Site Network: | | Jongsma & Jongsma

Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at S?nnet Beskerming.

Username: | Password: Contact us to request an account

(Not the) First OS X Malware Spreading in the Wild

In the words of many Windows antimalware developers, OS X users can feel a little less smug about their security after a new piece of OS X malware was discovered circulating on various fake codec sites. As would be expected, this news is beginning to receive fairly widespread coverage across the Internet, though more coverage has been received in recent days on arguments about whether the Leopard firewall is fundamentally flawed or not (probably not).

Much like its Windows brethren (the Zlob family of trojans), the OS X version of Puper (currently dubbed OSX.RSPlug.A) initially appears as a download link that encourages the user to download a new QuickTime codec to view the video (usually porn) that the user has tried to view. If the unfortunate user follows the link, they find that a .dmg file is downloaded which, when opened and the package within run, will find that an application called 'MacCodec' installs itself (with appropriate prompting for the Administrator's password) on their system. Although at this stage the malware has full access to the system and can do anything it wants, all it does is install a DNS Changer that changes where DNS queries are sent - to a set of servers that the malware authors control. The result of this is that the malware authors are able to silently redirect queries for websites to anything they want. The example most often given is redirecting queries for to a phishing site. As far as the user is concerned, renders as normal and the URL is correct.

According to Intego, the company responsible for finding the trojan, the malware installs a cron job that checks every 60 seconds to make sure that the redirected DNS records are still in place - and if not, to replace them. Probably of most interest with the report of the malware is that on systems prior to OS X 10.5, it is not possible to readily identify from the GUI that the DNS queries are being redirected.

Despite claims that OS X will become a stronger target for attack with greater popularity, and that it is just as porous as the other major Operating Systems, this still marks one of the very few pieces of malware available for OS X. With the several steps required for infection (Download -> Mount .dmg file [may be automated with some browsers] -> Double click package -> Supply Administrator account password -> Be infected), observers will have to wait for some time to see how the infection rates for this malware compare with those for the Windows fake codec equivalents (that also require at least a couple of user steps). Assuming that OS X users are equivalent to Windows users in terms of susceptibility to infections that require user involvement, it should be that infection rates are proportionally equivalent.

This is also not the first piece of malware that has targeted OS X, as some have claimed, with at least one 'in the wild' trojan having been seen before. If your resident 'Mac guru' isn't aware of Inqtana (POC) or Leap (POC + in the wild), you need a better Mac guru. Claims by some 'security experts' that OS X is the new Windows 98 as far as security goes remain to be proven, though it has been six years and counting since OS X was first released.

Antimalware providers are slowly updating their systems to identify and remove this malware, but it is important that users are aware of the risks if they are prompted to download and install extra QuickTime codecs. Linux users will be just as susceptible to infection from this type of trojan, as it uses simple shell programming to achieve its goals of infection. It could be said that Linux users are more susceptible, due to the varied multimedia codec support that many distros have, but they are generally more suspicious of randomly downloaded software demanding Administrator / root access to their systems.

If nothing else, it shows again that it is the drive to view adult entertainment products that is helping push technology forward (though not necessarily in a good way).

1 November 2007

Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis

Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.

Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.

Comments will soon be available for registered users.