FORUMS General Gear Talk Computers 
Thread started 12 Jun 2009 (Friday) 10:18

More Mac Malware...

Faolan
Goldmember
1,204 posts
Gallery: 1 photo
Likes: 137
Joined Jun 2006
Location: Scotland
Jun 12, 2009 10:18 |  #1

Just a heads up, there's more incoming Malware in the wild... Then again the Mac owner would have to be crazy to install an ActiveX plug-in on OS X... However this happens all the time (such as a fake Flash Player) on Windows.

Sophos (external link)

This proves that the gangs are now starting to actively target Macs for larger BotNets that were only nascent at the beginning of the year...


Some call me the Heilan' Laddie, but others call me Rob.
Flickr (external link) - Lighting set ups using Canon Flash/Elinchrom plus some general work.
Celtic Shadows Design (external link) - Photography and WordPress Development.

MaxxuM
Goldmember
3,361 posts
Gallery: 3 photos
Likes: 22
Joined May 2007
Location: Rio Grande Valley
Jun 13, 2009 21:53 |  #2

It is a variant of OSX.RSPlug I believe and is found on some of the more shady porn sites. It's been around for almost two years now and was predicted (link (external link)) to be the beginning of the end of safe surfing for Mac users. It fizzled. This new variant is more dangerous (log keystrokes) and has a threat rating of Very Low.

Not that I think these posts are not informative, but it's like saying there is contaminated food in Zimbabwe. It won't affect 99.9% of us.

If you engage in high-risk activities it's wise to have protection, or just not do those sorts of things :) The activities that will heighten your risk with viruses, worms and trojans would be:

High Risk Activities
1. View Porn Online (or download it from things like Limewire)
2. Visit sites promoting illegal activities (ex. hacking)
3. Download/Install pirated software
4. Open e-mails and install/activate attachments
5. Run programs not from official sites (i.e. Adobe, Microsoft & Apple)
6. For Mac - Download plugins not from Apple, Microsoft, Adobe
7. For PC - Download/Install ActiveX plugins not from Adobe or Microsoft

Medium Risk Activities
1. PC - Run without a Firewall & AntiVirus software
2. PC - Disable UAC
3. Apple - Disable Firewall
4. Enter sites with expired certificates (if they are a merchant)
5. Share software with friends
6. Surf the Internet without a router based firewall (provides two layers of protection)


I'm sure there are things I'm missing here - but that's the general idea.




Faolan
THREAD STARTER
Goldmember
1,204 posts
Gallery: 1 photo
Likes: 137
Joined Jun 2006
Location: Scotland
Jun 14, 2009 00:19 |  #3

Surprisingly, this is how the 'Anti-Virus Pro' software infected so many PCs; it *is* a threat and not a low risk for any system. It's a high risk threat for OS X as most Mac owners don't have the deep distrust of content from the 'Net. In addition they have the 'herd mentality' that's been installed from Apple's adverts about how 'secure' OS X is compared to PCs.

If they do install the Trojan they have little or no defence against it compared to XP, or better still, Vista which was pretty immune to most of these types of attacks.

This variant of the existing Trojan is concerning a lot of experts in the industry. Especially since it's using tried and tested social engineering techniques that have worked time and time again.

Whilst you mentioned a lot of high risk activities, you forgot one little flaw that blows trusted sites out of the water: there are site injection attacks that embed content on legitimate sites (such as the ZDNet advert attack) which the user is likely to trust. If you got a pop-up on a known, regularly visited site you'd probably just click on it. Power users like ourselves would question it but the average user won't.

In addition Safari has been proven time and time again to be the weak spot in OS X and is woefully prone to hijacking.

This is probably the first in a long evolution of this Trojan. This is what happens on the PC market, they find a successful Trojan or payload delivery system and then evolve it. It's an old technique hearkening back to early days of Virii. There is nothing new here but the simple fact that many Mac owners are ill prepared to handle or deal with this.


Faolan
THREAD STARTER
Goldmember
1,204 posts
Gallery: 1 photo
Likes: 137
Joined Jun 2006
Location: Scotland
Jun 14, 2009 00:32 |  #4

Forgot to mention, this particular Trojan can deliver *any* form of payload it chooses, key logging, BotNet control, Hostage controls and more. It's a Malware installer.

Essentially this Trojan can give the Trojan Controller complete and unfettered access to your computer, data and possibly LAN through the simple installation of the DMG file.

This is standard practice now with Malware, they can evolve depending on the commands given. The only way to really stop them is to take out the controller and that's like playing Whack-A-Mole.

Here's a list of known dialogues that pop up:

HDTVPlayerv3.5.dmg
VideoCodec.dmg
FlashPlayer.dmg
MacTubePlayer.dmg
macvideo.dmg
License.v.3.413.dmg
play-video.dmg
QuickTime.dmg

As you can see some of those are cleverly thought out and would snare the unwary.

Also Apple still haven't patched the Java Data class bug that's been open for 7 months now and is a critical issue unless you disable Java.


MaxxuM
Goldmember
3,361 posts
Gallery: 3 photos
Likes: 22
Joined May 2007
Location: Rio Grande Valley
Jun 14, 2009 00:56 |  #5

Faolan wrote in post #8105901 (external link)
This variant of the existing Trojan is concerning a lot of experts in the industry. Especially since it's using tried and tested social engineering techniques that have worked time and time again.

