Featured Article: Podcast - Apple Weekly Report #135: Apple Lawsuits, Banned iPhone Ad, Green MacBook Ad
Intego Warns of Mac OS X Trojan Horse
by , 2:20 PM EDT, November 1st, 2007
Intego warned of a new Trojan Horse on Wednesday that affects Mac OS X and has been found on several pornography Websites. The Trojan Horse installs a modification to the Mac's DNS server that allows it to redirect Web requests to alternate servers, phishing sites. Personal data can then be stolen at the redirected site. However, a long series of poor decisions by the user is required for it to become active.
Intego described the process of infiltration as follows:
When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:
Quicktime Player is unable to play movie file. Please click here to download new version of codec.
After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open "Safe" Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.
If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.
This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac’s DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious, DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as Ebay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue.
TMO notes that this is not a reportable security weakness in Mac OS X. Rather, it is a carefully orchestrated sequence of events that, while specific to Mac OS X, could be replicated on any other OS.
The installation, in fact, depends on a long series of catastrophic failures of judgment by the user. The user must download an unknown file from a pornography Website, have Safari's general settings set to "Open 'safe' files after downloading," and then enter an administrator password for the installation of an untrusted package.
There have been previous discussions of such destructive packages, for example, a disguised shell script that contains an "rm -rf" command, which would erase the user's disk when double-clicked. This falls in the same category.
Intego suggested that one way to protect against this is to buy their VirusBarrier X4. However, it's always good to have a well planned personal security policy for a Mac exposed to the Internet. That includes not double-clicking downloaded files or attachments unless they are trusted, and just say no to installers that ask for an administrator password unless you really trust the commercial software vendor and inspect a provided list of what will be installed and where. Trustworthy companies also supply de-installers in case something goes wrong. Finally, deselect that Safari General preference regarding the opening of 'safe' files -- if it's on. It's wise to leave it deselected unless there's a compelling reason not to.
 |
|---|
Observer Comments
Thu Nov 01, 2007 3:12 pm Subject: In other words ...
"The installation, in fact, depends on a long series of catastrophic failures of judgment by the user."
In other words, John, only true dumbasses will be caught by this. (We can tell you worked for NASA. 
)
"Intego suggested that one way to protect against this is to buy their VirusBarrier X4."
Of course, they would. Why else would they bother making such a big deal about a Trojan Horse that will affect only a few people? It's about the only way they can get people to buy their Mac products. Throwing a bit of FUD at the user works for Intego as well as for Bush & Co.
Thu Nov 01, 2007 3:54 pm Subject: Not FUD in this case
Quotegslusher wrote:
"The installation, in fact, depends on a long series of catastrophic failures of judgment by the user."
In other words, John, only true dumbasses will be caught by this. (We can tell you worked for NASA.
"Intego suggested that one way to protect against this is to buy their VirusBarrier X4."
Of course, they would. Why else would they bother making such a big deal about a Trojan Horse that will affect only a few people? It's about the only way they can get people to buy their Mac products. Throwing a bit of FUD at the user works for Intego as well as for Bush & Co.
I'm against FUD, but this is not it. People can be tricked into installing this because they want the end result (free porn). When people are in this mindset, they'll click through anything and put their password in as well if they believe that it is necessary.
This is a good chance to point out what can be done by unscrupulous websites. No, you don't have to run out and by Antivirus (yet... maybe someday, though). But you do have to practice safe computing.
It is also important to note that you don't need your password to create problems. If someone wanted to, they could write a simple program that would just delete all of your (user) files. You don't need a password for that. Be careful where you surf, and be sure to follow the tip on disabling "Open safe files after downloading".
Thu Nov 01, 2007 3:59 pm Subject: Thanks for the credit?
I actually posted this report in the TMO Forums yesterday (http://www.macobserver.com/forums/viewtopic.php?t=59662). I did not see any credit or thanks for the tip in the story. In fact, I was surprised that TMO did not have the report before I found it on Yahoo.
~aviduser
A Trojan Horse gets its name because it rides on teh back of something want to install on your computer. In this case it is a "codec." So anyone who visited a website that offered the software to install that codec and then followed all of those steps would get infected. Many Windows viruses are not worms (self replicating)... they spread by good ol' social engineering.
You know eventually things become automatic for a lot of people. That is why many bash Vista's user account control - not so much for its "in your face" process, but the fact that eventually you'll just click through those prompts as second nature. If Joe the Mac user wants this "codec" to view his p0rn, he will just fill in his password just like any other software installation procedure.
Even if this trojan ends up a dud, it shows one thing... the Mac is starting to get the attention of the virus writers.
Thu Nov 01, 2007 5:36 pm Subject: this is not a computer security issue, it's a human one
Thu Nov 01, 2007 5:40 pm Subject: Credit
I received the Intego press release yesterday, but didn't have time to write it up before 5 PM ET. I wasn't in the forums last night, so I didn't see the link by aviduser.
