The tubes are ablaze today with news from CNN of the first ever latest malicious program to be found on the Mac. The trojan was first discovered in January but it did not receive wildfire-like popularity until recently when two experts at Symantec published a bulletin on the subject of the malware.

The trojan, named "iBotnet" (get it?), has only affected a few thousand Macs in the wild and it is currently not known to do any real harm. Should you be concerned? Well, the answer to that depends on whether you're a software pirate or not. The distribution method for this particular piece of malware is through the downloading of certain bootlegged copies of Apple's iWork.

Brian Krebs over at the Washington Post details some information about the actual first botnet specifically for the Mac. He points out that the current media storm is for a trojan that was actually discovered in January. He goes on to mention that the first botnet for the Mac was actually released in 2006 and targeted both Macs and PCs alike.

In other news, sales of Symantec's Norton AntiVirus shot up following the release of the security bulletin and subsequent frenzy of coverage. Actually, this is not true (at least to this humble blogger's knowledge); but it does pose an interesting question. Who profits most from the release of malware on any platform? One thing we know for sure, though, is that the end-user is definitely losing out in this game.

The moral of this story: stop all the downloading! Thanks G.I. Joe! In all seriousness, though, the majority of malware on the Mac (and on the PC) is distributed through nefarious chains of content acquisition. Be careful out there when clicking links and downloading files or programs from sites that you may not trust.

Thanks to everyone who sent this in!

Apple Mac malware: Caught on camera from Sophos Labs on Vimeo.

It's not every day that you can watch Mac malware in action, but the team at Sophos Labs has put together the demonstration video above; it shows a malicious installer downloaded from a site pretending to serve up an HD video player, which actually carries the RSPlug-F trojan. Even though Mac users would still have to provide admin credentials to install the application (unlike Windows users, who might catch the Zlob malware just by visiting the webpage), it would be perfectly natural to go ahead and authenticate after downloading an installer... but not a good idea in this case. The fake site and bogus application are appearing in two versions, one billed as MacCinema and another trying to steal the goodwill of a legitimate Windows app called HDTV Player (the real app is from blazevideo.com).

RSPlug-F does try to change your DNS settings to point at bad-guy controlled servers, which could conceivably result in you being redirected to malicious or phony sites; however, if your ISP is on the ball, those bogus DNS servers are already blocked. The only way to catch this bit of malware is via the installer, but it's easy to see how an innocent Mac user might be fooled by the convincing-seeming download site.

[H/T Ars Technica Infinite Loop]

The folks over at Intego let the world know about a new trojan making the rounds along with copies of an application designed to crack Adobe Creative Suite 4. They consider the risk "serious."

If you don't download software using peer-to-peer tools like BitTorrent, then you're perfectly safe. You can stop reading this story, if you like. If you're one of the 5,000 people who recently downloaded and installed the serial crack, then you have a bad day ahead of you.

The malware, after asking for your administrator password, installs an executable with a random name in /var/tmp, a folder that isn't deleted when the computer restarts.

The randomly-named program will install itself in /usr/bin/DivX, create a startup item in /System/Library/StartupItems/DivX, and if it has root privileges, save a hash of your password in the file /var/root/.DivX.

The software then listens on a random TCP port and awaits instructions from its evil overlords. With an infected computer's root password, those in control of the software will be able to execute commands on the infected computer, including deleting files and performing malicious network tasks.

Late last week, pirated copies of iWork '09 were infected with similar malware.

Intego VirusBarrier X4 and X5, as you might imagine, protect you against the Trojan. Either looking for (and removing) the files mentioned above or using a virus removal utility is recommended.

Also recommended: Not downloading pirated software (and their associated tools) on peer-to-peer networks. If you do choose to get your software that way, you have nobody to blame but yourself if your system gets infected.

Our friends at Intego sent out an alert this morning, warning users about a new variant of the RSPlug trojan horse, found on several adult websites. The risk to users is classified as "medium."

RSPlug trojans, themselves a form of DNSChanger, change local DNS settings to redirect to phishing sites for banks, PayPal, and eBay. All these trojans must be downloaded at the user's request, and an administrator password has to be supplied.

