View Full Version : Mac Attack

Tar Devil
11-02-2007, 12:09 PM
Apple on Thursday confirmed reports of pornography Web sites where hidden software, once downloaded, could take control of an Apple computer. Apple did not immediately respond to claims that it is the first instance of a Trojan horse attack on Apple's Macintosh platform.


In Rare Attack, Virus Targets Macs (http://online.wsj.com/article/SB119401479695380513.html?mod=googlenews_wsj)

John of Phoenix
11-02-2007, 12:36 PM
"If we see a rise in Mac malware, then we will have to assume that there are profits to be made in malware for Macs as well," he wrote. "Stay tuned."

"As well"? What profits are made from screwing up someone's computer? I though hackers did it for the challenge.

Bruce Hooke
11-02-2007, 12:44 PM
Sadly, my understanding is that these days a lot of hacking* has indeed become more of a criminal enterprise devoted to at least a couple of means of making money:

1. Using the hacked computers as relays for spam. As I'm sure you've noticed, most spam is trying to get you to buy something, so there is very much money to be made with spam.

2. Installing keystroke loggers on people's computers in hopes of capturing passwords and other personal information that can be used to steal money from the person or sold to others.

*Actually, we should make a bit of a distinction here: "hacking" to some people means direct attempts to penetrate a particular (usually corporate or government) computer system. This is really rather different from more automated "attacks" such as viruses, malware, spyware and so on, which is what we are talking about here.

11-02-2007, 01:07 PM
I'm a piker with this stuff, but since I installed a new firewall I've gotten a bunch of attack notices, maybe a dozen a day. Don't know what they mean, they're in computer gobbledygook. I looked for a few days but it didn't mean much to me, and I've now turned off the notice balloons.

Strange, to me anyway. I guess this firewall alerts to some legitimate traffic as well as nefarious ones. I hope it's on its toes, but good luck getting anything serious out of this computer.

11-02-2007, 02:25 PM
Sadly, as the market share for macs increases expect to see more of this stuff.


11-02-2007, 02:42 PM
Well, it should be rather clear that there's money to be made. The Trojan Horse comes from a purveyor of porn, perhaps the industry experiencing the most growth from the internet and possibly the industry growing most at present in the Western world.

If you don't understand the connection between computer attacks and the porn industry, you're living in la la land!

The only time I ever tried to make sense of a PC was last winter. It was virus ridden and I attempted to clean it out. The first thing that happened to me when I opened IE was three popups for porn sites, which had gotten into the PC through the various viruses and trojan horses that were in there. I was actually trying to download Security Pack 2 for XP!

So much for computer security.

The Mac OS is designed so that one must fill out a login and password screen to install updates and new applications. The passwork has to be input at the time that one begins the installation, cannot be in the keychain. Although this Trojan Horse will take over the computer at the root level, it still will not do that if you simply cancel the password screen, but that does require that the user understand the importance of the login screen when installing or updating apps.

Trojan Horses of this type succeed on the backs of ignorant or inexperienced or undiscriminating users who doen't understand the importance of that login screen. For that reason I emphasize forcefully the importance of knowing what you're doing when you fill it in to all the people I teach to use their Macs.

11-02-2007, 02:44 PM
And yes, most Mac champions do realize that their relative imperviousness to such attacks has been partly a function of their tiny market share. In fact, the folks on my Mac Fora discuss the vulnerability of their Windoze partitions on their modern Macs pretty regularly.

Bruce Hooke
11-02-2007, 03:04 PM
I don't have any familiarity with the Mac OS, but I would just add that sometimes there are unintentional "back doors" that allow computer code to evade things like passwords and logins, so following proper procedures, while a good idea, is not necessarily a complete solution.

Joe (SoCal)
11-02-2007, 03:10 PM
OSX is essentially a UNIX based OS
UNIX is one of the most secure operating systems, Linux is also a UNIX based OS. MicroCrap is a hodge podge of code over an archaine machine based OS.

Bruce Hooke
11-02-2007, 04:07 PM
Yup, but nothing is perfect...

11-02-2007, 07:36 PM
So, from the Mac-L, here's an exact description of what a Mac user has to do to get infected with the Trojan Horse:

"With all the news about the new Mac trojan and possibility of more and the increasing popularity of the Mac which makes it a more tempting target, is it time to consider an anti-viral program for the Mac and if so, which are good?"


So far the only way for mal-ware to gain a foothold in your computer is for you to do something foolish. This trojan requires that you be on a porn site, (already a risky and foolish choice), and then comply with a request to *download* something (they tell you its a 'codec') from that untrusted site, and then you will discover it is a disk image file and you must open it, and then you will find you have opened an *installer* and must run the installer.

No anti-viral software will save a person that stupid from himself. None is needed for the reasonable cautious person."

11-02-2007, 07:57 PM
The Mac is definitely safer in that it raises hurdles against automatic downloads, but it is not perfect. Apple sends out security updates about once or twice a month to presumably patch holes in the OS or the applications that it identifies and fixes.

Here's an article about a zero day exploit in Safari.


Just google "zero day mac exploit" and read on for others.

Nicholas Carey
11-02-2007, 08:02 PM
It's not much of a "trojan horse" -- more like a door-to-door salesman :D

You have to work at getting infected. From the announcement (http://www.intego.com/news/ism0705.asp) of its discovery, the following has to happen to get infected:
Visit malicious web (porn) site.
Click on link to supposed free porn video.
Get redirected to web page that sez
Quicktime Player is unable to play movie file. Please click here (http://www.webpagesthatsuck.com/dailysucker/) to install new version of codec.
A disk image (*.dmg) file is downloaded to your machine.
If the user has adjusted their browser settings to make their browser less secure, the disk image will auto-mount. If they haven't, they'll need to manually mount the disk image.
In either event, the user will then have to double-click on the installer package (*.pkg) in the virtual disk which will fire up the OS X installer.
Should the user choose to proceed with the installation, they'll then be prompted and need to supply their userid/password to continue (and allow the infection).

Assuming that the user is a member of Wheel (the administrator's group), or is otherwise authorised as a user of sudo(8) (http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/sudo.8.html) [SuperUser DO], supplying their login credentials will then allow the installer to sudo as root and install the software.Anybody that does all this is, to be blunt, stupid :rolleyes: :o

Needless to say, the installed software is not a Quicktime codec. Two things are installed:
Software that uses scutil(8) and [URL="http://developer.apple.com/documentation/Darwin/Reference/ManPages/man5/resolver.5.html"]resolver(5) (http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/scutil.8.html) to install a new DSN resolver ahead of the standard DNS resolvers so as to hook and reroute requests for certain domain names to phishing sites or ads for porn sites.
A root crontab(5) (http://developer.apple.com/documentation/Darwin/Reference/ManPages/man5/crontab.5.html) is installed, so cron(8) (http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/cron.8.html) runs a job that checks once per minute to see if the DNS resolved is still configured and running.