Showing posts with label RSPlug. Show all posts

Thursday, 27 August 2009

A Primer on Trojan Horses and Their Aliases

--
There actually is a standard naming system for malware. But very few anti-malware developers care. Therefore, we end up with a bunch of names for exactly the same malware. The CNET POS article mentioned previously, not worth reading HERE, demonstrates the problem. Here are some translations. I list the standard name first, then the extraneous names after:

The Trojan.OSX.RSPlug series is aka "DNSChanger" and "Jahlav" and "Puter".

Trojan.OSX.Lamzev is aka "Malez"

Trojan.OSX.PokerStealer is aka "Corpref"

The Trojan.OSX.iServices series is the fourth current Trojan type for Mac OS X. I'm unaware of any aliases so far.

Scan backward through my previous posts for coverage on each of these Trojans.




Count with me!





As of today:
  • The RSPlug series has variants A through P. That equals 16 variants. (When I checked last week there were 13 variants, so some mean old crackers have been very busy).
  • The Lamzev Trojan has no variants. Add 1.
  • The iServices series has variants A through C. That equals 3 variants. (The C variant is recent).
  • The PokerStealer Trojan has no variants. Add 1.

Count them all together and what do we got?

The number 21!
That's 21 Trojans!

BwaHaHa!

I am using the iAntiVirus Threat Database maintained by PC Tools as my source. Their list of Mac malware has flaws, but at least they have one. Who else bothers? Certainly not Intego! (Ahem! hint! hint!)

Just for comparison: I was hanging out at the ClamXav forum yesterday and someone pointed out that as of June there were 574,043 malware signatures in ClamAV. Let's see... take away 21... that's somewhere around 574,022 Windows malware in the wild. A little more math and that comes to 1 Mac OS X malware for every 27,334 Windows malware. Wait! Wait! What was that?!

1 : 27,334!

So who was the dope who thought up that 'security by obscurity' myth?
I don't think so.
--

Monday, 6 July 2009

Quickie Reviews of ClamXav, iAntiVirus and MacScan

--
Recently, I've been testing the free anti-malware options for Mac. At the moment, none of them are perfect. But there is progress! Below are posts I made this week over at the VersionTracker.com sites regarding iAntiVirus, ClamXav and MacScan:

I) MacScan Is Unreliable:
I've tested MacScan several times over the course of several versions. The results are consistently flaky. It is impossible to get it to detect items reliably. Instead you have to run it over and over and over and over to get the thing to pick up everything.

For some purposes, like detecting the full raft of 'legal' Mac Spyware and Tracking Cookies, this is the only show in town. But OMG does it suck. IMHO MacScan requires an entire rewrite in order to get a rating better than one star. The developers have done some nice things like providing some sort-of working removal tools for current Trojans. So they aren't evil. They're just lousy programmers.

II) iAntiVirus Is Basic, Not Perfect, Mostly Works:
Keep in mind that this thing is FREE:

Despite some outright dishonest flame reviews of iAntiVirus here at VT, it actually does work, mostly. I let it loose on a folder full of Trojans a friend shared with me and it successfully found MOST of them:

Trojan.OSX.RSPlug.C, D & F
Trojan.OSX.iServices.A & B

Problems:
1) It did NOT find Trojan.OSX.RSPlug.E, of which I had a number of copies in my folder-full-of-Trojans. That is upsetting.
2) It also uses wrong names for the iServices Trojans. But sadly, despite a clear naming convention for malware, hardly anyone bothers, which is of course pathetic.
3) The app only gives you two choices when it finds malware: Either remove the malware or nothing. There is no sophistication to this app whatsoever.

Maybe the 'Pro' version is way better. I don't know. The PC Tools website certainly 'claims' iAntiVirus detects all the current Mac malware. Judging from the free version, it only finds some Mac malware. Maybe I'll test the Pro version some time.

In the meantime, I own Intego VirusBarrier, which frankly is the ONLY anti-malware app for Macs I can recommend. It works great, detects everything, is updated daily, is entirely reliable, is never a CPU hog, and has all the bells and whistles you could want.

If you want to stick with free stuff, the best idea is to use BOTH iAntiVirus AND ClamXav. Between the two of them you're probably just fine. This is thanks to the fact that the excellent author of ClamXav went out of his way to convince the ClamAV project to accept contemporary Mac malware sample definitions. *Applause*

Addendum: I should note that iAntiVirus also fails to detect RSPlug.I and .L.

III) ClamXav: Progress! But Still Waiting For Full Mac Malware Detection:
Recently, ClamXav developer Mark Allen went out of his way to convince the ClamAV project to accept contemporary Mac malware samples for definition integration. *Applause*

However, my testing today shows only partial progress from the ClamAV project.

MY TEST: A friend provided me with a large collection of recent Mac Trojan horses including all the iServices and RSPlug malware. There were 18 samples in all. I used them as my testing ground.

RESULTS: ClamXav, via the latest engine and definitions of ClamAV, found 10 of them and successfully put them into my quarantine folder.

As my control, I used Intego VirusBarrier, latest version with current definitions. It found all but one of the malware. (The undetected malware was a .pkg with the payload inside a .bom file).

What ClamXav, via ClamAV, didn't detect:
DMG files containing:
RSPlug.D
RSPlug.E
RSPlug.F
RSPlug.I
RSPlug.L

I'm testing iAntiVirus, (runs on Mac OS X Leopard only). But it too is unable to detect RSPlug.E [as well as .I and .L].

CONCLUSIONS:

1) ClamXav is the best of the free anti-malware application options. But the ClamAV database of current Mac malware is still not completely up to date. However, it is far better than it was a couple months ago thanks to Mark Allen's work.

2) Even with the combination of ClamXav and iAntiVirus, it is still possible to have a current Mac Trojan sneak by. But then again, Intego VirusBarrier missed one as well, possibly due to the way the Trojan was packaged.

A high quality paid anti-malware application remains the best way to go for professional use. But for casual use, ClamXav is the best, despite remaining ClamAV deficiencies. I would combine it with iAntiVirus as well if you are running Mac OS X Leopard.
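
An added example, not part of the original posts: one way to fold the aliases translated above into the standard names, so that reports from two scanners can be compared and the samples that neither one flagged stand out. The scanner names, the sample set and the reported name strings are constructed for illustration; the miss pattern mirrors the one described in the tests above.

```python
import re

# Alias -> standard family, from the post's translation list (lower-cased keys).
ALIASES = {
    "rsplug": "RSPlug", "dnschanger": "RSPlug", "jahlav": "RSPlug", "puter": "RSPlug",
    "lamzev": "Lamzev", "malez": "Lamzev",
    "pokerstealer": "PokerStealer", "corpref": "PokerStealer",
    "iservices": "iServices",
}
# Optional "Trojan."/"OSX." prefixes, a family or alias, optional one-letter variant.
NAME_RE = re.compile(r"^(?:trojan[./])?(?:osx[./])?([a-z]+)(?:[.-]([a-z]))?$", re.I)

def normalize(name):
    """Return 'Trojan.OSX.<Family>.<Variant>', or None for an unrecognised name."""
    m = NAME_RE.match(name.strip())
    family = ALIASES.get(m.group(1).lower()) if m else None
    if family is None:
        return None
    # Assumption: a name with no variant letter means the first variant, "A".
    return f"Trojan.OSX.{family}.{(m.group(2) or 'A').upper()}"

def coverage(samples, reports):
    """Return (hits per sample, samples no scanner flagged, unmatched report lines)."""
    hits = {s: set() for s in samples}
    unmatched = []
    for scanner, names in reports.items():
        for raw in names:
            std = normalize(raw)
            if std in hits:
                hits[std].add(scanner)
            else:
                unmatched.append((scanner, raw))
    missed = sorted(s for s, who in hits.items() if not who)
    return hits, missed, unmatched

# Constructed sample set and reports; scanner names and reported strings are hypothetical.
SAMPLES = [f"Trojan.OSX.RSPlug.{v}" for v in "CDEFIL"] + [
    "Trojan.OSX.iServices.A", "Trojan.OSX.iServices.B"]
REPORTS = {
    "scanner_a": ["DNSChanger.C", "OSX.iServices.A", "OSX.iServices-B", "Unknown.Gen"],
    "scanner_b": ["Jahlav.C", "Jahlav.D", "Trojan.OSX.RSPlug.F",
                  "iServices.A", "iServices.B"],
}

if __name__ == "__main__":
    hits, missed, unmatched = coverage(SAMPLES, REPORTS)
    print("missed by every scanner:", missed)
    print("unmatched report lines:", unmatched)
```

Report lines that do not normalise to a known family are returned as unmatched rather than dropped, so a new alias shows up for review instead of silently lowering the detection count.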
--

Saturday, 16 May 2009

Current List of Mac OS X Active Malware

--
This evening I was busy over at the ClamXav forum. In response to a suggestion there, I provided a current list of Mac OS X active malware. I decided to cross-post the list here as well:

Below is a list of all the Mac OS X active malware I am aware of. I've been attempting to keep up to date on this subject since 2005. I have a blog where I share all my knowledge of Mac security:

http://mac-security.blogspot.com

As far as I am able to ascertain, the only active Mac OS X malware ClamAV is able to detect is Trojan.OSX.RSPlug.A (aka DNSChanger.A). In a previous thread I have asked for help trying to determine if any further Mac OS X malware are detected.

Note that there is only one official standard name for each of the 11 malware. This is what I use to name each family. However, anti-malware providers call them anything they choose. This is why I provide alternative names. There are four families of Trojans listed below with various strains/versions/variants designated by "A" through however many exist for the family. In the case of RSPlug I list A through G specifically because the PCTools site lists that many. Most other sites list only A through F.

If anyone knows of further names for these malware, or of any further ACTIVE malware (please not inert or proof-of-concept malware) please let me know at my blog.

The current list of active Mac OS X malware as of 2009-05-17:

I) Trojan.OSX.RSPlug family, aka DNSChanger or Jahlav.
01) Trojan.OSX.RSPlug.A
02) Trojan.OSX.RSPlug.B
03) Trojan.OSX.RSPlug.C
04) Trojan.OSX.RSPlug.D
05) Trojan.OSX.RSPlug.E
06) Trojan.OSX.RSPlug.F
07) Trojan.OSX.RSPlug.G

II) Trojan.OSX.Lamzev family, aka Malez.
08) Trojan.OSX.Lamzev.A

III) Trojan.OSX.PokerStealer family, aka Corpref.
09) Trojan.OSX.PokerStealer.A

IV) Trojan.OSX.iServices family.
10) Trojan.OSX.iServices.A
11) Trojan.OSX.iServices.B

Sources of these malware:

The RSPlug family are all offered by websites that tell you that you must install their file or program in order to access specific media they are offering. Originally these Trojans showed up on porn sites where you were told to download a video codec in order to view their videos. These days the websites could be telling you anything. The basic idea is to use 'Social Engineering' to fool you into installing their Trojan. The most recent of these Trojans can potentially zombie your computer and use it in a botnet.

Lamzev is a hacker tool used to create backdoor access into a computer. The only way to 'catch' it is if a hacker has physical access to your computer and hand-installs it. Note that there are plenty of other hacker tools around, but this is the only one listed as a Trojan because of the potential damage it can do to a victim computer.

PokerStealer originally called itself "PokerGame". You download it, install it and are infected. The original version put up a bogus warning message that a corrupt preference file had been detected and that your administrative password was required to repair it. It then sends your ID, password and IP address to crackers who can then access your computer via SSH and do whatever they like with it. Theoretically this Trojan can be named anything.

iServices showed up earlier this year in pirated programs, buried inside their installer. The original A and B variants were buried in pirated versions of iWork '09 and Photoshop CS4. You install the pirated program and get infected. There are reports that the installers actually fail to install the listed program and only install the Trojan. In any case, iServices zombies your computer and makes it part of a botnet. This Trojan formed the first officially verified Mac botnet back in February. It apparently consists of thousands of computers. It has so far been used in a DDoS attack. Note that once a Mac is zombied, the 'bot wrangler' or cracker-in-charge can do anything they like with the computer. This particular zombie botnet is so far being used for money making ventures over the Internet.

If/when further Mac OS X active malware is discovered I'll list it in my blog.
--