Whilst you mentioned a lot of high risk activities, you forgot one little flaw that blows trusted sites out of the water: there are site injection attacks that embed content on legitimate sites (such as the ZDNet advert attack) which the user is likely to trust. If you got a pop-up on a known, regularly visited site you'd probably just click on it. Power users like ourselves would question it but the average user won't.

No one is immune. That's why on PCs I always recommend people get McAfee or Kaspersky full suite which detect and intercept just about any threat out there. I just cannot justify getting too worked up about Mac threats though. I have yet to surf across anything vaguely threatening and I'm a very heavy surfer. I've even purposely tried to infect my Mac (watching scripts and Little Snitch) and never found anything credible save one site (which I will not mention) which did try to hijack Firefox and almost did had I not been blocking scripts.

Faolan wrote in post #8105901 (external link)
This is probably the first in a long evolution of this Trojan. This is what happens on the PC market, they find a successful Trojan or payload delivery system and then evolve it. It's an old technique hearkening back to early days of Virii. There is nothing new here but the simple fact that many Mac owners are ill prepared to handle or deal with this.

I don't think so. I think it was just hype or an isolated event that people focused on because it's just so rare. This family of worms (and attacks) has been around for more than four years on PCs and two for Macs and I haven't seen any threat increases by the AV threat boards. I'm sure someone out there is infected, maybe even a hundred, but they are hard to find.

I'll agree on your last point though. When someone does get serious about infecting Macs (or iPods) and finds that easy delivery system that can port across PCs (let us remember that PCs outnumber Macs too) then yes, Mac owners are going to be caught with their pants down :)

Edit: Oops, looks like I erased the first two pieces... I'll sum up. People are saying this new virus is hyped up. Here's the link (external link).




MaxxuM
Goldmember
3,361 posts
Gallery: 3 photos
Likes: 22
Joined May 2007
Location: Rio Grande Valley
Jun 14, 2009 01:55 as a reply to  @ MaxxuM's post |  #6

Here are some interesting things to think on... Keep your Windows systems up to date! Use a firewall!

Blaster Worm (external link) - Infected millions of PCs. Nothing was required by the end user to be infected as the worm entered an open port on your computer. The lucky ones that avoided infection were those with smart ISPs who blocked the vulnerable ports and those who updated Windows regularly.

Conficker (external link) - Infected millions of PCs. Again, required no end user activity. Slips in through a common port and actually tries three methods of attack. All unpatched Windows machines remain targets.

SQL Slammer (external link) - Actually slowed down the Internet! Exploited MS SQL servers.

Nimda (external link) - Infected millions of PCs. Heralded in the era of passive user infection.

I could go on... and on...

You see, Windows networks require certain ports to remain open for many services to function and most of these viruses exploit these openings. It's like being in your own home and locking all your windows and doors with approved keys and locks just to find out that there is a flaw in the protection.

Every time MS puts out an update black hats start to take apart the code. If they find something nice they'll make a virus/worm/trojan to exploit it. If they are fast enough they can get a good spread across the Internet. This is going to keep happening to PCs over and over.

As of yet, of the more than 3000 Macs in my district, not one has been infected nor attacked. Yet, every day I get a warning message from my Admin CA console that a threat (infection) has been found within the network.

The Blaster worm happened right after summer break so we had not updated the entire network against the worm. It took us down for nearly a month because someone within the network had brought an infected PC and hooked it up to the network. Since it only required port 135 (or two others I forget) and MS Active Directory also requires that port open - we had 8,000 computers infected within a week. We had to detach all the networks to isolate it but it was too late. Luckily, we had Macs to fall back on.




Faolan
THREAD STARTER
Goldmember
1,204 posts
Gallery: 1 photo
Likes: 137
Joined Jun 2006
Location: Scotland
Jun 14, 2009 05:37 |  #7

Let's see, out of all those infections what OS did they target? Mostly Pre-Vista. XP is now in what's called maintenance mode, this means only critical updates get applied to the OS and no new features added. Whilst it's the dominant OS at present the demographics of the Windows share will shift as PCs get upgraded and Win 7 comes out.

Conficker is relatively unique in that there had been a patch available for several months before the attack, so Microsoft can't be held responsible for the lack of security of individuals. In any case Vista SP2 resolved this for Vista.

Vista has had fewer attacks than XP despite having a large user base and at the end of the day over 90% of Malware could be stopped dead in Windows if people didn't run as an Admin user!

However this wasn't the point; the post was to highlight a threat to Mac OS X, as most people have AV/Malware security on a PC and Macs don't. Plus it's been proven that people are click happy, otherwise the Trojan Malware that's now so popular would never gain traction.

Also port vulnerabilities are rare, very rare. Linux has had its fair share and there are a few on OS X that haven't been closed, but may have been in Snow Leopard as they needed a driver stack rebuild. Then again, OS X like Vista comes with a firewall.

It's bad security to have Port 135 open to the 'Net; even Microsoft stated that for any 'Net-facing PCs this port should be hidden, long before the Worm appeared. This is detailed in the MCSE/MCSA training when you do the AD modules.


1,270 views & 0 likes for this thread, 2 members have posted to it.