A trojan is a trojan. It doesn't matter if it came from some obscure corner of the web or not, it still exists and it can still potentially deal damage to someone's system. There are risks to doing anything online. I'm sure you've seen plenty of trojans get leaked with trusted software. Anyways, I'm just tired of the excuses. If there's a trojan, just get it fixed, no reason to be in denial over it if it really exists.
As far as I can recall, this is the first trojan in the wild for OS X - instead of previous alarm bells that were just proof-of-concepts or whatever.
That is what made me publish it on OSNews today. There is no conspiracy.
Ah yes, the "I don't like this news, so it not news" approach.
MacOS makes a big deal about how their OS does not get viruses:
http://movies.apple.com/movies/us/apple/getamac_ads1/viruses_480x37...
It is therefore newsworthy if they are then affected by them. Simple.
And yes, I am aware of the difference between a virus and a trojan, and it makes no difference.
yes it does... because you still have to agree to install/run the program
So yes, OS X gets malware... but in Windows with IE all you have to do is surf a malicious website and suddenly you have malware without agreeing to it. Admittedly SP2 now USUALLY gives the option to install or not, but this certainly does not mean OS X is vulnerable to unassisted crapware.
This is just like a malicious wmv codec license, nothing more nothing less.
Just wait till there is one for Ubuntu, then Bill Gates will know his monopoly is over.
[Edit:] TYPO
Edited 2007-11-01 05:43
I don't think anybody is making excuses, because there is nothing anybody can do against a program that the user deliberately installs. I suppose if Safari automatically downloaded and installed it without the user's knowledge, then Apple could definitely be taken to task for it.
However, it does highlight the issue (at least to me) that the "Download 'safe' files" option should not be checked by default in Safari. Still, even with this option checked all it does is download and mount the image. Though that is definitely scary in itself, it still doesn't hurt the user's system until they install the program. This is far different from say, the drive-by download and install BHOs and ActiveX controls that plagued IE on Windows for so long.
The article does say that one thing the user can do to protect themselves is to buy the Intego VirusBarrier X4 which incidentally is available from the company that issued the release 
If there's a trojan, just get it fixed, no reason to be in denial over it if it really exists.
It's not the trojan but the user's willingness to bluntly install anything that pops up. According to the article the user got a message to install something (should ring a bell or two), the user had to give admin credentials (should bring you into defcon 3).
I instructed a lot of users not to install anything unless you downloaded it from a verifiable source and with good reason.
Sex sells and still attracts a lot of people. The internet is just another medium. And anything that works with files (software) can be abused, and sooner or later will be abused.
The article is nothing extraordinary. What in my opinion is more remarkable (mind, I'm not an OS X expert in any way) is the lack of adjusting the DNS server entries with the known OS X "it just works" user-friendliness.
This is a common ploy to get anything installed on a users machine.
I've seen more than just porn sites do this, although I've always seen the trojan being offered as a Windows .exe or ActiveX component. Software crack and hack sites have employed this style of attack for years now in the Windows world.
Interesting to see someone putting focus on OS X users.
I am always getting my Mac desktop littered with gobs of .exe files from some of the torrent sites and 'others' I visit. I assume it's from these sites trying to install trojans on Windows boxes.
Firefox on Mac does not know what to do with them so it just drops them down on the desktop like an attachment/download.
From Intego's website:
"If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator's password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download."
So tell me, how is this different from just going to one's home folder and deleting all files? Of course, if you go about installing everything every page suggests, there may be trouble, *especially* if this something wants admin privileges.
It's not like there's any vulnerability involved where you navigate to a malicious site and get infected automatically. Sheesh!
This "Critical" vulnerability is that you can download a program, authenticate yourself as an Administrator, and it doesn't do what it claims it will.
This is no security flaw in OS X. You could do the same thing for any other Internet-connected OS.
There's nothing OS developers can realistically do to prevent problems arising when the administrator of a machine can be tricked into something (which you can't do without preventing them from doing the things they bought the computer to do: the only solution is education).
Anybody claiming this to be a "flaw" in anything but human behaviour is headline-grabbing. Incidentally, who the hell are Intego anyway?
Edited 2007-10-31 21:40
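Whatever one makes of Intego's framing, the practical check a Mac user can run after an install like this is to look at what actually changed. The Intego text quoted above says the installer takes an admin password and thereby gets root, and an earlier comment notes that the payload rewrites the DNS server entries. The following Go auditor is an added example, not code from the page, from Intego or from Apple: it parses output in the layout `scutil --dns` prints on Mac OS X and flags any resolver outside an allowed set of networks. The embedded sample output is constructed (the 203.0.113.0/24 addresses come from a documentation range), and the RFC 1918 allowlist is an assumed policy; a managed fleet would list its own resolvers instead.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"os"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample (not captured from any real machine) in the layout
// `scutil --dns` prints. Resolver #1 is what a DHCP-configured home
// network looks like. Resolver #2 stands in for the post-infection state
// the thread describes: nameservers the user never configured.
const sampleScutil = `DNS configuration

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)

resolver #2
  nameserver[0] : 203.0.113.7
  nameserver[1] : 203.0.113.8
  order : 200000
`

// defaultAllowed is the assumed policy: resolvers must be on the local
// (RFC 1918) network. Replace with your own resolver list if you have one.
var defaultAllowed = []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"}

var nameserverLine = regexp.MustCompile(`^\s*nameserver\[\d+\]\s*:\s*(\S+)`)

// parseResolvers groups nameserver addresses by "resolver #N" block.
func parseResolvers(out string) map[int][]string {
	res := map[int][]string{}
	cur := 0
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "resolver #") {
			if _, err := fmt.Sscanf(line, "resolver #%d", &cur); err != nil {
				cur = 0 // malformed header: ignore lines until the next one
			}
			continue
		}
		if m := nameserverLine.FindStringSubmatch(line); m != nil && cur > 0 {
			res[cur] = append(res[cur], m[1])
		}
	}
	return res
}

// parseAllowed turns CIDR strings into networks; a bad policy entry is fatal.
func parseAllowed(cidrs []string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic("bad allowlist entry " + c + ": " + err.Error())
		}
		nets = append(nets, n)
	}
	return nets
}

// allowedIP reports whether s parses as an IP inside one of the networks.
func allowedIP(s string, allowed []*net.IPNet) bool {
	ip := net.ParseIP(s)
	if ip == nil {
		return false
	}
	for _, n := range allowed {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// unexpectedServers returns, sorted, every nameserver outside the allowed
// networks. Addresses that do not parse (e.g. a scoped "fe80::1%en0") are
// reported too: an auditor should fail closed rather than skip a line.
func unexpectedServers(out string, allowed []*net.IPNet) []string {
	var bad []string
	for _, servers := range parseResolvers(out) {
		for _, s := range servers {
			if !allowedIP(s, allowed) {
				bad = append(bad, s)
			}
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	out := sampleScutil
	if len(os.Args) > 1 && os.Args[1] == "-" { // `scutil --dns | ./dnsaudit -`
		b, err := io.ReadAll(os.Stdin)
		if err != nil {
			fmt.Fprintln(os.Stderr, "read stdin:", err)
			os.Exit(2)
		}
		out = string(b)
	}
	bad := unexpectedServers(out, parseAllowed(defaultAllowed))
	if len(bad) == 0 {
		fmt.Println("OK: all resolvers are inside the allowed networks")
		return
	}
	fmt.Println("WARNING: resolvers outside policy:", strings.Join(bad, ", "))
	os.Exit(1)
}
```

Run without arguments it audits the embedded sample and exits 1 on the two rogue resolvers; pipe real `scutil --dns` output in with `-` to audit a live machine. Checking the resolver list catches the effect the thread describes regardless of how the entries were changed, which is the point of auditing state rather than hunting for a specific installer.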
"""
There's nothing OS developers can realistically do to prevent problems arising when the administrator of a machine can be tricked into something
"""
Sure they can. The OS could require that all binaries be cryptographically signed by the OS vendor, and refuse to run them if they are not. All programs would have to be certified by the vendor. The hardware could require the same of the OS kernel, and refuse to run a kernel that isn't signed.
Yes, it *is* a horrid "solution", and a horrible idea. But it *is* something that could be done.
Signing things cryptographically won't get you anywhere. If anything it'd only certify that some certain piece of software came from vendor "A". That doesn't mean any malicious code in that software would be automatically disabled.
Unless you want Apple to sign each and every app out there separately after proving internally it doesn't do any damage - impossible task.
This would not be impossible at all. If malicious code is inserted by the developer, then the software could be un-certified by the OS maintainer. You could then have the option on whether to allow loading a kernel that allows certified or uncertified. For many servers this would be ideal as most software will remain more static throughout the lifetime of the installation.
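The three comments above between them describe a signed-binary gate: a loader that refuses anything the vendor has not signed, the objection that a signature only proves origin (vendor-signed malware passes just the same), and the reply that the maintainer can un-certify a program afterwards and that a kernel could offer a certified-only mode. The sketch below is an added example, not code from the page or from any OS vendor, showing those pieces together in Go: the vendor signs the SHA-256 of the program bytes with ed25519, and the loader checks signature, then revocation, then its own strictness setting. The `Vendor`/`Cert`/`Loader` types, the key pair and the sample "programs" are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Cert is the vendor's statement "I certify the program with exactly this
// SHA-256". Binding the signature to the bytes that execute (not to a name
// or bundle identifier) means a swapped or patched binary fails the check.
type Cert struct {
	Digest [32]byte
	Sig    []byte
}

// Vendor (assumed structure) holds the signing key plus the digests it has
// since un-certified.
type Vendor struct {
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	revoked map[[32]byte]bool
}

func NewVendor() *Vendor {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Vendor{pub: pub, priv: priv, revoked: map[[32]byte]bool{}}
}

// Certify signs the digest of a program. Note what it does NOT do: it never
// inspects behaviour, so a malicious program from a trusted developer gets
// the same certificate as a benign one.
func (v *Vendor) Certify(binary []byte) Cert {
	d := sha256.Sum256(binary)
	return Cert{Digest: d, Sig: ed25519.Sign(v.priv, d[:])}
}

// Revoke un-certifies a program after the fact (the maintainer pulling a
// certificate once malicious code is found in a release).
func (v *Vendor) Revoke(binary []byte) { v.revoked[sha256.Sum256(binary)] = true }

func (v *Vendor) IsRevoked(d [32]byte) bool { return v.revoked[d] }

// Loader is the kernel-side check. strict=true is the "certified only"
// mode; strict=false also runs unsigned programs, as a desktop would.
type Loader struct {
	trusted ed25519.PublicKey
	revoked func([32]byte) bool
	strict  bool
}

func (v *Vendor) Loader(strict bool) Loader {
	return Loader{trusted: v.pub, revoked: v.IsRevoked, strict: strict}
}

var (
	ErrUnsigned = errors.New("refusing to run: no valid vendor signature")
	ErrRevoked  = errors.New("refusing to run: vendor certificate revoked")
)

// MayRun returns nil when policy allows executing binary under cert c.
func (l Loader) MayRun(binary []byte, c *Cert) error {
	d := sha256.Sum256(binary)
	valid := c != nil && c.Digest == d && ed25519.Verify(l.trusted, d[:], c.Sig)
	switch {
	case valid && l.revoked(d):
		return ErrRevoked // an explicit pull is honoured in both modes
	case !valid && l.strict:
		return ErrUnsigned
	}
	// Reaching here proves only that the vendor signed these bytes,
	// not that they are harmless.
	return nil
}

func main() {
	v := NewVendor()
	good := []byte("constructed sample program: play video")         // benign
	evil := []byte("constructed sample program: change DNS servers") // the trojan
	goodCert, evilCert := v.Certify(good), v.Certify(evil)

	strict := v.Loader(true)
	fmt.Println("signed benign app:   ", strict.MayRun(good, &goodCert))
	fmt.Println("signed malicious app:", strict.MayRun(evil, &evilCert)) // nil: origin only
	fmt.Println("unsigned app:        ", strict.MayRun(good, nil))
	tampered := append(append([]byte{}, good...), " + payload"...)
	fmt.Println("tampered, old cert:  ", strict.MayRun(tampered, &goodCert))

	v.Revoke(evil) // maintainer un-certifies the release
	fmt.Println("after revocation:    ", strict.MayRun(evil, &evilCert))
	fmt.Println("permissive, unsigned:", v.Loader(false).MayRun(good, nil))
}
```

Two things the run makes visible: the signed malicious program is accepted exactly like the benign one, which is the objection raised above, and revocation only has teeth in strict mode, because in permissive mode an attacker simply drops the revoked certificate and the program runs as "unsigned". A real deployment would also have to distribute the revocation list and the vendor key to every loader, which is the part this sketch leaves out.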
As lame as this "Trojan" is, it's still a potential trend. Perhaps we should be shopping around for a comprehensive solution, because, after all, we are becoming a target.
Duck -[in a]- row?
"The vendor could still trojan you though."
... or the Country:
Germany Seeks Expansion of Computer Spying:
http://www.latimes.com/news/nationworld/world/la-fg-security30oct30...
http://yro.slashdot.org/yro/07/10/31/1955205.shtml
"The LA Times reports on a proposal to secretly scan suspects' hard drives which is causing unease in a nation with a history of official surveillance. Along with several other European countries, Germany is seeking authority to plant secret Trojan viruses into the computers of suspects that could scan files, photos, diagrams and voice recordings, record every keystroke typed and possibly even turn on webcams and microphones in an attempt to gain knowledge of attacks before they happen."
[from Slashdot]
If they're asking permission it's already happening, this could have ramifications for the US Military/Citizens in Germany.
They recently outlawed all "hacking tools" [ping to Nmap?] from use, even by security professionals.
... unarmed peasants anyone? If your copy of Nortons has the Disk Editor [or similar] included you could be taken in for a new portrait.
hylas
"this could have ramifications for the US Military/Citizens in Germany."
This would have no impact whatsoever on the US military, as German laws such as this do not intersect with US law. Although US bases are not "sovereign" territory such as an embassy, the US military is there after all as an occupying force. To put it bluntly and as nicely as I can, Germany really does not have any say. US citizens not employed through either the government or military are of course the same as any other citizen of a foreign nation.
We all know whether we are pro mac, Linux, or windows that this is by no means a vulnerability. If you download a file, run the installer, and authenticate with admin credentials you are installing applications.
Whether it is Office, iTunes, or "planet of the freakin ape's". This is complete BS and we should all be insulted by the sure thought that Intego would attempt to put this out.
This is not news, it is an attempt to capitalize on a newly released platform by a company selling antivirus.
Besides, who cares about such things you are never going to catch... now, if Apple instead would focus on changing the behavior of their string parsers from:
"hey, I see a URL, I better try to download and EXECUTE whatever it points to"
to
"hey, a string, well, I'll pass it along to whichever app needed it"
OS X would be a hell of a lot more secure.
To say OS X is less secure because of it is rubbish.
So you need to visit the actual site with the infected sites. Ok, might be hard, depends on your surfing habits.
After you find it, you'll need to download it, then mount the DMG, then run it, put in your password and you're infected.
If you have the Safe files off you have to go do all that manually.
Worse yet, in Leopard, anything you download seems to pop up an additional Window saying "You've opened this off the Internet at <blah> time and are you sure you want to open it, Internet Files can be dangerous" or something very close to that effect.
So you have to click Open again.
I wouldn't exactly panic when you have to perform half a dozen steps to actually get it installed, and it depends on if you actually hit a site with this exploit, so the chances would be extremely low.
Unlike the Windows counterpart, where with some viruses and trojans all you needed was to have your computer turned on and connected to the Internet.
There's a limit as to how much safety you can put into a computer without it affecting other users.
Sure you could prevent heaps of things from happening, but then it annoys the hell out of the power users who already know to avoid this crap and now they have a locked down OS they can't do what they want with because it's been dumbed down behind comprehension.
It's just good news I suppose.
Regardless of the antivirus people have, and spyware tools and every other prevention tool on the Internet.
If you practice safe hex, you'll be fine
Edited 2007-10-31 22:24
Mac users aren't trained by default to let anything that wants the Admin password have it.
Or, more specifically, Mac users basically don't run in admin mode at all.
Historically, most Mac programs require no special privileges at all, so when something asks for privileges, it sets off at least some alarm bell to think twice before entering your password.
But Windows users have for many years run in "admin" mode by default, thus alleviating that "annoying" popup. It seemed EVERYTHING you downloaded for Windows wanted admin privileges.
Hell, back in the day you couldn't play WarCraft 3 without being an admin (which is, you know, insane).
Anyway, since legit software tends to be much better behaved on the Mac than on Windows, that kind of training will reduce the impact of having a "Trojan in the wild".
Each first user on a Mac is an admin.
Yes, but being an admin is not the same as running in admin mode. By comparison, we have a lab of Windows-based computers at work, and on those computers being admin means running in admin mode. I don't have to retype my password every time I want to install software that mucks around with the system.
This company is so full of shit it hurts. They like to scare the Mac community into thinking there are threats everywhere.
Their own software does not work with Leopard. Hello Intego! How about fixing the damned software I purchased so it works with Leopard? You have had long enough!
Edited 2007-11-01 01:31
Their own software does not work with Leopard. Hello Intego! How about fixing the damned software I purchased so it works with Leopard? You have had long enough!
They didn't get the final bits until you did. Less than a week is long enough? Go take it up with Apple...
And that tripe got modded up? WTF?
I'm going to suggest that this is a critical security flaw, for one simple reason: there is no good reason for software to use an installer, never mind one that requires administrative access, in order for it to be operable. Like it or not Apple, and other vendors, have made the practice of installers that demand administrative access the norm. Because of this, users see responding to requests for administrative access as normal.
If that wasn't the case, Apple could create an effective and user friendly wrapper that all programs would have to go through. That wrapper would bar resource access unless the user explicitly allowed for it. And that wrapper doesn't have to be complex (from the user's perspective) either. It may simply pop-up with a dialog box on the first run and ask what the program is allowed to do. It could give convenient answers like: "access the internet", "access files in my directory", "access any file on my computer". Security experts could figure out the most effective way to present these options, so that the user realises that it is not normal for certain types of programs to access certain types of resources.
[T]here is no good reason for software to use an installer, never mind one that requires administrative access, in order for it to be operable... If that wasn't the case, Apple could create an effective and user friendly wrapper that all programs would have to go through.
Maybe I misunderstand you, but I don't have to run an installer every time I want to install new software. When I want to install Firefox or Lyx or some other program, I simply plop it into the Applications directory—done.
I'm not sure I agree with the second part of what you describe. It seems silly that I should have to give a browser that I download off the internet the explicit permission to access the internet, or even to access files in my directory.
"""
"""
Really? I'd say that a promiscuous app like a browser, making connections to sites we don't even know about (think banner ads, etc.) should be sandboxed. We should have an "Internet home dir" and a "Regular home dir". The browser should be chrooted to the sandboxed dir. The file manager would have access to both, so you can move files between them.
OK. Maybe not chrooted, since on Linux, at least, a chroot is not really a jail. But locked into that directory in such a way that escape is not trivial.
I don't want to have to download several, or even hundreds, of files to an internet home directory, then sort the files that I want to move out of that directory. I'm very happy downloading files into the directory I want them to be, and I don't need a nanny OS scolding me and telling me I can't do that. Even if it did, I would be no less vulnerable to the trojan horse cited in this story than I am now. Hmm... I want to view a film that requires a new codec, and installation requires the admin password?
If you are talking about forbidding the browser from running a script that reads files outside its cache (to avoid snoopers) that's another story, but I don't believe that we need the kind of system stated here to do that.
Your point about installers being awful, particularly on OS X, where you are trained to think that there's nothing special about app files, is accepted.
However, this is a really bad trojan horse implementation. I'm pretty sure you could design a trojan horse for OS X that doesn't require either an installer or admin privileges to work correctly -- anything that has the ability to execute code on the CPU should be sufficient. The majority of the data a trojan wants to capture is available to non-admin users.
The real solution to this problem should be some sort of MAC or RBAC, coupled with cryptographically signed binaries. Unfortunately, making a UI for this type of system is extremely difficult and you need to make sure to avoid the Vista "Allow or deny" type problems, while still allowing for appropriate security.
Package management on Linux makes this sort of system far easier to manage, so long as you trust the distribution's package repository and signed packages.
That's because Firefox did it right. At least on the Mac. But think of a program like NeoOffice, which does have an installer. It's probably easy enough to circumvent that installer if you have the technical knowledge (IIRC, installer bundles are just gzipped pax files), but the average computer user won't have a clue how to do a manual installation.
Alas, we don't live in 1977 anymore (or 1997, for that matter). The average piece of software will connect to a remote server, even if it does not have a particularly good reason to do so. The typical person now uses a multitude of programs and those programs are regularly upgraded, which makes them hard to vet. We store more valuable data on networked computers, which makes us more appealing targets. Programs like Firefox, IE, and Opera run code indiscriminately; and while it is possible to turn off things like ActiveX and Java, it is nearly impossible to turn off JavaScript and Flash. Particularly for the user who wants things to just work.
And while it is fine to say that we should educate people to avoid social engineering, so that technical solutions aren't needed for this more complex computing world, most of the education either falls into the category of "don't do that stuff", which leaves them out of the technology loop when they dearly want to be a part of it. The rest of that advice is so dynamic and broad ranging, because the criminals are adapting so quickly and use a lot of different tactics, that most people just cannot keep up.
Well, as far as I know, software that requires an installer is software that also installs libraries at a system level - like the iWork and iLife suites, Adobe CS and such, all of them complex applications.
I can perfectly well understand this requirement for some types of software, and I've not come across any application that asked for my admin password when I thought it shouldn't.
<quote>Well, as far as I know, software that requires an installer are those that also installs libraries on a system level - like the iWork and iLife suites, Adobe CS and such, all of them complex applications.</quote>
This is where I whole-heartedly disagree with you. Applications like iWork, iLife, and Adobe CS may be complex but they are fundamentally user-level applications.
Even breaking up an application into libraries, to share resources or reduce resource usage, is not really an excuse for forcing a user to use admin level access. IIRC, Mac OS X application bundles are versatile enough to have libraries bundled within them, which means that software can remain modular. IIRC, the ~/Library directory can also contain libraries. That means that it is possible to have shared libraries that are not installed at the system level. And that should be the case, because Apple made a fundamental mistake when they designed Mac OS X: the only administrative account allows the user to gain root level privileges.
Even things that need background processes need not be installed with administrative privileges. Developers could follow a practice that Microsoft used in the past: have a first-run script that asks the user to install certain files (including scripts that run in the background). If a user wants to let a user do so, then they can. If not, then they don't.
Is all of this a little inconvenient? Probably. It could even end up resembling Vista's UAC. Alas, we live in an age where computers store a lot of information that can make us more vulnerable to predators (or criminals). And some of us are even concerned about legitimate software doing things behind our back. (I forget whether it was iWeb or Garage Band, but one of them turned into a "telemarketer" when the new release of Garage Band came out.)
I see your point, but I still understand the need for some software having to be installed with admin privileges.
One solution would be to have applications that require admin privileges be digitally signed by Apple, as most applications don't.
This would also push developers to create software that keeps itself on a user-level.
Edited 2007-11-02 13:19