[Full-disclosure] mac trojan in-the-wild

Paul Schmehl pauls at utdallas.edu
Fri Nov 2 03:21:58 GMT 2007 

--On November 1, 2007 4:53:12 PM -1000 Peter Besenbruch <prb at lava.net> 
wrote:
>>
>> There is no need to do that.  In both Macs and Gnome or KDE on Unix, if
>> you try to run rpm -i (of whatever the install paradigm is on your
>> flavor of OS), you'll be *prompted* for the root password, not asked to
>> run it as root.  Big difference, and one that many users do not
>> appreciate at all.
>
> Sadly, that doesn't seem to work on Debian. Yes, I have RPM installed.
>
Well, as with anything, YMMV.  The point is, this will work for some 
percentage of the population, particularly those who have recently moved 
from Windows to Linux because "it's more secure!"

>> When an internationally recognized Ph.D psychologist can lose $3 million
>> US to the 419 scam and be prepared to lose more, is it really a stretch
>> to think that a fake codec trojan will make inroads on the Mac?
>
> The question is, HAS it made inroads?

Considering it was discovered just 48 hours ago, I think it's too early to 
tell.  I fully expect to see some Macs trojaned by this.  How many is 
anybody's guess, but it's merely a matter of time before we start seeing 
them show up in botnets.

OSes might be "secure" or "insecure" but people don't change.

> From what I read, it hasn't. What are  the factors limiting the spread?

The number of naive users who have Macs.

> Making inroads on the Mac would be analogous  to the Nigerians tricking 
many PhDs in psychology.
>
That wasn't my meaning.  In my opinion *any* trojaned Macs would be 
newsworthy simply because we haven't seen that before.

> As I implied in my last post, the spread of malware is somewhat
> proportional  to the level of interaction. Even on a Mac, you have to go
> through a number  of steps to install this stuff.

There are (debatable) hundreds of thousands of bots trojaned with Storm. 
As I'm sure you are aware, you get a Storm trojan by clicking on the link 
in an email and then downloaded the "greeting card" that it suckers you 
into viewing.  Yes, it does take advantage of vulnerabilities in Windows 
**when those are available**, but it also takes advantage of fully patched 
machines when their owners are naive.  The same thing will happen with 
Macs or with any Unix system.

Furthermore, I think it's naive to say "you have to go through a number of 
steps to install this stuff" when you go through *exactly* the same number 
of steps to install something that someone you know recommends to you. 
For example, a friend emails you and say he/she found this fantastic 
utility that allows you to quickly determine all the running processes on 
your machine.  Curious, you click on the link, download the software and 
start the install.  Your Mac prompts you for the root password (which is 
also *your* password for most Mac users) and you type it in.  The program 
installs and you start it, eager to see what your friend is raving about.

You just completed *all* the same steps that the trojan compels you to do.

How many people do this sort of thing *every* day, without giving a 
second's thought because their friend sent the email and recommended it? 
Enough, apparently, to make it worthwhile for criminals to target Macs.

That should give a thinking person pause.  It's certainly one more thing 
that I will have to worry about at work.

Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pkcs7-signature
Size: 3701 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071101/4bbfbf2e/attachment.bin

Full-Disclosure is hosted and sponsored by Secunia.