Intego, an antivirus company which usually has to sit around drumming its fingers while its long wait for a Mac virus to pop up goes on, has caught one: a "codec" download from a porn site which tricks users into installing a Trojan file that can take over their web browsing.
If you download the file and install it, it uses a sophisticated method to change the Mac's DNS server (the server that is used to look up the correspondences between domain names and IP addresses for web sites and other Internet services).
It's not a new trick - Windows users surfing for pr0n have been targeted in the same way for years - but Alex Eckelberry over at the (excellent) Sunbelt Software blog says that it is important news:
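A DNS-changer of this kind leaves a visible trace: the resolver list on the machine no longer matches what the network handed out. The script below is an added example (not from Intego, Sunbelt or the post) of a quick defender's check: it pulls the nameservers out of `scutil --dns`-style output and flags any that are not on an allowlist. The allowlist addresses and the sample `scutil` text are constructed; on a Mac it reads the live output, elsewhere it falls back to the embedded sample so it runs anywhere.

```shell
#!/bin/sh
# Added example: flag DNS resolvers that are not on an allowlist.
# On a Mac the data comes from `scutil --dns`; elsewhere a constructed sample is used.

# Constructed sample of `scutil --dns` output: resolver #1 points at the router,
# resolver #2 at two unexpected addresses (documentation-range placeholders).
SAMPLE_SCUTIL_DNS='DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Request A records

resolver #2
  domain   : local
  nameserver[0] : 203.0.113.7
  nameserver[1] : 203.0.113.8
  flags    : Request A records'

# Allowlist of resolvers this machine is expected to use (assumed values).
ALLOWED_DNS="192.168.1.1 192.168.1.2"

# extract_nameservers TEXT: print each distinct nameserver address on its own line
extract_nameservers() {
    printf '%s\n' "$1" | awk '/^ *nameserver\[/ { print $3 }' | sort -u
}

# rogue_nameservers TEXT ALLOWLIST: print the nameservers missing from ALLOWLIST
rogue_nameservers() {
    servers=$(extract_nameservers "$1")
    for s in $servers; do
        found=0
        for a in $2; do
            [ "$s" = "$a" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$s"
    done
    return 0
}

# audit_dns: read the live resolver list if scutil exists, else use the sample;
# returns 1 when an unexpected resolver is configured.
audit_dns() {
    if command -v scutil >/dev/null 2>&1; then
        text=$(scutil --dns)
    else
        text=$SAMPLE_SCUTIL_DNS
    fi
    rogue=$(rogue_nameservers "$text" "$ALLOWED_DNS")
    if [ -n "$rogue" ]; then
        echo "WARNING: unexpected DNS server(s) configured:"
        printf '  %s\n' $rogue
        return 1
    fi
    echo "DNS resolvers match the allowlist"
    return 0
}

audit_dns || echo "(audit flagged a problem)"
```

Run it from a login script or a monitoring agent; with the sample input it reports the two 203.0.113.x addresses. The comparison is deliberately an exact-match allowlist rather than a blocklist, because the whole point of the attack is that the rogue address is one you have never seen before.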
I don't mean to sound breathless about it. As far as we know, it's not widespread. But this is the first targeted, real attack on Mac users by a professional malware group.
It's that "professional" label that matters, he says:
when I showed our resident Mac guru this Trojan, his reaction was real surprise. In his words, "I've been using Macs since 1989. This is the first time I've seen something like this." This is a good story.
Again, I'm not trying to overhype. Mac users, hungry for pr0n, really do have to go through a few hoops to get this thing loaded. But we now have millions of new Mac devices out there, between the Touch and iPhone, running OSX.
The sole driving force behind malware these days is money. And this is simply a new market for these bad guys.
Let's not ourselves in the security space get complacent.
Because someone else might. At which point we note that eWeek has an interesting article in which various security researchers tear holes in the new firewall in Apple's Leopard, because
- it's not on by default; if you do an upgrade install, it will turn off the firewall you had on (as bad as Windows XP, in my view)
- you can't deny by service (or port), only by application - which is a step backward from OSX 10.4 ("Tiger"), where you could do port-based denial (ideally, you want both, of course)
- you can't distinguish between trusted and untrusted networks to join (Vista does this better)
- you can't block outbound services, which is usually the problem, rather than inbound
- "deny all" doesn't: "Heise's Schmidt was dismayed to find that choosing the option to block all incoming connections does not in fact stop connections—a finding that means users "can't rely on the firewall," he said."
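The first complaint on that list, that the firewall may silently be off after an upgrade install, is the easiest to check for. The script below is an added example (not from eWeek, Heise or Apple): it reads the application firewall's `globalstate` value from `/Library/Preferences/com.apple.alf` (a real preference key; 0 means off, 1 means per-application rules, 2 means block all incoming connections) and warns when nothing is filtering. On a non-Mac it uses a constructed sample value so the functions can still be exercised.

```shell
#!/bin/sh
# Added example: audit the Leopard application firewall's global state.
# Key and meanings: com.apple.alf globalstate = 0 off, 1 per-application
# rules ("set access for specific services and applications"), 2 block all incoming.

# alf_describe N: human-readable meaning of a globalstate value
alf_describe() {
    case "$1" in
        0) echo "off" ;;
        1) echo "on (per-application rules only)" ;;
        2) echo "on (block all incoming connections)" ;;
        *) echo "unknown value: $1" ;;
    esac
}

# alf_is_enabled N: succeed (0) if the firewall is filtering at all
alf_is_enabled() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# alf_audit: read the live value on a Mac; elsewhere use ALF_SAMPLE_STATE
# (constructed, defaults to 0 to mimic a fresh or upgrade install).
# Returns 1 when the firewall is off.
alf_audit() {
    if command -v defaults >/dev/null 2>&1 && [ -r /Library/Preferences/com.apple.alf.plist ]; then
        state=$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)
    else
        state=${ALF_SAMPLE_STATE:-0}
    fi
    echo "Application firewall: $(alf_describe "$state")"
    if alf_is_enabled "$state"; then
        # Even when on, these rules are per-application and inbound-only;
        # they do not filter by port and never block outbound connections.
        return 0
    fi
    echo "WARNING: firewall is off. Enable it under System Preferences > Security > Firewall and re-check after any upgrade install."
    return 1
}

alf_audit || echo "(audit flagged a problem)"
```

The check only answers the first question on the list (is it on at all?); the other four are design limitations that no setting of this preference changes, so port-level or outbound filtering on Leopard still has to come from something other than the application firewall.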
This leaves big holes:
It's not clear whether the bugs are relevant or if Apple has back-ported fixes, Schmidt said, but the worst-case scenario could have serious consequences, given that both Samba and ntpd run as root and don't appear to be supported by new sandbox functions in Leopard.
"If, therefore, a security problem which can be exploited remotely to inject and execute code is detected, an attacker could gain complete control over the system—with all the consequences this entails, right up to mass distribution via a worm," Schmidt said in his posting.
Moral: let's be careful out there. And don't trust pr0n sites which say "Just download this codec to view our movies!"