When visiting certain sites, the user is alerted that there is a "Video ActiveX Object Error" and is told that their "Browser cannot play this video file." The alert instructs the user to download the "missing Video ActiveX Object." If the user clicks OK, a disk image called "cleanlive.dmg" downloads (which may change in the future). Depending on the user's browser settings, this disk image may mount and installation may automatically start.

Intego VirusBarrier X5 users are, as you might imagine, already protected. Updating your virus definitions today will improve detection.

And, as always, be careful where you put your mouse online.

The fine folks at Intego sent out a warning this morning about MacGuard, a bogus piece of software that claims to clean up your system and remove adware, spyware, and trojans. It doesn't.

According to the warning, MacGuard is simply a clone of a Windows app called WiniGuard. The company releasing the software, Innovagest 2000 SL, may be using the credit card numbers they harvest during the purchase process for "nefarious purposes."

WiniGuard "hijacks the user's desktop and typically displays exaggerated or false claims of spyware found to frighten the user into paying for the program," according to Sunbelt Malware Research Labs.

While our fine readers wouldn't get suckered into such a scheme, parents, grandparents, aunts and uncles might not be so educated. If you know someone with a Mac who might fall for this, do them a favor and forward them this warning.

The MacGuard website is at macguard.net.

With the recent trojan scare PC Tools' timing for the beta release of iAntiVirus for Mac could hardly be better. While there are a variety of anti-virus applications for the Mac, iAntiVirus seems to be especially designed to reduce resource usage by simply ignoring virus signatures for Windows. The idea is that your Mac is immune to Windows viruses so why waste memory, etc. scanning for them? Otherwise iAntiVirus is pretty conventional with a menubar interface and real-time scanning.

In some ways I'm of two minds about this approach. It's true that I don't allow any Windows boxes on my home network so having a Mac-only solution makes sense. However, by not scanning for non-Mac viruses it's possible that your Mac might unwittingly pass along a virus or trojan by email, etc. I run an Enterprise version of Sophos provided by my University and I've been surprised by how many Windows virus signatures it has picked up on my machine from various downloads.

iAntiVirus is a free download, but virus definitions and updates are $29.95 for one year.

[via Macworld]

In the wake of the ARDAgent vulnerability discovered yesterday, we all have something new to look out for: OSX.Trojan.PokerStealer is the official name of a trojan horse masquerading as a poker game. The trojan is distributed in a 65K .zip archive.

According to security company Intego, running the trojan activates SSH, and transmits the username, password hash, and IP address of the computer to a server. It asks for an administrator's password after displaying a message about a corrupt preference file that needs to be repaired.

The "PokerGame" application is 159,843 bytes, and includes the text "Copyright 2008 Andrew" in the version information (visible in Get Info).

As always, please remember to use extreme caution when running applications downloaded from the Internet, or received via email.

Thanks to Rosaline from Intego for the heads-up.

SecureMac has identified AppleScript.THT, a trojan-horse type virus of malware that exploits a Apple Remote Desktop Agent vulnerability publicized earlier this week that can "allow a malicious user complete access to the system."

The malware is distributed as a compiled AppleScript, named ASthtv05, or an application bundle named AStht_v06. The files are 60K and 3.1MB in size, respectively.

Users must download and run the scripts in order for their computer to become infected. The trojan will install itself in the /Library/Caches folder, and will set itself to run at startup.

To protect yourself, use extreme caution when running AppleScript files or applications sent to you in an email, or downloaded from the internet.

While we can't say for sure that these are the same people that developed this malware, you can read about the evolution of a very similar exploit script here, including a June 14th mention of the ARDAgent vulnerability. Very depressing.

We recently mentioned the new OS X malware that's floating around the (nether side) of the net these days. Over at Macworld, Rob Griffiths has an extensive article discussing the ways you can tell if a piece of downloaded software is fishy. The tips range from the obvious (only download from trusted sources) to the arcane (diving into packages to examine the installer components). The overall strategy is to examine the software carefully and look for tell-tale signs that it's not legitimate.

In any case, it should give you a good set of strategies to use when evaluating a questionable download.

