Malware writers are usually quick to exploit hot news topics such as royal weddings and the assassination of terrorists, and Osama Bin Laden's death is no exception. In this case, malware events include the exploitation of Sohaib Athar's website -- he's the man who live-tweeted the US attack in Abbottabad without knowing it -- and scareware attacks on Mac OS X via the usual poisoned search engine results.
Websense Security Labs has reported the exploitation of Sohaib Athar's website in a post by Patrik Runald headed Bin Laden Twitter Witness Site Hacked – Link Forwarded Around Major News Sites. It says that the site, which has a link from Sohaib Athar's @ReallyVirtual Twitter page, "has been compromised by hackers and leads to the Blackhole exploit kit".
People understandably turned to @ReallyVirtual for news -- his follower count exploded from 751 on April 30 to 92,827 on May 3 -- and many more could have gone to the site, where Blackhole attempts to install a rogueware system tool called Windows Recovery. Websense illustrates the attack in another post, Osama bin Laden's death, Twitter fame and malware.
Usually, such attacks target Microsoft Windows users, since these make up more than 90% of the market. As I've explained recently, the "Blackhole attack (PDF) attempts to exploit flaws in Microsoft Help Center (CVE-2010-1885), MDAC (CVE-2006-0003), five flaws in Java, and two buffer overflows in Adobe Reader", so it is Windows-oriented, and so is the payload. However, it seems there are now enough Mac users to start attracting malware writers, even if they're not yet taking the platform seriously.
As Kaspersky Labs' Fabio Assolini reports in Rogueware campaign targeting Mac users at Securelist: "During our research about Osama Bin Laden's death we saw the same malicious domains serving two rogueware applications specific to Mac OS X, called Best Mac Antivirus and MacDefender."
The domains check the browser's user agent (Safari), the visitor's IP address (US only) and the referrer (eg a Google search result) before showing the usual fake scan screen. The attackers fail badly here by showing a fake Windows screen, but Assolini says: "the file offered will be a .mpkg". As with Windows attacks, the ultimate aim is to get the user to install (say) MacDefender and pay from $59.95 to $79.95 for the pleasure. This does require the Mac user to enter their password, but those who have chosen to install MacDefender presumably will.
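The gating Assolini describes also tells a defender what to look for in web proxy logs: a Safari client that lands on a non-Google host straight from a Google search and, a few seconds later, fetches a .mpkg installer from the same chain. The detector below is an added example written for this post, not code from the article, Websense or Kaspersky; the squid-style log lines, the .invalid hostnames and the 120-second window are constructed assumptions.

```python
"""
Added example: flag the "search result -> fake scan page -> .mpkg download"
chain in proxy logs. Every log line below is constructed for illustration
and every hostname is a placeholder (.invalid), not a real indicator.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed log format: time client method url status "user-agent" "referer"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)" "([^"]*)"$')

SAFARI_MAC = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/533.21.1 Safari/533.21.1"
FIREFOX_WIN = "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"

# Constructed sample: 10.0.0.5 follows the poisoned chain, the others do not.
SAMPLE_LOG = f"""\
2011-05-03T10:00:01 10.0.0.5 GET http://www.google.com/search?q=osama+bin+laden+death 200 "{SAFARI_MAC}" "-"
2011-05-03T10:00:04 10.0.0.5 GET http://news-example.invalid/osama-photos.html 200 "{SAFARI_MAC}" "http://www.google.com/search?q=osama+bin+laden+death"
2011-05-03T10:00:09 10.0.0.5 GET http://scan-example.invalid/scan.php 200 "{SAFARI_MAC}" "http://news-example.invalid/osama-photos.html"
2011-05-03T10:00:20 10.0.0.5 GET http://scan-example.invalid/BestMacAntivirus.mpkg 200 "{SAFARI_MAC}" "http://scan-example.invalid/scan.php"
2011-05-03T10:05:00 10.0.0.9 GET http://www.google.com/search?q=weather 200 "{FIREFOX_WIN}" "-"
2011-05-03T10:05:03 10.0.0.9 GET http://weather-example.invalid/ 200 "{FIREFOX_WIN}" "http://www.google.com/search?q=weather"
2011-05-03T11:00:00 10.0.0.7 GET http://updates-example.invalid/Tool.mpkg 200 "{SAFARI_MAC}" "-"
"""


def parse(log_text):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status, ua, referer = m.groups()
        events.append({
            "time": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "status": int(status), "ua": ua, "referer": referer,
        })
    return events


def host_of(url):
    return urlparse(url).hostname or ""


def is_search_arrival(ev):
    """Landing on a non-Google host with a Google search page as referer."""
    return "google." in host_of(ev["referer"]) and "google." not in host_of(ev["url"])


def is_mac_installer(ev):
    """Successful fetch of an Apple installer package (the .mpkg the post describes)."""
    return ev["status"] == 200 and urlparse(ev["url"]).path.lower().endswith((".mpkg", ".pkg"))


def detect(log_text, window_seconds=120):
    """Return one alert per client that went search result -> .mpkg within the window."""
    by_client = defaultdict(list)
    for ev in parse(log_text):
        by_client[ev["client"]].append(ev)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        # "Safari" also appears in Chrome's UA string; tighten this check if needed.
        arrivals = [e for e in evs if is_search_arrival(e) and "Safari" in e["ua"]]
        for inst in (e for e in evs if is_mac_installer(e)):
            for arr in arrivals:
                gap = inst["time"] - arr["time"]
                if timedelta(0) <= gap <= timedelta(seconds=window_seconds):
                    alerts.append({
                        "client": client,
                        "search_referer": arr["referer"],
                        "landing": arr["url"],
                        "installer": inst["url"],
                        "seconds": int(gap.total_seconds()),
                    })
                    break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['client']}: {a['landing']} -> {a['installer']} after {a['seconds']}s")
```

The window matters: the lone .mpkg fetch by 10.0.0.7 is not flagged because nothing ties it to a search-engine arrival, which keeps legitimate software downloads out of the alert list; an analyst who wants those too can add a second, lower-severity rule on installer fetches with no referer at all.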
Attacking Mac OS X is relatively hard work, partly because there aren't any off-the-shelf kits like Blackhole that require no technical knowledge. Or at least, there weren't. However, the Copenhagen-based CSIS Security Group says:
The first advanced DIY (Do-It-Yourself) crimeware kit aimed at the Mac OS X platform has just been announced on a few closed underground forums. Detailed information about this crimeware kit is not being leaked publicly and the authors of the kit are obviously trying to stay below the radar allowing only vetted users of the forums to see most of the content.
The kit is being sold under the name Weyland-Yutani BOT and it is the first of its kind to hit the Mac OS platform. Apparently, a dedicated iPad and Linux release are under preparation as well.
There are certainly plenty of security holes to exploit in Mac OS X and its bundled applications. And as ZDNet's Ed Bott points out in Coming soon to a Mac near you: serious malware: "Only a tiny percentage of Macs run antivirus software, and Mac users have been conditioned to believe they’re immune from Internet threats. That’s a deadly combination."
The threat to Macs is still extremely small, so it will be interesting to see how it develops.
Form grabber for Mac OS X -- Copyright KrebsOnSecurity.com http://www.youtube.com/watch?v=lD3l_nqmE6w