That Mac Trojan…

Unless you’ve been potholing for the past week or so, you’ll have heard of the Mac Trojan originally reported by Intego, makers of VirusBarrier, and later taken up by a number of other sources and resources. Most vendors are referring to it as OSX.RSPlug.A or OSX/Puper, and some have referred to its links to the W32/Puper or W32/Zlob families of Windows malware.

Here are some sound links you might find useful. (includes a snort signature).

The significance of this particular threat is not that it’s malware that affects Mac users: there’s lots of that, though most of it predates OS X and won’t work properly in an OS X environment. (NB: there are also macro viruses that might spread through Mac systems even though they don’t have a payload that works in that environment.) Nor is it the first OS X-specific threat: attempted OS X rootkits, Trojans, even the occasional “real” virus, are not common, but have been seen. It’s not a script kiddie “hey, look at me, I wrote a Mac Trojan” effort. It’s not a sophisticated “Proof of Concept” threat that gives the author bragging rights, but isn’t likely to be seen in the real world. Nor is it spreading, AutoStart worm-like, through the entire Mac world. But it is different. It indicates that criminal elements are thinking about the possibilities of infecting or exploiting Macs as well as Windows machines. It’s a basic but viable program from a “professional” source. It uses a similar programmatic and social engineering approach to malware used to exploit Windows machines for frankly criminal purposes. If the bad guys take home the feeling that it has ROI potential, it’s unlikely to be the only example we’ll ever see.

There are positives here, though. In general, most of the Mac community has reported this soberly and responsibly, rather than going for the kneejerk “Macs don’t have a malware problem” reaction, and that bodes well. If the more security-knowledgeable Mac people are taking the issue seriously, less sophisticated users are less likely to be misled. However, there are still people insisting that this isn’t a major problem, because it’s “only a Trojan, not a virus” and it requires the victim to give it permission to install (and because the anti-malware companies are stressing the low risk factor with this particular malware, rather than its potential as an indicator of future trends). However, those who are over-anxious to dismiss it as unimportant are missing some points.
(1) In the world of Windows, where most malware lives at present, volumes of malware that doesn’t (self-)replicate have exceeded volumes of replicative malware (worms and viruses, primarily) for a while.
(2) Not so long ago, viruses and worms that spread far and fast were the measure of success in malware distribution. Nowadays, with the professionalization of malware writing, the success of malware is better measured by its ability to steal data from any given system than it is by the number of systems infected by a single variant or subvariant.
(3) There’s a persistent myth in the Mac community that Windows malware is primarily “self-launching”: that is, it doesn’t need the victim to execute or install it, because it uses software vulnerabilities, drive-by downloads, buffer overflows and such to force itself onto a system without any action or attention from the computer user. Malware that does do this sort of thing exists, and has for many years (going back to some of the early network worms of the 1980s). But most malware -does- require user interaction.

Roger Grimes (a very sound researcher and writer) recently estimated that “86 percent of all announced vulnerabilities were client-side attacks requiring end-user interaction”. He doesn’t claim that his figure is definitive, and he didn’t cover all platforms or all vulnerabilities, but I suspect he’s in the right ballpark.

If we’re right, it suggests that malware which works by “social engineering” — tricking the victim into running malicious software, in this case — is more “successful” than malware that relies on exploiting software vulnerabilities. There are still those who claim that Mac users are smarter than Windows users, and won’t be fooled by social engineering. I’ve seen no evidence of that: in fact, I’d guess that, at the moment, Mac users with no particular security knowledge are particularly vulnerable in that they believe that their systems are so secure out of the box that they don’t need to know or to do anything about security.

Whatever happens next, and whether or not this is the tipping point where Mac users start to suffer like Windows users, I’m convinced that this is not the time for partisan bickering from either side of the Mac/Windows divide. This is a time to watch and learn, and seek out fact rather than prejudice.

