That Mac Trojan…

Unless you’ve been potholing for the past week or so, you’ll have heard of the Mac Trojan originally reported by Intego, makers of VirusBarrier, at http://www.intego.com/news/ism0705.asp, and later taken up by a number of other sources and resources. Most vendors are referring to it as OSX.RSPlug.A or OSX/Puper, and some have referred to its links to the W32/Puper or W32/Zlob families of Windows malware.

Here are some sound links you might find useful.

http://www.f-secure.com/v-descs/trojan_osx_dnschanger.shtml
http://vil.nai.com/vil/content/v_143511.htm
http://www.sophos.com/security/analyses/osxrspluga.html
http://www.avertlabs.com/research/blog/
http://www.avertlabs.com/research/blog/index.php/2007/10/31/crimeware-comes-to-os-x/
http://isc.sans.org/diary.html?storyid=3595
http://sunbeltblog.blogspot.com/
http://www.us-cert.gov/current/#mac_dns_changer_trojan
http://www.sophos.com/pressoffice/news/articles/2007/11/mac-osx-trojan.html
http://www.bleedingthreats.net/index.php/2007/11/01/sig-for-the-new-mac-trojan/ (includes a snort signature).

The significance of this particular threat is not that it’s malware that affects Mac users: there’s lots of that, though most of it predates OS X and won’t work properly in an OS X environment. (NB: there are also macro viruses that might spread through Mac systems even though they don’t have a payload that works in that environment.) Nor is it the first OS X-specific threat: attempted OS X rootkits, Trojans, even the occasional “real” virus, are not common, but have been seen. It’s not a script kiddie “hey, look at me, I wrote a Mac Trojan” effort. It’s not a sophisticated “Proof of Concept” threat that gives the author bragging rights but isn’t likely to be seen in the real world. Nor is it spreading, AutoStart worm-like, through the entire Mac world. But it is different. It indicates that criminal elements are thinking about the possibilities of infecting or exploiting Macs as well as Windows machines. It’s a basic but viable program from a “professional” source. It uses a programmatic and social-engineering approach similar to that of the malware used to exploit Windows machines for frankly criminal purposes. If the bad guys take home the feeling that it has ROI potential, it’s unlikely to be the only example we’ll ever see.

There are positives here, though. In general, most of the Mac community has reported this soberly and responsibly, rather than going for the kneejerk “Macs don’t have a malware problem” reaction, and that bodes well. If the more security-knowledgeable Mac people are taking the issue seriously, less sophisticated users are less likely to be misled. However, there are still people insisting that this isn’t a major problem, because it’s “only a Trojan, not a virus” and it requires the victim to give it permission to install (and because the anti-malware companies are stressing the low risk factor of this particular malware, rather than its potential as an indicator of future trends). Those who are over-anxious to dismiss it as unimportant are missing some points.
(1) In the world of Windows, where most malware lives at present, volumes of malware that doesn’t (self-)replicate have exceeded volumes of replicative malware (worms and viruses, primarily) for a while.
(2) Not so long ago, viruses and worms that spread far and fast were the measure of success in malware distribution. Nowadays, with the professionalization of malware writing, the success of malware is better measured by its ability to steal data from any given system than it is by the number of systems infected by a single variant or subvariant.
(3) There’s a persistent myth in the Mac community that Windows malware is primarily “self-launching”: that is, it doesn’t need the victim to execute or install it, because it uses software vulnerabilities, drive-by downloads, buffer overflows and such to force itself onto a system without any action or attention from the computer user. Malware that does do this sort of thing exists, and has for many years (going back to some of the early network worms of the 1980s). But most malware does require user interaction.

Roger Grimes (a very sound researcher and writer) recently estimated (http://www.infoworld.com/article/07/10/19/42OPsecadvise-insider-threats_1.html) that “86 percent of all announced vulnerabilities were client-side attacks requiring end-user interaction”. He doesn’t claim that his figure is definitive, and he didn’t cover all platforms or all vulnerabilities, but I suspect he’s in the right ballpark.

If we’re right, it suggests that malware which works by “social engineering” — tricking the victim into running malicious software, in this case — is more “successful” than malware that relies on exploiting software vulnerabilities. There are still those who claim that Mac users are smarter than Windows users, and won’t be fooled by social engineering. I’ve seen no evidence of that: in fact, I’d guess that, at the moment, Mac users with no particular security knowledge are particularly vulnerable in that they believe that their systems are so secure out of the box that they don’t need to know or to do anything about security.

Whatever happens next, and whether or not this is the tipping point where Mac users start to suffer like Windows users, I’m convinced that this is not the time for partisan bickering from either side of the Mac/Windows divide. This is a time to watch and learn, and seek out fact rather than prejudice.