Mac trojan makers churn out slightly modified versions to evade anti-malware detection

“The Mac’s first Trojan won’t be its last: Security researchers at F-Secure have found that the gang behind the malware has been churning out slightly modified versions to evade anti-malware detection,” Lisa Vaas reports for eWeek.

MacDailyNews Take: “The Mac’s first Trojan won’t be its last” – and, to think, it’s not even its first!

Vaas continues, “That’s nothing new—the fake codec the Trojan is masquerading as is a variant of Trojan.DNSChanger, malware that’s been plaguing Windows users for some time.”

“There are typically multiple sites that distribute the DNS Changer Trojan. At any given time, there might be thousands of variants active. Adam Thomas, a Sunbelt security researcher, told eWEEK that as of five days ago, one site—procodec.net—was serving up 1,090 slightly different installers, each one built for a different ‘affiliate’ site,” Vaas reports.

“The DNS Changer Trojan was being served on porn sites, purportedly as a codec that would enable visitors to view porno videos. Various porn sites would each get one installer, which the gang would then use for tracking purposes. The codecs are modified throughout the day to evade detection,” Vaas reports.

Full article here.

MacDailyNews Take: Once again: This is not the first Mac trojan, nor will it be the last. As always: Do not enter your Mac OS X admin password to install anything from an unknown and/or untrusted source.

35 Comments

  1. Malware that requires user action to be downloaded, user action to be run, and user permission to be installed (and does not self-propagate) will never be a significant threat to Mac users. Windows malware often installs, runs, and propagates without any user intervention. That’s quite a difference…

  2. I fell into that trap once. Our admin gave me that DVD. I inserted it, and then some installer program asked for permission to install. Stupidly, I pressed OK and gave my password. Now I’m stuck with something called Office 10.8. It pops up all the time when I click on certain documents, takes half a minute to start, and slows down my Mac.

  3. The problem is Apple allowed developers to get careless with the admin password for installers.

    Now users just give out root access (using sudo; aka admin password) to anything they please.

    I knew this problem was going to appear years ago.

    The admin password gives an installer or application total access to one’s OS.

    For instance, why does a photo-editing or an office suite require an admin (thus root power using “sudo”) password to be run or installed?

    What hooks are being installed in the OS? What ports are being secretly opened? What’s being installed in EFI to monitor you or allow an exploit a way into your machine later? What gleaned marketing data is going out of your machine without your knowledge?

    What’s wrong with a simple drag and drop install anymore?

    It’s Apple’s lack of concern for users’ privacy that is causing this malware attack vector.

    Apple itself does all sorts of monitoring of a user’s system and app usage. (When you boot, when you open iTunes, when you open Address Book and so on and so on.)

    Any computer company that installs the privacy-destroying EFI firmware (a firmware-level OS with complete access to the internet and hardware regardless of OS running or not) has to be insane or consider their users idiots.

    So Apple considers its users idiots, because they sure don’t consider their needs or privacy anymore.

    They just do a better job of keeping the common bad guys out, that’s all.

  4. I also get mad at installers asking for system access. I think Apple should invoke some method to make software makers state why a system password is required. Some already do this I think.

    For example I would NEVER let any Microsoft software go NEAR my system password!

  5. I can’t imagine any circumstance where I would succumb to this. This basically amounts to a phishing attack, in that the user has to allow system access. It’s like inviting a vampire into your home …

    I don’t even see this as a security issue as it is user-dependent. A user could decide to format her own drive or enter destructive commands into the terminal, but we don’t call that a “security risk”.

    A true security threat is code that can damage or dominate a system without the user’s knowledge or consent.

    Windows users get date raped. But you have to ask a Mac user to dance before you get your hand on our ass.

  6. To make your Mac safer when visiting porn sites

    1: Enable advanced firewall options
    2: Turn off Safari “open safe files” (should be off regardless)
    3: Turn off plugins and JavaScript.
    4: Set the Safari download folder to a special porn folder. This way drive-by downloads don’t appear on the desktop to be accidentally opened and you get trojaned. Secure erase the folder when finished.
    5: Make sure your OS is up to date.
    6: Install PithHelmet and modify the settings to block all images. A simple Command-Shift-R will reload with images.
    7: Add the text file on this web page to the bottom of your “sudo pico /etc/hosts” file. It blocks the parasites of the internet. (arrow down, paste, control x to exit, y to save)

    http://www.mvps.org/winhelp2002/hosts.htm

    8: Best of all, create a (non-admin) user just for porn. This way if you double-click on a QuickTime porn video and it’s a trojan wiping your files, you didn’t lose anything. (Yes, the metadata file exploit is still around.)

    9: Installing filter software is almost a waste of effort and cost. Some don’t specify between good and bad porn. Bad porn producers have everything switching constantly to evade such filters. If used, specify sites to block containing the word “teen”. There are a lot of legal 18 and 19 sites, but they then link to preteen/pre-adult sites. ISPs are watching your traffic, be warned. If someone sees you seeing CP, be prepared to go to jail and have your ass kicked by everyone, regardless of your excuse.
    10: Voice your opinion for an XXX domain, where the porn producers have to verify ages and play by the rules, not do trick links and ambushes.

    11: Install Little Snitch to monitor your outbound connections. Eliminate the defaults and go from there for the best protection.

    Porn can be a safe and fun release, a chance for couples to explore new fantasies. It doesn’t have to be the nasty, evil identity it is now.
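Two of the steps in the list above, the /etc/hosts blocklist (item 7) and watching what the machine actually talks to (item 11), can be made less error-prone than pasting into pico. The following is an added example written for this page; it is not code from the article, from MacDailyNews or from the commenter. `merge_hosts` appends a hosts-format blocklist into a hosts file without creating duplicate entries, so it can be re-run when the list is updated, and `check_resolvers` parses the output of the real macOS command `scutil --dns` (assumed here to list resolvers as `nameserver[N] : IP` lines) and flags any resolver not in an allowlist you supply, which is what a DNS-changing trojan of the kind the article describes leaves behind. The router address 192.168.1.1, the documentation-range address 198.51.100.7 and the sample blocklist are constructed for the demo; the article does not give the addresses the real trojan used, so the check is allowlist-based rather than looking for known-bad resolvers.

```shell
#!/bin/sh
# Added example; not code from the article, MacDailyNews, or the commenter.
# Two helpers for items 7 and 11 of the list above. Both read from files or
# stdin so they can be tried offline; the live commands are in the comments.
# All sample data below is constructed for the demo.

# merge_hosts BLOCKLIST HOSTSFILE
# Append each "IP hostname" entry from BLOCKLIST whose hostname is not already
# mapped in HOSTSFILE. Comment and blank lines are skipped, so a downloaded
# list can be fed in unedited. Re-running it adds nothing (idempotent), which
# pasting at the bottom of the file does not guarantee.
# Live use, as root, after backing up the file:
#   merge_hosts hosts.txt /etc/hosts
merge_hosts() {
    blocklist=$1
    hostsfile=$2
    [ -f "$hostsfile" ] || : > "$hostsfile"
    tmp=$(mktemp) || return 1
    awk -v hostsfile="$hostsfile" '
        { sub(/#.*/, "") }                              # strip comments
        NF < 2 { next }                                 # blank/malformed
        FILENAME == hostsfile { seen[$2] = 1; next }    # pass 1: existing
        !($2 in seen) { print $1, $2; seen[$2] = 1 }    # pass 2: new only
    ' "$hostsfile" "$blocklist" > "$tmp"
    cat "$tmp" >> "$hostsfile"
    rm -f "$tmp"
}

# check_resolvers ALLOWED_IP...
# Read `scutil --dns` output on stdin, pull out every "nameserver[N] : IP"
# line, and print each resolver that is not in the allowed list. Returns 1 if
# any unexpected resolver was found, 0 otherwise. A DNS-changing trojan shows
# up here as a resolver you never configured. Live use:
#   scutil --dns | check_resolvers 192.168.1.1
check_resolvers() {
    allowed=" $* "
    found=$(awk '$1 ~ /^nameserver\[[0-9]+\]$/ { print $3 }' | sort -u)
    rc=0
    for ip in $found; do
        case "$allowed" in
            *" $ip "*) ;;
            *) echo "unexpected resolver: $ip"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on constructed data (temp files; nothing on the real system is touched).
demo() {
    dir=$(mktemp -d) || return 1
    printf '127.0.0.1 localhost\n0.0.0.0 ads.example.net\n' > "$dir/hosts"
    printf '# sample blocklist\n0.0.0.0 ads.example.net\n0.0.0.0 tracker.example.org  # trailing comment\n\n' > "$dir/blocklist"
    merge_hosts "$dir/blocklist" "$dir/hosts"
    merge_hosts "$dir/blocklist" "$dir/hosts"   # second run is a no-op
    cat "$dir/hosts"
    # Resolver listing in the shape scutil --dns prints it, with one address
    # (198.51.100.7, a documentation-range IP) that the router never handed out.
    sample='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 198.51.100.7
  if_index : 4 (en0)
'
    if printf '%s' "$sample" | check_resolvers 192.168.1.1; then
        echo "resolvers OK"
    else
        echo "resolver tampering suspected"
    fi
    rm -rf "$dir"
}
demo
```

After changing /etc/hosts on a live system, flush the resolver cache (`dscacheutil -flushcache` on 10.5) so the new entries take effect. The resolver check only compares against the list you pass it, so put your real router or ISP resolvers there; it does not know which addresses the trojan uses, and it will not catch a trojan that leaves the resolvers alone.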

  7. I set up all my customers’ Macs with a localadmin user that only I and the IT guy know. We then create a normal user account for that user.

    They gotta come to us to install anything. For 90% of the users out there, that works just fine. Then there is the 8% that try to install junk all the time. That’s why they don’t have the password.
    The other 2% actually request a new app that is really needed. We review it and make sure it is legit and install it for them.

    No trojan problems here.

  8. Secret Squid Squad wrote:

    >What’s wrong with a simple drag and drop install anymore?

    It’s a multi-user system. Permissions on Applications don’t permit non-admin users to write to Applications:
    drwxrwxr-x 134 root admin 4556 Nov 5 07:46 Applications
    and rightly so. Non-trusted users shouldn’t mess with Applications or most of the other system-level files.

    If you don’t want to use your admin password put the app in your home directory.

  9. Mac OS X needs a multi-level security system.

    Did you know one can walk into Cupertino HQ with an easily printed picture ID? Just follow the work crowd in through the open doors in the morning.

    You’ll have complete access to roam around inside, watch your camera though.

    It is the same with Mac OS X security. It’s eggshell security, only strong on the outside.

    What Apple and Mac OS X needs is COMPARTMENTALIZED security.

  10. Secret Squid said: “The problem is Apple allowed developers to get careless with the admin password for installers.”

    No, the problem is idiots who blindly run a file from an untrusted source. If you think you trust a random porn site, then there’s not much Apple, Microsoft, or the freakin’ FBI can do about it.

    And, regarding EFI: deal with it. If you don’t like EFI, don’t use a Mac — you do have that choice. (Not that I give your paranoid rantings one bit of validity.)

  11. I wanna hear more about EFI...

    EFI is a pre-boot firmware level that sits between the OS and hardware. It has its own partition on the boot drive, can access the internet and prevent OS calls to the hardware.

    EFI was created as part of Trusted Computing as a way for verification and DRM schemes. It can be used to monitor you and snoop on your hard drive, even if you have it encrypted, as EFI can intercept the password through the keyboard.

    Some early Intel Macs have the TPM chip installed, but lately none do. But it doesn’t matter. EFI is there and can be accessed remotely, bypassing the OS, firewalls etc., if something bad is installed there.

    EFI and/or Trusted Computing is a serious violation of a users trust as it allows code execution outside of the OS.

    There is a lot of development going on in this EFI firmware level; some of this code can be installed in your Intel Mac EFI and you wouldn’t know, unless you had a means to explore the EFI partition.

    Give something your admin password…

    http://refit.sourceforge.net/

    Wiki, Google: EFI, Trusted Computing. It’s been a very hot topic and a cause for concern.

    Basically you don’t own your own machine anymore. You don’t have control. The industry does.

  12. “No, the problem is idiots who blindly run a file from an untrusted source. If you think you trust a random porn site, then there’s not much Apple, Microsoft, or the freakin’ FBI can do about it.”

    Apple allowed the condition to exist with developers that users get used to giving their admin password to anything.

    Because so many normal applications demand “absolute power” to install, this set up a condition of false trust and allowed trojans like this to happen.

    There should be a true “admin level” where an OS is NOT altered, but non-system-altering apps can be installed safely across users etc.

    The “root” password should be used for system altering apps and OS updates only. With a huge warning of the consequences, verification of the source etc.

    Even then Mac OS X should be able to monitor itself from a safe encrypted partition to watch for malicious behavior after the code install and revert the hard drive back to the previous state if it was malicious.

    Deep Freeze and VMware Fusion do this already, just in case OS X or Windows gets corrupted or altered. A simple reboot and everything is back to normal.

  13. @ Jill. I guess I’m in the minority then, because when I see that “Admin Password” box pop up, alarms go off in my mind, especially if unexpected. And, yes, I’m a shareware junkie.

    My point is this: the user is the weakest link in the security chain. Social engineering attacks will continue to succeed because the attack is not so much against the computer itself, but the user. And if the user thinks they want something on the computer, they’re gonna install it without considering the consequences. In other words, “It’s my computer, I’ll do what I want.” Not much any software can do about that without seriously hobbling usability — like Vista UAC. Ugh.
