Free Republic

Mac threats may be rare, but they do pop up from time to time. In June 2008, for example, Mac security vendor Intego warned of an active Trojan horse that exploited a vulnerability in Apple's Mac OS X.

FUD! There was no "active Trojan Horse" in the wild. In fact, the ARDAgent vulnerability was announced by Apple when they patched it. What Gregg Keizer and Computerworld were reporting was not an active, in-the-wild Trojan but a DISCUSSION on a hacker board about what kind of things COULD be done with a Mac IF they could get such an ARDAgent Trojan installed, and IF the Root user was activated on that computer. While the ARDAgent buffer overflow DID exist, and was patched in both Tiger and Leopard, the Trojan DID NOT and DOES NOT EXIST! This was merely a theoretical discussion by people who did not know how to actually accomplish what they were theorizing about.

"Computerworld (June 21, 2008) - Security researchers reported last week that they have spotted a Mac Trojan horse in the wild that could compromise machines running Apple Inc.'s Mac OS X 10.4 or 10.5.

Last Thursday, SecureMac, a Mac-specific vendor of antivirus tools, posted an alert saying that its researchers had found a Trojan horse, dubbed "AppleScript.THT," being distributed from a hacker-operated site where discussions of spreading the malware via iChat, Apple's instant messaging and video chat software, were also taking place.

The company classified the threat posed by the Trojan as "critical."

The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger's and Leopard's Remote Management component. Composed as a compiled AppleScript, or in another variant, script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac."

Since ROOT is not activated on Mac OS X by default, the proposed malware could not have "gain(ed) full control of the victimized Mac."

The article in Computerworld that announced this "active Mac Trojan" garnered all of eight comments... hardly what would be expected of a major critical Trojan in the wild.

Last January, a different Trojan was found piggybacking on pirated copies of Apple's iWork '09 application suite circulating on file-sharing sites.

1 posted on 09/25/2009 8:32:01 PM PDT by Swordmaker


To: All
Last January, a different Trojan was found piggybacking on pirated copies of Apple's iWork '09 application suite circulating on file-sharing sites.

This is true. Someone put up a modified copy of Apple's iWork '09 Free Trial Version (which could have been downloaded for free from Apple's website) with a Trojan attached to two BitTorrent sites.

However, the bogus, adulterated files were quickly discovered and taken down. The BitTorrent sites reported that the total downloads while the files had been available were in the "dozens." The Trojan, on analysis, did not do what it was designed to do, which was to send a copy of itself to every address in the infected Mac's address book. It didn't work.

2 posted on 09/25/2009 8:49:53 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: ~Kim4VRWC's~; 1234; 50mm; 6SJ7; Abundy; Action-America; acoulterfan; Aliska; altair; ...
AH, the smell of anti-Mac FUD is in the air... and on the web... as Microsoft prepares to release Windows 7—PING!


Mac FUD, again Ping!

If you want on or off the Mac Ping List, Freepmail me.

3 posted on 09/25/2009 8:53:26 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Swordmaker

6 posted on 09/25/2009 9:29:42 PM PDT by JoeProBono (A closed mouth gathers no feet)

To: Swordmaker

bookmark


8 posted on 09/25/2009 10:58:42 PM PDT by GOP Poet

To: All
Why this article is FUD!

I have just reviewed the actual report on "THE PARTNERKA – WHAT IS IT, AND WHY SHOULD YOU CARE?" (PDF reader required for non-Mac users.) It's really a quite interesting look into the seamy underbelly of Internet Commerce.

With its breathless, scare-tactic FUD headline, Computerworld gives the impression this researcher was researching Macs and their vulnerabilities. However, the thrust of the article is not about Apple, Macs, or even "hijacked computers." In the entire six pages of the report, the string "Mac" is found only five times referring to Mac computers, four of them in the following paragraph:

"Mac users are not immune to the scareware threat. In fact, there are ‘codec-partnerka’ dedicated to the sale and promotion of fake Mac software. One of the recent examples is Mac-codec.com. At the time of writing this article, the site is no longer available, but just a few months ago it was offering $0.43 for each install and offered various promo materials in the form of MacOS ‘video players’."

The Mac paragraph, which is included in the article out of the blue, is dropped almost jarringly into the middle of a section discussing the lucrative profits "partner" websites can garner from participation in these unethical and criminal practices. The placement of the Mac paragraph appears to be a non sequitur in relation to the overall topic of the section. I get the impression that the author was told to mention in his article that Macs are vulnerable. It appears to be an afterthought.

The other instance of "Mac" is in the heading for a graphic of the mentioned Mac-codec.com site. That there were Mac Trojan Codec download sites is not news. The first of the two known Codec Trojans appeared almost three years ago. Macs are not mentioned again, anywhere in the article.

As I said, the comments about Macs are not at all the thrust of the research or the subject of the article, but Computerworld leads its article with "Hackers pay 43 cents per hijacked Mac" even though the dollar value of the infected Windows machines is apparently much higher because of the opportunity for each to infect other PCs. What they are talking about in that one paragraph is that Mac users can be susceptible to the social engineering used by malware purveyors to peddle their wares, or to induce a mark to download their Trojan. It really has nothing to do with the OS. Just like all other computer users, Mac users are human.

The report DOES NOT even relate to "hijacked computers" except secondarily. What it does investigate and discuss is the Russian connection to the sale of Canadian Pharmaceuticals through spammed email, Trojan video codecs, and useless, Scareware anti-malware applications and the websites that host the scareware. The first, Canadian Pharms, is almost legit except for the spam used to market it, compared to the other two.

The Scareware has to do with ad pop-ups that announce to the user that the XYZ Anti-Virus company has scanned their computer and found it infected with a virus and offers to remove it. Clicking on the pop-up ad takes the user to a site to buy the "cure" for the found viruses. Buyers of the anti-virus receive nothing of value. Websites that agree to use this underhanded scareware approach to sales receive a commission of up to $30 per sale from the publisher. While there have been a few reports of platform-selective pop-up warnings, very few Mac users would believe the warning or accept the offer because they "know" their computers don't get viruses; however, apparently lots of Windows users, expecting viruses, will.

Alternatively, the video codec scam involves another version of the pop-up, usually found on bogus porn sites, which would announce that a specific codec is needed to view the content on the bogus site. Clicking on it would start a download of the required "Codec", which is actually a Trojan Horse for either Mac (only two varieties with about a dozen variants) or Windows (thousands of possible malware). On a Mac, the user will be presented with a warning that the downloaded file contains an executable application and given a chance to cancel the download. The Mac OS will again warn the user when he first runs the bogus application, giving the user a chance to stop the run. On Windows machines, the download installs automatically. In either case, the website operator is compensated for the download.

Because of all the warnings on the Mac, the odds of any user actually installing the fake Codec are slim. In addition, because of the lack of other viable re-transmission vectors for OSX, infecting a Mac is highly unlikely to result in any more infected Macs, thus not resulting in the huge botnets that are so lucrative to such malware purveyors. Perhaps this is the reason that a Mac Trojan Codec download was worth only 43¢. The website, Mac-Codec.com is now defunct, probably because so few Macs were being infected with the Codec.

10 posted on 09/25/2009 11:45:25 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
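The download and first-run warnings described in the post above are driven by a per-file marker that quarantine-aware applications (browsers, mail clients) attach to what they save. As an added example, not code from the thread or from any product it mentions, here is a small triage helper an incident responder could use to find which downloaded files in an inventory still carry that marker, what downloaded them and when. The attribute name `com.apple.quarantine` is real; the field layout assumed here (`flags;download-time-hex;agent;uuid`) is what the attribute looks like in practice but is not formally documented, the "executable" suffix list is a heuristic, and the inventory is constructed sample data standing in for the output of `xattr -p com.apple.quarantine` run over a Downloads folder.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumed layout of a com.apple.quarantine value (semicolon-separated):
#   <flags in hex>;<download time as hex Unix seconds>;<agent name>;<record UUID>
# The first three fields are required here; the UUID may be absent.
@dataclass
class QuarantineRecord:
    flags: int
    downloaded_at: datetime
    agent: str
    uuid: str

def parse_quarantine(value: str) -> QuarantineRecord:
    """Parse one com.apple.quarantine attribute value into a record."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine value: {value!r}")
    flags = int(parts[0], 16)
    seconds = int(parts[1], 16)
    downloaded_at = datetime.fromtimestamp(seconds, tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 else ""
    return QuarantineRecord(flags, downloaded_at, parts[2], uuid)

# Suffixes that run code when opened. Triage heuristic only, not an
# authoritative list of executable formats.
EXECUTABLE_SUFFIXES = (".app", ".pkg", ".mpkg", ".dmg", ".command", ".sh")

# Constructed inventory: (path, quarantine value or None if the file has no
# quarantine attribute). Timestamp 0x49f1c5a0 is a date in April 2009.
SAMPLE_INVENTORY: List[Tuple[str, Optional[str]]] = [
    ("/Users/demo/Downloads/report.pdf",
     "0081;49f1c5a0;Safari;0E3B1D2C-1111-2222-3333-444455556666"),
    ("/Users/demo/Downloads/MacCodecSetup.dmg",
     "0081;49f1c5a0;Firefox;7A8B9C0D-1111-2222-3333-444455556666"),
    ("/Users/demo/Downloads/notes.txt", None),            # never quarantined
    ("/Users/demo/Downloads/Installer.pkg", "0081;49f1c5a0;Safari"),  # no UUID
]

def quarantined_executables(inventory) -> List[Tuple[str, QuarantineRecord]]:
    """Return (path, record) for files that look executable and still carry a
    quarantine record, i.e. were saved by a quarantine-aware application."""
    hits = []
    for path, value in inventory:
        if value is None:
            continue
        if not path.lower().endswith(EXECUTABLE_SUFFIXES):
            continue
        hits.append((path, parse_quarantine(value)))
    return hits

def summarize(inventory) -> Dict[str, List[str]]:
    """Group quarantined executables by the agent that downloaded them, which
    answers 'what did each browser pull down?' during triage."""
    by_agent: Dict[str, List[str]] = {}
    for path, rec in quarantined_executables(inventory):
        by_agent.setdefault(rec.agent, []).append(path)
    return by_agent

if __name__ == "__main__":
    for path, rec in quarantined_executables(SAMPLE_INVENTORY):
        print(f"{rec.downloaded_at.isoformat()} {rec.agent:8s} {path}")
    print(summarize(SAMPLE_INVENTORY))
```

Files with no quarantine attribute are skipped rather than flagged: a file that was never quarantined may simply have been created locally, so absence of the marker is not evidence either way, while its presence on an installer or disk image tells you a quarantine-aware program downloaded it and when.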

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson