OS XXX? Mac-Attacking Malware Targets Porn Surfers
Mac users who've steered their computers toward the Net's red light district may wake up to find a nasty surprise if they've hooked up with the wrong site. Malware targeting the Mac OS X platform, a rare find, has been spotted in the wild. The malware relies on tricking the surfer into granting certain permissions, however, meaning it doesn't exploit a flaw in OS X; rather, it exploits a flaw in user behavior.
11/01/07 2:43 PM PT
Researchers at Intego, a maker of Mac-based security software, have announced they have recently discovered malware targeting Mac OS X on some adult-oriented Web sites. The company dubbed the malicious Trojan software "OSX.RSPlug.A."
"A malicious Trojan Horse has been found on several pornography Web sites, claiming to install a video codec necessary to view free pornographic videos on Macs," Intego said.
The warning is significant because the find is relatively rare. Security researchers have unearthed a minuscule number of Mac exploits in the wild compared to the legions designed to attack more widely used operating systems like Windows.
"It is unusual. The number of malicious code samples for the Mac is lower than its market share might suggest it should be. The number of malicious code threats for Mac is in the low hundreds, most of them for versions of the OS that predate OS X," said Andrew Jaquith, a Yankee Group analyst.
Categorized as critical by Intego, OSX.RSPlug.A passes from porn sites to Macs when users are told they need to download a new QuickTime codec.
"A great deal of spam has been posted to many Mac forums in an attempt to lead users to these sites. When the users arrive on one of the Web sites, they see still photos from reputed porn videos, and when they click on the stills, thinking they can view the videos, they arrive on a Web page that says the following: 'Quicktime Player is unable to play movie file. Please click here to download new version of code,'" Intego explained.
The deception continues when the phony download, delivered as a Disk Image (DMG) file, asks users to accept a fake license agreement. Once they have agreed, they must then authorize the installer by entering their user name and password, which is what gives it the system-level access it needs.
Once installed, the malware changes DNS server entries in order to direct Internet users to phony Web sites where they will unwittingly divulge user names, passwords and other sensitive information. Criminals could then take the data and use it to commit phishing schemes, identity theft or "drive traffic to alternative Web sites," according to Sophos.
Testing by Sophos found that the Trojan changes the DNS server settings -- the resolvers the Mac uses to translate domain names into IP addresses before it contacts a Web site -- to point to "ones located in Belarus." On the other end, the attackers are notified that they have a new victim, along with the OS version and the fact that it is a Mac.
Mac OS X 10.4 (Tiger) users have no way to tell from the Network preference pane that their DNS servers have been changed; the live resolver list is still visible from the command line, for example with scutil --dns. Leopard users can see the change under Advanced Network preferences, Intego advised, but the newly added servers are "dimmed and cannot be removed manually."
The Trojan also installs a root crontab entry that runs every minute to check that its DNS servers are still in place, so undoing the change by hand does not stick while the cron job remains.
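The two indicators described above (rogue resolvers and an every-minute root cron job) can be checked from a shell. The script below is an added example written for this page, not code from Intego, Sophos or the article; it parses the text that scutil --dns and sudo crontab -l print on a Mac, but is run here over constructed sample text so it works anywhere. The 203.0.113.x resolvers, the allowlisted 192.168.1.1 LAN resolver and the cron script path are all placeholders, not the real addresses or paths used by the Trojan.

```shell
#!/bin/sh
# Added example (not Intego's, Sophos's or the article's code): two audit
# checks for the indicators described in the article, run here over
# constructed sample text so the script works on any POSIX shell.
#
# Real use on a Mac (assumption: your LAN resolver is 192.168.1.1):
#   scutil --dns    | check_resolvers 192.168.1.1
#   sudo crontab -l | check_cron

# check_resolvers ALLOWED_IP...  reads `scutil --dns` text on stdin and prints
# every nameserver not in the allowlist; exit status 1 if any were found.
check_resolvers() {
    allowed=" $* "
    found=0
    # Lines look like "  nameserver[0] : 192.168.1.1"; take the last field.
    for ns in $(awk '/nameserver\[[0-9]+\][ \t]*:/ { print $NF }' | sort -u); do
        case "$allowed" in
            *" $ns "*) ;;
            *) echo "unexpected resolver: $ns"; found=1 ;;
        esac
    done
    return $found
}

# check_cron  reads a crontab on stdin and prints every job scheduled as
# "* * * * *" (every minute), the cadence the article describes; exit 1 if any.
check_cron() {
    awk '
        /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
        $1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*" {
            print "every-minute cron job: " $0
            hits++
        }
        END { if (hits > 0) exit 1; exit 0 }'
}

# Constructed sample of `scutil --dns` output. 203.0.113.0/24 is a documentation
# range standing in for the rogue resolvers; these are not the real addresses.
SAMPLE_DNS='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.5
  nameserver[2] : 203.0.113.6
  if_index : 4 (en0)'

# Constructed sample of `sudo crontab -l`. The script path is a placeholder,
# not the path the real Trojan used.
SAMPLE_CRON='# nightly housekeeping
0 3 * * * /usr/local/bin/nightly-backup.sh
* * * * * /tmp/example_reapply_dns.sh >/dev/null 2>&1'

# Stand-alone demo over the constructed samples.
printf '%s\n' "$SAMPLE_DNS"  | check_resolvers 192.168.1.1 || echo "resolver check: SUSPICIOUS"
printf '%s\n' "$SAMPLE_CRON" | check_cron                  || echo "crontab check: SUSPICIOUS"
```

The resolver check is only as good as its allowlist: pass every resolver you expect (LAN router, ISP or corporate DNS), and treat anything else as worth a look. The cron check flags cadence rather than a specific path, because the script name is the part an attacker can change most easily.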
Your Worst Enemy
The problem in this instance, however, is not a deficiency or flaw in the Mac operating system but a case of human error. Users should never download software from an unknown source. Since the Trojan is only downloaded from porn sites, security experts said it actually poses little risk to the bulk of Mac owners.
"This is relatively low risk. It's distributed by porn sites, apparently, so it's really only a risk to porn-surfers who are also susceptible to social engineering. It requires the user's consent to install," Jaquith explained.
The Trojan has larger implications for Mac users, who up until now have only had to deal with a small fraction of the malware PC users contend with. However, as Apple's share of the computer market continues to increase, Macs have drawn a growing number of attacks.
"This signals that Web threats and specifically Web exploits are going to be cross-platform or cross-operating system. So there really isn't a user group out there that is impervious to user threats," Mike Haro, senior security consultant at Sophos, told MacNewsWorld.
"As Apple increases their market share you'll probably see a lot more hackers and malware developers develop Trojans and viruses that will affect Mac users," Terrence Brewton, a Frost & Sullivan analyst, told MacNewsWorld.