DNS-changing Trojan opens Mac OS X floodgates

DNS-changing Trojan opens Mac OS X floodgates

Summary: Guest Editorial by Gadi Evron "The Mac is going main-stream" is just one of the catch-phrases that we've seen in the past two weeks when reading about the Trojan horse infecting Apple Mac OS X users. This attack has created a lot of controversy in the security realm.


Guest Editorial by Gadi Evron

Mac Trojan editorial - Gadi Evron"The Mac is going main-stream" is just one of the catch-phrases that we've seen in the past two weeks when reading about the Trojan horse infecting Apple Mac OS X users. This attack has created a lot of controversy in the security realm. What's so special about this Trojan horse that everybody is so jazzed up about it? What risk are Apple users facing and is the world going to end?

Today, most Trojan horses allow an attacker to control the infected computer remotely (over the Internet) and do whatever he or she pleases, as if it was their own, from stealing web site credentials and identities to popping the CD tray open or using the now compromised computer for more attacks. They "own" that computer.

While in the past Trojan horses were considered few, mostly used in targeted attacks if at all (anti-virus experts refused to even acknowledge the need for their software to detect these), in the past decade they became widespread. In fact, the vast majority of all malware seen today is, at least in part, a Trojan horse.

[ SEE: Mac Attack: Porn video lures dropping DNS-changer Trojan ]

This Trojan horse attacking Apple users is far from special. It hijacks DNS -- when you access domain name for known sites such as Google, it will redirect you instead to a malicious web site where further exploitation or fraud can be done. It accomplishes infection by what security experts call Social Engineering. When going to a pornographic web page, the user will be asked to download a codec in order to view a video. In turn, he or she will be asked to approve its installation using their administrator password. Then (and only then) will they be infected.

This method of infection isn't sophisticated and it makes us think only complete fools would fall for it. Isn't downloading a new codec to be able to view a video of any sort sound very reasonable? It is something most of us would immediately approve of without a thought? We have to remember most computer users are not technically savvy or aware of security risks. Also, let's be honest, when it comes to porn we are all fools.

User infections happen in many different ways, but the three main ones are a malicious attachment in e-mail, a fake or compromised infectious web site and network scanning. Of these, we can reach a relatively high level of security in e-mail by not opening attachments and using spam filtering and an (updated) anti virus, we can avoid being attached via network scanning by using a firewall and making sure our operating system (say, Windows as an example) is up to date with all updates and patches installed.

[ SEE: Can you really trust your security vendor? ]

Surfing the web is a problem as although exploits are used to infect us through the web browser (some of which we can defend against by using an up-to-date browser with a fully patched operating system), a lot of these attacks are done -- successfully -- by the very same social engineering trick.

Next -->

The bad guys, or more to the point, the cyber-criminals, use rings of thousands of web sites to infect as many people as they can. They collect statistics on what operating systems and browsers site visitors are using, what exploit was successful in attacking them (if one is used), what language were their browsers set to, etc. This way they can maximize their revenue by being as in touch with their target victim population as they can be.

In the past, although constantly under attack by security experts for their lax security policies, Apple OS X users were far more secure than Microsoft users using Windows. Although OS X has security features Windows (up to Vista) did not have, such as users not running as administrator, this supposed immunity is mainly due to past public attacks against the Mac being mostly theoretical, a proof-of-concept of sorts. Times have changed, and Apple now uses x86 CPUs (same as Windows), which makes writing malicious software for its OS X operating system that much simpler. Obscurity can no longer protect Mac users.

[ SEE: Researchers pooh-pooh Mac OS X Leopard security ]

In this new Trojan horse attack, although no inherent software vulnerability was exploited, it was committed by a cyber-criminal group that simply added the Mac to their victim pool. If we were to enter the same malicious web sites from a Windows computer (using a Windows browser User-Agent) we would be served with a Windows Trojan horse instead of an OS X one.

People are falling for social engineering schemes, daily, hourly, if not by the minute, no matter what operating system they use.

But, that is not what's significant about this attack. What's significant is that criminal elements now target Mac users, and once that flood-gate is open, there is no going back.

Apple has a history of unpatched software vulnerabilities that if the history of Windows tells us anything, can potentially later on be utilized to attack its clients. Most Mac users do not run anti-virus software. Without going into the tech-religious debate whether Mac users are smarter than the average user (which I believe to be silly) it is clear that they will be targeted from now on as these criminal elements have revenue goals to meet.

