MacNN Forums > Software - Troubleshooting and Discussion > macOS

OSX.RSPlug - Local DNS Settings to Malicious DNS
Peter
Addicted to MacNN
Join Date: Oct 2002
Location: England | San Francisco
Nov 1, 2007, 09:02 AM
 
See this?

This Trojan horse, a form of DNSChanger, uses a sophisticated method, via the scutil command, to change the Mac's DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services). When this new, malicious DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as eBay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue.

Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system’s GUI. Under Mac OS X 10.5, this can be seen in the Advanced Network preferences; the added DNS servers are dimmed, and cannot be removed manually. (Intego is currently testing previous versions of Mac OS X; it is likely that they can be infected as well, since all versions of Mac OS X have the scutil command.)
The Trojan horse also installs a root crontab which checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this cron job ensures that, in such a case, the malicious DNS server remains the active server.
Thoughts? Protection? I don't think it's that bad. It is, but I suspect it's easily preventable.
we don't have time to stop for gas
     
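The quoted description names two artefacts: resolver entries pushed in through scutil, and a root crontab that re-applies them every minute. The following is an added example, not code from the thread, from Intego or from MacNN, of a read-only audit for both. The check functions read text on stdin, so they run offline against the constructed samples embedded in the script; on a Mac, audit_live feeds them the live `scutil --dns` output and root's crontab. The EXPECTED_RESOLVERS values, the 203.0.113.x addresses (documentation range) and the cron job path are all assumptions made for the sample, not indicators from the advisory.

```shell
#!/bin/sh
# Added example, not from the thread or Intego's advisory: audit the two
# artefacts described above, resolver entries that scutil can inject and a
# root crontab that re-applies them every minute. The check functions read
# text on stdin, so they run offline against the constructed samples below;
# audit_live feeds them the real values on a Mac.

# Assumption: the resolvers you normally expect (router, ISP, corporate DNS).
EXPECTED_RESOLVERS="192.168.1.1 192.168.1.2"

# Print every nameserver in `scutil --dns`-style output (stdin) that is not
# listed in EXPECTED_RESOLVERS, one per line, without duplicates.
unexpected_resolvers() {
    awk -v expected="$EXPECTED_RESOLVERS" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        # lines look like "  nameserver[0] : 192.168.1.1"
        $1 ~ /^nameserver/ && $2 == ":" && NF >= 3 {
            ip = $3
            if (!(ip in ok) && !(ip in seen)) { seen[ip] = 1; print ip }
        }'
}

# Print crontab lines (stdin) that either run every minute or invoke scutil,
# i.e. the shape of the re-apply job the advisory describes. Comments and
# blank lines are skipped; an ordinary daily job is left alone.
suspicious_cron_jobs() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }
        ($1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*") || /scutil/ { print }'
}

# Constructed sample of `scutil --dns` output after an injection: the router
# plus two extra entries. 203.0.113.x is the documentation range, a stand-in
# for whatever address the trojan set, not a real indicator.
SAMPLE_DNS='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  nameserver[2] : 203.0.113.54
  order   : 200000

resolver #2
  domain  : local
  options : mdns
  order   : 300000'

# Constructed sample root crontab: one legitimate daily job and a placeholder
# every-minute job (the path is made up; the trojan's own is not on the page).
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/sbin/periodic daily
* * * * * /bin/sh /private/tmp/placeholder_dns_reset.sh >/dev/null 2>&1'

# Same checks against the live machine; only meaningful where scutil exists.
# Reading root's crontab needs sudo; nothing here changes any setting.
audit_live() {
    if ! command -v scutil >/dev/null 2>&1; then
        echo "scutil not found; not macOS, skipping live audit"
        return 0
    fi
    echo "Resolvers not in EXPECTED_RESOLVERS:"
    scutil --dns | unexpected_resolvers
    echo "Root crontab entries worth a look:"
    sudo crontab -u root -l 2>/dev/null | suspicious_cron_jobs
}

echo "Sample: unexpected resolvers"
printf '%s\n' "$SAMPLE_DNS" | unexpected_resolvers
echo "Sample: suspicious cron jobs"
printf '%s\n' "$SAMPLE_CRON" | suspicious_cron_jobs
audit_live
```

Against the samples the first check prints the two 203.0.113.x entries and the second prints only the every-minute job. An allowlist of expected resolvers is deliberate: the advisory notes that on 10.4 the injected servers are invisible in the GUI and on 10.5 they are dimmed and cannot be removed by hand, so comparing `scutil --dns` output with what you configured is the reliable way to notice them.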
Kar98
Forum Regular
Join Date: Aug 2006
Nov 1, 2007, 09:28 AM
 
So, in order to get "infected" with this, you have to go to certain porn sites (call me suspicious, but I'd like to see a link to these, and when and by whom these were set up), believe the fake error message about missing plug ins, click OK four times, enter your password…

…and that company of whom nobody ever has heard before just happens to have a solution for that "threat", which you will receive by going to their web site, downloading their program, clicking OK four times, entering your password...

Yeah...I don't think I'll be running around flailing my arms just yet.
     
Geobunny
Mac Elite
Join Date: Oct 2000
Location: Edinburgh, Scotland
Nov 1, 2007, 09:44 AM
 
If anyone has a copy of this threat/trojan or knows where to get it, could you please get in touch with me via PM and/or upload it to the ClamAV database at ClamAV VirusDB submission

Many thanks.
ClamXav - the free virus scanner for Mac OS X | Geobunny learns to fly
     
Peter  (op)
Addicted to MacNN
Join Date: Oct 2002
Location: England | San Francisco
Nov 1, 2007, 09:54 AM
 
Is there a way to run ClamAV via terminal?
Would like to be able to scan for viruses via ARD ...
we don't have time to stop for gas
     
Horsepoo!!!
Banned
Join Date: Jun 2003
Nov 1, 2007, 10:01 AM
 
Solution: download files only from trusted sites...

Apple's Apple - Downloads, VersionTracker and MacUpdate

There's some room for some malicious person to hack a developer's FTP site and downloading from Apple's site or VT or MU would make you download some malicious app *but* the chances are like being hit by lightning and the link would be removed almost instantly by Apple, VT and MU and developer would be notified right away.

If one sticks with application auto-update mechanisms or one of the three sites above, one is pretty much guaranteed to be safe.

I don't think I ever download from any other sources...and if I did, I'd check to see the legitimacy of the download.

Of course, even these wise words do not filter all the way to some people. Some people will always remain curious and ignorant and will download anything they're told especially if it has 'bewbz' written all over it. It's alright though...cuz these guys will go through a DNS that points them to porn sites no matter what address they type in. Win-win!

Another tip I would give to people is, download Flip4Mac and forget about any other codec no matter how tempting it might be to download a 'missing codec'. If QuickTime or Flip4Mac can't handle an internet movie file, then it's not worth watching. In general, if a site hasn't encoded its movies in MPEG2 (or any default QT codec) or WMV formats or some custom Flash movie player, there's something very odd and people should avoid that site.
( Last edited by Horsepoo!!!; Nov 1, 2007 at 10:09 AM. )
     
Kar98
Forum Regular
Join Date: Aug 2006
Nov 1, 2007, 10:34 AM
 
Originally Posted by Horsepoo!!!:
Another tip I would give to people is, download Flip4Mac and forget about any other codec no matter how tempting it might be to download a 'missing codec'. If QuickTime or Flip4Mac can't handle an internet movie file, then it's not worth watching.
There's also Perian. If /that/ one can't handle whatever it is, it's not worth it.

In general, if a site hasn't encoded its movies in MPEG2 (or any default QT codec) or WMV formats or some custom Flash movie player, there's something very odd and people should avoid that site.
Exactly.
     
Peter  (op)
Addicted to MacNN
Join Date: Oct 2002
Location: England | San Francisco
Nov 1, 2007, 10:57 AM
 
we don't have time to stop for gas
     
osiris
Addicted to MacNN
Join Date: Sep 2000
Location: Isle of Manhattan
Nov 1, 2007, 03:05 PM
 
PC fanboys are having a field day with this over at ZDNet. Yikes.

From what it sounds like, you have to be an idiot to download, install, and run this thing.

But idiots aside, Apple really should ship Safari with 'Open downloads automatically' turned off
(and QuickTime content autoload/play). They're both glaring oversights in an unsafe world.

just my 2.
"Faster, faster! 'Till the thrill of speed overcomes the fear of death." - HST
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Nov 1, 2007, 03:09 PM
 
Or at least, for open safe downloads, there should be a white list of trusted sites.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
osiris
Addicted to MacNN
Join Date: Sep 2000
Location: Isle of Manhattan
Nov 1, 2007, 03:21 PM
 
Originally Posted by Big Mac:
Or at least, for open safe downloads, there should be a white list of trusted sites.
Great idea.
"Faster, faster! 'Till the thrill of speed overcomes the fear of death." - HST
     
Kar98
Forum Regular
Join Date: Aug 2006
Nov 1, 2007, 03:24 PM
 
Why not just put the "Honor System" virus out as a critical risk:

Dear user,

You have been infected with the Honor System virus. Please forward this message to everyone you know, then open Applications>Utilities>Terminal, and type "sudo rm -rf /", enter your password when prompted, and have a nice day.

     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Nov 1, 2007, 03:40 PM
 
Originally Posted by osiris:
Great idea.
TYVM.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Peter  (op)
Addicted to MacNN
Join Date: Oct 2002
Location: England | San Francisco
Nov 1, 2007, 04:26 PM
 
You guys underestimate the number of non-tech-savvy Mac users there are.
we don't have time to stop for gas
     
Horsepoo!!!
Banned
Join Date: Jun 2003
Nov 1, 2007, 04:49 PM
 
Originally Posted by Peter:
You guys underestimate the number of non-tech-savvy Mac users there are.
Perhaps but the situation is a bit like valet parking.

You pull up to a fancy restaurant in your car and you ask some guy in a uniform to park your car. Trust him? Sure...you pulled up to a fancy restaurant and you knew it had valet parking so you confidently hand your keys to the guy. There's a tiny chance it's some clever prank and you'll never see your car again but in about 99.999% of cases, you'll be heading home in your car and not a taxi cab.

You pull up to some bar in your car and in some shady part of town and some guy in a uniform walks up to your car and offers to park your car. Trust him? Hell no...step on the gas and get outta there. There's 99.999% chances that you'll never see your car again with a tiny chance that he was really offering valet parking services, for a bar that has no mention of valet parking, in a shady part of town.

It's the same thing with downloads except people aren't careful because they treat everything on the web equally. Why? I don't know. Maybe because when they're sitting at home in front of the computer and they never even think that something bad could happen.

If these people treated their data the same way they treat their cars or if they treated porn sites the same way they treat some whorish part of town, they would think twice about a situation where they *didn't* ask or want to download anything but it's being offered.

But nothing will stop stupidity. I don't think there's any way to stop trojan horses. The very idea of a trojan horse is to find a way to fool someone into accepting a gift. There's no way to prevent this without removing every possible way to install something on the computer.

The only thing that can be done is minimizing the damage a trojan horse can cause. In this case, Apple still has some ways to go. But in doing so, Apple could cripple many apps that have specific needs. Perhaps any app that requires access to root should be restricted to signed apps or packages?

Warning messages, passwords, whatever...nothing will stop someone that really wants his gift. And bewbz are generally the best gift one can get.
( Last edited by Horsepoo!!!; Nov 1, 2007 at 04:57 PM. )
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Nov 1, 2007, 04:53 PM
 
Originally Posted by Peter:
Is there a way to run ClamAV via terminal?
Would like to be able to scan for viruses via ARD ...
Of course. ClamAV is an open source virus checker that began on Unix/Linux, not OS X. It is used to scan for viruses on many email servers, often in combination with amavis.
     
osiris
Addicted to MacNN
Join Date: Sep 2000
Location: Isle of Manhattan
Nov 1, 2007, 05:21 PM
 
Originally Posted by Peter:
You guys underestimate the number of non-tech-savvy Mac users there are.
Good point. I can only hope that Apple corrects this in a way that only Apple could.

I like the white list idea a lot, the only thing is that there would have to be a lot of sites signed into it, and it would need to be updated daily.
"Faster, faster! 'Till the thrill of speed overcomes the fear of death." - HST
     
Geobunny
Mac Elite
Join Date: Oct 2000
Location: Edinburgh, Scotland
Nov 1, 2007, 05:27 PM
 
Originally Posted by Horsepoo!!!:
Perhaps any app that requires access to root should be restricted to signed apps or packages?
Now that is a damn good idea, especially as packages already have the ability to be signed and Installer.app has the ability to verify them. However, there is a flaw: who would sign them? I doubt Apple would want the responsibility, and they probably don't have the manpower even if they did want to do it.
ClamXav - the free virus scanner for Mac OS X | Geobunny learns to fly
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Nov 1, 2007, 05:51 PM
 
Originally Posted by osiris:
Good point. I can only hope that Apple corrects this in a way that only Apple could.

I like the white list idea a lot, the only thing is that there would have to be a lot of sites signed into it, and it would need to be updated daily.
This is social engineering. You can't protect people from themselves. At what point does it stop? Eventually you get to a point where the computer is totally unusable because "something bad could happen."

We need to educate users. You can't protect people who have no common sense from themselves 100% of the time.
     
rem
Forum Regular
Join Date: Dec 2005
Nov 1, 2007, 06:07 PM
 
Isn't the argument against listing "trusted" sites that it gives users a false sense of security when in fact a so-called trusted site could be spoofed, hacked, whatever, so there's really no such thing as "trusted"?
     
osiris
Addicted to MacNN
Join Date: Sep 2000
Location: Isle of Manhattan
Nov 1, 2007, 06:08 PM
 
Originally Posted by Person Man:
This is social engineering. You can't protect people from themselves. At what point does it stop? Eventually you get to a point where the computer is totally unusable because "something bad could happen."

We need to educate users. You can't protect people who have no common sense from themselves 100% of the time.
OK then, a white list and an education. But I'm not sure where your social engineering comment came from.

A great example of your "something bad could happen so let's cripple the OS" is Windows - or the way Norton AV works on Macs. I would never want to live in that world.
"Faster, faster! 'Till the thrill of speed overcomes the fear of death." - HST
     
Horsepoo!!!
Banned
Join Date: Jun 2003
Nov 1, 2007, 06:10 PM
 
Originally Posted by Geobunny:
Now that is a damn good idea, especially as packages already have the ability to be signed and Installer.app has the ability to verify them. However, there is a flaw: who would sign them? I doubt Apple would want the responsibility, and they probably don't have the manpower even if they did want to do it.
Yeah, I don't know who would sign them...but I don't imagine it would be such a huge job considering not a whole lot of apps require administrator passwords. Even if there are two or three apps every day that require a password install, that's not a whole lot of work for a dedicated organization to check and sign. I'm almost sure there's less than one app a day on average that requires a password install.

One thing that's been bothering me is the following: what happens if this trojan horse is launched under Leopard? There's usually a message that pops up warning the user that the app or installer is being run for the first time and was downloaded from a certain site. Does this happen in this situation? While warnings won't deter a user from getting his codec to see boobies, the user can't say that he wasn't warned. Apple has established ways to warn the user to make sure he is aware that he is about to launch an untrusted file and to show him where it was downloaded from (to prevent some malicious person from pretending he is linking to an official codec or driver installer). If the user gets into the habit of simply dismissing this dialog, then I'm not sure it's up to Apple to offer more protection...since this is social engineering, no amount of protection will prevent a person dedicated enough to peek at his gift.
( Last edited by Horsepoo!!!; Nov 1, 2007 at 06:22 PM. )
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Nov 1, 2007, 06:49 PM
 
I guess I don't understand why this exploit is a big splash....

You've always been able to manipulate what sites people go to by creating entries in /etc/hosts, and it has always been possible to hijack certain networks and reroute requests.

At the end of the day, it's up to the user to take precautions to not access fake/falsified websites, and no OS bypasses this need.
     
Geobunny
Mac Elite
Join Date: Oct 2000
Location: Edinburgh, Scotland
Nov 1, 2007, 06:56 PM
 
Originally Posted by osiris:
OK then, a white list and an education. But I'm not sure where your social engineering comment came from.
That's just what it's called. See here and here.
ClamXav - the free virus scanner for Mac OS X | Geobunny learns to fly
     
::maroma::
Addicted to MacNN
Join Date: Jan 2002
Location: PDX
Nov 1, 2007, 07:11 PM
 
So how can any OS stop users from being completely and utterly idiotic?
     
mjankor
Junior Member
Join Date: Aug 2003
Nov 1, 2007, 07:13 PM
 
You can't stop people doing stupid things.

Hopefully two things will come about if more trojans start showing up.

First, I hope that application developers will try to minimise requests for passwords. There have been quite a few programs I've encountered in the past that have requested a password for no good reason. I'd like to see password requests kept to software that really does need it (Parallels, Fusion, drivers, etc) to eliminate the "boy who cried wolf" effect.

Second, I hope that people start to think about what putting their password into their computer means. People have to learn that their computer password is like the PIN on their bank card.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Nov 1, 2007, 07:36 PM
 
Originally Posted by rem:
Isn't the argument against listing "trusted" sites that it gives users a false sense of security when in fact a so-called trusted site could be spoofed, hacked, whatever, so there's really no such thing as "trusted"?
If one's DNS service has indeed been compromised, then you're right: nothing can be trusted. But if we all used the Internet with that level of paranoia, no one would do anything with their connections at all. I don't see a problem with the suggestion I made.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     