The Quiet Little Pop of the Mac Security Bubble
Jun 26, 2008 4:00 AM PT
A Trojan targeting Mac computers in the wild used to be a rarity, but this type of malware is now turning up with alarming frequency. The latest Trojan is rudimentary, at best, although when coupled with a Mac platform vulnerability that came to light earlier this week, it could deliver an extra wallop.
The Trojan is masquerading as a program for Mac OS X called "PokerGame." A shell script encapsulated in an application, it is distributed in a 65 KB Zip archive; unzipped, it is 180 KB, according to Intego, one of the security firms that flagged it.
After it is downloaded, PokerGame activates an SSH tunnel and sends the user's name, along with the Internet protocol address of the Mac, to a server. It then asks for an administrator's password after displaying this dialog: "A corrupt preference file has been detected and must be repaired." When the user enters the password, the hacker gets remote access to the computer.
All in all, this Trojan is a straightforward program -- both in the way it installs itself and in how it's executed.
"Years ago, we were seeing the same malware but designed for the PC," Wolfgang Kandek, CTO of Qualys, told MacNewsWorld.
It is a social engineering-designed hack attack at its most basic, in other words.
For that reason, Kandek is not too worried about the malware proliferating among Mac users, who tend to be a savvy IT user group anyway.
It does have the potential to deliver an additional sting, though, if coupled with a vulnerability in Mac OS X that security firms identified earlier this week, Kandek noted. Specifically, "ARDAgent" within Mac OS X 10.4 and 10.5 can be invoked to execute arbitrary commands with root privileges via AppleScript.
"Then the virus becomes more dangerous, because it won't require the user to type in the password," explained Kandek.
It's likely that malware writers are already exploring this angle.
Root access gives full control, even to other user accounts on the same system, said Mary Landesman, senior security researcher at ScanSafe.
"However, to work, the attacker must be able to either establish a remote connection to the target machine or have local physical access," she told MacNewsWorld.
"In such cases, that means the attacker already effectively owns the machine, which has cast some doubt on the seriousness of this particular disclosure. However, an exploit for the vulnerability in conjunction with a socially engineered Trojan such as PokerGame would satisfy that restriction and could have serious consequences for the victim," Landesman concluded.
Waiting for the Day
Security researchers have been forecasting the day the Mac would become a major target for malware writers for several years now. Despite recent events and louder projections of doom, that day is not yet here.
"This was an immature piece of malware -- we saw this kind of thing many moons ago with Windows," Tyler Reguly, a security research engineer for nCircle told MacNewsWorld. "But going forward, as more people use Macs, we are going to see more and more malware for the Mac that is sophisticated and dangerous."
Some even say that the day of reckoning is at hand. "Malware has finally made Macs a destination of choice, since so many people are now using Macs -- and especially with the onset of the iPhone smartphone device," Christoph Alme, team leader with Secure Computing's antimalware team, told MacNewsWorld.
"It was only a matter of time," he remarked, "and I think we'll see many more attacks aimed at the Mac community the rest of this year and beyond."
With Mac's growing popularity, it is inevitable that scammers will seek to exploit the growing base of systems operated by users who have never had to worry before, said Andrew Klein, senior product marketing manager for SonicWall. But that is no longer the point.
The choice of the platform -- Mac versus PC -- is not the basis of a sound security policy, he told MacNewsWorld.
"The real answer for the home user is the same one adopted by most businesses: to think about security -- and, in this case, virus protection -- in layers. Most only think about protection on the system itself."