Damien went into detail about the "hacker challenge" story and, as he explained, it's much ado about nothing— for now. Clearly, this Mac security thing is only going to get more important. Even Headline News had a largely exaggerated report on the Bluetooth exploit found a while ago... So what is the average Mac user supposed to do? It's all well and good if you're a sysadmin and you can do stuff like lock down a server, but if you just bought your iBook and you are now cowering in a corner because you're afraid to even open the thing (knowing that you will automatically "catch" something), what then? Read on, as I have some stories and advice for you.

First it is important to note that the most likely vector of any computer attack is human. And keep in mind the difference between a vector of attack (like the SSH "hack" mentioned by Damien), and a payload, which would be a true virus or Trojan. A worm is a vector, but it might deploy a payload. Make sense? Anyway, the point is humans are the weakest link in the whole chain, yet also the most important in stopping any attack. It is this central fact that makes almost all OS'es equal in terms of security. You are only as good as the people who use a system, and those who set it up. Case in point: phishing.

Phishing is a huge problem, and easy to set up. You get an email claiming some guy is your long-lost relative, and he needs some money to get out of jail. If he gets out, he'll double your money. Or, even easier to trick (but harder to set up) is the fake URL scam, where it looks like Paypal or ebay (common targets) is sending you a letter about your account. This is the true phishing scenario, played out millions of times a day on the internet. Just click on the link to "verify" your account info, or it will be deleted. Unfortunately, the link will take you to a spoofed site, and you'll be typing your sensitive info into a trap designed to steal your passwords and credit card numbers. These are spins on classic grifters' tricks, and phishing scams aren't very well guarded on OS X. Microsoft and Mozilla are trying to attack this problem with tools in their browsers (or in email clients) that will alert you to spoofed websites. So what can you do on OS X? First, check out the US government's guide to avoiding phishing scams. Second, make sure you're using something to filter spam, as this will often catch a lot of generic phishing scams. If you use Firefox, Netcraft has a toolbar that will supposedly guard against phishing, but I haven't tried it. It essentially checks URL's for you. Third, use common sense. Would ebay really send out an email to an account and NOT use their username? Of course, the common sense cure is the hardest one to invoke...

One more thing about the human vector: it's all about education. You have to teach people the rules of the road, yes? Well you'll have to educate yourself or others on some basic security precautions, especially if you are the cautious type. One common concept is to never share passwords. Also, most people would recommend you don't use the same password for everything you do. And since we're talking about passwords, don't forget to change them often, and use combos of letters, numbers, and uppercase/lowercase where appropriate. If you want a freeware tool for making passwords, there's Pazzle. With Keychain, I have a bad good habit of just setting a great password, but instantly forgetting it. Let's just hope I back up my Keychain database on a regular basis, eh? Oddly enough, Wayne State has a quick little ditty on setting passwords, and of course Wikipedia has the whole history plus some ideas too. Without exposing my own tricks, I can say that if I have to remember it, I'm more likely to use l33t type spelling for relatively common stuff. Maybe not the most secure in the world, but more secure than "Fluffy" or "PHilton." And did you know OS X includes a password helper, to help create good passwords? It's all here on this Tiger Tips page. Essentially you click the little question mark (or key, as in FileVault it was a question mark, but sometimes it's a key, as in the pic on the Apple page, go standard GUI!) and a tiny dialog pops open to help you make a password. Pretty slick.

Tiger introduced a ton of very necessary security features too (aside from the password helper). Stuff most people don't think about is now included, like Kerberos support in VPN, secure virtual memory, and a certificate assistant. A lot of these things are hard to find to the uninitiated, which I guess is good, since most folks won't use them. So instead, let's go over some more basic things you can do to protect yourself (after the jump).

My money is on this being another proof-of-concept design, but Sophos is listing a new Mac Trojan, dubbed Mac/Cowhand-A, which lets other people gain control of your Mac: "Mac/Cowhand-A is a proxy Trojan for the Mac OSX platform. The Trojan may copy itself to the user's Preferences folder. In order to run itself on startup, the Trojan may add itself to the user's Startup Items."  It's supposedly a Tiger trojan (say that three times fast), but it's listed on the low-end of Sophos's prevalence chart.

The Chicken Littles among you may want to update all your virus software, but I'm going to go out on a limb and say that Sophos is trying to gain some attention / sell some security. Why do I post about this then? Why, as an excuse to use my all time favorite picture, of course!

[auf Deutsch via Heise Security und fscklog]