Mac Malware - The Definitive Thread

krs · Dec 9th, 2008, 04:46 PM

I thought it would be useful to summarize all known existing Mac malware in one thread and keep it up to date as new malware is discovered or security updates released to address existing malware issues.

I define malware very broadly - anything that can compromise the Mac and is delivered or downloaded using any one of Apples applications even if the user has to install and run it.

Excluded would be malware that depends "social engineering type" malware like phishing attempts.

I think a thread like that would be most useful to newcomers to the Mac, but would also help veteran Mac users - right now the Mac malware discussion always seems to start in some thread that's totally unrelated to malware initially like this one for example:

Sell my Woman a MacBook

Let me start by listing the five "malware" links that were posted in that thread just recently - perhaps people who are familiar with those "Mac threads" can comment on them and also post other known Mac malware.

Leap-A (aka: OS X/Oomp-A, aka: Oompa-Loompa)

Typical report:
First ever virus for Mac OS X discovered

Comment:
Leap-A is not and was not a virus. There is a difference. Story is deliberately misheadlined (notice the source)

Better information: New MacOS X trojan/virus alert - Ambrosia Software Web Board

In summary:

	Quote:
	You cannot be infected by this unless you do all of the following: 1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file 2) Double-click on the file to decompress it 3) Double-click on the resulting file to "open" it ...and then for non-Admin users, it fails to infect most applications. You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it. A few important points -- This should probably be classified as a Trojan, not a virus, because it doesn't self-propagate externally (though it could arguably be called a very non-virulent virus) -- It does not exploit any security holes; rather it uses "social engineering" to get the user to launch it on their system -- If you're not running as an admin user, it will silently fail to infect most applications -- It doesn't actually do anything other than attempt to propagate itself via iChat, and then only via Bonjour! (aka "Rendezvous) -- it does not sent itself over the Internet, rather just to your local Bonjour user list -- It has a bug in the code that prevents it from working as intended, which has the side-effect of preventing infected applications from launching -- It's not particularly sophisticated --I'd really be tempted to call this thing a non-event; it's poorly written, can't spread beyond your local network, is unlikely to infect anything on most machines, and needs user interaction to do anything at all--

Fixed in Security Update: Not applicable, social engineering malware

--------------------------------------

YouTube - os x virus
Flash virus that you have to install

Need more info on this

---------------------------------

OSX.RSPlug.A

Typical report:
Mac OS malware targets porn surfers | Apple - CNET News

	Quote:
	OSX.RSPlug.A is malware best described as a Trojan horse. OSX.RSPlug.A disguises itself as a video codec that would ensure whatever porn video you just stumbled upon will play on your Mac. But to get infected with the malware, you have to 1. accept the invitation to download "new version of codec," 2. open up the .dmg (disk image) file, 3. click the installer.pkg file, and 4. enter your administrator's password Once infected, the malware changes your DNS settings to hijack Web traffic and redirect it to phishing sites or ads for porn. And you still won't get to watch the video. If you're running Tiger, you might never realize how you were infected, but Leopard's Advanced Network preferences will at least let you recognize that the DNS servers have been changed. You'll be unable to change them back without going through a lengthy process detailed by Macworld's Rob Griffiths.

Fixed in Security Update: Not applicable, social engineering malware

------------------------------------------

Trojan using AppleScript THT

Typical report:
Mac OS X Trojan reported in the wild | Defense in Depth - CNET News

	Quote:
	On 19 June 2008, security vendor SecureMac reported seeing new variants of AppleScript.THT Trojan horse in the wild affecting users of Mac OS X 10.4 and 10.5. The new variations exploit a vulnerability within the Apple Remote Desktop Agent, and can avoid detection by opening ports in the firewall and turning off system logging. The new Trojans can log keystrokes, take screen shots, take pictures with the Apple iSight camera, and enable file sharing, according to SecureMac. The Trojans are using an AppleScript called ASthtv05 and/or may be bundled as an application. You must download and execute the file for your Mac OS X system to become infected.

