Re: [Fed-Talk] DNS changer Trojan for Mac (!) in the wild
- Subject: Re: [Fed-Talk] DNS changer Trojan for Mac (!) in the wild
- From: Dave Schroeder <email@hidden>
- Date: Fri, 02 Nov 2007 15:30:49 -0500
On Nov 2, 2007, at 3:25 PM, email@hidden wrote:
> Read story at
> http://isc.sans.org/diary.html?storyid=3595
This isn't really a "!", in my personal opinion. The DNS changing or
anything else it does doesn't really matter: it's already been given
root privileges, and could really do *anything* to the system.
My view is this:
- This is by no means the first malware for Mac OS X, nor the first
malware written by "professionals" for Mac OS X. It appears that many
news outlets still see this as some kind of "first", when we've seen
several of these already in various forms, some even years ago.
- This requires the user to choose to download a disk image containing
an installer that advertises itself as a video codec (ostensibly to
watch free porn). When "Open 'safe' files after downloading" is
checked in Safari, which is the default, the installer within the disk
image will automatically start and sit at the first screen, waiting
for the user to continue.
- The user must choose to continue with the installation, and supply
the administrative password to the computer, at which point the
software has root-equivalent privileges. After this point, anything it
does is somewhat academic (although in this case, it changes the local
system's DNS servers).
- This uses no shortcoming or vulnerability in the OS of any kind. It
is a standard Mac OS X package installer on a standard Mac OS X disk
image that the user must elect to download, run, and provision with
administrative privileges. A classic social engineering trojan, albeit
targeted at Mac OS X.
Unfortunately, this seems to be getting more coverage than some
completely automated remote exploits requiring no user interaction
that we have seen in the past from time to time. It seems that every
new piece of Mac malware that appears, even if it's completely
uninteresting from a technical perspective and takes advantage of no
technical vulnerabilities, will continue receiving an inordinate
amount of press coverage. The problem, in my own personal opinion, is
that this leads to coverage in the mainstream press, and normal
readers can't parse out the severity of such issues. All they really
come away with is the idea that something is somehow "insecure" or
"less secure", when this threat pales in comparison to current threats
on other platforms. Perhaps there is no way to avoid this.
In the future, we will continue to see Mac malware, just as we have
for years. But when software requires that a user willingly download and
install it, I'm not sure what measures can meaningfully be taken on
any platform to prevent it. Sure, there's always code signing, but
even that can be problematic for a variety of reasons. To me, the far
more interesting malware is that which takes advantage of OS
vulnerabilities and can propagate without user interaction. That's not
to say that social engineering malware isn't effective; just that it
proves that people are vulnerable to things more than a particular OS
necessarily is.
- Dave
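Added example, not part of Dave's message or anything posted to the list: a small host check for the two things the message describes, a resolver list that no longer matches what the administrator configured and Safari's "Open 'safe' files after downloading" setting, which is what lets the downloaded disk image open and start its installer on its own. The expected resolver addresses are an assumption (TEST-NET addresses stand in for real ones), the embedded `scutil --dns` output is constructed for the demonstration, and the Safari preference key `AutoOpenSafeDownloads` in the `com.apple.Safari` domain is assumed to be where Safari of that era stores the setting. The live part only runs where the macOS tools exist; the parsing runs anywhere.

```shell
#!/bin/sh
# Added example; this is not code from the original post or the Fed-Talk list.
# It checks a Mac for the two things the post describes: a resolver list that
# no longer matches what the administrator expects, and Safari's
# "Open 'safe' files after downloading" setting, which is what lets the
# downloaded disk image open and launch its installer on its own.

# Assumption: the resolvers this host should be using. These are TEST-NET
# addresses standing in for real ones.
EXPECTED_DNS="192.0.2.53 192.0.2.54"

# Read `scutil --dns` output on stdin and print each nameserver that is not in
# the expected list ($1, space separated), one per line, de-duplicated.
# Prints nothing when every resolver is expected. Always returns 0; the caller
# decides what an unexpected entry means.
unexpected_nameservers() {
    expected="$1"
    sed -n 's/^[[:space:]]*nameserver\[[0-9]*][[:space:]]*:[[:space:]]*//p' |
    sort -u |
    while IFS= read -r ns; do
        found=0
        for e in $expected; do
            if [ "$ns" = "$e" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$ns"
        fi
    done
}

# Interpret the value `defaults read com.apple.Safari AutoOpenSafeDownloads`
# reports (assumed here to be the key Safari stores this setting under).
# Returns 0 only when auto-open is off. An empty value means the key is unset,
# i.e. Safari's default, which the post notes is "on", so that counts as on.
auto_open_is_off() {
    case "$1" in
        0|false|NO|no) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of `scutil --dns` output: one expected resolver plus one
# (198.51.100.7) that the administrator never configured.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  nameserver[0] : 192.0.2.53
  nameserver[1] : 198.51.100.7

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  order    : 300000'

# Offline demonstration on the sample; prints 198.51.100.7.
printf '%s\n' "$SAMPLE_SCUTIL" | unexpected_nameservers "$EXPECTED_DNS"

# Live check, only where the macOS tools exist; skipped on other systems.
if command -v scutil >/dev/null 2>&1 && command -v defaults >/dev/null 2>&1; then
    live=$(scutil --dns | unexpected_nameservers "$EXPECTED_DNS")
    if [ -n "$live" ]; then
        printf 'Resolver(s) not in the expected list:\n%s\n' "$live"
    fi
    # `defaults read` fails when the key is unset; treat that as the default.
    val=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
    if ! auto_open_is_off "$val"; then
        echo 'Safari "Open safe files after downloading" is enabled; turn it off'
    fi
fi
```

Run it as a normal user on the Mac in question; the resolver part needs no privileges because `scutil --dns` reports the live configuration the system actually resolves with, which is what a DNS changer of this kind alters after it has been granted the administrative password. A non-empty list is not proof of compromise on its own (DHCP can legitimately hand out resolvers), so compare it against what your network is supposed to provide.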
Attachment: smime.p7s (S/MIME cryptographic signature)