
Saturday, 16 May 2009

Current List of Mac OS X Active Malware

--
This evening I was busy over at the ClamXav forum. In response to a suggestion there, I provided a current list of Mac OS X active malware. I decided to cross-post the list here as well:

Below is a list of all the Mac OS X active malware I am aware of. I've been attempting to keep up to date on this subject since 2005. I have a blog where I share all my knowledge of Mac security:

http://mac-security.blogspot.com

As far as I am able to ascertain, the only active Mac OS X malware ClamAV is able to detect is Trojan.OSX.RSPlug.A (aka DNSChanger.A). In a previous thread I have asked for help trying to determine if any further Mac OS X malware are detected.

Note that there is only one official standard name for each of the 11 malware. This is what I use to name each family. However, anti-malware providers call them anything they choose. This is why I provide alternative names. There are four families of Trojans listed below with various strains/versions/variants designated by "A" through however many exist for the family. In the case of RSPlug I list A through G specifically because the PCTools site lists that many. Most other sites list only A through F.

If anyone knows of further names for these malware, or of any further ACTIVE malware (please not inert or proof-of-concept malware) please let me know at my blog.

The current list of active Mac OS X malware as of 2009-05-17:

I) Trojan.OSX.RSPlug family, aka DNSChanger or Jahlav.
01) Trojan.OSX.RSPlug.A
02) Trojan.OSX.RSPlug.B
03) Trojan.OSX.RSPlug.C
04) Trojan.OSX.RSPlug.D
05) Trojan.OSX.RSPlug.E
06) Trojan.OSX.RSPlug.F
07) Trojan.OSX.RSPlug.G

II) Trojan.OSX.Lamzev family, aka Malez.
08) Trojan.OSX.Lamzev.A

III) Trojan.OSX.PokerStealer family, aka Corpref.
09) Trojan.OSX.PokerStealer.A

IV) Trojan.OSX.iServices family.
10) Trojan.OSX.iServices.A
11) Trojan.OSX.iServices.B

Sources of these malware:

The RSPlug family are all offered by websites that tell you that you must install their file or program in order to access specific media they are offering. Originally these Trojans showed up on porn sites where you were told to download a video codec in order to view their videos. These days the websites could be telling you anything. The basic idea is to use 'Social Engineering' to fool you into installing their Trojan. The most recent of these Trojans can potentially zombie your computer and use it in a botnet.

Lamzev is a hacker tool used to create backdoor access into a computer. The only way to 'catch' it is if a hacker has physical access to your computer and hand-installs it. Note that there are plenty of other hacker tools around, but this is the only one listed as a Trojan because of the potential damage it can do to a victim computer.

PokerStealer originally called itself "PokerGame". You download it, install it and are infected. The original version put up a bogus warning message that a corrupt preference file had been detected and that your administrative password was required to repair it. It then sends your ID, password and IP address to crackers who can then access your computer via SSH and do whatever they like with it. Theoretically this Trojan can be named anything.

iServices showed up earlier this year in pirated programs, buried inside their installer. The original A and B variants were buried in pirated versions of iWork 09 and Photoshop CS4. You install the pirated program and get infected. There are reports that the installers actually fail to install the listed program and only install the Trojan. In any case, iServices zombies your computer and makes it part of a botnet. This Trojan formed the first officially verified Mac botnet back in February. It apparently consists of thousands of computers. It has so far been used in a DDoS attack. Note that once a Mac is zombied, the 'bot wrangler' or cracker-in-charge can do anything they like with the computer. This particular zombie botnet is so far being used for money making ventures over the Internet.

If/when further Mac OS X active malware is discovered I'll list it in my blog.
--

Friday, 17 April 2009

The First Reported Mac BOTNET

--
Let me first share news from SANS Institute, then provide a brief perspective on the situation.

Below is a quote from SANS NewsBites Volume 1, Number 30, released last night. (I added some bolding for emphasis). You can sign up for the SANS newsletters HERE.
--Trojan in Pirated Mac Software Helped Create First Mac Botnet
(April 15, 2009)

Malware embedded in pirated versions of Apple's iWork and Adobe Photoshop CS4 for Mac that were available over a peer-to-peer network in January is responsible for what appears to be the first known Mac botnet. The zombie network attempted to launch a distributed denial-of-service (DDoS) attack against an unidentified website. The malware had spread to several thousand computers before it was identified.

http://www.cbc.ca/technology/story/2009/04/15/ibotnet-trojan.html

http://blogs.zdnet.com/security/?p=3157

[Editor's Note (Honan, Schultz): Looks like the Mac platform is an increasingly fruitful target for cyber criminals. ]
Indeed it has. "Several Thousand Computers." This is incredibly sad, but also inevitable.

While all the FUD mongers have a sadism party at our expense, (and they will), keep in mind that NONE of the current Mac malware is able to penetrate any Mac unless the user (often called the 'luser') deliberately installs a Trojan horse on their computer. This happens specifically because the user has been conned by what is called Social Engineering, or in this case, the luser is using pirated software that has had the Trojan carefully placed in the installer to go along for the ride. What do you call it when a dirty deed is done to someone pulling a dirty deed? How about 'Dishonor Among Thieves'? It is more like poetic justice, parasite chewing on parasite.

Anyway, Mac Botnets have arrived. What is done with them will be of interest. Typically these days they are used for money making schemes. Go read all the news about the Windows Conficker worm scare of April 1st and beyond. Once created via infection, a botnet can pull off just about anything you can do over the Internet, but in mass numbers all at one time.

OK! You're a luser and maybe you did something that could have gotten you infected. Now what?

What NOT to use:

ClamAV. Worthless for Macs. I've covered this disappointment several times.

MacScan. The botnet Trojans are out of its league. It's clunky unreliable software anyway.

Symantec Norton Whatever. I consistently get reports that Norton Anti-Virus continues to be one of the single most buggy and CPU hogging applications you can buy for Macintosh. Symantec also invented the anti-Mac security FUD campaign back in 2005. Save your money and your patience. Avoid. Run away. Just my opinion.

Freeware:

iAntiVirus from PC Tools. It can detect and remove all current Mac malware. You don't have to pay for the application unless you are a business or are running a large network. The paid version offers technical support. Note that it only runs on Leopard. I use it and find it to be very simple and unobtrusive.

Shareware / Commercial-ware:

Sophos Anti-Virus. It is designed for companies and networks of computers.

Intego VirusBarrier. I find them to be the best-in-class for single users. I'm disappointed at their disorganization as a company. But the program is top notch. Just be prepared to shell out money year after year. Bleh. Nonetheless, I own it, use it and like it.

I used to use Virex X, now called McAfee Virus Scan. But it got clunky. Many people downright hate it. I don't know why. These days it is designed for companies and networks, not single users. I would have shoveled McAfee into the grave alongside Symantec for having FUDed the Mac. But oddly, their CEO ended up stating that the single best way to escape computer malware was to "buy a Mac." So they can't be entirely stupid over there.

There is other stuff around, but it makes me yawn. You can get a listing of it all at the download sites by searching for 'virus'.

DEFENSE!

If you are in charge of a home computer shared by others, or you are an IT manager, stop the luser users from installing Trojans by giving them Mac OS X accounts that Do Not Allow Program Installation! If a user wants a program installed, let them ask you to do it for them in YOUR account. Then give them access to the program.

But of course this means that YOU, the boss of the machines, have to be careful too. Always verify that what you install has specifically been tested somewhere. I always use the download sites like VersionTracker or MacUpdate. There are many others. Be sure that either the site itself has tested that version of the program and given it an OK, or that a lot of users have tested it and OKed it. Buy commercial-ware directly from the company, and make certain they are entirely, unquestionably reputable. Adobe.com = reliable. Jake's Super Deluxe Fly-By-Nite Site.com ≠ reliable. You get the idea.

And just to tick off the FUD mongers:

A) There is no such thing as a 'virus' for Mac OS X.
B) There is no such thing as a 'worm' for Mac OS X.
C) There is no such thing as illicit 'spyware' for Mac OS X. All Mac spyware is sold legally for the purpose of surveillance of network machines.
D) There is no such thing as 'security by obscurity' for Mac OS X. If you know how to do math, you can prove this for yourself. Go backwards in my blog if you want to read the gravestone I wrote for this mythologically absurd form of FUD.
E) As a Mac user you must keep computer security in mind. Follow the basic rules:
  1. Make regular backups. This is the #1 Rule Of Computing.
  2. Learn how to use your router's firewall and use it.
  3. Learn how to use Mac OS X's built-in firewall and use it.
  4. Always use password protected accounts. Make very sure your password is strong, obscure, unintuitive and plain old nasty. Be sure you remember it. Don't give anyone else access to it.
I've gone into greater detail about add-on measures in previous posts. The list above covers the essential basics.

And of course, don't ever pirate software. Now it's extra dangerous. If that gets you excited, welcome to the botnet.

:-Derek
--

Friday, 23 January 2009

Mac Malware #8: OSX.Trojan.iServices.A

--
Intego, makers of VirusBarrier, posted an alert on Thursday 2009-01-22 regarding a newly discovered Trojan horse specific to Mac OS X. They have designated it "OSX.Trojan.iServices.A". It was found in torrented/pirated copies of Apple's iWork 09 installer.

Conclusion: If you have torrented, downloaded or been given any pirated copy of iWork 09, do not install it! Throw it away!

Cures: Intego of course has provided a removal method in the latest malware definitions file for VirusBarrier. The folks at MacScan have also provided a FREE removal tool here.

A MacRumors article about the Trojan can be found here.

How does it work?

1) Included with the iWork 09 package is an added bogus Trojan package entitled "iWorkServices.pkg". When you install iWork 09, the Trojan is installed along with the legitimate program packages. It is specifically installed as a startup item within your system.

2) According to Intego: "The malicious software connects to a remote server over the Internet; this means that a malicious user will be alerted that this Trojan horse is installed on different Macs, and will have the ability to connect to them and perform various actions remotely. The Trojan horse may also download additional components to an infected Mac."

Essentially, you've been zombied. The cracker controlling the program can do anything with your computer. Examples include money making schemes such as stealing your identity, spamming the net or using your machine in a denial of service attack.

For Mac users, this method of infection is entirely new. It can also be used in any other similarly pirated program installer, not just iWork 09. The only things specific to iWork 09 about this Trojan are the name of the package used and its placement alongside all the other installer packages for iWork 09.
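As an added example (not from Intego's alert or from this post), here is a small shell check a Mac admin could run to look for the iWorkServices startup item the post describes. It assumes the Trojan registers itself under the standard Mac OS X startup-item directories of the time (/System/Library/StartupItems and /Library/StartupItems); the scan root is a parameter so the function can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example: look for a startup item named after the iWorkServices package
# described in the post. Assumption: it registers itself under the standard
# Mac OS X startup-item directories; ROOT lets the check run against a test tree.

# scan_startup_items ROOT NAME
# Prints each matching startup item and returns 0 if any was found, 1 if none.
# NAME defaults to iWorkServices, the package name from Intego's alert.
scan_startup_items() {
    root=${1:-/}
    name=${2:-iWorkServices}
    lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    found=1
    for dir in "$root/System/Library/StartupItems" "$root/Library/StartupItems"; do
        [ -d "$dir" ] || continue
        for item in "$dir"/*; do
            [ -e "$item" ] || continue   # empty directory: the glob did not expand
            base=$(basename "$item")
            # Case-insensitive substring match on the package name.
            case $(printf '%s' "$base" | tr 'A-Z' 'a-z') in
                *"$lname"*)
                    echo "suspicious startup item: $item"
                    # A StartupItems entry normally holds an executable of the
                    # same name plus StartupParameters.plist; list what is there.
                    ls -l "$item" 2>/dev/null
                    found=0
                    ;;
            esac
        done
    done
    return $found
}

# Scan the live system only when run directly under this file name (not when sourced).
if [ "${0##*/}" = "check_iworkservices.sh" ]; then
    if scan_startup_items /; then
        echo "REVIEW: match found; treat the machine as zombied until cleaned"
    else
        echo "no iWorkServices startup item found"
    fi
fi
```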

In other words, pirated Mac program installers are now all suspect. Pirates beware.
--

Sunday, 11 November 2007

Attack Of The Porn Trojan


Trojans have long been associated with pornography. But in this case, in the Macintosh community, we have a very bad Trojan called OSX.RSPlug.A. It's not that someone poked holes in the Trojan, it's that the Trojan itself is the hole. You don't want this malware impregnating your Mac, so it's time to learn how to be safe while you enjoy the Internet.

I wrote the Mac security article posted above specifically for the use of Macintosh user groups. You are entirely welcome to grab it and post it wherever you like, as long as you do not change it. That means you must include the headers with my name and my copyright. If you don't follow the rules, I will come and get you. So please be respectful of my work. You are welcome. :-Derek
