
Fake Codec is Mac OS X Trojan

Zonk posted more than 6 years ago | from the search-safely dept.

Security 473

Kenny A. writes "Multiple news organisations are reporting on an in-the-wild Mac OS X malware attack that uses porn lures to plant phishing Trojans on Mac machines. The attack site attempts to trick users into downloading a disk image (.dmg) file disguised as a codec that's required for viewing the video. If the Mac machine's browser is set to open 'Safe' files after downloading, the .dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected, but once the Trojan is installed, it has full control of the machine."


473 comments

It begins (2, Interesting)

JohnPnP (1167497) | more than 6 years ago | (#21201381)

Am I the only one to think 'finally'?

Re:It begins (5, Interesting)

Anonymous Coward | more than 6 years ago | (#21201477)

And by finally I assume you mean that Apple finally has succeeded in luring the coveted dimwit market to its products.

Re:It begins (5, Insightful)

ByOhTek (1181381) | more than 6 years ago | (#21201523)

There are dimwits in every market. If you think otherwise, it's because you are amongst the ranks...

But does it matter? (5, Interesting)

khasim (1285) | more than 6 years ago | (#21201655)

Right now you have to convince people to install the trojan.

Okay, that will give you X% of all the Mac users out there.

Then what? How do you increase X?

With Windows, the trojans scan the hard drive for email addresses and send out links to every address it can find. That depends upon unpatched exploits in IE or you having friends who are as dumb as you.

If the same happens here ... I don't see the growth rate being above the disinfection rate.

Re:It begins (1)

Jennifer York (1021509) | more than 6 years ago | (#21201531)

You are not the only one. It's nice to have company.

The question for me is this: Are Mac Users smarter than Windows users? These Trojans, on both platforms, require the user to click through and actively install it. PC users are so numerous a large portion must be this gullible. History shows us it is true.

But what about Mac peoples? They often look down on us lowly MS folks; this will finally test to see if they are, in fact, superior...

Re:It begins (0)

Anonymous Coward | more than 6 years ago | (#21201589)

I would think there will be an even higher percentage of dull bulbs in the Mac community as they have always been told that Mac security is perfect and they don't have to worry about malware or viruses. Those are Windows problems, and if they accidentally install something then they can just drag it to the trashcan to get rid of it.
What's the sound of a thousand eyes rolling? (4, Funny)

conner_bw (120497) | more than 6 years ago | (#21201575)

Tech Support: "Ahhh, the porn trojan... This one's a doozy."
User: "No, I wasn't looking at porn!"

It begins? (4, Interesting)

znu (31198) | more than 6 years ago | (#21201581)

Your subject seems to suggest that you believe that now that there's actually a piece of Mac malware in the wild, things will snowball, and there will be more and more. Is there any logical reason to believe that this is the case? In the latter days of pre-X Mac OS, there was some malware program or other released every year or three, but the rate never seemed to climb.

Any Mac haters gleefully hoping that this is the start of a Mac threat environment similar to the Windows threat environment are probably going to be quite disappointed.

Re:It begins? (0)

Pojut (1027544) | more than 6 years ago | (#21201803)

I think they were referring to the fact that as the number of Mac users increases, so will the malware aimed at their systems...

Growing numbers may be good for the stock holders, but that doesn't necessarily mean it's good for the users. Hell, for all we know OSX is just as insecure if not MORE insecure than Windows...people just haven't been making the effort to discover flaws because it wasn't worth the time. With the number of Macs in households growing every day (especially in light of Vista), it is becoming more and more worth the time of malware developers to target Mac systems...

Don't let your love for a product cloud your vision. The more people that use Macs, the higher the chance someone is going to try to release malware for it. Sorry.

Re:It begins (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21201691)

finally what?

Are you suggesting that this puts Mac OSX in the same league as Windows? Think again. This requires a lot of help from the luser behind the keyboard to get installed.

Having spent the entire weekend cleaning up my girlfriend's computer as the result of a drive-by download from a questionable web-site (IE and XP) that didn't even hint that anything was downloading, then downloaded and installed a whole bunch of its spyware buddies, again with no hint that anything was downloading or installing, I still have to think that OSX is much, much better than the steaming pile of feces that is Windows.

Re:It begins (5, Insightful)

LWATCDR (28044) | more than 6 years ago | (#21201887)

Not really. Is it a security exploit if the user must type in a password and install the program to make it work?
Sorry, but there is nothing that an OS can do to prevent someone with admin rights from installing and running a program.
I am not a Mac user, but anybody that installs a codec to view porn that they get from the porn site...
As the Honda motorcycle safety ads put it oh so well:
Stupid Hurts.

Hmm (0, Troll)

damicatz (711271) | more than 6 years ago | (#21201383)

I thought Macs didn't get viruses or worms and that they "just worked".

Re:Hmm (2, Informative)

sogoodsofarsowhat (662830) | more than 6 years ago | (#21201423)

Um, they do. But if you decide to install malicious software on your system as the owner, what can we do? What can anybody do? Seriously, this is not a virus, it is a human (id10T) user weakness... seen on ALL systems regardless of OS.

Re:Hmm (1)

gorgonite (79857) | more than 6 years ago | (#21201485)

It seems that the installation of the trojan requires that the users type in their password. Then, the Macs are supposed to do what their users ask for, even if it's the installation of a Trojan.

Re:Hmm (-1, Flamebait)

damicatz (711271) | more than 6 years ago | (#21201533)

Looks like the Mac fanbois are abusing the moderating system again. And the terminology is semantics. Mac users have been exclaiming that their Macs are immune or resistant to malware for years now and saying that Macs are better than Windows because Macs don't get infected.

Re:Hmm (5, Insightful)

djh101010 (656795) | more than 6 years ago | (#21201619)

Looks like the Mac fanbois are abusing the moderating system again. And the terminology is semantics. Mac users have been exclaiming that their Macs are immune or resistant to malware for years now and saying that Macs are better than Windows because Macs don't get infected.

Actually, the only people claiming that Macs are immune to malware, are people like you claiming others are doing so specifically so you can say these mythical people are wrong. This is a case of a program not being what it claims to be, and using social engineering to get someone to install something, make it executable, authenticate as root, and run it. No different than a year or three ago when someone came out with a fake Office for OSX package they shared on the P2P networks which was really a shell script that removed files. Not a virus - this doesn't install itself.

A "virus" with an install procedure which includes "and then become root and run it" isn't going to have legs.

Re:Hmm (0)

Anonymous Coward | more than 6 years ago | (#21201705)

You'd be hard pressed to find any system immune to idiot users. Time for a bad car analogy: my Honda is twice as dependable and prone to few issues as compared to someone's GM, right up until I pour sugar in the tank. Then it sucks too.

Also, Macs vs Windows is a personal choice based on preference, however Windows would be worlds better if the programmers at microsoft had any idea how people actually want to use their machines.

Re:Hmm (5, Insightful)

Penguinisto (415985) | more than 6 years ago | (#21201723)

Well, let's see...

You find this "movie codec thingy" at a shady pr0n website (alarm #1), and it asks you to specifically download a .dmg file (alarm #2), install it with admin/root permissions (alarm #3) just to play a non-standard codec (alarm #4).

Meanwhile, by comparison, there are a whole host of Windows nasties you can get just by, say, visiting a website with a rigged IFRAME in the page.

QED: It's not a question of fanboys pooh-poohing something because it's their pet OS - it's a question of simple fucking logic.

Come back and tell us about it when OSX (eventually) has an attack vector that doesn't require the user to be a complete and utter dumbass, please.

/P

Re:Hmm (1)

Bill, Shooter of Bul (629286) | more than 6 years ago | (#21201937)

Unfortunately, with the rise in popularity of Macs, more naive users are adopting the platform. Three friends who used to get a virus weekly by trying to look at "photos" people had emailed them are now on Macs. They won't give it a second thought; they could probably be conned into putting in their credit card number, social security number and signing over their firstborn, if the sketchy web site told them to.

Granted, an OS can only do so much to protect such users, but people don't blame themselves when they do stupid things on computers; they blame the computers.

Re:Hmm (1)

binary paladin (684759) | more than 6 years ago | (#21201791)

Oh come on. The only thing worse than the fanboys are the haters that think this is the beginning of Apple becoming like Microsoft in terms of malware and security.

If this was something that could, more or less, install itself purely by going to a website then I'd be worried and wonder what was up with OS X. Seriously though, if I download an rpm or deb in Linux and sudo to install it, there is nothing to stop that program from causing massive havoc if the author was malicious. The only way to secure a machine against this kind of attack is to make sure that you can't install software. That's it.

You can't secure someone's account who freely gives out his password. At some point in any security system, people can and often are the point of failure.

No machine and no OS is immune to someone with admin or root privileges installing bad software. Not Linux and not OpenBSD.

And frankly, anyone who installs any kind of executable from a porn site deserves whatever they get. If you decide to take off your condom and have unprotected sex with someone KNOWN to have herpes and you get herpes... whose fault is it? The condom's? Gimme a break.

Re:Hmm (5, Informative)

sm62704 (957197) | more than 6 years ago | (#21201599)

This is neither a virus nor a worm; it's a trojan. A trojan is a program that does or claims to do something useful, which gets you to install it. Once installed, it does something else in addition to or instead of what you installed it for.

No OS is foolproof, and even Mac and Linux users can be fools. Mac and Linux machines can be broken into, can get trojans, their users can be tricked into giving out passwords, but there are no Mac or Linux viruses in the wild.

It's about CRITICAL MASS... (-1, Troll)

El Lobo (994537) | more than 6 years ago | (#21201667)

People still believe that there are few virii for the Mak/Linuzzz just because those systems are more secure. The truth is that, more or less secure, all systems have holes that will be used sooner or later by virii, malware, trojans, etc. The reason why there are few virii for less popular platforms can be described with two words: CRITICAL MASS.

In nuclear physics, critical mass is the mass where there can be an effective chain reaction. If your mass is less than the critical mass, the population of neutrons introduced to a subcritical assembly will exponentially decrease, until the chain reaction dies. If your mass is bigger than the critical mass, your population of neutrons will exponentially rise until the chain reaction is unstoppable.

The same thing happens here: First of all, malware writers are interested in targeting the platform that will give them the greatest number of users. This way, their porn links, spam letters, etc. will get a bigger audience. Because the critical mass is bigger with Windows, there is a big chance that, when spreading via network, letters, etc., the new target will also be a PC with Windows. With a Mak or Linuzzz, the chance that a virus that sends itself comes to another Mak or Linuzzz machine is minimal: not enough critical mass.

When Maks and Linuzzz get more and more popular with time, we will see that those systems will be getting more and more interesting for malware writers. Fortunately, the critical mass for those systems is not high enough and we will not see chain reactions like the Love Letter or something similar. Not in the near future anyway.

It's not a virus . (1)

plasmacutter (901737) | more than 6 years ago | (#21201863)

malware does not equal virus.

virii exploit security holes to install themselves forcibly and covertly.

malware exploits the gullibility of users to gain access to a machine.

virii hack the software or firmware of a given machine
malware hacks the wetware between the monitor and the seat.

Re:It's not a virus . (1)

El Lobo (994537) | more than 6 years ago | (#21201967)

And your point is, Einstein....? Malware, virii, worms, trojans can all these days (and often will try to) spread by sending themselves via network connections or attachments, irc, and even simple ftp. The key words here are CRITICAL MASS. If the Mak had 92% of the desktop market, do you think malware and virii writers would ever bother to write for Windows?

Nothing to see here... (5, Funny)

conner_bw (120497) | more than 6 years ago | (#21201395)

No one uses the internet for porn, so we're all safe, right?

Lame excuse for a "trojan" (5, Funny)

monkeyboythom (796957) | more than 6 years ago | (#21201495)

the Mac machine's browser is set to open 'Safe' files after downloading, the .dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected

That's like saying that Troy had to put their enemies in the horse, then drag it up to the gate, drag it through and then offer a soft cushy landing spot for warriors coming out of the horse.

Re:Lame excuse for a "trojan" (1)

joeytmann (664434) | more than 6 years ago | (#21201825)

Ummm, I disagree. Troy was presented with a gift, so they thought, and then dragged it into the city. Then the people of Troy got bored with it, left it in the middle of the city, probably saying something along the lines of "ehhh, let's trash it tomorrow", and went to bed for the night. Little did they know of the nasty little bits inside that would come out at a predetermined time and royally fuck them up, big time.

Sound kinda familiar doesn't it?

Re:Nothing to see here... (1)

FSWKU (551325) | more than 6 years ago | (#21201499)

No one uses the internet for porn, so we're all safe, right?

"Why you think the net was born?" _________________

Five points for finishing the line, an extra 10 for naming the reference (and no, a certain MMORPG does NOT count).

You get what you deserve. (2, Insightful)

Pahroza (24427) | more than 6 years ago | (#21201403)

If you're stupid enough to go through all of those steps, you deserve to be infected.

Re:You get what you deserve. (3, Funny)

C0rinthian (770164) | more than 6 years ago | (#21201443)

Or smart enough. Stupid people wouldn't make it through the install process. "Next" buttons are hard.

Re:You get what you deserve. (5, Insightful)

FauxPasIII (75900) | more than 6 years ago | (#21201467)

> If you're stupid enough to go through all of those steps, you deserve to be infected.

And does everyone else that your zombied machine spams or DDoS's deserve it?

Re:You get what you deserve. (0)

Anonymous Coward | more than 6 years ago | (#21201567)

kind of like all the windows users who get infected?

Re:You get what you deserve. (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#21201593)

Wait, wait, I thought blaming the end user was a Linux thing? I thought OS X kept end users out of trouble? I guess it really doesn't live up to all the hype.

Re:You get what you deserve. (0, Flamebait)

kuzb (724081) | more than 6 years ago | (#21201725)

You mean, like all the people who couldn't be stupid enough to open unknown email attachments on their Windows boxes? Then later bought Macs because Macs "don't have those kinds of problems"?

Re:You get what you deserve. (4, Insightful)

Niten (201835) | more than 6 years ago | (#21201899)

That's an interesting straw man you've drawn up. Personally, I don't know anybody who purchased a Mac because he or she thought it was somehow immune to all forms of malware.

I agree with the parent poster in a sense. OK, they don't really "deserve" to be infected, but there is a fundamental limit to what current computer security models are able to achieve. This infection doesn't occur through the exploit of some flaw in the web browser or OS X, it's pure social engineering. The malware gets installed just like any valid software package would; if the computer's administrator cannot be relied upon to intelligently differentiate between trustworthy and untrustworthy software, then all other technical countermeasures aside, there is absolutely no hope of keeping that system secure.

Windows users are as bad. (0)

Anonymous Coward | more than 6 years ago | (#21201751)

People I did "tech support" for after hours would often call me because their computers were infected with a virus. I repeatedly suggested they avoid the pr0n sites, or at least not click "OK", "Yes", "Accept" or whatever to every popup they encountered. It was a waste of my time and they continued to infect their computers. Eventually I just told those people not to call me again, so now they have to haul their systems into the nearest town and pay some guy to wipe their drives and reinstall the OS (no backups, or recovery attempts, he just wipes the HDD... I don't think he knows how to do anything else).

Re:You get what you deserve. (0)

Anonymous Coward | more than 6 years ago | (#21201753)

Oh please. It's not like the installer says "Installer for NastySoft(tm) Computer-screwing Trojan Software" and people keep going. People go through "all those steps" because they think that they're installing some useful software (see: definition of "Trojan"). "Those steps" are exactly the steps which are necessary for installing useful software every other time too.

You're an idiot. (1, Insightful)

Americano (920576) | more than 6 years ago | (#21201871)

If you're stupid enough to go through all of those steps, you deserve to be infected.
One more time. You're an idiot.

  1. This is an *insecure* default setting. I don't care if it asks you for an admin password, automatically running things downloaded from the internet shouldn't ever be a "default".
  2. This is not a NEW "exploit", I remember hearing about this same exploit in a different form at least a year and a half ago. Apple had plenty of time to disable this feature (or at least turn it off so people would HAVE to do the "dumb" thing and re-enable it) and they have not.
  3. The asshats who write these trojans cost EVERYBODY time, money, and effort. If it were limited in effect to the dumb user, a la "oops, I deleted some files I didn't want to delete!", it would be *slightly* better. But identity theft, break-ins, DDoS attacks, spam, etc. are all costly effects of these "dumb" users "getting what they deserve."
I'm an apple user. I own several of their systems, and find them -- on the whole -- to be incredibly fun and easy to use. But Apple shouldn't get a free pass on this (nor should Microsoft, nor should Canonical or any other Linux distro). By setting this trivial "convenience" up by default, they've made their system more insecure. Yes, there are still people who will double-goddamn-click on anything and everything, but let's at least make it harder for the simpletons to inconvenience all of us. It would be a fairly simple fix for them to make, and one which they should have made a long time back.

news? (1)

gspawn (703815) | more than 6 years ago | (#21201409)

Err... why is this news? Sites have been trying to do this to all variety of computer for some time now. Did I miss something?

Idiocy cannot be prevented (5, Insightful)

jeffasselin (566598) | more than 6 years ago | (#21201421)

The only cure to stupidity is intelligence.

If someone is stupid enough to download something, run it and give it the admin password, it will obviously be able to take control of the machine. No operating system or security software will stop that.

Re:Idiocy cannot be prevented (0)

Anonymous Coward | more than 6 years ago | (#21201817)

The only cure to stupidity is education.

Fixed that for ya.

Re:Idiocy cannot be prevented (1)

sqlrob (173498) | more than 6 years ago | (#21201901)

Education is the cure for ignorance. There isn't a cure for stupidity.

Re:Idiocy cannot be prevented (0)

Anonymous Coward | more than 6 years ago | (#21201957)

There isn't a cure for stupidity.
shotgun ...

Re:Idiocy cannot be prevented (0)

OctoberSky (888619) | more than 6 years ago | (#21201885)

No precedence. Mac users have no fear of trojans entering their computers, so why worry now? They will just click click click with no fear.

fanboys unite (0, Flamebait)

Pliep (880962) | more than 6 years ago | (#21201429)

I've seen this story on several Apple/Mac related news sites already, and the majority of the comments consisted of Apple apologists telling each other "nothing to worry about, because you still have to enter your admin password".

I wonder if the /. crowd will be any different.

Re:fanboys unite (1)

Drakin020 (980931) | more than 6 years ago | (#21201503)

Isn't that why they put that into Vista? The whole "Prompt for admin rights" yet people flipped a bitch about that one.

Re:fanboys unite (1)

falcon5768 (629591) | more than 6 years ago | (#21201797)

There is a distinct difference between Apple's administrator authorization and Vista's prompt. Vista has a habit of prompting for even innocent non-vital changes that could in no way damage the system, while Apple's prompts only when something is trying to access the System library directory.

Re:fanboys unite (5, Insightful)

Anonymous Coward | more than 6 years ago | (#21201527)

Name an operating system that can't be infected when a user gives an admin password.

Re:fanboys unite (0)

Anonymous Coward | more than 6 years ago | (#21201695)

Ubuntu linux?
Because even the trojan writers have standards...

Re:fanboys unite (2, Insightful)

MyDixieWrecked (548719) | more than 6 years ago | (#21201727)

I've seen this story on several Apple/Mac related news sites already, and the majority of the comments consisted of Apple apologists telling each other "nothing to worry about, because you still have to enter your admin password".

The type of people who will be infected by this will be similar to the types that get caught up in the 419 [419eater.com] scam.

The only real reason this is news is because it's the first occurrence of an OSX trojan in the wild. Much like Crispus Attucks [wikipedia.org], it's only getting exposure because it's the first.

This really isn't any different than someone creating an AppleScript called FreePr0n.app that erases a user's hard drive, and as other commenters have pointed out, it requires a bit of user interaction to actually get itself installed. Although I'm sure people who jumped ship to OSX thinking that the Mac is virus-proof are going to run anything and everything they come across on the internet thinking they're safe.

Good thing Leopard adds an extra layer of protection.

and why does safari have the Open "safe" files on by default, again? I don't get that.

Re:fanboys unite (1)

joeytmann (664434) | more than 6 years ago | (#21201965)

But if you think what you are installing is legit software, most of the "stupid/gullible" users out there are going to type in the admin password. Social engineering is just as important as the trojan itself.

first post (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21201441)

WOO HOO

Macs... (1)

ZiakII (829432) | more than 6 years ago | (#21201449)

I don't know anything about Mac OS X, but are all the extra steps the article points out normally needed to install, let's say, a normal codec? Vista reminds me of the same thing: while it may actually be more secure than previous versions, users are still going to think, after seeing these screens many times while trying to install other "normal" programs, that they will not take it as a caution any more but just enter their information as soon as the login screen pops up.

Re:Macs... (1)

aliquis (678370) | more than 6 years ago | (#21201509)

Normal apps don't require a root user (though I find it weird and probably more insecure that they don't.)

Something like a codec or system utility does. Or well, actually I don't know what apps do or not, but a few do ;D

Re:Macs... (2, Informative)

plasmacutter (901737) | more than 6 years ago | (#21201737)

not quite, the only player I've come across which needs root access for install was real player (presumably for the DRM)

mplayer, vlc, and even flip4mac wmv codec do not require root permissions.

the reason this is not required is the way mac apps access libraries.

the codecs in mplayer and vlc (much like the libraries in most other mac apps) are combined into the app, and therefore not shared among all users. each user has his own set (and configuration) and they operate in user space.

quicktime works similarly. While you can drop your components (codecs) into the root library directory, each home folder has one of its own, again allowing each user to customize the codecs used.

Too much security can breed complacency (3, Insightful)

Shivetya (243324) | more than 6 years ago | (#21201869)

One thing I noticed was that the more times a user has to enter their security password the more likely they become complacent and assume that any install is going to require it and any install that occurs is going to be safe.

Basically, this is what sank later attempts by Microsoft to patch security. As soon as they added "warnings" (aka popups), people got into the habit of clicking yes and thereby undoing any chance the programmers had at protecting users from being stupid. You can even blame this behavior on EULAs which require click-through; people do this automatically.

As the Mac gains in popularity, the number of careless people will go up and infections like this will occur more often. The key is finding a way to train the user that it's WRONG. That or finding a way to have the OS run objects installed in some form of "safe mode" for a time without letting the user in on it.

Tagging (2, Funny)

Anonymous Coward | more than 6 years ago | (#21201457)

Where is the "haha" tag for this post? WHERE?!

DNS (4, Informative)

Anonymous Coward | more than 6 years ago | (#21201461)

The summary is misleading, it does not give full control of the computer to the attacker, but changes the DNS server for phishing.
It could just as easily install a VNC server I suppose.

Re:DNS (1)

emj (15659) | more than 6 years ago | (#21201713)

You can do an awful lot when you change someone's DNS; it's not like people notice that they aren't using HTTPS. So they might not control the machine, but they control everything the user does on the net.

Re:DNS (1)

Poppler (822173) | more than 6 years ago | (#21201921)

VNC? Nah. If the attacker wanted control, they'd just replace the ssh server with one that gives them a backdoor.

its not a trojan its a phishing attempt .... (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#21201469)

and you have to actively click and approve the install and grant it privileges, so there's little you can do to cure the human race of stupidity....

But... (0)

Anonymous Coward | more than 6 years ago | (#21201473)

Does it work on Vista?

"full control of the machine"??? (0)

Anonymous Coward | more than 6 years ago | (#21201479)

Um, no.

The trojan directs all DNS traffic to DNS servers that will route traffic to phishing sites or porn sites...

Not really "full control of the machine" *rolls eyes*

Much like the default QuickTime setting to "autoplay" content, long after the autostart worm came and went (MacOS 8-9 days), the continued default to open "Safe" files is something I have on my new Mac set-up checklist to turn off..

The only news here is that even in 10.5, Apple has refused to get rid of this default... sigh.

Full Control? (2, Informative)

yroJJory (559141) | more than 6 years ago | (#21201491)

Full control of DNS, yes. As far as I've seen, it's not a remote root exploit or anything. It just installs global DNS servers that cannot be easily removed or even noticed.
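The posts above describe the trojan's actual payload (a changed set of global DNS servers that are hard to notice) and, earlier in the thread, the Safari "Open 'safe' files after downloading" default that Americano objects to. Below is an added example of the defender's check for both; it is not code from the Slashdot thread, from Apple, or from any of the posters. It parses `scutil --dns`-style resolver output against an allowlist (the allowlist values and the sample output are constructed for this example) and evaluates the value of Safari's `AutoOpenSafeDownloads` preference as returned by `defaults read`. The parsing is done on text so the script runs offline; on a Mac it also runs the same checks against the live system.

```shell
#!/bin/sh
# Added example, not code from the Slashdot thread or from Apple: a defender's
# audit for the two things the thread discusses, a hijacked DNS resolver
# configuration and Safari's "Open 'safe' files after downloading" default.
# The resolver allowlist and the sample scutil output are constructed here.

# Resolvers the machine's owner expects to see (constructed values: the
# home router and one public resolver).
ALLOWED_RESOLVERS="192.168.1.1 1.1.1.1"

# Constructed sample of `scutil --dns` output: one expected resolver and one
# that nobody configured. 203.0.113.7 is a documentation address, not an IoC.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.7
  if_index : 4 (en0)
  flags    : Request A records'

# audit_resolvers: read scutil-style text on stdin and print every
# nameserver that is not on the allowlist, one per line.
# Exit status 0 = all resolvers allowed, 1 = at least one unexpected one.
audit_resolvers() {
    unexpected=0
    # Pull the address out of lines shaped like "  nameserver[0] : 1.2.3.4".
    for ns in $(sed -n 's/^[[:space:]]*nameserver\[[0-9]*\][[:space:]]*:[[:space:]]*//p' | sort -u); do
        allowed=0
        for a in $ALLOWED_RESOLVERS; do
            [ "$ns" = "$a" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            echo "$ns"
            unexpected=1
        fi
    done
    return $unexpected
}

# safe_downloads_disabled: takes the value of Safari's AutoOpenSafeDownloads
# preference as printed by `defaults read com.apple.Safari AutoOpenSafeDownloads`.
# An empty value means the key is unset, so Safari uses its built-in default,
# which is the "on" behaviour the thread complains about.
# Exit status 0 = auto-open of 'safe' files is off, 1 = it is on.
safe_downloads_disabled() {
    case "$1" in
        0|false|NO) return 0 ;;
        *)          return 1 ;;
    esac
}

# Offline demonstration on the constructed sample.
echo "Unexpected resolvers in sample:"
printf '%s\n' "$SAMPLE_SCUTIL" | audit_resolvers || echo "(resolver audit flagged the sample)"

# On a real Mac, run the same checks against the live system.
if [ "$(uname)" = "Darwin" ]; then
    scutil --dns | audit_resolvers && echo "DNS resolvers: OK"
    pref=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
    if safe_downloads_disabled "$pref"; then
        echo "Safari auto-open of 'safe' files: disabled"
    else
        echo "Safari auto-open of 'safe' files: ENABLED (Safari > Preferences > General)"
    fi
fi
```

On the constructed sample the audit prints `203.0.113.7` and exits non-zero, which is the signal a monitoring job would act on; a resolver set that matches the allowlist prints nothing and exits zero. The allowlist is the part that needs local knowledge: put your router and any resolvers your organisation actually hands out in `ALLOWED_RESOLVERS`, since a DNS hijack of this kind looks like a perfectly valid configuration to every other tool on the machine.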

Steps to get infected (5, Informative)

giminy (94188) | more than 6 years ago | (#21201543)

To get infected, you have to:

1) Go to a porn site
2) Download a plugin from the porn site
3) Click "OK" that you are downloading a .DMG file.
4) Mount the .DMG
5) Go back to the Finder
6) Double-click the installer
7) Type in your account password
8) Click next a few times

Calling this, "In the Wild," is laughable. How did the porn site "get infected"? I'll bet anything that the porn site(s) in question know exactly what they are doing...

Re:Steps to get infected (1)

QuantumG (50515) | more than 6 years ago | (#21201639)

How did the porn site "get infected"? I'll bet anything that the porn site(s) in question know exactly what they are doing...
Uhhh, no shit.

What were you thinking?

Re:Steps to get infected (5, Insightful)

advocate_one (662832) | more than 6 years ago | (#21201717)

and with windows... 1) Go to a porn site....

So much more user friendly (2, Insightful)

blueZ3 (744446) | more than 6 years ago | (#21201943)

The Windows way. None of this download, mount, open, click, password, click, click nonsense.

Who says Macs "just work"? Obviously they don't for trojans!

Re:Steps to get infected (4, Insightful)

mhollis (727905) | more than 6 years ago | (#21201819)

You are assuming something here: There is no incentive.

Lots of Mac users are looking for the ultimate codec toolkit. Apple's Quicktime comes with a number but there are more out there and many are really hard to find and/or are Windows-specific. I downloaded and installed Divx and the Divx encoder for some things I do. I use Flip4Mac's WMV codec as well as their professional tools (for things like MXF files). And lots of Mac users have as well to get Quicktime to work with .WMV files as Microsoft stopped supporting us with their .WMV player.

So, if one fools one's dupe with the come-on: "It's a codec you need to view these files," it's a pretty good scam. All of the additional clicking and password-entering will be motivated by the same reason why the user downloaded and installed the codecs I mentioned above.

I suppose the moral of this story is that one should not trust anything on a porn site. But in the Mac user environment where Mac users usually struggle to keep up with the proprietary Microsoft stuff, a codec download "to see this" is not too far off-base.

You misunderstand what "in the wild" means (1)

KWTm (808824) | more than 6 years ago | (#21201861)

"In the Wild," is laughable. How did the porn site "get infected"?
I don't think "in the wild" means that the porn site accidentally got infected. "In the wild" means that it is not within a controlled experiment or was not created specifically to be used within a controlled environment. The opposite would be a "proof of concept" trojan that someone might use to demonstrate at a computer security conference.

If it's possible for a Mac to get infected without the user's knowledge, then that qualifies as "in the wild".

The percentage of infections will be telling (1)

Colin Smith (2679) | more than 6 years ago | (#21201873)

If it barely spreads then the security model is relatively successful. If it spreads like wildfire, creating a 50 million machine monster supercomputer at the hands of international criminal cartels, then the security model could be said to have been less than successful.

 

Re:Steps to get infected (1)

aberkvam (109205) | more than 6 years ago | (#21201881)

To get infected, you have to:

1) Go to a porn site
2) Download a plugin from the porn site
3) Click "OK" that you are downloading a .DMG file.
4) Mount the .DMG
5) Go back to the Finder
6) Double-click the installer
7) Type in your account password
8) Click next a few times

Calling this, "In the Wild," is laughable. How did the porn site "get infected"? I'll bet anything that the porn site(s) in question know exactly what they are doing...

If the user is using Safari with the default settings, steps 4-6 aren't needed (which is mentioned in the article summary).

"In the wild" means that it isn't limited to just researchers' labs. Of course the porn site knows exactly what it's doing. That's not the point. The point is that an average user has a chance of encountering this trojan.

First Remedy Apple Should Implement (3, Insightful)

Apple Acolyte (517892) | more than 6 years ago | (#21201553)

If Apple really wants to continue to provide users with the "Open Safe Files" option in Safari, it would make a whole lot of sense to associate that feature with a white list of approved domain names like apple.com, adobe.com, etc.

Re:First Remedy Apple Should Implement (5, Insightful)

znu (31198) | more than 6 years ago | (#21201769)

As a result of "Open Safe Files" in this instance, the user has to perform something like six manual steps instead of eight. Anyone gullible enough to go through those six steps would be gullible enough to go through eight, so "Open Safe Files" isn't really making anyone less safe here.

What goes through the mind of the designer - ? (1, Funny)

Anonymous Coward | more than 6 years ago | (#21201603)

"Sure, Russian porn site offering me 'free' videos ripped from US porn producers ... I trust you to give me software to install in order to watch your video. Wait, I'm using a Mac - which ships with nearly every conceivable video codec I'd ever need to produce and edit professional video because It Just Works. What are the chances that Russian Mafia are one-up on Apple for a video codec I'd need?"

This is not a virus, it's a "wetware" exploit. (3, Informative)

plasmacutter (901737) | more than 6 years ago | (#21201605)

Malware does not equal virus, it does not "break" into a machine through security holes, it hacks the wetware between the monitor and the seat, convincing them to consent to the install.
It's impossible to make a machine fully idiot proof, but in the past couple versions apple has added 3 new "nag" boxes to safari in attempts to warn people.
Anyone who goes through that many screens deserves to have it installed.

I don't install any media player or codec if it asks for root permission.

even flip4mac doesn't require full permissions.

you drop the free component into your home's library folder and it runs in user space when websites call for wmv decoding.

ObObi (0, Flamebait)

McDutchie (151611) | more than 6 years ago | (#21201625)

I feel a great disturbance in the Reality Distortion Field. As if millions of Mac Fanboys cried out in terror, and were suddenly silenced.

PC vs Mac (0, Flamebait)

jt2377 (933506) | more than 6 years ago | (#21201693)

Isn't security the main feature in the PC vs Mac campaign? Look, Mac is so cool. There are no security threats! Ha!

P0rn is FREE!!! (-1, Flamebait)

erroneus (253617) | more than 6 years ago | (#21201709)

Why are people always being suckered in when p0rn is free?! It's almost as if people are responding to a rare commodity, but it's not. P0rn is FREE! Every time I see someone pay for p0rn on their credit card, I feel a little queasy. P0rn is free!! I knew a guy from childhood who I had heard was recently arrested. He had used his roommate's credit card for access to p0rn on the internet! p0rn is free!??!

I'm not going to argue for or against whether or not p0rn is bad or if there is an addictive property or anything like that. I just can't believe people are wasting money on it! It'd be like free drugs, but people still think they should pay money for it.

You p0rn addicts get what you deserve. P0rn is FREE! You don't have to be tricked into accessing it. And if you need a "special codec" then it's probably crappy p0rn anyway!

BTW, I have an e-card for you at: http://127.0.0.1/ecard.htm [127.0.0.1] and you will need to download a "special player" to see it...

Insecure settings (2, Informative)

xouumalperxe (815707) | more than 6 years ago | (#21201715)

We're simply talking about social engineering. Windows, OS X, *BSD, Linux (and probably most other operating systems out there) are all vulnerable to this sort of attack, there's just little in the way of motivation to actually do it.

The part where the dmg is automatically opened is the only thing that even resembles a vulnerability as such, though it should actually be filed under "insecure default settings" rather than a vulnerability per se. This said, both linked articles are quite sparse with information regarding the actual installation. From my experience Safari should say something about the archive/disk image containing an application before actually mounting the dmg, and then prompting for an administrator password for the package to be installed. If either of these steps are compromised, you can call this interesting, because there's an exploit at work. If not, then it's a bog standard social engineering attack, to which every platform is vulnerable. The only news here is that you can't browse the web with your Mac in a completely carefree manner anymore, because there are some Bad Things out there targeting you.

Mother May I? (0)

Anonymous Coward | more than 6 years ago | (#21201735)

Before the installer is launched, I'm fairly certain the user is first prompted with, `".dmg" contains an application. Are you sure you want to continue download ".dmg"?` Unless that was cleverly disabled on their half. Regardless, you still have to give the installer permission by typing in your admin login and password.

If you've gotten that far with your randomly downloaded file from some random untrusted porn site, I hope it bricks your computer as a valuable lesson.

On the bright side, at least it isn't a "run the installer with root privileges and kernel/driver access even though the user isn't an admin" issue, like another operating system I read [zdnet.com] about...

Intego (1, Redundant)

eclectic4 (665330) | more than 6 years ago | (#21201875)

Yes, but hasn't Intego tried to scare Mac users into purchasing their virus protection before? In fact, they've done this quite a bit. Check out their report and pay close attention to the "Means of protection" paragraph at the end of the article.

The news is Intego attempting to scare up business, this is not a Mac virus, especially when you have to do quite a few stupid things along with giving permission to install from an admin. My goodness...

"Target" must have administrative rights... (1)

neuroklinik (452842) | more than 6 years ago | (#21201883)

The "Target" here must be a user with administrative rights to the console. No admin rights, no install.

A simple question answers it all. (1)

kanweg (771128) | more than 6 years ago | (#21201893)

So Windows fan-bois, ask yourself the question: Would Mac-users now want to switch with you when it comes to malware? 1 trojan versus tons of bad stuff? That is a no-brainer except for no-brainers. But is this trojan a problem for Mac-usin', Porn-surfin' slashdotters (now you know why Apple promotes big 30" screens, right? Never seen an ad that bigger is better?)? No. When surfing for those pictures that sneakily attempt to promote that breast-milk is best, Safari's Private browsing setting can be used. No stuff is downloaded to the hard disk. That includes no malware.

Bert

Full Control of the Machine? (5, Informative)

His Shadow (689816) | more than 6 years ago | (#21201925)

Bullshit. It appends the DNS servers to point the user to phishing and porn sites and runs a cron job to make sure the changes are modified. Does it then email everyone in your address book and infect every other machine on your network? No. It can't even install itself without the Admin password. It's a social hack.

Nice Try tho...
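
A detection check for the behaviour His Shadow describes (the resolver's DNS servers rewritten, plus a cron job that keeps re-applying the change), added here as an example; it is not code from the article, from Intego, or from any poster in this thread. The `scutil --dns` and `crontab -l` text it parses is constructed for the example, and the expected-nameserver set, the trusted command directories and the choice of `scutil`/`networksetup` as "DNS-mutating" programs are assumptions to tune for a real machine.

```python
"""Audit a Mac for the two symptoms described above: unexpected DNS
servers in the resolver configuration and a cron job that either runs
from an untrusted location or re-applies DNS settings.

Added example; not code from the article or from any vendor.  Sample
inputs below are constructed, not captured from an infected machine.
"""
import re
import shlex
from typing import Dict, List, Set

# Assumption: resolvers this machine is expected to use (what DHCP handed out).
EXPECTED_NAMESERVERS: Set[str] = {"192.168.1.1", "192.168.1.2"}

# Assumption: directories a legitimate cron command is allowed to run from.
TRUSTED_COMMAND_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/local/bin/")

# Assumption: programs whose presence in a cron job means "DNS gets rewritten on a schedule".
DNS_MUTATING = {"scutil", "networksetup"}

# Matches the "nameserver[0] : 1.2.3.4" lines of `scutil --dns` output.
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")

# Constructed `scutil --dns` output: one expected resolver and two injected ones
# (203.0.113.0/24 is a documentation range, not a real attacker address).
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.10
  nameserver[2] : 203.0.113.11
  if_index : 4 (en0)
  flags    : Request A records

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
"""

# Constructed `crontab -l` output: one benign job, one job from an odd path,
# one job that re-applies DNS servers at every boot.
SAMPLE_CRONTAB = """\
# constructed crontab for the example
MAILTO=root
*/5 * * * * /usr/bin/newsyslog
* * * * * "/Users/Shared/.video_codec/update.sh"
@reboot /usr/sbin/networksetup -setdnsservers Ethernet 203.0.113.10 203.0.113.11
"""


def parse_scutil_dns(text: str) -> List[str]:
    """Return the nameservers listed in `scutil --dns` output, in order, without repeats."""
    seen: List[str] = []
    for line in text.splitlines():
        m = NAMESERVER_RE.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def unexpected_nameservers(text: str, expected: Set[str] = EXPECTED_NAMESERVERS) -> List[str]:
    """Nameservers in the resolver config that are not in the expected set."""
    return [ns for ns in parse_scutil_dns(text) if ns not in expected]


def parse_crontab(text: str) -> List[List[str]]:
    """Return the command (argv list) of each job in `crontab -l` output.

    Skips blank lines, comments and environment assignments; handles both the
    five-field schedule and @reboot-style shortcuts; honours shell quoting.
    """
    jobs: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if "=" in tokens[0] and not tokens[0].startswith("@"):
            continue  # NAME=value line, not a job
        cmd = tokens[1:] if tokens[0].startswith("@") else tokens[5:]
        if cmd:
            jobs.append(cmd)
    return jobs


def suspicious_cron_jobs(text: str) -> List[Dict[str, str]]:
    """Flag cron jobs that run from untrusted paths or invoke a DNS-changing tool."""
    findings: List[Dict[str, str]] = []
    for cmd in parse_crontab(text):
        reasons: List[str] = []
        if not cmd[0].startswith(TRUSTED_COMMAND_PREFIXES):
            reasons.append("command outside trusted directories")
        if any(tok.rsplit("/", 1)[-1] in DNS_MUTATING for tok in cmd):
            reasons.append("rewrites DNS settings on a schedule")
        if reasons:
            findings.append({"command": " ".join(cmd), "reasons": "; ".join(reasons)})
    return findings


def audit(scutil_text: str, crontab_text: str) -> Dict[str, list]:
    """Combine both checks into one report."""
    return {
        "unexpected_nameservers": unexpected_nameservers(scutil_text),
        "suspicious_cron": suspicious_cron_jobs(crontab_text),
    }


if __name__ == "__main__":
    # On a real Mac, feed in subprocess.run(["scutil", "--dns"]) and ["crontab", "-l"] output instead.
    for key, value in audit(SAMPLE_SCUTIL, SAMPLE_CRONTAB).items():
        print(key, value)
```

The two checks are deliberately independent: a nameserver outside the expected set with no cron job points at a one-off change (or a mis-tuned allowlist), while a cron job that calls `networksetup -setdnsservers` or runs from somewhere like `/Users/Shared` is the persistence half that makes deleting the bad resolvers alone insufficient, which is exactly why the comment above singles out the cron job.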

Intego at it again (2, Informative)

eclectic4 (665330) | more than 6 years ago | (#21201971)

Yes, but hasn't Intego tried to scare Mac users [daringfireball.net] into purchasing their virus protection before? In fact, they've done this quite a bit. Check out their report [intego.com] and pay close attention to the "Means of protection" paragraph at the end of the article.

The news is Intego attempting to scare up business, this is not a Mac virus, especially when you have to do quite a few stupid things along with giving permission to install from an admin. My goodness...