Mac OS X malware posing as fake video codec discovered

Summary: Researchers from ParetoLogic are reporting on a newly discovered Mac OS X malware variant posing as a fake video ActiveX object found at a bogus Macintosh PornTube site. The use of fake video codecs is a social engineering tactic that until now has been used exclusively by malware targeting Windows, and seeing it used in a Mac OS X-based malware attack proves that successful social engineering approaches remain OS independent.

Researchers from ParetoLogic are reporting on a newly discovered Mac OS X malware variant posing as a fake video ActiveX object found at a bogus Macintosh PornTube site.

The use of fake video codecs is a social engineering tactic that until now has been used exclusively by malware targeting Windows, and seeing it used in a Mac OS X-based malware attack proves that successful social engineering approaches remain OS independent.

Prior to ParetoLogic's sample, SophosLabs appears to have received an email from the author of last month's discovered OSX/Tored-A sample, allowing them to add generic detection for any upcoming releases.

Here are some of the PornTube templates used in the social engineering attack, a description of the malware, as well as the descriptive filenames used in some of the campaigns:

OSX/Jahlav-C is described as:

"OSX/Jahlav-C is a Trojan created for the Mac OS X operating system. The initial malicious installer is distributed as a missing Video ActiveX Object.

As part of the installation a malicious shell script file, AdobeFlash, is created in the /Library/Internet Plug-Ins folder and set up to periodically run. The script contains another shell script in an encoded format, which in turn contains a Perl script with the main malicious payload. The Perl script uses HTTP to communicate with a remote website and download code supplied by the attacker."

The campaign is also using descriptive filenames such as HDTVPlayerv3.5.dmg, VideoCodec.dmg, FlashPlayer.dmg, MacTubePlayer.dmg, macvideo.dmg, License.v.3.413.dmg, play-video.dmg and QuickTime.dmg.
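The quoted description gives a defender two concrete host indicators (a shell script dropped as AdobeFlash in /Library/Internet Plug-Ins and set to run periodically), and the paragraph above adds the disk image names the campaign shipped under. The POSIX shell script below is an added example, not code from the article, from Sophos or from ParetoLogic. It assumes the periodic execution is a cron entry (the description only says "periodically run"), and it takes the plug-ins directory, crontab file and downloads directory as parameters so the same functions can be exercised against a constructed sample tree; the finding labels (PLUGIN_SCRIPT, CRON_ENTRY, CAMPAIGN_DMG) and the demo tree are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article, Sophos or ParetoLogic): a read-only
# host check for the OSX/Jahlav-C indicators quoted on the page.
# Assumption: the "periodically run" mechanism is a cron entry.

# .dmg filenames named in the article.
JAHLAV_DMG_NAMES="HDTVPlayerv3.5.dmg VideoCodec.dmg FlashPlayer.dmg MacTubePlayer.dmg macvideo.dmg License.v.3.413.dmg play-video.dmg QuickTime.dmg"

# is_script FILE: true when FILE is a regular file starting with a "#!" line.
# A genuine Internet plug-in is a Mach-O bundle; a bare script there is suspect.
is_script() {
    [ -f "$1" ] && [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# scan_plugins DIR: report every script file in the plug-ins directory. The
# description names AdobeFlash specifically, but any script is out of place.
scan_plugins() {
    dir=$1
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        if is_script "$f"; then
            printf 'PLUGIN_SCRIPT %s\n' "$f"
        fi
    done
    return 0
}

# scan_crontab CRONFILE: report cron lines that run anything from the
# plug-ins directory (prefixed with the line number from grep -n).
scan_crontab() {
    cronfile=$1
    [ -r "$cronfile" ] || return 0
    grep -n 'Internet Plug-Ins' "$cronfile" | sed 's/^/CRON_ENTRY /'
    return 0
}

# scan_downloads DIR: report disk images carrying the campaign's filenames.
scan_downloads() {
    dir=$1
    [ -d "$dir" ] || return 0
    for name in $JAHLAV_DMG_NAMES; do
        [ -e "$dir/$name" ] && printf 'CAMPAIGN_DMG %s\n' "$dir/$name"
    done
    return 0
}

# jahlav_scan PLUGIN_DIR CRONFILE DOWNLOAD_DIR: run all three checks. Prints one
# line per finding; exit status 0 when clean, 1 when anything was found.
jahlav_scan() {
    findings=$(scan_plugins "$1"; scan_crontab "$2"; scan_downloads "$3")
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# demo: build a constructed sample tree (not a real infection) and scan it.
# On a live Mac the equivalent call would be:
#   jahlav_scan "/Library/Internet Plug-Ins" /etc/crontab "$HOME/Downloads"
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/plugins/Real.plugin" "$tmp/downloads"
    printf '#!/bin/sh\n# constructed stand-in for the dropped script\n' > "$tmp/plugins/AdobeFlash"
    printf '*/5 * * * * "/Library/Internet Plug-Ins/AdobeFlash"\n' > "$tmp/crontab"
    : > "$tmp/downloads/VideoCodec.dmg"
    if jahlav_scan "$tmp/plugins" "$tmp/crontab" "$tmp/downloads"; then
        echo "clean"
    else
        echo "indicators found (see lines above)"
    fi
    rm -rf "$tmp"
    return 0
}

demo
```

The scan deliberately reports any script in the plug-ins directory rather than only a file named AdobeFlash, since a renamed dropper would otherwise slip past a filename-only check; the .dmg list, by contrast, is exact because those names come straight from the campaign.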

What's Apple's take on this emerging trend?

Earlier this week, in a rare comment on potential Mac OS X related insecurities in the face of malware, the company not only acknowledged OS X malware, but also pointed out that:

"The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, antivirus software may offer additional protection."

Is the company finally making the right decision by raising awareness of a threat that is likely to become a daily routine in the long term, or was it too slow to stop using the Mac's massively advertised immunity to malware as a key differentiator?

What do you think?

Talkback.

Topics: Apple, Hardware, Malware, Operating Systems, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

80 comments
  • The Apple dilemma

    Apple is actively using the perceived security (lack of attacks) in their PR campaign.

    Publicly admitting that OSX is far from immune to malware will muddle the simplistic PR message that "Macs don't get viruses".

    They are unscrupulously balancing that act at the moment. They know that it is only a matter of time before something serious hits the OSX community. From there on they cannot use that PR tool any more.

    The criminals behind this fake codec have clearly demonstrated intent. They have the malware code prepared. Rest assured that the Java Data class deserialization bug has their attention.

    Compared to a fake codec, exploiting the Java bug is just a short jump.

    honeymonster
    • But

      Like I have found with Vista/7, to get infected you have to agree to install something first.
      jdbukis@...
      • That's true. And as we've seen with Windows people are all too trusting...

        ...of software they find on the Internet. The days of browsing the Internet and being infected by a system level compromise are essentially gone. Today the primary threat is trojans. And, currently, there's only two ways to avoid becoming infected:

        1. Use safe computing habits including knowing the source of the software you're about to install.
        2. Use A/V software.

        Unfortunately the reality is option one is asking too much from users so option two is typically employed.
        ye
          • You're right.

          I think it's only a matter of time for this sort of thing to happen; as soon as your average end user gets on a system they will find a way to break it.
          jdbukis@...
          • The problem...

            ...as I see it, and as alluded to by honeymonster, is that Apple has conditioned Mac users to believe they're immune to malware on the platform. Therefore they're naively going to install any piece of software assuming they can never become compromised.
            ye
          • hmm...

            [i]The problem...as I see it, and as already pointed out by honeymonster, is that Apple has conditioned Mac users to believe they're immune to malware on the platform.[/i]

            Isn't that the implied result of honeymonster's OP?
            Badgered
          • Why yes, yes it is. Which is why I said:

            "The problem...as I see it, [b]and as already pointed out by honeymonster[/b].."
            ye
          • @ye

            Well, I'll be. My fever must be worse than I thought... I completely misread that. I read "already" as "rarely"... LOL. My bad.
            Badgered
          • That is not what I said

            I don't believe for a second that the average OSX user will blindly click anything. A small minority will certainly do so - likewise on Windows. Same problem.

            But I do believe that many OSX users have grown complacent as a result of Apple marketing. There's plenty of evidence of that in the comments sections on this site.

            What is interesting about this attack - as opposed to the previous ones - is that it appears that the attacker(s) actually invested some time in this. The previous attacks has all the marks of being amateurish attempts.

            When the well-established and highly skilled attackers start migrating over from the Windows platform, that's when the disaster will strike. Certainly the Java bug has the potential for that.
            honeymonster
          • Is that not the conclusion you were attempting to imply?

            If not my apologies. I went back and modified my original statement.
            ye
        • Problem is....

          Mac users don't employ option 2 either, so they are even easier to target these days. Everyone should take notice and at least employ option 2, but they won't. Heck, a lot of Windows users still don't, and they are the most targeted. It's not perfect but it sure can help mitigate the problems.
          OhTheHumanity
          • See this post of mine:

            http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=65519&messageID=1226206
            ye
          • I agree.....

            My idea of a good system is keep it simple and use simple programs that don't try to impress the user with useless features. Personally I have been happy with Mcafee Enterprise on our desktops as it has AV and some access controls that prevent remote changes to the systems. No complaints of performance after installing it and seems to be a success in my view. You just have to find the one that best fits your needs and ability to not compromise performance. I have installed Mcafee on very old XP systems and its not been a problem. Find what works.
            OhTheHumanity
          • We're moving to McAfee and...

            ...I'll end up having to replace my laptop as a result. I was part of the evaluation and it significantly decreased the performance of my laptop (though it is four years old). My preference would be to do without. But it's company policy so I have no choice.
            ye
          • I'm a Mac user...

            and I practice safe computing AND use A/V software. Not all Mac users are as inept as you think.
            lostark98
          • Speaking for Mac users??

            I'd venture a guess, you aren't a Mac user. So how is it you know what Mac users don't do? Personally, I know what I do and very little of what others do.
            I never download anything unless I go to a site I trust, which is few. Messages to update only serve to motivate me to go to the appropriate site without clicking on an automatically generated message to begin a download.

            When web surfing, I pay attention to my hard drive. If it becomes active when I don't think it should be, I quit the browser. If the browser won't quit, I'll pull the plug. As often as possible, I also spend the extra money for a disk, instead of downloading updates.

            I don't consider myself 100% impervious to these problems, but in 24 years, I've never had a virus or Trojan. Perhaps it's because some of us Mac users actually are quite careful.
            23Tracy
          • Human Behavior

            We are talking about human behavior; you are implying that Mac users are somehow smarter than PC users. People on the board are saying Mac users in general might have become more apathetic than general PC users on security. Why? Apple has had very few security issues to date compared to Windows users. Plus Apple promotes an OS that, unlike Windows, has no security flaws (they imply none, not few, in their marketing). This leads people to have a false sense of security unless they are otherwise educated correctly.

            You are right in implying one would need to do a poll to prove poor security behavior of Mac users. You would also have to do a poll to prove the average Mac users are more computer literate than the average PC user. Without proof of either, the typical human behavior must be assumed to be true. Your argument is based on an average person's behavior being different than behavior that has a widespread proven track record. The burden of proof is on you to prove a difference in behavior of Mac users over PC users. You need to show why the proven track record is incorrect. In this case, present some evidence that the average Mac user's behavior is different in security practices than the average PC user's. Otherwise the underlying argument that there are huge security land mines waiting to go off on Macs stands true.
            bcclendinen@...
        • Consider using SRP

          "Today the primary threat is trojans. And, currently, there's only two ways to avoid becoming infected:"

          And then you list using safe computing habits / user education, and security software.

          Here's another: use low-rights user accounts in combination with Software Restriction Policy, if your version of Windows features SRP. XP Home and Vista Home editions don't have SRP, but XP Pro/MCE and Vista Business/Ultimate/Enterprise do. With SRP set to disallowed-by-default, the only executable files your users can execute, are the ones the Admin put on the system. And if they don't have Admin rights, that pretty much settles things: Trojans will be arbitrarily prevented from execution. So will exploit payloads. So will AutoRun malware. So will unauthorized portable apps. No license fees, no renewals, no signature updates, and in an AD domain, no need to go set it up manually. Just configure it via Group Policy.

          Here's one way you can set up SRP: http://www.mechbgon.com/srp If you want the official Microsoft page for further options, see http://technet.microsoft.com/en-us/windows/cc507878.aspx
          mechBgon
      • Not entirely true

        There is plenty of damage an attacker can do with just logged-in user access. He can change browser preferences - e.g. redirect the start page to ensure re-infection on every start - before redirecting back to the original start page to avoid raising the users' suspicion.

        The attacker can also "blend" with a local privilege escalation bug and then he has root. No questions asked. There have been plenty of privilege escalation bugs and there are probably many more.

        This is far easier on operating system / browser combinations without sandboxing. OSX doesn't feature sandboxing. Chrome will probably have a sandbox when launched for OSX.
        honeymonster
    • Not really

      It's been years, and all we're hearing is that "The Mac is going to face a malware wave" etc.
      Well, where is it? A couple of fake trojans aren't going anything.
      You have to realize that a large number of Mac users are switchers, and coming from Windows they do have the basic experience required to avoid this simple kind of malware. Fortunately, malware under OS X is not as automated as it is for Windows.
      EmperorDarius