime updates from the Software Update application.

  4. Please explain how it gets ROOT access if I don’t have that enabled!

    It can only get administrator rights.

    It can only trash the user account that allows it.

    Please report it correctly.

    Incompetent reporters!!

  5. Good points made above – this is an inherent security issue in any OS you run, no matter how many firewalls and security things you run. If you give something permission to access your system, it’s game over.

    no OS is 100% secure against user ignorance. but mac os x is still in better shape than windows, which is fine by me. =)

  6. …pretty much root.

    Oh give me a break. Access rights “are” or “are not”.
    “pretty much” does not cut it.

    And what average user is going to know how to SUDO?

    Once again. There are two levels of access rights. It needs to be reported as such.
    This is not about users also being told to SUDO and then type in terminal to delete something. Anyone who does that is a moron.

    Just following the story, it only gets into the admin rights. They would actually do some good by explaining ROOT, its level and what admin is and its level. But the security companies want hype and headlines so what’s a little bending of the truth.

  7. to “Think”:

    In order for sudo to work you still need the root password. If root has not been enabled on the machine in question then nothing can happen. If root has been enabled, then the trojan would need the root password….or entice the user into entering it. I’m assuming the trojan would at least try to use the same password entered as the user/admin password for the root….if someone capable enough to have activated root in the first place has used the same password for root as they did for their user/admin account, then they deserve anything they get!

  8. Apple could do well by setting up the computer (like Windows OOBE) with a standard user account instead of an Admin account. From this level, only applications Apple expressly allows should be able to self-elevate – such as Apple Update – and should still require the user to enter their admin password. The Admin account should not be “login-able” unless you specifically go into the user preferences and hit the check box “User can log into the desktop” or similar.

  9. The security companies always like to tar Apple’s OS X with the same susceptibility to malware as Windows. But even with trojans, where vulnerabilities are closer, Mac OS X is far less likely to be corrupted. Windows forces users to respond to so many useless dialog boxes — Cancel or Allow — that users turn off the nagging security features to get any work done. Mac OS X users do not often see such warnings, so that social engineering attempts to compromise the operating system on a Mac are far more obvious and thus, it is easier to avoid disaster.

  10. I think that sudo just needs an admin password NOT a root password.

    That being said I really don’t see the point of the root account if sudo allows you to do anything the root account can do.

    Maybe I am wrong. Maybe you do need the root password like Bill said

  11. IF the ROOT account is disabled, per Apple factory settings, can sudo still be employed to allow this trojan root access? What if the non-admin user account password is utilized, rather than an admin account password — can the trojan still install?

    Root Man Fat

  12. Here’s what I am unhappy about:

    I bought Leopard and installed it on a MBP and iMac Intel that already had Tiger installed and firewalls switched ON. So effectively it was an ‘upgrade’ rather than a clean install. Yet on both machines, the installer did NOT carry forward the firewall settings and turn them on in Leopard.

    I was diligent enough to have developed a little check-list of things to do when upgrading and one of the first few items was to check and ensure the heatshields were up. And that took me a few minutes as not only were they turned OFF but Apple have moved the firewall from the ‘Sharing’ preferences panel to the Security preferences panel.

    So why didn’t Apple just respect and carry over all my system preference settings in the upgrade?

  13. @Real IT Guy

    Superuser is NOT another name for root. Of course root is a superuser but a superuser does not have to be root. They are different and should be that way. Apple allows an admin user to be a superuser without being root. That is why you must expressly enable root if you want to do things that even a superuser cannot do.

    In OSX the root account exists and is disabled. When the admin user chooses to enable root Apple have provided a way to do that. Theoretically it is possible for a malicious user who has control of an admin account to enable root but this would be difficult unless the regular user had already compromised the admin account. In addition I believe that Apple have coded it so that enabling root can only be done directly on the machine concerned and not as a remote operation.

    sudo is superuser do which is like saying admin do but is not like saying root do.

    My 2 cents

  14. Root, twig, branch, leaf account, who cares?
    This is about morons downloading crap onto their system from untrusted/unknown sites and running it.

    What’s important here is the message that needs to get out to users: Pull your heads out of your butts and pay attention to common sense, simple security principles: Do not download anything from porn sites, do not click on links in emails, do not blindly enter your admin password ever.