I recommend that readers with hot tips (and typo alerts) contact me directly,
marty@macobserver.com I live in my e-mail!
Quotej.martellaro wrote:
I received the Intego press release yesterday, but didn't have time to write it up before 5 PM ET. I wasn't in the forums last night, so I didn't see the link by aviduser.
I recommend that readers with hot tips (and typo alerts) contact me directly,
marty@macobserver.com I live in my e-mail!
Maybe a Tip link on the TMO homepage.
BTW, no hard feelings. Just want to make sure my favorite mac site has all the important news FIRST.
~avid
Sat Nov 03, 2007 9:46 pm Subject: How did this happen?!
Sat Nov 03, 2007 10:06 pm Subject: Re: How did this happen?!
Quotegulmatan wrote:
Hi all,
Humor me on this one. If OS/X is developed in UNIX and UNIX is security-laden language and thus, impossible or impervious to writing viruses in, just how did this Trojan Horse come about?
A Trojan Horse is NOT a "virus" nor a "worm." It is an application that is purported to do one thing but does something else, instead. If you read the linked article, you'll see just what it does. Trojan Horses can be written for ANY OS, regardless of how "secure" the OS is, as they are real applications. Trojan Horses do not replicate nor propagate on their own: they require that the user do something. In this case, the user has to do several things that are generally ill-advised. Trojan Horses involve "social engineering," exploiting weakness and vulnerability of people (gullibility, credulity, ignorance, stupidity), rather than vulnerabilities in software.
Webopedia has a good article explaining Trojan Horses, viruses, and worms.
Recent Headlines - Updated Saturday, November 29th, 2008
- Sat., 9:00 PM
- Podcast - Apple Weekly Report #135: Apple Lawsuits, Banned iPhone Ad, Green MacBook Ad
- Fri., 12:45 PM
- Podcast - Mac Geek Gab #178: Batch Permission Changes, Encrypting Follow-up, Re-Enabling AirPort, and GigE speeds
- Thu., 1:30 PM
- iPO Review - Scosche kickBACK iPhone case
- 7:00 AM
- Happy Thanksgiving from TMO!
- Wed., 6:00 PM
- TMO Appearances - Nancy Gravley Joins MacJury Gift Guide
- 5:15 PM
- TMO Visits The Bay, a Premium Apple Reseller in New Zealand
- 3:25 PM
- iPO Oh the Games You'll Play - iPhone: The Wii of Handheld Gaming Devices?
- 2:15 PM
- Sonnet Releases Simply Fast FireWire 800 to 400 Adapter
- 1:10 PM
- Mac Gaming News - Disney Plans 1st Annual PotC Online Thanksgiving Event
- 12:05 PM
- iPodObserver - UK Shuts Down iPhone 3G Ad
- 11:15 AM
- TMO Appearances - Jeff Gamet on MacJury Gift Guide
- 10:30 AM
- TMO Contest - TMO Announces Macworld Expo Pass Winners
- 9:50 AM
- PhotoCopy 1.1 Adds iPhoto Event Support
- 9:15 AM
- Acclivity Buys MYOB US
- 8:30 AM
- Review - Bento 2 Holiday Pack
- 7:50 AM
- Microsoft Offers Black Friday Office Discount
- 7:30 AM
- iPO Quick Tip - iPhone: Google Street View
The Mac Observer Reader Specials
- Download Typestyler, still the Ultimate Styling Tool for Internet, Print and Video Graphics. Works great in Classic with a Native OS X Version on the way. Free Tryout: www.typestyler.com
New MacPro Memory 800Mhz With Apple Spec Heat Sink - 2GB $72 / 4GB $104 / 8GB $204. Click to Maximize your Macs...
Mac observers can now play Party Poker for Mac as well as Mac casino games by going to MacPokerOnline.com.
RamJet Memory: Mac Pro FB-DIMMs: 2Gig kit $95, 4Gig Kit $179, 8Gig Kit $355! MacBook 2Gig Kit $78, 4Gig Kit $149! Click hereFor the latest Apple products use Ciao a comparison website to find laptops like MacBook Air. Then find the best prices on MP3 players and use our comparison tool to evaluate cell phones.
Laptop Hardware Provided by TechRestore - Overnight Mac & iPod Repairs.
Marshmallow Popper Gun Shooter: $9.99 Delivered - Make the Yam Side Dish a Sporting Event 
OnSale's ThanksGiving Day/Black Friday Combo Sale - Turkey, Deals, and LeftOvers - The Holiday Trifecta! 
Fall Knuckle Deep into Dell Small Business's Black Friday Sale - Going on Now!!!!! 
File Your Nails Now - Overstock's Black Friday Sale is Coming! Get Great Gifts at Great Prices 
