Mac OS X targeted by Trojan and backdoor tool

midijeep

Mac OS X targeted by Trojan and backdoor tool

Matthew Broersma ZDNet.co.uk

Published: 21 Nov 2008 12:08 GMT

Two pieces of malicious software affecting Apple's Mac OS X appeared this week: a Trojan horse with the ability to download and install malicious code of an attacker's choice, and a hacker tool for creating backdoors, according to security vendors.

The Trojan — called 'OSX.RSPlug.D' by Intego, the Mac security specialist that discovered the threat — is a variant on an older piece of malicious code but with a new installer, Intego said.

"It is a downloader, and it contacts a remote server to download the files it installs," Intego said in an advisory. "This means that, in the future, the downloader may be able to install payloads [other] than the one it currently installs."

In other respects the Trojan is similar to previous versions of RSPlug, which first surfaced in October 2007, Intego said. It installs a piece of malicious code known as DNSChanger, which routes the user's internet traffic through a malicious DNS server, leading users to phishing websites or pages displaying advertisements.

The Trojan is found on porn websites posing as a codec needed to play video files, a technique used to trick the user into downloading and installing it.

Intego said OSX.RSPlug.D has been widely confused with a separate threat publicised this week by several security firms. That threat is called OSX.TrojanKit.Malez by Intego and OSX.Lamzev.A by other vendors, including Symantec and Trend Micro.

OSX.Lamzev.A is a hacker tool designed primarily to allow attackers to install backdoors in a user's system, according to Intego. However, the company dismissed the tool as a serious threat because a potential hacker has to have physical access to a system to install the backdoor.

"Unlike true malware and Trojan horses, OSX.TrojanKit.Malez requires that a hacker already have access to a Mac in order to install the code," Intego stated.

Other antivirus vendors noted that Lamzev could be disguised as a piece of legitimate software and used to trick users into creating the backdoor themselves.

Lamzev is not related to RSPlug, despite several high-profile reports confounding the two, Intego emphasised. "This hacker tool has nothing to do with the RSPlug Trojan horse," Intego stated.

Security vendors have long warned that the Mac platform is not as secure as some users might like to believe. Apple had not responded to a request for comment at the time of publication.
 
Again with the porn sites. What I want to know is, are these legitimate porn sites that have been hacked (or maybe even designed maliciously), or merely fronts designed to deliver this malware?
 
The keyword in the above article is "trick."

If you are "infected" by either of these trojans, then it is the sole fault of the user his/herself. These trojans require you to let them install on your system. They cannot infect your system without you specifically and explicitly giving them permission to install themselves.

If you do find yourself infected, it is by your own doing. The same as if someone asks you for your PIN number to your ATM card and you willingly tell them, then you have no one to blame but yourself when your bank account is depleted.
 
The way a Mac user is tricked is the web page will say "You need this QuickTime Plugin ...". Remember the best all around free QuickTime Plugins that most any Mac user will ever need is Perian and Flip4Mac. After installing these two free plugins you will be able to see most every other video stream on the whole internet EXCEPT Windows Media 10+ because all those videos have the Microsoft proprietary DRM automatically embedded in the transcoded video. There is no getting past that on a non-Windows system. This is why most video streaming is going Flash based.
 
The way a Mac user is tricked is the web page will say "You need this QuickTime Plugin ...". Remember the best all around free QuickTime Plugins that most any Mac user will ever need is Perian and Flip4Mac....

That, Satcomer, is the most useful piece of prose I've seen in a while. Good stuff!
 
The keyword in the above article is "trick."
.... it is the sole fault of the user his/herself ... They cannot infect your system without you specifically and explicitly giving them permission to install themselves. If you do find yourself infected, it is by your own doing.

Good points EDCC, but has anyone yet come up with the means to get rid of this Trojan? I note a post on another forum seeking help in finding where in the OS the Trojan's got to, and how it might be identified. I dare say it's got some obscure file name or number.
 
The keyword in the above article is "trick."

If you are "infected" by either of these trojans, then it is the sole fault of the user his/herself.

I agree that it's kind of dumb to install software from a porn site, but at the same time, I don't think it's quite fair to blame the user entirely. LOTS of software requires admin privileges to install in OS X. Entering your password to install something is perfectly normal. It's not a big reason for suspicion on its own.

(I realize now that I already said some of this last time.)

So what's the cause of suspicion here? Only that it came from a porn site. That's why I ask what kind of sites these are. I know a lot of people will dismiss all porn sites as shady and illegitimate, but porn is perfectly legal, and I'll bet most of the sites are perfectly legal and aboveboard. We should distinguish the ones that are not.

If it were software sites instead of porn sites, I'm sure we'd see more details. Are we talking about the porn equivalent of adobe.com, download.com, or some random warez site here? I think it's unjournalistic to leave this information out (presumably) just because it's porn.
 
I think the more important question for users out there still is: How to identify the trojan and remove it completely. Is there a guide, a free tool like DNSChangerRemoval or something?
 
I agree that it's kind of dumb to install software from a porn site, but at the same time, I don't think it's quite fair to blame the user entirely. LOTS of software requires admin privileges to install in OS X. Entering your password to install something is perfectly normal. It's not a big reason for suspicion on its own.
True, but I liken this to someone changing the "3" on a 30-mph speed limit sign to an "8" with some black spray paint -- then trying to argue your way out of a ticket. You should know the roads you drive, and if it's your first time down that road, you should be extra careful instead of taking everything at face value.

Owning and using a computer requires a level of responsibility that I think a lot of people today refuse to own up to. Hooking that computer up to the internet increases the level of responsibility required by tenfold, at least. People are out to get you. Be aware of this.

You wouldn't (and I use the term "you" generally) hop behind the wheel of a forklift if you didn't know what you were doing, right? You wouldn't try to rewire your house unless you were versed in the training of an electrician, right? You wouldn't fry a turkey without thawing it first, right (hint: it asplodes!)? You wouldn't try and change the oil in your car without knowing what nut to remove, right?

While all of these examples would cause physical damage in the real world, and computer illiteracy only causes digital damage, I do believe the same thinking applies. While great strides have been taken to bring computer use to the masses (color-coded connections in the back, etc.), I still think that unless you know what you're doing, it's best to stick to something else until proper training is obtained -- and there are PLENTY of free, local training courses offered all over the world. Libraries still exist and contain the same information, and you can't blow up a computer with a book. A computer is not a necessity -- there are other options to gain the same information, and there is no "right to a computer."

I hate to be an aggressive ass, but sometimes a good, old-fashioned ass-whooping is what it takes to get through to some people when a passive talking won't work. Remember the text/audio going around the 'tubes some time ago about the tech support person recommending to the helpless user on the phone that they should box up their computer and send it back because they had no business using one? I subscribe to that fully... so sue me!

It seems the thinking nowadays is "click everything, if something bad happens, it's not my fault." Well, that thinking isn't going to get you very far in terms of computer use. The best thing to do (and this is common sense, not learned knowledge) is to not click anything unless you know what you're doing. My mother is a back-asswards technology buffoon (self-admitted), but with coaching, she uses Google just fine and researches Ph.D-level papers on the internet as well as emails colleagues and uses the calendar portion of Outlook. If she comes across something unknown, she stops dead in her tracks until she knows what the hell is going on. She's never had a virus, and she uses a Windows computer -- and she's the precise demographic that virus writers target, too.

I just wanted to provide my point of view, and that it's worked out very well for me and those around me. When you push buttons on your computer, it is your sole responsibility for everything that happens from there on out, and no one else's. Getting tricked on the internet is no different from getting tricked in real life -- the internet is real life. If you contract this trojan, you may or may not have been tricked, but one thing is definite: you did it to yourself and you own 100% of the responsibility for infecting your computer.

I don't own a forklift. Some people should not own computers... especially those who refuse to own the responsibility.
 
Just as an addition, the article did mention that this seemed to be a variation on the old theme: the idea that something other than DNSChanger would be included in the trojan, something that might actually introduce backdoors into an OS X system. This is where it could possible get a little more hairy than just changing one's DNS. But of course, they also said that it required someone with physical access (or possibly even just local access, not necessarily physical if you think about it). So it all falls back to the weakest link in the security chain, the user.
 
I think the more important question for users out there still is: How to identify the trojan and remove it completely. Is there a guide, a free tool like DNSChangerRemoval or something?

The article makes it sound like the payload is the same as before, and the difference is with the installer. So I'm guessing the existing removal methods for the last variant of the trojan would still work. Some details on removing the last one: http://www.macworld.com/article/60823/2007/10/trojanhorse.html

I can't be sure, though.
 
The concept that someone wouldn't meet the criteria (for want of a better word) to own and operate a computer on the internet is foreign to me.

If I take myself as an example, I'm even too suspicious to press the "Fart" button on certain web pages I've been to in my time .... so I guess my over cautious nature in real life has a purpose in the virtual world too.

Having said that, I don't think I would judge a person too harshly if they had allowed a trojan onto their computer. I don't like to generalise, but those types of users *might* not be too interested in the behind the scenes workings of OS's and would be happy to pay someone to *fix* it for them.

On the other hand, I consider myself a *proud* user and would be looking to sort the problem out myself if I was unlucky to fall for the "install this codec" trick.

The odd times I have seen the dialogue box in question, I simply thought "no pron movie is that good where I would allow a website to install something on my system in order to watch it ..."

I have had emails in the past from Africa, informing me that if I am interested in helping out with accessing a deceased person's large bank account, I can earn myself a few hundred thousand dollars. I snorted when I read it but was totally amazed to later watch a current affairs story telling of people who were sucked in to this or similar scams and had unwittingly forwarded large amounts of money to the bogus scammers.

I'm not saying there is a parallel between the two scenes, but I truly believed no person could possibly fall for such an obvious scam.

This is a reflection of how cautious I am in everyday life ... and that my listed DNS servers are the ones I entered myself and thus are not malicious is a reflection of this cautiousness and not directly related to anything I've learnt about using a computer.

I sometimes think that certain people shouldn't be allowed to drive a car on the road based on how I perceive their actions behind the wheel so I guess that the idea that a person shouldn't be behind the wheel of a computer travelling down the information super highway isn't that foreign after all.

That's my rare rant for the year .... ;)

 
Yes. Or don't install stuff from unknown sources. Yes. Still: I need to know how to solve the problem. I've had three or four customers with the last trojan, and DNSChangerRemoval was the simple answer. Here, I don't even know how to exactly identify an infected machine. Maybe the same tool will work, maybe not. From what I read, it does _not_ use the same installer and it might hide in other places, so I guess the old remover won't work.

But since that's all guesswork, it just means I'm in the dark. :/

Now: I've got one case (an elderly couple, don't laugh) that acts like DNSChanger is active, but the removal tool won't work. My _guess_ is, it's this.
 
Now: I've got one case (an elderly couple, don't laugh) that acts like DNSChanger is active, but the removal tool won't work. My _guess_ is, it's this.

Interesting. Have you tried the other methods listed in the MacWorld article I linked? I'm especially interested to know whether it uses cron jobs like before.
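A defender-side check for the symptom the last two posts are chasing (resolver addresses the user never entered), added here as an example; it is not from the article, the thread, or any vendor's removal tool. It parses `scutil --dns`-style output, whose line layout is an assumption, and flags nameservers in any resolver scope that are not on an allowlist the owner maintains; the sample output and the allowlist are constructed, and `check_live()` assumes a Mac where `scutil` exists.

```python
"""Flag DNS resolvers a Mac user never configured. Added example, not from
the article, the thread or any vendor's tool; the `scutil --dns` line
layout it parses ("resolver #N" blocks, "nameserver[i] : addr") is assumed."""
import re
import subprocess
from typing import Dict, List

RESOLVER_RE = re.compile(r"^resolver #(\d+)")
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")

def parse_scutil_dns(text: str) -> Dict[int, List[str]]:
    """Map each 'resolver #N' block to the nameserver addresses it lists."""
    resolvers: Dict[int, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = RESOLVER_RE.match(line)
        if m:
            current = int(m.group(1))
            resolvers.setdefault(current, [])
            continue
        m = NAMESERVER_RE.match(line)
        if m and current is not None:
            resolvers[current].append(m.group(1))
    return resolvers

def unexpected_nameservers(resolvers: Dict[int, List[str]],
                           allowlist: List[str]) -> Dict[int, List[str]]:
    """{resolver: [addresses]} for servers not on the allowlist; an empty
    dict means every resolver uses only servers you configured yourself."""
    allowed = set(allowlist)
    return {n: [s for s in servers if s not in allowed]
            for n, servers in resolvers.items()
            if any(s not in allowed for s in servers)}

def check_live(allowlist: List[str]) -> Dict[int, List[str]]:
    """Run the check on this machine (macOS only: needs scutil)."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True,
                         text=True, check=True).stdout
    return unexpected_nameservers(parse_scutil_dns(out), allowlist)

# Constructed sample in scutil's layout. 203.0.113.7 stands in for a server
# the user never entered (a documentation address, not a real indicator).
SAMPLE = """resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.7

resolver #2
  nameserver[0] : 192.168.1.1
"""
EXPECTED = ["192.168.1.1", "192.168.1.2"]  # what the router hands out (constructed)
```

On a suspect machine, `check_live(EXPECTED)` returning anything other than an empty dict is the cue to look further; a clean result only rules out the DNS symptom, not the installer itself.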
 
I'm still preparing. When I go there next, I want to simply solve the problem, not mess around for an hour and then leave again. ;)

Doctor X: It's a simple truth that a clever Trojan _will_ get installed. And the user doesn't have to be *too* stupid:

1.) Browsing the web, you come across something that piques your interest. Doesn't have to be pr0n, could be a nice little game or a nifty utility.

2.) Since you'll *expect* it to be installed, downloading a .dmg-file won't surprise you.

3.) Since _many_ installers need admin-rights, that message *also* won't turn you off.

4.) You're done. You've just installed whatever that installer wanted to have installed. If you ask 1000 or 10,000,000 Mac users, I guess more than 95% wouldn't go look at the logs to see what was actually installed. And even then the filenames would probably not say "Hey, I'm a Trojan!".

So: It's *not* simply a matter of stupidity. We're lucky that so far this stuff obviously only turns up on shady sites, it seems. If something's automatically downloaded, that's a warning sign. But the actual warning signs in place don't shock users, because the system asks them for their password all the time.
 