Fixed in Security Update: Not applicable, social engineering malware

-------------------

F-Secure Malware Information Pages: Trojan:OSX/DNSChanger
DNS Changer

kb244 · Dec 9th, 2008, 04:48 PM

I sense a hint of sour grapes.

krs · Dec 9th, 2008, 05:04 PM

	Quote:			Originally Posted by kb244
	I sense a hint of sour grapes.

No clue what you're talking about.

When I looked at the first "malware" link that was posted, it goes back to Feb. 2006.
My question would be - was what was described then really correct (I have read over and over again that in many cases when Mac malware was initially reported it was only half the story) and secondly - is this "malware" (after it has been identified correctly) still a threat today, and (hopefully), perhaps someone knows which Security update eliminated the threat assuming it was there in the first place.

I really have no idea where the "sour grapes" comes from and don't really want an explanation.

But if you can contribute and post more Mac malware, or comment and update us on the five items listed above - please be my guest.

That's what this thread is for.

broken_g3 · Dec 9th, 2008, 09:54 PM

Hahaha! All you fools on OS X! You have a grand total of 14 viruses! that can destroy your system and livelihoods!

No, seriously, you've got like nothing to contend with... especially verus Windows' 114,000 viruses.

The only Mac OS Classic virus I've ever seen was one that played the Butcher's line from Diablo every time the computer would start up. Every time the desktop finished loading, as sound would go "Ahhhhhh... Fresh Meat". I still haven't discovered what it is...

chas_m · Dec 10th, 2008, 06:40 AM

I realise you are not responsible for the headline in that first "virus" report, but it's not really a virus. Neither is the second one. This should be noted.

Better information on Leap-A:
New MacOS X trojan/virus alert - Ambrosia Software Web Board

So, while it's true there is malware out there for OS X, to date a brief summary of the available information might be:

There's really nothing out there you need concern yourself with. Don't install any packages that you don't know what they are and you'll be fine. No viruses, still. If they ever turn up, you'll hear about it from legit Mac news sources or this forum LONG before you have even a remote chance of suffering from it.

EvanPitts · Dec 10th, 2008, 07:06 AM

	Quote:			Originally Posted by broken_g3
	You have a grand total of 14 viruses!* that can destroy your system and livelihoods! No, seriously, you've got like nothing to contend with... especially verus Windows' 114,000 viruses.*

And that's just viruses - the Windoze universe went over the million mark a few months ago when it comes to trojans and malware that are in active circulation. Not only that, logging onto a web site or reading an e-mail can easily trash a Windoze system. OSX users are so retrograde, what, with the three Codec cum trojans in circulation, and a few obscure ways that specially written viruses can trash OSX through virtualizers like VMFusion. There is just not enough excitement for the OSX user in this regard.

G-Mo · Dec 10th, 2008, 07:21 AM

I listed these previously here...

a little over a year ago (Halloween 2007) there was an OS X Trojan:

New Apple Trojan Means Mac Hunting Season Is Open

Mac Users Get A Credit Card Stealing Trojan for Halloween, Security Company Reports | Threat Level from Wired.com

Trojan targets Mac users - SC Magazine US
Intego Security Memo

Then there were two issues earlier this year, rogue application MacSweeper in January (2008):
Security reseacher issues warns against rogue MacSweeper | News Blog - CNET News

And trojan application Imunizator in March (2008)
http://www.informationweek.com/blog/...er_trojan.html

And the AppleScript.THT trojan this summer (June 2008):
AppleScript.THT Trojan Horse - Mac OS X Trojan Horse

mc3251 · Dec 10th, 2008, 09:58 AM

	Quote:
	And that's just viruses - the Windoze universe went over the million mark a few months ago when it comes to trojans and malware that are in active circulation. Not only that, logging onto a web site or reading an e-mail can easily trash a Windoze system

GOOD LORD!! Why do so many threads on this board wind up being about the "I hate Windows" soapbox. This is so tiring, honestly.

I totally get that this is a Mac site, and that lots of folks on it hate Windows, but do we have to keep hearing about it again and again? If you really hate Windows so much, then why are you renting it time in your head?

Could we please talk about something else?

Someone should start a sticky thread called I Hate Windoze, Bill Gates, and the Microsoft Evil Empire. Or, perhaps we could have an Everything I hate about Windoze, Eh? Subforum.

krs · Dec 10th, 2008, 10:16 AM

	Quote:			Originally Posted by mc3251
	GOOD LORD!! Why do so many threads on this board wind up being about the "I hate Windows" soapbox. This is so tiring, honestly.

