
OS X trojan horse
Clinically Insane | Join Date: Mar 2001 | Location: yes | Feb 23, 2012, 08:26 PM
 
     
Clinically Insane | Join Date: Oct 2000 | Location: Los Angeles | Feb 24, 2012, 02:09 AM
 
Clever little bugger, isn't it?

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Clinically Insane | Join Date: Mar 2001 | Location: yes | Feb 24, 2012, 02:45 AM
 
Yup.

We may be at the point where we are doing a disservice in perpetuating the myth that Macs are immune to malware. Trojan horses have always been possible; it's just that without root access to be running at all times, the possible damage was limited. Still, you can do a great deal of harm even if this runs only until next logout, and this exploit proves that there are ways to gain root access, just as there are ways to do so in iOS (jailbreaking).

I'm not sure about recommending anti-virus software, but the whole "sit back and relax, Macs are impervious" thing has to stop.
     
Big Mac | Clinically Insane | Join Date: Oct 2000 | Location: Los Angeles | Feb 24, 2012, 03:04 AM
 
Very few if any of us have ever said Macs are completely immune to malware though. Perhaps Apple's simplified marketing messages imply such a view, but informed Mac users have always known that Macs and other Apple products can potentially get hit with malware. It's very unlikely to see Mac malware, but it very rarely is seen. Like many Mac exploits this one principally takes advantage of Java. Apple will doubtlessly add it to the malware definitions soon enough.

As for greater malware vulnerability from jailbreaking, first of all only a small minority of users will jailbreak, and secondly I have yet to hear of any malware spreading through Cydia. And in fact, jailbreaking actually made iOS more secure for a period of time (last year IIRC) when there was a security issue in the stock iOS firmware.

There will always be some threat posed by malicious code as long as people are allowed the freedom to run the applications they want. But after 11 years Mac OS X has proven to be a very secure platform with few real malware threats, and iOS (jailbroken or not) has its own great security record. I also note that despite increasing popularity both platforms have maintained mostly spotless security records; some had claimed in previous years that Apple products weren't popular enough to warrant the creation of substantial amounts of malware. That argument was put to rest decisively long ago.
( Last edited by Big Mac; Feb 24, 2012 at 03:12 AM. )

     
besson3c | Clinically Insane | Join Date: Mar 2001 | Location: yes | Feb 24, 2012, 12:04 PM
 
Very few MacNNers have said this, but I think this attitude has prevailed... I think Apple themselves even mocked the whole virus thing on Windows with their ads, which I think may have contributed to the belief that Macs can't get viruses. Either way, my sense is that there have always been people that believe this to be true, one way or another.
     
idontlikelionosx | Fresh-Faced Recruit | Join Date: Jan 2012 | Feb 27, 2012, 12:13 AM
 
What antivirus program do I need to get for my MacBook Pro running OS X?
     
Clinically Insane | Join Date: Mar 2001 | Location: yes | Feb 27, 2012, 12:18 AM
 
I'm not inclined to recommend any since viruses are still pretty rare, and can be avoided by not entering your admin password unless you understand why you are doing so and why it is necessary to do so.
     
turtle777 | Clinically Insane | Join Date: Jun 2001 | Location: planning a comeback! | Feb 27, 2012, 12:55 AM
 
Originally Posted by besson3c:
Very few MacNNers have said this, but I think this attitude has prevailed... I think Apple themselves even mocked the whole virus thing on Windows with their ads, which I think may have contributed to the belief that Macs can't get viruses. Either way, my sense is that there have always been people that believe this to be true, one way or another.
You know the differences between a virus and a trojan horse, don't you?

I'll be really worried the day we actually *have* the first ever OS X virus.

Until then, I feel pretty good about OS X security. Mountain Lion is going to make it even harder for trojans to fool people.

-t
     
Clinically Insane | Join Date: Mar 2001 | Location: yes | Feb 27, 2012, 01:38 AM
 
Originally Posted by turtle777:
You know the differences between a virus and a trojan horse, don't you?

I'll be really worried the day we actually *have* the first ever OS X virus.

Until then, I feel pretty good about OS X security. Mountain Lion is going to make it even harder for trojans to fool people.

-t

Yes, I do, but the days of self-replicating viruses are pretty much behind us, AFAIK. In Windows the name of the game is trojan botnets invoked via spyware, phishing/social engineering, executables, etc. This malware doesn't need to self-replicate to cause harm anymore, it can redistribute itself to other zombie machines that the botnet, primarily facilitated via IRC, reports as being infected. It doesn't try to infect other machines itself though, it just reports to the botnet.

In OS X, any machine can be zombified by running this malware, but it won't remain running without root privileges. All that would be needed is to trick users into providing their root password though, which is probably easier than one would think.

My information could be outdated though, I don't generally keep up-to-date with this sort of stuff, but I'm pretty sure that self-replicating viruses are pretty old school, and that trojans are what all the cool kids are into these days.
     
angelmb | Addicted to MacNN | Join Date: Oct 2001 | Location: Automatic | Feb 27, 2012, 11:08 AM
 
Intego Blog: Further Information About the Flashback.G Malware

"It is important to note that this version of the Flashback Trojan horse does not present an installer, as previous versions did. If a user visits a web page, and their Java is not up to date, the installation will occur without their intervention.

If their Java is up to date, they will only see the certificate alert that we show above: they will never be asked for a password, and won't have to launch any other software to allow the installation to take place.

While we're still calling this the Flashback Trojan horse, because the actual malware code is similar to the first version of Flashback, its actions are different. In this case, the initial code that is installed on a Mac then downloads more code from a remote server, and deletes the original.

What we see here is an exploit, which installs a downloader, which then downloads a backdoor, which in turn injects code into applications."
     
turtle777 | Clinically Insane | Join Date: Jun 2001 | Location: planning a comeback! | Feb 27, 2012, 04:43 PM
 
That's actually much more scary.

But I'd still like to understand how the installation will occur w/o user credentials.
Is this a root exploit?

-t
     
P | Moderator | Join Date: Apr 2000 | Location: Gothenburg, Sweden | Feb 28, 2012, 04:16 AM
 
Not sure if what they do requires root, but that would be a privilege escalation exploit if so. Privilege escalation from an admin user to root is likely not especially hard to achieve - I have (completely by accident) found one such hole that went unpatched for years after reporting it. Lion comprehensively fixes it, but I included a very simple proposed fix in my report that could have been applied in a point update. I think Apple gives low priority to escalation flaws like that.
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
     
turtle777 | Clinically Insane | Join Date: Jun 2001 | Location: planning a comeback! | Feb 28, 2012, 12:50 PM
 
I agree, privilege escalation from admin to root is not particularly scary, but a general privilege escalation exploit would be.

As always, I don't trust Intego or any other Antivirus company to report things factually. They have ulterior motives.

-t
     
Moderator | Join Date: Aug 2001 | Location: Location: Location: | Feb 28, 2012, 01:17 PM
 
Originally Posted by idontlikelionosx:
What antivirus program do I need to get for my MacBook Pro running OS X?
I've been happy with ClamXAV. It's free. I have it on my iMac and my wife and daughter's MacBooks.
     
Clinically Insane | Join Date: Mar 2001 | Location: yes | Feb 29, 2012, 01:15 AM
 
Yeah, the nice thing about ClamAV, to address Turtle777's point, is that the underlying code is open source, so it's probably harder to have the same sort of ulterior motives you'd have with one of the companies turtle777 mentioned.

In fact, I don't know why open source anti-virus stuff on Windows hasn't really caught on, it seems to be an obvious area where open source software would shine?
     
Moderator | Join Date: Aug 2001 | Location: Location: Location: | Feb 29, 2012, 05:48 AM
 
Probably because the Windows side is so chock full of no-name, malware-posing-as-AV-software, that sticking with the name brands makes more sense.

Famously, of course, we on the Mac side have had our very own malware-as-AV problem with Mac Defender.
     
Grizzled Veteran | Join Date: Feb 2003 | Feb 29, 2012, 08:40 AM
 
Originally Posted by angelmb:
"It is important to note that this version of the Flashback Trojan horse does not present an installer, as previous versions did. If a user visits a web page, and their Java is not up to date, the installation will occur without their intervention.

If their Java is up to date, they will only see the certificate alert that we show above: they will never be asked for a password, and won’t have to launch any other software to allow the installation to take place.
So, this is a Java exploit, right? We had trouble with Java vulnerabilities under Mac OS X in the past and since then I have disabled it in all the machines under my control.
     
P | Moderator | Join Date: Apr 2000 | Location: Gothenburg, Sweden | Feb 29, 2012, 10:36 AM
 
It tries two different Java exploits first, and if they have both been patched, it throws up a sneaky dialog box to trick you into installing it anyway. Don't underestimate social engineering - I just got one to my work mail posing as a message from a delivery company, asking me to open an HTML file and print it out. I didn't, but if I were expecting a package and was in a hurry, I might have.
     
angelmb | Addicted to MacNN | Join Date: Oct 2001 | Location: Automatic | Mar 7, 2012, 02:30 PM
 
So, this just in… it does inject code in Safari once the browser is launched. I don't know jack about trojan horses, but doesn't this start to smell like a serious issue?

New Flashback Variant Changes Tack to Infect Macs - The Mac Security Blog

"Flashback forces Safari to quit, installs a file at /tmp/Software Update, then installs two invisible files in Safari’s resources, taking advantage of the root rights it obtained when the user entered his or her administrator’s password.

Next, Flashback injects code in Safari when the browser is launched. The .COAAShipPlotter.png file is the malware, and the .COAAShipPlotter.xsl is the file that injects code in Safari, in conjunction with Safari's Info.plist file, which has been modified."
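The Safari injection quoted above can be checked for directly. This Flashback variant got its code into Safari through the LSEnvironment dictionary in Safari's Info.plist, setting DYLD_INSERT_LIBRARIES so that the hidden library was loaded on every launch; that mechanism is a known fact about the malware family, not something the thread itself states. The script below is an added example and is not Intego's code or anything posted in the thread. It parses an Info.plist for that key, lists dot-files in the bundle's Resources folder, and looks for the /tmp/Software Update artifact mentioned in the quoted post. The two sample plists and the temporary bundle the demo builds are constructed for illustration; the file names come from the quoted post, and the surrounding plist layout is an assumption.

```python
"""Triage check for the Flashback Safari injection quoted above.

Added example for this thread, not Intego's or Apple's code. It needs no
network and runs on any OS; on a real Mac you would point it at
/Applications/Safari.app/Contents/Info.plist and that bundle's Resources dir.
"""
import os
import plistlib
import tempfile

# Constructed sample of a tampered Safari Info.plist. LSEnvironment with
# DYLD_INSERT_LIBRARIES is how this Flashback variant loaded its library into
# Safari; the other keys are a minimal assumed layout, not a real Safari plist.
SAMPLE_TAMPERED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.Safari</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Applications/Safari.app/Contents/Resources/.COAAShipPlotter.png</string>
  </dict>
</dict>
</plist>
"""

# Constructed clean sample: same bundle id, no LSEnvironment at all.
SAMPLE_CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.Safari</string>
</dict>
</plist>
"""

INJECT_KEY = "DYLD_INSERT_LIBRARIES"
DROPPER_NAME = "Software Update"   # dropped under /tmp according to the quoted post


def inserted_libraries(plist_bytes):
    """Return the library paths LSEnvironment would inject, or [] if none.

    DYLD_INSERT_LIBRARIES is colon-separated, so more than one may appear.
    """
    info = plistlib.loads(plist_bytes)
    env = info.get("LSEnvironment") or {}
    return [p for p in env.get(INJECT_KEY, "").split(":") if p]


def hidden_resources(resources_dir):
    """Dot-files in a bundle's Resources folder. The Finder hides them, which is
    why the malware parked its two files there; a missing dir yields []."""
    try:
        names = os.listdir(resources_dir)
    except FileNotFoundError:
        return []
    return sorted(n for n in names if n.startswith("."))


def triage_safari(plist_bytes, resources_dir, tmp_dir="/tmp"):
    """Collect findings for one Safari bundle; an empty list means nothing found."""
    findings = []
    for lib in inserted_libraries(plist_bytes):
        findings.append(f"LSEnvironment injects a library into Safari: {lib}")
    for name in hidden_resources(resources_dir):
        findings.append(f"hidden file in Resources: {name}")
    dropper = os.path.join(tmp_dir, DROPPER_NAME)
    if os.path.exists(dropper):
        findings.append(f"dropper artifact present: {dropper}")
    return findings


def demo():
    """Build a constructed infected-looking bundle in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        resources = os.path.join(root, "Safari.app", "Contents", "Resources")
        os.makedirs(resources)
        # Two hidden files from the quoted post plus one ordinary resource.
        for name in (".COAAShipPlotter.png", ".COAAShipPlotter.xsl", "Safari.icns"):
            open(os.path.join(resources, name), "wb").close()
        tmp = os.path.join(root, "tmp")
        os.makedirs(tmp)
        open(os.path.join(tmp, DROPPER_NAME), "wb").close()
        return triage_safari(SAMPLE_TAMPERED_PLIST, resources, tmp_dir=tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print("clean sample:", triage_safari(SAMPLE_CLEAN_PLIST, "/nonexistent", "/nonexistent"))
```

On an actual Mac the plist check collapses to one command, `defaults read /Applications/Safari.app/Contents/Info LSEnvironment`, which prints the dictionary if the key exists and reports that the pair does not exist otherwise; the library itself can be masked as an image or stylesheet, so the presence of the LSEnvironment key is the signal, not the file extension.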
     
P | Moderator | Join Date: Apr 2000 | Location: Gothenburg, Sweden | Mar 7, 2012, 03:46 PM
 
It's getting nastier, but it's not too bad yet - compared to some of the garbage I have to clean off my cousins' Wintel boxes every now and then. It's still a trojan unless it spreads by itself.
     
   
All contents of these forums © 1995-2013 MacNN. All rights reserved.