“A new trojan horse designed specifically for Mac OS X systems has been discovered on several pornography websites that can hijack Web traffic, according to security firm Intego. Affected systems are used to hijack some Web requests that lead users to other phishing sites, or simply display ads for other pornographic websites to generate ad revenue. Phishing attacks may lead users to believe they are surfing to eBay, Paypal, or various banks when in fact they are accessing specially-crafted mockups designed to retrieve usernames and passwords for those sites. The trojan, titled OSX.RSPlug.A, is rated as a critical risk by Intego, and is known to affect Mac OS X 10.4 Tiger as well as Mac OS X 10.5 Leopard. Intego is testing prior versions of Mac OS X, but believes them to be vulnerable as well.”
Targeting OS X users on obscure porn websites; it’s a known fact that these sorts of sites come with risks anyway.
A trojan is a trojan. It doesn’t matter if it came from some obscure corner of the web or not, it still exists and it can still potentially deal damage to someone’s system. There are risks to doing anything online. I’m sure you’ve seen plenty of trojans get leaked with trusted software. Anyway, I’m just tired of the excuses. If there’s a trojan, just get it fixed, no reason to be in denial over it if it really exists.
I understand this and so do others, but making it news like it’s some kind of doomsday device on the OS is not right. Just the right timing for not long after the Leopard release, got to love OSAlert.
As far as I can recall, this is the first trojan in the wild for OS X – instead of previous alarm bells that were just proof-of-concepts or whatever.
That is what made me publish it on OSAlert today. There is no conspiracy.
Is there another source for this “information” other than from Intego?
As a Linux user I remain highly skeptical of Virus Protection companies. Especially when they mark something as critical that involves Social Engineering.
I completely agree. A socially engineered virus is not something that would be “critical”. If it were a simple process of going to a website and then, boom, you’re infected, then it should be marked as critical.
As it is, this is just a “If you’re a horny retard, you’ll get infected.”
Out of curiosity, doesn’t Safari have anti-phishing features built-in as well? I know Firefox does. The only other way I can think of to really trick, say, typing in ebay.com and getting another site would be if there were something in the hosts file itself. Then again, I’m not a virus programmer, so I’m not sure.
Either way, much like a virus that kept popping up a message using the Windows Messenger (I mean the actual Windows Messenger, not MSN Messenger. The one that is used by administrators to announce whether servers are going down, etc.) that would say “Pay us 10 dollars and this will go away.” Talk about extortion. Especially since turning off that thing is as easy as going into the services.
“If you’re a horny retard, you’ll get infected.”
What’s the equivalent of “triple-wrapping it” for the internet?
What’s the equivalent of “triple-wrapping it” for the internet?
Non-persistent storage for VMs or booting from a live CD.
Looking back, maybe I jumped too quickly with my remarks; I should have taken more time to think about it.
Edited 2007-11-01 03:10
Ah yes, the “I don’t like this news, so it’s not news” approach.
MacOS makes a big deal about how their OS does not get viruses:
http://movies.apple.com/movies/us/apple/getamac_ads1/viruses_480x37…
It is therefore newsworthy if they are then affected by them. Simple.
And yes, I am aware of the difference between a virus and a trojan, and it makes no difference.
yes it does… because you still have to agree to install/run the program
So yes, OS X gets malware, but in Windows with IE all you have to do is surf a malicious website and suddenly you have malware without agreeing to it. Admittedly SP2 now USUALLY gives the option to install or not, but this certainly does not mean OS X is vulnerable to unassisted crapware.
This is just like a malicious wmv codec license, nothing more nothing less.
Just wait till there is one for Ubuntu, then Bill Gates will know his monopoly is over.
[Edit:] TYPO
Edited 2007-11-01 05:43
I don’t think anybody is making excuses, because there is nothing anybody can do against a program that the user deliberately installs. I suppose if Safari automatically downloaded and installed it without the user’s knowledge, then Apple could definitely be taken to task for it.
However, it does highlight the issue (at least to me) that the “Download ‘safe’ files” option should not be checked by default in Safari. Still, even with this option checked all it does is download and mount the image. Though that is definitely scary in itself, it still doesn’t hurt the user’s system until they install the program. This is far different from say, the drive-by download and install BHOs and ActiveX controls that plagued IE on Windows for so long.
The article does say that one thing the user can do to protect themselves is to buy the Intego VirusBarrier X4, which incidentally is available from the company that issued the release.
Well, at least one company is leveling the playing field and developing viruses for OS X.
How else does Symantec stay in business?
Or in this case, Intego…Thank goodness!
If there’s a trojan, just get it fixed, no reason to be in denial over it if it really exists.
It’s not the trojan but the user’s willingness to bluntly install anything that pops up. According to the article the user got a message to install something (should ring a bell or two), the user had to give admin credentials (should bring you into defcon 3).
I instructed a lot of users not to install anything unless you downloaded it from a verifiable source and with good reason.
Sex sells and still attracts a lot of people. The internet is just another medium. And anything that works with files (software) can be abused, and sooner or later will be abused.
The article is nothing extraordinary. What in my opinion is more remarkable (mind, I’m not an OS X expert in any way) is the lack of adjusting the DNS server entries with the known OS X “it just works” user-friendliness.
How exactly do you plan to fix a problem that is situated between the chair and the monitor?
Edited 2007-11-01 16:22
How exactly do you plan to fix a problem that is situated between the chair and the monitor?
lobotomy?
This is a common ploy to get anything installed on a user’s machine.
I’ve seen more than just porn sites do this, although I’ve always seen the trojan being offered as a Windows .exe or ActiveX component. Software crack and hack sites have employed this style of attack for years now in the Windows world.
Interesting to see someone putting focus on OS X users.
I am always getting my Mac desktop littered with gobs of .exe files from some of the torrent sites and ‘others’ I visit. I assume it’s from these sites trying to install trojans on Windows boxes.
Firefox on Mac does not know what to do with them so it just drops them down on the desktop like an attachment/download.
Uh… how exactly is that happening? I visit some of these types of sites and have never had Safari or Firefox download ANYTHING without my knowledge or consent.
From Intego’s website:
“If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.”
So tell me, how is this different than just going to one’s home folder and deleting all files? Of course, if you go about installing everything every page suggests, there may be trouble, *especially* if this something wants admin privileges.
It’s not like there’s any vulnerability involved where you navigate to a malicious site and get infected automatically. Sheesh!
It never ceases to amaze me that people will just install anything they see. Click click click! Oops, what was that I just installed?
This “Critical” vulnerability is that you can download a program, authenticate yourself as an Administrator, and it doesn’t do what it claims it will.
This is no security flaw in OS X. You could do the same thing for any other Internet-connected OS.
There’s nothing OS developers can realistically do to prevent problems arising when the administrator of a machine can be tricked into something (which you can’t do without preventing them from doing the things they bought the computer to do: the only solution is education).
Anybody claiming this to be a “flaw” in anything but human behaviour is headline-grabbing. Incidentally, who the hell are Intego anyway?
Edited 2007-10-31 21:40
The ones making an anti-virus product for OS X. Does that explain things for you?
Correct: PEBKAC
“””
There’s nothing OS developers can realistically do to prevent problems arising when the administrator of a machine can be tricked into something
“””
Sure they can. The OS could require that all binaries be cryptographically signed by the OS vendor, and refuse to run them if they are not. All programs would have to be certified by the vendor. The hardware could require the same of the OS kernel, and refuse to run a kernel that isn’t signed.
Yes, it *is* a horrid “solution”, and a horrible idea. But it *is* something that could be done.
Signing things cryptographically won’t get you anywhere. If anything it’d only certify that some certain piece of software came from vendor “A”. That doesn’t mean any malicious code in that software would be automatically disabled.
Unless you want Apple to sign each and every app out there separately after proving internally it doesn’t do any damage – impossible task.
This would not be impossible at all. If malicious code is inserted by the developer, then the software could be un-certified by the OS maintainer. You could then have the option on whether to allow loading a kernel that allows certified or uncertified. For many servers this would be ideal, as most software will remain more static throughout the lifetime of the installation.
The vendor could still trojan you though.
As lame as this “Trojan” is, it’s still a potential trend. Perhaps we should be shopping around for a comprehensive solution, because, after all, we are becoming a target.
Duck -[in a]- row?
“The vendor could still trojan you though.”
… or the Country:
Germany Seeks Expansion of Computer Spying:
http://www.latimes.com/news/nationworld/world/la-fg-security30oct30…
http://yro.slashdot.org/yro/07/10/31/1955205.shtml
“The LA Times reports on a proposal to secretly scan suspects’ hard drives which is causing unease in a nation with a history of official surveillance. Along with several other European countries, Germany is seeking authority to plant secret Trojan viruses into the computers of suspects that could scan files, photos, diagrams and voice recordings, record every keystroke typed and possibly even turn on webcams and microphones in an attempt to gain knowledge of attacks before they happen.”
[from Slashdot]
If they’re asking permission it’s already happening; this could have ramifications for the US Military/Citizens in Germany.
They recently outlawed all “hacking tools” [ping to Nmap?] from use, even by security professionals.
… unarmed peasants anyone? If your copy of Nortons has the Disk Editor [or similar] included you could be taken in for a new portrait.
hylas
“this could have ramifications for the US Military/Citizens in Germany.”
This would have no impact whatsoever on the US military, as German laws such as this do not intersect with US law. Although US bases are not “sovereign” territory such as an embassy, the US military is there after all as an occupying force. To put it bluntly and as nicely as I can, Germany really does not have any say. US citizens not employed through either the government or military are of course the same as any other citizen of a foreign nation.
Condi?
I’d file a bug report against the human hormonal system, but I don’t think I can do that.
We all know whether we are pro mac, Linux, or windows that this is by no means a vulnerability. If you download a file, run the installer, and authenticate with admin credentials you are installing applications.
Whether it is Office, iTunes, or “Planet of the Freakin’ Apes”. This is complete BS and we should all be insulted by the sheer thought that Intego would attempt to put this out.
This is not news, it is an attempt to capitalize on a newly released platform by a company selling antivirus.
besides, who cares about such things you are never going to catch.. now.. if apple instead would focus on changing behavior on their string parsers from:
“hey, i see an url, i better try download and EXECUTE whatever it points to”
to
“hey, a string, well, ill pass it along to whichever app needed it”
OS X would be a hell of a lot more secure
To say OS X is less secure because of it is rubbish.
So you need to visit the actual site with the infected sites. Ok, might be hard, depends on your surfing habits.
After you find it, you’ll need to download it, then mount the DMG, then run it, put in your password and you’re infected.
If you have the Safe files off you have to go do all that manually.
Worse yet, in Leopard, anything you download seems to pop up an additional window saying “You’ve opened this off the Internet at <blah> time and are you sure you want to open it, Internet files can be dangerous” or something very close to that effect.
So you have to click Open again.
I wouldn’t exactly panic when you have to perform half a dozen steps to actually get it installed, and it depends on if you actually hit a site with this exploit, so the chances would be extremely low.
Unlike the Windows counterpart, where with some viruses and trojans all you needed was to have your computer turned on and connected to the Internet.
There’s a limit as to how much safety you can put into a computer without it affecting other users.
Sure you could prevent heaps of things from happening, but then it annoys the hell out of the power users who already know to avoid this crap and now they have a locked down OS they can’t do what they want with because it’s been dumbed down beyond comprehension.
It’s just good news I suppose.
Regardless of the antivirus people have, and spyware tools and every other prevention tool on the Internet.
If you practice safe hex, you’ll be fine
Edited 2007-10-31 22:24
Mac users aren’t trained by default to let anything that wants the admin password have it.
Or, more specifically, Mac users basically don’t run in admin mode at all.
Historically, most Mac programs require no special privileges at all, so when something asks for privileges, it sets off at least some alarm bell to think twice before entering your password.
But Windows users have for many years run in “admin” mode by default, thus alleviating that “annoying” popup. It seemed EVERYTHING you downloaded for Windows wanted admin privileges.
Hell, back in the day you couldn’t play WarCraft 3 without being an admin (which is, you know, insane).
Anyway, since legit software tends to be much better behaved on the Mac than on Windows, that kind of training will reduce the impact of having a “Trojan in the wild”.
Each first user on a Mac is an admin.
Each first user on a Mac is an admin.
Yes, but being an admin is not the same as running in admin mode. By comparison, we have a lab of Windows-based computers at work, and on those computers being admin means running in admin mode. I don’t have to retype my password every time I want to install software that mucks around with the system.
Each first user has admin privileges, comparable to being in the sudoers file on Linux.
// back in the day you couldn’t play WarCraft 3//
Warcraft 3 was “back in the day”?!!?
Ah, grasshopper … you have so much to learn …
This company is so full of shit it hurts. They like to scare the Mac community into thinking there are threats everywhere.
Their own software does not work with Leopard. Hello Intego! How about fixing the damned software I purchased so it works with Leopard? You have had long enough!
Edited 2007-11-01 01:31
Their own software does not work with Leopard. Hello Intego! How about fixing the damned software I purchased so it works with Leopard? You have had long enough!
They didn’t get the final bits until you did. Less than a week is long enough? Go take it up with Apple…
And that tripe got modded up? WTF?
No, developers have had Leopard for quite some time. Do developers wait for final code release to start working on compatible versions? I sure don’t.
I’m going to suggest that this is a critical security flaw, for one simple reason: there is no good reason for software to use an installer, never mind one that requires administrative access, in order for it to be operable. Like it or not Apple, and other vendors, have made the practice of installers that demand administrative access the norm. Because of this, users see responding to requests for administrative access as normal.
If that wasn’t the case, Apple could create an effective and user friendly wrapper that all programs would have to go through. That wrapper would bar resource access unless the user explicitly allowed for it. And that wrapper doesn’t have to be complex (from the user’s perspective) either. It may simply pop up with a dialog box on the first run and ask what the program is allowed to do. It could give convenient answers like: “access the internet”, “access files in my directory”, “access any file on my computer”. Security experts could figure out the most effective way to present these options, so that the user realises that it is not normal for certain types of programs to access certain types of resources.
[T]here is no good reason for software to use an installer, never mind one that requires administrative access, in order for it to be operable… If that wasn’t the case, Apple could create an effective and user friendly wrapper that all programs would have to go through.
Maybe I misunderstand you, but I don’t have to run an installer every time I want to install new software. When I want to install Firefox or Lyx or some other program, I simply plop it into the Applications directory, done.
I’m not sure I agree with the second part of what you describe. It seems silly that I should have to give a browser that I download off the internet the explicit permission to access the internet, or even to access files in my directory.
Really? I’d say that a promiscuous app like a browser, making connections to sites we don’t even know about (think banner ads, etc.) should be sandboxed. We should have an “Internet home dir” and a “Regular home dir”. The browser should be chrooted to the sandboxed dir. The file manager would have access to both, so you can move files between them.
OK. Maybe not chrooted, since on Linux, at least, a chroot is not really a jail. But locked into that directory in such a way that escape is not trivial.
I don’t want to have to download several, or even hundreds, of files to an internet home directory, then sort the files that I want to move out of that directory. I’m very happy downloading files into the directory I want them to be, and I don’t need a nanny OS scolding me and telling me I can’t do that. Even if it did, I would be no less vulnerable to the trojan horse cited in this story than I am now. Hmm… I want to view a film that requires a new codec, and installation requires the admin password?
If you are talking about forbidding the browser from running a script that reads files outside its cache (to avoid snoopers) that’s another story, but I don’t believe that we need the kind of system stated here to do that.
Your point about installers being awful, particularly on OS X, where you are trained to think that there’s nothing special about app files, is accepted.
However, this is a really bad trojan horse implementation. I’m pretty sure you could design a trojan horse for OS X that doesn’t require either an installer or admin privileges to work correctly — anything that has the ability to execute code on the CPU should be sufficient. The majority of the data a trojan wants to capture is available to non-admin users.
The real solution to this problem should be some sort of MAC or RBAC, coupled with cryptographically signed binaries. Unfortunately, making a UI for this type of system is extremely difficult and you need to make sure to avoid the Vista “Allow or deny” type problems, while still allowing for appropriate security.
Package management on Linux makes this sort of system far easier to manage, so long as you trust the distribution’s package repository and signed packages.
I’d like to see a site which this is running on. Can anyone confirm this exists?
I’m not saying it doesn’t exist, but I am rather dubious of the source.
There is no market for anti-virus products on Mac OS X or Linux, so all these companies have is some lame propaganda. How pathetic is that; just because no operating system is perfect, to say it would be vulnerable like Windows is a little preposterous imho.
That’s because Firefox did it right. At least on the Mac. But think of a program like NeoOffice, which does have an installer. It’s probably easy enough to circumvent that installer if you have the technical knowledge (IIRC, installer bundles are just gzipped pax files), but the average computer user won’t have a clue how to do a manual installation.
Alas, we don’t live in 1977 anymore (or 1997, for that matter). The average piece of software will connect to a remote server, even if it does not have a particularly good reason to do so. The typical person now uses a multitude of programs and those programs are regularly upgraded, which makes them hard to vet. We store more valuable data on networked computers, which makes us more appealing targets. Programs like Firefox, IE, and Opera run code indiscriminately; and while it is possible to turn off things like ActiveX and Java, it is nearly impossible to turn off JavaScript and Flash. Particularly for the user who wants things to just work.
And while it is fine to say that we should educate people to avoid social engineering, so that technical solutions aren’t needed for this more complex computing world, most of the education either falls into the category of “don’t do that stuff”, which leaves them out of the technology loop when they dearly want to be a part of it. The rest of that advice is so dynamic and broad ranging, because the criminals are adapting so quickly and use a lot of different tactics, that most people just cannot keep up.
Well, as far as I know, software that requires an installer is that which also installs libraries on a system level – like the iWork and iLife suites, Adobe CS and such, all of them complex applications.
I can perfectly well understand this requirement for some types of software, and I’ve not come across any application that asked for my admin password when I thought it shouldn’t.
<quote>Well, as far as I know, software that requires an installer are those that also installs libraries on a system level – like the iWork and iLife suites, Adobe CS and such, all of them complex applications.</quote>
This is where I whole-heartedly disagree with you. Applications like iWork, iLife, and Adobe CS may be complex, but they are fundamentally user-level applications.
Even breaking up an application into libraries, to share resources or reduce resource usage, is not really an excuse for forcing a user to use admin level access. IIRC, Mac OS X application bundles are versatile enough to have libraries bundled within them, which means that software can remain modular. IIRC, the ~/Library directory can also contain libraries. That means that it is possible to have shared libraries that are not installed at the system level. And that should be the case, because Apple made a fundamental mistake when they designed Mac OS X: the only administrative account allows the user to gain root level privileges.
Even things that need background processes need not be installed with administrative privileges. Developers could follow a practice that Microsoft used in the past: have a first-run script that asks the user to install certain files (including scripts that run in the background). If a user wants to let a user do so, then they can. If not, then they don’t.
Is all of this a little inconvenient? Probably. It could even end up resembling Vista’s UAC. Alas, we live in an age where computers store a lot of information that can make us more vulnerable to predators (or criminals). And some of us are even concerned about legitimate software doing things behind our back. (I forget whether it was iWeb or Garage Band, but one of them turned into a “telemarketer” when the new release of Garage Band came out.)
I see your point, but i still understand the need for some software having to be installed with admin privileges.
One solution would be to have applications that require admin privileges be digitally signed by Apple, as most applications don’t.
This would also push developers to create software that keeps itself on a user-level.
Edited 2007-11-02 13:19
A not very sophisticated trojan. Still, a lot of user intervention is required. Would have been more interesting if no user interaction were required.
What strikes me (if true) is the following:
What’s more, under Mac OS X 10.4 Tiger there is no way to see the changed DNS server in the operating system’s graphical user interface, although in Mac OS X 10.5 Leopard users can see the change in the Advanced Network preferences; the added DNS servers are dimmed and cannot be removed manually.
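The change quoted above, resolver entries the user did not add (and the hosts-file redirect raised earlier in the thread), is what a defender would actually look for on a machine. The following is an added example, not code from Intego, Apple or the article: a Python script that parses the text output of `scutil --dns` and the `/etc/hosts` format, reports resolvers outside an allowlist, and reports hosts entries that pin a watched domain to a non-loopback address. The sample inputs, the allowlist, the watched-domain set and the 203.0.113.x addresses (RFC 5737 documentation range) are constructed for the example; it assumes the resolver lines keep the `nameserver[N] : addr` layout.

```python
"""Audit resolver settings and /etc/hosts for entries the owner did not configure.

Added example, not Intego's or Apple's code. Parses the text format of
`scutil --dns` and of /etc/hosts. Sample inputs below are constructed; the
203.0.113.x addresses are RFC 5737 documentation addresses standing in for
"a resolver or pin you never set up".
"""
import ipaddress
import re
import subprocess
from typing import Iterable

# Assumption: the owner configured a home router and one public resolver.
EXPECTED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

# Domains named in the thread as phishing targets of a redirect.
WATCHED_DOMAINS = {"ebay.com", "paypal.com"}

# One `scutil --dns` resolver line looks like "  nameserver[0] : 192.168.1.1".
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)

# Constructed `scutil --dns` output: the router plus two resolvers the user never added.
SAMPLE_SCUTIL = """DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.10
  nameserver[2] : 203.0.113.11
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
"""

# Constructed /etc/hosts: stock entries, one phishing-style pin, one harmless loopback block.
SAMPLE_HOSTS = """##
# Host Database
##
127.0.0.1\tlocalhost
255.255.255.255\tbroadcasthost
::1             localhost
203.0.113.20    www.paypal.com paypal.com   # constructed: pin to a server you did not choose
127.0.0.1       ads.example                 # constructed: owner's own ad block, not reported
"""


def unexpected_resolvers(scutil_output: str, expected: Iterable[str] = EXPECTED_RESOLVERS) -> list:
    """Return resolver addresses in `scutil --dns` output that are not on the allowlist, in order, deduplicated."""
    allow = set(expected)
    seen, out = set(), []
    for addr in NAMESERVER_RE.findall(scutil_output):
        if addr in allow or addr in seen:
            continue
        seen.add(addr)
        out.append(addr)
    return out


def suspicious_hosts_entries(hosts_text: str, watched: Iterable[str] = WATCHED_DOMAINS) -> list:
    """Return (address, hostname) pairs that pin a watched domain, or a subdomain of one,
    to a non-loopback address. Loopback pins only block a site, so they are not reported."""
    watched = set(watched)
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; nothing to judge
        if ip.is_loopback:
            continue
        for name in names:
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in watched):
                hits.append((addr, host))
    return hits


def live_scutil_dns() -> str:
    """Run `scutil --dns` on the local Mac; returns '' where scutil is not available."""
    try:
        return subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    print("constructed sample, resolvers not on allowlist:", unexpected_resolvers(SAMPLE_SCUTIL))
    print("constructed sample, hosts pins of watched domains:", suspicious_hosts_entries(SAMPLE_HOSTS))
    live = live_scutil_dns()
    if live:
        print("this machine, resolvers not on allowlist:", unexpected_resolvers(live))
```

Resolvers configured by DHCP will show up as "unexpected" unless they are added to the allowlist, so the useful workflow is to record the resolver set once on a known-good machine and diff against it later; a dimmed, unremovable entry in the Network preferences is exactly the case where the text output of `scutil --dns` is more trustworthy than the GUI.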
I don’t see how this “trojan” is harmful in any way? It’s an app written that you have to download, open and then AUTHENTICATE yourself.
That could be done by anyone.
There’s nothing new here. People just made up a story because this was found on a porn site, therefore making it more “alarming” to the newbs.
It’s also a good opportunity to make some easy headlines, and money from ads, as any “MAC VIRUS” article will generate lots of clicks.
Yeah, well, uhm, that’s the definition of a Trojan. Something that poses as Glorious Application A, but is in fact Malware B. The fact that it requires social engineering is, well, more or less a given when it comes to Trojans.
Yeah, this article will make us all rich. Maybe we can replace the company DB9 with a DBS after the massive wealth coming our way from this very article!
Hey! Maybe you could even get a rack of them Xserves! And a free mini for every reader! That would be grand!
Isn’t this exactly what a Trojan is supposed to protect you from?
Is this a Web 2.0 trojan written using Ajax “technology”? I was really hoping to take advantage of this synergistic paradigm.
– chrish
Does anyone know if this trojan affects PPC Macs?
Ha, good point…
It was worth investing in the PPC Mac mini after all…
Why wouldn’t it? It doesn’t rely on any flaws specific to the x86 build of OS X.
I really personally am not a fan of AV software because it harms the performance of your machine all the time to solve a problem that happens only some of the time (namely, when you’re installing new programs). And the purveyors of AV sell fear, which makes people even more irrational about computers.
After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open “Safe” Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.
Leopard won’t automatically execute this package by default. In fact it will tell you at first execution “You downloaded this program from the internet, do you still want to execute it?” What more do you want? If a user wants to run a program, who is the OS to prevent him from doing that?