Mac Malware - The Definitive Thread - ehMac.ca
Old Dec 9th, 2008, 04:46 PM   #1
krs
Honourable Citizen
 
Join Date: Mar 2005
Location: Ontario and Quebec
Posts: 9,103
Mac Malware - The Definitive Thread

I thought it would be useful to summarize all known existing Mac malware in one thread and keep it up to date as new malware is discovered or security updates released to address existing malware issues.

I define malware very broadly - anything that can compromise the Mac and is delivered or downloaded using any one of Apple's applications, even if the user has to install and run it.

Excluded would be malware that depends on "social engineering", like phishing attempts.

I think a thread like that would be most useful to newcomers to the Mac, but would also help veteran Mac users - right now the Mac malware discussion always seems to start in some thread that's totally unrelated to malware initially like this one for example:

http://www.ehmac.ca/anything-mac/719...n-macbook.html

Let me start by listing the five "malware" links that were posted in that thread just recently - perhaps people who are familiar with those "Mac threads" can comment on them and also post other known Mac malware.



Leap-A (aka: OS X/Oomp-A, aka: Oompa-Loompa)

Typical report:
First ever virus for Mac OS X discovered

Comment:
Leap-A is not and was not a virus. There is a difference. Story is deliberately misheadlined (notice the source)

Better information: New MacOS X trojan/virus alert - Ambrosia Software Web Board

In summary:
Quote:
You cannot be infected by this unless you do all of the following:

1) Are somehow sent (via email, iChat, etc.) or download the "latestpics.tgz" file
2) Double-click on the file to decompress it
3) Double-click on the resulting file to "open" it
...and then for non-Admin users, it fails to infect most applications.

You cannot simply "catch" the virus. Even if someone does send you the "latestpics.tgz" file, you cannot be infected unless you unarchive the file, and then open it.

A few important points

-- This should probably be classified as a Trojan, not a virus, because it doesn't self-propagate externally (though it could arguably be called a very non-virulent virus)
-- It does not exploit any security holes; rather it uses "social engineering" to get the user to launch it on their system
-- If you're not running as an admin user, it will silently fail to infect most applications
-- It doesn't actually do anything other than attempt to propagate itself via iChat, and then only via Bonjour! (aka "Rendezvous") -- it does not send itself over the Internet, rather just to your local Bonjour user list
-- It has a bug in the code that prevents it from working as intended, which has the side-effect of preventing infected applications from launching
-- It's not particularly sophisticated
--I'd really be tempted to call this thing a non-event; it's poorly written, can't spread beyond your local network, is unlikely to infect anything on most machines, and needs user interaction to do anything at all--
Fixed in Security Update: Not applicable, social engineering malware

--------------------------------------

YouTube - os x virus
Flash virus that you have to install

Need more info on this

---------------------------------


OSX.RSPlug.A

Typical report:
Mac OS malware targets porn surfers | Apple - CNET News

Quote:
OSX.RSPlug.A is malware best described as a Trojan horse. OSX.RSPlug.A disguises itself as a video codec that would ensure whatever porn video you just stumbled upon will play on your Mac.

But to get infected with the malware, you have to
1. accept the invitation to download "new version of codec,"
2. open up the .dmg (disk image) file,
3. click the installer.pkg file, and
4. enter your administrator's password

Once infected, the malware changes your DNS settings to hijack Web traffic and redirect it to phishing sites or ads for porn. And you still won't get to watch the video.

If you're running Tiger, you might never realize how you were infected, but Leopard's Advanced Network preferences will at least let you recognize that the DNS servers have been changed. You'll be unable to change them back without going through a lengthy process detailed by Macworld's Rob Griffiths.
Fixed in Security Update: Not applicable, social engineering malware

------------------------------------------


Trojan using AppleScript THT

Typical report:
Mac OS X Trojan reported in the wild | Defense in Depth - CNET News

Quote:
On 19 June 2008, security vendor SecureMac reported seeing new variants of AppleScript.THT Trojan horse in the wild affecting users of Mac OS X 10.4 and 10.5.

The new variations exploit a vulnerability within the Apple Remote Desktop Agent, and can avoid detection by opening ports in the firewall and turning off system logging. The new Trojans can log keystrokes, take screen shots, take pictures with the Apple iSight camera, and enable file sharing, according to SecureMac.

The Trojans are using an AppleScript called ASthtv05 and/or may be bundled as an application. You must download and execute the file for your Mac OS X system to become infected.
Fixed in Security Update: Not applicable, social engineering malware

-------------------

F-Secure Malware Information Pages: Trojan:OSX/DNSChanger
DNS Changer

Last edited by krs; Dec 12th, 2008 at 07:32 PM.
-- krs
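The RSPlug description above says the Trojan rewrites the Mac's DNS settings and that, on Leopard, the Network preferences pane is where you would notice it. A scripted version of that check, added here as an example (not code from the thread or from any of the vendors it quotes): it parses the output of `scutil --dns`, assuming the "resolver #N" / "nameserver[i] : address" line layout that command prints, and reports any resolver address not in an allowlist you maintain. The sample output is constructed for the example; 198.51.100.7 is a documentation-range address standing in for a server the owner never configured.

```python
"""Flag unexpected DNS resolvers in a Mac's network configuration.

Added example for this thread, not code from the thread or from the vendors
it quotes. Assumes the line layout of `scutil --dns` output; the sample text
below is constructed.
"""
import re
import subprocess
from typing import Dict, List, Set

# Constructed sample of `scutil --dns` output: resolver #1 lists the local
# router (expected) and one server the owner did not set (198.51.100.7).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : example.lan
  nameserver[0] : 192.168.1.1
  nameserver[1] : 198.51.100.7
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
"""

RESOLVER_RE = re.compile(r"^resolver #(\d+)")
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def parse_scutil_dns(text: str) -> Dict[int, List[str]]:
    """Map each resolver number to the nameservers listed under it."""
    resolvers: Dict[int, List[str]] = {}
    current = None
    for line in text.splitlines():
        header = RESOLVER_RE.match(line)
        if header:
            current = int(header.group(1))
            resolvers[current] = []
            continue
        server = NAMESERVER_RE.match(line)
        if server and current is not None:
            resolvers[current].append(server.group(1))
    return resolvers


def find_unexpected_servers(resolvers: Dict[int, List[str]],
                            allowlist: Set[str]) -> Dict[int, List[str]]:
    """Return {resolver: [servers not in allowlist]} for resolvers that have any."""
    flagged: Dict[int, List[str]] = {}
    for number, servers in resolvers.items():
        bad = [s for s in servers if s not in allowlist]
        if bad:
            flagged[number] = bad
    return flagged


def check_this_mac(allowlist: Set[str]) -> Dict[int, List[str]]:
    """Run scutil on the local machine (macOS only) and flag unexpected servers."""
    output = subprocess.run(["scutil", "--dns"], capture_output=True,
                            text=True, check=True).stdout
    return find_unexpected_servers(parse_scutil_dns(output), allowlist)


if __name__ == "__main__":
    # The allowlist is whatever you or your network actually configured;
    # here it is the constructed router address from the sample.
    expected = {"192.168.1.1"}
    flagged = find_unexpected_servers(parse_scutil_dns(SAMPLE_SCUTIL_DNS), expected)
    for number, servers in flagged.items():
        print(f"resolver #{number} uses unexpected DNS server(s): {', '.join(servers)}")
```

On a real Mac, call `check_this_mac({...})` with the resolver addresses you expect (your router, or your ISP's or company's servers); an empty result means every configured resolver is one you chose, while any flagged address is worth comparing against the DNS settings in Network preferences before trusting the machine's name resolution.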
Old Dec 9th, 2008, 04:48 PM   #2
 
Join Date: Apr 2002
Posts: 1,662
I sense a hint of sour grapes.
-- kb244
Old Dec 9th, 2008, 05:04 PM   #3
krs
Honourable Citizen
 
Join Date: Mar 2005
Location: Ontario and Quebec
Posts: 9,103
Quote:
Originally Posted by kb244 View Post
I sense a hint of sour grapes.
No clue what you're talking about.

When I looked at the first "malware" link that was posted, it goes back to Feb. 2006.
My question would be - was what was described then really correct (I have read over and over again that in many cases when Mac malware was initially reported it was only half the story) and secondly - is this "malware" (after it has been identified correctly) still a threat today, and (hopefully), perhaps someone knows which Security update eliminated the threat assuming it was there in the first place.

I really have no idea where the "sour grapes" comes from and don't really want an explanation.

But if you can contribute and post more Mac malware, or comment and update us on the five items listed above - please be my guest.

That's what this thread is for.
-- krs
 
Old Dec 9th, 2008, 09:54 PM   #4
Full Citizen
 
Join Date: Jun 2008
Location: London, Ontario
Posts: 942
Hahaha! All you fools on OS X! You have a grand total of 14 viruses that can destroy your system and livelihoods! No, seriously, you've got like nothing to contend with... especially versus Windows' 114,000 viruses.

The only Mac OS Classic virus I've ever seen was one that played the Butcher's line from Diablo every time the computer would start up. Every time the desktop finished loading, a sound would go "Ahhhhhh... Fresh Meat". I still haven't discovered what it is...
-- broken_g3
Old Dec 10th, 2008, 06:40 AM   #5
Honourable Citizen
 
Join Date: Dec 2007
Location: Victoria BC
Posts: 11,953
I realise you are not responsible for the headline in that first "virus" report, but it's not really a virus. Neither is the second one. This should be noted.

Better information on Leap-A:
New MacOS X trojan/virus alert - Ambrosia Software Web Board

So, while it's true there is malware out there for OS X, to date a brief summary of the available information might be:

There's really nothing out there you need concern yourself with. Don't install any packages that you don't know what they are and you'll be fine. No viruses, still. If they ever turn up, you'll hear about it from legit Mac news sources or this forum LONG before you have even a remote chance of suffering from it.
-- chas_m
Old Dec 10th, 2008, 07:06 AM   #6
Honourable Citizen
 
Join Date: Mar 2007
Location: Hamilton, ON
Posts: 6,427
Quote:
Originally Posted by broken_g3 View Post
You have a grand total of 14 viruses that can destroy your system and livelihoods! No, seriously, you've got like nothing to contend with... especially versus Windows' 114,000 viruses.
And that's just viruses - the Windoze universe went over the million mark a few months ago when it comes to trojans and malware that are in active circulation. Not only that, logging onto a web site or reading an e-mail can easily trash a Windoze system. OSX users are so retrograde, what, with the three Codec cum trojans in circulation, and a few obscure ways that specially written viruses can trash OSX through virtualizers like VMFusion. There is just not enough excitement for the OSX user in this regard.
-- EvanPitts
Old Dec 10th, 2008, 07:21 AM   #7
Apple Certified
 
Join Date: Sep 2007
Location: Auckland
Posts: 2,726
I listed these previously here...

a little over a year ago (Halloween 2007) there was an OS X Trojan:

New Apple Trojan Means Mac Hunting Season Is Open

Mac Users Get A Credit Card Stealing Trojan for Halloween, Security Company Reports | Threat Level from Wired.com

Trojan targets Mac users - SC Magazine US
Intego Security Memo

Then there were two issues earlier this year, rogue application MacSweeper in January (2008):
Security researcher issues warns against rogue MacSweeper | News Blog - CNET News

And trojan application Imunizator in March (2008)
http://www.informationweek.com/blog/...er_trojan.html

And the AppleScript.THT trojan this summer (June 2008):
AppleScript.THT Trojan Horse - Mac OS X Trojan Horse
-- G-Mo
Old Dec 10th, 2008, 09:58 AM   #8
Unreasonably Happy Man
 
Join Date: Sep 2007
Location: Victoria
Posts: 1,059
Quote:
And that's just viruses - the Windoze universe went over the million mark a few months ago when it comes to trojans and malware that are in active circulation. Not only that, logging onto a web site or reading an e-mail can easily trash a Windoze system
GOOD LORD!! Why do so many threads on this board wind up being about the "I hate Windows" soapbox? This is so tiring, honestly.

I totally get that this is a Mac site, and that lots of folks on it hate Windows, but do we have to keep hearing about it again and again? If you really hate Windows so much, then why are you renting it time in your head?

Could we please talk about something else?

Someone should start a sticky thread called I Hate Windoze, Bill Gates, and the Microsoft Evil Empire. Or, perhaps we could have an Everything I hate about Windoze, Eh? Subforum.
-- mc3251
Old Dec 10th, 2008, 10:16 AM   #9
krs
Honourable Citizen
 
Join Date: Mar 2005
Location: Ontario and Quebec
Posts: 9,103
Quote:
Originally Posted by mc3251 View Post
GOOD LORD!! Why do so many threads on this board wind up being about the "I hate Windows" soapbox. This is so tiring, honestly.
Where do you read "I hate Windows" in this thread?

All I see is a comment about how much exists for Windows compared to that "14 virus" number for the Mac which is just a joke.

Anyway - this is not intended to be an OS X vs Windows thread - all I want to do is to get the true story about each one of the OS X malware reports people dig up every time this subject comes up.
I'm interested in that and so are many newcomers to the Mac.

If you have something to contribute on that subject, please do - I will try to summarize everything relevant that's posted and keep updating the first post.
-- krs
Old Dec 10th, 2008, 10:34 AM   #10
krs
Honourable Citizen
 
Join Date: Mar 2005
Location: Ontario and Quebec
Posts: 9,103
I just updated the first post with the type of information I would like to collect on each one of these OS X malware threats.

Any comments on the information and the format?
-- krs