Filed under: Enterprise, Security, Found Footage
Sophos video shows Mac trojan caught in the act
Apple Mac malware: Caught on camera from Sophos Labs on Vimeo.
It's not every day that you can watch Mac malware in action, but the team at Sophos Labs has put together the demonstration video above; it shows a malicious installer downloaded from a site pretending to serve up an HD video player, which actually carries the RSPlug-F trojan. Even though Mac users would still have to provide admin credentials to install the application (unlike Windows users, who might catch the Zlob malware just by visiting the webpage), it would be perfectly natural to go ahead and authenticate after downloading an installer... but not a good idea in this case. The fake site and bogus application are appearing in two versions, one billed as MacCinema and another trying to steal the goodwill of a legitimate Windows app called HDTV Player (the real app is from blazevideo.com).
RSPlug-F does try to change your DNS settings to point at bad-guy controlled servers, which could conceivably result in you being redirected to malicious or phony sites; however, if your ISP is on the ball, those bogus DNS servers are already blocked. The only way to catch this bit of malware is via the installer, but it's easy to see how an innocent Mac user might be fooled by the convincing-seeming download site.
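The DNS change described above is the detectable footprint of this trojan. As an added example (not Sophos' code or part of the original post), the script below parses the resolver list that `scutil --dns` prints on a Mac and flags any nameserver outside an allowlist the administrator expects; the sample output is constructed, and the exact line layout is assumed from typical `scutil --dns` output.

```python
import ipaddress
import re

# Constructed sample of `scutil --dns` output from a Mac whose primary resolver
# now points at nameservers the user never configured (documentation-range
# addresses, not real indicators).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.10
  nameserver[1] : 203.0.113.11
  if_index : 4 (en0)
  flags    : Request A records

resolver #2
  domain   : local
  options  : mdns
"""

RESOLVER_RE = re.compile(r"^resolver #(\d+)")
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")

def parse_resolvers(text):
    """Map each resolver number to the nameserver addresses listed under it."""
    resolvers, current = {}, None
    for line in text.splitlines():
        m = RESOLVER_RE.match(line)
        if m:
            current = int(m.group(1))
            resolvers[current] = []
        elif current is not None:
            m = NAMESERVER_RE.match(line)
            if m:
                resolvers[current].append(m.group(1))
    return resolvers

def unexpected_nameservers(text, allowed_networks):
    """Nameservers outside the allowlist; unparsable entries are reported too."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    bad = []
    for servers in parse_resolvers(text).values():
        for s in servers:
            try:
                ok = any(ipaddress.ip_address(s) in net for net in allowed)
            except ValueError:
                ok = False
            if not ok:
                bad.append(s)
    return bad
```

On a real Mac, feed the live output of `scutil --dns` to `unexpected_nameservers` with the networks of your router and ISP resolvers as the allowlist; any hit means the resolver configuration has been changed behind your back.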



Reader Comments (Page 1 of 2)
Ryan Saunders said 12:50PM on 3-26-2009
Maybe Sophos should stop wasting their time on making videos and work on putting out a decent product.
Michael Rose said 1:03PM on 3-26-2009
I'm actually pretty fond of Sophos' product, it holds up well compared to Intego or Symantec. What's the trouble you have with it?
Hawkman said 12:52PM on 3-26-2009
They really don't give up, do they? My word, these antivirus and "security" companies really are just one half-step away from running a protection racket. In other news: any application, script or installer which asks for admin privileges could run "sudo rm -r /*" and erase your hard disk.
This is one reason installers are evil. They should be used rarely, if ever, because they desensitise users to what's actually happening. You're giving software the right to do anything it likes with your system! Only major vendors (Apple, etc) get the right to dick with my system, and a dialog popping up which asks for your password should always be a red flag. These guys can't sell you software that stands in for _using your brain_!
KarlW said 12:57PM on 3-26-2009
Hands up if the first thing you did was go to that web site
Smith said 7:09PM on 3-26-2009
Guilty!!!
WillGonz said 1:05PM on 3-26-2009
Any programmer could make a trojan for the Mac. Then that program can display pop-ups or turn your computer into a zombie.
First off, with a Mac you can always boot up the system and hold down the "T" key. This will turn your Mac into a mountable hard disc drive. Then connect to the Mac with another Mac via the FireWire port. You will then see the other Mac's HD on the good Mac. Now remove all the malware and you are good to go. No FireWire ports. I heard a rumor that you would be able to use the Ethernet port, if not now then later.
WillGonz said 1:11PM on 3-26-2009
Oh, if you don't have another Mac handy you can always boot from external devices. Install Leopard on an external USB or FireWire HD. You can boot from it. Once booted, remove all that is bad. Of course most malware on a Mac is easy to remove. But if it ever gets as bad as the Windows world, at least it will be easier to remove.
Dave said 1:17PM on 3-26-2009
So once again, don't be stupid (download programs from unconfirmed sources, visit strange web sites, etc.) and you'll get by just fine.
KA said 1:40PM on 3-26-2009
OS X should require a security certificate for authenticated installers.
Adam Franke said 1:45PM on 3-26-2009
How is this even possibly considered a virus or trojan? All it does is change DNS settings, which would have little effect anyways if you use a half decent ISP. Now Conficker, that's a damn virus. Here's what the latest version does: "Conficker.C, which surfaced earlier this month, shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan. It also reaches out to other infected computers via peer-to-peer networking and includes a list of 50,000 different domains, of which 500 will be contacted by the infected computer on April 1 to receive updated copies or other malware or instructions. Previous Conficker variants were written to connect to 250 domains a day."
So how is that at all comparable to what the video was showing?
Dave said 1:53PM on 3-26-2009
This does fall under the category of a Trojan horse, not because of what it does but because of how it operates.
There are a lot of ISPs out there and not all of them block every malicious DNS server. By re-routing DNS requests the Trojan can essentially send the user wherever the Trojan author wants. This can lead to seemingly countless other crimes, ranging from DoS attacks to identity theft.
Bryan said 2:01PM on 3-26-2009
And someone might break into my house if I leave the keys on the door.
rotovibe said 3:02AM on 3-27-2009
Actually any "decent" burglar will be suspicious of a door with keys inserted. That's kinda reverse psychology. Aaaaaand maybe that's why we don't have that much of a threat with Macs: that lack of paranoia.
Erik said 2:03PM on 3-26-2009
"...and that's why you need to be very careful what you download off the net, whether you're a Windows user or a Mac user."
While the above statement may be true in some sense, I think that it's a bit disingenuous to lump Windows and Mac OS X together in that way, as if there is a widespread epidemic of malware, downloadable from the web, that Mac users need to be wary of. That privilege belongs, almost exclusively, to Windows users.
Tino Klumpen said 2:28PM on 3-26-2009
I'm really sure they made this trojan themselves.
I would if I were Sophos, Intego, Symantec or Norton.
$$, and they happily lived ever after...
Kmobs said 2:29PM on 3-26-2009
If you use IE7 or Firefox, you wouldn't get the malware on a PC either. 99.9% of malware comes from installing things on a PC, just how it happens on a Mac. TUAW just doesn't want to admit that Windows has become secure now.
uptnjeff said 3:23PM on 3-26-2009
And what they DON'T show you is that the .dmg may have malware attached; you'd still have to type in your password to actually install it to have any effect on your computer.
Granted, if it were me, I'd most likely type the password w/o a second thought, but I'd have been wary of the .exe file for sure, and would have stopped there.
Ok.. so of the BILLIONS of web sites out there, we have ONE that looks bad for Macs.
michas_pi said 8:20PM on 3-26-2009
One website is all it takes.
jbelkin said 3:23PM on 3-26-2009
this is why FLASH is pointless - anything requiring a plug-in that requires updating - dumb as rocks. Anything on the web that requires users to jump through hoops is pointless ... yea, yea, and a pro burglar can break into my house in 8 weeks, point NOT taken. I'll be sure and watch my Mac if I'm in a lab at these virus places - otherwise, zero for 9 years and 60 million OS X users ...
Julian said 3:56PM on 3-26-2009
solution: program your router to use OpenDNS and use VLC for all your video watching needs..