Trojan in the Wild Exploiting Naive Mac Users
Filed Under Computers & Tech, Security on November 1, 2007 at 6:18 pm
There’s a lot of buzz around the place today because something we all knew would happen eventually has finally happened: there is malware out there actively going after Mac users. Is this malware exploiting some flaw in the Mac OS? Nope, it’s exploiting the innocence of many Mac users when it comes to security matters. The attack requires the user not only to run an installer, but also to enter their password to give the installer administrative privileges! The only way this could ever work is if there are a lot of naive Mac users out there so convinced of their security that they’ll happily install any random crap from the internet. Uh oh ….
So how does this attack work? Well, the process starts by luring the victim to a porn site and promising them a hot and steamy video clip. The site then displays a message telling the user they need to install a codec to view the aforementioned video and offers them a .dmg file to download. This disk image contains a package called MacCodec.pkg, which the user must double-click to install. When they do, they are asked to enter their password to grant the installer administrative access. The installer then uses that access to have some fun with the victim’s DNS settings, pointing them at a malicious DNS server that will serve them up phishing sites, ads and porn. Because every name lookup now goes through a server the attacker controls, a request for your bank’s web site can be answered with the address of a look-alike phishing page while the browser still shows the right name. The installer also sets up a service that re-sets the DNS settings every hour, so you can’t recover simply by correcting your DNS settings.
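A quick way to check a Mac for the two symptoms just described, resolvers pointed somewhere you don’t expect and a scheduled job that puts them back, is to look at the output of `scutil --dns` and at root’s crontab. The script below is an added example, not code from this post or from any analysis of the trojan: the command output and crontab it parses are constructed samples, the expected-resolver list is something you would fill in from your own network, and the idea that the hourly re-set is done by a cron job calling `networksetup` is an assumption (the post only says “a service”).

```python
"""Audit DNS resolvers and root's crontab for a DNS hijack plus a job that
re-applies it. Added example, not code from the original post; the sample
`scutil --dns` output and crontab below are constructed."""
import re

# Constructed sample of `scutil --dns` output (assumption: resolver blocks
# with "nameserver[N] : addr" lines is the layout the tool prints).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 198.51.100.7
  nameserver[1] : 198.51.100.8
  order   : 200000

resolver #2
  domain  : local
  options : mdns
  order   : 300000
"""

# Constructed root crontab: an hourly job that re-applies the rogue resolvers
# (hypothetical; the real service could be implemented differently).
SAMPLE_CRONTAB = """\
# constructed sample, not taken from an infected system
0 * * * * networksetup -setdnsservers Ethernet 198.51.100.7 198.51.100.8 >/dev/null 2>&1
"""

# Resolvers you expect to see, e.g. what your DHCP server hands out (assumption).
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Tools a job would need to touch in order to change DNS settings.
DNS_SETTING_TOOLS = ("networksetup", "scutil", "resolv.conf")

NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_resolvers(scutil_output):
    """Return the nameserver addresses listed in `scutil --dns` output."""
    return NAMESERVER_RE.findall(scutil_output)


def unexpected_resolvers(resolvers, expected=EXPECTED_RESOLVERS):
    """Addresses in use that are not on the expected list (order kept, no duplicates)."""
    rogue = []
    for addr in resolvers:
        if addr not in expected and addr not in rogue:
            rogue.append(addr)
    return rogue


def suspicious_cron_entries(crontab):
    """Flag cron jobs that run at least hourly or call a DNS-setting tool.

    A stock root crontab is empty (assumption), so every entry is reported;
    'reasons' records why it stood out."""
    flagged = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # not a five-field schedule followed by a command
        hour, command = fields[1], fields[5]
        reasons = []
        if hour == "*" or "/" in hour:       # every hour, or every N hours
            reasons.append("runs at least hourly")
        if any(tool in command for tool in DNS_SETTING_TOOLS):
            reasons.append("calls a DNS-setting tool")
        flagged.append({"command": command, "reasons": reasons or ["unexplained root job"]})
    return flagged


def audit(scutil_output, crontab, expected=EXPECTED_RESOLVERS):
    """Combine both checks. A job naming the same addresses the resolver list
    shows is the hourly re-set the post describes: fixing DNS by hand won't stick."""
    rogue = unexpected_resolvers(parse_resolvers(scutil_output), expected)
    jobs = suspicious_cron_entries(crontab)
    persistence = [j for j in jobs if set(IPV4_RE.findall(j["command"])) & set(rogue)]
    return {"rogue_resolvers": rogue, "suspicious_jobs": jobs, "persistence_jobs": persistence}


if __name__ == "__main__":
    # On a real Mac you would feed in `scutil --dns` and `sudo crontab -l` output.
    print(audit(SAMPLE_SCUTIL_DNS, SAMPLE_CRONTAB))
```

The point of the combined report is the last list: if a scheduled job references the very addresses that have replaced your resolvers, removing that job has to come before correcting the DNS settings, otherwise the fix is undone within the hour.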
You can find out more about this trojan at the links below:
This trojan is very clever because it exploits the weakest link in OS X security: those smug Mac users who brag about how safe and secure they are to their unenlightened Windows brethren. I think it’s fair to say that the average Mac user labours under the illusion that you don’t have to worry about security on the Mac. Well, today’s news proves what I’ve been saying for ages: Mac users need to be aware of security issues too, just like everybody else.
So, what can you do to protect yourself? Well, you could go out and buy yourself some anti-virus software that will protect you from known threats and eat up your resources, or you could apply some common sense to your daily computer use, or both. Personally, I’m a big fan of the common-sense approach. Here are some simple steps I’d suggest:
- Keep your OS up-to-date at all times.
- Keep all your programs up-to-date at all times, especially any that use the internet like browsers, mail clients, iTunes, chat clients, RSS aggregators, etc.
- Don’t install anything you didn’t get from a trusted source.
- Don’t open any attachments you weren’t expecting to get, particularly if they contain password-protected zip files or any sort of executable file.
- Be suspicious of all installers that ask for administrative access.
- Keep an eye on the US-CERT Current Activity page or, better yet, subscribe to their feed.
If you’re a Mac user it’s time to stop taking security for granted and to apply some simple precautions.
Couple of questions, Bart:
1) don’t ALL installers have to request administrator privileges on OSX, in which case you’ve said to be suspicious of all installers? (which might be exactly what you meant to say)
2) it would seem to me that this concept was always possible – if I actively download and install an app, I would expect it to be able to do just about anything it wants. Is this exploiting a specific hole in OSX or just a specific hole in our naivety?
3) it always bugs me when people say “trusted sites” – what’s a trusted site? sony.com? You see what I mean, right? Obviously porn sites as a whole should be on the untrusted site list, but let’s say I’m looking (like I was last night) for a .mov to .wmv converter. I’ve tried all the usual suspects, so how do I tell if the sites I’m going to are “trusted”?
good article,
Allison
NosillaCast at http://podfeet.com
A technology geek podcast with an EVER so slight Macintosh bias!
Hi Allison,
1) Most OS X software installs are drag-and-drop. If you’re installing something simple and it comes as an installer rather than a drag-and-drop install you have to wonder why. I think twice before running any installer and would never run one I was offered by a gambling site or a porn site or similar.
2) No hole in OS X, just in the organic bit between the keyboard and the chair 🙂
3) There is no sure way to tell but generally the best thing is to stick to trusted publishers or to recommendations from trusted sources. It’s a pure judgement call though, so no easy answer.
Ultimately we just need to adopt a more cautious attitude to installing software on the Mac. Keeping informed about the attacks that are out there is also a good idea so you know what in particular to be extra suspicious of.
Bart.