Malware authors take aim at growing number of Macs

In November, I wrote that many Windows users who are switching to the Mac are doing so because they're fed up with viruses, spyware and other threats aimed at the platform. Many are victims of malware that often relies on social engineering to infect a system. They're enticed into taking some action that places malevolent code on their machines. In other words, these users' bad computing habits are a major cause of their own woes.

These security-clueless folks, I wrote, are now bringing those bad habits to the Macintosh platform, and according to a new story on Times Online, the bad guys are starting to notice. With Apple's market share now around 8.5 percent -- and growing quickly, with sales of almost 2.5 million Macs in the last quarter -- these Mac newbies are a tempting target for profit-minded cybercriminals.

The "OSX/Hovdy-A Trojan" referred to in the article has never been seen in the wild. In fact, it is not even a proof-of-concept malware.

As reported here on FR, Hovdy-A was merely a discussion in a hackers forum about how malware writers MIGHT exploit a newly found vulnerability in OSX. They postulated that it might be included in an Applescript that someone might download... another suggested that it be put into an Application—he suggested a Poker game. Some even went so far as to write some sample scripts... none of which were actually workable.

The list of things that Hovdy-A "does":

disable system logging and delete system log files
start PHPShell and web server
start ARD, VNC and SSH services
disable system updates
open ports in the firewall
disable third party security software
install LogKext keylogger
steal various password hashes and keys which may be used to compromise other systems

was merely speculation offered by various comments on the thread about the ARDAgent vulnerability. The fact is that it does NONE of those things.

The last comment in the Sophos listing for OSX.Hovdy-A, "OSX/Hovdy-A will also attempt to use the ARDAgent vulnerability to obtain root access," is particularly funny—it is ONLY through exploiting the ARDAgent;s permission to run as ROOT would it be able do ANY of the preceding list items!

If this "trojan" could do all of what was listed, it would have garnered a far higher threat rating than "slightly-higher-than-low."

The vulnerability can be negated by simply moving ARDAgent to another directory, renaming ARDAgent, changing the permissions of ARDAgent, or merely running ARDAgent for yourself.

I picked up some kind of persistent pop up on my 6 month old iMac from a eMail link to a you tube video yesterday and I had to do a force quit of my Camino browser. I should have written down what it said but it claimed it was a anti adware for windows XP and I don't have MSFT on my box.

The wording was poor grammar similar to the “All your bases are belong to us”

I don't use Camino. However, Safari has a built in Pop-Blocker that is very good.

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.