Uli's Web Site

Heise reports Mac Trojan

Looks like the Mac has finally reached critical mass and become attractive enough for malware authors. German publisher Heise reports:

Mac Trojan in video codec on porn sites

Security companies Intego and Sunbelt have discovered a Trojan that has its aim set on Mac users. According to Intego, porn pages were advertised using spam in numerous Mac forums, attempting to expose them to the OSX.RSPlug.A malware program.

(...) If a user clicks the purported link to videos, he gets a message about a missing codec.

As is to be expected, this relies either on the Open Secure Files option that Apple should have removed years ago, or on social engineering that instructs the user to expose themselves ("to install the codec, launch the downloaded installer and enter your password"). The damage it causes, however, is very interesting:

(...)The Trojan twists [sic!] the DNS-entries to point to servers controlled by the virus authors, which will return manipulated DNS answers for eBay, PayPal and some banks, pointing to phishing sites, and will install a cron job that checks these settings every minute and restores them as needed.

To me, if this malware really works as advertised, I'd say the Mac has been cracked.
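A defender-side check for the two symptoms Heise describes, changed DNS servers and a cron job that re-applies them every minute. This is an added example, not code from the original post; the resolver addresses, the crontab text and the trusted path prefixes are constructed sample data.

```python
"""Flag RSPlug-style DNS tampering and its per-minute cron persistence."""

# Constructed sample data: what the network handed out via DHCP versus what
# the system is actually configured to use (203.0.113.45 is a TEST-NET address).
EXPECTED_RESOLVERS = {"192.168.1.1"}
CONFIGURED_RESOLVERS = ["192.168.1.1", "203.0.113.45"]

# Constructed crontab: one legitimate daily job, one every-five-minute backup,
# and one hypothetical every-minute job from an odd location.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/periodic daily
*/5 * * * * /usr/local/bin/backup.sh
* * * * * /tmp/.hidden/update.sh >/dev/null 2>&1
"""

TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/local/bin/")


def unexpected_resolvers(configured, expected):
    """Return configured DNS servers that the network did not provide."""
    return sorted(set(configured) - set(expected))


def parse_crontab(text):
    """Yield (five schedule fields, command) for each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # keep spaces inside the command
        if len(fields) < 6:
            continue  # malformed line, nothing to evaluate
        yield fields[:5], fields[5]


def runs_every_minute(schedule):
    """True when the minute field fires on every minute, as the restore loop does."""
    return schedule[0] in ("*", "*/1")


def suspicious_cron_jobs(text, trusted_prefixes=TRUSTED_PREFIXES):
    """Return every-minute commands that do not start from a trusted path."""
    return [cmd for sched, cmd in parse_crontab(text)
            if runs_every_minute(sched) and not cmd.startswith(trusted_prefixes)]


if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(CONFIGURED_RESOLVERS, EXPECTED_RESOLVERS))
    print("suspicious cron jobs:", suspicious_cron_jobs(SAMPLE_CRONTAB))
```

On a real Mac the two inputs would come from `scutil --dns` and `crontab -l` (for each user and root) rather than the constructed strings above.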

Neither code signing nor the sandboxing offered in Leopard helps here: the malware makers can sign their files themselves, and the sandbox is applied by the application itself rather than imposed by the system. So unless Apple adds a way to prohibit any application from changing the system configuration without being explicitly allowed, separately from any permission one may need simply to install an application, this will be a problem we'll have to live with from now on.

But even then this won't remove the exploit: I guess the problem is that it's not obvious that a codec should not need internet access. The user may think it's a streaming codec, and if not, that may be the explanation the web site will give. Social engineering will always work, even though it'll be harder to apply to educated users who don't follow spam links and don't trust any old web site.

We get asked for our password for many installations, why shouldn't a codec ask for it? I guess one way to let at least knowledgeable users avoid issues like this is for Apple to standardize on an installer for all installations.

E.g. if I have an app that is a drop-install but then installs a kernel extension to do its magic, my app should launch an Apple Installer package embedded in its bundle, so the user could inspect this package, get a summary of what gets installed where, etc. And Apple could have different "safety levels" for packages: either they use standard hooks, which the installer can display in a readable way even to newbie users, or, if they need a script to do their work, the package gets flagged as potentially dangerous. If Apple offers enough canned behaviours for common things, users could get used to not seeing this warning and wouldn't be tricked as easily. Moreover, they could be educated that a codec should never need to contain a kernel extension or need access to the system configuration or the address book.

And why is there still no way to prevent applications from accessing my address book?


 
Created: 2007-11-01 @703 Last change: 2007-11-01 @743
© Copyright 2003-2014 by M. Uli Kusterer, all rights reserved.