Get the ECT News Network Weekly Newsletter » View Sample | Subscribe
Welcome Guest | Sign In
Ideoclick eBook

The Quiet Little Pop of the Mac Security Bubble

By Erika Morphy MacNewsWorld ECT News Network
Jun 26, 2008 4:00 AM PT

A Trojan targeting Mac computers in the wild used to be a rarity, but this type of malware is now turning up with alarming frequency. The latest Trojan is rudimentary, at best, although when coupled with a Mac platform vulnerability that came to light earlier this week, it could deliver an extra wallop.

The Quiet Little Pop of the Mac Security Bubble

The Trojan is masquerading as a program for Mac OS X called "PokerGame." A shell script encapsulated in an application, it is distributed in a 65 KB Zip archive; unzipped, it is 180 KB, according to Intego, one of the security firms that flagged it.

After it is downloaded, PokerGame activates an SSH tunnel and sends the user's name, along with the Internet protocol address of the Mac, to a server. It then asks for an administrator's password after displaying this dialog: "A corrupt preference file has been detected and must be repaired." When the user enters the password, the hacker gets remote access to the computer.

Hacking 101

All in all, this Trojan is a straightforward program -- both in the way it installs itself and in how it's executed.

"Years ago, we were seeing the same malware but designed for the PC," Wolfgang Kandek, CTO of Qualys, told MacNewsWorld.

It is a social engineering-designed hack attack at its most basic, in other words.

For that reason, Kandek is not too worried about the malware proliferating among Mac users, who tend to be a savvy IT user group anyway.

Doubling Up

It does have the potential to deliver an additional sting, though, if coupled with a vulnerability in Mac OS X that security firms identified earlier this week, Kandek noted. Specifically, "ARDAgent" within Mac OS X 10.4 and 10.5 can be invoked to execute arbitrary commands with root privileges via AppleScript.

"Then the virus becomes more dangerous, because it won't require the user to type in the password," explained Kandek.

It's likely that malware writers are already exploring this angle.

Root access gives full control, even to other user accounts on the same system, said Mary Landesman, senior security researcher at ScanSafe.

"However, to work, the attacker must be able to either establish a remote connection to the target machine or have local physical access," she told MacNewsWorld.

"In such cases, that means the attacker already effectively owns the machine, which has cast some doubt on the seriousness of this particular disclosure. However, an exploit for the vulnerability in conjunction with a socially engineered Trojan such as PokerGame would satisfy that restriction and could have serious consequences for the victim," Landesman concluded.

Waiting for the Day

Security researchers have been forecasting the day the Mac would become a major target for malware writers for several years now. Despite recent events and louder projections of doom, that day is not yet here.

"This was an immature piece of malware -- we saw this kind of thing many moons ago with Windows," Tyler Reguly, a security research engineer for nCircle told MacNewsWorld. "But going forward, as more people use Macs, we are going to see more and more malware for the Mac that is sophisticated and dangerous."

Some even say that the day of reckoning is at hand. "Malware has finally made Macs a destination of choice, since so many people are now using Macs -- and especially with the onset of the iPhone smartphone device," Christoph Alme, team leader with Secure Computing's antimalware team, told MacNewsWorld.

"It was only a matter of time," he remarked, "and I think we'll see many more attacks aimed at the Mac community the rest of this year and beyond."

With Mac's growing popularity, it is inevitable that scammers will seek to exploit the growing base of systems operated by users who have never had to worry before, said Andrew Klein, senior product marketing manager for SonicWall. But that is no longer the point.

The choice of the platform -- Mac versus PC -- is not the basis of a sound security policy, he told MacNewsWorld.

"The real answer for the home user is the same one adopted by most businesses: to think about security -- and, in this case, virus protection -- in layers. Most only think about protection on the system itself."

Which type of digital advertising is most likely to attract your favorable attention?
Ads based on my interests
Ads designed to grab my attention, e.g. pop-ups, autoplay
Audio ads
Email ads from sources I've authorized to contact me
Informational articles on products/services
Social media ads
Straightforward banner ads
Video ads
Get your contact center ready step-by-step guide
Get your contact center ready step-by-step guide