That would be a really bad trojan, a proper trojan would be from a website that tells you that you need to install an image viewer or something the user recognizes like Adobe Acrobat to see the photos, then it would ask for your password during the installer and the user would think everything is normal. Hackers are a lot more clever than just giving a trojan a jpeg icon.
 
That would be a really bad trojan, a proper trojan would be from a website that tells you that you need to install an image viewer or something the user recognizes like Adobe Acrobat to see the photos, then it would ask for your password during the installer and the user would think everything is normal. Hackers are a lot more clever than just giving a trojan a jpeg icon.
The OSX.Leap.A hackers weren't that clever.
 
OK, here's a method you can use to minimize the chances of unwittingly installing a trojan.

You've probably gotten emails from your bank or other financial institutions that tell you to go to their website and login, rather than clicking a link in the email to login. That's because an email can be spoofed to make it look like it's from the bank, and if you click a link in the email, you can be directed to a site that's not owned by the bank, but is made to look like the bank's login page. If you login there, you've just given your login and password to the hacker. That's why it's important to look at the address bar when you're about to enter login credentials, to make sure you're on the site you think you're on.

In the same way, if you visit a site that claims you need an updated version of Flash, or some other plug-in or codec, don't install it from that site. Instead, go to the Adobe site or the codec author's site and install from there, to make sure you're getting a legitimate copy of the software, and not one that could have been tampered with.
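A small worked check for the "look at the address bar" advice above, added here as an example and not code from anyone in this thread. It takes the links out of an email body and reports whether each one really lands on the bank's domain; the bank domain and the sample email are constructed values. It covers the two tricks the eye most easily misses: a `user@host` prefix, where the name before the `@` is ignored by the browser, and a lookalike host such as `examplebank.com.evil.net`, where the trusted name is only a prefix.

```python
"""Does a link from an email really point at the site it claims to?

Added example; not code from the MacRumors thread. TRUSTED_DOMAINS and the
sample email are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed: the domains the user actually trusts for online banking.
TRUSTED_DOMAINS = {"examplebank.com"}

# Matches http(s) links in plain text (stops at whitespace, quotes and angle brackets).
LINK_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message: one genuine link, two deceptive ones.
SAMPLE_EMAIL = """\
Dear customer, please confirm your details at
https://login.examplebank.com/secure
If that fails, use https://examplebank.com.evil.net/login
or our mirror https://examplebank.com@198.51.100.7/login
"""


def registered_host(url: str) -> str:
    """Return the lowercase host the browser would actually connect to.

    urlsplit() discards a 'user:pass@' prefix, so a link such as
    https://examplebank.com@198.51.100.7/ yields '198.51.100.7', not the
    bank name that appears first in the text.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"not a web link: {url!r}")
    host = parts.hostname
    if not host:
        raise ValueError(f"no host in link: {url!r}")
    return host.lower().rstrip(".")


def is_trusted_link(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the host is a trusted domain or a subdomain of one.

    'examplebank.com.evil.net' is NOT a subdomain of examplebank.com: the
    trusted name must be the suffix, and it must start at a label boundary.
    """
    try:
        host = registered_host(url)
    except ValueError:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def audit_email(body: str) -> dict:
    """Map every link found in the message body to whether it is trusted."""
    return {link: is_trusted_link(link) for link in LINK_RE.findall(body)}


if __name__ == "__main__":
    for link, ok in audit_email(SAMPLE_EMAIL).items():
        print("OK  " if ok else "BAD ", link)
```

The same suffix test is what you should apply by eye in the address bar: read the host from the right-hand end, back to the first dot that separates the registered name from whatever precedes it.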

Sure, that will help, but only against obvious, clumsy trojan attempts.

If I genuinely wanted to create some malware, I'd be a lot more subtle. I'd build a game, or system utility that is genuinely playable/useful. I wouldn't distribute it via my own site, but try to get it on typical Mac software download sites. If users downloaded it, they would need to provide their password to install. (Many Mac users use admin accounts anyhow, which reduces the need for that). On install, I'd copy a small 'helper' process to the Application Support folder, and change its date-modified field so that it doesn't match the install date of my app.

When the app/game launches, it works perfectly, so the user isn't suspicious. After a period of time - say a few days - the helper process will launch (ideally it would launch when the Mac isn't being used, perhaps when the screen-saver launches), scan the hard drive for useful info (personal info, credit card info especially), encrypt it, and encode it into a URL and send it. By encoding it into a URL, it's less likely to be blocked by something like Little Snitch; and it could easily be made to look like a harmless version check.

How would any user know that it's malware, until it's far too late? How do I know that no one has already done this to me?

Trojans are typically fairly blatant and not very clever, because they catch enough people as it is. If users become more cautious, trojans will become more subtle and clever.
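The post above argues that data smuggled out in a URL would pass for a harmless version check. Here is the detection side of that, added as an example and not code from the thread: a real version check sends a few dozen bytes of version and OS strings, so an outbound request whose query string is long, or has the entropy of encrypted/base64 data, stands out. The log format, thresholds, host names and sample lines are all constructed; the "opaque" payload in the third line is base64 of some SHA-256 digests, standing in for whatever an encrypted blob would look like on the wire.

```python
"""Flag outbound requests whose query string carries far more, or far more
random, data than a version check should.

Added example; not code from the MacRumors thread. Log format, thresholds,
host names and sample lines are constructed.
"""
import base64
import hashlib
import math
from collections import Counter
from urllib.parse import urlsplit

MAX_QUERY_LEN = 200            # a version check needs a few dozen bytes at most
MIN_SUSPICIOUS_ENTROPY = 4.5   # bits/char; base64 of encrypted data sits near 5-6
MIN_ENTROPY_SAMPLE = 64        # entropy on very short strings is not meaningful

# Constructed stand-in for an opaque encrypted payload: base64 of eight
# SHA-256 digests (256 bytes -> 344 characters). Any high-entropy blob looks
# the same to the detector, so no real data is needed.
OPAQUE_BLOB = base64.urlsafe_b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
).decode()

# Constructed sample log: "timestamp method url", one outbound request per line.
SAMPLE_LOG = f"""\
2010-03-01T02:14:07 GET https://updates.example-app.test/check?v=1.2.3&os=10.6.2
2010-03-01T02:14:09 GET https://cdn.example-app.test/news.rss
2010-03-01T03:31:44 GET https://updates.example-app.test/check?v=1.2.3&id={OPAQUE_BLOB}
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def query_payload(url: str) -> str:
    """Concatenate the query VALUES; keys like v= and os= are just noise."""
    query = urlsplit(url).query
    return "".join(
        part.split("=", 1)[1] if "=" in part else part
        for part in query.split("&") if part
    )


def score_request(url: str) -> list:
    """Return the reasons a request looks like more than a version check (empty if none)."""
    payload = query_payload(url)
    entropy = shannon_entropy(payload)
    reasons = []
    if len(payload) > MAX_QUERY_LEN:
        reasons.append(f"query carries {len(payload)} bytes")
    if len(payload) >= MIN_ENTROPY_SAMPLE and entropy >= MIN_SUSPICIOUS_ENTROPY:
        reasons.append(f"query entropy {entropy:.2f} bits/char")
    return reasons


def find_suspicious(log: str) -> list:
    """Return (timestamp, host, reasons) for every log line that trips a rule."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        timestamp, _method, url = line.split(None, 2)
        reasons = score_request(url)
        if reasons:
            hits.append((timestamp, urlsplit(url).hostname, reasons))
    return hits


if __name__ == "__main__":
    for timestamp, host, reasons in find_suspicious(SAMPLE_LOG):
        print(timestamp, host, "; ".join(reasons))
```

A per-host outbound firewall such as the one mentioned above only sees "this app talked to its update server"; a check like this has to sit on the request itself, which is why size and entropy of what is sent are the useful signals rather than the destination.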
 
If I genuinely wanted to create some malware....
But you haven't. Your whole argument is hypothetical. The advice I offer works in real-life situations that exist today. Anyone can play the "what if..." game, but it has no bearing on what real threats exist in today's world. Until a smarter trojan is released into the wild, my recommendation works just fine.
 
But you haven't. Your whole argument is hypothetical. The advice I offer works in real-life situations that exist today. Anyone can play the "what if..." game, but it has no bearing on what real threats exist in today's world. Until a smarter trojan is released into the wild, my recommendation works just fine.

Absolutely. :)

My point isn't that there are clever trojans out there now, but that there's no reason to believe that if you're cautious, you can never be tricked by one. Which is why I hope Apple are putting some thought into protection now, rather than waiting for some point in the future when damaging trojans appear on the Mac.
 
Which is why I hope Apple are putting some thought into protection now, rather than waiting for some point in the future when damaging trojans appear on the Mac.

Webkit2 is that thought. More complex delivery of malware relies on exploitation. Most default Mac client-side software (Safari, Mail, iTunes) uses Webkit. Webkit2 will make drive-by-downloads and remote exploitation much more difficult (see Chrome, similar sandbox model).

Simpler means to deliver malware that do not rely on client-side exploitation are downloads and emails. Then, rely on social engineering or privilege escalation for installation. If the malware includes privilege escalation (does not rely on social engineering for install), then AV software provides protection if the software has a definition for the malware. If not detected by AV software and includes privilege escalation (rare in OS X, no reported use in malware in OS X in wild), then there is no defence against infection.
 