Microsoft Live OneCare – May Need More Care

A number of news resources have already shown interest in Virus Bulletin’s [1] recent comparative test of antivirus scanners for Vista: for instance, the Register. [2] Not surprisingly, the inclusion of Microsoft’s own Live OneCare antivirus package received particular attention, and maybe its failure to achieve the VB100 award attracted more criticism than was strictly fair, simply because of the Microsoft brand name.

This morning, however, my attention was drawn to another item [3] about Microsoft’s plans to expand its security response and research operations into Europe and Asia. No-one – except maybe the company’s competitors – is likely to regard it as a Bad Thing for Microsoft to increase its investment in security, and the acquisition of AV luminaries like Jimmy Kuo and Katrin Tocheva won’t do their credibility any harm. It would be ungracious to stress that OneCare is not, in fact, Microsoft’s first excursion into antivirus scanning – a minimally rebranded version of Central Point Antivirus was supplied with the last versions of MS-DOS – since it seems to have been CNET that overlooked that fact, not Microsoft. MS was, however, probably hoping that no-one else remembers that particular fiasco – sorry, guys. 🙂

While the VB review tables show that OneCare missed 37 samples from the In the Wild (ItW) test set, Vinny Gullotto was quoted by CNET as saying that “We missed one virus in their collection.” In fact, Gullotto seems to be correct: close examination of the original review shows that the product lost out on the VB100 award because it missed “numerous samples” of a W32/Looked variant from the WildList set. Still, the numeric disparity does illustrate once more the complexities of interpreting – let alone conducting – antivirus testing. And with its Forefront business range of security solutions starting to loom, it’s reasonable to assume that MS will indeed be thinking more carefully about meeting the testing criteria for industry standard detection testing…

WARP factor

A couple of weeks ago, I co-chaired a workshop on the role of WARPs (Warnings, Advice and Reporting Points) in health and education. Since my job in the UK’s National Health Service has just disappeared, to be replaced in due course by one or more NHS WARPs, there’s a certain irony there. However, I do find the WARP culture rather interesting.

WARPs are an extension of the CERT/CSIRT concept. They’re intended to have some of the functionality of a full-blown CERT, though not generally the full technical response function. The theory is that a WARP will provide:

• An alert service in which the alerts are filtered to suit the specific needs and interests of the community the WARP serves.
• A limited helpdesk service.
• Somewhere to report incidents.

As you might expect with an initiative that arose from the UK Government CERT, there is a fairly stringent formal registration process for approved WARPs. However, other teams performing similar functions might benefit from exposure to a community of trust beyond the borders of their own organization. Certainly we could all benefit from shared experience and incident reporting, and the raising of security awareness and involvement at end-user level. And, since they can be run on a part-time or volunteer basis, WARPs can provide enhanced community security very economically.

OSX/Inqtana False Positive

It’s old news that Sophos briefly took their corporate eye off the ball and released an IDE (virus identity file) that incorrectly detected Inqtana.B in some application files on OS X Macs. While the incident seriously inconvenienced some users and sites by necessitating reinstallation of some misdiagnosed programs, the vendor did replace the offending file very quickly, apologised, and put in place measures to avoid a recurrence.

Worryingly, however, some have seen this incident as an argument for jettisoning commercial anti-virus in favour of an open source solution. Is there a place for volunteer AV in the workplace, though? As a supplement, sure, as long as the organization and the end-user realise the limitations of the genre. I don’t doubt the motives of the public-spirited purveyors of AV freeware. The AV commercial vendors are not whiter than white, and of course they have a commercial agenda, but they have to meet standards of functionality and support in order to stay in the market place. Perhaps now, when malware authors seem to have rediscovered the Mac platform, is not the best time to put all your worm-free Apples in one basket, or entrust the corporate crown jewels to software that doesn’t detect all known malware on that platform, offers no guarantees of freedom from future FPs, and doesn’t offer professional levels of service and technical support?