At the very least many of Apple's users have a sense of security with the operating system they use, false or otherwise, they do not expect attacks. In this regard I'd go as far as to compare OS X to Windows 98: "OS X is the new Windows 98". OS X has better security and doesn't let users run as Admin -- it is a superior operating system. Why then do I make such a crude comparison? The eco-system of unpatched vulnerabilities, criminal elements targeting an unwitting user population are comparable to what used to happen with Microsoft users back when Windows 98 came out. The one main difference is the backlog of unpatched vulnerabilities Apple needs to cope with.

Security for a corporation is a business process with business decisions. Although, stuck in my niche, I am far from happy with some of Apple's choices in regard to security in the past; I can't ignore the business validity of these same choices. Investing in security when there is no commercial incentive is not financially smart. That being said, the lesson Apple is now going to learn is that not investing in security ahead of time means the losses are much higher than they could have been.

From a technical security perspective this Trojan horse attack is nothing special. From a business perspective it means upcoming losses and from an operation security perspective it means it's now Apple season.

The world is not going to end; the Sun will in fact rise tomorrow. That does not mean Apple's day has not come -- as far as the underground economy is concerned. The next two years are going to be interesting.

* Gadi Evron is Security Architect for Afilias global registry services and recognized globally for his work and leadership in Internet security operations. He is the founder of the Zero-Day Emergency Response Team (ZERT), organizes and chairs worldwide conferences, working groups and task forces. He is considered an expert on corporate security and counterespionage, botnets, e-fraud and phishing.

Topics: Operating Systems, Apple, Browser, Hardware, Malware, Security, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • It doesn't self-propagate and a user can't be "infected" simply by...

    It doesn't self-propagate and a user can't be "infected" simply by visiting the website.

    In short, the trojan is going nowhere.
    • Completely missing the point

      The point is not that malware writers have managed to push code onto the Mac OS. It is that they are actually bothered about trying.

      Yes this is a particularly weak attempt in terms of its ability to be prevented by the user, however it probably also required very little effort on their part to create in the first place.

      It is the very fact that they even created it that is the important point. It signals that a least one bunch of malware producers are now interested in attacking Macs.
      • You have a point, but I have my concerns...

        You have a point, but I have my concerns that only Integro knew about it, and only Integro has a virus definition for it.

        I'd be real money they made it and gave it to those people, or at the very least, told them how to do it. It'd be a win/win situation. It's like Symantec releasing proof-of-concept exploits and trying to scare people into buying their software.

        Incidentally, none of those companies are worth a dime. Their software is bulky, requires a huge memory footprint, and take up too much of your CPU for something that should be a relatively simple task.

        If anyone has to buy antivirus software for their Mac, you should get Sophos. It's a little more expensive than Symantec, McAfee, or Integro, but more importantly, you won't even know it's running unless it catches something. THAT is how an antivirus should work, not popping up stupid dialogs every 3 seconds with blinking animations and alarm sounds just because I attached a USB drive.
      • This is not the first attempt.

        "It is that they are actually bothered about trying."

        They have been 'bothered about trying' for a long time. This isn't the first attempt at a social-engineering attack. This isn't even the first SUCCESSFUL attempt. There have been malware authors "interested in attacking Macs" for some time.

        It sounds like you're trying to imply that "now the Mac has made it" we're going to get the same flood of exploits that Windows has suffered. It's possible, but unlikely... Windows didn't suffer from floods of exploits until 1997, when Microsoft changed the way Internet Explorer worked with "Active Desktop". Before Active Desktop, it was almost entirely social-engineering exploits. After that, remote code execution attacks were the norm.
        • If I have the story right...

          The Apple ][ had the very first virus,
        • Not the point

          The past "attacks" you refer to have already been mentioned. But apparently you didn't read the article thoroughly. Most of these attacks were merely Proof of Concept (PoC) attacks. The DNS-changing Trojan is not; it's In the Wild (ItW). The first ItW Mac attack was in February of last year: http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html

          What you also might not have read is that Windows Vista has tighter security than OS-X. And apparently Leopard is actually less secure than Tiger was, since they decided to disable the firewall by default. As it were, social engineering is all that works on Vista to my knowledge.

          If cybercriminals start to panic because Windows is shutting them out, they'll look for the largest platform with exploitable vulnerabilities, then hit it with full force. And since Apple has been less than proactive in patching known vulnerabilities, and most Mac users aren't any more proactive (they don't even think they need antivirus, the bad guys already know what to aim for. Have fun!
      • Right

        "The point is not that malware writers have managed to push code onto the Mac OS.
        It is that they are actually bothered about trying."

        And to a group that has been conditioned to not have to worry about malware on
        their platform.

        The challenge is to educate Mac users without the pain windows users went through
        before learning (some at least) not to open every attachment or activeX component.
        Richard Flude
    • It is exactly that complacency ....

