FW: Hacker writes easy-to-use Mac Trojan

noah_swanson
New Contributor

Anyone heard of Apple addressing this? We use McAfee on Macs and PC’s here so we’ve asked them for any feedback. Just thought I’d see if anyone else has heard anything.

http://www.computerworld.com/s/article/9211659/Hacker_writes_easy_to_use_Mac_Trojan?source=CTWNLE_nl...

Thanks,
Noah Swanson
Imaging Specialist
Enterprise Desktop Services
Phone: 309-765-3153
SwansonNoah at johndeere.com


talkingmoose
Moderator
On 3/1/11 7:10 AM, "Swanson Noah" <SwansonNoah at JohnDeere.com> wrote: Anyone heard of Apple addressing this? We use McAfee on Macs and PC's here so we've asked them for any feedback. Just thought I'd see if anyone else has heard anything.

I've read about it but so far the reports seem pretty benign. The Trojan's
not even full-fledged yet according to the articles. And like any other
Trojan, it requires social engineering and an admin account to work.
Nothing new, just different. Worth being aware, though.

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

noah_swanson
New Contributor

Yeah, I know our McAfee guys in the office are going crazy over it "OH THEY HAVE A MAC VIRUS NOW". There have been "scares" like this before, but like you said, no one has really done the "dirty part".

Thanks for the input!
Noah

Not applicable

Yeah - and if it was true, that would bring the score to something like 200,000 to 1

-- John DeTroye Email: johnd at apple.com
Sr. Consulting Engineer Systems Management Specialist
Edu IT resources - http://www.apple.com/education/resources/information-technology.html

Not applicable

huge difference between a virus and a trojan.

a virus propagates on its own without user knowledge or credentials. a trojan can be engineered that way but it mainly carries a payload that causes bad things. getting that payload into your systems is what a virus may do.

if any of these so called experts can show how either a trojan or a virus can infect a mac without user/admin knowledge and credentials, then you have something to go "crazy" over.

so far, the best i can see, all that's out there require some form of admin aware installation before they can do bad things. and after they are on one system (with admin permission) they have no way to propagate on their own.

the worst these things can do is infect one system with admin authentication and then not spread - that's the worst. i.e. no propagation. the only attack vector is asking for admin credentials to install itself.

i may be wrong and would love to be corrected. i have presented this question to many a windows security expert who responded with bewildered silence.

am i wrong?

cv

tlarkin
Honored Contributor

In security the human being is always the weakest link. If you ever
read any Mitnick you would be way aware of this. Case in point, if I
wanted to write a trojan that gives me back door access to a system I
could easily with very little programming skills do so. Then embed this
Trojan into say a common software suite like iLife, then distribute
iLife over P2P networks and distribute my Trojan. Since iLife will
install things in /Library it will ask for admin rights to do so. When
a user inputs their admin rights, they are allowing me to root the
machine.

This is nothing new and has existed since the beginning of OS X. If
you fool the user into installing faulty software then you fool them. There is no protection against such things.

However, since we all use legit software and test it out before hand,
this should circumvent any Trojan from being deployed in your
environment. Unless users are admins, then well, you just gotta deal
with that.

-Tom

rmanly
Contributor III

I sent this to my guys... ;)

***

This article hit the blogosphere this morning:

http://www.macworld.com/article/158175/2011/02/mac_trojan.html
http://www.pcworld.com/businesscenter/article/220823/hacker_writes_easytouse_mac_trojan.html

Here is some follow-up:

http://ithreats.net/2011/02/25/rat-blackhole/
http://blog.intego.com/2011/02/28/black-hole-rat-is-really-no-big-deal/

This software comes in a Client & Server configuration. The Server
runs on an "infected" machine and the user interacts with the remote
Client. This software provides functionality similar to the old "Back
Orifice" tool from the late 90's. Sophos' free AV tools already detect
this on Mac OS so I am sure the corporate versions do as well, if not
I have taken other precautions.

At this point Sophos, Symantec, and Intego all agree that the software
is not currently in the wild. Given the nature of the software it will
likely be embedded in some other free utility or game etc. that asks
for an admin password to install.

I have added both the client and server to Casper's restricted
software list. When either are detected a message will be displayed on
screen and the software will be killed and deleted. When the client is
run a pop-up will appear on screen that says "NO NO NO" :) When the
server is detected a pop-up will appear stating "A Virus has just been
removed from your computer. Please be more careful."

If you want to inspect this software it is available here:

http://www.mediafire.com/?rv44oqvj9rl37n1

They have a fun little puzzle to get the Password to actually run it.
Which I am sure will be readily available with a quick Google search
shortly. Good luck :)

Ryan M. Manly
Glenbrook High Schools

talkingmoose
Moderator

On 3/1/11 10:26 AM, "Thomas Larkin" <tlarki at kckps.org> wrote:

If folks here haven't read the Art of Deception by Kevin Mitnick then I
encourage them to do so. It's not only a really fun read but an eye
opener, even for the non-technical person!

<http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/076454280X>

--

William Smith
Technical Analyst
Merrill Communications LLC
(651) 632-1492

jstrauss
Contributor

And some of Bruce Schneier's books talk about the human aspect of
security, too.

http://www.schneier.com/

tlarkin
Honored Contributor

I like how you think Ryan, good call on the restricted software
functionality in Casper.

Ok, Cool story bro time....

A few years ago I was helping someone on a mac centric forum and they
said they were being hacked. After some investigation they sure were
being hacked, and someone had popped a ssh account on their machine and
was accessing it from China. Long story short, it all came from a free
flash game the guy had downloaded to play 'off line' on his Mac.

Moral of the story is, don't install software unless you know it is a
reputable company providing it.

donmontalvo
Esteemed Contributor III

Yep, although I can imagine a script kiddie could whip together an "rm -Rf /*" script that'll run fine once a user authenticates. :)

Personally, if users didn't have admin rights (and we harden the box), I wouldn't worry about this kind of stuff. Unfortunately enterprise environments mean someone is liable, so we have to have AV stuff installed and configured, not that it would protect a box more than taking away admin rights...it's just that the latter isn't always possible.

Don

--
https://donmontalvo.com