Showing posts with label iServices. Show all posts

Friday, 8 July 2011

Current Mac Malware, 2011-07: Introduction

In order to help Mac users understand the current state of malware on the platform, I am providing a review of each current form. This will not be an exhaustive review, but should help relieve much misunderstanding and concern about the ongoing, many years old, anti-Apple security FUD Fest.

I will be going through the malware in reverse chronological order, featuring the most current concerns first and the oldies but gnarlies last.

The first thing to know is that technically, ALL currently active Mac malware are Trojan horses. That means that they are entirely inert until such time as a user (or 'LUSER', in cynical terminology) inadvertently installs them.

I am NOT including any hacker tools or 'legal' spyware in my detailed articles. These require a third party to be able to physically access your computer and directly install them for their nefarious purposes. You won't personally be in any danger of installing them unless a hacker or IT administrator directs you to do so. They require hackers or administrators to access your computer in order for them to do any harm. I may address these forms of software at another time. I am more concerned about what YOU might mistakenly install.

THE LIST:

1) Trojan.OSX.MACDefender.A - O [15 strains]

2) Trojan.OSX.BlackHoleRAT.A - C [3 strains]

3) Trojan.OSX.Boonana.A

4) Trojan.OSX.OpinionSpy.A - B [2 strains]

5) Trojan.OSX.iServices.A - C [3 strains]

6) Trojan.OSX.PokerStealer.A

7) Trojan.OSX.RSPlug.A - Q [17 strains]

The total number of Mac malware species is 7.
The total number of Mac malware strains is 42.


The 'Malware' Hacker Tools I Am Leaving Out:

'Trojan'.OSX.Lamzev.A

'Trojan'.OSX.Hellraiser.A - D [4 strains]

There are a number of inert malware as well as 'Proof of Concept' malware of no concern which I have also left out of my list. You may find them on other lists but you won't find them infecting anyone with up-to-date computers, apart from test computers in a lab. (A famous example of 'Proof of Concept' malware is Trojan.OSX.Oomp.A, aka Trojan.OSX.Leap.A. It is of no consequence or importance).

If you'd like a list of current 'legal' spyware, I suggest the list kindly provided at the MacScan/SecureMac site.

Note that, due to the lack of adherence to standards within the anti-malware community, there are a lot of name variations for the exact same malware. In the case of the MAC Defender Trojan I discovered 15 different names. I am not including them here in my list as these alternative names are irrelevant and needlessly confusing. What I have listed here are the 'official' names from my point of view as well as those whom I consider to be professional experts and original malware discoverers in the field. However, I will be listing a number of the alternative names in my subsequent articles that provide details about each of the current malware species.

As ever, I request corrections to my information. If I have missed a malware species or strain, please let me know asap. Much appreciated!

Tuesday, 13 July 2010

Intego Errors! Marketing Vs Fact, Money Vs Reality

--
Kids. Didn't I tell you the computer anti-malware community was 'unprofessional'? Here we go again.

For shame Intego! Publishing FUD to sell your anti-malware software. For shame!

I like the folks at Intego a lot. But this is the SECOND time they have outright FUDed the public for the sake of making sales of their indeed superior anti-malware software. Note that this is entirely in line with our current era of PROPAGANDA at the expense of both facts and reality. I DESPISE FUD! I DESPISE PROPAGANDA! If you check out my zunipus blog you'll see I'm well versed on the subject.

This very WRONG page of information was posted at the Intego website this week. It makes me want to gag. It's crap like this that inspires me to keep writing my own, independent, 'hey look at me I have a brain in my head', Mac-Security blog:

Intego: Learn About Mac Malware

The Post-Mortem:

I) This page claims to provide a "clear explanation of what types of viruses and malware are a danger for Mac OS X."

Bullshit.

There is nothing 'clear' about FUDing customers and confusing them with ignorant information. If you haven't already spotted the garbage on this page, read on.

II) The Mac picture provided on the page, with its arrows to various malware, includes the word "Botnet". This is WRONG. There is no such thing as a 'botnet' form of malware. A 'botnet' is the result of having many computers infected with BOT malware. The software that infects your computer is called a 'bot.' Not a 'botnet'. A BOT!

III) The paragraph entitled "MAC VIRUS" is WRONG. There are NO viruses for Mac OS X. There never have been any viruses for Mac OS X. So this paragraph must be preceded with the word:

NO

The description of viruses by Intego in this wrongful paragraph is entirely inadequate. Read these instead:

Computer Virus
or
What is virus?

In fact there are dozens of pages on the Internet that have superior descriptions of computer viruses. Google "What is a computer virus?"

IV) Examining the wrongful "MAC VIRUS" paragraph we see two wrongful examples. They are NOT viruses. Here is what they REALLY are: PROOF OF CONCEPT malware. Did you see 'Proof Of Concept' listed as a type of malware in Intego's illustration? No. Why? Because they are only demonstration malware that are NOT released into the wild, cannot replicate in the wild, and are only created to prove a software security problem. They are HARMLESS to one and all except on test machines used for EXPERIMENTATION. Anyone telling you that Proof of Concept malware will ever appear on your machine at any time, except within an experimentation situation, is FUDing you. FUD = a classic form of propaganda known as FEAR, UNCERTAINTY and DOUBT.

You can read about FUD here:

Fear, uncertainty and doubt (FUD) is a tactic of rhetoric and fallacy used in sales, marketing, public relations, politics and propaganda.

If you'd like to read about Proof Of Concept malware, check these out:

Proof of concept

Prototype

What is proof-of-concept virus?

And for fun, here is what these two Proof of Concept malware actually do:

A) OSX.MacArena.A - Here is a quotation from 2006 from Kaspersky's Securelist.com:
"Macarena was the first attempt to create a virus for Mac OS X that infects mach-o format executable files. The virus only infects files in the current directory and only runs on Intel platforms, i.e. it does not pose a threat to machines with ppc architecture. These malicious programs are purely proof of concept code, i.e. they demonstrate that such programs can be created."
Darn. This thing can only self-propagate within its own current directory. Wow. So scary. It is NOT in the wild. It does NOTHING to harm your computer. Not-a-thing.

B) "OSX/Oomp-A or Leap.A" - First off, note the use of two different names for the exact same thing, AND the total lack of conformity to the published malware naming standard. I'd be ticked off, except this is again harmless proof of concept malware, so who cares. Here is an article from Macworld, published in 2006, about what is ACTUALLY called the "Oompa-Loompa Trojan" by the first person to publicly describe it, Andrew Welch of Ambrosia Software:

Reports emerge of Mac OS X Trojan horse or worm
"Reports indicate that someone has let loose a 'Trojan horse' or worm for Mac OS X users. The program is hidden within a package that purportedly contains screenshots of Apple's as-yet unannounced next major revision to Mac OS X. Whether it's a Trojan horse or worm seems to vary depending on the source of the information."
Do you see the word 'virus' in this description? NO.
"So-called Trojan horses are differentiated from viruses because they masquerade as a regular application or file and do not replicate themselves arbitrarily."
Ah! So NOT a virus!
"Anti-virus software maker Sophos takes issue with this description claiming this is the 'first ever virus for Mac OS X.'"
Traveling over to the Sophos page, what do we see in the TITLE of their article?
"First ever virus for Mac OS X discovered
OSX/Leap-A worm spreads via iChat instant messaging software
"
So it's a 'worm', and NOT actually a virus. That's what Sophos are actually saying.

But I thought proof of concept OSX.MacArena.A was "the first attempt to create a virus"!!!

Are you getting the idea of how chaotic the anti-malware community can be?

And guess what folks. Ooompa-Loompa was made entirely INERT with the next Apple revision of iChat. So be scared. Be VERY scared!

And no, it's NOT a virus. No, it CANNOT replicate itself in-the-wild. This thing can only replicate via iChat within a LAN. That means it hasn't even got a clue what the Internet is. Got that? NOT-IN-THE-WILD at all. It can't get there. There was only ever ONE place it was ever found on the Internet, and that was in a forum at a Mac rumor website.

V) Then we move along to the wrongful paragraph about BOTs. I'm perfectly happy to ALSO call them by other malware names. But the ONLY bots for Macs exist in the form of Trojan horses. There are three of them: Trojan.OSX.iServices.A - C, which is to say that there are versions A, B and C. They have only ever been found, as Intego indicate, within the installers of pirated software. These include pirated copies of Apple iWork and Adobe Photoshop CS4.

Once Macs were infected, via these pirated installers, with the bots, the computers were then 'zombied' or 'botted'. Via communication over the Internet, these machines then joined into what is called a 'botnet'. In early 2009 there was a guesstimate that the resulting botnet contained over 10,000 Macs, which indicates the popularity of pirated software. The only published attack carried out by this botnet that I am aware of was a DDOS, or Distributed Denial of Service attack. I've never heard or read about it again. But note that this malware is indeed still in-the-wild and can infect you.

VI) Then we get to the WORM section: Note how Intego don't list any for Mac. That's because THERE AREN'T ANY for Mac, except as Proof of Concept malware. Yawn. Therefore, this section also requires the removal of the 'YES' to be replaced with:

NO

The description of worms here is poor. Reading this stuff you'd think they were the same thing as viruses. They aren't. Read this from Wikipedia.org:

Computer worm
"Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer."
The main, if not only, point of a worm is self-replication. Whereas, the point of a virus is not merely to replicate but to DAMAGE.

~~~~~~
I know Intego are not going to be pleased that I've ripped apart this blatant propaganda / FUD piece. To be honest, I'm really miffed that I, a non-professional in the Mac malware field, end up having to point out these ERRORS and FUD. If dimwit security amateur me knows full well the bullshit in this Intego article, why the hell are the 'professionals' at Intego publishing it?!

My proposal:
Dear Intego,

FIRE your Marketing Manager. Dishonest marketing damages your company's reputation. Witness Adobe.

And please don't bother writing to me to attempt to explain the bullshit in your article! Just take the article down, remove it, kill it. Then get a serious professional at Intego, (I know they exist! I've talked to them!), to write a seriously HELPFUL, HONEST and INFORMATIVE article that misleads no one and educates everyone. THAT will bolster your reputation and sales. Not this FUD crap.
Where's my aspirin?
--

Thursday, 27 August 2009

A Primer on Trojan Horses and Their Aliases

--
There actually is a standard naming system for malware. But very few anti-malware developers care. Therefore, we end up with a bunch of names for exactly the same malware. The CNET POS article mentioned previously, not worth reading HERE, demonstrates the problem. Here are some translations. I list the standard name first, then the extraneous names after:

The Trojan.OSX.RSPlug series is aka "DNSChanger" and "Jahlav" and "Puter".

Trojan.OSX.Lamzev is aka "Malez"

Trojan.OSX.PokerStealer is aka "Corpref"

The Trojan.OSX.iServices series is the fourth current Trojan type for Mac OS X. I'm unaware of any aliases so far.

Scan backward through my previous posts for coverage on each of these Trojans.

Count with me!

As of today:
  • The RSPlug series has variants A through P. That equals 16 variants. (When I checked last week there were 13 variants, so some mean old crackers have been very busy).
  • The Lamzev Trojan has no variants. Add 1.
  • The iServices series has variants A through C. That equals 3 variants. (The C variant is recent).
  • The PokerStealer Trojan has no variants. Add 1.

Count them all together and what do we got?

The number 21!
That's 21 Trojans!
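The naming convention these posts rely on (Type.Platform.Family.Variant, with vendor aliases mapped back to one standard family name) and the species/strain counts above can be checked mechanically. The following Python is an added example written for this page, not the blog's own code or any vendor's tool. It parses a standard-form name, resolves the aliases listed in the primer above (DNSChanger/Jahlav/Puter, Malez, Corpref), expands a letter range such as "A - O" into a strain count, cross-checks that count against any "[N strains]" figure on the line, and tallies species and strains for both the July 2011 list (7 species, 42 strains) and the August 2009 list (4 families, 21 Trojans). The two input lists are copied from the posts; everything else is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Alias table taken from the translations given in the posts
# (vendor alias on the left, standard family name on the right).
ALIASES = {
    "DNSChanger": "RSPlug",
    "Jahlav": "RSPlug",
    "Puter": "RSPlug",
    "Malez": "Lamzev",
    "Corpref": "PokerStealer",
}

# Type.Platform.Family[.Variant], e.g. Trojan.OSX.RSPlug.A
NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+)\.(?P<platform>[A-Za-z0-9]+)\."
    r"(?P<family>[A-Za-z0-9]+)(?:\.(?P<variant>[A-Z]))?$"
)

# One list entry: a full name, an optional '- X' range end and an optional
# '[N strains]' figure, e.g. 'Trojan.OSX.MACDefender.A - O [15 strains]'
ENTRY_RE = re.compile(
    r"^(?P<name>\S+)(?:\s*-\s*(?P<last>[A-Z]))?(?:\s*\[(?P<claimed>\d+) strains?\])?$"
)


@dataclass(frozen=True)
class MalwareName:
    kind: str               # Trojan, Worm, ...
    platform: str           # OSX
    family: str             # standard family name, aliases resolved
    variant: Optional[str]  # single letter, or None when only a family is named


def parse_name(text: str) -> MalwareName:
    """Split a standard-form name into its parts and resolve vendor aliases."""
    m = NAME_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Type.Platform.Family[.Variant] name: {text!r}")
    family = ALIASES.get(m["family"], m["family"])
    return MalwareName(m["type"], m["platform"], family, m["variant"])


def variant_count(first: str, last: str) -> int:
    """Inclusive size of a single-letter variant range, e.g. A..O -> 15."""
    if not (len(first) == 1 and len(last) == 1 and "A" <= first <= last <= "Z"):
        raise ValueError(f"bad variant range {first!r}..{last!r}")
    return ord(last) - ord(first) + 1


def parse_entry(line: str) -> Tuple[str, int]:
    """Return (family, strain count) for one list line, and refuse the line
    if its '[N strains]' figure disagrees with the letter range."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable list entry: {line!r}")
    name = parse_name(m["name"])
    if name.variant is None:
        raise ValueError(f"entry carries no variant letter: {line!r}")
    count = variant_count(name.variant, m["last"] or name.variant)
    if m["claimed"] is not None and int(m["claimed"]) != count:
        raise ValueError(f"{line!r}: range gives {count}, text claims {m['claimed']}")
    return name.family, count


def tally(lines: Iterable[str]) -> Tuple[int, int, Dict[str, int]]:
    """Count species (families) and strains (variants) over a list of entries."""
    per_family: Dict[str, int] = {}
    for line in lines:
        if not line.strip():
            continue
        family, count = parse_entry(line)
        per_family[family] = per_family.get(family, 0) + count
    return len(per_family), sum(per_family.values()), per_family


# The two lists as the posts give them (list numbering dropped).
LIST_2011 = [
    "Trojan.OSX.MACDefender.A - O [15 strains]",
    "Trojan.OSX.BlackHoleRAT.A - C [3 strains]",
    "Trojan.OSX.Boonana.A",
    "Trojan.OSX.OpinionSpy.A - B [2 strains]",
    "Trojan.OSX.iServices.A - C [3 strains]",
    "Trojan.OSX.PokerStealer.A",
    "Trojan.OSX.RSPlug.A - Q [17 strains]",
]
LIST_2009 = [
    "Trojan.OSX.RSPlug.A - P",
    "Trojan.OSX.Lamzev.A",
    "Trojan.OSX.iServices.A - C",
    "Trojan.OSX.PokerStealer.A",
]

if __name__ == "__main__":
    for label, entries in (("2011-07", LIST_2011), ("2009-08", LIST_2009)):
        species, strains, _ = tally(entries)
        print(f"{label}: {species} species, {strains} strains")
    # A vendor alias resolves to the same parsed name as the standard form.
    print(parse_name("Trojan.OSX.DNSChanger.A") == parse_name("Trojan.OSX.RSPlug.A"))
```

The alias table is the part that needs maintaining: every time a vendor invents a fresh name for a known family, the count of species silently goes up by one unless the alias is added, which is exactly the naming chaos the posts complain about.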

BwaHaHa!

I am using the iAntiVirus Threat Database maintained by PC Tools as my source. Their list of Mac malware has flaws, but at least they have one. Who else bothers? Certainly not Intego! (Ahem! hint! hint!)

Just for comparison: I was hanging out at the ClamXav forum yesterday and someone pointed out that as of June there were 574,043 malware signatures in ClamAV. Let's see... take away 21... that's somewhere around 574,022 Windows malware in the wild. A little more math and that comes to 1 Mac OS X malware for every 27,334 Windows malware. Wait! Wait! What was that?!

1 : 27,334!

So who was the dope who thought up that 'security by obscurity' myth?
I don't think so.
--

Monday, 6 July 2009

Quickie Reviews of ClamXav, iAntiVirus and MacScan

--
Recently, I've been testing the free anti-malware options for Mac. At the moment, none of them are perfect. But there is progress! Below are posts I made this week over at the VersionTracker.com sites regarding iAntiVirus, ClamXav and MacScan:

I) MacScan Is Unreliable:
I've tested MacScan several times over the course of several versions. The results are consistently flaky. It is impossible to get it to detect items reliably. Instead you have to run it over and over and over and over to get the thing to pick up everything.

For some purposes, like detecting the full raft of 'legal' Mac Spyware and Tracking Cookies, this is the only show in town. But OMG does it suck. IMHO MacScan requires an entire rewrite in order to get a rating better than one star. The developers have done some nice things like providing some sort-of working removal tools for current Trojans. So they aren't evil. They're just lousy programmers.
II) iAntiVirus Is Basic, Not Perfect, Mostly Works:
Keep in mind that this thing is FREE:

Despite some outright dishonest flame reviews of iAntiVirus here at VT, it actually does work, mostly. I let it loose on a folder full of Trojans a friend shared with me and it successfully found MOST of them:

Trojan.OSX.RSPlug.C, D & F
Trojan.OSX.iServices.A & B

Problems:
1) It did NOT find Trojan.OSX.RSPlug.E, of which I had a number of copies in my folder-full-of-Trojans. That is upsetting.
2) It also uses wrong names for the iServices Trojans. But sadly, despite a clear naming convention for malware, hardly anyone bothers, which is of course pathetic.
3) The app only gives you two choices when it finds malware: Either remove the malware or nothing. There is no sophistication to this app whatsoever.

Maybe the 'Pro' version is way better. I don't know. The PC Tools website certainly 'claims' iAntiVirus detects all the current Mac malware. Judging from the free version, it only finds some Mac malware. Maybe I'll test the Pro version some time.

In the meantime, I own Intego VirusBarrier, which frankly is the ONLY anti-malware app for Macs I can recommend. It works great, detects everything, is updated daily, is entirely reliable, is never a CPU hog, and has all the bells and whistles you could want.

If you want to stick with free stuff, the best idea is to use BOTH iAntiVirus AND ClamXav. Between the two of them you're probably just fine. This is thanks to the fact that the excellent author of ClamXav went out of his way to convince the ClamAV project to accept contemporary Mac malware sample definitions. *Applause*
Addendum: I should note that iAntiVirus also fails to detect RSPlug.I and .L.

III) ClamXav: Progress! But Still Waiting For Full Mac Malware Detection:
Recently, ClamXav developer Mark Allen went out of his way to convince the ClamAV project to accept contemporary Mac malware samples for definition integration. *Applause*

However, my testing today shows only partial progress from the ClamAV project.

MY TEST: A friend provided me with a large collection of recent Mac Trojan horses including all the iServices and RSPlug malware. There were 18 samples in all. I used them as my testing ground.

RESULTS: ClamXav, via the latest engine and definitions of ClamAV, found 10 of them and successfully put them into my quarantine folder.

As my control, I used Intego VirusBarrier, latest version with current definitions. It found all but one of the malware. (The undetected malware was a .pkg with the payload inside a .bom file).

What ClamXav, via ClamAV, didn't detect:
DMG files containing:
RSPlug.D
RSPlug.E
RSPlug.F
RSPlug.I
RSPlug.L

I'm testing iAntiVirus, (runs on Mac OS X Leopard only). But it too is unable to detect RSPlug.E [as well as .I and .L].

CONCLUSIONS:

1) ClamXav is the best of the free anti-malware application options. But the ClamAV database of current Mac malware is still not completely up to date. However, it is far better than it was a couple months ago thanks to Mark Allen's work.

2) Even with the combination of ClamXav and iAntiVirus, it is still possible to have a current Mac Trojan sneak by. But then again, Intego VirusBarrier missed one as well, possibly due to the way the Trojan was packaged.

A high quality paid anti-malware application remains the best way to go for professional use. But for casual use, ClamXav is the best, despite remaining ClamAV deficiencies. I would combine it with iAntiVirus as well if you are running Mac OS X Leopard.
--

Saturday, 16 May 2009

Current List of Mac OS X Active Malware

--
This evening I was busy over at the ClamXav forum. In response to a suggestion there, I provided a current list of Mac OS X active malware. I decided to cross-post the list here as well:

Below is a list of all the Mac OS X active malware I am aware of. I've been attempting to keep up to date on this subject since 2005. I have a blog where I share all my knowledge of Mac security:

http://mac-security.blogspot.com

As far as I am able to ascertain, the only active Mac OS X malware ClamAV is able to detect is Trojan.OSX.RSPlug.A (aka DNSChanger.A). In a previous thread I have asked for help trying to determine if any further Mac OS X malware are detected.

Note that there is only one official standard name for each of the 11 malware. This is what I use to name each family. However, anti-malware providers call them anything they choose. This is why I provide alternative names. There are four families of Trojans listed below with various strains/versions/variants designated by "A" through however many exist for the family. In the case of RSPlug I list A through G specifically because the PCTools site lists that many. Most other sites list only A through F.

If anyone knows of further names for these malware, or of any further ACTIVE malware (please not inert or proof-of-concept malware) please let me know at my blog.

The current list of active Mac OS X malware as of 2009-05-17:

I) Trojan.OSX.RSPlug family, aka DNSChanger or Jahlav.
01) Trojan.OSX.RSPlug.A
02) Trojan.OSX.RSPlug.B
03) Trojan.OSX.RSPlug.C
04) Trojan.OSX.RSPlug.D
05) Trojan.OSX.RSPlug.E
06) Trojan.OSX.RSPlug.F
07) Trojan.OSX.RSPlug.G

II) Trojan.OSX.Lamzev family, aka Malez.
08) Trojan.OSX.Lamzev.A

III) Trojan.OSX.PokerStealer family, aka Corpref.
09) Trojan.OSX.PokerStealer.A

IV) Trojan.OSX.iServices family.
10) Trojan.OSX.iServices.A
11) Trojan.OSX.iServices.B

Sources of these malware:

The RSPlug family are all offered by websites that tell you that you must install their file or program in order to access specific media they are offering. Originally these Trojans showed up on porn sites where you were told to download a video codec in order to view their videos. These days the websites could be telling you anything. The basic idea is to use 'Social Engineering' to fool you into installing their Trojan. The most recent of these Trojans can potentially zombie your computer and use it in a botnet.

Lamzev is a hacker tool used to create backdoor access into a computer. The only way to 'catch' it is if a hacker has physical access to your computer and hand-installs it. Note that there are plenty of other hacker tools around, but this is the only one listed as a Trojan because of the potential damage it can do to a victim computer.

PokerStealer originally called itself "PokerGame". You download it, install it and are infected. The original version put up a bogus warning message that a corrupt preference file had been detected and that your administrative password was required to repair it. It then sends your ID, password and IP address to crackers who can then access your computer via SSH and do whatever they like with it. Theoretically this Trojan can be named anything.

iServices showed up earlier this year in pirated programs, buried inside their installer. The original A and B variants were buried in pirated versions of iWork '09 and Photoshop CS4. You install the pirated program and get infected. There are reports that the installers actually fail to install the listed program and only install the Trojan. In any case, iServices zombies your computer and makes it part of a botnet. This Trojan formed the first officially verified Mac botnet back in February. It apparently consists of thousands of computers. It has so far been used in a DDOS attack. Note that once a Mac is zombied, the 'bot wrangler' or cracker-in-charge can do anything they like with the computer. This particular zombie botnet is so far being used for money making ventures over the Internet.

If/when further Mac OS X active malware is discovered I'll list it in my blog.
--
