New OS X “Trojan” In the Wild
By Daniel Miessler on November 1st, 2007: Tagged as Apple | OS X | Security

A new “trojan” has been identified by Intego that enables phishing attacks to take place against Mac users. But before you get too worried, let’s take a look at how it works.
- Go to a malicious site.
- Get prompted to install software.
- Choose to install it.
- Put in your admin password when it asks for it.
- Get pwned.
So basically a hostile, unknown website asks you to install software on your system with elevated privileges, and if you willfully go through the entire install process (including entering your administrator password) something bad will happen.
Scary.
In other news, if someone sends you an email that says to run sudo rm -rf / on the command line (and enter your admin password when it asks you to) — don’t do it. Interesting attack method — send someone malicious software and ask them to install it as administrator. The defense? Don’t install it.
Make no mistake — this is not the same kind of threat that we’ve faced in Windows over the years. That threat is very specifically the drive-by installation of software without the user knowing or having a chance to stop it.
In summary, this social-engineering-based attack requires a high level of interaction and it will have very little impact on the Mac user community.



This is something that I think is kind of worrisome. It is my opinion that the weakest link of any computer system is the end user. There is absolutely nothing to stop someone from writing a virus or trojan for Mac or Linux that runs off of no exploits. All the attacker has to do is convince the user to put their password in to the gksudo box. This is how most Windows attacks work that I’ve seen. They weren’t drive-bys or worms. They were the user intentionally downloading and installing what was mailed to them or what came in the form of a pop-up. The only defence against such an attack is something like what Vista is leaning to, where the OS dictates what can and cannot be installed, not the EU.
Comment by Maxo — 11/1/2007 @ 12:21 pm
Actually, Daniel, if it installed “on the sly” like most windows malware, it wouldn’t actually be a trojan.
I think trojans are the ballziest of the malware types, because the attacker has to convince the victim that it’s a useful (or otherwise harmless) piece of software.
Comment by Tim F. — 11/1/2007 @ 12:47 pm
Still, nice try at fear-mongering; Microsoft rumor mill!
Comment by Ian — 11/1/2007 @ 4:05 pm
As a Windows user for a number of years, I must say that most virii are pretty simple to avoid. “Download this to get that” Whoa, this is too good to be true! I must download! Sorry, it’s just coincidence that many idiots use Windows, so many idiots get infected. As the old adage goes: There is no cure for stupid.
Comment by Robert — 11/1/2007 @ 4:09 pm
based on the representative sample of my parents’ computers, i would guess this is pretty much the same way that windows PCs get infected. people download things they shouldn’t because they’re manipulated by social engineering :)
Comment by optimuscrime — 11/1/2007 @ 4:10 pm
I don’t quite get the quotes around “trojan”. What you have described is a trojan on a windows or mac pc.
- You get a program that you think you want
- You install it
- It isn’t what you wanted, it’s a virus
That’s a trojan. Are you thinking of the word ‘worm’ and thinking it’s the same thing?
Comment by Graham Robinson — 11/1/2007 @ 4:14 pm
I love the “Windows Rumor Mill” vs. “Mac Spinning” debates. The fact of the matter is that viruses get installed when the end user screws up. Don’t patch Windows via auto-updates? Virus.
99% of Windows viruses come either from an e-mail attachment or from some sort of “shady” download (pirated software).
What I really find funny is that Mac ads poke fun at Windows (Vista, specifically) for asking for passwords while installing software, and then touts the same feature as being the reason they don’t get viruses. UAC only protects from viruses if the user is smart enough to know what they’re installing.
Comment by Foetus — 11/1/2007 @ 4:16 pm
This is exactly how most Windows Trojans and malware get installed. Unaware user used to being safe and clicking dialogs without reading. Click, click, type, you’re compromised. It has little to do with system security and all to do with the number of malicious programs. This is just the first in what will be a growing line of Mac malware. It’s just inevitable.
Comment by Jesse — 11/1/2007 @ 4:18 pm
I read the original story the other day and rolled my eyes. In what way does this suggest a security flaw with the O.S.? Slim odds. Anyone dumb enough to play along has got to be a windoze user. (in which case drive-by installations are required, otherwise the victim will sit for hours clicking the wrong button).
Comment by Stu — 11/1/2007 @ 4:19 pm
reminds me of this old joke that circulated for a while, where you are informed that “your PC is infected by a virus. please formate C to proceed” ;)
Comment by snusket — 11/1/2007 @ 4:31 pm
Stu, as more and more people get sucked into the *NIX world with n00b friendly Linux distros (like Ubuntu) and OSX then you will see it has nothing to do with Windows, just uninformed (and yes sometimes stupid) users.
As the population increases, the hackers will try new attack vectors. Eventually we’ll have a devastating attack; however, I have confidence that this community will react more quickly than Microsoft has to similar threats (which exist in far too many forms).
Comment by Chris — 11/1/2007 @ 4:43 pm
“As more and more people get sucked into the *NIX world with n00b friendly Linux distros (like Ubuntu) and OSX then you will see it has nothing to do with Windows, just uninformed (and yes sometimes stupid) users.”
When people talk about OS security they often forget to talk about the user awareness (knowledge) and the attack cleverness factors… which should be considered seriously.
Comment by John — 11/1/2007 @ 4:55 pm
[...] the drive-by installation of software without the user knowing or having a chance to stop it.read more | digg [...]
Pingback by dblog-Tech News And Other Humorous And Frightening Things From Around The Web — 11/1/2007 @ 4:59 pm
A trojan is a trojan, no matter the OS.
There are lots of Windows users who get sucked into installing hostile software the exact same way.
I think that the threat to the OSX population might be very real, because a lot of very unskilled users are switching from Windows to Mac because they believe that ‘there’s no viruses or stuff for mac’.
Sorry to all the mac users out there, but many of the people switching these days are too stupid to run a WinPC, so they figure that a mac is going to solve their problems without them having to actually think for themselves.
I echo the comment stated earlier, there is no cure for stupid.
Comment by Ted — 11/1/2007 @ 5:05 pm
While it may be true that the user must install this virus, it is what it is… a virus specifically for the Mac. The trojans and viruses for Macs will only grow in numbers as time goes by.
Comment by Andrew — 11/1/2007 @ 5:11 pm
just to make this correct, sudo would require the user password not the administrator password. I don’t think I’d fall for either, but the user password would be easier to get out of most users.
Comment by newend — 11/1/2007 @ 5:16 pm
@ newend: Uh… maybe I’m just really ill-informed… but I believe the SU in “SUDO” is SuperUser. AKA: Root. Aka: Administrator.
Comment by Foetus — 11/1/2007 @ 5:26 pm
Just to chime in on the ‘too stupid, has to be a windoze user’ thing. It’s only last week that I came into a colleague’s office (academic and life-long Mac user) only to be asked ‘which version of Windows am I using?’. She was trying to install an old Canon printer that never had any Mac drivers and reading the manual’s instructions. I’ve also seen people store their documents in the trash on 7.1 because that’s how you eject a diskette. Sorry, but Mac users can be just as dumb as Win users. After all, isn’t it a boast of MacOS that it’s easier to use for beginners?
Comment by Dominik — 11/1/2007 @ 5:34 pm
@newend
Must be an interesting version of the Mac OS you’re running. I’ve never seen SUDO ask for anything other than the root/admin password.
And from what I’ve seen this is a feature protecting Macs, unlike the UAC in Vista, which I’ve seen pop up for properly signed software it shouldn’t have come up for. The Vista UAC comes up enough that you automatically hit yes to whatever; the Mac equivalent shows up rarely enough to be taken seriously and be useful.
Comment by Ix — 11/1/2007 @ 5:36 pm
@Foetus: “su” would require the administrator password as it elevates you to the specified user (default root) for the command. “sudo” requires the user’s password and relies on the administrator setting the limits of what each user is allowed to do in a configuration file (/etc/sudoers) before elevating you to superuser state.
Alex
Comment by penwing — 11/1/2007 @ 5:40 pm
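The policy lookup penwing describes (sudo authenticates the invoking user with that user’s own password, then consults /etc/sudoers to decide what the user may run as root, and whether a password is needed at all) is easiest to see in a small audit script. The following is an added example written for this page; it is not code from the commenter, from the sudo project, or from Apple. It parses a constructed, deliberately simplified sudoers file (user specifications only: no aliases, #include lines, wildcards, negated commands or host matching) and reports which principals can run anything as root and whether a password prompt stands between them and that.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample sudoers content for the demo; not taken from any real system.
SAMPLE_SUDOERS = """\
# Comment lines and Defaults entries are ignored by this simplified parser.
Defaults env_reset

root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
alice   ALL=(root) /usr/sbin/installer, /usr/bin/pkgutil
bob     ALL=(ALL) NOPASSWD: /usr/local/bin/backup.sh
"""

# Simplified user specification:  user  host = (runas) [NOPASSWD:|PASSWD:] cmd1, cmd2 ...
USER_SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>.+)$"
)


@dataclass
class SudoRule:
    user: str            # a user name, or %group for a group
    host: str
    runas: List[str]     # target users; ["ALL"] means any
    nopasswd: bool       # True when the NOPASSWD: tag is present
    commands: List[str]  # absolute paths, or ["ALL"]


def parse_sudoers(text: str) -> List[SudoRule]:
    """Parse user specifications from a simplified sudoers file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = USER_SPEC_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds").strip()
        nopasswd = False
        tag = re.match(r"(NOPASSWD|PASSWD)\s*:\s*(.*)", cmds)
        if tag:
            nopasswd = tag.group(1) == "NOPASSWD"
            cmds = tag.group(2)
        # When the (runas) part is omitted, sudo defaults the target user to root.
        runas = m.group("runas")
        runas_list = [u.strip() for u in runas.split(",")] if runas else ["root"]
        rules.append(SudoRule(
            user=m.group("user"),
            host=m.group("host"),
            runas=runas_list,
            nopasswd=nopasswd,
            commands=[c.strip() for c in cmds.split(",") if c.strip()],
        ))
    return rules


def can_run(rules: List[SudoRule], user: str, groups: List[str],
            command: str, target: str = "root") -> Tuple[bool, Optional[bool]]:
    """Return (allowed, password_required) for one request.

    sudo applies the last matching entry, so the list is scanned in reverse.
    """
    for r in reversed(rules):
        principal_ok = r.user == user or (r.user.startswith("%") and r.user[1:] in groups)
        runas_ok = "ALL" in r.runas or target in r.runas
        cmd_ok = "ALL" in r.commands or command in r.commands
        if principal_ok and runas_ok and cmd_ok:
            return True, not r.nopasswd
    return False, None


def audit(rules: List[SudoRule]) -> List[Tuple[str, str, str]]:
    """Flag the entries a reviewer should look at first."""
    findings = []
    for r in rules:
        if "ALL" in r.commands and r.nopasswd:
            findings.append((r.user, "HIGH", "any command as root, no password prompt"))
        elif "ALL" in r.commands:
            findings.append((r.user, "MEDIUM", "any command as root after entering own password"))
        elif r.nopasswd:
            findings.append((r.user, "LOW", "no password for: " + ", ".join(r.commands)))
    return findings


if __name__ == "__main__":
    policy = parse_sudoers(SAMPLE_SUDOERS)
    for who, severity, note in audit(policy):
        print(f"{severity:6} {who:8} {note}")
    print(can_run(policy, "alice", [], "/usr/sbin/installer"))  # (True, True)
```

The two functions separate the two questions that get mixed up in the thread: can_run answers "is this user permitted to run this command as root, and will sudo prompt for the user’s own password first?", while audit answers the defender’s question of which entries hand out root without a prompt. On a stock macOS install every administrator is in the admin group, so the %admin line is the one that matters for the install-with-admin-password scenario in the post.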
@Dominik
Mac is easy for beginners, however no OS is perfect, and there was a period of time where Mac lost sight of proper usability. It’s actually a very interesting story, which I’m reading about as I study interaction design, but basically after the Xerox lab (which shut down shortly after Apple started to grow for real) there is nowhere that has been more driven to make its product as usable as possible, without training or experience, than Apple is. Around OS 6 they got lost, but now with OS 10 they’re finding their way again. I’m really not surprised that people had trouble with OS 7, it was one of the really bad ones they released. Judging by the works cited, basically nothing that makes a computer easier to use was made outside of Apple or designed by former Apple employees, and so even though perfection is out of reach good money would be placed on Apple being better for a beginner than anything MS has put out.
Comment by Ix — 11/1/2007 @ 5:44 pm
[...] Here’s a new one at DMiessler. And a good explanation for the major difference between this kind of threat for OS X and viruses [...]
Pingback by in medias res » The first OS X virus? — 11/1/2007 @ 5:56 pm
I honestly think that some people believe you aren’t being whimsical.
Comment by Corey — 11/1/2007 @ 6:08 pm
@newend you must be talking about the ever-so-perfect Ubuntu, that has every user be root with only their user password… I bet my cat could break a default install of it. Or is OSX similar?
Comment by Hekos — 11/1/2007 @ 6:17 pm
@Hekos: The user that is created at login is the only one that has the same password as root. After install you can create other users, and you can make some of them admins (I can’t remember what Ubuntu calls them), but it has two other profiles with much less privileges that have names that someone who doesn’t know what they are doing would be likely to choose. So the user who doesn’t know much about security is more likely to choose the less privileged profile when creating additional logins for their family or whomever.
Comment by Maxo — 11/1/2007 @ 6:44 pm
I hope there are more viruses on the mac soon! - that way stupid mac users will realise that they are backward after all.
Comment by Greg — 11/1/2007 @ 6:54 pm
“it will have very little impact on the Mac user community.” Ironically, that statement emphasizes why it could be wrong. Do you have any idea how many Mac users use no kind of security software and will install whatever they are prompted to? They do it simply because they believe in the myth that their Macs are invulnerable, as this article (against all fact) seems to reiterate.
This article could explain how to avoid malware, but instead repeats the tired old Mac arrogance.
Comment by Bob — 11/1/2007 @ 7:02 pm
Missed a few steps:
First off, why is the only information for this “Trojan” on a PC Anti-Virus site? Are there any other references to this “Trojan”?
Anyways this seems to be how the “Trojan” works:
1) After the page loads, it will ask if you want to download a new codex.
2) User has to click download at that point.
3) The user has to have checked Open “Safe” Files After Downloading in Safari’s General preferences sometime before this (not a normal setting) for it to launch anything.
4) Then the user has to click on ok in the Install codex. (Unless #3 is on, go to 7.)
5) Then a disk image (.dmg) file automatically downloads to the user’s Mac.
6) The disc image will need to be double clicked to mount the image.
7) A user would have to double click on the installer app.
8) You will need to provide your ADMINISTRATOR password for it to install.
9) Bingo! You have infected your Mac with the “Trojan”.
Now a normal person would just visit another site.
Comment by John J — 11/1/2007 @ 7:23 pm
I love this statement:
“Sorry to all the mac users out there, but many of the people switching these days are too stupid to run a WinPC, so they figure that a mac is going to solve their problems without them having to actually think for themselves.
I echo the comment stated earlier, there is no cure for stupid.”
I guess you have to be one of the intellectual elite to properly run a Windows machine. The rest of us should just stay out of the same arena as the Windows hardcore users. We are not worthy.
Comment by Steve Employments — 11/1/2007 @ 7:48 pm
Ok, here is a question: how hard is it to wrap a “real program” around it and then have the person needing the app run it and see that OSX wants the admin password? Frankly, it’s very easy.
How many shareware, freeware, open source programs do you install in a given period of time? How many times does it ask you for admin rights to install? (99.999999% of the time.) How many times have you parsed through the app to see what it is really doing? (.00000005% of the time.)
Being smug is foolish
Comment by Ed — 11/1/2007 @ 7:48 pm
[...] Source via Dmiessler.com [...]
Pingback by New OS X “Trojan” In the Wild — 11/1/2007 @ 7:49 pm
trojan
adjective 1. of or relating to the ancient city of Troy or its inhabitants; “Trojan cities”
noun 1. a native of ancient Troy 2. a program that appears desirable but actually contains something harmful; “the contents of a trojan can be a virus or a worm”; “when he downloaded the free game it turned out to be a trojan horse”
It appears to fit the definition, no quotes necessary. By the way, I pulled the definition from Dictionary.com.
Comment by damien hunter — 11/1/2007 @ 8:28 pm
This will probably have very little proliferation, not due to the relatively small number of Macs out there, but because most clueless noob users, the type who would typically fall for such a trick, are probably unaware of the password they created when they set up their system. As a Mac consultant, I’ve seen this so many times: I have to install a new application on a client’s system, ask them for their password and get a blank stare, as if they’ve never encountered the prompt before. Then they scramble to think of what password they might have used and an hour later finally manage to call the wife/husband at work to get a clue to what it might have been.
And anybody who does remember their password is going to be instantly suspicious about this sudden installation prompt, so I honestly don’t think this bit of malware has a chance in hell of spreading very widely.
Cheers
Comment by elbowgeek — 11/1/2007 @ 10:05 pm
I’m certainly not an expert on trojans or other attacks, but even if a Mac user allows an app to download and install by accepting it and entering his password, that app is not running under the ‘root’ account, it’s running under that user’s account. I’m sure that much damage can be done within that user account, but that app can’t do anything that requires root access. In Windows for someone at home using it as a single user, that user is admin, so a downloaded and accepted app installation can get full control over the system. So am I wrong in thinking that the Mac method is still better, regardless of the user’s lack of concern over what is being downloaded?
Comment by Bill — 11/1/2007 @ 10:10 pm
” 2. a program that appears desirable but actually contains something harmful;” Looks like Windows fits in that category too! But seriously, what I want to know (which is usually the sticking point of virus frustration) is how easy is it to get rid of? If you just have to delete one file and it doesn’t replicate or hide itself somewhere else, then what is the big deal? Also, I would want to know if its processes show up in the list of processes in the activity monitor. If they do then it would be easy to kill and dispose of this crap.
Comment by Peter — 11/1/2007 @ 10:26 pm
Better still, create an Automator app “Clear All Files” running the shell script
rm -fr /
Send it to all OSX Users…
hehehe :)
Comment by hoyanf — 11/1/2007 @ 11:20 pm
[...] New OS X “Trojan” In the Wild [dmiessler.com] via [digg] av Mikael Svärdh | Webb, Program, Apple | Trackback | RSS-feed [...]
Pingback by OS X ‘trojanen’ — 11/1/2007 @ 11:28 pm
It’s not important how you define it, a Trojan or Virus, the point is that it exists.
On another note:
It’s not important how you define it, a Trojan or Virus, the point is that it finally exists!
Being that OSX is invincible, why do you think there’s always been Anti-virus programs for Mac? Not to mention up until OSX.RSPlug.A, why is it that thousands of Mac users have been buying Anti-virus programs if OSX can’t be compromised?
I appreciate your “Honest” comments. :)
Comment by filemanager.exe — 11/5/2007 @ 3:40 am
Anti Virus on MAC was/is not a matter of protecting yourself but one of preventing yourself from becoming a distributor of a virus or any other malicious script/binary.
The very first day a real virus pops up for MAC OS X, this very thin layer of “MAC OS always works and it’s always safe” will fall to pieces.
Comment by SadPanda — 11/6/2007 @ 8:35 am
I just want to back to end-user view.
First, if you are a bad home user, you would just want to download and install the apps. How often do you open the command prompt to install a program? Also, I rarely open my terminal to do sudo things.
Second, the password is asked (mostly) for installing system apps. Most programs are only copy and run.
Comment by Saya — 11/6/2007 @ 10:40 pm
[...] dmiessler.com | New OS X “Trojan” In the Wild A new “trojan” has been identified by Intego that enables phishing attacks to take place against Mac users. But before you get too worried, let’s take a look at how it works. [...]
Pingback by Byte Into It - 7 Nov 07 « Byte Into It - Computing and new technology — 11/7/2007 @ 9:32 am
The one thing I have learned at my job is that kids (K-12) can ruin an O.S. (Windows or Macintosh) in a matter of weeks. Thus proving the ignorance theory. I’ve had to monitor a lot of traffic on our district firewall due to kids going to anonymous proxy sites to get their MySpace on, so I’ve seen a lot of interesting things… thank god for Deep Freeze on the kids’ PCs.
Comment by dylan — 11/7/2007 @ 7:56 pm
SO NOTHING TO WORRY ABOUT, MALICIOUS SITES THAT PROMPT YOU TO INSTALL SOFTWARE…. C’MON, NOBODY IS THAT DUMB TO DO SO.
Comment by BERT — 12/22/2007 @ 2:16 am