What a Mac malware attack looks like

Summary: Remember last month when I showed you a malware attack that was targeting Google Chrome users? In a follow-up post, I wondered whether Macs would be far behind. Today I found one such attack, in the wild, that directly targets Mac users. Here are the screens to prove it.

Well, that didn’t take long.

After I posted my analysis of why the time is right for bad guys to begin attacking the Mac in earnest, I heard from two readers who had encountered in-the-wild attacks on Macs in their respective workplaces. In both cases, the results showed up via Google Image Search. (This is an increasingly common source of malware, as security researcher Brian Krebs points out in a well-timed blog post today.)

I was able to duplicate these results and encountered an identical attempt from this same campaign to convince me to install a rather nasty Trojan on a Mac. (Sophos has an analysis of what this particular species does.) I uploaded the sample—a Mac installer package in a Zip file—to Virustotal.com, which confirmed that it is indeed the same code.

Remember last month when I showed you a malware attack that was targeting Google Chrome users? In a follow-up post, I wondered whether Macs would be far behind. They aren’t.

I just did a search for radioactive tsunami waves on Google and then clicked the Images button. On the second page of search results, I found one that looked legit:

When I clicked it on a PC, it redirected me to a fake AV screen that mimicked a Windows security screen. But when I did the same search on a Mac, clicking the poisoned image took me to this page:

This campaign is obviously preying on the fears of recent Mac converts and technical unsophisticates, who might believe that their Mac really is infected. After that, it tried to convince me to install the program using the same set of social engineering tricks that this sort of attack employs on a Windows PC.

Interestingly, just as on a PC, Firefox showed me a download prompt and asked me whether I wanted to save the file or not. Google Chrome downloaded the dangerous file automatically without any prompts and saved it in my Downloads folder.
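
A defender's check for the situation described above, where a zip carrying a Mac installer package lands in the Downloads folder with no prompt. This is an added example, not part of the original article: it lists zip archives in a folder that contain installer packages, without extracting them, and returns each archive's SHA-256 for lookup on a scanning service. The function names, file names and sample archive are constructed for illustration.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# macOS installer packages: flat .pkg files and .mpkg bundles (directories).
INSTALLER_SUFFIXES = (".pkg", ".mpkg")


def installer_entries(zip_bytes):
    """Name the installer packages inside a zip without extracting anything."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            # A bundle is stored as a directory, so test every path component.
            for part in PurePosixPath(name).parts:
                if part.lower().endswith(INSTALLER_SUFFIXES):
                    found.add(part)
    return sorted(found)


def triage_downloads(folder):
    """Report each zip in `folder` that carries an installer, with its SHA-256."""
    report = {}
    for path in sorted(Path(folder).glob("*.zip")):
        data = path.read_bytes()
        try:
            entries = installer_entries(data)
        except zipfile.BadZipFile:
            continue  # named .zip but not a zip archive
        if entries:
            digest = hashlib.sha256(data).hexdigest()
            report[path.name] = {"sha256": digest, "installers": entries}
    return report


def build_sample_zip(names):
    """Constructed sample input: a zip of empty placeholder members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample_zip(["ExampleAV.mpkg/Contents/Info.plist"])
        Path(tmp, "sample-av.zip").write_bytes(sample)
        print(triage_downloads(tmp))
```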

It is easy to dismiss this as a crude attempt, and indeed, I don’t think many people are likely to fall for this attack. But dismissing this sample because it's not particularly well done is like dismissing an entire computing platform because of a single poorly written app.

It is possible that this particular poisoned page contained image files or script intended to exploit a known vulnerability in OS X. According to a 2010 Google study of search poisoning, 14% of all the compromised sites they saw included drive-by download attempts in addition to this sort of social engineering. If someone visits this page on a system that doesn’t include all recent updates for OS X and their browser, they could be extremely vulnerable.

And note that the bad guys get better over time. This attack might be crude, but that doesn’t mean the next one will be. I have seen some remarkably effective phishing attempts. In the hands of a skilled gang of thieves, this approach could cull out the weaker members of the Mac herd and create some genuine headaches for the friends or co-workers who have to provide emergency technical support.

Topics: Apple, Google, Hardware, Malware, Security

Talkback

262 comments
  • RE: What a Mac malware attack looks like

    Now the question becomes how many threats does it take for Gruber to admit that OS X isn't bulletproof?

    My guess: a lot.
    Rich Miles
    • RE: What a Mac malware attack looks like

      @Rich Miles

      There is no number, Gruber is so far up Jobs' backside he hasn't seen sunlight in a decade.
      rtk
      • RE: What a Mac malware attack looks like

        @rtk
        No doubt you've been down the other side.

        lol...
        blind obedience
      • RE: What a Mac malware attack looks like

        @rtk

        If I know my Mac has no viruses or trojans.

        Why would I trust a random pop up that suddenly pops up to tell me I have?

        Therefore I won't be entering my admin password to install anything.

        Besides I have Bing set as default and couldn't find that image, pretty neat, huh?

        http://www.bing.com/images/search?q=radioactive+tsunami+waves&qpvt=radioactive+tsunami+waves&FORM=Z7FD
        alsobannedfromzdnet
      • Again: the **reality** is 2 attacks on Macs against 40000 on PCs per week

        @rtk: Apple malware: 6 years of crying wolf: starting from at least 2004:

        Eric Hellweg, MIT Technology Review, October 2004: "Hackers Target Apple? Congratulations!":

        The Apple community has, since its inception, been largely immune to nefarious hackers bent on spreading harm. If you are a Windows user, as I am, you know the routine. You complain about the latest spyware or virus attack, and Apple devotees respond with good-natured teasing - they don't have worry about such nonsense. Well, now they do.

        Predictably, posts on various Apple-related message boards have been offering varying levels of concern, ranging from mild disappointment to utter gloom. I think this reaction is fundamentally misguided. MAC users should not be upset about this malware news; they should rejoice.

        Full list of these "doom and gloom" predictions that never stopped each year:
        http://daringfireball.net/2011/05/wolf
        DDERSSS
      • RE: What a Mac malware attack looks like

        @rtk - Straw man attack there. As Gruber points out, these hysterical hair-on-fire reports of imminent attacks on Macs are an annual event. Every year the dire warnings are issued, back to about 2004. Just like this one.

        And they have yet to materialize other than a few Trojans with weak attack vectors. ZERO viruses. (You do know the difference, right?) and yet Mac users, who do run anti-virus and malware checks regularly - such as myself - are the ones who are accused of being naive. Or sycophantic tools of Apple.

        It's pathetic, and proves people like yourselves are not interested in the facts.
        ewelch
      • There's a definite trend.

        @denisrs

        In 2004, there was only speculation. Since 2007, there have been more concrete reports of vulnerabilities and exploits. The first Mac botnet was reported in 2009. It's the difference between residents of a floodplain being told that there could be flooding and being told that floodwaters are rising and they should get some sandbags. Yet Gruber and his followers just keep insisting that the water could never reach their doorstep.

        @ewelch

        A Trojan is one delivery vector for malware, one subset of which is viruses. Do you know the difference between a virus and a worm? Probably not.
        Lester Young
      • RE: What a Mac malware attack looks like

        @denisrs "Again: the **reality** is 2 attacks on Macs against 40000 on PCs per week"

        Again: it only takes one.
        Badgered
      • "There's a definite trend."

        @Lester Young

        Yes, there is a very definite trend. It is the trend of MS Windows apologist drooling at the thought that OS X will have the same security issues that they have enjoyed for 2 decades.

        It has taken Ed, no doubt frantically searching, over a week to find this example of one of the most stupid trojan attempts I could even imagine.

        Further, this and even more sophisticated (read here "credible") exploits still require the user to agree to being exploited, just like Windows trojans.

        Having lived quite dry and happily in the flooded flood plain of Windows malware for over 20 years, I find your prognostications to be no longer amusing, but quite tiresome instead.

        Ed still keeps ignoring the most rapidly and ripening source of web traffic growth, namely tablets and smart phones sporting brand new OS systems, that the economics of malware profits will most likely target. That IS THE trend we should be watching for most closely, not this nonsense.

        I guess he hasn't yet bought one of these and is still trying to milk his Mac mini for every click he can get.
        jacarter3
      • RE: What a Mac malware attack looks like

        @rtk It always amuses me how the MS "community" seems to rejoice anytime a Mac or Linux "vulnerability" gets reported. As if an attack on Mac or Linux somehow justifies the fact that Windows is so "mistreated" by attackers.

        But hearing again the same old tirade about how Mac and Linux users falsely claim to be "immune", is no longer amusing. Linux and Mac users have never made that claim. What they do claim, with total justification, is to be "relatively immune". "Relative" to Windows, both are practically bulletproof.
        lewmur
      • RE: What a Mac malware attack looks like

        @jacarter3 Well, well, well... I was wondering where you had been to. I note that you did not refute anything Ed has said just attempted a misdirect as usual... you mac fanbois are taking this way too personally and coming up with excuses, insults, and FUD when the man is simply trying to warn you. And yet you cast stones while living in your straw house presenting straw man arguments. Whatever dude, I sincerely hope this does not happen to you but I have to admit I'd love to be a fly on the wall when it does so I can watch you blubber about it and ask why you didn't listen to Ed when you had the chance...
        athynz
      • I wish you could be a fly on the wall too

        @athynz

        then soon you would just be a fly speck on the wall.

        Seriously, what is it, exactly, that I am supposed to do about Ed's prediction that the sky is falling for Mac users?

        Sophos scans for Windows malware (thousands and thousands of them actually and these things that can't attack my Mac) and what very little Mac malware that might be known.

        It will not protect me from agreeing to install malware trojans just like Windows won't.

        As for Ed's very lame attempt to "demonstrate" that Mac malware exists in the wild. Well, sure it does just like it does for Windows. What's to refute about that? I did however find his example to be so completely lame that it defies any reasoned claim as a valid example.

        I also find your post and every other Windows apologists' post to be completely without merit or cause for any real concern regarding the "flood" of malware coming to the Mac.

        Why don't you worry instead about not getting your OS infected. It has the exact same vulnerability to malware that pretends to be something other than what it is and gets the user to agree to install it.

        If you have a smart phone, you might wish to start worrying about the flood of malware coming to it real soon too.
        jacarter3
      • RE: What a Mac malware attack looks like

        @rtk LMAO :D
        MrElectrifyer
      • Message has been deleted.

        MrElectrifyer
      • RE: What a Mac malware attack looks like

        @rtk that's pretty weak.

        @Lester Young :

        Please, PLEASE point me to the post, and post, where John Gruber states that there will Never be a threat to Mac OS / OS X!

        Your comment that Gruber and his followers insist that the "waters could never reach their doorsteps" is accusing just that--that people believe it's impossible? Please, show me a single example of what you accuse.
        lelandhendrix@...
      • RE: What a Mac malware attack looks like

        It's amazing how reading posts like this wake me up being a Mac user, as I have easily fallen into that trap of "I'm a Mac, I'm safe" - which clearly is not the case nowadays, and really does make me have to think about a lot of things, as I work on my Mac 24/7 and it's my tool for an income - so really has opened up my eyes.

        Regards the Flash talk, I nowadays don't have it running on my Mac, like people have said about using it with Chrome for those needs, to me it's just slowing my day to day activities with glaucoma symptoms it just becomes a pain in the butt.. reading now about it has security risks has just made me not wanna even run it in the lesser times that I "have" to use it. For me, websites nowadays should all take in the fact that HTML5 is here and is going to remove Flash totally from the need to even have Flash on a website - that you want to be interactive (of course including the goodness of CSS3).

        I think by the sounds of it in terms of Flash - don't use it, you really don't have to, and enjoy life that HTML5 is bringing to our great industry for the users and developers of course, and this improving the risk of infections to our Macs
        deanouk
    • RE: What a Mac malware attack looks like

      @Rich Miles My question is, with Apple's update schedule, how long will it be before they start patching these holes? Will they start going to a patch Tuesday like M$? And how will this affect Apple trying to enter the enterprise?
      nickdangerthirdi@...
      • RE: What a Mac malware attack looks like

        @nickdangerthirdi@...

        This isn't a hole. It is a web page that asks the user to install the Trojan. You are reacting like this is an automatic piece of malware, like you are used to on Windows. It isn't.

        The proper approach to take would be for Apple to enable the BSD user/admin model that is there under all the glitz. But, that might make the Apple users have to think. It'll never happen.
        YetAnotherBob
      • Message has been deleted.

        banned from zdnet