What a Mac malware attack looks like

Summary: Remember last month when I showed you a malware attack that was targeting Google Chrome users? In a follow-up post, I wondered whether Macs would be far behind. Today I found one such attack, in the wild, that directly targets Mac users. Here are the screens to prove it.

Well, that didn’t take long.

After I posted my analysis of why the time is right for bad guys to begin attacking the Mac in earnest, I heard from two readers who had encountered in-the-wild attacks on Macs in their respective workplaces. In both cases, the results showed up via Google Image Search. (This is an increasingly common source of malware, as security researcher Brian Krebs points out in a well-timed blog post today.)

I was able to duplicate these results and encountered an identical attempt from this same campaign to convince me to install a rather nasty Trojan on a Mac. (Sophos has an analysis of what this particular species does.) I uploaded the sample—a Mac installer package in a Zip file—to Virustotal.com, which confirmed that it is indeed the same code.

Remember last month when I showed you a malware attack that was targeting Google Chrome users? In a follow-up post, I wondered whether Macs would be far behind. They aren’t.

I just did a search for radioactive tsunami waves on Google and then clicked the Images button. On the second page of search results, I found one that looked legit:

When I clicked it on a PC, it redirected me to a fake AV screen that mimicked a Windows security screen. But when I did the same search on a Mac, clicking the poisoned image took me to this page:

This campaign is obviously preying on the fears of recent Mac converts and less experienced users, who might believe that their Mac really is infected. From there, the page tried to convince me to install the program using the same set of social engineering tricks that this sort of attack employs on a Windows PC.

Interestingly, just as on a PC, Firefox showed me a download prompt and asked me whether I wanted to save the file or not. Google Chrome downloaded the dangerous file automatically without any prompts and saved it in my Downloads folder.
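One way to check a suspect page for this kind of platform-dependent redirect, as an added example that is not the author's tooling and not code from the campaign: fetch it several times with different User-Agent headers and a Google Images referer, then compare where each request ends up and what it receives. The host names, the User-Agent strings and the stand-in redirector that lets the script run offline are all constructed assumptions for illustration.

```python
"""Differential fetch: does a suspect URL serve different content to
different platforms?  Fake-AV redirectors of this kind typically key on
the User-Agent header.  Example code added to this article; it is not
the author's tooling.  Host names and User-Agent strings are constructed."""
import hashlib
import urllib.request
from urllib.error import URLError

# Constructed User-Agent strings: one Windows browser, one Mac browser,
# one crawler.  The exact values are illustrative, not copied from any client.
USER_AGENTS = {
    "windows": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/100.0 Safari/537.36",
    "mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6) AppleWebKit/537.36 Chrome/100.0 Safari/537.36",
    "crawler": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}


def live_fetch(url, user_agent, referer=None, timeout=10):
    """Fetch `url` with the given User-Agent, following redirects.
    Returns (final_url, headers dict, body bytes).  Run this only from an
    isolated VM: the whole point is that the page may serve malware."""
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), dict(resp.headers), resp.read()


def probe(url, fetch=live_fetch, referer="https://www.google.com/imgres"):
    """Fetch `url` once per platform and summarise what each one got.
    The SHA-256 is what you would look up on VirusTotal instead of
    re-uploading the payload."""
    results = {}
    for name, ua in USER_AGENTS.items():
        try:
            final_url, headers, body = fetch(url, ua, referer)
        except (URLError, OSError) as exc:
            results[name] = {"error": str(exc)}
            continue
        results[name] = {
            "final_url": final_url,
            "content_type": headers.get("Content-Type", ""),
            "disposition": headers.get("Content-Disposition", ""),
            "sha256": hashlib.sha256(body).hexdigest(),
            "size": len(body),
        }
    return results


def is_cloaked(results):
    """True when at least two platforms received different content."""
    fingerprints = {
        (r["final_url"], r["sha256"]) for r in results.values() if "error" not in r
    }
    return len(fingerprints) > 1


# Constructed stand-in for the poisoned page so the script runs offline:
# a redirector that picks its landing page from the User-Agent and shows
# the crawler the innocuous content that got the image indexed.
def fake_redirector(url, user_agent, referer=None):
    if "Macintosh" in user_agent:
        return ("http://landing.example/mac/scan.html",
                {"Content-Type": "text/html"},
                b"<html>Your Mac is infected! Download protection now</html>")
    if "Googlebot" in user_agent:
        return (url, {"Content-Type": "text/html"},
                b"<html>radioactive tsunami waves</html>")
    return ("http://landing.example/win/scan.html",
            {"Content-Type": "text/html"},
            b"<html>Windows Security Alert! Download now</html>")


if __name__ == "__main__":
    report = probe("http://poisoned.example/image.html", fetch=fake_redirector)
    for platform, info in report.items():
        print(platform, info)
    print("cloaking detected:", is_cloaked(report))
```

Against a live page, call `probe(url)` with the default fetcher from a throwaway VM; a page that sends the crawler one thing and each browser platform another is the signature of exactly the campaign described above, and the per-platform hashes give you something to look up before deciding whether to upload a sample.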

It is easy to dismiss this as a crude attempt, and indeed, I don’t think many people are likely to fall for this attack. But dismissing this sample because it's not particularly well done is like dismissing an entire computing platform because of a single poorly written app.

It is possible that this particular poisoned page contained image files or script intended to exploit a known vulnerability in OS X. According to a 2010 Google study of search poisoning, 14% of all the compromised sites they saw included drive-by download attempts in addition to this sort of social engineering. If someone visits this page on a system that doesn’t include all recent updates for OS X and their browser, they could be extremely vulnerable.

And note that the bad guys get better over time. This attack might be crude, but that doesn’t mean the next one will be. I have seen some remarkably effective phishing attempts. In the hands of a skilled gang of thieves, this approach could cull out the weaker members of the Mac herd and create some genuine headaches for the friends or co-workers who have to provide emergency technical support.

Topics: Apple, Google, Hardware, Malware, Security

About

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications. He has served as editor of the U.S. edition of PC Computing and managing editor of PC World; both publications had monthly paid circulation in excess of 1 million during his tenure. He is the a...
