
Thursday, 27 August 2009

A Primer on Trojan Horses and Their Aliases

--
There actually is a standard naming system for malware. But very few anti-malware developers care. Therefore, we end up with a bunch of names for exactly the same malware. The CNET POS article mentioned previously (not worth reading, but it's HERE) demonstrates the problem. Here are some translations. I list the standard name first, then the extraneous names after:

The Trojan.OSX.RSPlug series is aka "DNSChanger" and "Jahlav" and "Puter".

Trojan.OSX.Lamzev is aka "Malez"

Trojan.OSX.PokerStealer is aka "Corpref"

The Trojan.OSX.iServices series is the fourth current Trojan type for Mac OS X. I'm unaware of any aliases so far.

Scan backward through my previous posts for coverage on each of these Trojans.

Count with me!

As of today:
  • The RSPlug series has variants A through P. That equals 16 variants. (When I checked last week there were 13 variants, so some mean old crackers have been very busy).
  • The Lamzev Trojan has no variants. Add 1.
  • The iServices series has variants A through C. That equals 3 variants. (The C variant is recent).
  • The PokerStealer Trojan has no variants. Add 1.

Count them all together and what do we got?

The number 21!
That's 21 Trojans!

BwaHaHa!

I am using the iAntiVirus Threat Database maintained by PC Tools as my source. Their list of Mac malware has flaws, but at least they have one. Who else bothers? Certainly not Intego! (Ahem! hint! hint!)

Just for comparison: I was hanging out at the ClamXav forum yesterday and someone pointed out that as of June there were 574,043 malware signatures in ClamAV. Let's see... take away 21... that's somewhere around 574,022 Windows malware in the wild. A little more math and that comes to 1 Mac OS X malware for every 27,334 Windows malware. Wait! Wait! What was that?!

1 : 27,334!

So who was the dope who thought up that 'security by obscurity' myth?
I don't think so.
--

Monday, 6 July 2009

Quickie Reviews of ClamXav, iAntiVirus and MacScan

--
Recently, I've been testing the free anti-malware options for Mac. At the moment, none of them are perfect. But there is progress! Below are posts I made this week over at the VersionTracker.com sites regarding iAntiVirus, ClamXav and MacScan:

I) MacScan Is Unreliable:
I've tested MacScan several times over the course of several versions. The results are consistently flaky. It is impossible to get it to detect items reliably. Instead you have to run it over and over and over and over to get the thing to pick up everything.

For some purposes, like detecting the full raft of 'legal' Mac Spyware and Tracking Cookies, this is the only show in town. But OMG does it suck. IMHO MacScan requires an entire rewrite in order to get a rating better than one star. The developers have done some nice things like providing some sort-of working removal tools for current Trojans. So they aren't evil. They're just lousy programmers.

II) iAntiVirus Is Basic, Not Perfect, Mostly Works:
Keep in mind that this thing is FREE:

Despite some outright dishonest flame reviews of iAntiVirus here at VT, it actually does work, mostly. I let it loose on a folder full of Trojans a friend shared with me and it successfully found MOST of them:

Trojan.OSX.RSPlug.C, D & F
Trojan.OSX.iServices.A & B

Problems:
1) It did NOT find Trojan.OSX.RSPlug.E, of which I had a number of copies in my folder-full-of-Trojans. That is upsetting.
2) It also uses wrong names for the iServices Trojans. But sadly, despite a clear naming convention for malware, hardly anyone bothers, which is of course pathetic.
3) The app only gives you two choices when it finds malware: Either remove the malware or nothing. There is no sophistication to this app whatsoever.

Maybe the 'Pro' version is way better. I don't know. The PC Tools website certainly 'claims' iAntiVirus detects all the current Mac malware. Judging from the free version, it only finds some Mac malware. Maybe I'll test the Pro version some time.

In the meantime, I own Intego VirusBarrier, which frankly is the ONLY anti-malware app for Macs I can recommend. It works great, detects everything, is updated daily, is entirely reliable, is never a CPU hog, and has all the bells and whistles you could want.

If you want to stick with free stuff, the best idea is to use BOTH iAntiVirus AND ClamXav. Between the two of them you're probably just fine. This is thanks to the fact that the excellent author of ClamXav went out of his way to convince the ClamAV project to accept contemporary Mac malware sample definitions. *Applause*
Addendum: I should note that iAntiVirus also fails to detect RSPlug.I and .L.

III) ClamXav: Progress! But Still Waiting For Full Mac Malware Detection:
Recently, ClamXav developer Mark Allen went out of his way to convince the ClamAV project to accept contemporary Mac malware samples for definition integration. *Applause*

However, my testing today shows only partial progress from the ClamAV project.

MY TEST: A friend provided me with a large collection of recent Mac Trojan horses including all the iServices and RSPlug malware. There were 18 samples in all. I used them as my testing ground.

RESULTS: ClamXav, via the latest engine and definitions of ClamAV, found 10 of them and successfully put them into my quarantine folder.

As my control, I used Intego VirusBarrier, latest version with current definitions. It found all but one of the malware. (The undetected malware was a .pkg with the payload inside a .bom file).

What ClamXav, via ClamAV, didn't detect:
DMG files containing:
RSPlug.D
RSPlug.E
RSPlug.F
RSPlug.I
RSPlug.L

I'm testing iAntiVirus (it runs on Mac OS X Leopard only). But it too is unable to detect RSPlug.E [as well as .I and .L].

CONCLUSIONS:

1) ClamXav is the best of the free anti-malware application options. But the ClamAV database of current Mac malware is still not completely up to date. However, it is far better than it was a couple months ago thanks to Mark Allen's work.

2) Even with the combination of ClamXav and iAntiVirus, it is still possible to have a current Mac Trojan sneak by. But then again, Intego VirusBarrier missed one as well, possibly due to the way the Trojan was packaged.

A high quality paid anti-malware application remains the best way to go for professional use. But for casual use, ClamXav is the best, despite remaining ClamAV deficiencies. I would combine it with iAntiVirus as well if you are running Mac OS X Leopard.
--

Saturday, 16 May 2009

Current List of Mac OS X Active Malware

--
This evening I was busy over at the ClamXav forum. In response to a suggestion there, I provided a current list of Mac OS X active malware. I decided to cross-post the list here as well:

Below is a list of all the Mac OS X active malware I am aware of. I've been attempting to keep up to date on this subject since 2005. I have a blog where I share all my knowledge of Mac security:

http://mac-security.blogspot.com

As far as I am able to ascertain, the only active Mac OS X malware ClamAV is able to detect is Trojan.OSX.RSPlug.A (aka DNSChanger.A). In a previous thread I have asked for help trying to determine if any further Mac OS X malware are detected.

Note that there is only one official standard name for each of the 11 malware. This is what I use to name each family. However, anti-malware providers call them anything they choose. This is why I provide alternative names. There are four families of Trojans listed below with various strains/versions/variants designated by "A" through however many exist for the family. In the case of RSPlug I list A through G specifically because the PCTools site lists that many. Most other sites list only A through F.

If anyone knows of further names for these malware, or of any further ACTIVE malware (please not inert or proof-of-concept malware) please let me know at my blog.

The current list of active Mac OS X malware as of 2009-05-17:

I) Trojan.OSX.RSPlug family, aka DNSChanger or Jahlav.
01) Trojan.OSX.RSPlug.A
02) Trojan.OSX.RSPlug.B
03) Trojan.OSX.RSPlug.C
04) Trojan.OSX.RSPlug.D
05) Trojan.OSX.RSPlug.E
06) Trojan.OSX.RSPlug.F
07) Trojan.OSX.RSPlug.G

II) Trojan.OSX.Lamzev family, aka Malez.
08) Trojan.OSX.Lamzev.A

III) Trojan.OSX.PokerStealer family, aka Corpref.
09) Trojan.OSX.PokerStealer.A

IV) Trojan.OSX.iServices family.
10) Trojan.OSX.iServices.A
11) Trojan.OSX.iServices.B

Sources of these malware:

The RSPlug family are all offered by websites that tell you that you must install their file or program in order to access specific media they are offering. Originally these Trojans showed up on porn sites where you were told to download a video codec in order to view their videos. These days the websites could be telling you anything. The basic idea is to use 'Social Engineering' to fool you into installing their Trojan. The most recent of these Trojans can potentially zombie your computer and use it in a botnet.

Lamzev is a hacker tool used to create backdoor access into a computer. The only way to 'catch' it is if a hacker has physical access to your computer and hand-installs it. Note that there are plenty of other hacker tools around, but this is the only one listed as a Trojan because of the potential damage it can do to a victim computer.

PokerStealer originally called itself "PokerGame". You download it, install it and are infected. The original version put up a bogus warning message that a corrupt preference file had been detected and that your administrative password was required to repair it. It then sends your ID, password and IP address to crackers who can then access your computer via SSH and do whatever they like with it. Theoretically this Trojan can be named anything.

iServices showed up earlier this year in pirated programs, buried inside their installer. The original A and B variants were buried in pirated versions of iWorks 09 and Photoshop CS4. You install the pirated program and get infected. There are reports that the installers actually fail to install the listed program and only install the Trojan. In any case, iServices zombies your computer and makes it part of a botnet. This Trojan formed the first officially verified Mac botnet back in February. It apparently consists of thousands of computers. It has so far been used in a DDoS attack. Note that once a Mac is zombied, the 'bot wrangler' or cracker-in-charge can do anything they like with the computer. This particular zombie botnet is so far being used for money making ventures over the Internet.

If/when further Mac OS X active malware is discovered I'll list it in my blog.
--

Thursday, 14 May 2009

Proof Of Concept Trojan.OSX.Tored.A & Related Rants

--
Last month an e-mail-distributed proof-of-concept (aka nonfunctional) malware program was discovered for Mac OS X. A couple of different companies claim they 'discovered' it. It is being labeled as a 'worm' because it is able to replicate itself after infection. It does not qualify as a virus because it does not damage the host computer. However, it is actually a Trojan horse because it requires user error in order to be installed. Its worm behavior is therefore secondary and cannot be used in its name. Sorry. (;_;)

Rant: I'm a biologist who became addicted to Mac technology and works as a professional Mac technologist. So how come I, without a computer science degree, am able to distinguish a Trojan horse from a worm while professional computer security companies can't? I am thoroughly baffled. Was there perhaps one person who made the initial error and everyone followed along like good little sheep? Likely. It became evident eight years ago in the USA that sheep are the 'in' thing to be. Shameful. End of rant.

The best reports I found on Tored.A are over at Intego, F-Secure and CA. The lamest report is at Sophos, not worth linking.

An interesting short article about Tored.A was posted over at the HowStuffWorks blog. I wrote a reply to the article and tossed in some of my usual educational chatter. Here is a repost for your pleasure:

Here are some useful facts:

1) Symantec started the Anti-Mac security FUD campaign back in August 2005. In the intervening three and a half years Mac OS X has failed to be deluged in malware. There was no doom and gloom. The sky did not fall. Symantec continues to make the single worst anti-malware app for Mac. Figures.

2) There is a standard naming system for malware. This is how it works: First comes the type of malware. Tored-A is a Trojan horse. It is NOT a 'worm' until AFTER it has been installed by a computer user, which is of secondary importance. Therefore, the first part of its standard name is 'Trojan'. Second comes the name of the operating system on which it runs. In this case it is 'OSX'. Third comes the identifying 'name' of the malware. The discoverer in this case chose 'Tored'. Why is up to them. Last comes the 'strain' or version of the malware. The first discovered version is called A. Next is B, etc. Take note that despite this long published standard, anti-malware companies usually don't care. That's why there are often many names for exactly the same malware, resulting in needless chaos and confusion.
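The convention just described, and the alias translations in the 27 August post higher on this page, are easy to get wrong by hand once vendors swap the first two fields (Intego's "OSX.Trojan.iServices.A" further down the page) or drop the Type.OS prefix altogether. Below is an added Python example, written for this page and not code from the author or any anti-malware vendor, that parses a name in either field order, maps the vendor aliases the page lists back to the standard family, and counts distinct variants per family. The alias table and the sample name list are constructed from names on this page; treating a bare alias with no Type.OS prefix as a Mac Trojan is an assumption, made because every alias the page lists is one.

```python
import re
from collections import defaultdict

# Standard order from the post: Type.OS.Family.Variant (e.g. Trojan.OSX.RSPlug.A).
# Intego writes the first two fields the other way round (OSX.Trojan.iServices.A),
# and Sophos-style names put a dash before the variant (Tored-A).
KNOWN_TYPES = {"Trojan", "Worm", "Virus", "Backdoor"}
KNOWN_OS = {"OSX", "W32", "Linux"}

# Vendor alias -> standard family, built only from the names listed on this page
# (assumption: the author's translation table, not an authoritative registry).
ALIASES = {
    "dnschanger": "RSPlug",
    "jahlav": "RSPlug",
    "puter": "RSPlug",
    "malez": "Lamzev",
    "corpref": "PokerStealer",
}

NAME_RE = re.compile(
    r"^(?:([A-Za-z0-9]+)\.([A-Za-z0-9]+)\.)?"  # optional Type.OS. prefix, either order
    r"([A-Za-z0-9]+)"                          # family name or vendor alias
    r"(?:[.\-]([A-Z]))?$"                      # optional single-letter variant
)


def parse_name(name):
    """Return (type, os, family, variant) in standard order; variant is None if absent."""
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognisable malware name: {name!r}")
    first, second, family, variant = m.groups()
    if first is None:
        # Bare alias such as "DNSChanger.B": assumed to be a Mac Trojan, since every
        # alias in the table above refers to one.
        first, second = "Trojan", "OSX"
    elif first in KNOWN_OS and second in KNOWN_TYPES:
        first, second = second, first              # Intego order -> standard order
    if first not in KNOWN_TYPES or second not in KNOWN_OS:
        raise ValueError(f"unknown type/OS fields in {name!r}")
    family = ALIASES.get(family.lower(), family)
    return first, second, family, variant


def standard_name(name):
    """Rewrite any accepted spelling as the standard Type.OS.Family[.Variant] string."""
    mtype, os_name, family, variant = parse_name(name)
    base = f"{mtype}.{os_name}.{family}"
    return f"{base}.{variant}" if variant else base


def variant_span(first, last):
    """Variants in an inclusive letter range: ('A', 'P') -> 16, as counted in the post."""
    return ord(last) - ord(first) + 1


def count_variants(names):
    """Distinct variants per standard family across a list of vendor names.
    A name carrying no variant letter is counted as the A strain (assumption)."""
    seen = defaultdict(set)
    for n in names:
        mtype, os_name, family, variant = parse_name(n)
        seen[f"{mtype}.{os_name}.{family}"].add(variant or "A")
    return {family: len(v) for family, v in seen.items()}


# Constructed sample: the page's four families, spelled the way different vendors spell them.
SAMPLE_NAMES = [
    "Trojan.OSX.RSPlug.A", "DNSChanger.B", "Jahlav.C", "OSX.Trojan.RSPlug.C",
    "OSX.Trojan.iServices.A", "Trojan.OSX.iServices.B",
    "Malez", "Trojan.OSX.Lamzev.A",
    "Corpref.A",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n:28} -> {standard_name(n)}")
    print(count_variants(SAMPLE_NAMES))
```

Run stand-alone it prints each sample name beside its standard form and a per-family variant count; the duplicated "C" strain (Jahlav.C and RSPlug.C) collapses to one entry, which is the whole point of normalising before counting.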

3) There never was any such thing as 'security by obscurity' for Mac OS X. The fact is that Mac OS X is incredibly harder to hack than Windows. That is why there are only Trojan Horses for Mac OS X. They require user error in order to break into a Mac. There are no viruses, worms or illegal spyware/adware for Mac OS X for that reason.

Responding to the article:
"Many accounts say that the MacOS is naturally more secure than Windows."

Accounts have nothing to do with it. Mac OS X = UNIX = consistently proven to be the safest operating system commercially available. Its rivals are the Open Source operating systems FreeBSD and OpenBSD, both of which are integrated into Apple's CLI version of UNIX called 'Darwin OS', the basis of Mac OS X. That being said, UNIX / Mac OS X is NOT perfect. Security flaws are frequently being patched. Never at any time was there any myth that Mac OS X was not 'mortal'. If you want hacker heroes, applaud Dr. Charlie Miller and Dino Dai Zovi, the most revered of those who have proven how to break into a Mac (with user error required). They wrote a book about it called "The Mac Hacker's Handbook" published March 2009.

The least secure Apple software is NOT Mac OS X. It is in fact QuickTime, which Apple writes and provides for both Windows and Mac OS X.

Windows was never designed to be secure until Vista. And even then Microsoft significantly failed. Theoretically Windows 7, which is mainly a paid service pack for Vista, may repair this problem, but it has not been proven at this time.

The future: Watch for the Mac malware coming out of Red China. Few people know that China formally declared a "Technology War" against the USA several years ago. China has been successfully cracking into US federal computers since 1998 when they formed The Red Hacker Alliance. Note that this was the year China was provided "Most Favored Nation Status" by the US government. Despite being caught red-handed cracking government computers all over the planet, the USA still maintains this favored status. Conclusion: We are out of our minds. Enjoy the results.
--

Friday, 17 April 2009

The First Reported Mac BOTNET

--
Let me first share news from SANS Institute, then provide a brief perspective on the situation.

Below is a quote from SANS NewsBites Volume 1, Number 30, released last night. (I added some bolding for emphasis). You can sign up for the SANS newsletters HERE.
--Trojan in Pirated Mac Software Helped Create First Mac Botnet
(April 15, 2009)

Malware embedded in pirated versions of Apple's iWork and Adobe Photoshop CS4 for Mac that were available over a peer-to-peer network in January is responsible for what appears to be the first known Mac botnet. The zombie network attempted to launch a distributed denial-of-service (DDoS) attack against an unidentified website. The malware had spread to several thousand computers before it was identified.

http://www.cbc.ca/technology/story/2009/04/15/ibotnet-trojan.html

http://blogs.zdnet.com/security/?p=3157

[Editor's Note (Honan, Schultz): Looks like the Mac platform is an increasingly fruitful target for cyber criminals. ]
Indeed it has. "Several Thousand Computers." This is incredibly sad, but also inevitable.

While all the FUD mongers have a sadism party at our expense, (and they will), keep in mind that NONE of the current Mac malware is able to penetrate any Mac unless the user (often called the 'luser') deliberately installs a Trojan horse on their computer. This happens specifically because the user has been conned by what is called Social Engineering, or, in this case, because the luser is using pirated software that has had the Trojan carefully placed in the installer to go along for the ride. What do you call it when a dirty deed is done to someone pulling a dirty deed? How about 'Dishonor Among Thieves'. It is more like poetic justice, parasite chewing on parasite.

Anyway, Mac Botnets have arrived. What is done with them will be of interest. Typically these days they are used for money making schemes. Go read all the news about the Windows Conficker worm scare of April 1st and beyond. Once created via infection, a botnet can pull off just about anything you can do over the Internet, only in mass numbers at one time.

OK! You're a luser and maybe you did something that could have gotten you infected. Now what?

What NOT to use:

ClamAV. Worthless for Macs. I've covered this disappointment several times.

MacScan. The botnet Trojans are out of its league. It's clunky unreliable software anyway.

Symantec Norton Whatever. I consistently get reports that Norton Anti-Virus continues to be one of the single most buggy and CPU hogging applications you can buy for Macintosh. Symantec also invented the anti-Mac security FUD campaign back in 2005. Save your money and your patience. Avoid. Run away. Just my opinion.

Freeware:

iAntiVirus from PC Tools. It can detect and remove all current Mac malware. You don't have to pay for the application unless you are a business or are running a large network. The paid version offers technical support. Note that it only runs on Leopard. I use it and find it to be very simple and unobtrusive.

Shareware / Commercial-ware:

Sophos Anti-Virus. It is designed for companies and networks of computers.

Intego VirusBarrier. I find them to be the best-in-class for single users. I'm disappointed at their disorganization as a company. But the program is top notch. Just be prepared to shell out money year after year. Bleh. Nonetheless, I own it, use it and like it.

I used to use Virex X, now called McAfee Virus Scan. But it got clunky. Many people downright hate it. I don't know why. These days it is designed for companies and networks, not single users. I would have shoveled McAfee into the grave alongside Symantec for having FUDed the Mac. But oddly, their CEO ended up stating that the single best way to escape computer malware was to "buy a Mac." So they can't be entirely stupid over there.

There is other stuff around, but it makes me yawn. You can get a listing of it all at the download sites by searching for 'virus'.

DEFENSE!

If you are in charge of a home computer shared by others, or you are an IT manager, stop the luser users from installing Trojans by giving them Mac OS X accounts that Do Not Allow Program Installation! If a user wants a program installed, let them ask you to do it for them in YOUR account. Then give them access to the program.

But of course this means that YOU, the boss of the machines, have to be careful too. Always verify that what you install has specifically been tested somewhere. I always use the download sites like VersionTracker or MacUpdate. There are many others. Be sure that either the site itself has tested that version of the program and given it an OK, or that a lot of users have tested it and OKed it. Buy commercial-ware directly from the company, and make certain they are entirely, unquestionably reputable. Adobe.com = reliable. Jake's Super Deluxe Fly-By-Nite Site.com ≠ reliable. You get the idea.

And just to tick off the FUD mongers:

A) There is no such thing as a 'virus' for Mac OS X.
B) There is no such thing as a 'worm' for Mac OS X.
C) There is no such thing as illicit 'spyware' for Mac OS X. All Mac spyware is sold legally for the purpose of surveillance of network machines.
D) There is no such thing as 'security by obscurity' for Mac OS X. If you know how to do math, you can prove this for yourself. Go backwards in my blog if you want to read the gravestone I wrote for this mythologically absurd form of FUD.
E) As a Mac user you must keep computer security in mind. Follow the basic rules:
  1. Make regular backups. This is the #1 Rule Of Computing.
  2. Learn how to use your router's firewall and use it.
  3. Learn how to use Mac OS X's built-in firewall and use it.
  4. Always use password protected accounts. Make very sure your password is strong, obscure, unintuitive and plain old nasty. Be sure you remember it. Don't give anyone else access to it.
I've gone into greater detail about add-on measures in previous posts. The list above covers the essential basics.
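As an added example, not the author's own script, here is a Python audit that checks the account and firewall basics above the way the administrator of a shared Mac would: whether the daily-use account is in the admin group (a Standard account cannot install programs system-wide), whether the built-in application firewall is on, and whether any startup entry exists that the administrator did not put there, which is the route the bundled iServices package in the 23 January post takes. The macOS tools it calls (dseditgroup and socketfilterfw) are real, but the exact wording of their output that the parsers expect is an assumption, the allowlist of startup entries is a constructed placeholder to fill in per machine, and rule 1 (backups) is left to the human.

```python
import os
import platform
import subprocess

# Startup locations to watch, each with the entries the administrator installed on
# purpose. Constructed and empty here (assumption): fill in per machine. A package
# riding along inside a pirated installer adds an entry that nobody put there.
STARTUP_DIRS = {
    "/Library/StartupItems": set(),
    "/Library/LaunchDaemons": set(),
}


def is_admin_from_output(text):
    """Interpret `dseditgroup -o checkmember -m USER admin`, which answers
    'yes USER is a member of admin' or 'no USER is NOT a member of admin'
    (assumed wording; only the leading yes/no is relied on)."""
    return text.strip().lower().startswith("yes")


def firewall_enabled_from_output(text):
    """Interpret `socketfilterfw --getglobalstate`, which reports
    'Firewall is enabled. (State = 1)' or 'Firewall is disabled. (State = 0)'
    (assumed wording; either the phrase or the state number is accepted)."""
    t = text.lower()
    return "state = 1" in t or "is enabled" in t


def unexpected_entries(entries, allowlist):
    """Startup entries not on the allowlist, ignoring dotfiles such as .DS_Store."""
    return sorted(e for e in entries if not e.startswith(".") and e not in allowlist)


def unexpected_startup_items(directory, allowlist):
    """Directory-backed wrapper around unexpected_entries; a missing directory is clean."""
    if not os.path.isdir(directory):
        return []
    return unexpected_entries(os.listdir(directory), allowlist)


def _run(*argv):
    return subprocess.run(argv, capture_output=True, text=True).stdout


def audit(user):
    """Run all three checks on a Mac. Returns findings; all False/empty means clean."""
    if platform.system() != "Darwin":
        raise RuntimeError("these checks call macOS tools; run them on the Mac itself")
    findings = {}
    findings["daily_account_is_admin"] = is_admin_from_output(
        _run("dseditgroup", "-o", "checkmember", "-m", user, "admin"))
    findings["firewall_off"] = not firewall_enabled_from_output(
        _run("/usr/libexec/ApplicationFirewall/socketfilterfw", "--getglobalstate"))
    findings["unexpected_startup_items"] = {
        d: unexpected_startup_items(d, allow) for d, allow in STARTUP_DIRS.items()}
    return findings


if __name__ == "__main__":
    import getpass
    for key, value in audit(getpass.getuser()).items():
        print(f"{key}: {value}")
```

The parsing is split from the command execution so the decision logic can be exercised on captured output anywhere; on the Mac itself, a non-empty list under a startup directory is the finding to chase before anything else, since that is where a Trojan that arrived inside an installer keeps itself running.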

And of course, don't ever pirate software. Now it's extra dangerous. If that gets you excited, welcome to the botnet.

:-Derek
--

Friday, 23 January 2009

Mac Malware #8: OSX.Trojan.iServices.A

--
Intego, makers of VirusBarrier, posted an alert on Thursday 2009-01-22 regarding a newly discovered Trojan horse specific to Mac OS X. They have designated it "OSX.Trojan.iServices.A". It was found in torrented/pirated copies of Apple's iWork 09 installer.

Conclusion: If you have torrented, downloaded or been given any pirated copy of iWork 09, do not install it! Throw it away!

Cures: Intego of course has provided a removal method in the latest malware definitions file for VirusBarrier. The folks at MacScan have also provided a FREE removal tool here.

A MacRumors article about the Trojan can be found here.

How does it work?

1) Included with the iWorks 09 package is an added bogus Trojan package entitled "iWorkServices.pkg". When you install iWork 09, the Trojan is installed along with the legitimate program packages. It is specifically installed as a startup item within your system.

2) According to Intego: "The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac."

Essentially, you've been zombied. The cracker controlling the program can do anything with your computer. Examples include money making schemes such as stealing your identity, spamming the net or using your machine in a denial of service attack.

For Mac users, this method of infection is entirely new. It can also be used in any other similarly pirated program installer, not just iWorks 09. The only things specific to iWork 09 about this Trojan are the name of the package used and its placement alongside all the other installer packages for iWorks 09.

In other words, pirated Mac program installers are now all suspect. Pirates beware.
--

Thursday, 4 December 2008

Update: The State Of Trojan OSX.RSPlug, aka the 'Porno Trojan'

The net-cracker effort to bring the 'RSPlug' Trojan horse from Windows over to Mac OS X continues apace. As of this week we are now up to version E, aka Trojan OSX.RSPlug.E. Again, this Trojan is showing up at scam pornography websites.

The difference with variants D and E, however, is particularly nefarious. Instead of the Trojan itself being the full payload of malware, it downloads the actual payload from the Internet. This means the Trojan can install literally anything into your system. It's no longer just for DNS-forwarding phishing scams.

Of course, it will be possible to kill off the payload Internet sites one by one as sub-variants of D & E pop up. But once infected, a Mac could theoretically become zombied, which these days is the prime goal of net-crackers. Botnets can make big money. As was popularly reported last week, the taking down of one particular bot wrangler killed off as much as 70% of SPAM distribution for a few days. That's a massive botnet. Imagine the profit the bot wrangler was pulling in. Sadly, the botnet involved remained intact and another bot-wrangler stepped in to take advantage of it, restoring SPAM to its usual blasting volume.

You can read the details about Trojan OSX.RSPlug.E over at Intego's website.

One hilarious flagging giveaway of this Trojan is the continued laziness of the developers' social engineering method. Instead of altering their tease line to potential wetware victims, they left it exactly the same as the Windows version. This means that anyone who is both Mac and Windows savvy will realize immediately that something screwy is going on. The blunder is the tease line "Video ActiveX Object Error". For those who don't know, ActiveX is a scripting monstrosity perpetrated by Microsoft several years back. Yeah, it was another of their attempts to make the Internet proprietary. ActiveX is entirely irrelevant on Mac OS X, thank goodness, as it is a gigantic, wide open door for malware infection on Windows. The only web browser on Mac capable of running ActiveX rubbish is Firefox, and you have to specifically install an ActiveX extension. Therefore, for the moment, if you run into a "Video ActiveX Object Error" on a website, you have just run into an attempt to infect you with the Trojan OSX.RSPlug.
--

Monday, 1 December 2008

Trojan OSX.Lamzev.A

As of last week, Mac OS X has a second piece of malware. It is a Trojan horse officially called OSX.Lamzev.A. (It is also erroneously known as OSX.TrojanKit.Malez).

Detection and removal of this malware is built into the latest versions of the FREEWARE anti-malware programs ClamXav and iAntiVirus.

So what is the strategy this time? To quote ZDNet:
OSX.Lamzev.A is a hacker tool designed primarily to allow attackers to install backdoors in a user's system, according to Intego. However, the company dismissed the tool as a serious threat because a potential hacker has to have physical access to a system to install the backdoor.
. . .
Other antivirus vendors noted that Lamzev could be disguised as a piece of legitimate software and used to trick users into creating the backdoor themselves.
Theoretically, this will become another piece of social engineering / wetware error malware where the user is tricked into installing it. Therefore, as usual, always verify that anything you install is legitimate software. Check it out at any of the well known shareware distribution sites like VersionTracker.com, MacUpdate.com, TuCows.com or MajorGeeks.com. All of these sites have human users and reviewers who can tell you what's legitimate. If you can't verify an application, don't install it! Also, if you want to be extra safe, work only inside a 'Standard' Mac OS X account, not an Administrator account.

I'm going to keep an eye on this Trojan to see what damage it can do. If it is a true 'backdoor' to Mac OS X, a cracker can do anything they like with your Mac. We'll see with time if this becomes a problem. For now, the anti-malware distributors consider it only a minor threat. Just run your usual FREEWARE anti-malware apps once a week, at least, to clean it out if somehow you've installed it.
--

Sunday, 11 November 2007

Attack Of The Porn Trojan


Trojans have long been associated with pornography. But in this case, in the Macintosh community, we have a very bad Trojan called OSX.RSPlug.A. It's not that someone poked holes in the Trojan, it's that the Trojan itself is the hole. You don't want this malware impregnating your Mac, so it's time to learn how to be safe while you enjoy the Internet.

I wrote the Mac security article posted above specifically for the use of Macintosh user groups. You are entirely welcome to grab it and post it wherever you like, as long as you do not change it. That means you must include the headers with my name and my copyright. If you don't follow the rules, I will come and get you. So please be respectful of my work. You are welcome. :-Derek