Where do you read "I hate Windows" in this thread?

All I see is a comment about how much exists for Windows compared to that "14 virus" number for the Mac which is just a joke.

Anyway - this is not intended to be a OS X vs Windows thread - all I want to do is to get the true story about each one of the OS X malware reports people dig up everytime this subject comes up.
I'm interested in that and so are many newcomers to the Mac.

If you have something to contribute on that subject, please do - I will try to summarize everything relevant that's posted and keep updating the first post.

krs · Dec 10th, 2008, 10:34 AM

I just updated the first post with the type of infromation I would like to collect on each one of these OS X malware threats.

Any comments on the information and the format?

Dec 9th, 2008, 04:48 PM	#2
kb244 Honourable Citizen Join Date: Apr 2002 Location: Michigan, US Posts: 1,666	I sense a hint of sour grapes. __________________ -Karl Blessing http://www.karlblessing.com iPodTouchAnswers.com

Dec 10th, 2008, 06:40 AM	#5
chas_m Honourable Citizen Join Date: Dec 2007 Location: Victoria BC Posts: 11,323	I realise you are not responsible for the headline in that first "virus" report, but it's not really a virus. Neither is the second one. This should be noted. Better information on Leap-A: New MacOS X trojan/virus alert - Ambrosia Software Web Board So, while it's true there is malware out there for OS X, to date a brief summary of the available information might be: There's really nothing out there you need concern yourself with. Don't install any packages that you don't know what they are and you'll be fine. No viruses, still. If they ever turn up, you'll hear about it from legit Mac news sources or this forum LONG before you have even a remote chance of suffering from it. __________________ Cheers chas_m Evangelist, ACDSee Pro for Mac: Get the beta! Join the community! Help us build the next great Mac photo manager! Our life in Victoria BC • Music blog • My Podcast • Film blog Victoria Macintosh Users Group

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
First builds of Apple's Mac OS X 10.5.2 Leopard Update due shortly	Ottawaman	Anything Mac	3	Dec 18th, 2007 10:05 PM
Good quality Mac games are seriously lacking.	Lars	Anything Mac	44	Apr 16th, 2007 12:42 AM
My specs for a Mac Apple should make	Phoboga	Anything Mac	14	Aug 13th, 2006 01:12 PM

Dec 9th, 2008, 09:54 PM	#4
broken_g3 Full Citizen Join Date: Jun 2008 Location: London, Ontario Posts: 918	Hahaha! All you fools on OS X! You have a grand total of 14 viruses! that can destroy your system and livelihoods! No, seriously, you've got like nothing to contend with... especially verus Windows' 114,000 viruses. The only Mac OS Classic virus I've ever seen was one that played the Butcher's line from Diablo every time the computer would start up. Every time the desktop finished loading, as sound would go "Ahhhhhh... Fresh Meat". I still haven't discovered what it is...

Dec 10th, 2008, 07:21 AM	#7
G-Mo Honourable Citizen Join Date: Sep 2007 Location: Toronto Posts: 1,657	I listed these previously here... a little over a year ago (Halloween 2007) there was an OS X Trojan: New Apple Trojan Means Mac Hunting Season Is Open Mac Users Get A Credit Card Stealing Trojan for Halloween, Security Company Reports \| Threat Level from Wired.com Trojan targets Mac users - SC Magazine US Intego Security Memo Then there were two issues earlier this year, rogue application MacSweeper in January (2008): Security reseacher issues warns against rogue MacSweeper \| News Blog - CNET News And trojan application Imunizator in March (2008) http://www.informationweek.com/blog/...er_trojan.html And the AppleScript.THT trojan this summer (June 2008): AppleScript.THT Trojan Horse - Mac OS X Trojan Horse

Dec 10th, 2008, 10:34 AM	#10
krs Honourable Citizen Join Date: Mar 2005 Location: Belleville, Ontario Posts: 5,973	I just updated the first post with the type of infromation I would like to collect on each one of these OS X malware threats. Any comments on the information and the format?