Mac users warned of web-based malware threats




MacBytes
Mar 25, 2009, 09:09 AM

Category: News and Press Releases
Link: Mac users warned of web-based malware threats (http://www.macbytes.com/link.php?sid=20090325090948)
Description: Mac users should be on their guard against websites hosting malicious code designed to infect their systems. The advice follows the discovery of a new version of the OSX/RSPlug Trojan horse that is being distributed via a legitimate-looking website offering HDTV software.

Posted on MacBytes.com (http://www.macbytes.com)
Approved by Mudbug



Tallest Skil
Mar 25, 2009, 09:17 AM
A screenshot or URL of this "legitimate-looking website" would be nice.

I guess I'm not in the market for an HDTV for a while, then.

This'll be fixed in a week or so, either with 10.5.7 or a new Security Update, so I'm not too worried.

GekkePrutser
Mar 25, 2009, 09:30 AM
A screenshot or URL of this "legitimate-looking website" would be nice.

I guess I'm not in the market for an HDTV for a while, then.

This'll be fixed in a week or so, either with 10.5.7 or a new Security Update, so I'm not too worried.

A video of the site in question is available in the linked article. It seems to be a website for some kind of HDTV player program.

Also, in the video it seems that it only actually downloads the Trojan when the user starts downloading the offered software (.dmg)

Kilamite
Mar 25, 2009, 09:31 AM
Again.. it is user ignorance that will determine whether they get infected or not.

chuckcalo
Mar 25, 2009, 09:37 AM
Right where I thought I was unbeatable with my Mac.

Sky Blue
Mar 25, 2009, 09:39 AM
A screenshot or URL of this "legitimate-looking website" would be nice.

I guess I'm not in the market for an HDTV for a while, then.

This'll be fixed in a week or so, either with 10.5.7 or a new Security Update, so I'm not too worried.

How about a video?

http://www.sophos.com/blogs/gc/g/2009/03/25/apple-mac-malware-caught-camera/

Kilamite
Mar 25, 2009, 09:45 AM
Okay, I guess I take back the ignorance bit after watching the video.

All it would take is for someone to clone a popular site (HandBrake, Plex, etc.) and instead of downloading that app you are downloading the trojan. And I guess it would be quite difficult to tell the difference.

GekkePrutser
Mar 25, 2009, 09:52 AM
Again.. it is user ignorance that will determine whether they get infected or not.

Yeah, but a good OS should at least try to protect the user from doing things that could be harmful. You can't expect every user to be as much of an expert as most of us MacRumors regulars would be.

I do think, however, that Mac OS is already doing ok in that department. It will warn the user before opening downloaded files that they may be harmful, and once this site has been added to the list of known malware sites, Safari will even issue its usual warning before even showing it.

There's also the balance between freedom of choice and safety. If Apple would check every app before it is allowed to install it (as they do on the iPhone), this couldn't happen anymore. It would be way too big a compromise for me, as a power user, though. Although I can imagine that some users would actually benefit from and appreciate such a scheme for the safety it offers.

Kilamite
Mar 25, 2009, 10:07 AM
There's also the balance between freedom of choice and safety. If Apple would check every app before it is allowed to install it (as they do on the iPhone), this couldn't happen anymore. It would be way too big a compromise for me, as a power user, though. Although I can imagine that some users would actually benefit from and appreciate such a scheme for the safety it offers.

There was a rumour about that. Apple could do it both ways - offer a secure set of 3rd party applications and then just let users install whatever they want at their own risk.

With the applications on Apple's download bit, we're kind of halfway there anyway.

thedarkhalf
Mar 25, 2009, 10:21 AM
On the video... when he downloaded the .dmg file, the icon came up as a Quicktime icon. hmmmm

Mr_Brightside_@
Mar 25, 2009, 10:42 AM
I find it amusing how he refers to the computer as an "Apple Mac."
And I like how every header on that site begins with "High-definition television." While this wouldn't necessarily make me leave the site (I do love that HDTV), it does give me pause.
I recall a friend coming to me because he thought he had a virus after downloading a sketchy "video player" that he needed to play a torrent file. It seemed exactly like this (great media player for this type of file, etc.) but I believe that one was only for Windows.
And wait, what? The file says it's an .exe, but downloads as a .dmg with a QuickTime icon? Weird.
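As an added example, not part of this thread and not Sophos' code: the posts above point out that the "HDTV" download was described as an .exe on the page but arrived as a .dmg with a QuickTime icon. The file name and the Finder icon are both under the attacker's control, so a practitioner checks the bytes instead. The script below sniffs a handful of well-known magic values (PE "MZ", Mach-O, ZIP, ELF, the UDIF "koly" trailer of a .dmg, the QuickTime/ISO-media atom at offset 4) and flags a file whose content does not match its extension. Every sample file in it is constructed in the script itself; none is real malware, and the table of expected kinds per extension is my own assumption.

```python
"""Added example: classify a download by its bytes, not by its name or icon.

Constructed samples only; the EXPECTED_KIND table is an assumption for
illustration, not an exhaustive list.
"""
import os

# Well-known leading signatures (offset 0) -> coarse file kind.
LEADING_MAGICS = [
    (b"MZ", "pe"),                    # Windows PE executable (.exe/.dll)
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
    (b"#!", "script"),                # anything with a shebang line
    (b"\xfe\xed\xfa\xce", "macho"),   # Mach-O 32-bit, big-endian
    (b"\xce\xfa\xed\xfe", "macho"),   # Mach-O 32-bit, little-endian
    (b"\xfe\xed\xfa\xcf", "macho"),   # Mach-O 64-bit, big-endian
    (b"\xcf\xfa\xed\xfe", "macho"),   # Mach-O 64-bit, little-endian
    (b"\xca\xfe\xba\xbe", "macho"),   # universal ("fat") Mach-O binary
]

# What content each extension legitimately carries (assumed table).
EXPECTED_KIND = {
    ".exe": {"pe"},
    ".dll": {"pe"},
    ".dmg": {"dmg"},
    ".zip": {"zip"},
    ".mov": {"quicktime"},
    ".mp4": {"quicktime"},
    ".sh": {"script"},
}


def sniff(data: bytes) -> str:
    """Return a coarse file kind derived from content alone."""
    for magic, kind in LEADING_MAGICS:
        if data.startswith(magic):
            return kind
    # A UDIF disk image ends with a 512-byte trailer that starts with "koly".
    # (A raw, non-UDIF .dmg has no trailer and will sniff as "unknown".)
    if len(data) >= 512 and data[-512:-508] == b"koly":
        return "dmg"
    # QuickTime / ISO base media files carry an atom type at offset 4.
    if len(data) >= 8 and data[4:8] in (b"ftyp", b"moov", b"mdat", b"wide", b"free"):
        return "quicktime"
    return "unknown"


def check_download(filename: str, data: bytes):
    """Return (sniffed_kind, verdict) where verdict is
    'match', 'mismatch' or 'unknown-extension'."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    expected = EXPECTED_KIND.get(ext)
    if expected is None:
        return kind, "unknown-extension"
    return kind, ("match" if kind in expected else "mismatch")


# Constructed samples: a minimal UDIF-looking image, a PE and a Mach-O
# renamed to look harmless, and a genuine-looking QuickTime header.
SAMPLES = {
    "HDTV_Installer.dmg": b"\x00" * 512 + b"koly" + b"\x00" * 508,
    "HDTV_Player.dmg": b"MZ" + b"\x90" * 126,                  # PE wearing a .dmg name
    "trailer.mov": b"\xcf\xfa\xed\xfe" + b"\x00" * 60,         # Mach-O wearing a .mov name
    "clip.mov": b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 40,
}


def audit(samples=SAMPLES):
    """Run check_download over every sample; return {name: (kind, verdict)}."""
    return {name: check_download(name, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, (kind, verdict) in audit().items():
        print(f"{name:20s} content={kind:10s} {verdict}")
```

The verdict is only as good as the signature table: a .dmg that is not UDIF, or an archive format not listed, comes back "unknown" rather than "match", which is the safe direction for a download check.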

zeasar
Mar 25, 2009, 10:55 AM
Nothing in the video showed any trojan and or virus. It just showed 2 web sites, an attempt to download a .dmg file (with Quicktime being the default opening programme?!?), and a big sales pitch showing us their product works on a "trojan" they have "discovered". Well Done!

Oh and who would be stupid enough to put their own telephone number onto their site which is supposed to give you a trojan?

iBlue
Mar 25, 2009, 10:58 AM
http://upc.edesignuk.com/uploads/macros/dontgetscared.jpg

scottlinux
Mar 25, 2009, 11:12 AM
It is a version of that same 'plugin' trojan from 2007, though as always requires the user to install it dumbingly. (Is that a word?)

http://www.google.com/search?q=OSX%2FRSPlug+Trojan

http://www.macworld.com/article/60823/2007/10/trojanhorse.html

Silencio
Mar 25, 2009, 11:42 AM
Sadly, Sophos makes just about the only decent antivirus software for Mac OS X. It's pretty stable and doesn't bring your system to a grinding halt when it performs a scan. However, it's not sold to individuals: it's only available in multi-user packs for businesses. So I guess the point of this alert isn't to scare the people at home, but to scare the IT managers of the world.

I run Sophos SBS at one of my clients. Since we've retired a number of the PCs, we now have some spare client licenses that could go towards installing the antivirus clients on our Macs, but as of now, there's just no reason to do so.

jiarizti
Mar 25, 2009, 11:57 AM
Looking at the video I noticed that the alert message showed even before he actually clicked the download button in the popup window, and the text in the trojan message points to a cache file.

This whole thing feels very fishy and I think it's a set-up to lure Mac users into buying antivirus software.

mklos
Mar 25, 2009, 04:59 PM
Looking at the video I noticed that the alert message showed even before he actually clicked the download button in the popup window, and the text in the trojan message points to a cache file.

This whole thing feels very fishy and I think it's a set-up to lure Mac users into buying antivirus software.

Which you should have running anyways IMO. Mac OS X isn't this special OS where nothing will ever happen to it. There WILL be something someday and everyone without protection will be screwed!

mr.light
Mar 25, 2009, 05:07 PM
Looking at the video I noticed that the alert message showed even before he actually clicked the download button in the popup window, and the text in the trojan message points to a cache file.

This whole thing feels very fishy and I think it's a set-up to lure Mac users into buying antivirus software.

+1

Nothing but a sales pitch. That said, care should always be taken when downloading from sites you are new to.

Tallest Skil
Mar 25, 2009, 05:09 PM
Which you should have running anyways IMO. Mac OS X isn't this special OS where nothing will ever happen to it. There WILL be something someday and everyone without protection will be screwed!

No... everyone WITH it will be screwed, as well, as anti-virus software is only designed to stop Windows viruses.

The first Mac virus would slip right past, as the software has NO idea what it is looking for.

Anti-virus is worthless until they actually exist.

belvdr
Mar 25, 2009, 05:16 PM
No... everyone WITH it will be screwed, as well, as anti-virus software is only designed to stop Windows viruses.

The first Mac virus would slip right past, as the software has NO idea what it is looking for.

Anti-virus is worthless until they actually exist.

Well, those without it will still be vulnerable too, not just those with AV.

scottlinux
Mar 25, 2009, 08:30 PM
Looking at the video I noticed that the alert message showed even before he actually clicked the download button in the popup window, and the text in the trojan message points to a cache file.


Yes, in the Firefox download cache. This is expected behavior. Every file you download with Firefox works the same way. :)

It is a sales pitch but the video is not faking anything.

siddif
Mar 25, 2009, 08:32 PM
Any chance this could be a bit of propaganda considering it comes from the Sophos website and he had quite a fair understanding of the malicious website in question.

I'm not denying that the possibility exists, but it could be a bit of scare-mongering to get people on a Mac to buy antivirus software and challenge the common belief of "Macs don't get viruses".

siddif
Mar 25, 2009, 08:37 PM
Sadly, Sophos makes just about the only decent antivirus software for Mac OS X. It's pretty stable and doesn't bring your system to a grinding halt when it performs a scan. However, it's not sold to individuals: it's only available in multi-user packs for businesses. So I guess the point of this alert isn't to scare the people at home, but to scare the IT managers of the world.

I run Sophos SBS at one of my clients. Since we've retired a number of the PCs, we now have some spare client licenses that could go towards installing the antivirus clients on our Macs, but as of now, there's just no reason to do so.


I run Intego NetBarrier but I have not come across a single virus, and its year's subscription runs out tomorrow.

Though being well educated in internet safety, I know what to look for and what not to.

SecondDealer
Mar 25, 2009, 11:11 PM
I run Intego NetBarrier but I have not come across a single virus, and its year's subscription runs out tomorrow.

Though being well educated in internet safety, I know what to look for and what not to.

It's funny you would say that because although the video was almost certainly a set up and the website in it was designed by a professional at Sophos, that site interface would have fooled me and eventually burned me as well.

cathyy
Mar 25, 2009, 11:55 PM
There's no way a virus can infect my computer since it's a Mac!

neonblue2
Mar 26, 2009, 12:20 AM
Someone here on Mac Rumors got infected not too long ago.

http://forums.macrumors.com/showthread.php?t=667921

yossim
Mar 26, 2009, 01:46 AM
So what are some things that I can do to protect my computer from being infected?

siddif
Mar 26, 2009, 03:18 AM
It's funny you would say that because although the video was almost certainly a set up and the website in it was designed by a professional at Sophos, that site interface would have fooled me and eventually burned me as well.

Even disregarding what the guy said in the video about the obvious faults (Chinese number, linked as an exe file, etc.), HDTV is a hardware upgrade and not a software one, e.g. a Blu-ray drive, HD monitor and so on.

I've yet to see a piece of software that can improve SDTV technology into becoming HD-Ready.

montex
Mar 26, 2009, 04:12 AM
Sophos, a company that sells anti-malware software for Macs, pops up every 6 months or so with a dire warning to Mac users that they are in just as much danger as windows users and - hey! - we just so happen to sell software to protect you.

Notice how the Mac malware is a Trojan, but the Windows threat is an actual virus (which they don't actually say, but the description sounds like one). What clowns.

I tell all my Mac buddies the same thing: firewall, and don't download anything from anywhere unless you know it's legit. Pretty simple, and it doesn't require buying a processor-cycle-sucking anti-virus program.

MisterMe
Mar 26, 2009, 07:41 AM
There's no way a virus can infect my computer since it's a Mac!

One of the features in Mac OS X that many people ignore is that every application generates a warning the first time that it runs. After an application is updated, a warning is generated when it runs the next time. This means that an executable file that masquerades as something else must get explicit permission from the user before it can run.
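As an added example, not part of this thread: the first-run warning MisterMe describes is driven by the com.apple.quarantine extended attribute that Safari, Mail and other quarantine-aware apps stamp on files they download; Launch Services shows the "downloaded from the Internet" dialog while the tag is present, and a file with no tag runs silently. The parser below assumes the attribute value is laid out as "flags;timestamp;agent;identifier" with the flags and the Unix timestamp in hexadecimal and the last field optional; that layout is my assumption for illustration, as are the sample values, which are constructed. The `read_quarantine` helper shells out to macOS's `xattr -p` and is only meaningful on a Mac; the parsing runs anywhere.

```python
"""Added example: parse the com.apple.quarantine tag behind the first-run warning.

Assumed value layout: "flags;timestamp;agent;identifier" (hex flags, hex Unix
seconds, downloading app name, optional identifier). Samples are constructed.
"""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

ATTR_NAME = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int
    timestamp: int
    agent: str
    identifier: Optional[str]

    @property
    def downloaded_at(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc)


def parse_quarantine(value) -> Quarantine:
    """Parse a raw attribute value (bytes or str) into a Quarantine record."""
    if isinstance(value, bytes):
        value = value.decode("utf-8", errors="replace")
    fields = value.strip().split(";")
    if len(fields) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(fields[0], 16)       # flag bit meanings are not relied on here
    timestamp = int(fields[1], 16)   # seconds since the Unix epoch, in hex
    agent = fields[2]
    identifier = fields[3] if len(fields) > 3 and fields[3] else None
    return Quarantine(flags, timestamp, agent, identifier)


def read_quarantine(path: str) -> Optional[Quarantine]:
    """macOS only: read the tag with /usr/bin/xattr.

    Returns None when the file carries no quarantine tag, i.e. when it would
    launch with no first-run warning at all.
    """
    proc = subprocess.run(["xattr", "-p", ATTR_NAME, path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return parse_quarantine(proc.stdout)


# Constructed samples: a Safari download stamped on 2009-03-25, and an
# older-style value without the trailing identifier field.
SAMPLE_VALUES = {
    "HDTV_Installer.dmg": "0083;49ca3b20;Safari;8C0E6F34-1B4B-4A9E-9C71-0A2B3C4D5E6F",
    "legacy.dmg": "0001;49ca3b20;Safari.app",
}


def describe(values=SAMPLE_VALUES):
    """Return {filename: (agent, ISO-8601 download time, has_identifier)}."""
    out = {}
    for name, raw in values.items():
        q = parse_quarantine(raw)
        out[name] = (q.agent, q.downloaded_at.isoformat(), q.identifier is not None)
    return out


if __name__ == "__main__":
    for name, (agent, when, has_id) in describe().items():
        print(f"{name}: downloaded by {agent} at {when} (identifier present: {has_id})")
```

The practical check is the absence case: a .dmg or application bundle that arrived over the network but has no quarantine tag (copied from a USB stick, fetched with a tool that does not set the attribute, or stripped with `xattr -d`) gets no first-run dialog, so the warning MisterMe relies on only covers downloads made by quarantine-aware apps.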

drewsof07
Mar 26, 2009, 08:12 AM
Who just randomly Googles for software and downloads the first one they come to without reading third-party reviews to see if it's legit??

Rodimus Prime
Mar 26, 2009, 11:35 AM
A screenshot or URL of this "legitimate-looking website" would be nice.

I guess I'm not in the market for an HDTV for a while, then.

This'll be fixed in a week or so, either with 10.5.7 or a new Security Update, so I'm not too worried.

I would just say a porn site would be the place to hide that in. Just have basic video set up and boom you are done.

shamino
Mar 26, 2009, 11:41 AM
I suppose this could be a useful warning to those fools who think Mac OS is immune to all forms of malware, but I have yet to meet any such person.

It is well known that malware exists, and it isn't possible for any operating system to block it all. I can write a one-line shell script that deletes the contents of your home directory - if you download and run it, there's nothing any operating system can do to stop you.

The big deal isn't that Macs can't be damaged by malware but that there are sufficient security measures in place so that it is very difficult for malware to install itself without explicit action by a user or administrator. In the example here, the user explicitly downloaded a DMG file, despite lots and lots of warning signs. And even if the download wasn't blocked, the user would still have to unpack it and run the installer (and probably provide an administrator password as well.)

Additionally, Firefox 3 (and I think recent versions of Safari as well) verify URLs against blacklists of known malware/phishing/scam sites. Unfortunately, we don't know the URL used in the Sophos demo, but I would be pretty confident that Firefox would give me a full-screen warning before allowing me at the site. I'd have to deliberately ignore the warning in order to get to the page where the malware can be downloaded.

Now there are plenty of idiots who will do all that, and for them some kind of antivirus software might be useful, but that is hardly an indication that Macs are in any more danger than they were six months or six years ago. (And an idiot who ignores repeated warnings will probably ignore his antivirus software as well.)
Looking at the video I noticed that the alert message showed even before he actually clicked the download button in the popup window, and the text in the trojan message points to a cache file.

Actually, that looks correct to me.

Firefox begins downloading in the background before you click OK in the save-as dialog. It does this so the download will complete more quickly.

So the infected dmg could easily be in Firefox's cache at the time Sophos popped up its warning.
Who just randomly googles for software and downloads the first one they come to without reading third party reviews to seeing if it's legit??

He didn't "randomly google" for it either. He started typing in a URL and picked it out of his browser's history cache. This was a very carefully prepared demonstration. For all we know, the site might even be run by Sophos, for the purpose of making this video.

EmperorDarius
Mar 26, 2009, 12:24 PM
Sadly, Sophos makes just about the only decent antivirus software for Mac OS X. It's pretty stable and doesn't bring your system to a grinding halt when it performs a scan. However, it's not sold to individuals: it's only available in multi-user packs for businesses. So I guess the point of this alert isn't to scare the people at home, but to scare the IT managers of the world.


Well, I find iAntivirus pretty decent too. Sure, it's run by a small company, and it usually detects threats a day/2 days after some other company does (and the company doesn't work on weekends), but considering that the free version is full featured for non-commercial purposes and is very light, I think it's very good.

cwt1nospam
Mar 29, 2009, 12:01 PM
All AV software is bad: it puts the onus on the user instead of the OS maker. For example, why should Microsoft spend money fixing their OS when they can make money selling AV software? It doesn't matter that AV software can't catch new viruses until somebody discovers and defines them. What matters is that people buy it, and don't abandon Windows en masse for Mac/Linux. Until that changes there will be no shortage of viruses on the Windows platform.