      ... that will be Apple users downfall. The article is a wake up call. Ignore it at your own peril!
      • No amount of security can protect against social engineering...

        No amount of security can protect against social engineering. The OS could be 100% secure and include the best anti-spyware and anti-virus software, but no matter of security can protect against stupid.
        • You are correct!

          The only way to stop these attacks would be to deny users Admin access. If the OS
          X box was in a corporate setting and the user had no access to Admin this malware
          would be a non-issue.

          Should Microsoft and Apple take the route Apple tried with the iPhone and close it
          so tight that nothing can be altered? What flak would they take for such a closed

          As a side point does this actually fit the term Trojan? It is not hidden in a legit
          piece of software. Trojans usually are hidden in legit application installers such as
          in the old days when Gator and Weather Bug were side-car installed with
          supposedly free games. Or worse yet installers for things like Photoshop
          downloaded from file sharing sites that have been altered to install various back-
          doors and virii, Malware installed via Social engineering will continue to be a
          problem for users that have Admin access and little to no understanding of the
          risks that are out in the world. Social Malware will always be a few steps ahead of
          any antivirus or spyware dat files and once one gets on like Virtumondo that turns
          off firewalls, antivirus software and hijacks the Hosts file, resets system restore and
          injects itself into Spybot and Adaware it is game over for that user without going to
          the trouble of a wipe and reinstall. Although Virtumondo, Zlob and Smitfraud can
          be cleaned it is time consuming and needs a deeper understanding of the OS that is
          infected than most home users command and you can never be sure of a totally
          secure system after the hijacking has occurred
        • You got that right

          As long as software can be installed, so can malicious software. The real problem is that average users don't have good judgment. Some of them are just naive, or think the only thing they need is antivirus. They know nothing about keeping it or any other program up to date, and neglect antispyware, firewall, and other available layers of security. The rest are addicted to porn and file sharing, and don't use a sandbox.

          Funny; I was watching this stand up the other night. The guy says you can get a face lift, you can get a tummy tuck, you can get implants, you can get a hearing aid, you can dye your hair, etc. But you can't fix stupid.
        • How true

          I am a technician and just cleaned my first Vista machine. The PC is 3 weeks old had McAfee running. Internet history had links to Utube and Porn vids. The malware got through IE security, Vista security and McAfee security all were granted permission to install. McAfee had it in the allow list...Now I installed Haute Secure and the user will have to type the scrabled graphic key to get it installed. One more layer of protection. A good rule of thumb, "It is not always ok to click ok".
          Uncle Buck
          • "Uncle Buck"

            Why was the user running as Admin? I would have created a plain old user level account for him to surf his porn with.
        • [b]True that![/b]

          Its like in the ancient days. When the enemy could not break inside the fortified city, he fooled the insiders to open for him (e.g Troy).

          The same principle is being used today by intruders. If they can't get in they fool you to open for them. Security eventually rests much on a user's common sense.
        • With the 'Cult of Mac'

          maybe they should have had people click on a video of 'the cool one' - Jobs launching a new product - I don't think pr0n means too much to most Mac users
          Paul Fletcher
  • Pure nonsense

    This is a story with no substance...just sensationalism.

    The user has to go through a series of overt steps to install the trojan which creates a DNS cache poison.

    It's not a scenario that I am concerned about because you have to make the decision to install and 'trust' that what you install is legitimate.

    This not the same as exploits which transparently install trojans onto [url=http://uncyclopedia.org/wiki/Windows]Windows[/url] based machines totally unbeknownst to the user! Good Gawd Yaw!

    At least with [url=http://uncyclopedia.org/wiki/Linux]Linux[/url], buffer overruns get nowhere if you run your Firefox session in an [url=http://en.wikipedia.org/wiki/Apparmor]AppArmor [/url] 'sandbox'. Stopped cold.

    Thanks for the FUD factor but [url=http://uncyclopedia.org/wiki/Mac]Mac[/ur] and Linux users don't buy into it.

    There is nothing to stop people from doing stupid things.

    I've surreptitiously inserted references back to Uncyclopedia to keep everyone on all sides in a 'good humor'.

    Habbaguhday! :)
    D T Schmitz
    • look i can...

      ... link to Unecyclopedia.com in my argument, further fortifying my position as someone who is seriously arguing with some maturity.
      • all your computer are belong to us

        D T Schmitz
    • look i can...

      ... link to Unecyclopedia.com in my argument, further fortifying my position as someone who is seriously arguing with some maturity.

      It was really badly placed, and not all that funny, because the MS$ references are OVERUSED. Even I laughed at them the first couple times. Now its just irritating
      • Oh come on, you're just saying that...

        D T Schmitz