mailing list archives
Re: mac trojan in-the-wild
From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 01 Nov 2007 22:21:58 -0500
--On November 1, 2007 4:53:12 PM -1000 Peter Besenbruch <prb () lava net>
Well, as with anything, YMMV. The point is, this will work for some
percentage of the population, particularly those who have recently moved
from Windows to Linux because "it's more secure!"
There is no need to do that. In both Macs and Gnome or KDE on Unix, if
you try to run rpm -i (of whatever the install paradigm is on your
flavor of OS), you'll be *prompted* for the root password, not asked to
run it as root. Big difference, and one that many users do not
appreciate at all.
Sadly, that doesn't seem to work on Debian. Yes, I have RPM installed.
When an internationally recognized Ph.D psychologist can lose $3 million
US to the 419 scam and be prepared to lose more, is it really a stretch
to think that a fake codec trojan will make inroads on the Mac?
The question is, HAS it made inroads?
Considering it was discovered just 48 hours ago, I think it's too early to
tell. I fully expect to see some Macs trojaned by this. How many is
anybody's guess, but it's merely a matter of time before we start seeing
them show up in botnets.
OSes might be "secure" or "insecure" but people don't change.
From what I read, it hasn't. What are the factors limiting the spread?
The number of naive users who have Macs.
Making inroads on the Mac would be analogous to the Nigerians tricking
many PhDs in psychology.
That wasn't my meaning. In my opinion *any* trojaned Macs would be
newsworthy simply because we haven't seen that before.
As I implied in my last post, the spread of malware is somewhat
proportional to the level of interaction. Even on a Mac, you have to go
through a number of steps to install this stuff.
There are (debatable) hundreds of thousands of bots trojaned with Storm.
As I'm sure you are aware, you get a Storm trojan by clicking on the link
in an email and then downloaded the "greeting card" that it suckers you
into viewing. Yes, it does take advantage of vulnerabilities in Windows
**when those are available**, but it also takes advantage of fully patched
machines when their owners are naive. The same thing will happen with
Macs or with any Unix system.
Furthermore, I think it's naive to say "you have to go through a number of
steps to install this stuff" when you go through *exactly* the same number
of steps to install something that someone you know recommends to you.
For example, a friend emails you and say he/she found this fantastic
utility that allows you to quickly determine all the running processes on
your machine. Curious, you click on the link, download the software and
start the install. Your Mac prompts you for the root password (which is
also *your* password for most Mac users) and you type it in. The program
installs and you start it, eager to see what your friend is raving about.
You just completed *all* the same steps that the trojan compels you to do.
How many people do this sort of thing *every* day, without giving a
second's thought because their friend sent the email and recommended it?
Enough, apparently, to make it worthwhile for criminals to target Macs.
That should give a thinking person pause. It's certainly one more thing
that I will have to worry about at work.
Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
Re: mac trojan in-the-wild Jim Harrison (Nov 02)
Re: mac trojan in-the-wild Peter Besenbruch (Nov 01)
Re: mac trojan in-the-wild worried security (Nov 02)