Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: mac trojan in-the-wild
From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 01 Nov 2007 22:21:58 -0500

--On November 1, 2007 4:53:12 PM -1000 Peter Besenbruch <prb () lava net> wrote:

There is no need to do that.  In both Macs and Gnome or KDE on Unix, if
you try to run rpm -i (of whatever the install paradigm is on your
flavor of OS), you'll be *prompted* for the root password, not asked to
run it as root.  Big difference, and one that many users do not
appreciate at all.

Sadly, that doesn't seem to work on Debian. Yes, I have RPM installed.

Well, as with anything, YMMV. The point is, this will work for some percentage of the population, particularly those who have recently moved from Windows to Linux because "it's more secure!"

When an internationally recognized Ph.D psychologist can lose $3 million
US to the 419 scam and be prepared to lose more, is it really a stretch
to think that a fake codec trojan will make inroads on the Mac?

The question is, HAS it made inroads?

Considering it was discovered just 48 hours ago, I think it's too early to tell. I fully expect to see some Macs trojaned by this. How many is anybody's guess, but it's merely a matter of time before we start seeing them show up in botnets.

OSes might be "secure" or "insecure" but people don't change.

From what I read, it hasn't. What are  the factors limiting the spread?

The number of naive users who have Macs.

Making inroads on the Mac would be analogous to the Nigerians tricking
many PhDs in psychology.

That wasn't my meaning. In my opinion *any* trojaned Macs would be newsworthy simply because we haven't seen that before.

As I implied in my last post, the spread of malware is somewhat
proportional  to the level of interaction. Even on a Mac, you have to go
through a number  of steps to install this stuff.

There are (debatable) hundreds of thousands of bots trojaned with Storm. As I'm sure you are aware, you get a Storm trojan by clicking on the link in an email and then downloaded the "greeting card" that it suckers you into viewing. Yes, it does take advantage of vulnerabilities in Windows **when those are available**, but it also takes advantage of fully patched machines when their owners are naive. The same thing will happen with Macs or with any Unix system.

Furthermore, I think it's naive to say "you have to go through a number of steps to install this stuff" when you go through *exactly* the same number of steps to install something that someone you know recommends to you. For example, a friend emails you and say he/she found this fantastic utility that allows you to quickly determine all the running processes on your machine. Curious, you click on the link, download the software and start the install. Your Mac prompts you for the root password (which is also *your* password for most Mac users) and you type it in. The program installs and you start it, eager to see what your friend is raving about.

You just completed *all* the same steps that the trojan compels you to do.

How many people do this sort of thing *every* day, without giving a second's thought because their friend sent the email and recommended it? Enough, apparently, to make it worthwhile for criminals to target Macs.

That should give a thinking person pause. It's certainly one more thing that I will have to worry about at work.

Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas

Attachment: _bin

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]