UNSW Mac caught serving fake Microsoft patch

Summary: The School of Media, Film and Theatre at the University of NSW has admitted that one of its Mac servers has been compromised and used to host a potentially malicious file, which was disguised as a Microsoft security patch. The central IT services organisation for the UNSW discovered an issue with one of its servers on Tuesday morning and alerted the department affected.

The School of Media, Film and Theatre at the University of NSW has admitted that one of its Mac servers has been compromised and used to host a potentially malicious file, which was disguised as a Microsoft security patch.

The central IT services organisation for the UNSW discovered an issue with one of its servers on Tuesday morning and alerted the department affected. The server was immediately taken offline, according to network engineer Tim Eden.

"I have basically just blocked the machine that was the target of that link. As to what is on the machine and how it got compromised, I do not have any idea at all," Eden told ZDNet Australia.

Sam Costello, system administrator and computer support for the School of Media, Film and Theatre, told ZDNet Australia that an engineer will be looking at the server to try to establish how and when it was compromised.

Costello said it was "weirder" because it was a Mac system running Apple's latest server operating system.

"That is one of my Mac servers," said Costello. "We haven't had a chance to look at it yet because it just came to our attention this morning. We are leaving it where it is for the comms guy to come and have a look at tomorrow."

Users were directed to the server because of a link contained in an e-mail that was spammed overnight.

One version of the spam seen by ZDNet Australia arrived with the subject line "Microsoft Windows TCP/IP Protocol Security Issue -- Patch Required", and its "from" address was spoofed to read "support@microsoft.com".

The body of the message claims that Microsoft has discovered a zero-day vulnerability and warns the recipient to follow the link and apply the patch within 24 hours in order to reduce the chances of being exploited.

The link in the e-mail is displayed as pointing to a file on Microsoft's Web site, but its actual target was the UNSW server in Sydney, which has since been taken offline.
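The e-mail relied on two tricks the article describes: a forged "from" address and a link whose visible text named Microsoft's site while its real target was a server elsewhere. The following Python script is an added example, not code from the original article or from UNSW; it runs both checks over a constructed sample message (the headers, hosts and file name are made up, not taken from the real spam). The anchor-text versus href comparison generalises to any pair of hosts, and the Received:-relay check is a heuristic standing in for SPF/DKIM verification, which the article does not discuss.

```python
"""Flag the two deceptions in a phishing e-mail of the kind described above:
a spoofed From: domain and an <a> whose visible text shows one host while the
href points at another. Added example; the sample message is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (assumption: not the real spam). Forged From:, a
# Microsoft-looking subject, and a link whose text and href disagree.
SAMPLE_EMAIL = """\
From: Microsoft Support <support@microsoft.com>
To: victim@example.org
Subject: Microsoft Windows TCP/IP Protocol Security Issue -- Patch Required
Received: from mail.example.net (unknown [192.0.2.10]) by mx.example.org
Content-Type: text/html; charset=utf-8

<html><body>
<p>A zero-day vulnerability has been discovered. Apply the patch within 24 hours:</p>
<a href="http://patches.example.net/KB-update.exe">http://www.microsoft.com/downloads/update.exe</a>
<p>Regards, <a href="http://www.microsoft.com/security">Microsoft Security</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    """Crude eTLD+1 (last two labels). Fine for the demo; a real tool should
    use the Public Suffix List so hosts like example.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_deceptive_links(html):
    """Return anchors whose visible text names a host on one registered
    domain while the href resolves to a different registered domain."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname
        real_host = urlparse(href).hostname
        # Only judge anchors whose text itself looks like a hostname or URL;
        # plain words such as "Microsoft Security" carry no host to compare.
        if not shown_host or not re.fullmatch(r"[\w.-]+\.[a-z]{2,}", shown_host, re.I):
            continue
        if real_host and _registered_domain(shown_host) != _registered_domain(real_host):
            findings.append({"shown": shown_host, "actual": real_host, "href": href})
    return findings


def analyse(raw_email):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw_email)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    # Heuristic: the relay named in the earliest Received: header (the last
    # one, since each hop prepends). Received: can be forged too, so treat a
    # mismatch as a hint, not proof; SPF/DKIM results are the real signal.
    received = msg.get_all("Received") or []
    match = re.search(r"from\s+([\w.-]+)", received[-1]) if received else None
    relay = match.group(1).lower() if match else None
    relay_mismatch = bool(relay) and _registered_domain(relay) != _registered_domain(from_dom)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return {
        "from_domain": from_dom,
        "first_relay": relay,
        "relay_mismatch": relay_mismatch,
        "deceptive_links": find_deceptive_links(body),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run it as a script to see the report for the constructed message; the one flagged link is the anchor whose text reads www.microsoft.com but whose href points at patches.example.net, exactly the display/target split the article describes.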

Topics: Apple, Hardware, Malware, Microsoft, Operating Systems, Security, Servers, Windows

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Talkback

6 comments
  • RE: UNSW Mac caught serving fake Microsoft patch

    I am genuinely surprised at how easily the system admin was spoofed by the email. I thought he would have known that Microsoft never sends out direct emails for particular patches (at least ones which are in the subject line). As well, the subject line for genuine Microsoft security emails says 'Microsoft Security Advisory Notification'.
    eric_lam20009
  • Compromise not a Mac fault.

    The compromise was not a fault of the Mac or OSX, but a fault of an application hosted on the server.

    As usual AusCERT was on the ball and notifying those who needed the information as soon as the alert was raised.
    anonymous
  • Security on Mac Server

    This is very interesting....considering if it was running OS X...it can only be a G5 server...well, I guess it would be a G4....and that code would have to be written in the proper way so a PowerPC chip could understand it....It's 10-16-06 and this is the first I have heard about this....Interesting....and just why would Microsoft be sending out something for Apple......only if Microsoft did some application that was being used....but I don't know of any....????...Interesting....
    anonymous
  • "Virus" Alert ... or "Bad Reporting" Alert

    uh... From my understanding this is a Spam / Phishing email that pointed to a malicious .exe file on an OS X System. This simply means the administrator allowed someone to put a file on the server.......

    You can drop a virus .exe right now in my shared drop box on my OS X machine if you want.

    This is very very different from an Application being remotely loaded onto the OS X Server without the specific ports being opened prior by a Server administrator and without proper security.

    Furthermore, this is a lot different from malware or a virus running as an application on the OS X Server that wasn't specifically loaded by someone administering the computer.

    So I think there is some follow up needed on this matter in regards to the fact checking.

    Cheers
    anonymous
  • So?

    I've witnessed UU technicians in the old days hunt down default Unix web server installations and root out hidden caches of malware put there. If RMS can destroy all passwords on accredited systems it's certainly possible for idiots 'thinking' they're so bloody secure with a 'Mac' to get rooted or worse. But as long as OS X retains a semblance of Unix - which it just about does - it's going to be better than anything M$ can come out with, and any security engineer knows that already.
    anonymous